diff --git a/schrottserver/configuration.nix b/schrottserver/configuration.nix
index f1bb2cf..2dcb81e 100644
--- a/schrottserver/configuration.nix
+++ b/schrottserver/configuration.nix
@@ -11,6 +11,7 @@
 ../common.nix
 ./proxy.nix
 ./vaultwarden.nix
+ ./nextcloud.nix
 ];
 jade = {
diff --git a/schrottserver/nextcloud.nix b/schrottserver/nextcloud.nix
new file mode 100644
index 0000000..5d25c60
--- /dev/null
+++ b/schrottserver/nextcloud.nix
@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+{
+ services.nextcloud = {
+ enable = true;
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ adminpassFile = "${../secret-data/nextcloud-admin-pass}";
+ adminuser = "root";
+ };
+ package = pkgs.nextcloud25;
+ extraApps = with pkgs.nextcloud25Packages.apps; {
+ inherit bookmarks calendar contacts deck keeweb mail news notes onlyoffice polls tasks twofactor_webauthn;
+ };
+ extraAppsEnable = true;
+ hostName = "wolke.schrottkatze.de";
+ https = true;
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ # ensure that postgres is running *before* running the setup
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+}
diff --git a/schrottserver/proxy.nix b/schrottserver/proxy.nix
index b8a702c..95da384 100644
--- a/schrottserver/proxy.nix
+++ b/schrottserver/proxy.nix
@@ -1,13 +1,10 @@
 { inputs, config, pkgs, ... }:
-let
- domain = "schrottkatze.de";
- vaultwardenSubdomain = "vw";
-in {
+{
 security.acme = {
 acceptTerms = true;
 defaults.email = "jade@schrottkatze.de";
 certs = {
- "${vaultwardenSubdomain}.${domain}" = {
+ "vw.schrottkatze.de" = {
 group = "nginx";
 keyType = "rsa2048";
 };
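Review bot: `adminpassFile = "${../secret-data/nextcloud-admin-pass}";` in the new nextcloud.nix interpolates a repository path into a string, which copies the secret into the Nix store, so the admin password ends up world-readable under /nix/store on the host (and in any binary cache the closure is pushed to); the same commit also adds the plaintext file itself to the repository as secret-data/nextcloud-admin-pass. The option only needs a path that exists on the target machine when nextcloud-setup runs, so it should be a plain string such as `adminpassFile = "/PLACEHOLDER/path/on/host/nextcloud-admin-pass";` pointing at a root/nextcloud-readable file provisioned outside the store (a secrets tool such as agenix or sops-nix, or a manually placed file), with the committed copy removed from git history. The `ADMIN_TOKEN = builtins.readFile ../secret-data/vaultwarden-admin-token;` context line in the vaultwarden.nix hunk embeds that token into the store-resident generated config the same way and deserves the same treatment. Consider also a distinctly named admin instead of `adminuser = "root";`, which makes login attempts against that account easier to attribute in the logs.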
@@ -23,7 +20,7 @@ in {
 recommendedTlsSettings = true;
 virtualHosts = {
- "${vaultwardenSubdomain}.${domain}" = {
+ "vw.schrottkatze.de" = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
@@ -39,6 +36,10 @@ in {
 proxyWebsockets = true;
 };
 };
+ "wolke.schrottkatze.de" = {
+ forceSSL = true;
+ enableACME = true;
+ };
 };
 };
 }
diff --git a/schrottserver/vaultwarden.nix b/schrottserver/vaultwarden.nix
index b96dd0d..8ed816f 100644
--- a/schrottserver/vaultwarden.nix
+++ b/schrottserver/vaultwarden.nix
@@ -16,7 +16,7 @@
 ROCKET_LOG = "debug";
 ENABLE_WAL = false;
 ADMIN_TOKEN = builtins.readFile ../secret-data/vaultwarden-admin-token;
- DOMAIN = "http://localhost";
+ DOMAIN = "https://vw.schrottkatze.de";
 #SMTP_HOST = "mx.example.com";
 #SMTP_FROM = "bitwarden@example.com";
 #SMTP_FROM_NAME = "Bitwarden_RS";
diff --git a/secret-data/nextcloud-admin-pass b/secret-data/nextcloud-admin-pass
new file mode 100644
index 0000000..7ad3b0e
Binary files /dev/null and b/secret-data/nextcloud-admin-pass differ
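Review bot: The new `"wolke.schrottkatze.de" = {` virtualHost in the second proxy.nix hunk repeats the literal that nextcloud.nix sets as `services.nextcloud.hostName`, right after this commit dropped the `let` bindings that used to deduplicate the vaultwarden domain. As far as I recall the NixOS nextcloud module defines its own nginx virtualHost under that option's value, so this entry only adds ACME/forceSSL to it while the names match; if the two strings ever drift, the entry here becomes a separate bare vhost that gets the certificate but not the Nextcloud root. Keying the attribute on the option keeps them in lockstep without a second literal: `"${config.services.nextcloud.hostName}" = {` (`config` is already a parameter of this file). The enclosing `services.nginx.virtualHosts` set starts outside the hunk.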