diff --git a/nixos/boxes/kelder/containers/spoder/default.nix b/nixos/boxes/kelder/containers/spoder/default.nix
index 2b5520c..6525e1c 100644
--- a/nixos/boxes/kelder/containers/spoder/default.nix
+++ b/nixos/boxes/kelder/containers/spoder/default.nix
@@ -37,6 +37,10 @@ in
                 owner = "acme";
                 group = "acme";
               };
+              "kelder/nextcloud-root.txt" = {
+                owner = "nextcloud";
+                group = "nextcloud";
+              };
             };
           };
         };
@@ -84,6 +88,20 @@ in
 
         services = {
           resolved.extraConfig = mkForce "";
+
+          nextcloud = {
+            enable = true;
+            package = pkgs.nextcloud26;
+            datadir = "/mnt/storage/nextcloud";
+            hostName = "cloud.${lib.my.kelder.domain}";
+            https = true;
+            enableBrokenCiphersForSSE = false;
+            config = {
+              extraTrustedDomains = [ "cloud-local.${lib.my.kelder.domain}" ];
+              adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
+              defaultPhoneRegion = "IE";
+            };
+          };
         };
       };
     };
diff --git a/nixos/boxes/kelder/containers/spoder/nginx.nix b/nixos/boxes/kelder/containers/spoder/nginx.nix
index 5561324..57f6654 100644
--- a/nixos/boxes/kelder/containers/spoder/nginx.nix
+++ b/nixos/boxes/kelder/containers/spoder/nginx.nix
@@ -169,6 +169,10 @@ in
                 extraConfig = lib.my.nginx.proxyHeaders;
               };
             };
+
+            "cloud.${lib.my.kelder.domain}" = {
+              serverAliases = [ "cloud-local.${lib.my.kelder.domain}" ];
+            };
           };
 
           defaultsFor = mapAttrs (n: _: {
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index 0aee137..60af3c6 100644
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -392,6 +392,16 @@ in
       (mkIf config.boot.plymouth.enable {
         my.tmproot.persistence.config.files = [ "/var/lib/plymouth/boot-duration" ];
       })
+      (mkIf config.services.nextcloud.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = config.services.nextcloud.home;
+            mode = "0750";
+            user = "nextcloud";
+            group = "nextcloud";
+          }
+        ];
+      })
     ]))
   ]);
 
diff --git a/secrets/kelder/nextcloud-root.txt.age b/secrets/kelder/nextcloud-root.txt.age
new file mode 100644
index 0000000..7559aa2
--- /dev/null
+++ b/secrets/kelder/nextcloud-root.txt.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGdTeFAwUSBaU3RZ
+elBWY1E2RVlUZFBUdGlnTGFZT0UwV05mVmY0NWxqQ3dVSHhGK0VJCkcxZTA3VXU0
+SDM4bDYwSXBqMVA2MFlxK2hCZVNJM000THR5SkVTd1hYdGcKLT4gWDI1NTE5IGpn
+TFh3NlprN29Pa3FLOTJhUm9BMDJWblFPNWxYN01jZGxadzBUd2VHWGcKZkpzZUN1
+ZTNiOGl3aHh3Qm9WVnA0Nm5lQUJvMk4rV3R3eitqUTA1NkZaUQotPiB7Sm4tZ3Jl
+YXNlIG50TAowSlhDRytNNmJjbWNHaUtwMlZsSm9VeFFaaG5zQmk0RXVOQUVEYnE2
+UCsvZytYQUxHVkE1bCtuRGc5MUdOUFN5CkU3R1VUamVXCi0tLSB2dXdaNGxHaUY2
+bHFCQ015NUsxQkJ0bXphb05GY2piS0RDSEU2OXN3bitnClW6fcLB1n9IDiiSjzfw
+6i7tVP1BmaJAZThvuyUvNoTA42NOdJCkGbqa86/pliuCFh5UK2vM
+-----END AGE ENCRYPTED FILE-----