diff --git a/compose.yaml b/compose.yaml
index 8726f96..420439d 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -152,9 +152,37 @@ services:
     networks:
       - frontnet
 
+  nextcloud:
+    image: nextcloud:latest
+    restart: always
+    container_name: nextcloud
+    volumes:
+      - nextcloud-data:/var/www/html
+      - nextcloud-apps:/var/www/html/custom_apps
+      - nextcloud-config:/var/www/html/config
+      - nextcloud-data:/var/www/html/data
+    environment:
+      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.oily.dad
+      - MYSQL_HOST=db
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_PASSWORD=${DOTENV_MYSQL_NEXTCLOUD_PASSWORD}
+      - NEXTCLOUD_ADMIN_USER=admin
+      - NEXTCLOUD_ADMIN_PASSWORD=${DOTENV_NEXTCLOUD_ADMIN_PASSWORD}
+      - NEXTCLOUD_DATA_DIR=/var/www/html/data
+    networks:
+      - backnet
+      - frontnet
+    depends_on:
+      db:
+        condition: service_healthy
+
 volumes:
   db-data:
   pmb-root:
+  nextcloud-data:
+  nextcloud-apps:
+  nextcloud-config:
 
 networks:
   backnet:
diff --git a/compose.yaml.prod b/compose.yaml.prod
index c1094c1..8726f96 100644
--- a/compose.yaml.prod
+++ b/compose.yaml.prod
@@ -81,7 +81,7 @@ services:
       - GITEA__server__LANDING_PAGE=explore
       - GITEA__ui__REACTIONS="+1, -1, fu, heart, laugh, confused, hooray, eyes, gun, boom, poop, kiss, rocket, bomb, chart_with_downwards_trend, eggplant"
       # To disable new users after setup:
-      - GITEA__service__DISABLE_REGISTRATION=false
+      - GITEA__service__DISABLE_REGISTRATION=true
     networks:
       - backnet
       - frontnet
diff --git a/dotenv b/dotenv
index 9b5c435..0c60f3a 100644
--- a/dotenv
+++ b/dotenv
@@ -31,4 +31,8 @@ FLASK_ADMIN_EMAIL="git@aaa"
 FLASK_JWT_PHRASE="jwtphrase"
 FLASK_REAL_HOSTNAME="localhost"
 
+# Nextcloud:
+DOTENV_MYSQL_NEXTCLOUD_PASSWORD="nextcloudp"
+DOTENV_NEXTCLOUD_ADMIN_PASSWORD="adminp"
+
 
diff --git a/proxy/conf b/proxy/conf
index 25ca6b9..1038d71 100755
--- a/proxy/conf
+++ b/proxy/conf
@@ -51,3 +51,22 @@ server {
 	}
 }
 
+server {
+	listen 443 ssl http2;
+	# use the certificates
+	ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
+	server_name nextcloud.oily.dad;
+	root /var/www/html;
+	index index.php index.html index.htm;
+
+	location / {
+		client_max_body_size 512M;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_pass http://nextcloud/;
+	}
+}
+