diff --git a/configuration.nix b/configuration.nix
index 59079ae..b0df0df 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -127,6 +127,72 @@
 };
 };
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ # Setup Nextcloud virtual host to listen on ports
+ virtualHosts = {
+ "nextcloud.samsehu.local" = {
+ # Force HTTP redirect to HTTPS
+ forceSSL = true;
+ # LetsEncrypt
+ enableACME = true;
+ };
+ };
+ };
+
+ services.nextcloud = {
+ enable = true;
+ hostName = "nextcloud.samsehu.local";
+ # Enable built-in virtual host management
+ # Takes care of somewhat complicated setup
+ nginx.enable = true;
+
+ # Use HTTPS for links
+ https = true;
+
+ autoUpdateApps.enable = true;
+ audoUpdateApps.startAt = "05:00:00";
+
+ config = {
+ overwriteProtocol = "https";
+
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ dbpassFile = "/var/nextcloud-db-pass";
+
+ adminpassFile = "/path/to/admin-pass-file";
+ adminuser = "admin";
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+
 # ACME client service for configuring SSL certificate
 security.acme = {
 acceptTerms = true;
@@ -158,6 +224,10 @@
 # Blocky DNS
 53
+ # Nextcloud / nginx
+ 80
+ 443
+
 # Blocky API
 4000
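Review bot: `audoUpdateApps.startAt = "05:00:00";` in the `services.nextcloud` block is a typo for `autoUpdateApps.startAt`; the NixOS module system rejects options that do not exist, so the configuration will not evaluate until it reads `autoUpdateApps.startAt = "05:00:00";`. Separately, `enableACME = true` on `nextcloud.samsehu.local` cannot succeed: `.local` is an mDNS name that a public CA such as Let's Encrypt will not validate, so either use a publicly resolvable domain or replace `enableACME` with `sslCertificate`/`sslCertificateKey` issued by an internal CA (the `security.acme` block this relies on continues past the hunk). `adminpassFile = "/path/to/admin-pass-file"` is still a placeholder, and both it and `/var/nextcloud-db-pass` are provisioned outside this config; presumably `nextcloud-setup` reads them on first run, so I would add `# Secret files are provisioned out-of-band: owner nextcloud, mode 0400` above `dbpassFile` and make sure neither lives on a world-readable path. The `sslCiphers` override also weakens what `recommendedTlsSettings` appears to already provide: `AES256+EECDH` matches CBC suites like `ECDHE-RSA-AES256-SHA` and the list drops ChaCha20 entirely, so I would remove the override or restrict it to AEAD suites, e.g. `sslCiphers = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL";`.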
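Review bot: The new `80` and `443` entries open nginx on every interface, while the `.local` hostname used for the vhost suggests this host is only meant to serve the LAN; if that is the intent, scope the rule with `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 80 443 ];` instead of the global list. Port 80 is needed only for the `forceSSL` redirect and HTTP-01 validation, so it is worth a comment such as `# 80: HTTP->HTTPS redirect / ACME challenge only` next to the entry. The enclosing `allowedTCPPorts` list starts before this hunk.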