diff --git a/hosts/pi4/default.nix b/hosts/pi4/default.nix
index 7c4b105..e4ec094 100644
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@@ -5,6 +5,7 @@
 (relativeToBase "modules")
 ./boot.nix
 ./hardware.nix
+ ./nextcloud.nix
 ./security
 ];
 }
diff --git a/hosts/pi4/nextcloud.nix b/hosts/pi4/nextcloud.nix
new file mode 100644
index 0000000..d930b95
--- /dev/null
+++ b/hosts/pi4/nextcloud.nix
@@ -0,0 +1,72 @@
+{ pkgs, config, ... }:
+let
+ adminPass = "nextcloud/admin-pass";
+ domain = "beta.nextcloud.martials.no";
+ dbname = "nextcloud";
+ dbuser = dbname;
+in
+{
+ services = {
+ nextcloud = {
+ enable = true;
+
+ autoUpdateApps.enable = true;
+
+ config = {
+ adminpassFile = config.sops.secrets.${adminPass}.path;
+ dbtype = "pgsql";
+ dbname = dbname;
+ dbuser = dbuser;
+ # default directory for postgresql, ensures automatic setup of db
+ dbhost = "/run/postgresql";
+ adminuser = "admin";
+ defaultPhoneRegion = "NO";
+ };
+
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps)
+ contacts
+ tasks
+ deck
+ ;
+ };
+ extraAppsEnable = true;
+
+ hostName = domain;
+ https = true;
+
+ package = pkgs.nextcloud31;
+
+ settings = {
+ trusted_domains = [
+ domain
+ ];
+ };
+ };
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ dbname ];
+ ensureUsers = [
+ {
+ name = dbuser;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ postgresqlBackup = {
+ enable = true;
+ location = "/data/backup/nextclouddb";
+ databases = [ dbname ];
+ # time to start backup in systemd.time format
+ startAt = "*-*-* 23:15:00";
+ };
+ };
+
+ sops.secrets.${adminPass}.neededForUsers = true;
+
+ # ensure postgresql db is started with nextcloud
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+}
diff --git a/shared/secrets/secrets.yaml b/shared/secrets/secrets.yaml
index f59fb67..2dd4638 100644
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
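Review bot: In hosts/pi4/nextcloud.nix, `sops.secrets.${adminPass}.neededForUsers = true;` looks copied from the login password-hash secret and is probably the wrong switch for a service credential. sops-nix uses that flag for secrets that must exist before user accounts are created; such secrets are decrypted early into a separate root-only directory and cannot be given a service owner, so whether `adminpassFile` is readable at first setup depends on how the Nextcloud module in this nixpkgs revision loads it. Unless the module is confirmed to read the file as root, I would replace the line with `sops.secrets.${adminPass}.owner = "nextcloud";`. Separately, `https = true` only makes Nextcloud emit https URLs; nothing in this file sets up TLS for the virtual host, so confirm that `forceSSL`/ACME or a TLS-terminating proxy is configured elsewhere before the admin login is exposed.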
@@ -1,4 +1,6 @@
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
+nextcloud:
+ admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -32,8 +34,8 @@ sops:
 SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
 YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-15T16:57:17Z"
- mac: ENC[AES256_GCM,data:HE/liIsb/7RazR671Keo5nH9+qp3BMPGxJcm97fzXkeO8TnCk/lNy43InKu7ON316G375F2oTeiuz90JthUYV2wBQFZTVWR6pROhRSewT7T3pp3lRPtIIwmvOmvJd537OVN1iz2p+1EgW4+gERrgQ9wPHWyyeFB7a9SkTeLmmGA=,iv:bvL1WyUHnnXB7gWZyVdru+j8oAFD11lbQkMvgWkgm24=,tag:CKFt/UlRRImKYakUI44fWw==,type:str]
+ lastmodified: "2025-05-27T17:56:45Z"
+ mac: ENC[AES256_GCM,data:rXUdrKF4qcuKkk9QASAti2yk+mWLRPzqHPLV85P1nJBoqa6bnLaEoWwfclwr2riTeLjK8ASRHGzi9xiY9867+lhui7+nd0ISBPZlRKTxfXNddBNMqSh+MguJ9e02mTm6OpbSVlovT5NPLiJcQyTodtI5Cvkc0LU5v8yCwRF98jI=,iv:TCSHdf4Y9QPOFNOVjKL3vro65C9SEUhSSNFXNYchzmk=,tag:wGbBdQwPXO30ymyhtAguYg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4