diff --git a/modules/matrix.nix b/modules/matrix.nix index b4e8c03..8e51af1 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -20,6 +20,7 @@ local all postgres peer local all all peer host all all 127.0.0.1/32 md5 host synapse matrix-synapse ::1/128 md5 +host nextcloud nextcloud ::1/128 md5 host all all ::1/128 md5 local replication all peer host replication all 127.0.0.1/32 md5 @@ -29,6 +30,7 @@ host replication all ::1/128 md5 # ArbitraryMapName systemUser DBUser superuser_map root postgres superuser_map matrix-synapse synapse + superuser_map nextcloud nextcloud superuser_map postgres postgres # Let other names login as themselves superuser_map /^(.*)$ \1 diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 20de2b0..da30f2d 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix 
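Review bot: The added `host nextcloud nextcloud ::1/128 md5` rule grants nothing that the `host all all ::1/128 md5` line directly below it does not already grant with the same method, so it does not confine the nextcloud role to its own database. The second hunk has the same problem: `superuser_map nextcloud nextcloud` is already covered by the catch-all `superuser_map /^(.*)$ \1`. If per-service isolation is the goal, the catch-all entries would have to be removed or narrowed, which this commit does not do; otherwise a comment such as `# explicit entry for documentation only, the catch-all below already matches` would state the intent. `md5` is also the weaker of PostgreSQL's password methods, and `scram-sha-256` would be preferable for a new role, provided `password_encryption` and the stored password hashes are switched with it. Both hunks sit inside configuration strings that start and end outside the visible lines.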
@@ -4,25 +4,69 @@ let nextcloud_host = "cloud.${root_host}"; nextcloud_port = 8083; in { - security.acme.certs."${root_host}".extraDomainNames = [ nextcloud_host ]; - age.secrets.nextcloud_admin_pass = { - file = ../secrets/nextcloud_admin_pass.age; - owner = "nextcloud"; - group = "nextcloud"; - mode = "0600"; + services.postgresql = { + enable = true; + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { + name = "nextcloud"; + ensureDBOwnership = true; + } + ]; }; + security.acme.certs."${root_host}".extraDomainNames = [ nextcloud_host ]; + age.secrets = { + nextcloud_admin_pass = { + file = ../secrets/nextcloud_admin_pass.age; + owner = "nextcloud"; + group = "nextcloud"; + mode = "0600"; + }; + }; + + services.redis.servers.nextcloud = { + enable = true; + bind = "::1"; + port = 6379; + }; + + systemd.services.nextcloud-setup.serviceConfig.ExecStartPost = pkgs.writeScript "nextcloud-redis.sh" '' + #!${pkgs.runtimeShell} + nextcloud-occ config:system:set redis 'host' --value '::1' --type string + nextcloud-occ config:system:set redis 'port' --value 6379 --type integer + nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string + nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string + ''; services.nextcloud = { enable = true; https = true; hostName = nextcloud_host; package = pkgs.nextcloud28; + caching.redis = true; + # extraApps = with config.services.nextcloud.package.packages.apps; [ # news contacts calendar tasks; # ]; config = { + overwriteProtocol = "https"; adminpassFile = config.age.secrets.nextcloud_admin_pass.path; + dbport = config.services.postgresql.port; + dbuser = "nextcloud"; + dbtype = "pgsql"; + defaultPhoneRegion = "DE"; + }; + phpOptions = { + "opcache.interned_strings_buffer" = "12"; + }; + extraOptions = { + filelocking.enabled = true; + redis = { + host = "localhost"; + port = 6379; + timeout = 0.0; + }; }; }; 
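Review bot: The `config` block switches to `dbtype = "pgsql"` with `dbuser = "nextcloud"` but sets neither `dbhost` nor `dbpassFile`, and `age.secrets` still declares only `nextcloud_admin_pass`, so the `nextcloud_db_pass.age` file added by this commit is never decrypted or referenced. The pg_hba rules in matrix.nix require a password for TCP logins, and `ensureUsers` as written here sets none. Either declare the secret and use `dbpassFile = config.age.secrets.nextcloud_db_pass.path;`, or connect over the Unix socket with `dbhost = "/run/postgresql";` so that peer authentication applies. Separately, the Redis instance listens on TCP `::1` port 6379 without authentication, so any local process can read and alter Nextcloud's cache and file-lock data; a Unix socket (`unixSocket` with `port = 0`) or `requirePassFile` would narrow that. `extraOptions.redis.host = "localhost"` also disagrees with the `'::1'` written by the ExecStartPost script and may resolve to 127.0.0.1, where this instance does not listen; the module's attribute set continues past the end of the hunk.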
diff --git a/secrets/nextcloud_db_pass.age b/secrets/nextcloud_db_pass.age new file mode 100644 index 0000000..6bd73ce --- /dev/null +++ b/secrets/nextcloud_db_pass.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-rsa jWbwAg +ULPpqCrbkoqF5Zx+YNl2igi962ho+4bJv4ZqkdUJWXKvwBCKBujUhTRubao3E1H7 +M6Qa1X/ENOjLRjaDGN/LHTKl+7yv7TyayHxWlPVylBHgs2m18Zr0+pcIl+771FSm +E0QFs61ENZibrBubOv9sib0Drb/8hi393kLAuBIIblzVt8Td3eLz9oXBltkXDJ26 +ndY61jJbMcOkaS/AgcENSdwuDETxlceOBNuIRucjpcGFDrobngJyNbV8amH3Fc4D +07iwIGFK5xF+Z3h1dH+oKPTqenDcBsq32LYNOUczap0ia4/CCw/by/VrTnudX9FC +VGJ3MmJIXLaeCMMSsHEQNrNf6hq+rysuAeW3rUco8k9lWv4J08l2Z4wEfwIX3UdT +LmyTe9FeKib8ul4FuAnAXWl5Mwik2xG87Ci375/qeZgIduH6UyelBErzGA5HwtV+ +Zhfo+moImBg5wkQAMqBEYo3llMU4S0uV3A7sxcFSGrKnW+qFt46+TzkAAZJCBaFC +tXM44LI+JceJhlBnI83sayEf1kEQlsxGqqdOpRQaVI5xBX7rGduFOFsVFAOO60I9 +jIESQSoV36KVgm4w+v99jYiLI9mfHRNzC0KH5qeTW8tST6N1+TyP0uhzfIoNVfpg +buHTgKaPO37VciLDT2qGz8VVcbg7wlFE2neNPqQQss4 +--- CWjL7M33VOuujkVFJG+zj8JwUwvA2ymMNvjIXvAxNxE +`n\U‘D`A?xM7ReNJI}G=x@ٔ4)Rfrw }Z2 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index caaead7..8c8f6ae 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -8,4 +8,5 @@ in "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ]; "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ]; "nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub ]; + "nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub ]; }