diff --git a/configuration.nix b/configuration.nix
index 8678af8..a56861f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -81,6 +81,11 @@
 enable = true;
 secret = lib.fileContents ./secrets/matrix/secret.txt;
 };
+ # Nextcloud self-hosted cloud
+ nextcloud = {
+ enable = true;
+ password = lib.fileContents ./secrets/nextcloud/password.txt;
+ };
 # The whole *arr software suite
 pirate.enable = true;
 # Usenet client
diff --git a/secrets/nextcloud/password.txt b/secrets/nextcloud/password.txt
new file mode 100644
index 0000000..c2e458c
Binary files /dev/null and b/secrets/nextcloud/password.txt differ
diff --git a/services/default.nix b/services/default.nix
index 75af859..62205f4 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -6,6 +6,7 @@
 ./jellyfin.nix
 ./matrix.nix
 ./media.nix
+ ./nextcloud.nix
 ./nginx.nix
 ./pirate.nix
 ./sabnzbd.nix
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
new file mode 100644
index 0000000..db4ade5
--- /dev/null
+++ b/services/nextcloud.nix
@@ -0,0 +1,68 @@
+# A self-hosted cloud.
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.services.nextcloud;
+ domain = config.networking.domain;
+ nextcloudDomain = "nextcloud.${config.networking.domain}";
+in
+{
+ options.my.services.nextcloud = with lib; {
+ enable = mkEnableOption "Nextcloud";
+ maxSize = mkOption {
+ type = types.str;
+ default = "512M";
+ example = "1G";
+ description = "Maximum file upload size";
+ };
+ admin = mkOption {
+ type = types.str;
+ default = "Ambroisie";
+ example = "admin";
+ description = "Name of the admin user";
+ };
+ password = mkOption {
+ type = types.str;
+ example = "password";
+ description = "The admin user's password";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud20; # Nextcloud 19.0.6 is marked as insecure
+ hostName = nextcloudDomain;
+ maxUploadSize = cfg.maxSize;
+ config = {
+ adminuser = cfg.admin;
+ adminpass = cfg.password; # Insecure, but I don't care
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+ overwriteProtocol = "https"; # Nginx only allows SSL
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+ services.nginx.virtualHosts."${nextcloudDomain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ locations."/".proxyPass = "http://localhost:3000/";
+ };
+ };
+}
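Review bot: `adminpass = cfg.password;` takes the admin password as a plain Nix string, and the configuration.nix hunk fills it with `lib.fileContents ./secrets/nextcloud/password.txt`, so the cleartext is evaluated into the system configuration and is likely to end up in the world-readable /nix/store, whatever protection the committed (binary) secrets file has in the repository. The upstream module also offers `adminpassFile`, read when the setup unit runs; I would replace the `password` option with a `passwordFile` option of `types.str` holding an absolute path outside the store, set `adminpassFile = cfg.passwordFile;`, and keep that file readable by the nextcloud user only. As far as I know the module applies the admin password only on first install, so a value already deployed this way should be rotated from inside Nextcloud after the switch. Separately, `locations."/".proxyPass = "http://localhost:3000/";` points the public vhost at a port nothing in this hunk binds, and the nextcloud module normally defines the vhost for `hostName` itself, so this line probably should be dropped, leaving only `forceSSL` and `useACMEHost`.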