diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix index 2655868..20a02ac 100644 --- a/hosts/poseidon/default.nix +++ b/hosts/poseidon/default.nix @@ -114,6 +114,10 @@ in domain = "monitoring.${config.networking.domain}"; }; + nextcloud = { + enable = true; + }; + postgresql-backup = { enable = true; }; diff --git a/secrets/default.nix b/secrets/default.nix index 7d0e393..2120a11 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -12,6 +12,8 @@ with lib; miniflux-admin-credentials = lib.fileContents ./miniflux-admin-credentials.secret; borg-backup-repo = lib.fileContents ./borg-backup-repo.secret; transmission-password = lib.fileContents ./transmission.secret; + nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret; + nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret; wireguard = pkgs.callPackage ./wireguard.nix { }; }; diff --git a/secrets/nextcloud-admin-pass.secret b/secrets/nextcloud-admin-pass.secret new file mode 100644 index 0000000..49f51ea Binary files /dev/null and b/secrets/nextcloud-admin-pass.secret differ diff --git a/secrets/nextcloud-admin-user.secret b/secrets/nextcloud-admin-user.secret new file mode 100644 index 0000000..e653faf Binary files /dev/null and b/secrets/nextcloud-admin-user.secret differ diff --git a/services/default.nix b/services/default.nix index 3000594..a8891a8 100644 --- a/services/default.nix +++ b/services/default.nix @@ -11,6 +11,7 @@ ./media.nix ./miniflux.nix ./monitoring.nix + ./nextcloud.nix ./nginx.nix ./postgresql-backup.nix ./tgv.nix diff --git a/services/nextcloud.nix b/services/nextcloud.nix new file mode 100644 index 0000000..1ab9924 --- /dev/null +++ b/services/nextcloud.nix 
@@ -0,0 +1,73 @@
+{ lib, config, pkgs, ... }:
+
+# TODO: setup prometheus exporter
+
+let
+ cfg = config.my.services.nextcloud;
+ my = config.my;
+ domain = config.networking.domain;
+ dbName = "nextcloud";
+in
+{
+ options.my.services.nextcloud = {
+ enable = lib.mkEnableOption "NextCloud";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # FIXME: set postgresql package globally
+ services.postgresql = {
+ enable = true;
+
+ ensureDatabases = [ dbName ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions = {
+ "DATABASE ${dbName}" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+
+ services.postgresqlBackup = {
+ databases = [ dbName ];
+ };
+
+ services.nextcloud = {
+ enable = true;
+
+ hostName = "cloud.${domain}";
+ https = true;
+ package = pkgs.nextcloud21;
+
+ maxUploadSize = "1G";
+
+ config = {
+ overwriteProtocol = "https";
+
+ defaultPhoneRegion = "FR";
+
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbname = dbName;
+ dbhost = "/run/postgresql";
+
+ adminuser = my.secrets.nextcloud-admin-user;
+ adminpass = my.secrets.nextcloud-admin-pass;
+ };
+ };
+
+ services.nginx = {
+ virtualHosts = {
+ "cloud.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+
+ my.services.borg-backup = lib.mkIf cfg.enable {
+ paths = [ config.services.nextcloud.home ];
+ };
+ };
+}
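Review bot: `adminpass = my.secrets.nextcloud-admin-pass;` in the `services.nextcloud.config` block hands the admin password to the module as a plain Nix string, and that string comes from `lib.fileContents ./nextcloud-admin-pass.secret` in secrets/default.nix, which reads the file at evaluation time. A value passed this way normally ends up in the generated setup script under `/nix/store`, which is readable by every local user, so the `.secret` file (shown as binary, presumably encrypted in the repository) only protects the password while it sits in git. The NixOS module also provides `adminpassFile`; using `adminpassFile = "<path-to-secret-file>";` with a file that lives outside the store and is readable only by the `nextcloud` user keeps the password out of the store. Since the admin credentials appear to be consumed only during the initial install, the password should be treated as exposed and rotated inside Nextcloud if this configuration has already been deployed on a multi-user host.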