diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml index 872e6ea..102766e 100644 --- a/machines/raven/secrets.yaml +++ b/machines/raven/secrets.yaml @@ -4,6 +4,7 @@ asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKN asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str] prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str] unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str] +nextcloud-adminpass: ENC[AES256_GCM,data:8yX92evqkh5XDuKaPdaOxXX474mE2m5b,iv:2gKYS2s2oW0s4hhug6Y8n+8M9YMxIzcTLAp5gbktfkQ=,tag:eoT892rpSKvReve4Au+uSA==,type:str] sops: kms: [] gcp_kms: [] @@ -19,8 +20,8 @@ sops: T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-04T10:58:16Z" - mac: ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str] + lastmodified: "2024-12-03T21:52:11Z" + mac: ENC[AES256_GCM,data:z4hl4FIVp9ZfsmEEv8ZkK6K5ndI0jMuumrLUtdhNsb9YFvwS+YIrqcdqytV1e2DSb5mlogN5L50ioCAhDljA15pKTUpu3LJRSfTS1b5U/dYZyZu6+PywlPOmSVYjCMP3E4nGuUR4n/gE2Z76Pt0FBI14PAph/iTeF90f64rYDv4=,iv:3IWUOUaH4Yh/g1D57b/u/C2vBR2dPH7Ma24CI0hAmas=,tag:2KIeAbZfOuORO3GmV3drpA==,type:str] pgp: - created_at: "2024-09-24T19:30:34Z" enc: |- 
@@ -54,4 +55,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1
diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix
index d0b18c3..3485c4a 100644
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@@ -8,6 +8,7 @@
 ./grafana.nix
 ./labsync
 ./mailhog.nix
+ ./nextcloud.nix
 ./prometheus.nix
 ./unifi-controller.nix
 ./wekan.nix
diff --git a/machines/raven/services/nextcloud.nix b/machines/raven/services/nextcloud.nix
new file mode 100644
index 0000000..5661520
--- /dev/null
+++ b/machines/raven/services/nextcloud.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+
+let
+ domain = "nextcloud.fablab-nea.de";
+in
+{
+ sops.secrets.nextcloud-adminpass = {
+ sopsFile = ../secrets.yaml;
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ services.nextcloud = {
+ enable = true;
+ hostName = domain;
+ #secretFile =
+ #config.dbpassFile
+ https = true;
+ config = {
+ adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
+ dbtype = "pgsql";
+ };
+ settings = {
+ overwriteprotocol = "https";
+
+ oidc_login_client_id = "nextcloud";
+ oidc_login_provider_url = "https://keycloak.fablab-nea.de";
+ oidc_login_attributes = {
+ id = "preferred_username";
+ };
+ oidc_login_scope = "openid profile";
+ oidc_login_button_text = "Log in with OpenID";
+ oidc_login_code_challenge_method = "S256";
+ };
+ database.createLocally = true;
+ extraApps =
+ with config.services.nextcloud.package.packages.apps;
+ {
+ inherit
+ bookmarks
+ calendar
+ contacts
+ deck
+ tasks
+ ;
+ }
+ // {
+ oidc_login = pkgs.fetchNextcloudApp {
+ license = "agpl3Plus";
+ url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.0/oidc_login.tar.gz";
+ sha256 = "sha256-0wAbTjVEZCXcob982eMaXkCgdR5fN60O2Q8vCpzIo+w=";
+ };
+ };
+ extraAppsEnable = true;
+ };
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+}
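Review bot: The OIDC block under `settings` sets `oidc_login_client_id` but no client secret, and the commented-out `#secretFile =` a few lines above suggests that part was left unfinished. Values placed in `services.nextcloud.settings` end up in the Nix store, which is readable by every local user, so if the Keycloak client is confidential the secret should come from a second sops secret wired in as `secretFile = config.sops.secrets.<placeholder-name>.path;` (a JSON file holding `oidc_login_client_secret`) and never from `settings`; if the client is meant to be public with PKCE only, replace the two dead comment lines with a comment that says so. `oidc_login_attributes.id = "preferred_username"` keys Nextcloud accounts on a value that, depending on realm settings, can be renamed or reassigned in the IdP; `id = "sub";` is the stable identifier, or add a comment stating that username editing is disabled in the realm. It is also worth confirming that `oidc_login_provider_url` resolves the discovery document without a realm path.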