diff --git a/hosts/hainich/services/nextcloud.nix b/hosts/hainich/services/nextcloud.nix
new file mode 100644
index 0000000..477f8dd
--- /dev/null
+++ b/hosts/hainich/services/nextcloud.nix
@@ -0,0 +1,82 @@
+# TODOs before actually using this
+# - change root auth to use adminpassFile
+# - figure out how to enable redis caching
+# - figure out how to use multiple pools (do we need this?)
+# - how to enable ldap?
+# - move this into a container (only reason it's not in one already is
+# to make testing easy; just run the following for a local test:
+# `nixos-container create nextcloud --config-file nextcloud.nix`
+#
+# Additional notes:
+# - there is a services.nextcloud.phpExtraExtensions, which may be
+# useful for this, but it's only in nixos-unstable for now
+# - there's a services.nextcloud.autoUpdateApps – do we trust nextcloud
+# enough to enable it, or will everything break if we do?
+
+{ pkgs, ... }:
+{
+
+ environment.systemPackages = [ pkgs.htop ];
+
+ services.nextcloud = {
+ enable = true;
+
+ # must be set manually; may not be incremented by more than one at
+ # a time, otherwise nextcloud WILL break
+ package = pkgs.nextcloud20;
+
+ hostName = "10.233.2.2";
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ # there's also a adminpassFile option, but for testing this seems
+ # enough (less fiddling with getting the file into a nixos
+ # container for ad-hoc setups)
+ adminpass = "root";
+ adminuser = "root";
+ };
+
+ caching.redis = true;
+
+ # multiple pools may be doable using services.phpfpm.pools,
+ # but i have not tried this yet. The nextcloud module defines a
+ # pool "nextcloud"
+ poolSettings = {
+ pm = "dynamic";
+ "pm.max_children" = "32";
+ "pm.max_requests" = "500";
+ "pm.max_spare_servers" = "4";
+ "pm.min_spare_servers" = "2";
+ "pm.start_servers" = "2";
+ };
+
+ };
+
+ # TODO: this needs extra stuff in config.php, which right now can't
+ # be configured using this module. Perhaps we could fork it?
+ services.redis = {
+ enable = true;
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { # by default, postgres has unix sockets enabled, and allows a
+ # system user `nextcloud` to log in without other authentication
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ # ensure that postgres is running *before* running the setup
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
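Review bot: `adminpass = "root";` together with `adminuser = "root";` puts a credential literal into a Nix expression, and any string in a Nix expression is copied into the world-readable `/nix/store` on every host that evaluates it and stays in git history, so the "testing only" justification in the comment above it does not really hold; the top-of-file TODO already names the fix, but it should land before this file is committed, e.g. `adminpassFile = "/var/lib/nextcloud/admin-pass";` (root-only, outside the store) and a less guessable `adminuser` than "root", which is the first name any credential-stuffing tool tries. Separately, `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens 443 while nothing visible here enables TLS on the nginx vhost the nextcloud module derives from `hostName`, and with a bare IP as `hostName` ACME cannot be used; unless `services.nginx.virtualHosts."10.233.2.2".forceSSL` and a certificate are configured in another file, the admin login and session cookies travel over plain HTTP, so either add an internal/self-signed certificate to that vhost or drop 443 from the list until one exists. Finally, `services.redis.enable = true;` starts a daemon that, per the TODO just above it, nothing consumes yet; on NixOS releases where `services.redis.bind` defaults to all interfaces it listens unauthenticated on 6379 (the firewall default blocks it from outside, but not from other processes or containers sharing the interface), so consider `services.redis.bind = "127.0.0.1";` or leaving Redis disabled until the config.php wiring is in place.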