diff --git a/modules/services/adguardhome/default.nix b/modules/services/adguardhome/default.nix index 467b7a6..e9dcc9b 100644 --- a/modules/services/adguardhome/default.nix +++ b/modules/services/adguardhome/default.nix @@ -60,6 +60,8 @@ in { }; networking.firewall = { + # TODO: Remove this here and leave it up to systems to decide to enable + # the firewall enable = true; allowedTCPPorts = [ # Plain DNS diff --git a/modules/services/nextcoud/default.nix b/modules/services/nextcoud/default.nix new file mode 100644 index 0000000..3afaf5e --- /dev/null +++ b/modules/services/nextcoud/default.nix @@ -0,0 +1,46 @@ +{ + options, + config, + lib, + pkgs, + format, + ... +}: +with lib; let + cfg = config.aa.services.nextcloud; +in { + options.aa.services.nextcloud = with types; { + enable = mkEnableOption "nextcloud"; + }; + + config = mkIf cfg.enable { + age.secrets.nextcloud_admin = { + file = ../../../secrets/nextcloud_admin.age; + owner = "nextcloud"; + group = "nextcloud"; + }; + + services.nextcloud = { + enable = true; + package = pkgs.nextcloud27; + hostName = "nextcloud.kilonull.com"; + https = true; + database.createLocally = true; + # Arbitrary large size + maxUploadSize = "16G"; + config = { + dbtype = "pgsql"; + adminuser = "alejandro"; + adminpassFile = config.age.secrets.nextcloud_admin.path; + }; + }; + + # nextcloud module configures nginx, just need to specify SSL stuffs here + services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { + forceSSL = true; + useACMEHost = "kilonull.com"; + }; + + networking.firewall.allowedTCPPorts = [80 443]; + }; +} diff --git a/secrets/nextcloud_admin.age b/secrets/nextcloud_admin.age new file mode 100644 index 0000000..d1ee0db --- /dev/null +++ b/secrets/nextcloud_admin.age 
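Review bot: In modules/services/nextcoud/default.nix the module opens TCP 80 and 443 itself with `networking.firewall.allowedTCPPorts = [80 443];`, the same module-level firewall decision that the TODO added to the adguardhome module in this commit says should be left to each system. Gating it keeps exposure an explicit per-host choice: declare `openFirewall = mkEnableOption "opening TCP ports 80 and 443 for nextcloud";` next to `enable` and write `networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [80 443];`. As far as I know, `adminpassFile` is read only by the initial Nextcloud setup, so re-encrypting `nextcloud_admin.age` with a new value later will not rotate the admin password; a comment such as `# only used at first install; rotate the password inside Nextcloud` beside it would prevent a false sense of rotation. `useACMEHost = "kilonull.com"` relies on a certificate defined outside this diff that must also cover `nextcloud.kilonull.com`, which deserves a one-line comment. The directory name `nextcoud` is missing an "l", while the option path is `aa.services.nextcloud`.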
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 Yk7ehg jGTbLdX/9pfr1mMPZQMfutxjJx82h+fbLR7Aun7b31A +pt/Mf1YRNF9PM5HWuz3dC24P9F6n190Nm7zVH/Rz48U +-> piv-p256 UIEGzg A+roQyuPNOR0XX+rOn9sgtN7ja6j5h7v0zXQavvj91YH +2uhjJwrcMjidT5MRaAL9fLtSGd6+Km4K8FOvQukyhSQ +-> o-grease ~&WP )T+8 +I2ZtPacZkO2VeFhzPEkvZDdXFg +--- tGKnzyOnnKkdQKcQxEBx0OltPyhndHDxnveNE07HUTg + ª‹ÅœÉ˸*õŽ§¯ <ùÙ\ž´\J0ðÑWašB0u\§Åt¡ØãÞ°Š´mÛptÕI=ûN ÇpŠ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e5eaca7..f64967c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -5,4 +5,5 @@ let machines.node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv"; in { "cf_dns_kilonull.age".publicKeys = [users.me machines.node]; + "nextcloud_admin.age".publicKeys = [users.me machines.node]; } diff --git a/systems/x86_64-linux/node/default.nix b/systems/x86_64-linux/node/default.nix index 93d9e1a..c4099fa 100644 --- a/systems/x86_64-linux/node/default.nix +++ b/systems/x86_64-linux/node/default.nix @@ -19,6 +19,7 @@ }; services.openssh.enable = true; services.adguardhome.enable = true; + services.nextcloud.enable = true; system.zfs.enable = true; system.monitoring.enable = true;