diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix
index c3e126a3..2250a9c2 100644
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -11,6 +11,7 @@
 ./nix-serve.nix
 ./gitlab-runner.nix
 ./gitea.nix
+ ./nextcloud.nix
 ../hut/public-inbox.nix
 ../hut/msmtp.nix
 ../module/p.nix
diff --git a/m/tent/nextcloud.nix b/m/tent/nextcloud.nix
new file mode 100644
index 00000000..f9b1fc5c
--- /dev/null
+++ b/m/tent/nextcloud.nix
@@ -0,0 +1,71 @@
+{ pkgs, config, ... }:
+{
+ age.secrets.tent-nextcloud-admin-pass.file = ../../secrets/tent-nextcloud-admin-pass.age;
+
+ services.nextcloud = {
+ package = pkgs.nextcloud32;
+ enable = true;
+ hostName = "localhost";
+ config.adminpassFile = config.age.secrets.tent-nextcloud-admin-pass.path;
+ config.dbtype = "sqlite";
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps)
+ news
+ contacts
+ calendar
+ tasks;
+ # The app richdocuments (i.e. office) is not enabled yet as there are
+ # problems with the WOPI protocol in a subdir.
+ };
+ extraAppsEnable = true;
+ settings = let
+ prot = "https";
+ host = "jungle.bsc.es";
+ dir = "/nextcloud";
+ in {
+ overwriteprotocol = prot;
+ overwritehost = host;
+ overwritewebroot = dir;
+ overwrite.cli.url = "${prot}://${host}${dir}/";
+ htaccess.RewriteBase = dir;
+ };
+ };
+
+ services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ {
+ addr = "127.0.0.1";
+ port = 8066; # NOT an exposed port
+ } ];
+
+ services.nginx.virtualHosts."jungle.bsc.es".locations = {
+ "^~ /.well-known" = {
+ priority = 9000;
+ extraConfig = ''
+ absolute_redirect off;
+ location ~ ^/\\.well-known/(?:carddav|caldav)$ {
+ return 301 /nextcloud/remote.php/dav;
+ }
+ location ~ ^/\\.well-known/host-meta(?:\\.json)?$ {
+ return 301 /nextcloud/public.php?service=host-meta-json;
+ }
+ location ~ ^/\\.well-known/(?!acme-challenge|pki-validation) {
+ return 301 /nextcloud/index.php$request_uri;
+ }
+ try_files $uri $uri/ =404;
+ '';
+ };
+
+ "/nextcloud/" = {
+ priority = 9999;
+ extraConfig = ''
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_set_header X-Forwarded-Proto http;
+ proxy_pass http://127.0.0.1:8066/; # tailing / is important!
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ proxy_redirect off;
+ '';
+ };
+ };
+}
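Review bot: `overwrite.cli.url = "${prot}://${host}${dir}/";` and `htaccess.RewriteBase = dir;` inside `settings` are Nix attribute paths, so they define nested sets (`overwrite = { cli = { url = …; }; }`) instead of the literal dotted keys Nextcloud reads from config.php, and the NixOS module's own quoted `"overwrite.cli.url"` option is left at its default, so occ/cron-generated links would not point at `https://jungle.bsc.es/nextcloud/`. Quote both names: `"overwrite.cli.url" = "${prot}://${host}${dir}/";` and `"htaccess.RewriteBase" = dir;`. Separately, the `/nextcloud/` proxy block forwards `X-Forwarded-For` but nothing in the hunk sets `settings.trusted_proxies`, so Nextcloud will see every client as 127.0.0.1 and its per-IP brute-force throttling and audit log lose the real address; `settings.trusted_proxies = [ "127.0.0.1" ];` is the usual companion to this setup. `proxy_set_header X-Forwarded-Proto http;` also contradicts `overwriteprotocol = "https"` and is normally `$scheme`. Finally, the agenix secret only sets `file`, so unless ownership is configured elsewhere it is root-owned and mode 0400; if the setup service runs as the `nextcloud` user (as the upstream module does), it needs `owner = "nextcloud";` to read `adminpassFile`.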
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 920d52dc..036df5b1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,6 +22,7 @@ in
 "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
 "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
 "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;
+ "tent-nextcloud-admin-pass.age".publicKeys = tent;
 "vpn-dac-login.age".publicKeys = tent;
 "vpn-dac-client-key.age".publicKeys = tent;
diff --git a/secrets/tent-nextcloud-admin-pass.age b/secrets/tent-nextcloud-admin-pass.age
new file mode 100644
index 00000000..7d034789
Binary files /dev/null and b/secrets/tent-nextcloud-admin-pass.age differ