diff --git a/configs/sputnik/configuration.nix b/configs/sputnik/configuration.nix
index ae7fd56..77aea0c 100644
--- a/configs/sputnik/configuration.nix
+++ b/configs/sputnik/configuration.nix
@@ -38,5 +38,15 @@
     iptables -t nat -A PREROUTING ! -i tinc.private -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0
   '';
 
+  # enable all subdomains to be reached to make nginx rules easier
+  services.dnsmasq = with lib; {
+    enable = true;
+    extraConfig = ''
+      ${concatStringsSep "\n"
+      (flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
+        (name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
+    '';
+  };
+
 }
 
diff --git a/configs/sputnik/nginx.nix b/configs/sputnik/nginx.nix
index 19e4865..5803790 100644
--- a/configs/sputnik/nginx.nix
+++ b/configs/sputnik/nginx.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }: {
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 4443 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 4443 ];
 
   services.nginx = {
     enable = true;
@@ -130,6 +131,56 @@
         };
       };
 
+      "nextcloud.ingolf-wagner.de" = {
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 4443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+            ssl = false;
+          }
+        ];
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://nextcloud.workhorse.private";
+          extraConfig = ''
+            sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
+            # used for view/edit office file via Office Online Server
+            client_max_body_size 0;
+          '';
+        };
+      };
+
+      "nextcloud.gaykraft.com" = {
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 4443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+            ssl = false;
+          }
+        ];
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://nextcloud.workhorse.private";
+          extraConfig = ''
+            sub_filter "http://nextcloud.gaykraft.com" "https://nextcloud.gaykraft.com";
+            # used for view/edit office file via Office Online Server
+            client_max_body_size 0;
+          '';
+        };
+      };
+
       "seafile.gaykraft.com" = {
         listen = [
           {
diff --git a/configs/workhorse/configuration.nix b/configs/workhorse/configuration.nix
index 189dde8..943fa31 100644
--- a/configs/workhorse/configuration.nix
+++ b/configs/workhorse/configuration.nix
@@ -24,6 +24,7 @@
     ./transmission.nix
     ./weechat.nix
     ./wetten.nix
+    ./nextcloud.nix
 
   ];
 
diff --git a/configs/workhorse/nextcloud.nix b/configs/workhorse/nextcloud.nix
new file mode 100644
index 0000000..4058a04
--- /dev/null
+++ b/configs/workhorse/nextcloud.nix
@@ -0,0 +1,12 @@
+{
+  services.nextcloud = {
+    enable = true;
+    autoUpdateApps.enable = true;
+    config.adminpassFile = toString <secrets/nextcloud/rootpassword>;
+    #home = "/home/nextcloud";
+    nginx.enable = true;
+    hostName = "nextcloud.workhorse.private";
+    logLevel = 0;
+    config.extraTrustedDomains = [ "nextcloud.gaykraft.com" ];
+  };
+}