diff --git a/nixos/machines/orbi/configuration.nix b/nixos/machines/orbi/configuration.nix
index 4fee6f3..5d337a9 100644
--- a/nixos/machines/orbi/configuration.nix
+++ b/nixos/machines/orbi/configuration.nix
@@ -13,7 +13,7 @@
 #./borg.nix
 #./codimd.nix
 #./gitea.nix
- #./nextcloud.nix
+ ./nextcloud.nix
 #./packages.nix
 #./taskserver.nix
 #./vaultwarden.nix
diff --git a/nixos/machines/orbi/nextcloud.nix b/nixos/machines/orbi/nextcloud.nix
index 455f00c..0582c18 100644
--- a/nixos/machines/orbi/nextcloud.nix
+++ b/nixos/machines/orbi/nextcloud.nix
@@ -4,38 +4,20 @@
 # -------------------------------------------------
 # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
 # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
-#
-# ! use lvm snapshots to do rollback !
 let
-
- hostInterface = "enp3s0";
- hostAddress = "192.168.100.10";
- containerAddress = "192.168.100.11";
 nextcloudUid = 1000;
- borg_backup_folder = "/media/syncthing/nextcloud_backup/robi";
+ nextcloudGid = 1000;
+ nextcloudPort = 8080;
+ nextcloudHostName = "cloud.ingolf-wagner.de";
+ phpPackage = pkgs.php73;
+ nextcloudPackage = pkgs.nextcloud28;
+ mySQLPackage = pkgs.mysql;
 in {
- # Host Setup
- # ==========
-
- # give containers internet access
- networking.nat.enable = true;
- networking.nat.internalInterfaces = [ "ve-nextcloud" ];
- networking.nat.externalInterface = hostInterface;
-
- # don't let networkmanager manger container network
- networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
-
- # open ports for logging
- #networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
- # [ 5044 12304 12305 ];
- #networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
- # [ 5044 12304 12305 ];
-
 # host nginx
 # ----------
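Review bot: `phpPackage = pkgs.php73;` sits next to `nextcloudPackage = pkgs.nextcloud28;` in the new let block, but PHP 7.3 has been end-of-life since December 2022 and Nextcloud 28 requires PHP 8.1 or newer, so this pairing either fails to evaluate (php73 has, as far as I know, been dropped from current nixpkgs) or runs an unpatched interpreter under the web application. The binding is only consumed by `services.phpfpm.phpPackage` in a later hunk, and it is not clear from this diff whether the Nextcloud module's own pool uses it at all, since the module carries its own `services.nextcloud.phpPackage` default. Suggest either bumping to a supported release, e.g. `phpPackage = pkgs.php82;`, or dropping the binding and letting the module default apply. The let block continues into the attribute set that starts at `in {` and runs past this hunk.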
@@ -46,14 +28,14 @@ in
 enable = true;
 recommendedProxySettings = true;
 virtualHosts = {
- "nextcloud.ingolf-wagner.de" = {
+ "${nextcloudHostName}" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://${containerAddress}";
+ proxyPass = "http://localhost:${toString nextcloudPort}";
 extraConfig = ''
- sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
+ sub_filter "http://${nextcloudHostName}" "https://${nextcloudHostName}";
 # used for view/edit office file via Office Online Server
 client_max_body_size 0;
 proxy_buffering off; # to download files bigger than 1GB
@@ -67,28 +49,6 @@ in
 priority = 210;
 extraConfig = "return 301 $scheme://$host/remote.php/dav;";
 };
- #"~ .(?:css|js|svg|gif)$" = {
- # proxyPass = "http://${containerAddress}$request_uri";
- # extraConfig = ''
- # expires 6M; # Cache-Control policy borrowed from `.htaccess`
- # access_log off; # Optional: Don't log access to assets
- # sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
- # sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
- # # used for view/edit office file via Office Online Server
- # client_max_body_size 0;
- # '';
- #};
- #"~ .woff2?$" = {
- # proxyPass = "http://${containerAddress}$request_uri";
- # extraConfig = ''
- # expires 7d; # Cache-Control policy borrowed from `.htaccess`
- # access_log off; # Optional: Don't log access to assets
- # sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
- # sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
- # # used for view/edit office file via Office Online Server
- # client_max_body_size 0;
- # '';
- #};
 };
 };
 };
@@ -102,7 +62,7 @@ in
 uid = nextcloudUid;
 group = "nextcloud";
 };
- users.groups.nextcloud = { };
+ users.groups.nextcloud.gid = nextcloudGid;
 # Container Setup
@@ -126,34 +86,28 @@ in
 isReadOnly = true;
 };
- home = {
- # make sure this folder exist on the host
- hostPath = toString "/var/lib/nextcloud";
- mountPoint = "/var/lib/nextcloud";
- isReadOnly = false;
- };
- db = {
- # make sure this folder exist on the host
- hostPath = toString "/var/lib/nextcloud_mysql";
- mountPoint = "/var/lib/mysql";
- isReadOnly = false;
- };
- media = {
- #mountPoint = toString config.services.syncthing.folders.media.path;
- #hostPath = toString config.services.syncthing.folders.media.path;
- mountPoint = "/media/syncthing/media";
- hostPath = "/media/media";
- isReadOnly = true;
- };
+ #home = {
+ # # make sure this folder exist on the host
+ # hostPath = toString "/var/lib/nextcloud";
+ # mountPoint = "/var/lib/nextcloud";
+ # isReadOnly = false;
+ #};
+ #db = {
+ # # make sure this folder exist on the host
+ # hostPath = toString "/var/lib/nextcloud_mysql";
+ # mountPoint = "/var/lib/mysql";
+ # isReadOnly = false;
+ #};
+ #media = {
+ # #mountPoint = toString config.services.syncthing.folders.media.path;
+ # #hostPath = toString config.services.syncthing.folders.media.path;
+ # mountPoint = "/media/syncthing/media";
+ # hostPath = "/media/media";
+ # isReadOnly = true;
+ #};
 };
- # container network setup
- # see also nating on host system.
- privateNetwork = true;
- hostAddress = hostAddress;
- localAddress = containerAddress;
-
-
+ privateNetwork = false;
 autoStart = true;
 config = { config, pkgs, lib, ... }: {
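Review bot: `privateNetwork = false;` puts the container into the host's network namespace, so every socket opened inside it (the nginx on `nextcloudPort` configured in a later hunk, MariaDB on 3306 unless its bind-address is restricted somewhere this diff does not show) becomes a host-wide listener, and the container's own `networking.firewall` lines, commented out further down, no longer isolate anything. Only the host firewall then stands between those ports and the other interfaces, so each in-container service should bind to loopback explicitly; for the database that is `services.mysql.settings.mysqld.bind-address = "127.0.0.1";` in the container config, which is safe as long as Nextcloud's dbhost stays localhost. Separately, commenting out the `home` and `db` bind mounts means `/var/lib/nextcloud` and `/var/lib/mysql` now live in the container's own state directory rather than the host paths the old config used; if this host already holds data there it will not be picked up, and the mysql dumps (whose `location` is dropped in a later hunk) land inside the container as well. The enclosing container definition starts before this hunk and its `config` function continues past it.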
@@ -161,13 +115,16 @@ in
 # Configuring nameservers for containers is currently broken.
 # Therefore in some cases internet connectivity can be broken inside the containers.
 # A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this:
- environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
+ #environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
- system.stateVersion = "21.05";
+ system.stateVersion = "23.11";
 users.users.nextcloud.uid = nextcloudUid;
 services.nginx = {
+ defaultListen = [
+ { addr = "0.0.0.0"; port = nextcloudPort; }
+ ];
 # Use recommended settings
 recommendedGzipSettings = lib.mkDefault true;
 recommendedOptimisation = lib.mkDefault true;
@@ -175,8 +132,8 @@ in
 recommendedTlsSettings = lib.mkDefault true;
 };
- networking.firewall.allowedTCPPorts = [ 80 ];
- networking.firewall.allowedUDPPorts = [ 80 ];
+ #networking.firewall.allowedTCPPorts = [ 80 ];
+ #networking.firewall.allowedUDPPorts = [ 80 ];
 # nextcloud database
 # ==================
@@ -201,7 +158,7 @@ in
 # if you do this don't forget --default-character-set=utf8mb4 for mysqldump
 services.mysql = {
 enable = true;
- package = pkgs.mysql;
+ package = mySQLPackage;
 # https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
 ensureDatabases = [ "nextcloud" ];
 ensureUsers = [{
@@ -222,7 +179,6 @@ in
 enable = true;
 databases = config.services.mysql.ensureDatabases;
 singleTransaction = true;
- location = "/var/lib/nextcloud/database_backups";
 };
 systemd.services."mysql-backup".serviceConfig = {
 ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
@@ -231,7 +187,7 @@ in
 # in php
 services.phpfpm = {
- phpPackage = pkgs.php73;
+ phpPackage = phpPackage;
 phpOptions = ''
 opcache.revalidate_freq = 10
 '';
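Review bot: The new `defaultListen` binds the container's nginx to `0.0.0.0`, which together with `privateNetwork = false;` from the previous hunk makes the plain-HTTP Nextcloud on `nextcloudPort` reachable on every host interface the host firewall permits, bypassing the TLS/ACME front proxy and its `sub_filter` rewriting; the only intended client is the host nginx on `localhost`, so `{ addr = "127.0.0.1"; port = nextcloudPort; }` is the right scope. `proxyPass = "http://localhost:${toString nextcloudPort}"` in an earlier hunk may resolve `localhost` to `::1` as well, so pin it to `http://127.0.0.1:${toString nextcloudPort}` (or add a second listen entry for `::1`) to keep the two sides consistent. The commented-out `allowedTCPPorts` lines in the following hunk are moot on a shared namespace, so the bind address is the only control left on the container side. The enclosing `services.nginx` block continues past this hunk.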
@@ -240,17 +196,16 @@ in
 # nextcloud setup
 services.nextcloud = {
 enable = true;
- package = pkgs.nextcloud27;
+ package = nextcloudPackage;
 autoUpdateApps.enable = true;
 # nginx.enable = true;
 # enableBrokenCiphersForSSE = false; # see https://github.com/NixOS/nixpkgs/pull/198470
- hostName = "nextcloud.ingolf-wagner.de";
+ hostName = nextcloudHostName;
 logLevel = 2;
 https = true;
 config = {
 adminpassFile = "/run/secrets/nextcloud_root_password";
 overwriteProtocol = "https";
- trustedProxies = [ "144.76.13.147" hostAddress ];
 dbtype = "mysql";
 dbpassFile = "/run/secrets/nextcloud_database_password";
 dbport = 3306;
@@ -260,42 +215,4 @@ in
 };
 };
-
- # Backup Config
- # -------------
- #backup.dirs = [
- # "/home/nextcloud/config"
- # "/home/nextcloud/database_backups" # created by mysqlBackup
- #];
-
- # Backup Files
- # ------------
- services.borgbackup.jobs = {
- "nextcloud-to-media" = {
- repo = borg_backup_folder;
- # make sure syncthing is capable of reading the files
- postHook = ''
- chown -R syncthing:syncthing ${borg_backup_folder}
- '';
- compression = "lz4";
- paths = [
- "/var/lib/nextcloud/data/tina/files"
- "/var/lib/nextcloud/data/palo/files"
- "/var/lib/nextcloud/data/palo-windows/files"
- ];
- doInit = true;
- encryption = {
- mode = "repokey-blake2";
- passCommand = "cat ${config.sops.secrets.backup_repository_passphrase.path}";
- };
- startAt = "0/3:00:00";
- prune.keep = {
- within = "2d"; # Keep all backups in the last 10 days.
- daily = 10; # Keep 10 additional end of day archives
- weekly = 8; # Keep 8 additional end of week archives.
- month = 8; # Keep 8 additional end of month archives.
- };
- };
- };
 }
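Review bot: Dropping `trustedProxies` entirely leaves Nextcloud with no trusted proxy at the moment the host nginx starts reaching it over `localhost` (earlier hunk), so Nextcloud will stop honouring `X-Forwarded-For` from the reverse proxy and every request will appear to originate from loopback: brute-force throttling, the log entries and any IP-based rules then all see one client address. The old public IP and `hostAddress` are rightly gone now that the container has no address of its own, but the loopback addresses the proxy connects from should take their place, `trustedProxies = [ "127.0.0.1" "::1" ];`, next to `overwriteProtocol`. Whether `::1` is actually used depends on how `localhost` resolves for the proxyPass, which this diff does not show, so listing both is the safe choice. The enclosing `services.nextcloud.config` block continues past this hunk.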