diff --git a/hosts/cirrus/default.nix b/hosts/cirrus/default.nix
index 7864357..25f57c8 100644
--- a/hosts/cirrus/default.nix
+++ b/hosts/cirrus/default.nix
@@ -4,5 +4,6 @@
     ./configuration.nix
     ./secrets.nix
     ./wireguard-server.nix
+    ./nextcloud-proxy.nix
   ];
 }
diff --git a/hosts/cirrus/nextcloud-proxy.nix b/hosts/cirrus/nextcloud-proxy.nix
new file mode 100644
index 0000000..7e9a351
--- /dev/null
+++ b/hosts/cirrus/nextcloud-proxy.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, ... }: {
+  security.acme = {
+    defaults.email = "acme@oxapentane.com";
+    acceptTerms = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedGzipSettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+  };
+
+  services.nginx.virtualHosts."nc.oxapentane.com" = {
+    enableACME = true;
+    forceSSL = true;
+    extraConfig = ''
+      client_max_body_size 512M;
+    '';
+    locations = {
+      "/" = {
+      #  extraConfig = '' return 503; '';
+      proxyPass = "http://10.34.45.100:8080";
+      };
+      "/well-known/carddav" = {
+      return = "301 $scheme://$host/remote.php/dav";
+      };
+      "/well-known/caldav" = {
+      return = "301 $scheme://$host/remote.php/dav";
+      };
+
+    };
+  };
+}