diff --git a/docker/caddy/Caddyfile b/docker/caddy/Caddyfile
index d428c4a6..7c4b632d 100644
--- a/docker/caddy/Caddyfile
+++ b/docker/caddy/Caddyfile
@@ -4,8 +4,12 @@ korhonen.cc, *.korhonen.cc {
 resolvers 1.1.1.1
 }
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ }
+
 @homepage host korhonen.cc
- handle @homepage {
+ handle @homepage {
 root * /var/www/korhonen.cc
 file_server
 }
@@ -69,11 +73,45 @@ korhonen.cc, *.korhonen.cc {
 @umami host umami.korhonen.cc
 handle @umami {
- reverse_proxy umami:3000
+ reverse_proxy umami:3000
+ }
+
+ @nextcloud host cloud.korhonen.cc
+ handle @nextcloud {
+ encode gzip
+
+ # .htaccess / data / config / ... shouldn't be accessible from outside
+ @forbidden {
+ path /.htaccess
+ path /data/*
+ path /config/*
+ path /db_structure
+ path /.xml
+ path /README
+ path /3rdparty/*
+ path /lib/*
+ path /templates/*
+ path /occ
+ path /console.php
+ }
+ handle @forbidden {
+ respond 404
+ }
+
+ redir /.well-known/carddav /remote.php/dav 301
+ redir /.well-known/caldav /remote.php/dav 301
+
+ root * /var/www/nextcloud
+ php_fastcgi nextcloud:9000 {
+ root /var/www/html
+ # Tells nextcloud to remove /index.php from URLs in links
+ env front_controller_active true
+ }
+ file_server browse
 }
 # Fallback for unhandled domains
 handle {
- redir https://korhonen.cc/404.html
+ redir https://korhonen.cc/404.html 301
 }
 }
diff --git a/docker/caddy/docker-compose.toml b/docker/caddy/docker-compose.toml
index e335ee2e..7a51f6fe 100644
--- a/docker/caddy/docker-compose.toml
+++ b/docker/caddy/docker-compose.toml
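Review bot: The HSTS policy added in the first Caddyfile hunk (`@@ -4,8 +4,12 @@`) commits every host under korhonen.cc to HTTPS for a year, because `includeSubDomains; preload` is set at site level and applies to subdomains whether or not this Caddy instance serves them. A preload-list entry is slow to withdraw, so the block deserves a comment recording that this is deliberate, for example `# HSTS + preload covers all *.korhonen.cc hosts; confirm none still needs plain HTTP`. The other change in this hunk, on `handle @homepage {`, looks like whitespace only.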
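Review bot: `file_server browse` at the end of the new `handle @nextcloud` block (second Caddyfile hunk, `@@ -69,11 +73,45 @@`) enables directory listings under `/var/www/nextcloud`, so any directory without an index file that `@forbidden` misses can be enumerated; plain `file_server` serves the static assets without listings. The `@forbidden` entries `path /.xml`, `path /db_structure` and `path /README` match only those exact paths, so the list should be checked against the deny rules of the nginx.conf it replaces, which is not shown here. The removed Traefik labels also applied `secHeaders@file` and `nextcloud-security-headers@file`; apart from HSTS, no equivalent `header` directives are visible in this diff, so confirm nothing relied on them.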
@@ -2,11 +2,13 @@
 image = "slothcroissant/caddy-cloudflaredns"
 container_name = "caddy"
 restart = "unless-stopped"
+user = "82:82"
 ports = ["80:80", "443:443/tcp", "443:443/udp"]
 networks = ["proxy"]
 volumes = [
 "/docker/caddy/data:/data",
 "/docker/caddy/config:/config",
+ "/docker/nextcloud:/var/www/nextcloud",
 "/var/www/korhonen.cc:/var/www/korhonen.cc",
 "/var/www/wkd:/var/www/wkd",
 "/var/www/index.korhonen.cc:/var/www/index.korhonen.cc",
diff --git a/docker/nextcloud/docker-compose.toml b/docker/nextcloud/docker-compose.toml
index 24d58518..c6f588c8 100644
--- a/docker/nextcloud/docker-compose.toml
+++ b/docker/nextcloud/docker-compose.toml
@@ -1,28 +1,3 @@
-[services]
-
-[services.nextcloud-web]
-image = "nginx:alpine"
-container_name = "nextcloud-web"
-restart = "unless-stopped"
-networks = ["nextcloud", "proxy"]
-volumes = [
- "./nginx.conf:/etc/nginx/nginx.conf",
- "/docker/nextcloud:/var/www/html:z",
-]
-depends_on = ["nextcloud"]
-labels = [
- "traefik.enable=true",
- "traefik.http.routers.nextcloud-redirect.entrypoints=http",
- "traefik.http.routers.nextcloud-redirect.rule=Host(`cloud.korhonen.cc`)",
- "traefik.http.routers.nextcloud-redirect.middlewares=http2https@file",
- "traefik.http.routers.nextcloud.entrypoints=https",
- "traefik.http.routers.nextcloud.rule=Host(`cloud.korhonen.cc`)",
- "traefik.http.routers.nextcloud.service=nextcloud",
- "traefik.http.routers.nextcloud.middlewares=secHeaders@file,nextcloud-security-headers@file,nextcloud-redirect-dav@file,nextcloud-redirect-extra@file,compress@file",
- "traefik.docker.network=proxy",
- "traefik.http.services.nextcloud.loadbalancer.server.port=80",
-]
-
 [services.nextcloud]
 image = "nextcloud:fpm-alpine"
 container_name = "nextcloud"
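Review bot: The new volume in docker/caddy/docker-compose.toml should be read-only: `/docker/nextcloud:/var/www/nextcloud` is mounted read-write into the container that publishes ports 80 and 443, and the Caddyfile's `@forbidden` list suggests this tree holds `config/` and `data/`. Caddy only needs to read static files from it, so `"/docker/nextcloud:/var/www/nextcloud:ro",` limits what a compromise of the proxy could alter. The added `user = "82:82"` would also benefit from a comment giving the reason for that uid (presumably to match the owner of the Nextcloud files), and the existing `/docker/caddy/data` and `/docker/caddy/config` directories must be writable by it for certificate storage to keep working.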