diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 8cf37ee..b1dd2b4 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -4,54 +4,36 @@ let
 in
 {
   sops.secrets = {
-    nextcloud_adminpass = {
+    nextcloud_adminpass.owner = "nextcloud";
+    nextcloud_ldap_search = {
+      key = "portunus/search-password";
       owner = "nextcloud";
-      group = "nextcloud";
     };
   };
 
   services = {
-    postgresql = {
-      enable = true;
-      ensureUsers = [
-        {
-          name = "nextcloud";
-          ensurePermissions = {
-            "DATABASE nextcloud" = "ALL PRIVILEGES";
-          };
-        }
-      ];
-      ensureDatabases = [ "nextcloud" ];
-    };
-
     nextcloud = {
       enable = true;
-      package = pkgs.nextcloud26; # Use current latest nextcloud package
+      package = pkgs.nextcloud25;
       enableBrokenCiphersForSSE = false; # disable the openssl warning
-      hostName = "${domain}";
+      hostName = domain;
       https = true; # Use https for all urls
       phpExtraExtensions = all: [
         all.ldap # Enable ldap php extension
       ];
       config = {
         dbtype = "pgsql";
-        dbuser = "nextcloud";
-        dbhost = "/run/postgresql";
-        dbname = "nextcloud";
         adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
         adminuser = "root";
       };
+      # postgres database is configured automatically
+      database.createLocally = true;
     };
 
     # Enable ACME and force SSL
-    nginx = {
-      recommendedProxySettings = true;
-      virtualHosts = {
-        "${domain}" = {
-          enableACME = true;
-          forceSSL = true;
-        };
-      };
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
     };
   };
 
@@ -60,4 +42,45 @@ in
     requires = [ "postgresql.service" ];
     after = [ "postgresql.service" ];
   };
+
+  # configure some settings automatically
+  systemd.services."phpfpm-nextcloud" =
+    let
+      occ = lib.getExe config.services.nextcloud.occ;
+      ldapConfig = rec {
+        ldapAgentName = "uid=search,ou=users,${ldapBase}";
+        ldapBase = config.services.portunus.ldap.suffix;
+        ldapBaseGroups = "ou=groups,${ldapBase}";
+        ldapBaseUsers = "ou=users,${ldapBase}";
+        ldapConfigurationActive = "1";
+        ldapEmailAttribute = "mail";
+        ldapGroupFilterObjectclass = "groupOfNames";
+        ldapGroupMemberAssocAttr = "member";
+        ldapHost = "localhost";
+        ldapPort = "389";
+        ldapUserDisplayName = "cn";
+        ldapUserFilterObjectclass = "posixAccount";
+        # generated by nextcloud
+        ldapGroupFilter = "(&(|(objectclass=groupOfNames)))";
+        ldapUserFilter = "(|(objectclass=posixAccount))";
+        ldapLoginFilter = "(&(|(objectclass=posixAccount))(uid=%uid))";
+      };
+      preStart = pkgs.writeScript "nextcloud-preStart" ''
+        # enable included LDAP app
+        ${occ} app:enable user_ldap
+
+        # set up new LDAP config if it does not exist
+        if ! ${occ} ldap:show-config s01 > /dev/null; then
+          ${occ} ldap:create-empty-config
+        fi
+
+        # update LDAP config
+        ${lib.concatLines (lib.mapAttrsToList (name: value: "${occ} ldap:set-config s01 '${name}' '${value}'") ldapConfig)}
+        ${occ} ldap:set-config s01 'ldapAgentPassword' $(cat ${config.sops.secrets.nextcloud_ldap_search.path})
+      '';
+    in
+    {
+      # run the whole preStart as nextcloud user, so that the log won't be cluttered by lots of sudo calls
+      serviceConfig.ExecStartPre = "/run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS ${preStart}";
+    };
 }