diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 8cf37ee..4a2d077 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -4,23 +4,22 @@ let
 in {
 sops.secrets = {
- nextcloud_adminpass = {
+ nextcloud_adminpass.owner = "nextcloud";
+ nextcloud_ldap_search = {
+ key = "portunus/search-password";
 owner = "nextcloud";
- group = "nextcloud";
 };
 };
 services = {
 postgresql = {
 enable = true;
- ensureUsers = [
- {
- name = "nextcloud";
- ensurePermissions = {
- "DATABASE nextcloud" = "ALL PRIVILEGES";
- };
- }
- ];
+ ensureUsers = [{
+ name = "nextcloud";
+ ensurePermissions = {
+ "DATABASE nextcloud" = "ALL PRIVILEGES";
+ };
+ }];
 ensureDatabases = [ "nextcloud" ];
 };
@@ -28,7 +27,7 @@ in
 enable = true;
 package = pkgs.nextcloud26; # Use current latest nextcloud package
 enableBrokenCiphersForSSE = false; # disable the openssl warning
- hostName = "${domain}";
+ hostName = domain;
 https = true; # Use https for all urls
 phpExtraExtensions = all: [
 all.ldap # Enable ldap php extension
@@ -44,14 +43,9 @@ in
 };
 # Enable ACME and force SSL
- nginx = {
- recommendedProxySettings = true;
- virtualHosts = {
- "${domain}" = {
- enableACME = true;
- forceSSL = true;
- };
- };
+ nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
 };
 };
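Review bot: The third hunk drops `recommendedProxySettings = true;` from the nginx block while otherwise only collapsing the virtualHosts path, so the commit silently changes a global nginx option rather than just restyling it. That option applies to every `proxy_pass` location on this host, not only the Nextcloud vhost; if any other module here proxies through nginx it loses the forwarded-header settings. If the removal is intended because nothing on this host proxies, a one-line comment stating that would make the intent clear; otherwise keep `nginx.recommendedProxySettings = true;` alongside the new `nginx.virtualHosts.${domain}` attribute.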
@@ -60,4 +54,43 @@ in
 requires = [ "postgresql.service" ];
 after = [ "postgresql.service" ];
 };
+
+ # configure some settings automatically
+ systemd.services."phpfpm-nextcloud" =
+ let
+ occ = lib.getExe config.services.nextcloud.occ;
+ ldapConfig = rec {
+ ldapAgentName = "uid=search,ou=users,${ldapBase}";
+ ldapBase = config.services.portunus.ldap.suffix;
+ ldapBaseGroups = "ou=groups,${ldapBase}";
+ ldapBaseUsers = "ou=users,${ldapBase}";
+ ldapConfigurationActive = "1";
+ ldapEmailAttribute = "mail";
+ ldapGroupFilterObjectclass = "groupOfNames";
+ ldapGroupMemberAssocAttr = "member";
+ ldapHost = "localhost";
+ ldapPort = "389";
+ ldapUserDisplayName = "cn";
+ ldapUserFilterObjectclass = "inetOrgPerson";
+ # generated by nextcloud
+ ldapGroupFilter = "(&(|(objectclass=groupOfNames)))";
+ ldapUserFilter = "(|(objectclass=inetOrgPerson))";
+ ldapLoginFilter = "(&(|(objectclass=inetOrgPerson))(uid=%uid))";
+ };
+ in
+ {
+ preStart = ''
+ # enable included LDAP app
+ ${occ} app:enable user_ldap
+
+ # set up new LDAP config if it does not exist
+ if ! ${occ} ldap:show-config s01 > /dev/null; then
+ ${occ} ldap:create-empty-config
+ fi
+
+ # update LDAP config
+ ${lib.concatLines (lib.mapAttrsToList (name: value: "${occ} ldap:set-config s01 '${name}' '${value}'") ldapConfig)}
+ ${occ} ldap:set-config s01 'ldapAgentPassword' $(cat ${config.sops.secrets.nextcloud_ldap_search.path})
+ '';
+ };
 }
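Review bot: The `$(cat …)` in the final `ldap:set-config` line of the preStart script is unquoted, so a search password containing whitespace or glob characters would be word-split or expanded by the shell before it reaches occ; quote it as `${occ} ldap:set-config s01 'ldapAgentPassword' "$(cat ${config.sops.secrets.nextcloud_ldap_search.path})"`. Either way the bind password is handed to occ as a command-line argument and is therefore readable from the process list for the duration of that invocation; since occ offers no file or stdin form for this key, a comment such as `# NOTE: occ only accepts the bind password as an argument, so it is briefly visible in the process table` records the trade-off. Because `lib.mapAttrsToList` emits the attributes in name order, `ldapConfigurationActive = "1"` is applied by the concatLines block before the password line runs, so a failure on the password step leaves the s01 configuration marked active without a valid bind credential; moving the password line ahead of the loop, or setting the active flag as the last step, closes that window. The `ldap:show-config s01` guard presumably assumes that `ldap:create-empty-config` produces the id `s01`, which holds only when no other LDAP configuration exists yet; if that assumption is intended it is worth stating in the comment above the `if`.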