diff --git a/hosts/harbor/configuration.nix b/hosts/harbor/configuration.nix
index 32387dd..c1ede65 100644
--- a/hosts/harbor/configuration.nix
+++ b/hosts/harbor/configuration.nix
@@ -2,6 +2,7 @@
 imports = [ # Include the results of the hardware scan.
 # ./hardware-configuration.nix
+ ../../modules/services/nextcloud-instance.nix
 ];
 # Configure nix and garbage collection
@@ -35,6 +36,9 @@
 settings.KbdInteractiveAuthentication = false;
 };
+ services.nextcloud-instance.enable = true;
+ services.nextcloud-instance.instanceFQDN = "replace.me";
+ # Allow unfree packages
 nixpkgs.config.allowUnfree = true;
diff --git a/modules/services/nextcloud-instance.nix b/modules/services/nextcloud-instance.nix
new file mode 100644
index 0000000..6d17e89
--- /dev/null
+++ b/modules/services/nextcloud-instance.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.nextcloud-instance;
+in {
+ options.services.nextcloud-instance = {
+ enable = lib.mkEnableOption "Enable the Nextcloud instance";
+
+ instanceFQDN = lib.mkOption {
+ type = lib.types.str;
+ example = "nextcloud.example.com";
+ description = "Fully qualified domain name of the Nextcloud instance";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.etc."nc-admin-pass.txt".text = "replace-me-with-a-sops-secret";
+
+ services.nextcloud = {
+ enable = true;
+ hostName = cfg.instanceFQDN;
+ https = false;
+ config.dbtype = "mysql";
+ config.adminpassFile = "/etc/nc-admin-pass.txt"; # FIXME: sops
+ };
+
+ services.nginx.virtualHosts.${cfg.instanceFQDN}.listen = [
+ {
+ port = 8080;
+ addr = "0.0.0.0";
+ }
+ ];
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ };
+ };
+}
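Review bot: `services.nextcloud-instance.instanceFQDN = "replace.me";` is a syntactically valid, registrable hostname, so the host evaluates and deploys cleanly with the placeholder still in place. The module in this commit feeds that value into `services.nextcloud.hostName` and the nginx virtual host name. A reserved name such as `nextcloud.invalid`, or leaving the option unset until the real name is known so that evaluation fails, makes a forgotten placeholder harder to ship. The enclosing attribute set starts and ends outside this hunk.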
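Review bot: The `environment.etc."nc-admin-pass.txt".text` line publishes the admin password in the world-readable Nix store and under `/etc`, and as committed the literal `replace-me-with-a-sops-secret` becomes the initial admin password of any host that enables this module. Together with `https = false` and the vhost bound to `0.0.0.0:8080`, that login would travel in cleartext on every interface unless a TLS-terminating proxy and a firewall rule outside this diff sit in front of it. I would drop the `environment.etc` entry and take the password file as a required option with no default, so evaluation fails until the host points it at a runtime secret (for example a sops-managed path, as the FIXME intends); the sketch below shows the shape. If a proxy does terminate TLS, bind the listener to the proxy-facing address instead of `0.0.0.0` and set `https = true` so generated links use HTTPS. `config.dbtype = "mysql"` is also set with no database or user provisioning visible in the module; `services.nextcloud.database.createLocally = true;` may be what is intended.

```nix
  # … unchanged: options.services.nextcloud-instance.enable, instanceFQDN …
    adminPassFile = lib.mkOption {
      type = lib.types.str;
      example = "/run/secrets/nextcloud-admin-pass";
      description = "Runtime path of the file holding the initial admin password; must not be in the Nix store";
    };

  # … unchanged: config = lib.mkIf cfg.enable { …, minus the environment.etc entry …
    services.nextcloud = {
      # … unchanged: enable, hostName, https, config.dbtype …
      config.adminpassFile = cfg.adminPassFile;
```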