diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml
index 7e0fdf0..7ea375a 100644
--- a/ansible/inventory/group_vars/all.yml
+++ b/ansible/inventory/group_vars/all.yml
@@ -1,2 +1,16 @@
 data_directory_base: /mnt/data
 git_ssh_port: 56287
+
+nfs_shares:
+  - name: nextcloud_data
+    path: "/mnt/data/nextcloud/data"
+
+database_passwords:
+  nextcloud: !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    66326230303135303930363761316534313439383365376231623661316635393839336431313262
+    3832626365376533646561653863316364313135343366330a356136343938666133356532613263
+    39663037623232363266376335643834353735363431636535386566643763386463353962663930
+    3466343563353162320a376437353933656166323364323166376663323531373338656563653463
+    33346263626430616164613937363836343430383233393061643231346661656539623938333631
+    3632373964346139316637663364646132636636373461613534
diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
index 983401e..aea4b94 100644
--- a/ansible/inventory/hosts.yml
+++ b/ansible/inventory/hosts.yml
@@ -2,6 +2,8 @@ all:
   hosts:
     manager:
       ansible_host: maestro.dmz
+    thecloud:
+      ansible_host: thecloud.dmz
   children:
     workers:
       hosts:
diff --git a/ansible/playbooks/setup.yml b/ansible/playbooks/setup.yml
index 258779a..7daa6ba 100644
--- a/ansible/playbooks/setup.yml
+++ b/ansible/playbooks/setup.yml
@@ -1,12 +1,12 @@
 ---
 - name: Wait for Cloud-init to finish
-  hosts: all
+  hosts: manager, workers
   gather_facts: no
   roles:
     - cloudinit_wait
 
 - name: Initialize Docker Swarm nodes
-  hosts: all
+  hosts: manager, workers
   pre_tasks:
     - name: Delete externally managed environment file
       shell:
diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml
index dad95ac..242c3f7 100644
--- a/ansible/playbooks/stacks.yml
+++ b/ansible/playbooks/stacks.yml
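Review bot: The new `nfs_shares[0].path` hard-codes `/mnt/data/nextcloud/data` although `data_directory_base: /mnt/data` is defined two lines above, and the same absolute path appears again as the NFS `device:` in the nextcloud stack template, so a future change of the base directory would have to be made in three places. Derive it instead: `path: "{{ data_directory_base }}/nextcloud/data"`. The share entry also carries no client restriction, which the consuming task in thecloud.yml then fills in with `*`; a `clients:` field on each share (the swarm subnet) would keep that decision in the inventory next to the path.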
@@ -17,4 +17,4 @@
     - {role: shephard, tags: shephard}
     - {role: jitsi, tags: jitsi}
     - {role: pihole, tags: pihole}
-    - {role: discourse, tags: discourse}
+    - {role: nextcloud, tags: nextcloud}
diff --git a/ansible/playbooks/thecloud.yml b/ansible/playbooks/thecloud.yml
new file mode 100644
index 0000000..ca639d1
--- /dev/null
+++ b/ansible/playbooks/thecloud.yml
@@ -0,0 +1,24 @@
+---
+- name: Create databases and NFS shares
+  hosts: thecloud
+  handlers:
+    - name: reload nfs
+      systemd:
+        name: nfs-kernel-server
+        state: restarted
+
+  tasks:
+    - name: Create nfs shares
+      with_items: "{{ nfs_shares }}"
+      copy:
+        dest: "/etc/exports.d/{{ item.name }}.exports"
+        content: "{{ item.path }} *(rw,sync,no_subtree_check,no_root_squash)"
+      notify: reload nfs
+
+    - name: Create databases
+      with_items: "{{ database_passwords | dict2items }}"
+      include_role:
+        name: database
+      vars:
+        database_name: "{{ item.key }}"
+        database_password: "{{ item.value }}"
diff --git a/ansible/roles/database/handlers/main.yml b/ansible/roles/database/handlers/main.yml
new file mode 100644
index 0000000..a09812e
--- /dev/null
+++ b/ansible/roles/database/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart postgres
+  systemd:
+    name: postgresql
+    state: restarted
diff --git a/ansible/roles/database/tasks/main.yml b/ansible/roles/database/tasks/main.yml
new file mode 100644
index 0000000..e137486
--- /dev/null
+++ b/ansible/roles/database/tasks/main.yml
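Review bot: Swapping `discourse` for `nextcloud` in the roles list stops managing the discourse stack but does not remove it from the swarm, so the old service presumably keeps running (and keeps its Traefik labels) until someone runs `docker stack rm` by hand. If the removal is intended, a one-off task with `docker_stack: {name: discourse, state: absent}` in this play, or a note in the commit message that it was removed manually, would make that explicit. The enclosing `roles:` list starts above the hunk.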
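Review bot: The export line written by "Create nfs shares", `{{ item.path }} *(rw,sync,no_subtree_check,no_root_squash)`, grants read-write root-equivalent access on the Nextcloud data directory to every host that can reach the NFS server, since `*` matches any client and `no_root_squash` keeps remote uid 0 as root. Restrict the client list to the swarm nodes, e.g. `content: "{{ item.path }} {{ item.clients }}(rw,sync,no_subtree_check,no_root_squash)"` with `clients: "<swarm subnet>"` (constructed placeholder) on each `nfs_shares` entry, and drop `no_root_squash` unless the container really needs to write as root. The "Create databases" loop iterates over `database_passwords | dict2items`, so each loop item — including the decrypted vault password — is echoed in the play output; add `no_log: true` to that task, or loop over the key names only and let the role look the password up. The `reload nfs` handler actually does `state: restarted` on `nfs-kernel-server`, which interrupts existing client mounts; `command: exportfs -ra` (or `state: reloaded`) applies new exports without that.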
@@ -0,0 +1,36 @@
+- name: Create database user
+  postgresql_user:
+    name: swarm
+    password: "{{ database_password }}"
+  become: true
+  become_user: postgres
+
+- name: Create database
+  postgresql_db:
+    name: "{{ database_name }}"
+    owner: swarm
+  become: true
+  become_user: postgres
+
+- name: Grant access to database
+  postgresql_privs:
+    type: database
+    database: "{{ database_name }}"
+    role: swarm
+    grant_option: no
+    privs: all
+  become: true
+  become_user: postgres
+  notify: restart postgres
+
+- name: Allow remote access to database
+  postgresql_pg_hba:
+    dest: /etc/postgresql/15/main/pg_hba.conf
+    contype: host
+    databases: "{{ database_name }}"
+    users: swarm
+    address: all
+    create: true
+  become: true
+  become_user: postgres
+  notify: restart postgres
diff --git a/ansible/roles/nextcloud/docker-stack.yml.j2 b/ansible/roles/nextcloud/docker-stack.yml.j2
new file mode 100644
index 0000000..4d535f4
--- /dev/null
+++ b/ansible/roles/nextcloud/docker-stack.yml.j2
@@ -0,0 +1,40 @@
+# vi: ft=yaml
+version: '3.8'
+
+networks:
+  traefik:
+    external: true
+
+volumes:
+  data:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.30.10,nolock,soft,rw"
+      device: ":/mnt/data/nextcloud/data"
+
+services:
+  app:
+    image: nextcloud:26
+    volumes:
+      - type: volume
+        source: data
+        target: /var/www/html
+        volume:
+          nocopy: true
+    environment:
+      - POSTGRES_USER=swarm
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_PASSWORD={{ database_passwords.nextcloud }}
+      - POSTGRES_HOST=192.168.30.10
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.nextcloud.entrypoints=websecure
+        - traefik.http.routers.nextcloud.rule=Host(`cloud.pim.kunis.nl`)
+        - traefik.http.routers.nextcloud.tls=true
+        - traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
+        - traefik.http.routers.nextcloud.service=nextcloud
+        - traefik.http.services.nextcloud.loadbalancer.server.port=80
+        - traefik.docker.network=traefik
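Review bot: "Create database user" always targets the single fixed role `swarm` and sets its password to `{{ database_password }}`, while thecloud.yml includes this role once per entry of `database_passwords`; with two or more databases each iteration overwrites the previous password, only the last one remains valid, and that one credential then has `privs: all` on every database and a pg_hba `host` entry for all of them. A per-database role fixes both: use `name: "{{ database_name }}"` in postgresql_user and reference the same value in `owner:`, `role:` and `users:` (the stack template's `POSTGRES_USER=swarm` would change accordingly). "Allow remote access to database" uses `address: all`, which opens password authentication from any source address; limit it to the swarm subnet, e.g. `address: "<swarm subnet>"` (constructed placeholder). Neither a GRANT nor a pg_hba edit needs a server restart — `notify: restart postgres` on "Grant access to database" can be dropped, and the handler for pg_hba can use `state: reloaded`; the `/etc/postgresql/15/main/` path also pins the PostgreSQL major version and is worth a role default.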
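Review bot: `POSTGRES_PASSWORD={{ database_passwords.nextcloud }}` places the vault-protected password into the service's environment, where it is readable via `docker service inspect` on any manager and in the container's process environment; the nextcloud image honours `POSTGRES_PASSWORD_FILE`, so a Docker secret keeps the value out of the service spec (the role would create it with `docker_secret` before deploying). The value is also interpolated into a plain YAML scalar that is later fed through `from_yaml`, so a password containing ` #` or `: ` would silently truncate or break the rendered compose — another reason to move it out of the template. Separately, the NFS mount option `soft` on the Nextcloud data volume turns server timeouts into I/O errors that the application sees as ordinary write failures; for a data directory `hard` is the usual choice, and `addr=192.168.30.10` is duplicated in `POSTGRES_HOST` and could come from `hostvars['thecloud'].ansible_host`.
```yaml
secrets:
  nextcloud_db_password:
    external: true

services:
  app:
    # … unchanged: image, volumes, networks, deploy …
    secrets:
      - nextcloud_db_password
    environment:
      - POSTGRES_USER=swarm
      - POSTGRES_DB=nextcloud
      - POSTGRES_PASSWORD_FILE=/run/secrets/nextcloud_db_password
      - POSTGRES_HOST=192.168.30.10
```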
diff --git a/ansible/roles/nextcloud/tasks/main.yml b/ansible/roles/nextcloud/tasks/main.yml
new file mode 100644
index 0000000..9b3430e
--- /dev/null
+++ b/ansible/roles/nextcloud/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+  docker_stack:
+    name: nextcloud
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/ansible/roles/traefik/docker-stack.yml.j2 b/ansible/roles/traefik/docker-stack.yml.j2
index ed0bec3..a540c80 100644
--- a/ansible/roles/traefik/docker-stack.yml.j2
+++ b/ansible/roles/traefik/docker-stack.yml.j2
@@ -39,12 +39,6 @@ services:
         - traefik.http.routers.esrom.tls=true
         - traefik.http.routers.esrom.tls.certresolver=letsencrypt
 
-        - traefik.http.routers.nextcloud.entrypoints=websecure
-        - traefik.http.routers.nextcloud.service=nextcloud@file
-        - traefik.http.routers.nextcloud.rule=Host(`cloud.pim.kunis.nl`)
-        - traefik.http.routers.nextcloud.tls=true
-        - traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
-
         - traefik.http.routers.uptime.entrypoints=localsecure
         - traefik.http.routers.uptime.rule=Host(`uptime.pim.kunis.nl`)
         - traefik.http.routers.uptime.service=uptime@file
diff --git a/ansible/roles/traefik/services.yml b/ansible/roles/traefik/services.yml
index 9e5906f..206bec4 100644
--- a/ansible/roles/traefik/services.yml
+++ b/ansible/roles/traefik/services.yml
@@ -4,10 +4,6 @@ http:
     loadBalancer:
       servers:
         - url: http://esrom.dmz:80/
-  nextcloud:
-    loadBalancer:
-      servers:
-        - url: http://nextcloud.dmz:80/
   uptime:
     loadBalancer:
       servers:
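Review bot: The `compose:` entry nests a moustache inside a Jinja string, `lookup('template', '{{ role_path }}/docker-stack.yml.j2')`, which relies on Ansible re-templating the lookup argument and is the construct ansible-lint flags as nested Jinja; the plain expression `lookup('template', role_path ~ '/docker-stack.yml.j2')` does the same without it (if the other stack roles use the nested form, keep them consistent and fix all at once). Since the rendered template carries the database password, it is worth noting that `docker_stack` will show the full compose content in `--diff`/verbose output, so `no_log: true` on this task (or `diff: false`) is advisable until the password is moved to a Docker secret.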