diff --git a/ansible/inventory/host_vars/manager.yml b/ansible/inventory/host_vars/manager.yml
index 299decc..72cbd58 100644
--- a/ansible/inventory/host_vars/manager.yml
+++ b/ansible/inventory/host_vars/manager.yml
@@ -20,3 +20,4 @@ docker_node_labels:
       private: "true"
       seafile: "true"
       freshrss: "true"
+      nextcloud: "true"
diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml
index 7d49222..e8412c7 100644
--- a/ansible/playbooks/stacks.yml
+++ b/ansible/playbooks/stacks.yml
@@ -16,3 +16,4 @@
     - {role: kms, tags: kms}
     - {role: swarm_dashboard, tags: swarm_dashboard}
     - {role: shephard, tags: shephard}
+    - {role: nextcloud, tags: nextcloud}
diff --git a/ansible/roles/nextcloud/docker-stack.yml b/ansible/roles/nextcloud/docker-stack.yml
new file mode 100644
index 0000000..c8cce95
--- /dev/null
+++ b/ansible/roles/nextcloud/docker-stack.yml
@@ -0,0 +1,56 @@
+version: '3'
+
+networks:
+  traefik:
+    external: true
+  nextcloud:
+
+services:
+  db:
+    image: mariadb:10.6
+    networks:
+      - nextcloud
+    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
+    volumes:
+      - type: bind
+        source: /mnt/data/nextcloud/db
+        target: /var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=password
+      - MYSQL_PASSWORD=password
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+    deploy:
+      placement:
+        constraints:
+          - "node.labels.nextcloud == true"
+
+  app:
+    image: nextcloud
+    networks:
+      - traefik
+      - nextcloud
+    links:
+      - db
+    volumes:
+      - type: bind
+        source: /mnt/data/nextcloud/html
+        target: /var/www/html
+    environment:
+      - MYSQL_PASSWORD=password
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_HOST=db
+    deploy:
+      placement:
+        constraints:
+          - "node.labels.nextcloud == true"
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.nextcloud.entrypoints=websecure
+        - traefik.http.routers.nextcloud.rule=Host(`cloud.pim.kunis.nl`)
+        - traefik.http.routers.nextcloud.service=nextcloud
+        - traefik.http.routers.nextcloud.tls=true
+        - traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
+        - traefik.docker.network=traefik
+        - traefik.http.services.nextcloud.loadbalancer.server.port=80
diff --git a/ansible/roles/nextcloud/tasks/main.yml b/ansible/roles/nextcloud/tasks/main.yml
new file mode 100644
index 0000000..90f231f
--- /dev/null
+++ b/ansible/roles/nextcloud/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: Create working directory
+  file:
+    path: /srv/nextcloud
+    state: directory
+
+- name: Copy Docker stack file
+  copy:
+    src: "{{ role_path }}/docker-stack.yml"
+    dest: /srv/nextcloud/docker-stack.yml
+
+- name: Deploy Docker stack
+  docker_stack:
+    name: nextcloud
+    compose:
+      - /srv/nextcloud/docker-stack.yml