diff --git a/modules/services/nextcloud/module.nix b/modules/services/nextcloud/module.nix
new file mode 100644
index 0000000..53456e5
--- /dev/null
+++ b/modules/services/nextcloud/module.nix
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib.meta) getExe';
+ inherit (lib.modules) mkIf;
+ cfg = config.modules.system.services.nextcloud;
+in {
+ options.modules.system.services.nextcloud.enable = lib.mkEnableOption "nextcloud";
+
+ config = {
+ systemd.user.services.nextcloud = mkIf cfg.enable {
+ description = "Nextcloud client service";
+
+ # makes the graphical session start this service when it starts
+ wantedBy = ["graphical-session.target"];
+ # when graphical session restarts or gets stopped, this also gets restarted/stopped.
+ partOf = ["graphical-session.target"];
+ # gets started only after graphical session
+ after = ["graphical-session.target"];
+
+ serviceConfig = {
+ ExecStart = "${getExe' pkgs.nextcloud-client "nextcloud"} --background";
+ Restart = "always";
+ RestartSec = 30;
+
+ # User = "cr";
+ # Group = "cr";
+
+ Keyringmode = "shared";
+ DevicePolicy = "closed";
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectControlGroup = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+
+ ProtectSystem = "strict";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
+ };
+ };
+ };
+}
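Review bot: Two of the hardening keys in `serviceConfig` are not systemd directives as spelled, so systemd will most likely log them as unknown and ignore them: `Keyringmode` should be `KeyringMode = "shared";`, and `ProtectControlGroup = true;` is a misspelled duplicate of the `ProtectControlGroups` line above it and can be dropped. `serviceConfig` is a free-form attribute set, so evaluation will not catch this; the effective sandbox should be confirmed from the running unit's properties or the journal. Separately, `ProtectSystem = "strict"` mounts the whole hierarchy read-only and no `ReadWritePaths` is set, so the client presumably cannot write its sync folder or config directory; and because this is a `systemd.user` unit, the namespace-based options only apply if the user manager can set up unprivileged user namespaces. A short comment above the sandbox block stating which paths are meant to be writable would make the intent reviewable.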