diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
index 11bad1e..29bedf5 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-http.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
@@ -61,15 +61,16 @@
 group: "{{ podman_user }}"
 mode: 0644
 loop:
- - "{{ ci_server_name }}.http.conf"
- - "{{ pi_server_name }}.conf"
- - "{{ home_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
- - "{{ video_server_name }}.conf"
+ - "{{ ci_server_name }}.http.conf"
+ - "{{ cloud_server_name }}.conf"
+ - "{{ home_server_name }}.conf"
+ - "{{ logs_server_name }}.conf"
 - "{{ parts_server_name }}.conf"
 - "{{ photos_server_name }}.conf"
- - "{{ logs_server_name }}.conf"
+ - "{{ pi_server_name }}.conf"
+ - "{{ video_server_name }}.conf"
 notify:
 - restorecon podman
 - restart nginx
@@ -84,15 +85,16 @@
 group: "{{ podman_user }}"
 state: link
 loop:
- - "{{ ci_server_name }}.http.conf"
- - "{{ pi_server_name }}.conf"
- - "{{ parts_server_name }}.conf"
- - "{{ photos_server_name }}.conf"
- - "{{ home_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
- - "{{ video_server_name }}.conf"
+ - "{{ ci_server_name }}.http.conf"
+ - "{{ cloud_server_name }}.conf"
+ - "{{ home_server_name }}.conf"
 - "{{ logs_server_name }}.conf"
+ - "{{ parts_server_name }}.conf"
+ - "{{ photos_server_name }}.conf"
+ - "{{ pi_server_name }}.conf"
+ - "{{ video_server_name }}.conf"
 notify:
 - restorecon podman
 - restart nginx
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index 161fffc..1b3016b 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
@@ -34,10 +34,11 @@
 group: "{{ podman_user }}"
 mode: 0644
 loop:
+ - "{{ bookstack_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
+ - "{{ cloud_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
 - "{{ photos_server_name }}.https.conf"
- - "{{ bookstack_server_name }}.https.conf"
 notify:
 - restorecon podman
 - restart nginx
@@ -52,10 +53,11 @@
 group: "{{ podman_user }}"
 state: link
 loop:
+ - "{{ bookstack_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
+ - "{{ cloud_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
 - "{{ photos_server_name }}.https.conf"
- - "{{ bookstack_server_name }}.https.conf"
 notify:
 - restorecon podman
 - restart nginx
diff --git a/ansible/roles/podman/tasks/container-cloud.yml b/ansible/roles/podman/tasks/container-cloud.yml
new file mode 100644
index 0000000..5be9630
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-cloud.yml
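Review bot: Adding `{{ cloud_server_name }}.https.conf` to both loops means the `restart nginx` handler will reload a vhost whose `ssl_certificate` points at `/etc/letsencrypt/live/{{ cloud_server_name }}/`, and nginx refuses to start at all if that file is missing, taking every other vhost on the host down with it. The certbot task in the ssl role is extended for the new name in this same change, but nothing in this diff shows that the ssl role runs before the podman role. If the playbook does not already guarantee that ordering, guard these loop items with a `stat` on the cert path and a `when: cert.stat.exists`, or run the ssl role as a dependency of this one.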
@@ -0,0 +1,89 @@
+---
+- name: create required cloud volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_subuid.stdout }}"
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - "{{ cloud_path }}/mysql"
+ - "{{ cloud_path }}/data"
+ tags: cloud
+
+- name: unshare chown the elastic volume
+ become: true
+ become_user: "{{ podman_user }}"
+ changed_when: false
+ ansible.builtin.command: |
+ podman unshare chown -R 33:33 {{ cloud_path }}/data
+ tags: cloud
+
+- name: get user/group id from unshare
+ become: true
+ ansible.builtin.stat:
+ path: "{{ cloud_path }}/data"
+ register: cloud_owner
+ tags: cloud
+
+- name: flush handlers
+ ansible.builtin.meta: flush_handlers
+ tags: cloud
+
+- name: create cloud-db container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: cloud-db
+ image: docker.io/mariadb:10.5
+ recreate: false
+ restart: false
+ restart_policy: on-failure
+ log_driver: journald
+ network:
+ - shared
+ env:
+ MYSQL_ROOT_PASSWORD: "{{ cloud_db_root_pass }}"
+ MYSQL_DATABASE: cloud
+ MYSQL_PASSWORD: "{{ cloud_db_pass }}"
+ MYSQL_USER: cloud
+ volumes:
+ - "{{ cloud_path }}/mysql:/var/lib/mysql"
+ tags: cloud
+
+- name: create systemd startup job for cloud-db
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: cloud-db
+ tags: cloud
+
+- name: create cloud container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: cloud
+ image: docker.io/nextcloud:24.0.5-apache
+ recreate: false
+ restart: false
+ restart_policy: on-failure
+ log_driver: journald
+ network:
+ - shared
+ env:
+ MYSQL_PASSWORD: "{{ cloud_db_pass }}"
+ MYSQL_DATABASE: cloud
+ MYSQL_HOST: cloud-db
+ MYSQL_USER: cloud
+ volumes:
+ - "{{ cloud_path }}/data:/var/www/html/data"
+ ports:
+ - "8089:80"
+ tags: cloud
+
+- name: create systemd startup job for cloud
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: cloud
+ tags: cloud
diff --git a/ansible/roles/podman/tasks/container-photos.yml b/ansible/roles/podman/tasks/container-photos.yml
index a9f6c8a..ed6c6aa 100644
--- a/ansible/roles/podman/tasks/container-photos.yml
+++ b/ansible/roles/podman/tasks/container-photos.yml
@@ -70,7 +70,7 @@
 env:
 PHOTOPRISM_ADMIN_PASSWORD: "{{ photos_user_pass }}"
 PHOTOPRISM_AUTH_MODE: "password"
- PHOTOPRISM_SITE_URL: "http://localhost:2342/"
+ PHOTOPRISM_SITE_URL: "https://photos.bdebyl.net/"
 PHOTOPRISM_ORIGINALS_LIMIT: 5000
 PHOTOPRISM_HTTP_COMPRESSION: "gzip"
 PHOTOPRISM_LOG_LEVEL: "info"
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index 03a945f..e4e58f4 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -10,4 +10,5 @@
 - import_tasks: container-pihole.yml
 - import_tasks: container-bookstack.yml
 - import_tasks: container-photos.yml
+- import_tasks: container-cloud.yml
 - import_tasks: container-nginx.yml
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
new file mode 100644
index 0000000..b437a48
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
@@ -0,0 +1,16 @@
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ listen 80;
+ server_name {{ cloud_server_name }};
+
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /srv/http/letsencrypt;
+ }
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2
new file mode 100644
index 0000000..4465d54
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2
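Review bot: The `ports: - "8089:80"` mapping in the `create cloud container` task publishes the port on every host interface, while the nginx upstream added in this change only ever talks to `127.0.0.1:8089`, so Nextcloud is also reachable directly over plain HTTP on the host's external addresses, bypassing TLS and the modsecurity rules placed in front of it. Bind it to loopback instead: `- "127.0.0.1:8089:80"`. Separately, the task named `unshare chown the elastic volume` operates on `{{ cloud_path }}/data` (the name looks copy-pasted), and the `cloud_owner` stat registered right after it is never read in this file. `changed_when: false` on a recursive `chown` that runs every play also hides real changes; consider an honest `changed_when` or a guard that skips the chown when the directory is already owned by 33:33.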
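Review bot: `PHOTOPRISM_SITE_URL` is set to the literal `https://photos.bdebyl.net/`, while the nginx loops and certbot list in this same change refer to that host through `{{ photos_server_name }}`, so the two can silently drift the next time the name changes. Use `PHOTOPRISM_SITE_URL: "https://{{ photos_server_name }}/"` to keep a single source of truth. The enclosing task starts outside the hunk.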
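Review bot: The `location /` block in cloud.bdebyl.net.conf.j2 uses `return 302`, a temporary redirect that browsers do not cache, so every plaintext visit to this host keeps making the unprotected round trip before reaching TLS; use `return 301 https://$host$request_uri;` (or `308` if request method must be preserved). `$host` echoes the client-supplied Host header; since this `server` block only matches `server_name {{ cloud_server_name }}` that is bounded here, but redirecting to `https://{{ cloud_server_name }}$request_uri` would make the target independent of the request.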
@@ -0,0 +1,42 @@
+upstream cloud {
+ server 127.0.0.1:8089;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+ listen 443 ssl http2;
+ server_name {{ cloud_server_name }};
+ client_max_body_size 500M;
+
+ ssl_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ cloud_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location / {
+ add_header Referrer-Policy "same-origin" always;
+ # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://cloud;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index fb7c54e..c2efce7 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -10,8 +10,9 @@
 loop:
 - "{{ bookstack_server_name }}"
 - "{{ ci_server_name }}"
- - "{{ photos_server_name }}"
+ - "{{ cloud_server_name }}"
 - "{{ parts_server_name }}"
+ - "{{ photos_server_name }}"
 tags: ssl
 
 - name: set group ownership for /etc/letsencrypt/
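Review bot: The `location /` block forwards `Host` and `X-Forwarded-For` but not the scheme, so the Nextcloud container behind `proxy_pass http://cloud` sees a plain-HTTP request and, unless it is told otherwise via its own overwrite-protocol setting (which the container-cloud.yml hunk in this change does not set), will emit `http://` links and redirects; add `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Real-IP $remote_addr;` so the app can trust the proxy. `proxy_set_header Upgrade $http_upgrade;` is inert without a matching `proxy_set_header Connection "upgrade";`, so either add the pair or drop the lone header. The HSTS header is left commented out on this brand-new TLS-only vhost, where there is no migration risk; enable `add_header Strict-Transport-Security "max-age=63072000" always;` here (the two-year value is what the commented line intends, and `includeSubDomains` is only appropriate if every name under `cloud.<domain>` is TLS-only).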
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 1ff343b..5632919 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ