diff --git a/configuration.nix b/configuration.nix
index 7e9a5bd..cd9d9b4 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -14,7 +14,6 @@
 ./passmgr/bitwarden.nix
 ./webserver/nginx.nix
 ./webserver/memcached.nix
- ./nextcloud/nextcloud.nix
 ./resources/limits.nix
 ./videomeet/jitsi.nix
 ./git/gitea.nix
diff --git a/files.nix b/files.nix
index 353851f..7e08095 100644
--- a/files.nix
+++ b/files.nix
@@ -32,21 +32,6 @@ in
 sed = "${pkgs.gnused}/bin/sed";
 in
 {
- nextcloudSecrets =
- if cfg.nextcloud.enable then ''
- mkdir -p /var/lib/nextcloud
- cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass
- chmod 0440 /var/lib/nextcloud/db-pass
- chown nextcloud:nextcloud /var/lib/nextcloud/db-pass
-
- cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass
- chmod 0440 /var/lib/nextcloud/admin-pass
- chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass
- ''
- else ''
- rm -f /var/lib/nextcloud/db-pass
- rm -f /var/lib/nextcloud/admin-pass
- '';
 cloudflareCredentials = ''
 mkdir -p /var/lib/cloudflare
 chmod 0440 /var/lib/cloudflare
diff --git a/nextcloud/nextcloud.nix b/nextcloud/nextcloud.nix
deleted file mode 100644
index 092da05..0000000
--- a/nextcloud/nextcloud.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- cfg = config.selfprivacy.userdata;
-in
-{
- fileSystems = lib.mkIf cfg.useBinds {
- "/var/lib/nextcloud" = {
- device = "/volumes/${cfg.nextcloud.location}/nextcloud";
- options = [ "bind" ];
- };
- };
- services.nextcloud = {
- enable = cfg.nextcloud.enable;
- package = pkgs.nextcloud25;
- hostName = "cloud.${cfg.domain}";
-
- # Use HTTPS for links
- https = false;
-
- # Auto-update Nextcloud Apps
- autoUpdateApps.enable = true;
- # Set what time makes sense for you
- autoUpdateApps.startAt = "05:00:00";
-
- config = {
- # Further forces Nextcloud to use HTTPS
- overwriteProtocol = "https";
-
- # Nextcloud PostegreSQL database configuration, recommended over using SQLite
- dbtype = "sqlite";
- dbuser = "nextcloud";
- dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
- dbname = "nextcloud";
- dbpassFile = "/var/lib/nextcloud/db-pass";
-
- adminpassFile = "/var/lib/nextcloud/admin-pass";
- adminuser = "admin";
- };
- };
-}
diff --git a/sp-modules/nextcloud/config-paths-needed.json b/sp-modules/nextcloud/config-paths-needed.json
new file mode 100644
index 0000000..7425822
--- /dev/null
+++ b/sp-modules/nextcloud/config-paths-needed.json
@@ -0,0 +1,5 @@
+[
+ [ "selfprivacy", "userdata", "domain" ],
+ [ "selfprivacy", "userdata", "nextcloud" ],
+ [ "selfprivacy", "userdata", "useBinds" ]
+]
diff --git a/sp-modules/nextcloud/flake.nix b/sp-modules/nextcloud/flake.nix
new file mode 100644
index 0000000..738beff
--- /dev/null
+++ b/sp-modules/nextcloud/flake.nix
@@ -0,0 +1,9 @@
+{
+ description = "PoC SP module for nextcloud";
+
+ outputs = { self }: {
+ nixosModules.default = import ./module.nix;
+ configPathsNeeded =
+ builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+ };
+}
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
new file mode 100644
index 0000000..19c4469
--- /dev/null
+++ b/sp-modules/nextcloud/module.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+{
+ options.selfprivacy.userdata.nextcloud = with lib; {
+ enable = mkOption {
+ type = types.nullOr types.bool;
+ default = false;
+ };
+ location = mkOption {
+ type = types.nullOr types.str;
+ default = "sda1";
+ };
+ };
+
+ config =
+ let
+ cfg = config.selfprivacy.userdata;
+ secrets-filepath = "/etc/nixos/userdata/userdata.json";
+ db-pass-filepath = "/var/lib/nextcloud/db-pass";
+ admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
+ in
+ lib.mkIf cfg.nextcloud.enable
+ {
+ system.activationScripts.nextcloudSecrets = ''
+ mkdir -p /var/lib/nextcloud
+ ${pkgs.jq}/bin/jq < ${secrets-filepath} -r '.nextcloud.databasePassword' > ${db-pass-filepath}
+ chmod 0440 ${db-pass-filepath}
+ chown nextcloud:nextcloud ${db-pass-filepath}
+
+ ${pkgs.jq}/bin/jq < ${secrets-filepath} -r '.nextcloud.adminPassword' > ${admin-pass-filepath}
+ chmod 0440 ${admin-pass-filepath}
+ chown nextcloud:nextcloud ${admin-pass-filepath}
+ '';
+ fileSystems = lib.mkIf cfg.useBinds {
+ "/var/lib/nextcloud" = {
+ device = "/volumes/${cfg.nextcloud.location}/nextcloud";
+ options = [ "bind" ];
+ };
+ };
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud25;
+ hostName = "cloud.${cfg.domain}";
+
+ # Use HTTPS for links
+ https = false;
+
+ # auto-update Nextcloud Apps
+ autoUpdateApps.enable = true;
+ # set what time makes sense for you
+ autoUpdateApps.startAt = "05:00:00";
+
+ config = {
+ # further forces Nextcloud to use HTTPS
+ overwriteProtocol = "https";
+
+ dbtype = "sqlite";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud adds .s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpassFile = db-pass-filepath;
+ adminpassFile = admin-pass-filepath;
+ adminuser = "admin";
+ };
+ };
+ }
+ # FIXME do we really want to delete passwords on module deactivation!?
+ //
+ lib.mkIf (!cfg.nextcloud.enable) {
+ system.activationScripts.nextcloudSecrets =
+ lib.trivial.warn
+ (
+ "nextcloud service is disabled, " + "${db-pass-filepath} and ${admin-pass-filepath} will be removed!"
+ )
+ ''
+ rm -f ${db-pass-filepath}
+ rm -f ${admin-pass-filepath}
+ '';
+ };
+}
diff --git a/userdata-variables.nix b/userdata-variables.nix
index 121e4f0..317ed78 100644
--- a/userdata-variables.nix
+++ b/userdata-variables.nix
@@ -34,10 +34,6 @@ jsonData: { lib, ... }:
 enable = lib.attrsets.attrByPath [ "gitea" "enable" ] false jsonData;
 location = lib.attrsets.attrByPath [ "gitea" "location" ] "sda1" jsonData;
 };
- nextcloud = {
- enable = lib.attrsets.attrByPath [ "nextcloud" "enable" ] false jsonData;
- location = lib.attrsets.attrByPath [ "nextcloud" "location" ] "sda1" jsonData;
- };
 pleroma = {
 enable = lib.attrsets.attrByPath [ "pleroma" "enable" ] false jsonData;
 location = lib.attrsets.attrByPath [ "pleroma" "location" ] "sda1" jsonData;
diff --git a/variables-module.nix b/variables-module.nix
index 8ccba91..dd47997 100644
--- a/variables-module.nix
+++ b/variables-module.nix
@@ -135,16 +135,6 @@ with lib;
 type = types.nullOr types.str;
 };
 };
- nextcloud = {
- enable = mkOption {
- default = true;
- type = types.nullOr types.bool;
- };
- location = mkOption {
- default = "sda1";
- type = types.nullOr types.str;
- };
- };
 pleroma = {
 enable = mkOption {
 default = false;
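Review bot: In `system.activationScripts.nextcloudSecrets` of module.nix each password file is created by the shell redirect `> ${db-pass-filepath}` under whatever umask the activation script runs with (commonly 022, i.e. world-readable) and only tightened by the `chmod 0440` on the following line, and `jq -r` on an absent key writes the literal string `null` as the password without any failure. Creating the file under a restrictive umask and gating the install on `jq -e` closes both; the sketch below shows the database-password half, the admin-password half is identical apart from the key and path. The `chown nextcloud:nextcloud` (and `install -o`) also presume the nextcloud user already exists when this snippet runs; if that ordering is not guaranteed, declare it with `deps = [ "users" ]` on the activation script. Separately, `enable` is declared as `types.nullOr types.bool`, yet both `lib.mkIf cfg.nextcloud.enable` and `!cfg.nextcloud.enable` throw on `null`, so `types.bool` is the type this module actually supports.
```nix
        system.activationScripts.nextcloudSecrets = ''
          mkdir -p /var/lib/nextcloud
          # Subshell keeps the umask local to this snippet; jq -e exits non-zero when the
          # key is missing/null, so the literal "null" is never installed as a password;
          # install applies mode and owner before the file appears at its final path.
          if ( umask 0077; ${pkgs.jq}/bin/jq -e -r '.nextcloud.databasePassword' < ${secrets-filepath} > ${db-pass-filepath}.tmp ); then
            install -m 0440 -o nextcloud -g nextcloud ${db-pass-filepath}.tmp ${db-pass-filepath}
          else
            echo "nextcloudSecrets: .nextcloud.databasePassword missing in ${secrets-filepath}" >&2
          fi
          rm -f ${db-pass-filepath}.tmp
          # … same block for .nextcloud.adminPassword -> ${admin-pass-filepath} …
        '';
```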