diff --git a/sp-modules/nextcloud/cleanup-module.nix b/sp-modules/nextcloud/cleanup-module.nix
new file mode 100644
index 0000000..d3f916f
--- /dev/null
+++ b/sp-modules/nextcloud/cleanup-module.nix
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+  inherit (import ./common.nix config) sp db-pass-filepath admin-pass-filepath;
+in
+# FIXME do we really want to delete passwords on module deactivation!?
+{
+  config = lib.mkIf (!sp.modules.nextcloud.enable) {
+    system.activationScripts.nextcloudSecrets =
+      lib.trivial.warn
+        (
+          "nextcloud service is disabled, " +
+          "${db-pass-filepath} and ${admin-pass-filepath} will be removed!"
+        )
+        ''
+          rm -f ${db-pass-filepath}
+          rm -f ${admin-pass-filepath}
+        '';
+  };
+}
diff --git a/sp-modules/nextcloud/common.nix b/sp-modules/nextcloud/common.nix
new file mode 100644
index 0000000..99a3d8e
--- /dev/null
+++ b/sp-modules/nextcloud/common.nix
@@ -0,0 +1,7 @@
+config: rec {
+  sp = config.selfprivacy;
+  secrets-filepath = "/etc/selfprivacy/secrets.json";
+  db-pass-filepath = "/var/lib/nextcloud/db-pass";
+  admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
+  hostName = "cloud.${sp.domain}";
+}
diff --git a/sp-modules/nextcloud/flake.nix b/sp-modules/nextcloud/flake.nix
index 738beff..2cf384e 100644
--- a/sp-modules/nextcloud/flake.nix
+++ b/sp-modules/nextcloud/flake.nix
@@ -2,7 +2,8 @@
   description = "PoC SP module for nextcloud";
 
   outputs = { self }: {
-    nixosModules.default = import ./module.nix;
+    nixosModules.default = _:
+      { imports = [ ./module.nix ./cleanup-module.nix ]; };
     configPathsNeeded =
       builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
   };
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index df6ab8c..b084969 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -13,11 +13,8 @@
 
   config =
     let
-      sp = config.selfprivacy;
-      secrets-filepath = "/etc/selfprivacy/secrets.json";
-      db-pass-filepath = "/var/lib/nextcloud/db-pass";
-      admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
-      hostName = "cloud.${sp.domain}";
+      inherit (import ./common.nix config)
+        sp secrets-filepath db-pass-filepath admin-pass-filepath hostName;
     in
     lib.mkIf sp.modules.nextcloud.enable
       {
@@ -83,19 +80,5 @@
             };
           };
         };
-      }
-    # FIXME do we really want to delete passwords on module deactivation!?
-    //
-    lib.mkIf (!sp.modules.nextcloud.enable) {
-      system.activationScripts.nextcloudSecrets =
-        lib.trivial.warn
-          (
-            "nextcloud service is disabled, " +
-            "${db-pass-filepath} and ${admin-pass-filepath} will be removed!"
-          )
-          ''
-            rm -f ${db-pass-filepath}
-            rm -f ${admin-pass-filepath}
-          '';
-    };
+      };
 }