diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index d74b907..00554f4 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -9,6 +9,9 @@ RSYSLOG_SERVER: internal.monitoring.atlantishq.de
 influxdb_telegraf_password: HISTORY_PURGED_SECRET
 code_server_password: HISTORY_PURGED_SECRET
+nextcloud_ssl_enabled: false
+nextcloud_cert_name: nextcloud.atlantishq.de
+
 tor_bridge_name: HISTORY_PURGED_SECRET
 tor_bridge_email: nobody@HISTORY_PURGED_SECRET.com
diff --git a/group_vars/nextcloud.yaml b/group_vars/nextcloud.yaml
new file mode 100644
index 0000000..74a1e75
--- /dev/null
+++ b/group_vars/nextcloud.yaml
@@ -0,0 +1 @@
+nextcloud_nginx_ssl_enabled: true
diff --git a/group_vars/ths.yaml b/group_vars/ths.yaml
index 5d4d887..d44ee55 100644
--- a/group_vars/ths.yaml
+++ b/group_vars/ths.yaml
@@ -1,3 +1,4 @@
 ---
+nextcloud_nginx_ssl_enabled: false
 checks :
 - { user : sheppy, name : irc, cmd : ""}
diff --git a/roles/nextcloud/templates/nginx-nextcloud.conf b/roles/nextcloud/templates/nginx-nextcloud.conf
index bc43b97..5898f19 100644
--- a/roles/nextcloud/templates/nginx-nextcloud.conf
+++ b/roles/nextcloud/templates/nginx-nextcloud.conf
@@ -1,8 +1,10 @@
 server {
 listen 80;
 listen [::]:80;
+ {% if nextcloud_nginx_ssl_enabled %}
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
+ {% endif %}
 add_header X-Frame-Options "SAMEORIGIN";
 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
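Review bot: The global default added to group_vars/all.yaml is named `nextcloud_ssl_enabled`, but the template roles/nextcloud/templates/nginx-nextcloud.conf and the group files group_vars/nextcloud.yaml and group_vars/ths.yaml all use `nextcloud_nginx_ssl_enabled`, so the all.yaml value is never read and any host outside those two groups renders the template against an undefined variable, which Ansible rejects by default. Rename the global default to `nextcloud_nginx_ssl_enabled: false` so the two group files only override it, and drop the unused name. The new group_vars/nextcloud.yaml also lacks the `---` document-start marker that group_vars/ths.yaml carries.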
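Review bot: The `{% if nextcloud_nginx_ssl_enabled %}` guard removes the two 443 listeners, but the `add_header Strict-Transport-Security` line just below it stays unconditional, so with the flag off this block serves plain HTTP on port 80 while advertising HSTS. That is presumably intended because TLS is terminated by an upstream proxy (the realip directives in the second hunk of this file trust 192.168.122.1) which relays the header over HTTPS, but nothing in the template says so; a comment above the guard such as `# With the flag off, TLS is terminated by the upstream proxy; HSTS stays on because the proxy relays it to clients` would make that contract explicit. Browsers ignore HSTS received over plain HTTP, so if direct port-80 access is possible with the flag off the missing HTTPS redirect should be confirmed against the proxy setup. The server block continues outside the hunk.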
@@ -13,8 +15,14 @@ server {
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy no-referrer;
- ssl_certificate /etc/letsencrypt/live/nextcloud.atlantishq.de/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/nextcloud.atlantishq.de/privkey.pem;
+ set_real_ip_from 192.168.122.1;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+
+ {% if nextcloud_nginx_ssl_enabled %}
+ ssl_certificate /etc/letsencrypt/live/{{ nextcloud_cert_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud_cert_name }}/privkey.pem;
+ {% endif %}
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
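Review bot: The trusted proxy address in `set_real_ip_from 192.168.122.1;` is hard-coded in the template while the certificate name in the same hunk was turned into `{{ nextcloud_cert_name }}`; moving it to a group var alongside that one (a name such as `nextcloud_trusted_proxy` is a constructed suggestion, not an existing variable) keeps both deployment-specific values in one place and lets a group without a proxy omit the block. The realip directives are emitted regardless of `nextcloud_nginx_ssl_enabled`, which is acceptable because nginx only honours X-Forwarded-For from peers listed in set_real_ip_from, but it rests on the proxy at that address appending the real client address rather than passing a client-supplied header through, since with `real_ip_recursive on` the rightmost untrusted entry wins; a comment stating that requirement above `set_real_ip_from` would document it. The server block continues outside the hunk.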