diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 6be96b9..fb4e3df 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -15,6 +15,32 @@
 locations."/.well-known/carddav".extraConfig = "return 301 $scheme://$host/remote.php/dav;";
 locations."/.well-known/caldav".extraConfig = "return 301 $scheme://$host/remote.php/dav;";
+ locations."/" = "rewrite ^ /index.php$uri;";
+ locations."~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/" = "deny all;";
+ locations."~ ^/(?:\.|autotest|occ|issue|indie|db_|console)" = "deny all;";
+ locations."~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/)" =''
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ #Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ '';
+
+ locations."~ ^/(?:updater|ocs-provider)(?:$|/)" = ''
+ try_files $uri/ =404;
+ index index.php;
+ '';
+ locations."~ \.(?:png|html|ttf|ico|jpg|jpeg)$" = ''
+ try_files $uri /index.php$uri$is_args$args;
+ # Optional: Don't log access to other assets
+ access_log off;
+ '';
 };
 users.extraUsers.nextcloud.packages = [pkgs.nextcloud];
@@ -33,4 +59,6 @@
 pm.max_requests = 500
 '';
 };
+
+ services.nginx.upstreams.php-handler.servers = ["unix:/run/php-fpm/php-fpm.sock"];
 }
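Review bot: The two `deny all;` regex locations only protect `data/` and `config/` if nginx evaluates them before the static-asset location `~ \.(?:png|html|ttf|ico|jpg|jpeg)$`, and a Nix attribute set does not preserve the order in which these entries are written. nginx uses the first matching regex location in file order, so if the asset block is rendered first, a request for an image or `.html` file below `/data/` would be answered by `try_files $uri` instead of being denied (assuming the data directory sits under the web root, which this hunk does not show). Check the generated nginx.conf for the actual order, and consider keeping the data directory outside the document root so the deny rule is not the only barrier. Separately, the new entries assign strings directly to `locations."…"`, while the context lines above use `locations."…".extraConfig = …`; unless this module accepts bare strings, they should read like `locations."/".extraConfig = "rewrite ^ /index.php$uri;";`.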
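Review bot: The socket path `unix:/run/php-fpm/php-fpm.sock` in the second hunk is hard-coded and has to match the `listen` value of the php-fpm pool, which lies outside this hunk; if the two drift apart, every PHP request fails at the gateway. Defining the path once and referencing it from both places, or at least adding a comment such as `# must match the php-fpm pool's listen socket`, would keep them in step. It is also worth confirming that the socket's owner, group and mode let only the nginx user connect, since any local account that can reach the socket can have PHP executed as the pool user. If the NixOS release in use declares `upstreams.<name>.servers` as an attribute set rather than a list, this line would need the form `servers."unix:/run/php-fpm/php-fpm.sock" = {};`.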