diff --git a/modules/monitoring/prometheus.nix b/modules/monitoring/prometheus.nix
index d4adffa9..38321913 100644
--- a/modules/monitoring/prometheus.nix
+++ b/modules/monitoring/prometheus.nix
@@ -25,7 +25,7 @@ in
 
     jsonTargets = mkOption {
       type = types.listOf types.str;
-      # default = [ "https://pablo.tools" ];
+      default = [ ];
       example = [ "http://birne.wireguard/restic-ahorn.json" ];
       description = "Targets to probe with the json-exporter";
     };
diff --git a/modules/nextcloud/default.nix b/modules/nextcloud/default.nix
index e733dbbb..f81f20d9 100644
--- a/modules/nextcloud/default.nix
+++ b/modules/nextcloud/default.nix
@@ -42,11 +42,50 @@ in
     };
 
     services.nextcloud = {
+      caching.apcu = true;
+      caching.redis = true;
+      configureRedis = true;
+
+      phpOptions."opcache.interned_strings_buffer" = "64";
+      # opcache.memory_consumption=256
+      # opcache.interned_strings_buffer=64
+      # opcache.max_accelerated_files=100000
+
+      settings = {
+        maintenance_window_start = "4";
+
+        trusted_proxies = [
+          "192.168.7.1"
+          "94.16.108.229"
+        ];
+
+        trusted_domains = [ "birne.wireguard" ];
+        default_phone_region = "DE";
+
+        enabledPreviewProviders = [
+          "OC\\Preview\\BMP"
+          "OC\\Preview\\GIF"
+          "OC\\Preview\\JPEG"
+          "OC\\Preview\\Krita"
+          "OC\\Preview\\MarkDown"
+          "OC\\Preview\\MP3"
+          "OC\\Preview\\OpenDocument"
+          "OC\\Preview\\PNG"
+          "OC\\Preview\\TXT"
+          "OC\\Preview\\XBitmap"
+          "OC\\Preview\\HEIC"
+          "OC\\Preview\\Movie"
+        ];
+      };
 
       enable = true;
       # Pin Nextcloud major version.
       # Refer to upstream docs for updating major versions
-      package = pkgs.nextcloud28;
+
+      # Workaround for nextcloud bug.
+      # TODO remove when https://github.com/nextcloud/server/pull/43794 hits
+      # the release
+      package = pkgs.nextcloud-patched;
 
       # Use HTTPS for links
       https = true;
@@ -82,30 +121,7 @@ in
         adminpassFile = "${config.lollypops.secrets.files."nextcloud/admin-pass".path}";
       };
 
-      extraOptions.trusted_proxies = [
-        "192.168.7.1"
-        "94.16.108.229"
-        "birne.wireguard"
-      ];
-      extraOptions.trusted_domains = [ "birne.wireguard" ];
-      extraOptions.default_phone_region = "DE";
-
       nginx.recommendedHttpHeaders = true;
-
-      extraOptions.enabledPreviewProviders = [
-        "OC\\Preview\\BMP"
-        "OC\\Preview\\GIF"
-        "OC\\Preview\\JPEG"
-        "OC\\Preview\\Krita"
-        "OC\\Preview\\MarkDown"
-        "OC\\Preview\\MP3"
-        "OC\\Preview\\OpenDocument"
-        "OC\\Preview\\PNG"
-        "OC\\Preview\\TXT"
-        "OC\\Preview\\XBitmap"
-        "OC\\Preview\\HEIC"
-        "OC\\Preview\\Movie"
-      ];
     };
 
     environment.systemPackages = with pkgs; [
@@ -113,22 +129,21 @@ in
       ffmpeg
     ];
 
-    # redis.servers.nextcloud = {
-    #   enable = true;
-    #   user = "nextcloud";
-    #   port = 0;
-    # };
-
     # To run nginx alongside caddy for nextcloud only
     services.nginx.enable = false;
     # services.nginx.virtualHosts."files.pablo.tools".listen = [{ addr = "0.0.0.0"; port = 8080; }];
 
     # reverse_proxy http://127.0.0.1:8080
     services.caddy.virtualHosts = {
+
       "files.pablo.tools".extraConfig = ''
 
-        redir /.well-known/carddav /remote.php/dav 301
-        redir /.well-known/caldav /remote.php/dav 301
+        header {
+            Strict-Transport-Security max-age=31536000;
+        }
+
+        redir /.well-known/carddav /remote.php/dav/ 301
+        redir /.well-known/caldav /remote.php/dav/ 301
 
         @forbidden {
             path /.htaccess
@@ -151,24 +166,6 @@ in
       '';
     };
 
-    # reverse_proxy 127.0.0.2:9876
-    # services.caddy.virtualHosts."files.pablo.tools".extraConfig = ''
-    #   root * ${pkgs.nextcloud26}
-    #   file_server
-    # '';
-
-    # Reverse proxy
-    # services.nginx.virtualHosts = {
-    #   "files.pablo.tools" = {
-    #     forceSSL = true;
-    #     enableACME = true;
-    #     locations."/" = {
-    #       proxyPass = "http://127.0.0.2:9876";
-    #       proxyWebsockets = true;
-    #     };
-    #   };
-    # };
-
     # Database configuration
     services.postgresql = {
       enable = true;
diff --git a/overlays/default.nix b/overlays/default.nix
index d727ef76..549505ed 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -15,6 +15,14 @@ self: super: {
   #   '';
   # });
 
+  nextcloud-patched = super.nextcloud29.overrideAttrs (old: {
+    patches = [ ./nextcloud.patch ];
+    # CXXFLAGS = [
+    #   # GCC 13: error: 'uint8_t' does not name a type
+    #   "-include cstdint"
+    # ];
+  });
+
   # TODO remove when fixed upsteam
   zynaddsubfx = super.zynaddsubfx.overrideAttrs (old: {
     CXXFLAGS = [
diff --git a/overlays/nextcloud.patch b/overlays/nextcloud.patch
new file mode 100644
index 00000000..e4f98eae
--- /dev/null
+++ b/overlays/nextcloud.patch
@@ -0,0 +1,79 @@
+From 3c3e45f0ad4b4f10161197f70daf46c8888ba91e Mon Sep 17 00:00:00 2001
+From: Josh <josh.t.richards@gmail.com>
+Date: Fri, 23 Feb 2024 12:55:58 -0500
+Subject: [PATCH] fix(Files): Change how scanner diffs for changed metadata
+
+Fixes #43408
+
+Signed-off-by: Josh <josh.t.richards@gmail.com>
+---
+ lib/private/Files/Cache/Scanner.php | 49 +++++++++++++++++++++++++++--
+ 1 file changed, 47 insertions(+), 2 deletions(-)
+
+diff --git a/lib/private/Files/Cache/Scanner.php b/lib/private/Files/Cache/Scanner.php
+index 1c66f3af8d2b0..4aef73b9b2522 100644
+--- a/lib/private/Files/Cache/Scanner.php
++++ b/lib/private/Files/Cache/Scanner.php
+@@ -221,8 +221,9 @@ public function scanFile($file, $reuseExisting = 0, $parentId = -1, $cacheData =
+ 						}
+ 
+ 						// Only update metadata that has changed
+-						$newData = array_diff_assoc($data, $cacheData->getData());
+-
++						// i.e. get all the values in $data that are not present in the cache already
++						$newData = $this->array_diff_assoc_multi($data, $cacheData->getData());
++						
+ 						// make it known to the caller that etag has been changed and needs propagation
+ 						if (isset($newData['etag'])) {
+ 							$data['etag_changed'] = true;
+@@ -369,6 +370,50 @@ public function scan($path, $recursive = self::SCAN_RECURSIVE, $reuse = -1, $loc
+ 		return $data;
+ 	}
+ 
++	/**
++	 * Compares $array1 against $array2 and returns all the values in $array1 that are not in $array2
++	 * Note this is a one-way check - i.e. we don't care about things that are in $array2 that aren't in $array1
++	 *
++	 * Supports multi-dimensional arrays
++	 * Also checks keys/indexes
++	 * Comparisons are strict just like array_diff_assoc
++	 * Order of keys/values does not matter
++	 *
++	 * @param array $array1
++	 * @param array $array2
++	 * @return array with the differences between $array1 and $array1
++	 * @throws \InvalidArgumentException if $array1 isn't an actual array
++	 *
++	 */
++	protected function array_diff_assoc_multi(array $array1, array $array2) {
++		
++		$result = [];
++
++		foreach ($array1 as $key => $value) {
++		
++			// if $array2 doesn't have the same key, that's a result
++			if (!array_key_exists($key, $array2)) {
++				$result[$key] = $value;
++				continue;
++			}
++		
++			// if $array2's value for the same key is different, that's a result
++			if ($array2[$key] !== $value && !is_array($value)) {
++				$result[$key] = $value;
++				continue;
++			}
++		
++			if (is_array($value)) {
++				$nestedDiff = $this->array_diff_assoc_multi($value, $array2[$key]);
++				if (!empty($nestedDiff)) {
++					$result[$key] = $nestedDiff;
++					continue;
++				}
++			}
++		}
++		return $result;
++	}
++
+ 	/**
+ 	 * Get the children currently in the cache
+ 	 *