diff --git a/defaults.sh b/defaults.sh
index 0b09dfc..e4468c3 100755
--- a/defaults.sh
+++ b/defaults.sh
@@ -111,7 +111,9 @@ DEFAULT_DB_IMAGE="mariadb:10.9.3-jammy"
 export GHOST_IMAGE="ghost:5.18.0"
 export GHOST_DB_IMAGE="$DEFAULT_DB_IMAGE"
 export NGINX_IMAGE="nginx:1.23.1"
-export NEXTCLOUD_IMAGE="nextcloud:24.0.5"
+
+# version of backup is 24.0.3
+export NEXTCLOUD_IMAGE="nextcloud:25.0.0"
 export NEXTCLOUD_DB_IMAGE="$DEFAULT_DB_IMAGE"
 
 # TODO PIN the gitea version number.
@@ -140,4 +142,4 @@ export BTCPAY_SERVER_APPPATH="$REMOTE_HOME/btcpayserver-docker"
 export REMOTE_CERT_BASE_DIR="$REMOTE_HOME/.certs"
 
 # this space is for OS, docker images, etc. DOES NOT INCLUDE USER DATA.
-export ROOT_DISK_SIZE_GB=20
\ No newline at end of file
+export ROOT_DISK_SIZE_GB=20
diff --git a/deploy.sh b/deploy.sh
index 79727cd..21226ff 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -23,13 +23,12 @@ if ! lsb_release -d | grep -q "Ubuntu 22.04"; then
     exit 1
 fi
 
-
 DOMAIN_NAME=
 RESTORE_ARCHIVE=
 VPS_HOSTING_TARGET=lxd
 RUN_CERT_RENEWAL=false
 RESTORE_WWW=false
-BACKUP_CERTS=true
+BACKUP_CERTS=false
 BACKUP_APPS=true
 BACKUP_BTCPAY=false
 RESTORE_BTCPAY=false
@@ -41,6 +40,7 @@ UPDATE_BTCPAY=false
 RECONFIGURE_BTCPAY_SERVER=false
 DEPLOY_BTCPAY_SERVER=false
 CLUSTER_NAME="$(lxc remote get-default)"
+STOP_SERVICES=false
 
 # grab any modifications from the command line.
 for i in "$@"; do
@@ -65,6 +65,10 @@ for i in "$@"; do
             BACKUP_CERTS=true
             shift
         ;;
+        --stop)
+            STOP_SERVICES=true
+            shift
+        ;;
         --archive=*)
             RESTORE_ARCHIVE="${i#*=}"
             shift
@@ -126,7 +130,7 @@ export DOMAIN_NAME="$DOMAIN_NAME"
 export REGISTRY_DOCKER_IMAGE="registry:2"
 export RESTORE_ARCHIVE="$RESTORE_ARCHIVE"
 export RESTORE_WWW="$RESTORE_WWW"
-
+export STOP_SERVICES="$STOP_SERVICES"
 export BACKUP_CERTS="$BACKUP_CERTS"
 export BACKUP_APPS="$BACKUP_APPS"
 export RESTORE_BTCPAY="$RESTORE_BTCPAY"
@@ -435,9 +439,9 @@ export SITE_LANGUAGE_CODES="en"
 export DUPLICITY_BACKUP_PASSPHRASE="$(new_pass)"
 #export BTCPAY_HOSTNAME_IN_CERT="store"
 export DEPLOY_GHOST=true
-export DEPLOY_NEXTCLOUD=true
+export DEPLOY_NEXTCLOUD=false
 export DEPLOY_NOSTR_RELAY=true
-export NOSTR_ACCOUNT_PUBKEY="CHANGE_ME"
+export NOSTR_ACCOUNT_PUBKEY="NOSTR_IDENTITY_PUBKEY_GOES_HERE"
 export DEPLOY_GITEA=false
 #export DEPLOY_ONION_SITE=false
 export GHOST_MYSQL_PASSWORD="$(new_pass)"
diff --git a/deployment/www/go.sh b/deployment/www/go.sh
index 41744e8..c83ac9e 100755
--- a/deployment/www/go.sh
+++ b/deployment/www/go.sh
@@ -64,7 +64,7 @@ for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
         if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
             echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
             exit 1
-        fi    
+        fi
     fi
 
     if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
@@ -114,15 +114,13 @@ if [ "$DEPLOY_ONION_SITE" = true ]; then
     # fi
 fi
 
-bash -c ./stub/nginx_yml.sh
+./stub/nginx_yml.sh
 
-sleep 3
+./stub/ghost_yml.sh
 
-bash -c ./stub/ghost_yml.sh
+./stub/nextcloud_yml.sh
 
-sleep 3
-
-bash -c ./stub/gitea_yml.sh
+./stub/gitea_yml.sh
 
 
 # # start a browser session; point it to port 80 to ensure HTTPS redirect.
diff --git a/deployment/www/stop_docker_stacks.sh b/deployment/www/stop_docker_stacks.sh
index a6999fb..0d4d27c 100755
--- a/deployment/www/stop_docker_stacks.sh
+++ b/deployment/www/stop_docker_stacks.sh
@@ -14,7 +14,7 @@ for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
     source ../../domain_env.sh
 
     ### Stop all services.
-    for APP in ghost gitea; do
+    for APP in ghost nextcloud gitea; do
         # backup each language for each app.
         for LANGUAGE_CODE in ${SITE_LANGUAGE_CODES//,/ }; do
             STACK_NAME="$DOMAIN_IDENTIFIER-$APP-$LANGUAGE_CODE"
@@ -52,6 +52,11 @@ done
 if docker stack list --format "{{.Name}}" | grep -q reverse-proxy; then
     docker stack rm reverse-proxy
 
+    if [ "$STOP_SERVICES" = true ]; then
+        echo "STOPPING as indicated by the --stop flag."
+        exit 1
+    fi
+
     # wait for all docker containers to stop.
     # TODO see if there's a way to check for this.
     sleep 10
diff --git a/deployment/www/stub/nextcloud_yml.sh b/deployment/www/stub/nextcloud_yml.sh
old mode 100644
new mode 100755
index 818f81d..d427231
--- a/deployment/www/stub/nextcloud_yml.sh
+++ b/deployment/www/stub/nextcloud_yml.sh
@@ -1,48 +1,82 @@
+#!/bin/bash
+
+set -exu
+cd "$(dirname "$0")"
 
 
+
+for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
+    export DOMAIN_NAME="$DOMAIN_NAME"
+    export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
+
+    # source the site path so we know what features it has.
+    source ../../../reset_env.sh
+    source "$SITE_PATH/site_definition"
+    source ../../../domain_env.sh
+
+    # ensure remote directories exist
     if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/data"
-        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/logs"
-        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/html"
+
+        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/$DOMAIN_NAME/en/db"
+        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/$DOMAIN_NAME/en/html"
+
+        sleep 2
+
+        WEBSTACK_PATH="$SITE_PATH/webstack"
+        mkdir -p "$WEBSTACK_PATH"
+        export DOCKER_YAML_PATH="$WEBSTACK_PATH/nextcloud-en.yml"
+
+        # here's the NGINX config. We support ghost and nextcloud.
+        cat > "$DOCKER_YAML_PATH" <<EOL
+version: "3.8"
+services:
+
+  ${NEXTCLOUD_STACK_TAG}:
+    image: ${NEXTCLOUD_IMAGE}
+    networks:
+      - nextcloud-${DOMAIN_IDENTIFIER}-en
+      - nextclouddb-${DOMAIN_IDENTIFIER}-en
+    volumes:
+      - ${REMOTE_HOME}/nextcloud/${DOMAIN_NAME}/en/html:/var/www/html
+    environment:
+      - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_HOST=${NEXTCLOUD_DB_STACK_TAG}
+      - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN_NAME}
+      - OVERWRITEHOST=${NEXTCLOUD_FQDN}
+      - OVERWRITEPROTOCOL=https
+      - SERVERNAME=${NEXTCLOUD_FQDN}
+    deploy:
+      restart_policy:
+        condition: on-failure
+
+  ${NEXTCLOUD_DB_STACK_TAG}:
+    image: ${NEXTCLOUD_DB_IMAGE}
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
+    networks:
+      - nextclouddb-${DOMAIN_IDENTIFIER}-en
+    volumes:
+      - ${REMOTE_HOME}/nextcloud/${DOMAIN_NAME}/en/db:/var/lib/mysql
+    environment:
+       - MARIADB_ROOT_PASSWORD=\${NEXTCLOUD_MYSQL_ROOT_PASSWORD}
+       - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
+       - MYSQL_DATABASE=nextcloud
+       - MYSQL_USER=nextcloud
+    deploy:
+      restart_policy:
+        condition: on-failure
+
+networks:
+    nextcloud-${DOMAIN_IDENTIFIER}-en:
+      name: "reverse-proxy_nextcloudnet-$DOMAIN_IDENTIFIER-$LANGUAGE_CODE"
+      external: true
+
+    nextclouddb-${DOMAIN_IDENTIFIER}-en:
+
+EOL
+
+        docker stack deploy -c "$DOCKER_YAML_PATH" "$DOMAIN_IDENTIFIER-nextcloud-en"
+
     fi
-
-
-
-#     if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-#         cat >>"$NGINX_CONF_PATH" <<EOL
-#     # TLS listener for ${NEXTCLOUD_FQDN}
-#     server {
-#         listen 443 ssl http2;
-#         listen [::]:443 ssl http2;
-
-#         ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
-#         ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
-#         ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
-
-#         server_name ${NEXTCLOUD_FQDN};
-        
-#         location / {
-#             proxy_headers_hash_max_size 512;
-#             proxy_headers_hash_bucket_size 64;
-#             proxy_set_header X-Real-IP \$remote_addr;
-#             proxy_set_header Host \$host;
-#             proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-#             proxy_set_header X-Forwarded-Proto \$scheme;
-#             proxy_set_header X-NginX-Proxy true;
-            
-#             proxy_pass http://nextcloud:80;
-#         }
-                    
-#         # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html
-#         location /.well-known/carddav {
-#             return 301 \$scheme://\$host/remote.php/dav;
-#         }
-
-#         location /.well-known/caldav {
-#             return 301 \$scheme://\$host/remote.php/dav;
-#         }
-#     }
-# EOL
-
-#     fi
-
+done
\ No newline at end of file
diff --git a/deployment/www/stub/nginx_config.sh b/deployment/www/stub/nginx_config.sh
index d703c5b..1ad0404 100755
--- a/deployment/www/stub/nginx_config.sh
+++ b/deployment/www/stub/nginx_config.sh
@@ -395,6 +395,48 @@ EOL
 
 EOL
 
+
+    if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
+    # TLS listener for ${NEXTCLOUD_FQDN}
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+
+        ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
+        ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
+        ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
+
+        server_name ${NEXTCLOUD_FQDN};
+        
+        location / {
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 64;
+            proxy_set_header X-Real-IP \$remote_addr;
+            proxy_set_header Host \$host;
+            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto \$scheme;
+            proxy_set_header X-NginX-Proxy true;
+            
+            proxy_pass http://${NEXTCLOUD_STACK_TAG}:80;
+        }
+                    
+        # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html
+        location /.well-known/carddav {
+            return 301 \$scheme://\$host/remote.php/dav;
+        }
+
+        location /.well-known/caldav {
+            return 301 \$scheme://\$host/remote.php/dav;
+        }
+    }
+EOL
+
+    fi
+
+
+
+
 # TODO this MIGHT be part of the solution for Twitter Cards.
         # location /contents {
         #     resolver 127.0.0.11 ipv6=off valid=5m;
diff --git a/deployment/www/stub/nginx_yml.sh b/deployment/www/stub/nginx_yml.sh
index e5afff0..b48698e 100755
--- a/deployment/www/stub/nginx_yml.sh
+++ b/deployment/www/stub/nginx_yml.sh
@@ -36,10 +36,17 @@ EOL
         
             if [ "$LANGUAGE_CODE" = en ]; then
                 if [ "$DEPLOY_GITEA" = "true" ]; then
-                cat >> "$DOCKER_YAML_PATH" <<EOL
+                    cat >> "$DOCKER_YAML_PATH" <<EOL
         - giteanet-$DOMAIN_IDENTIFIER-en
 EOL
                 fi
+
+                if [ "$DEPLOY_NEXTCLOUD" = "true" ]; then
+                    cat >> "$DOCKER_YAML_PATH" <<EOL
+        - nextcloudnet-$DOMAIN_IDENTIFIER-en
+EOL
+
+                fi
             fi
 
         done
@@ -97,6 +104,14 @@ EOL
   giteanet-$DOMAIN_IDENTIFIER-en:
     attachable: true
 
+EOL
+        fi
+
+        if [ "$DEPLOY_NEXTCLOUD" = "true" ]; then
+            cat >> "$DOCKER_YAML_PATH" <<EOL
+  nextcloudnet-$DOMAIN_IDENTIFIER-en:
+    attachable: true
+
 EOL
         fi
 
diff --git a/deployment/www/stub_docker_yml.sh b/deployment/www/stub_docker_yml.sh
index ddbd22d..1abab71 100755
--- a/deployment/www/stub_docker_yml.sh
+++ b/deployment/www/stub_docker_yml.sh
@@ -10,7 +10,7 @@
 #         cat >>"$DOCKER_YAML_PATH" <<EOL
 #   nextcloud-db:
 #     image: ${NEXTCLOUD_DB_IMAGE}
-#     command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
+#     command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --log-bin --innodb_read_only_compressed=OFF
 #     networks:
 #       - nextclouddb-net
 #     volumes:
diff --git a/domain_env.sh b/domain_env.sh
index b831a11..bbe55a1 100755
--- a/domain_env.sh
+++ b/domain_env.sh
@@ -28,3 +28,7 @@ export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
 export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
 
 export LANGUAGE_CODE_COUNT=$(("$(echo "$SITE_LANGUAGE_CODES" | tr -cd , | wc -c)"+1))
+
+STACK_NAME="$DOMAIN_IDENTIFIER-en"
+export NEXTCLOUD_STACK_TAG="nextcloud-$STACK_NAME"
+export NEXTCLOUD_DB_STACK_TAG="nextclouddb-$STACK_NAME"
diff --git a/reset_env.sh b/reset_env.sh
index ac0299f..da662c4 100755
--- a/reset_env.sh
+++ b/reset_env.sh
@@ -6,7 +6,7 @@ export DOMAIN_NAME=
 export DUPLICITY_BACKUP_PASSPHRASE=
 export BTCPAY_HOSTNAME_IN_CERT=
 export DEPLOY_GHOST=true
-export DEPLOY_NEXTCLOUD=true
+export DEPLOY_NEXTCLOUD=false
 export DEPLOY_NOSTR_RELAY=true
 export NOSTR_ACCOUNT_PUBKEY=
 export DEPLOY_GITEA=false