diff --git a/machines/gerd/services/lldap/default.nix b/machines/gerd/services/lldap/default.nix
index 476fb1b..9115f69 100644
--- a/machines/gerd/services/lldap/default.nix
+++ b/machines/gerd/services/lldap/default.nix
@@ -246,10 +246,12 @@ in {
     mkProvisionEmail = name: "${name}@${config.mine.shared.settings.domain}";
     mkProvisionUserNormal = name: config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
       user_id = name;
+      display_name = name; # required for nextcloud
       membermail = mkProvisionEmail name;
       mail = "env:EMAIL_${lib.toUpper name}";
       groups = [ lconfig.groups.member ];
       membermaildiskquota = 100*1024*1024; # mb
+      nextcloudquota = 5*1024*1024; # mb
     });
 
     mkProvisionUserSystem = name: password_file: config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
@@ -261,11 +263,21 @@ in {
       membermaildiskquota = 10*1024*1024; # mb
     });
 
+    mkProvisionUserSystemExt = name: password_file: custom_attrs: lib.recursiveUpdate (config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
+      user_id = name;
+      membermail = mkProvisionEmail name;
+      password = "file:${password_file}";
+      groups = [ lconfig.groups.system_mail lconfig.groups.system_service ];
+      membermaildiskquota = 10*1024*1024; # mb
+    })) custom_attrs;
+
     mkProvisionUserAdmin = name: config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
       user_id = name;
+      display_name = name; # required for nextcloud
       membermail = mkProvisionEmail name;
       groups = [ lconfig.groups.admin lconfig.groups.member ];
       membermaildiskquota = 100*1024*1024; # mb
+      nextcloudquota = 100*1024*1024; # mb
     });
   };
 
diff --git a/machines/gerd/services/lldap/provision.nix b/machines/gerd/services/lldap/provision.nix
index 2792d8c..b80df2c 100644
--- a/machines/gerd/services/lldap/provision.nix
+++ b/machines/gerd/services/lldap/provision.nix
@@ -59,6 +59,9 @@
         membermaildiskquota = {
           attributeType = "INTEGER";
         };
+        nextcloudquota = {
+          attributeType = "INTEGER";
+        };
       };
 
     });
diff --git a/machines/gerd/services/nextcloud.nix b/machines/gerd/services/nextcloud.nix
index 598ce21..a3387aa 100644
--- a/machines/gerd/services/nextcloud.nix
+++ b/machines/gerd/services/nextcloud.nix
@@ -3,7 +3,7 @@
 let
   svc_domain = "nextcloud.${config.mine.shared.settings.domain}";
 
-  default_storage_quota = "100MB";
+  default_storage_quota = "1mb";
 
   # place data into own zfs dataset
   stateDir = config.mine.zfsMounts."rpool/safe/svcs/nextcloud";
@@ -59,6 +59,8 @@ let
       ldapUserFilterMode = 1;
       ldapExpertUsernameAttr = config.mine.shared.settings.ldap.attr.uid;
       ldapConfigurationActive = 1;
+      ldapQuotaDefault = 1;
+      ldapQuotaAttribute = config.mine.shared.settings.ldap.attr.nextcloudquota;
     };
     ldap_commands = lib.mapAttrsToList (n: v: "${occ} ldap:set-config $NEW_CONFIG_ID ${n} '${builtins.toString v}'") ldap_settings;
   in pkgs.writeShellScript "nextcloud-add-ldap.sh" ''