diff --git a/machines/gerd/services/monitoring/default.nix b/machines/gerd/services/monitoring/default.nix
index bfa3f65..9704826 100644
--- a/machines/gerd/services/monitoring/default.nix
+++ b/machines/gerd/services/monitoring/default.nix
@@ -13,5 +13,6 @@
     ./mon-forgejo.nix
     ./mon-uptime-kuma.nix
     ./mon-searx.nix
+    ./mon-nextcloud.nix
   ];
 }
diff --git a/machines/gerd/services/monitoring/mon-nextcloud.nix b/machines/gerd/services/monitoring/mon-nextcloud.nix
new file mode 100644
index 0000000..823f4fb
--- /dev/null
+++ b/machines/gerd/services/monitoring/mon-nextcloud.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let
+  # occ bin
+  occ = config.services.nextcloud.occ + "/bin/nextcloud-occ";
+
+  nextcloudSetupServerinfoToken = pkgs.writeShellScript "nextcloud-setup-serverinfo-token.sh" ''
+    # set serverinfo_token
+    SERVERINFO_TOKEN="$(cat $CREDENTIALS_DIRECTORY/nextcloud-serverinfo-token)"
+    ${occ} config:app:set serverinfo token --value "$SERVERINFO_TOKEN" > /dev/null 2>&1 
+  '';
+in {
+  systemd.services.nextcloud-setup = {
+    # runs this after all the main nextcloud-setup stuff
+    script = lib.mkAfter ''
+      ${nextcloudSetupServerinfoToken}
+    '';
+
+    # setup credentials for service
+    serviceConfig.LoadCredential = [
+      "nextcloud-serverinfo-token:${config.age.secrets.nextcloud-serverinfo-token.path}"
+    ];
+  };
+
+  services.prometheus.exporters.nextcloud = {
+    enable = true;
+    listenAddress = "localhost";
+    tokenFile = config.age.secrets.nextcloud-serverinfo-token.path;
+    url = let
+      scheme = if config.services.nextcloud.https then "https" else "http";
+    in "${scheme}://${config.services.nextcloud.hostName}";
+  };
+
+  # setup permissions
+  age.secrets.nextcloud-serverinfo-token.owner = config.services.prometheus.exporters.nextcloud.user;
+
+  services.prometheus.scrapeConfigs = [
+    {
+      job_name = "nextcloud";
+      static_configs = [{
+        targets = [ "localhost:${builtins.toString config.services.prometheus.exporters.nextcloud.port}" ];
+      }];
+    }
+  ];
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index 795e8d4..23e56f8 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -34,6 +34,7 @@
     nextcloud-admin-pass.file = ./nextcloud/admin-pass.age;
     nextcloud-secrets.file = ./nextcloud/secrets.age;
     nextcloud-smtp-pass.file = ./nextcloud/smtp-pass.age;
+    nextcloud-serverinfo-token.file = ./nextcloud/serverinfo-token.age;
 
     # stalwart
     stalwart-admin-fallback-password.file = ./stalwart/admin-fallback-password.age;
diff --git a/secrets/nextcloud/serverinfo-token.age b/secrets/nextcloud/serverinfo-token.age
new file mode 100644
index 0000000..c1da5c4
Binary files /dev/null and b/secrets/nextcloud/serverinfo-token.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e18b798..06414b1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -44,6 +44,7 @@ in
   "nextcloud/admin-pass.age".publicKeys = defaultAccess;
   "nextcloud/secrets.age".publicKeys = defaultAccess;
   "nextcloud/smtp-pass.age".publicKeys = defaultAccess;
+  "nextcloud/serverinfo-token.age".publicKeys = defaultAccess;
 
   # mailserver/stalwart
   "stalwart/admin-fallback-password.age".publicKeys = defaultAccess;