diff --git a/type/__nextcloud/explorer/config b/type/__nextcloud/explorer/config
new file mode 100755
index 0000000..6637ad6
--- /dev/null
+++ b/type/__nextcloud/explorer/config
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+# __nextcloud/explorer/config
+
+# Checks the nextcloud configuration
+
+
+# Get the installdir
+installdir="/$__object_id"
+
+# Check if the tools are available
+if [ -d "$installdir" ]; then
+ cd "$installdir"
+
+ # if those files exist, everything should be good
+ if [ -f "occ" ] && [ -f "config/config.php" ]; then
+ # Dump out config instead of fuzz every possible option through
+ # `occ config:system:get`. Or parse through the whole json or
+ # yaml-like output of `occ config:list system --private`.
+ #
+ # shellcheck disable=SC2016 # cause of the php inline code
+ php -r 'require("lib/private/Config.php"); $config = new OC\Config("config/");
+ function printv($key, $value) {printf("%s = %s\n", $key, $value);}
+ foreach($config->getKeys() as $key){
+ $value = $config->getValue($key);
+ if(is_array($value)) foreach($value as $n => $in) printv($n."|".$key, $in);
+ else printv($key, $value);
+ };'
+ fi
+fi
diff --git a/type/__nextcloud/explorer/version b/type/__nextcloud/explorer/version
new file mode 100755
index 0000000..1e1cda9
--- /dev/null
+++ b/type/__nextcloud/explorer/version
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+# __nextcloud/explorer/version
+
+# Check the currently installed version. Outputs nothing if nothing found.
+
+
+# Get the install directory
+installdir="/$__object_id"
+
+# Check if the installation directory exists
+if [ -d "$installdir" ]; then
+ cd "$installdir"
+
+ # if those files exist, everything should be good
+ if [ -f "occ" ] && [ -f "version.php" ]; then
+ # Detect php version with the version file.
+ # shellcheck disable=SC2016 # cause of the php inline code
+ php -r 'require("version.php"); print($OC_VersionString);'
+ fi
+fi
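Review bot: Both explorers call `php -r 'require(...)'` on files under `$installdir` with the privileges of the explorer itself, while gencode-remote hands that whole tree to the web user with `chown '$user':'$group' -R '$installdir'`. If explorers run as root, which is the usual cdist setup, any process that can write as the web user can change `version.php` or `lib/private/Config.php` and have it executed as root on the next run. The __nextcloud_app explorer already drops privileges with `su -s /bin/sh -l "$www_user"`; the same wrapper fed from `$__object/parameter/user` would fit both `explorer/config` and `explorer/version`. Separately, the config dump iterates every key, so it carries values such as `dbpassword`, `secret` and `passwordsalt` into the explorer output; a comment above the `php -r` call should say that this output must be handled as a secret on the config host.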
diff --git a/type/__nextcloud/gencode-remote b/type/__nextcloud/gencode-remote
new file mode 100755
index 0000000..6812c68
--- /dev/null
+++ b/type/__nextcloud/gencode-remote
@@ -0,0 +1,257 @@ +#!/bin/sh -e +# __nextcloud/gencode-remote + +# Install if not installed + +# Legacy: +# curl -sS -L '$nextcloud_uri' | tar xj --strip-components=1 nextcloud/ + + +# Call the nextcloud occ script as the designed user. Maybe this can be a bit +# more effictive with user switching, but currently the easiest way of doing +# it. +# +# All arguments are directly passed to occ (injection alarm ;-) ) +occ() { + # su creates a new shell, so it does not affect the current session + # will not use -q as it supresses errors, too + cat << SHELL +su -s /bin/sh -l "$user" -- -e <<'SU' +cd '$installdir' && php occ --no-warnings --no-interaction --no-ansi $@ +SU +SHELL +} + +# Turn the maintainer mode on, but print it only once at all. +# +# No arguments. +occ_maintainer_mode_on() { + # Check if this was not already done + if [ "$_maintainer_mode_on" != "yes" ]; then + occ maintenance:mode --on + _maintainer_mode_on="yes" + fi +} + +# Print the value of the given configuration. +# +# Arguments: +# 1: the nextcloud configuration name +getparam() { + awk -v FS=" = " -v name="$1" ' + function ntostring(n) { ret=""; for(i=n; i<=NF; i++) ret=ret $i (i> "$__messages_out" + +# Apply some misc to the installation folder. +elif [ "$install" ]; then + # Maintainer mode is not available before installation + + # Correct all file permissions of the new installation + cat << REMOTE +chown '$user':'$group' -R '$installdir' +REMOTE +fi + + +# Check if the nextcloud application needs to be installed. +# This checks the state of the configuration, not of the directory. +# +# shellcheck disable=SC2089 # disabled to write args string +if ! grep -q -F "installed = 1" "$__object/explorer/config"; then + # argument construction + occ_install_args="" + + # Error function if value not found + die_err() { + echo "parameter not found but required; can't continue!!" 
>&2 + exit 1 + } + # Database setup for mysql and pgsql + db_setup() { + # add type and other database values + occ_install_args="$occ_install_args --database '$1'" + occ_install_args="$occ_install_args --database-host '$(cat "$__object/parameter/database-host" || die_err)'" + occ_install_args="$occ_install_args --database-name '$(cat "$__object/parameter/database-name" || die_err)'" + occ_install_args="$occ_install_args --database-user '$(cat "$__object/parameter/database-user" || die_err)'" + occ_install_args="$occ_install_args --database-pass '$(cat "$__object/parameter/database-password" || die_err)'" + + db_prefix="$__object/parameter/database-prefix" + if [ -f "$db_prefix" ]; then + occ_install_args="$occ_install_args --database-table-prefix '$(cat "$db_prefix")'" + fi + } + + database_type="$(cat "$__object/parameter/database-type")" + case "$database_type" in + sqlite3) + occ_install_args="$occ_install_args --database sqlite" + ;; + mysql) + db_setup mysql + ;; + pgsql) + db_setup pgsql + ;; + + *) + printf "Database type '%s' is unkown!\n" "$database_type" >&2 + exit 3 + ;; + esac + + # Admin stuff + occ_install_args="$occ_install_args --admin-pass '$(cat "$__object/parameter/admin-password")'" + + admin_user="$__object/parameter/admin-user" + if [ -f "$admin_user" ]; then + occ_install_args="$occ_install_args --admin-user '$(cat "$admin_user")'" + fi + admin_email="$__object/parameter/admin-email" + if [ -f "$admin_email" ]; then + occ_install_args="$occ_install_args --admin-email '$(cat "$admin_email")'" + fi + + # Data directory + datadir="$__object/parameter/data-directory" + if [ -f "$datadir" ]; then + occ_install_args="$occ_install_args --data-dir '$(cat "$datadir")'" + fi + + + # Execute the install command. 
+ # generated parameters will be splited in the remote shell + occ maintenance:install "$occ_install_args" + + # send install message + echo installed >> "$__messages_out" +fi + + +# Handle the config +mkdir "$__object/files" +"$__type/map-conf-changes.sh" > "$__object/files/conf-cmds" + +# only print if there are changes listed +if [ -s "$__object/files/conf-cmds" ]; then + # save that we did changes + changes="yes" + occ_maintainer_mode_on + + # print change commands incl. the switch of user context + # using -e to abort if the commands failed + printf "su -s /bin/sh -l '%s' -- -e << 'SU'\n" "$user" + printf "cd '%s'\n" "$installdir" + cat "$__object/files/conf-cmds" + printf "SU\n" +fi + + +# Get the current and future data directory +data_old="$(getparam datadirectory)" +data_new="$(cat "$__object/parameter/data-directory" 2>/dev/null || printf "%s/data" "$installdir")" + +# Move if they should be moved. Avoid false positives if $data_old is empty +if [ "$data_old" ] && [ "$data_old" != "$data_new" ]; then + # save that we did changes + changes="yes" + occ_maintainer_mode_on + + # Change the configuration variable and then move the folder. This order is + # important if SQLite is used, but the config already corrupted if it can + # not be moved. + occ config:system:set datadirectory --type=string --value "'$data_new'" + cat << REMOTE +cd '$installdir' # only for the users safety + +rm -rf '$data_new' +mkdir -p '$(dirname "$data_new")' # if the parent not exists +mv -T '$data_old' '$data_new' + +REMOTE +fi + +# Print configured message if changes where done to the configuration +if [ "$changes" ]; then + echo configured >> "$__messages_out" +fi + + +# Check if this is the fist install +if [ "$install" ]; then + # do some convert stuff etc. 
+ + # variable accessible from the last $install if-clause + case "$database_type" in + mysql) + # only available for mysql + occ db:convert-mysql-charset + ;; + esac + + occ db:convert-filecache-bigint +fi + +# Disable maintainer mode +if [ "$_maintainer_mode_on" = "yes" ]; then + occ maintenance:mode --off +fi diff --git a/type/__nextcloud/man.rst b/type/__nextcloud/man.rst new file mode 100644 index 0000000..1e0238d --- /dev/null +++ b/type/__nextcloud/man.rst 
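Review bot: Parameter values are pasted between single quotes in the generated remote code (`--admin-pass '$(cat ...)'`, `--database-pass '...'`, `--value "'$data_new'"`, `rm -rf '$data_new'`), so a value containing `'` ends the quoting and the remainder is parsed by the remote shell as code. The header comment of `occ()` already admits the injection risk, and passwords are exactly the values likely to contain a quote. Escape embedded quotes before wrapping, for example with a helper `quote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }`, and use it for every interpolated value. The same pattern appears in map-conf-changes.sh (`--value='%s'`, `--password '%s'`) and in the __nextcloud_app gencode-remote (`"'$appid'"`). The install and migration commands also place the admin and database passwords on the occ command line, where other local users can read them from the process list while the command runs.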
@@ -0,0 +1,294 @@ +cdist-type__nextcloud(7) +======================== + +NAME +---- +cdist-type__nextcloud - Installs and manages a nextcloud instance + + +DESCRIPTION +----------- +This type installs, upgrades and configure a nextcloud instance. The object +id is the absolute path for the installation directory. Nextcloud will be +installed unter that directory. + + +REQUIRED PARAMETERS +------------------- +version + The version that should be installed. If it is already installed and the + installed version lower, it will upgrade nextcloud if ``--install-only`` is + not set. + + You get version numbers from the `official changelog + `_ or from the `GitHub Releases + `_ page. The type will + download the tarball over the official nextcloud website. + + The type will never downgrade a nextcloud instance. Rather, it will fail, + as this is a missconfiguration. Downgrades are not recommended and + supported by upstream. Such cases can happen if the nextcloud instance was + upgraded via the built-in nextcloud installer. In such cases, it is + recommended to use the ``--install-only`` option. + +admin-password + The administrator password to access the nextcloud instance. Must be given + in plain text. This parameter has no effect if nextcloud will not be + installed. + + +OPTIONAL PARAMETERS +------------------- +mode + Sets the unix file mode of the nextcloud directory. This is not inherited + to child files or folders. Defaults to `755`. + +user + The user which owns the complete nextcloud directory. The php application + should be executed with this user. All nextcloud commands will be executed + with this user. This type will not create the unix user. + + The type assumes the default `www-data` user, which is common on Debian + systems. **If you change this option, please do the same with the group + parameter!** + +group + The group all files and folders of the nextcloud installation should have. + Defaults to `www-data`. Should be changed with ``--user``. 
+ + +BOOLEAN PARAMETERS +------------------ +install-only + Skips all nextcloud upgrades done by this type. Should be used when + nextcloud upgrades are (*exclusively*) done via the built-in updater. + + +NEXTCLOUD CONFIG PARAMETERS +--------------------------- +host + All hostnames where the the users can log into nextcloud. If you access + nextcloud via a hostname not given to this list, the access fails. This + parameter can be set multiple times. + +admin-user + The username of the administrative user which will be created while the + installation. If not set, nextcloud defaults to "admin". This parameter has + no effect if nextcloud will not be installed. + +admin-email + The email address of the administrative user. This parameter has no effect + if nextcloud will not be installed. + +data-directory + This will set or change the data directory where nextcloud will keep all + its data, including the SQLite database if any. By default, it will be + saved in the ``data`` directory below the nextcloud directory. + + If this directory change, this type will move the old location to the new + one to preserve all data. This is not supported by upstream, as some apps + may not handle this. + +database-type + Sets the type of database that should be used as backend. Possible backends + are: + + SQLite + Use ``sqlite3`` as value. Saves everything in a database file + stored in the data directory. It is only recommended for very small + installations or test environments from upstream. + + *All further database options are ignored if SQLite is selected as + database backend.* + + MariaDB + Use ``mysql`` as value. MariaDB and MySQL are threated the same + way. They are the recommended database backends recommended from + upstream. + + PostgreSQL + Use ``pgsql`` as value. 
+ + **This parameter defaults to the SQLite database backend, as it is the + simplest one to setup and do not require extra parameters.** + + If this parameter change, the type will migrate to the new database type. + It will not work for SQLite because the upstream migration script does not + support it. **Be aware that migrations take there time, plan at minimum + 40 seconds of migration for a stock installation.** + +database-host + The database host to connect to. Possible are hostnames, ip addresses or + UNIX sockets. UNIX sockets must set in the format of + ``localhost:/path/to/socket``. If an non-standard port is used, set it + after the hostname or ip address seperated by an colon (``:``). If this + value is not set, nextcloud defaults to the value ``localhost``. + + This type will not migrate data if the type does not change. You must do + this manually by setting the maintainer mode (to avoid data changes) and + then cloning the database to the new destination. After that, run cdist to + apply the config changes. It should automaticly remove the maintainer mode. + +database-name + The name of the database to connect to. Required if MariaDB or PostgreSQL + is used. + +database-user + The username to access the database. Required if MariaDB or PostgreSQL is + used. + +database-password + The password required to authorize the given user. Required if MariaDB or + PostgreSQL is used. + +database-prefix + The table prefix used by nextcloud. If nothing set, nextcloud defaults to + ``oc_``. + + +MESSAGES +-------- +installed + Nextcloud was successfully installed. + +upgraded $old to $new + The nextcloud version was upgraded from `$old` to `$new`. + +configured + Nextcloud configuration was changed. + + +ABORTS +------ +Aborts in the following cases: + +The current installed version is greather than the version that should be +installed. See the parameter description of `--version` for detailed +information. 
The problem can be fixed by bumping the version value to at least +the version that is currently installed or use the parameter `--install-only`. + +It may abort if the data directory can not be moved correctly. Then, the +nextcloud configuration is broken and must be resolved manually: Move the data +directory to the correct location or change the configuration to point to the +old destination and retry. + +It aborts if it should migrate to a SQLite database. This will be done before +the upstream migration script is executed, as it would throw the same error. + +The explorers will abort if they found a valid nextcloud installation, but no +installed `php`. Currently, this is intended behaviour, because it can not +safely get the current nextcloud version, also do not get the nextcloud +configuration. For more information, see the *NOTES section*. + + +EXAMPLES +-------- + +.. code-block:: sh + + # minimal nextcloud installation with sqlite and other defaults + # please only use sqlite for minimal or test installations as recommend :) + __nextcloud /var/www/html/nextcloud --version 20.0.0 \ + --admin-password "iaminsecure" \ + --host localhost --host nextcloud + + # installation under the webroot + __nextcloud /var/www/html/ --version 20.0.0 + --admin-password "notthatsecure" --host mycloud.example.com + + # more extensive configuration + __nextcloud /var/www/cloud --version 20.0.0 --admin-password "iaminsecure" \ + --host localhost --host nextcloud --host 192.168.1.67 \ + --data-directory /var/lib/nextcloud/what \ + --database-type mysql --database-host "localhost" --database-name "nextcloud" \ + --database-user "test" --database-password "not-a-good-password" + + +NOTES +----- +This cdist type does not cover all configuration options that nextcloud offer. +If you need more configuration options for nextcloud, you are welcome to extend +this type and contribute it upstream! 
+ +- `Nextcloud configuration reference + `_ + +Currently, the state of this object is always `present`. So it will always be +installed without the option to uninstall it again (`absent`). This was done +because it will not be a common demand to uninstall nextcloud again. If you +need to toggle the state, you are welcome to contirbute! + +Parameters given for the admin user which will be set up at installation time +(`--admin-*` ones) are not applied if nextcloud will not be installed. +Therefor, parameter changes are not applied to the installation. Currently not +implemented - but possible - is to use the type +:strong:`cdist-type__nextcloud_user`\ (7) to do all the later work. + +Database migration is only partly supported if the database will be changed to +``mysql`` or ``pgsql``, because it is supported by an upstream script. You are +welcome to extend this type for database migrations between the same database +type. For an implementation, you may use shell utilites like ``mysqldump(1)`` +(be aware that this may not already be installed) or use the already installed +php code to migrate. + +The type will abort if a valid nextcloud directory already exists in the +explorer execution, but no `php` exists to explore the setup. Therefor, the +manifest could not install `php` yet. This is not the case for a new +installation, as there does not exist a nextcloud directory with a valid +structure. While some code could be skipped and the other replaced with `awk` +with something like +``awk '$1 == "$OC_VersionString" {gsub(/['\'';]/, "", $3); print $3}' version.php``, +it is not handled for the following cases: + +1. This case should not happen very often. +2. Maybe because of ``libapache2-mod-php`` or ``php-fpm``, `php` already + exists for the cli. +3. While the `awk` replacement for the version is just a bit worser, it would + bring stable results, while it would be more difficult to dump out the + configuration without custom `php` or the help from ``php occ``. 
Therefor, + it would make false assumptions like it want to install nextcloud again, + do not delete configuration options and set all available nextcloud options + that are available through this type. + +If the nextcloud installation does not work and you stuck in a plaintext error +screen, try to restart your Apache WWW server first! This type will install all +php dependencies, but there are not recognised by the server-internal php +environment. This can happen after a database migration between different +database types, as it installs the database module only when it is required. + +If the tarball needs to be downloaded, it will be directly downloaded into the +directory ``/tmp`` and will be unpacked to the destination for an installation +or to the same directory but prefixed with a dot for an update. It will +download it into the temp directory because it does not find a better location. +In legacy, it was downloaded to the parent directory, but this may not the best +location as the installation dir can be everywhere. + +This type does not garantee to always show the maintenance mode screen because +nextcloud does not show it in every case: + +1. For fresh installations, the maintenance mode can not be set. +2. While upgrades starting at version 20, the user is promted to execute the + update manually via the webinterface instead of the maintenance screen. + +It is recommended to show an own maintanance screen via the webserver if this +is critical for you. + + +SEE ALSO +-------- +`Nextcloud documentation `_ + +:strong:`cdist-type__nextcloud_user`\ (7) + + +AUTHORS +------- +Matthias Stecher + + +COPYING +--------- +Copyright \(C) 2020 Matthias Stecher. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. 
diff --git a/type/__nextcloud/manifest b/type/__nextcloud/manifest
new file mode 100755
index 0000000..90508d8
--- /dev/null
+++ b/type/__nextcloud/manifest
@@ -0,0 +1,134 @@ +#!/bin/sh -e +# __nextcloud/manifest + + +# Version compare function original from __sensible_editor +# +# Arguments: +# 1: version of which $2 should be checked against +# 2: version which should be bigger than or equal with $1 +# +# Return code: +# 0: $1 is bigger than $2 +# 1-n: $1 is smaller than or equal $2 +version_ge() { + printf "%s" "$1" | awk -F '[^0-9.]' -v target="$2" ' + function max(x, y) { return x > y ? x : y } + BEGIN { + getline + nx = split($1, x, ".") + ny = split(target, y, ".") + for (i = 1; i <= max(nx, ny); ++i) { + diff = int(x[i]) - int(y[i]) + if (diff == 0) continue + exit (diff < 0) + } + exit 1 + }'; return $? +} + + +# Check support status +os="$(cat "$__global/explorer/os")" + +case "$os" in + debian|ubuntu) + # PHP main + __package php-cli + # to unpack the package + __package bzip2 + # install misc packages for nextcloud + __package ffmpeg + + # PHP modules + for package in php-gd php-json php-mysql php-curl php-mbstring php-intl \ + php-imagick php-xml php-zip php-bz2 php-bcmath php-gmp + do + require="__package/php-cli" __package $package + done + + # check support database additions (but don't remove junk of old ones) + case "$(cat "$__object/parameter/database-type")" in + sqlite|sqlite3) + __package php-sqlite3 + ;; + mysql|mariadb) + __package php-mysql + ;; + pgsql|postgres|postgresql) + __package php-pgsql + ;; + esac + ;; + + # unkown distro - what to install? + *) + printf "unkown %s, don't know what to install ..\n" "$os" >&2 + echo "checkout the __nextcloud/manifest to contribute a working package list" >&2 + exit 1 + ;; +esac + + +# Get the user and group +mode="$(cat "$__object/parameter/mode")" +user="$(cat "$__object/parameter/user")" +group="$(cat "$__object/parameter/group")" + +# Get the installation directory +installdir="/$__object_id" + +# Set permissions after the nextcloud installation/upgrade is done +# FIXME maybe less strict if some parameter is not given by the user? 
+# permissions also partily set via the gencode-remote +require="__nextcloud/$__object_id" __directory "$installdir" \ + --mode "$mode" --owner "$user" --group "$group" + + +# Get version information +version_is="$( cat "$__object/explorer/version" )" +version_should="$( cat "$__object/parameter/version" )" +# The version URI +nextcloud_uri="https://download.nextcloud.com/server/releases/nextcloud-${version_should}.tar.bz2" +nextcloud_sum="${nextcloud_uri}.sha256" + + +# Check if there is a current installation. It depends where the upstream +# tarball should be unpacked (directly or moved in a later stage). +if [ "$version_is" ]; then + # Only set and check the version if a upgrade is allowed. + # if this block will be skipped, no upgrade will be done + if ! [ -f "$__object/parameter/install-only" ]; then + # Block downgrades as there are may caused from the automatic upgrader + # if the current version is higher than the version that should be installed + if version_ge "$version_is" "$version_should"; then + # it's an error if the current version is higher than the one that should be installed + printf "The current nextcloud version '%s' is higher than the version that should be installed (%s)\n" \ + "$version_is" "$version_should" >&2 + printf "Please bump the nextcloud version to '%s' or higher!\n" "$version_is" >&2 + exit 2 + fi + + # Set destination to a temporary directory + destination="$(dirname "$installdir")/.$(basename "$installdir")" + fi +else + # Set destination to the real destination + destination="$installdir" +fi + +# Install/Upgrade the nextcloud version if there is a destination set. 
+# it checks if it is necessary and intended to upgrade +if [ "$destination" ] && [ "$version_is" != "$version_should" ]; then + # download it to the tmp directory + # FIXME --sum is currently rather a hack, see cdist#844 + __download "/tmp/nextcloud-${version_should}.tar.bz2" \ + --url "$nextcloud_uri" \ + --sum "sha256:$(curl -sS -L "$nextcloud_sum" | awk '{print $1}')" + + # after this, unpack it from /tmp to $destination + require="__download/tmp/nextcloud-${version_should}.tar.bz2" \ + __unpack "/tmp/nextcloud-${version_should}.tar.bz2" \ + --tar-strip 1 \ + --destination "$destination" +fi diff --git a/type/__nextcloud/map-conf-changes.sh b/type/__nextcloud/map-conf-changes.sh new file mode 100755 index 0000000..9b6ffe3 --- /dev/null +++ b/type/__nextcloud/map-conf-changes.sh 
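Review bot: The `--sum` value passed to `__download` is fetched at manifest time from the same host as the tarball, so it detects a corrupted transfer but not a tampered release: whoever can replace the archive can replace the `.sha256` file next to it. As far as I know upstream also publishes detached signatures for release tarballs; verifying one against a pinned key, or accepting an operator-pinned checksum as a parameter, would give a real integrity check. A failing `curl` inside the command substitution does not abort the script under `sh -e`, so the sum can end up as the bare string `sha256:`; check that the fetched value is non-empty before the `__download` call (what `__download` does with an empty sum is not visible here). The target `/tmp/nextcloud-${version_should}.tar.bz2` is a predictable name in a world-writable directory, and a root-only directory would be a safer staging place.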
@@ -0,0 +1,316 @@ +#!/bin/sh -e +# __nextcloud/map-conf-changes.sh + + +# The environment variable "$install" should be set if nextcloud was installed +# now. This changes the behaviour to not trust gathered values from the +# explorer. + + +# Print the value of the given configuration. +# +# Arguments: +# 1: the nextcloud configuration name +# +# Returns with a unsuccessful return code if no parameter found. +getparam() { + awk -v FS=" = " -v name="$1" ' + function ntostring(n) { ret=""; for(i=n; i<=NF; i++) ret=ret $i (i&2 + exit 4 + fi + + if paramexist "$2"; then + # remove it because it exists + printf "php occ config:system:delete '%s'\n" "$2" + fi + fi +} + +# Set's the cdist parameter value to nextcloud as specific value. +# +# Arguments: +# 1: cdist type parameter name +# 2: nextcloud config name +# 3: conditional mandatory of this parameter; value "required" if true +# 4: default value; will be used if parameter is absent +conf_string() { + conf_base "$1" "$2" "$3" "set '%s' --type=string --value='%s'" "$4" +} +conf_number() { + conf_base "$1" "$2" "$3" "set '%s' --type=integer --value='%s'" "$4" +} +conf_decimal() { + conf_base "$1" "$2" "$3" "set '%s' --type=double --value='%s'" "$4" +} + +# Sets the nextcloud configuration option after a boolean cdist parameter. +# +# Arguments: +# 1: cdist type parameter name +# 2: nextcloud config name +conf_boolean() { + # map parameter to a php boolean (are outputted as 0 or 1) + if [ -f "$__object/parameter/$1" ]; then + testval="1" + value="true" + else + testval="0" + value="false" + fi + + if ! testparam "$2" "$testval"; then + # set it if does not already exist + printf "php occ config:system:set '%s' --type=boolean --value=%s\n" "$2" "$value" + fi +} + +# Corrects the array after all values given by the parameter. Values not given +# to this type will be removed. 
+# +# Arguments: +# 1: cdist type parameter name +# 2: nextcloud config name +# 3: conditional mandatory of this parameter; value "required" if true +# FIXME currently no default value due to complexity of arrays +conf_array() { + if [ -f "$__object/parameter/$1" ]; then + # reset array if installation is fresh + if [ "$install" ]; then + # just remove everything, because we don't know it + printf "php occ config:system:delete '%s' || true\n" "$2" + + # counter is zero for sure + counter=0 + + # else, default behaviour of the array + else + # save counter of the next free index + # shellcheck disable=SC1004 # the \ is required for awk + counter=$( awk -v FS=" = " -v name="$2" ' + BEGIN { counter = 0 } + split($1, header, "|") == 2 && header[1] ~ /^[[:digit:]]+$/ && header[2] == name \ + { if(counter < header[1]) counter = header[1] } + END { print counter + 1 } + ' "$__object/explorer/config" + ) + + # create a file which contains all lines not already resolved by this function + _dir="$__object/files/conf-arrays" + mkdir -p "$_dir" + grep "^[[:digit:]]*|$2 = " "$__object/explorer/config" > "$_dir/$2" || true # ignore not found + fi + + # iterate through every value + while read -r value; do + # check every value if he exists + if ! 
grep -q "^[[:digit:]]*|$2 = $value$" "$__object/explorer/config"; then + # add this value + printf "php occ config:system:set '%s' '%s' --type=string --value='%s'\n" \ + "$2" "$(( counter ))" "$value" + counter=$(( counter + 1 )) + fi + + if [ -z "$install" ]; then + # removes it from the list of unhandled values + grep -v "^[[:digit:]]*|$2 = $value$" "$_dir/$2" > "$_dir/$2_tmp" || true # ignore not found + mv "$_dir/$2_tmp" "$_dir/$2" # because we can't do `cat foo > foo` + fi + done < "$__object/parameter/$1" + + if [ -z "$install" ]; then + # interate through the leftover values + # remove them, as they should not exist (at least can be) + # + # shellcheck disable=SC2034 # $equal left for readability + while read -r start equal value; do + # remove those specific elements from the array + printf "php occ config:system:delete '%s' '%s' --error-if-not-exists\n" \ + "$2" "$( printf "%s" "$start" | awk -F'|' '{print $1}' )" + done < "$_dir/$2" + fi + else + if [ "$3" = "required" ]; then + # error because the parameter should be set + printf "Parameter '%s' not set by user, but required!\n" "$1" >&2 + exit 4 + fi + + # remove everything because we don't know which was set by the user + if paramexist "$2"; then + # remove the whole array + printf "php occ config:system:delete '%s'\n" "$2" + fi + fi +} + +# Migrate the database to a new database type +# +# Arguments: +# 1: the database type to convert to +migrate_db() { + # from argument + database_type="$1" + + # hostname, database, username and password + database_host="$(cat "$__object/parameter/database-host" 2>/dev/null || printf "localhost")" + database_name="$(cat "$__object/parameter/database-name")" + database_user="$(cat "$__object/parameter/database-user")" + database_pass="$(cat "$__object/parameter/database-password")" + + # Extract the port from the host + # this is required for pgsql, but mysql can do it itself, too + if printf "%s" "$database_host" | grep -q ":[[:digit:]]\+$"; then + # extract the last 
part, which is the port number + database_port="${database_host##*:}" + else + # set default port because the tool can not do this for pgsql + # it looks like mysql get struggles, too + case "$database_type" in + mysql) + database_port=3306 + ;; + pgsql) + database_port=5432 + ;; + esac + + # Correct this value to the value set by the parameter + # this will prevent codegen in the run after the migration + correct_standard_port="yes" + fi + + # print out the correct command + printf "php occ db:convert-type --no-interaction --no-ansi --clear-schema --all-apps \ + '%s' '%s' --password '%s' '%s' --port '%u' '%s'\n" \ + "$database_type" "$database_user" "$database_pass" "$database_host" "$database_port" "$database_name" + printf "php occ maintenance:mode --on\n" # was disabled by database convertion + + # Correct the database host value if it was not correctly set by the migration script + if [ "$correct_standard_port" = "yes" ]; then + printf "php occ config:system:set '%s' --type=string --value '%s'\n" "dbhost" "$database_host" + fi +} + + +# Set the install variable if nextcloud was not installed before this type. +if ! testparam installed 1; then + install="yes" +fi + + +# Map all parameters + +# Generate the config changes + +# misc +conf_array host trusted_domains + +# If already set via the installer, we don't need to do this +# set default values from the nextcloud installer to do not override them +if [ -z "$install" ]; then + # Database to check if the type changed + # use the current type if no old type found to match instead of migrate + database_type="$(cat "$__object/parameter/database-type")" + old_db_type="$(getparam dbtype || printf "%s" "$database_type")" + + case "$database_type" in + sqlite3) + if [ "$old_db_type" != "sqlite3" ]; then + echo "Migrating to a SQLite database is not supported by upstream!" >&2 + echo "Do it manually or reinstall nextcloud .." 
>&2 + exit 1 + fi + conf_string database-type dbtype + ;; + + mysql|pgsql) + if [ "$old_db_type" != "$database_type" ]; then + # the migration will change all database parameters itself + migrate_db "$database_type" + else + # no change of dbtype cause it will cause a migration + conf_string database-host dbhost installdef "localhost" + conf_string database-name dbname required + conf_string database-user dbuser required + conf_string database-password dbpassword required + fi + + # It may not be a good idea to change this parameter, but do what + # the user want to do. + conf_string database-prefix dbtableprefix + ;; + + *) + printf "Databasetype '%s' is unkown!\n" "$database_type" >&2 + exit 3 + ;; + esac + + # data-dir is handled in the gencode-remote + #conf_string data-directory datadirectory installdef "/$__object_id/data" +fi diff --git a/type/__nextcloud/parameter/boolean b/type/__nextcloud/parameter/boolean new file mode 100644 index 0000000..0853f49 --- /dev/null +++ b/type/__nextcloud/parameter/boolean @@ -0,0 +1 @@ +install-only diff --git a/type/__nextcloud/parameter/default/database-type b/type/__nextcloud/parameter/default/database-type new file mode 100644 index 0000000..8b2f60c --- /dev/null +++ b/type/__nextcloud/parameter/default/database-type @@ -0,0 +1 @@ +sqlite3 diff --git a/type/__nextcloud/parameter/default/group b/type/__nextcloud/parameter/default/group new file mode 100644 index 0000000..5bbad18 --- /dev/null +++ b/type/__nextcloud/parameter/default/group @@ -0,0 +1 @@ +www-data diff --git a/type/__nextcloud/parameter/default/mode b/type/__nextcloud/parameter/default/mode new file mode 100644 index 0000000..20610ea --- /dev/null +++ b/type/__nextcloud/parameter/default/mode @@ -0,0 +1 @@ +755 diff --git a/type/__nextcloud/parameter/default/user b/type/__nextcloud/parameter/default/user new file mode 100644 index 0000000..5bbad18 --- /dev/null +++ b/type/__nextcloud/parameter/default/user @@ -0,0 +1 @@ +www-data 
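Review bot: In `conf_array`, `grep -q "^[[:digit:]]*|$2 = $value$"` and the matching `grep -v` treat the configured host as a regular expression, so each `.` in a hostname matches any character. For `trusted_domains` this means an entry already in the config that differs from the parameter only where the parameter has a dot is taken for the requested host: the requested one is not added, and the other entry is dropped from the leftover list and therefore never deleted. Compare as strings instead, e.g. `awk -v FS=" = " -v name="$2" -v val="$value" 'split($1,h,"|")==2 && h[2]==name && $2==val {f=1} END {exit !f}' "$__object/explorer/config"`, and build the leftover list with the same comparison. Parts of this hunk are missing from the page, so helpers such as `testparam` and `conf_base` could not be checked for the same pattern.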
diff --git a/type/__nextcloud/parameter/optional b/type/__nextcloud/parameter/optional
new file mode 100644
index 0000000..b51ef3d
--- /dev/null
+++ b/type/__nextcloud/parameter/optional
@@ -0,0 +1,12 @@
+mode
+user
+group
+database-type
+database-host
+database-name
+database-user
+database-password
+database-prefix
+admin-user
+admin-email
+data-directory
diff --git a/type/__nextcloud/parameter/optional_multiple b/type/__nextcloud/parameter/optional_multiple
new file mode 100644
index 0000000..c70dc2d
--- /dev/null
+++ b/type/__nextcloud/parameter/optional_multiple
@@ -0,0 +1 @@
+host
diff --git a/type/__nextcloud/parameter/required b/type/__nextcloud/parameter/required
new file mode 100644
index 0000000..3e83467
--- /dev/null
+++ b/type/__nextcloud/parameter/required
@@ -0,0 +1,2 @@
+version
+admin-password
diff --git a/type/__nextcloud_app/explorer/state b/type/__nextcloud_app/explorer/state
new file mode 100755
index 0000000..d7572ce
--- /dev/null
+++ b/type/__nextcloud_app/explorer/state
@@ -0,0 +1,38 @@ +#!/bin/sh -e +# __nextcloud_app/explorer/state + +# Outputs the current state of the app. There are: +# - `enabled` if the app is enabled +# - `disabled` if the app is disabled +# - `absent` if the app does not exist +# - nothing if nextcloud is not installed + + +# Get the app id +appid="$__object/parameter/appid" +if [ -f "$appid" ]; then + appid="$(cat "$appid")" +else + appid="$__object_id" +fi + +# Get the installation directory +cloud="$(cat "$__object/parameter/cloud")" +www_user="$(cat "$__object/parameter/www-user")" + + +# Check if the installation directory exists +if [ -d "$cloud" ]; then + # if those files exist, everything should be fine + if [ -f "$cloud/occ" ] && [ -f "$cloud/config/config.php" ]; then + # Check if the app exists in the correct user context + su -s /bin/sh -l "$www_user" -- -e <&2 + echo "Use the type __nextcloud to ensure the installation and mark it as dependency for this type!" >&2 + exit 2 +fi + + +# Check if the state changes +if [ "$state_is" != "$state_should" ]; then + # check what to do + case "$state_should" in + enabled) + if [ "$state_is" = "disabled" ]; then + occ app:enable "'$appid'" + echo enabled >> "$__messages_out" + else + occ app:install "'$appid'" + echo installed >> "$__messages_out" + fi + ;; + + disabled) + if [ "$state_is" = "absent" ]; then + occ app:install --keep-disabled "'$appid'" + echo installed >> "$__messages_out" + else + occ app:disable "'$appid'" + echo disabled >> "$__messages_out" + fi + ;; + + present) + if [ "$state_is" = "absent" ]; then + occ app:install "'$appid'" + echo installed >> "$__messages_out" + fi + # else, everything is ok + ;; + + absent) + occ app:remove "'$appid'" + echo removed >> "$__messages_out" + ;; + esac +fi diff --git a/type/__nextcloud_app/man.rst b/type/__nextcloud_app/man.rst new file mode 100644 index 0000000..9074b03 --- /dev/null +++ b/type/__nextcloud_app/man.rst 
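Review bot: The `case "$state_should"` block in the code-generating part handles `enabled`, `disabled`, `present` and `absent` but has no `*)` branch, so an unrecognised `--state` value generates no code and reports no error. The database-type switch of the `__nextcloud` type ends with a `*)` that prints to stderr and exits non-zero; doing the same here would surface typos, e.g. `*) printf "Unknown state '%s'\n" "$state_should" >&2; exit 1 ;;`. Part of this text is missing from the rendering (the here-document in explorer/state and the start of the script that follows it), so the value may already be validated in lines that are not shown.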
@@ -0,0 +1,138 @@
+cdist-type__nextcloud_app(7)
+============================
+
+NAME
+----
+cdist-type__nextcloud_app - Managese a Nextcloud app installation
+
+
+DESCRIPTION
+-----------
+This types manages an app for a Nextcloud installation. For now, you can only
+(un-)install or enable/disable an app.
+
+The object id is the appid of the app which will be managed by this type. It
+will be overwritten by the parameter `--appid`. See this parameter for more
+information about the appid.
+
+
+REQUIRED PARAMETERS
+-------------------
+cloud
+ The absolute path of the Nextcloud installation.
+
+
+OPTIONAL PARAMETERS
+-------------------
+state
+ The state of the app. Can be the following:
+
+ present *(default)*
+ The app is installed.
+
+ enabled
+ The app is installed and enabled.
+
+ disabled
+ The app is installed, but disabled.
+
+ absent
+ The app is not installed.
+
+appid
+ The appid is the uniquie identifier for an app in the Nextcloud app store.
+ It is required to know which app should be installed, which is expressed
+ via the appid. Apps who are shipped by the installation can not be removed.
+ Doing this will throw an error at exeuction time.
+
+ To find the appid, you must select the app in the Nextcloud app menu or on
+ the app page in the Nextcloud app store. Then, examine the URL and use the
+ lastest part (e.g. "the filename") as appid.
+
+www-user
+ The unix user which will be used to execute Nextcloud related stuff. You
+ should always use the same user for all Nextcloud interactions, for the
+ webserver and cli execution. As default, `www-data` will be used.
+
+
+MESSAGES
+--------
+installed
+ The app was installed.
+
+enabled
+ The app is already installed and was enabled.
+
+disabled
+ The app is already installed and was disabled.
+
+removed
+ The app was removed.
+
+
+EXAMPLES
+--------
+
+..
code-block:: sh
+
+ # Nextcloud base installation
+ __nextcloud /var/www/html/cloud $args
+
+ # install the music app
+ require="__nextcloud/var/www/html/cloud" __nextcloud_app music \
+ --cloud /var/www/html/cloud/ --state enabled
+
+ # enable a shipped app (already installed)
+ require="__nextcloud/var/www/html/cloud" __nextcloud_app files_external \
+ --cloud /var/www/html/cloud/ --state enabled
+
+ # remove some app
+ require="__nextcloud/var/www/html/cloud" __nextcloud_app drawio \
+ --cloud /var/www/html/cloud/ --state absent
+
+
+ # Different cloud
+ __nextcloud /var/www/html/nextcloud $args
+ # but same app name
+ require="__nextcloud/var/www/html/nextcloud" __nextcloud_user next_music \
+ --cloud /var/www/html/nextcloud/ --appid music
+
+
+NOTES
+-----
+Currently, it manages just if the app is installed and enabled. Further
+implementation is possible, but not done yet. This contains the management of
+the app settings (via ``occ config:app:*``) and further finetuning to the
+possibilities of installation and enablement (force-enable an app or restrict
+enablement only to some groups).
+
+Special app settings could also be written as a new type which completly
+handles this one app with all configuration options.
+
+Upgrading an Nextcloud app may be possible, but not the scope of this type.
+Also, the upgrade can not be done to a given version, which results that this
+type will loose the control over the state of the app. Installing the app
+manually or hooking into the Nextcloud code is too unsafe and complex, in
+addition it will be used rarely. Most admins would propably just update the app
+via the web interface.
+
+
+SEE ALSO
+--------
+`Nextcloud app store `_
+
+:strong:`cdist-type__nextcloud`\ (7)
+:strong:`cdist-type__nextcloud_user`\ (7)
+
+
+AUTHORS
+-------
+Matthias Stecher
+
+
+COPYING
+-------
+Copyright \(C) 2020 Matthias Stecher.
+You can redistribute it and/or modify it under the terms of the GNU
+General Public License as published by the Free Software Foundation,
+either version 3 of the License, or (at your option) any later version.
diff --git a/type/__nextcloud_app/parameter/default/state b/type/__nextcloud_app/parameter/default/state
new file mode 100644
index 0000000..e7f6134
--- /dev/null
+++ b/type/__nextcloud_app/parameter/default/state
@@ -0,0 +1 @@
+present
diff --git a/type/__nextcloud_app/parameter/default/www-user b/type/__nextcloud_app/parameter/default/www-user
new file mode 100644
index 0000000..5bbad18
--- /dev/null
+++ b/type/__nextcloud_app/parameter/default/www-user
@@ -0,0 +1 @@
+www-data
diff --git a/type/__nextcloud_app/parameter/optional b/type/__nextcloud_app/parameter/optional
new file mode 100644
index 0000000..0f2a3eb
--- /dev/null
+++ b/type/__nextcloud_app/parameter/optional
@@ -0,0 +1,3 @@
+state
+appid
+www-user
diff --git a/type/__nextcloud_app/parameter/required b/type/__nextcloud_app/parameter/required
new file mode 100644
index 0000000..c3de202
--- /dev/null
+++ b/type/__nextcloud_app/parameter/required
@@ -0,0 +1 @@
+cloud
diff --git a/type/__nextcloud_user/explorer/password b/type/__nextcloud_user/explorer/password
new file mode 100755
index 0000000..88260ec
--- /dev/null
+++ b/type/__nextcloud_user/explorer/password
@@ -0,0 +1,49 @@ +#!/bin/sh +# __nextcloud/explorer/password + +# Checks if the given password is working by hacking somehow into the nextcloud +# php libary. +# +# Outputs: +# - "noop" if no password given as parameter +# - "matched" if the given parameter matched the password +# - "mismatched" if the given parameter did not matched +# - "" if no nextcloud directory could be detected + + +# Check if the password exists, else this is nonsense +password="$__object/parameter/password" +if [ -f "$password" ]; then + password="$(cat "$password")" +else + # no password to compare - it's managed by someone other + echo noop + exit +fi + +# Get parameters +user="$__object/parameter/user" +if [ -f "$user" ]; then + user="$(cat "$user")" +else + user="$__object_id" +fi +cloud="$(cat "$__object/parameter/cloud")" +www_user="$(cat "$__object/parameter/www-user")" + + + +# Check if there exists the installation +if [ -d "$cloud" ]; then + # if those files exist, everything should be good + if [ -f "$cloud/occ" ] && [ -f "$cloud/config/config.php" ]; then + # Output the information from the custom php + # change the user to be on the safe side if something is written + su -s /bin/sh -l "$www_user" -- -e <getUserSession()->getManager()->checkPasswordNoLogging("$user", getenv("pw")) ? "matched" : "mismatched");' +SU + fi +fi diff --git a/type/__nextcloud_user/explorer/user b/type/__nextcloud_user/explorer/user new file mode 100755 index 0000000..face683 --- /dev/null +++ b/type/__nextcloud_user/explorer/user 
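Review bot: `$user` is spliced into the PHP source as a string literal in `checkPasswordNoLogging("$user", getenv("pw"))`, while the password is read from the environment; a user id containing a quote or backslash would change the PHP that runs as `$www_user`. Passing the user id the same way as the password removes the quoting problem, e.g. `checkPasswordNoLogging(getenv("nc_user"), getenv("pw"))` with `nc_user` exported next to `pw` (the variable name is only a suggestion, and the lines that set `pw` are not visible in this rendering). The same unescaped splicing appears in explorer/user (`userExists("$user")`, `user:info '$user'`) and in gencode-remote (`setDisplayName("$displayname")` and the `"'$user'"`, `"'$email'"`, `"'$GROUP'"` arguments that `occ()` expands through `$@` into the generated here-document), where the script's own comment already mentions the injection risk.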
@@ -0,0 +1,45 @@ +#!/bin/sh -e +# __nextcloud_user/explorer/user + +# Outputs the raw nextcloud command output of the given user. +# +# The output is extended by the following fields (in the same syntax): +# 1. quota_param which outputs the real quota value instead of resolved values + + +# Parameters +user="$__object/parameter/user" +if [ -f "$user" ]; then + user="$(cat "$user")" +else + user="$__object_id" +fi +cloud="$(cat "$__object/parameter/cloud")" +www_user="$(cat "$__object/parameter/www-user")" + + +# Check if there exists the installation +if [ -d "$cloud" ]; then + # if those files exist, everything should be good + if [ -f "$cloud/occ" ] && [ -f "$cloud/config/config.php" ]; then + # Content could be gathered through php code directly, too. This can + # be done if more parameters are required than user:info will output + # or if there will be too much fuzz in the output. + + # Output the information of the user + # type will abort if explorer is empty, not if occ aborts + su -s /bin/sh -l "$www_user" -- -e <getUserSession()->getManager()->userExists("$user") ? 0 : 1);' +then + php occ --no-warnings --no-interaction --no-ansi --output=plain user:info '$user' + # also output the quota parameter + printf " - quota_param: %s\n" \ + "\$(php occ --no-warnings --no-interaction --no-ansi user:setting '$user' files quota)" +fi +SU + fi +fi diff --git a/type/__nextcloud_user/gencode-remote b/type/__nextcloud_user/gencode-remote new file mode 100755 index 0000000..c76f74e --- /dev/null +++ b/type/__nextcloud_user/gencode-remote 
@@ -0,0 +1,249 @@ +#!/bin/sh -e +# __nextcloud_user/gencode-remote + + +# Call the nextcloud occ script as the designed user. Maybe this can be a bit +# more effictive with user switching, but currently the easiest way of doing +# it. +# +# All arguments are directly passed to occ (injection alarm ;-) ) +occ() { + # su creates a new shell, so it does not affect the current session + # will not use -q as it supresses errors, too + cat << SHELL +su -s /bin/sh -l "$www_user" -- -e <<'SU' +cd '$cloud' && php occ --no-warnings --no-interaction --no-ansi $@ +SU +SHELL +} + +# Creates the output for the nextcloud command to create a user. Takes all +# required parameters from existing variables. +occ_create() { + cat <> "$__messages_out" + else + occ_create + echo created >> "$__messages_out" + fi + ;; + + disabled) + if [ "$state_is" = "absent" ]; then + occ_create + echo created >> "$__messages_out" + fi + + occ user:disable "'$user'" + echo disabled >> "$__messages_out" + ;; + + present) + if [ "$state_is" = "absent" ]; then + occ_create + echo created >> "$__messages_out" + fi + # else, everything is ok + ;; + + absent) + occ user:delete "'$user'" + echo removed >> "$__messages_out" + ;; + esac +fi + +# Check if the user should not be modified further from the initial setup. +if [ -f "$__object/parameter/only-setup" ]; then + ignore_config="yes" +fi + + +# Check if some user configuration should be changed +# do not run this code if the user will be created in the previous code +if [ "$state_should" != "absent" ] && [ "$ignore_config" != "yes" ]; then + if ! [ -f "$__object/parameter/keep-displayname" ]; then + # Check if the display name is correct if someone is set + if [ -f "$__object/parameter/displayname" ]; then + displayname="$(cat "$__object/parameter/displayname")" + if ! match_param display_name "$displayname"; then + cat <getUserSession()->getManager()->get("$user")->setDisplayName("$displayname") + or print("Couldn'\''t modify $user display name! 
Maybe unsupported or already set ..".PHP_EOL) + and die(1);' +SU +SHELL + fi + fi + # the display name can not be unset + fi + + if ! [ -f "$__object/paramter/keep-email" ]; then + # Check if the email address is correct + if [ -f "$__object/parameter/email" ]; then + email="$(cat "$__object/parameter/email")" + if ! match_param email "$email"; then + occ user:setting -- "'$user'" settings email "'$email'" + fi + else + # remove if it doesn't exist + if ! match_param email ""; then + occ user:setting --delete -- "'$user'" settings email + fi + fi + fi + + if ! [ -f "$__object/parameter/keep-password" ]; then + # Check state of the password + # explorer handles missing passwords already + if [ "$(cat "$__object/explorer/password")" = "mismatched" ]; then + cat < "$__object/files/explorer_groups" + + # Add/Remove groups not set via the parameter + if [ -s "$__object/parameter/group" ]; then + # Get all groups to remove + grep -Fxv -f "$__object/parameter/group" \ + "$__object/files/explorer_groups" > "$__object/files/group.del" || true + # Get all groups to add + grep -Fxv -f "$__object/files/explorer_groups" \ + "$__object/parameter/group" > "$__object/files/group.add" || true + + # No user groups at all if nothing wanted by the user + else + # remove all groups to stay inline with the user parameter + cp "$__object/files/explorer_groups" "$__object/files/group.del" + fi + + # Remove all groups not exist anymore + if [ -s "$__object/files/group.del" ]; then + while read -r GROUP; do + occ group:removeuser "'$GROUP'" "'$user'" + done < "$__object/files/group.del" + fi + + # Add all existing groups + if [ -s "$__object/files/group.add" ]; then + while read -r GROUP; do + occ group:adduser "'$GROUP'" "'$user'" + done < "$__object/files/group.add" + fi + fi + + + # These parameters are only set if they exist + # ... +fi diff --git a/type/__nextcloud_user/man.rst b/type/__nextcloud_user/man.rst new file mode 100644 index 0000000..200769f --- /dev/null 
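Review bot: The email guard tests `"$__object/paramter/keep-email"` (misspelled `parameter`), so the `-f` check can never succeed and `--keep-email` has no effect. Because the `else` branch below it emits `occ user:setting --delete -- "'$user'" settings email` when no `--email` is given and the current value is not empty, an address the user set themselves can be removed although the man page says it is kept. The line should read `if ! [ -f "$__object/parameter/keep-email" ]; then`, matching the `keep-displayname` and `keep-password` checks in the same hunk.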
+++ b/type/__nextcloud_user/man.rst 
@@ -0,0 +1,215 @@
+cdist-type__nextcloud_user(7)
+=============================
+
+NAME
+----
+cdist-type__nextcloud_user - Setup a Nextcloud user
+
+
+DESCRIPTION
+-----------
+It manages a single Nextcloud user given by the object id or parameter `--user`.
+This type can create and manage most properties of the Nextcloud user. If you
+only want to setup the user, but want that the user will take full control over
+all settings (so cdist will not touch the user anymore), use the parameter
+`--only-setup` or `--keep-*` for special parameters.
+
+
+REQUIRED PARAMETERS
+-------------------
+cloud
+ The absolute path of the Nextcloud installation.
+
+
+OPTIONAL PARAMETERS
+-------------------
+state
+ The state the user should be in. Can be the following:
+
+ present *(default)*
+ The user exists.
+
+ enabled
+ The user exists and is enabled.
+
+ disabled
+ The user exists and is disabled.
+
+ absent
+ The user does not exist.
+
+user
+ Takes the uid of the Nextcloud user which will be handled by this type. If
+ this is not set, the object id will be taken instead.
+
+www-user
+ The unix user which will be used to execute Nextcloud related stuff. You
+ should always use the same user for all Nextcloud interactions, for the
+ webserver and cli execution. As default, `www-data` will be used.
+
+displayname
+ The display name the user should have. As the display name can not be unset
+ or set to empty, this type will ignore the display name if this parameter
+ is not set. Setting the parameter to an empty string leads to an error from
+ the Nextcloud side.
+
+email
+ The email address of the Nextcloud user. Will be unset if no parameter
+ given.
+
+password
+ The password of the Nextcloud user. If the password not match, the new
+ password will be set to the user. If no password is given, it will not
+ touch the current password.
 **A password is required for the user setup!**
+ If you do not want to modify the user password, set a password via this
+ parameter and set the parameter `--keep-password`.
+
+ Note that Nextcloud will check for the security of passwords. The type
+ will abort if Nextcloud refuses that password!
+
+quota
+ The quota the Nextcloud user have to store it data. Defaults to `default`.
+ Following values are accepted by Nextcloud:
+
+ default
+ Uses the quota set as default in Nextcloud.
+
+ none
+ No quota limit set; unlimited.
+
+ $size
+ The quota that should be used. Same values as set over the user
+ interface. First the number, then a space and then the unit like `GB`.
+
+group
+ Multiple group names which the Nextcloud user belongs to. If not set, the
+ user will be removed from every group he is in.
+
+
+BOOLEAN PARAMETERS
+------------------
+only-setup
+ Only provisioning the user if he does not exist. Do not touch the user if
+ he already exists (except to enforce the given state).
+
+keep-displayname
+ Do not touch the display name of the user if he is already set up. This
+ will avoid to delete the user-set value because it does not match with the
+ predefined state. If the parameter `--displayname` is set despite of this
+ parameter, it will only be used in the user setup if he does not already
+ exist.
+
+keep-email
+ Do not touch the email attributes of the user if he is already set up. This
+ will avoid to delete the user-set value because it does not match with the
+ predefined state. If the parameter `--email` is set despite of this
+ parameter, it will only be used in the user setup if he does not already
+ exist.
+
+keep-password
+ Do not touch the password if the user is already set up. This will avoid to
+ delete user-set passwords because they do not match with the predefined
+ state. If the parameter `--password` is set despite of this parameter, it
+ will only be used in the user setup if he does not already exists.
+
+keep-quota
+ Do not touch the user quota if he is already set up. This will avoid to
+ delete the configuration set by an administrator. If the parameter `--quota`
+ is set despite of this parameter, it will only be used in the user setup if
+ he does not already exist.
+
+keep-groups
+ Do not touch the user groups if the user is already set up. This will avoid
+ to delete group assosiactions not defined via cdist. If the parameter
+ `--group` is set despite of this parameter, it will only be used in the user
+ setup if he does not already exists.
+
+
+MESSAGES
+--------
+created
+ The user as created.
+
+enabled
+ The user already exists and was enabled.
+
+disabled
+ The user already exists and was disabled.
+
+removed
+ The user was removed.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+ # Nextcloud base installation
+ __nextcloud /var/www/html/cloud $args
+
+ # setups an user, but do not touch it after it was created
+ require="__nextcloud/var/www/html/cloud" __nextcloud_user foo \
+ --cloud /var/www/html/cloud/ \
+ --displayname "Big Fooo" \
+ --email "foo@bar.tld" \
+ --password "do-not-use-this-password" \
+ --group "team_a" --group "xxxx" \
+ --quota "2 GB"
+ --only-setup
+
+ # manages an admin user fully controlled by cdist
+ require="__nextcloud/var/www/html/cloud" __nextcloud_user bar \
+ --cloud /var/www/html/cloud/ \
+ --displayname "Bar" \
+ --email "bar@bar.tld" \
+ --password "nope_insecure" \
+ --group "admin"
+
+ # disables an user
+ require="__nextcloud/var/www/html/cloud" __nextcloud_user bb \
+ --state disabled \
+ --cloud /var/www/html/cloud/ \
+ --displayname "byebye" \
+ --password "do_not_copy" \
+ --keep-email --keep-password --keep-quota --keep-groups
+
+ # removes an user
+ require="__nextcloud/var/www/html/cloud" __nextcloud_user foobar \
+ --state absent \
+ --cloud /var/www/html/cloud/
+
+
+ # Different cloud
+ __nextcloud /var/www/html/nextcloud $args
+ # but same user name
+ require="__nextcloud/var/www/html/nextcloud"
 __nextcloud_user next_foobar \
+ --cloud /var/www/html/nextcloud/ --user foobar
+
+
+NOTES
+-----
+This type may be extended by more user settings. If you think some
+configuration is missing, you are welcome to contribute!
+
+Sometimes, this type uses custom php code to hack into Nextcloud to gather some
+information not possible to get via the `occ` command or even set a value.
+
+
+SEE ALSO
+--------
+:strong:`cdist-type__nextcloud`\ (7)
+:strong:`cdist-type__nextcloud_app`\ (7)
+
+
+AUTHORS
+-------
+Matthias Stecher
+
+
+COPYING
+-------
+Copyright \(C) 2020 Matthias Stecher.
+You can redistribute it and/or modify it under the terms of the GNU
+General Public License as published by the Free Software Foundation,
+either version 3 of the License, or (at your option) any later version.
diff --git a/type/__nextcloud_user/parameter/boolean b/type/__nextcloud_user/parameter/boolean
new file mode 100644
index 0000000..cf0a40a
--- /dev/null
+++ b/type/__nextcloud_user/parameter/boolean
@@ -0,0 +1,6 @@
+only-setup
+keep-displayname
+keep-email
+keep-password
+keep-quota
+keep-groups
diff --git a/type/__nextcloud_user/parameter/default/quota b/type/__nextcloud_user/parameter/default/quota
new file mode 100644
index 0000000..4ad96d5
--- /dev/null
+++ b/type/__nextcloud_user/parameter/default/quota
@@ -0,0 +1 @@
+default
diff --git a/type/__nextcloud_user/parameter/default/state b/type/__nextcloud_user/parameter/default/state
new file mode 100644
index 0000000..e7f6134
--- /dev/null
+++ b/type/__nextcloud_user/parameter/default/state
@@ -0,0 +1 @@
+present
diff --git a/type/__nextcloud_user/parameter/default/www-user b/type/__nextcloud_user/parameter/default/www-user
new file mode 100644
index 0000000..5bbad18
--- /dev/null
+++ b/type/__nextcloud_user/parameter/default/www-user
@@ -0,0 +1 @@
+www-data
diff --git a/type/__nextcloud_user/parameter/optional b/type/__nextcloud_user/parameter/optional
new file mode 100644
index 0000000..aaf31d0
--- /dev/null
+++ b/type/__nextcloud_user/parameter/optional
@@ -0,0 +1,7 @@
+user
+www-user
+state
+displayname
+email
+password
+quota
diff --git a/type/__nextcloud_user/parameter/optional_multiple b/type/__nextcloud_user/parameter/optional_multiple
new file mode 100644
index 0000000..3a60cce
--- /dev/null
+++ b/type/__nextcloud_user/parameter/optional_multiple
@@ -0,0 +1 @@
+group
diff --git a/type/__nextcloud_user/parameter/required b/type/__nextcloud_user/parameter/required
new file mode 100644
index 0000000..c3de202
--- /dev/null
+++ b/type/__nextcloud_user/parameter/required
@@ -0,0 +1 @@
+cloud