diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2e694eda383e4d162cc83aa15eb79af91ded64c..df176292a4e563c82ec52650b120b2ee31ff4907 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased
+
+* Set `trusted_domains` setting explicitly in our config.
+
 ## [0.15.5] - 2022-11-09
 
 * Update nextcloud helm chart to 3.3.3.
diff --git a/templates/nextcloud-onlyoffice-config.yaml b/templates/nextcloud-onlyoffice-config.yaml
index 6b0c4bc564b6ad03c3564aa3b32b099753e2ea40..6b4aaa1e3306cb127861071ef252ad208826501a 100644
--- a/templates/nextcloud-onlyoffice-config.yaml
+++ b/templates/nextcloud-onlyoffice-config.yaml
@@ -172,6 +172,10 @@ data:
   #   to be trusted. 10.42.0.0/16 contains all ip addresses that are
   #   assigned to kubernetes pods, which includes the ip address of
   #   the ingress controller that functions as a reverse proxy.
+  # system.trusted_domains is actually also set by the nextcloud docker
+  #   entrypoint script from the `NEXTCLOUD_TRUSTED_DOMAINS` env var which we
+  #   also set, but that fails sometimes for unknown reasons, so we also set it
+  #   here.
   # system.overwriteprotocol overwrites the protocol of links that are
   #   generated by nextcloud to HTTPS.
   # apps.core.backgroundjobs_mode set to cron disables the unreliable ajax
@@ -182,6 +186,7 @@ data:
     {
         "system":{
             "trusted_proxies": ["10.42.0.0/16"],
+            "trusted_domains": ["localhost", {{ .Values.nextcloud.nextcloud.host | quote }}],
             "overwriteprotocol": "https",
             "appstoreenabled": false,
             "debug": {{ .Values.nextcloud.debug | quote }}