diff --git a/ansible/group_vars/cluster/settings.yml.example b/ansible/group_vars/cluster/settings.yml.example
index 57a25f34147678165e19065e1780293632443221..f2133a3e3beca97fef9d5339f216bd2b633c7469 100644
--- a/ansible/group_vars/cluster/settings.yml.example
+++ b/ansible/group_vars/cluster/settings.yml.example
@@ -12,6 +12,9 @@ release_name: "test"
 # generated and stored in ./secrets/keycloak_admin_password. You can also choose
 # your own password and fill it in here instead.
 keycloak_password: "{{ lookup('password', './secrets/keycloak_admin_password') }}"
+# Nextcloud administrator password. Works the same as keycloak password, except
+# it is stored in `secrets/nextcloud_admin_password`.
+nextcloud_password: "{{ lookup('password', './secrets/nextcloud_admin_password') }}"
 # If this is "true" TLS certificates will be requested at the Let's Encrypt
 # staging server. If this is "false", you use Let's Encrypt's production server.
 # Note that LE's production server has stricter rate limits, so set this to
diff --git a/ansible/roles/setup/tasks/main.yml b/ansible/roles/setup/tasks/main.yml
index 8957cb7b82a67199add9032ae222e7027c48d1fa..57b1c70de81928e23a44d4fda436abdf22531ba4 100644
--- a/ansible/roles/setup/tasks/main.yml
+++ b/ansible/roles/setup/tasks/main.yml
@@ -152,4 +152,5 @@
     - keycloak
   environment:
     - KEYCLOAK_PASSWORD: "{{ keycloak_password }}"
+    - NEXTCLOUD_PASSWORD: "{{ nextcloud_password }}"
   command: '/usr/local/bin/helmfile -b /snap/bin/helm -e oas -f /oas/source/repos/helmfiles/helmfile.d/ apply --suppress-secrets'