diff --git a/helmfiles/values/nextcloud.yaml.gotmpl b/helmfiles/values/nextcloud.yaml.gotmpl
index 5edca0dc51ddbd1b5f40317a661b4eb95c7fc11f..75e4c3305fd494121eb999e430d62e35de69bafb 100644
--- a/helmfiles/values/nextcloud.yaml.gotmpl
+++ b/helmfiles/values/nextcloud.yaml.gotmpl
@@ -10,6 +10,34 @@ nextcloud:
       kubernetes.io/tls-acme: "true"
       # Set max body size high to allow big NextCloud uploads
       nginx.ingress.kubernetes.io/proxy-body-size: 1G
+      nginx.ingress.kubernetes.io/server-snippet: |-
+        server_tokens off;
+        proxy_hide_header X-Powered-By;
+        rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+        location = /.well-known/carddav {
+          return 301 $scheme://$host/remote.php/dav;
+        }
+        location = /.well-known/caldav {
+          return 301 $scheme://$host/remote.php/dav;
+        }
+        location = /robots.txt {
+          allow all;
+          log_not_found off;
+          access_log off;
+        }
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+          try_files $uri /index.php$request_uri;
+          # Optional: Don't log access to other assets
+          access_log off;
+        }
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+          deny all;
+        }
+        location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
+          deny all;
+        }
     hosts:
       - "files.{{ .Environment.Values.domain }}"
     tls:
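Review bot: The `host-meta.json` rewrite in the added `server-snippet` can never fire, because the unanchored `^/.well-known/host-meta` rule above it also matches `/.well-known/host-meta.json` and stops rewrite processing with `last`; that third rule is also the only one missing the `last` flag. Anchoring the patterns and escaping the dots fixes both, e.g. `rewrite ^/\.well-known/host-meta$ /public.php?service=host-meta last;` and `rewrite ^/\.well-known/host-meta\.json$ /public.php?service=host-meta-json last;`. Separately, the `deny all` locations for `data`, `config`, `occ` and the rest only take effect if the ingress-nginx controller accepts snippet annotations (`allow-snippet-annotations`), which newer releases disable by default. I would add a comment above the annotation such as `# Requires allow-snippet-annotations on the controller; the backend must also deny /data and /config itself`, and confirm the Nextcloud web server enforces those denies independently. The `annotations` mapping this key belongs to starts outside the hunk, so the controller settings and ingress class are not visible here.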