diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a4df171efb9384ef394c3bce4d30d9344dfbe699..d3bff357f5d3b3e780821462e23ccb11a1848966 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,7 +14,7 @@ ci_test_image:
     DOCKER_DRIVER: overlay2
   image: docker:stable
   services:
-    - docker:dind
+    - docker:18-dind  # FIXME This is an older version of DIND. Update when gitlab-runner fixes https://gitlab.com/gitlab-org/gitlab-runner/issues/4501
   before_script:
     - docker info
   script:
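Review bot: The service is pinned to `docker:18-dind`, but `image: docker:stable` two lines above it still floats, so the Docker CLI in the job can move ahead of the daemon it talks to. Pinning both to the same release line (`image: docker:18`) keeps them in step until the FIXME is resolved. `18-dind` is also a mutable tag on an older release line, so the daemon in this job will presumably miss fixes shipped in newer releases while the pin stays in place. It would help to record a review date or tracking ticket next to the FIXME so the pin does not become permanent. The `ci_test_image` job starts above the hunk and continues below it.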
diff --git a/helmfiles/values/nextcloud.yaml.gotmpl b/helmfiles/values/nextcloud.yaml.gotmpl
index 5edca0dc51ddbd1b5f40317a661b4eb95c7fc11f..376beded449485e9c6a33914d701cd09326d2090 100644
--- a/helmfiles/values/nextcloud.yaml.gotmpl
+++ b/helmfiles/values/nextcloud.yaml.gotmpl
@@ -10,6 +10,26 @@ nextcloud:
       kubernetes.io/tls-acme: "true"
       # Set max body size high to allow big NextCloud uploads
       nginx.ingress.kubernetes.io/proxy-body-size: 1G
+      nginx.ingress.kubernetes.io/server-snippet: |-
+        server_tokens off;
+        proxy_hide_header X-Powered-By;
+        rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+        location = /.well-known/carddav {
+          return 301 $scheme://$host/remote.php/dav;
+        }
+        location = /.well-known/caldav {
+          return 301 $scheme://$host/remote.php/dav;
+        }
+        location = /robots.txt {
+          allow all;
+          log_not_found off;
+          access_log off;
+        }
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+          try_files $uri /index.php$request_uri;
+        }
     hosts:
       - "files.{{ .Environment.Values.domain }}"
     tls:
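Review bot: The `host-meta.json` rewrite in the added `server-snippet` can never fire, because the preceding rule's pattern `^/.well-known/host-meta` has no end anchor, matches the `.json` path too and ends rewrite processing with `last`. Put the JSON rule first and anchor both, e.g. `rewrite ^/\.well-known/host-meta\.json$ /public.php?service=host-meta-json last;` followed by `rewrite ^/\.well-known/host-meta$ /public.php?service=host-meta last;`; this also adds the `last` flag the third rule is missing. The `location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$` block uses `try_files $uri ...`, which looks copied from a config where nginx serves Nextcloud's files directly. In an ingress controller `$uri` is presumably resolved against the controller's own filesystem, so confirm static assets still reach the backend. `server-snippet` injects raw nginx configuration into the shared controller, and clusters that disable snippet annotations (`allow-snippet-annotations: "false"`) will not apply it, so a comment stating that dependency above the annotation would help. The `annotations` mapping begins above the hunk.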