diff --git a/argocd-apps/extra-resources-my-apps.yaml b/argocd-apps/extra-resources-my-apps.yaml new file mode 100644 index 0000000..0b73b14 --- /dev/null +++ b/argocd-apps/extra-resources-my-apps.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: my-apps-extra-resources + namespace: argocd +spec: + project: infra + source: + repoURL: https://git.dvirlabs.com/dvirlabs/my-apps.git + targetRevision: HEAD + path: manifests/extra-resources + destination: + server: https://kubernetes.default.svc + namespace: my-apps + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/manifests/extra-resources/nextcloud/external-secret.yaml b/manifests/extra-resources/nextcloud/external-secret.yaml new file mode 100644 index 0000000..0c252f1 --- /dev/null +++ b/manifests/extra-resources/nextcloud/external-secret.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: keycloak-client-secret + namespace: my-apps +spec: + refreshInterval: 1h + secretStoreRef: + name: my-secret-store + kind: ClusterSecretStore + target: + name: keycloak-client-secret + template: + engineVersion: v2 + data: + keycloak-client-secret: "{{ .client_secret }}" + data: + - secretKey: client_secret + remoteRef: + key: oidc-clients/nextcloud-oidc + property: client_secret diff --git a/manifests/extra-resources/nextcloud/keycloak-post-install-cm.yaml b/manifests/extra-resources/nextcloud/keycloak-post-install-cm.yaml new file mode 100644 index 0000000..fdd3707 --- /dev/null +++ b/manifests/extra-resources/nextcloud/keycloak-post-install-cm.yaml 
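Review bot: The Application source `path: manifests/extra-resources` sets no `directory.recurse`, while the manifests this commit adds live one level down in `manifests/extra-resources/nextcloud/`; Argo CD's plain-directory source is non-recursive by default, so the ExternalSecret and ConfigMap would not be applied unless something at the top level (a kustomization, not visible in this diff) pulls them in. Add `directory:` with `recurse: true` under `source:`, or point `path` at the subdirectory. Because `syncPolicy.automated` enables both `prune` and `selfHeal` on a `targetRevision: HEAD` tracker, anything merged to the default branch is applied and pruned with no manual gate, so a pinned branch or tag is worth considering once the layout settles.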
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: nextcloud-post-install + namespace: my-apps +data: + keycloak-post-install.sh: | + #!/bin/bash + echo "🔐 Enabling sociallogin app..." + occ app:install sociallogin || true + occ app:enable sociallogin + + echo "🔐 Configuring Keycloak OIDC provider..." + occ sociallogin:custom_oidc keycloak \ + --client-id="nextcloud" \ + --client-secret="$(cat /secrets/keycloak-client-secret)" \ + --issuer-uri="https://keycloak.dvirlabs.com/realms/dvirlabs" \ + --auto-provision 1 \ + --hide-login-form 0 \ + --scope="openid profile email" diff --git a/manifests/extra-resources/nextcloud/keycloak-post-install.sh b/manifests/extra-resources/nextcloud/keycloak-post-install.sh new file mode 100644 index 0000000..e2899ba --- /dev/null +++ b/manifests/extra-resources/nextcloud/keycloak-post-install.sh @@ -0,0 +1,13 @@ +#!/bin/bash +echo "🔐 Enabling sociallogin app..." +occ app:install sociallogin || true +occ app:enable sociallogin + +echo "🔐 Configuring Keycloak OIDC provider..." +occ sociallogin:custom_oidc keycloak \ + --client-id="nextcloud" \ + --client-secret="$(cat /secrets/keycloak-client-secret)" \ + --issuer-uri="https://keycloak.dvirlabs.com/realms/dvirlabs" \ + --auto-provision 1 \ + --hide-login-form 0 \ + --scope="openid profile email" diff --git a/manifests/nextcloud/values.yaml b/manifests/nextcloud/values.yaml index 489d910..ca5a1bc 100644 --- a/manifests/nextcloud/values.yaml +++ b/manifests/nextcloud/values.yaml @@ -24,6 +24,20 @@ nextcloud: - name: OVERWRITEPROTOCOL value: https + extraVolumes: + - name: keycloak-post-install + configMap: + name: nextcloud-post-install + - name: keycloak-secret + secret: + secretName: keycloak-client-secret + + extraVolumeMounts: + - name: keycloak-post-install + mountPath: /docker-entrypoint-hooks.d/post-installation + - name: keycloak-secret + mountPath: /secrets + internalDatabase: enabled: false 
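Review bot: In the `keycloak-post-install.sh` key of the ConfigMap, `--client-secret="$(cat /secrets/keycloak-client-secret)"` runs without `set -e` and without checking the file, so a missing or empty mount registers the Keycloak provider with an empty client secret and the hook still exits 0. Guard it before the occ call: `set -euo pipefail`, `secret_file=/secrets/keycloak-client-secret`, `[ -s "$secret_file" ] || { echo "client secret missing at $secret_file" >&2; exit 1; }`. The same script is duplicated verbatim in `manifests/extra-resources/nextcloud/keycloak-post-install.sh` (the next hunk), which nothing in this change references; either drop that copy or generate the ConfigMap from it so the two cannot drift. Two points to confirm: the secret is passed as a command-line argument and is therefore visible in the container's process list for the duration of the occ call, and `occ` is invoked as a bare command, which only works if the hook environment puts it on PATH — `php /var/www/html/occ` is the unambiguous form.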
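Review bot: The `keycloak-post-install` ConfigMap volume is mounted at `/docker-entrypoint-hooks.d/post-installation` with the default file mode, and as far as I recall the Nextcloud image entrypoint skips hook scripts that lack the executable bit, so the script would be logged as skipped instead of run; add `defaultMode: 0755` under `configMap:` and check the rendered Pod spec shows mode 493. The `/secrets` mount for `keycloak-secret` should carry `readOnly: true`, since nothing in the hook writes there. Note also that a post-installation hook fires only on a fresh install, so an instance that already exists will not pick this configuration up, and when the ExternalSecret refreshes a rotated client secret the projected file changes but the value stored by occ does not. The enclosing `nextcloud:` mapping starts outside this hunk.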
@@ -39,7 +53,7 @@ persistence: enabled: true storageClass: nfs-client accessMode: ReadWriteOnce - size: 500Gi + size: 1000Gi mariadb: enabled: true
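Review bot: Raising `persistence.size` from `500Gi` to `1000Gi` changes `spec.resources.requests.storage` on an existing PVC, which the API only permits when the `nfs-client` StorageClass has `allowVolumeExpansion: true`; otherwise the sync fails on the PVC and, with `selfHeal` enabled, the Application retries into a persistent failed state rather than a one-off error. Confirm the StorageClass allows expansion (and that the NFS backend enforces any size at all) before merging, or leave the request unchanged. The `persistence:` mapping starts outside this hunk.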