diff --git a/nextcloud/application.yaml b/nextcloud/application.yaml
index 0a426d3..464f333 100644
--- a/nextcloud/application.yaml
+++ b/nextcloud/application.yaml
@@ -56,9 +56,25 @@ spec:
 app.kubernetes.io/name: nextcloud
 spec:
 enableServiceLinks: false
+ initContainers:
+ - name: setup-php-config
+ image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
+ command: [ "/bin/sh","-c" ]
+ args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
+ volumeMounts:
+ - mountPath: /config
+ name: php-config
 containers:
 - name: nextcloud
- image: nextcloud:production-apache
+ image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/php
+ - /var/www/html/cron.php
+ initialDelaySeconds: 1
+ periodSeconds: 300
+ timeoutSeconds: 30
 env:
 - name: OIDC_CLIENT_ID
 valueFrom:
@@ -91,7 +107,7 @@ spec:
 - name: NEXTCLOUD_ADMIN_USER
 value: admin
 - name: NEXTCLOUD_TRUSTED_DOMAINS
- value: nextcloud.k-space.ee
+ value: nextcloud.k-space.ee nextcloud # This is for reference - these values are not actually changed by env after installation.
 - name: OBJECTSTORE_S3_HOST
 value: 172.20.9.2
 - name: OBJECTSTORE_S3_PORT
@@ -148,12 +164,31 @@ spec:
 - mountPath: /var/www/html/config/oidc.config.php
 name: config
 subPath: oidc.config.php
+ - name: php-config
+ mountPath: /usr/local/etc/php/conf.d/
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
 volumes:
+ - name: php-config
+ emptyDir: {}
 - name: config
 projected:
 sources:
 - configMap:
 name: nextcloud-config
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: "OnRootMismatch"
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
 volumeClaimTemplates:
 - metadata:
 name: data
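Review bot: The readinessProbe added to the nextcloud container executes `/var/www/html/cron.php`, so readiness now reports whether a background-job run finished inside `timeoutSeconds: 30` rather than whether the web server can take traffic; a long job run (after an upgrade, a large trashbin expiry, and so on) fails the probe and, after the default failureThreshold, removes the pod from the Service endpoints even though Apache is fine. A readiness probe that only checks the web endpoint (an httpGet on `/status.php`) plus a separate sidecar or CronJob running `php -f /var/www/html/cron.php` keeps the two concerns apart. Pinning by digest is a good supply-chain improvement; keeping the tag in front of it, `image: nextcloud:production-apache@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9`, preserves readability while the digest still decides what is pulled. The setup-php-config init container only inherits the pod-level securityContext; the container-level `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` that the third hunk adds for the main container should be repeated on it, since container-level fields do not propagate.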
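Review bot: The new `NEXTCLOUD_TRUSTED_DOMAINS` value carries an inline comment saying the env var no longer takes effect after installation, which leaves a security-relevant setting (the Host-header allowlist) documented in a place that does not control it. Either drop the env var or replace the trailing comment with one that names where trusted_domains is actually maintained, e.g. `# informational only: trusted_domains is maintained in the Nextcloud config after first install; change it there`. The added bare hostname `nextcloud` presumably exists for in-cluster access via the Service name — worth stating in the same comment so the next reader does not remove it.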
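Review bot: `capabilities.add: [NET_BIND_SERVICE]` on the nextcloud container is unlikely to do anything: with the pod running as `runAsUser: 1000`, an added capability goes into the bounding set but not the effective set of a non-root process (Kubernetes does not set ambient capabilities by default), and binding port 80 here most likely works because of the `net.ipv4.ip_unprivileged_port_start: "0"` sysctl added at pod level. Dropping the `add:` block keeps the policy an unqualified `drop: [ALL]`, which is also what the restricted Pod Security profile expects. The pod securityContext could additionally set `seccompProfile: {type: RuntimeDefault}` and `runAsNonRoot: true`; both are required by the restricted profile and nothing in this hunk appears to conflict with them.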
@@ -185,6 +220,7 @@ metadata:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+ traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
 spec:
 rules:
 - host: nextcloud.k-space.ee
@@ -201,6 +237,15 @@ spec:
 - hosts:
 - "*.k-space.ee"
 ---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: nextcloud-block-external-cron
+spec:
+ replacePathRegex:
+ regex: /cron.php
+ replacement: /
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
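Review bot: `regex: /cron.php` in the new Middleware is unanchored and the dot is unescaped, so the rewrite fires on any path that merely contains `cron` + one character + `php` and replaces only that substring (a constructed example: `/apps/foo/cron-php` would become `/apps/foo/`), which is broader than the stated intent. Anchor and escape it: `regex: '^/cron\.php$'`. Note also that `replacePathRegex` rewrites rather than blocks: the request is still served at `/` and Traefik forwards the original path in `X-Replaced-Path`, so if a hard deny is wanted an `ipWhiteList` middleware (403 for non-listed sources) would match the `block-external-cron` name better. The annotation in the previous hunk references `nextcloud-nextcloud-block-external-cron@kubernetescrd`, i.e. namespace `nextcloud`, while the Middleware carries no `namespace:` in its metadata, so it depends on being applied into that namespace.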