diff --git a/roles/backup/defaults/main.yml b/roles/backup/defaults/main.yml
index 63b110b..172d822 100644
--- a/roles/backup/defaults/main.yml
+++ b/roles/backup/defaults/main.yml
@@ -1,4 +1,4 @@
-borg_pwd: "{{ lookup('password', '/tmp/borg.pwd length=24') }}"
+borg_pwd: "{{ lookup('password', '/tmp/borg.pwd length=32') }}"
 borg_pwd_file: "/root/borg.pwd"
 borg_key_backup: "/root/borg-key.backup"
diff --git a/roles/backup/templates/backup b/roles/backup/templates/backup
index b20e97c..4d5c6e7 100755
--- a/roles/backup/templates/backup
+++ b/roles/backup/templates/backup
@@ -6,6 +6,7 @@ OPTIONS=({{ backup_opts }} {{ backup_opts_extra }})
 export BORG_REPO="{{ backup_repo }}"
 export BORG_PASSCOMMAND="cat {{ borg_pwd_file }}"
+KEY_BACKUP="{{ borg_key_backup }}"
 MOUNTED=""
@@ -17,7 +18,7 @@ fi
 if [ ! -d "$BORG_REPO" ] ; then
 mkdir -vp --mode=0750 "$BORG_REPO"
 borg init --encryption=repokey
- borg key export "{{ borg_key_backup }}"
+ borg key export "$BORG_REPO" "$KEY_BACKUP"
 fi
 if [ -e "{{ nc_dir }}/config/config.php" ] ; then
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 8dfd682..a8f0747 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -20,10 +20,11 @@
 ## We can start with the installation now:
-- name: install apache, php- and db-packages
+- name: install apache, firewalld, php- and db-packages
 apt:
 name:
 - apache2
+ - firewalld
 - mariadb-server
 - python3-pymysql
 - php-apcu
@@ -38,6 +39,7 @@
 - php-mysql
 - php-xml
 - php-zip
+ - unzip
 state: latest
 - name: disable apache modules
@@ -212,7 +214,7 @@
 changed_when: cmd_result.stdout is not search('Nothing to do.')
 when: allow_download
-### app installations:
+## app installations:
 - name: install extra apps
 command: "sudo -u www-data php ./occ app:install {{ item }}"
 args:
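Review bot: In roles/backup/defaults/main.yml the generated passphrase is still persisted at the fixed path `/tmp/borg.pwd` on the control machine, which lengthening it to 32 characters does nothing about. The `password` lookup returns the contents of that file when it already exists, so on a shared controller whoever creates the file first decides the Borg passphrase. If `/tmp` is cleaned between runs, a new passphrase is generated that may no longer match an existing repository; whether that bites depends on how the role writes `borg_pwd_file`, which is not visible here. Consider a location only the operator can write to, for example `borg_pwd: "{{ lookup('password', 'credentials/borg.pwd length=32') }}"` (example path), or keep the value in Ansible Vault.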
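Review bot: In the first-run block of roles/backup/templates/backup (hunk at -17,7), `borg key export` still runs when `borg init` has failed, unless the script enables `set -e` above this hunk, which is not visible. Chaining the two, `borg init --encryption=repokey && borg key export "$BORG_REPO" "$KEY_BACKUP"`, avoids a misleading export error after a failed init. The exported key also ends up on the same host as the passphrase file and, since `$BORG_REPO` is tested with `-d`, presumably the repository itself. A comment above the export would help the next operator: `# NOTE: copy $KEY_BACKUP off this host; it cannot help recovery if it is lost together with the repository`.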
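Review bot: In roles/nextcloud/tasks/main.yml (hunk at -20,10), adding `firewalld` to this package list installs the firewall, and on Debian-family systems normally starts it, roughly two hundred lines before the `allow https in firewalld` task added at the end of the file. Nothing in this change opens any other service in between. If the host is managed over SSH on a non-default port, or Apache must also answer on port 80, the play could cut off its own connection or the site during that window; that depends on configuration outside this diff. Consider keeping the firewalld installation and its rules in adjacent tasks, with a comment such as `# firewalld's default zone typically allows only ssh and dhcpv6-client; open every required service before continuing`.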
@@ -224,6 +226,14 @@
 failed_when: cmd_result.stdout is not search('already installed') and cmd_result.rc != 0
 when: allow_download
+- name: allow https in firewalld
+ firewalld:
+ service: https
+ permanent: Yes
+ immediate: Yes
+ state: enabled
+
+
 ## ToDo kerberox integration:
 # sudo -u www-data php ./occ app:enable user_ldap
 # sudo -u www-data php ./occ app:install user_saml
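Review bot: The new `allow https in firewalld` task assumes the firewalld daemon is already running and that the default zone is the one facing clients. `immediate: Yes` cannot be applied while the daemon is stopped, and without `zone:` the rule lands in whatever the default zone happens to be on that host. Starting and enabling the service first, naming the zone, and writing the booleans as `true` (the `Yes` form is flagged by yamllint's truthy rule) makes the intended exposure explicit and reviewable.

```yaml
- name: ensure firewalld is running
  service:
    name: firewalld
    state: started
    enabled: true

- name: allow https in firewalld
  firewalld:
    zone: public  # assumption: adjust to the zone of the client-facing interface
    service: https
    permanent: true
    immediate: true
    state: enabled
```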