diff --git a/deployment/npm/.env.example b/deployment/npm/.env.example
new file mode 100644
index 0000000..7377d75
--- /dev/null
+++ b/deployment/npm/.env.example
@@ -0,0 +1,4 @@
+TZ=Etc/UTC
+NPM_ADMIN_BIND_IP=100.87.130.79
+NPM_EDGE_NETWORK=nextcloud_edge
+NPM_SHARED_NETWORK=npm-shared
diff --git a/deployment/npm/.gitignore b/deployment/npm/.gitignore
new file mode 100644
index 0000000..383dbe5
--- /dev/null
+++ b/deployment/npm/.gitignore
@@ -0,0 +1,3 @@
+data/
+letsencrypt/
+.env
diff --git a/deployment/npm/README.md b/deployment/npm/README.md
new file mode 100644
index 0000000..38d4aa6
--- /dev/null
+++ b/deployment/npm/README.md
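Review bot: `NPM_ADMIN_BIND_IP=100.87.130.79` puts what looks like this deployment's own address into the example file, and the same value is repeated as the fallback in `docker-compose.yml` (`${NPM_ADMIN_BIND_IP:-100.87.130.79}`). On any other host that fallback either fails to bind or, if the address happens to exist there, publishes the admin UI on an interface nobody chose. I would ship a neutral value with a comment, e.g. `# address the NPM admin UI (port 81) is published on; use this host's private/VPN address` above `NPM_ADMIN_BIND_IP=127.0.0.1`, and make the compose entry require the variable with `${NPM_ADMIN_BIND_IP:?set NPM_ADMIN_BIND_IP in .env}`.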
@@ -0,0 +1,65 @@
+# Nginx Proxy Manager
+
+This stack runs Nginx Proxy Manager separately from the Nextcloud stack while preserving the existing proxy host database and certificates.
+
+## Layout
+
+- `docker-compose.yml` defines the standalone NPM service.
+- `.env` holds only stack-local settings like `TZ` and the admin bind IP.
+- Runtime state lives in:
+ - `./data`
+ - `./letsencrypt`
+
+## Networks
+
+This stack joins the same external Docker networks that the current proxy hosts depend on:
+
+- `nextcloud_edge` for `nextcloud-app` and `portainer`
+- `npm-shared` for Islandflow services like `web` and `api`
+
+Because the container name stays `nginx-proxy-manager`, the existing `proxy.deltaisland.io -> nginx-proxy-manager:81` host continues to work after migration.
+
+### Upstream alias collisions
+
+This NPM instance is attached to multiple Docker networks. If two stacks both expose a generic alias like `api` or `web`, Nginx can resolve the wrong upstream.
+
+For Islandflow hosts, prefer explicit upstream hostnames in NPM:
+
+- `islandflow-vps-web-1` on port `3000`
+- `islandflow-vps-api-1` on port `4000`
+
+This avoids routing Islandflow traffic to similarly named containers from other stacks.
+
+## Migration
+
+1. Copy `.env.example` to `.env` and adjust values if needed.
+2. Stop the old NPM service from `/home/delta/nextcloud`.
+3. Copy the existing state directories into this stack:
+
+```bash
+cp -rf /home/delta/nextcloud/npm/data /home/delta/islandflow/deployment/npm/
+cp -rf /home/delta/nextcloud/npm/letsencrypt /home/delta/islandflow/deployment/npm/
+```
+
+4. Start the new stack:
+
+```bash
+docker compose up -d
+```
+
+5. Verify the expected hosts still load:
+
+- `https://proxy.deltaisland.io`
+- `https://portainer.deltaisland.io`
+- `https://cloud.dpdrm.com`
+
+## Current Live Proxy Hosts
+
+- `cloud.dpdrm.com` -> `nextcloud-app:80`
+- `portainer.deltaisland.io` -> `portainer:9000`
+- `proxy.deltaisland.io` -> `nginx-proxy-manager:81`
+
+Islandflow-specific host mapping should use explicit upstream container names whenever possible:
+
+- `flow.deltaisland.io` -> `islandflow-vps-web-1:3000`
+- `api.flow.deltaisland.io` -> `islandflow-vps-api-1:4000`
diff --git a/deployment/npm/docker-compose.yml b/deployment/npm/docker-compose.yml
new file mode 100644
index 0000000..4b7372d
--- /dev/null
+++ b/deployment/npm/docker-compose.yml
@@ -0,0 +1,29 @@
+name: nginx-proxy-manager
+
+services:
+ npm:
+ image: jc21/nginx-proxy-manager:2
+ container_name: nginx-proxy-manager
+ restart: unless-stopped
+ ports:
+ - "80:80"
+ - "${NPM_ADMIN_BIND_IP:-100.87.130.79}:81:81"
+ - "443:443"
+ env_file:
+ - ./.env
+ environment:
+ TZ: ${TZ}
+ volumes:
+ - ./data:/data
+ - ./letsencrypt:/etc/letsencrypt
+ networks:
+ - edge
+ - shared
+
+networks:
+ edge:
+ external: true
+ name: ${NPM_EDGE_NETWORK:-nextcloud_edge}
+ shared:
+ external: true
+ name: ${NPM_SHARED_NETWORK:-npm-shared}
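Review bot: Binding port 81 to `${NPM_ADMIN_BIND_IP:-100.87.130.79}` only restricts the directly published admin port; the README in this same commit keeps a `proxy.deltaisland.io -> nginx-proxy-manager:81` proxy host, so the admin UI is presumably still reachable through `80`/`443`, which are published on all interfaces. If the intent is to keep the admin UI off the public side, that proxy host needs an NPM access list (or a name that only resolves privately), and a comment above the `ports:` entries should say so, e.g. `# admin UI: direct access limited to the bind IP; the proxy.deltaisland.io host must carry its own access list`. Separately, `image: jc21/nginx-proxy-manager:2` is a floating major tag; for an internet-facing proxy, pinning a full version or an image digest keeps `docker compose pull` reproducible and makes upgrades a reviewed change.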