diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix
index 4e23799..940f52a 100644
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -6,10 +6,12 @@ let
 containerSetsList = lib.mapAttrsToList (name: containerCfg: let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg builder name;}; in{
+ name = name;
 containers = lib.mapAttrs' (cName: cValue: lib.nameValuePair "${name}-${cName}" cValue ) defs.containers; paths = defs.paths or [];
+ setup = defs.setup or null;
 } ) enabledConfigs; mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
@@ -24,15 +26,7 @@ in
 containers = mergedContainers; };
- systemd.services.podman-gc = {
- description = "Podman garbage collection";
- serviceConfig.Type = "oneshot";
- script = ''
- ${pkgs.podman}/bin/podman container prune -f
- ${pkgs.podman}/bin/podman image prune -f
- '';
- startAt = "weekly";
- };
+ systemd.services system.activationScripts.container-setup-dirs = { deps = [ "users" "groups" ];
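Review bot: `name = name;` in the first added line is the spelled-out form of `inherit name;`, which is the idiomatic way to carry the enclosing binding into the set. The second added line, `setup = defs.setup or null;`, is the only place that introduces the new per-set field, and the consumer further down this file reads `setup.trigger` and `setup.script` without further checks, so a comment stating the expected shape would help defs authors, e.g. `# setup: null, or { trigger = <container key>; script = <executable path>; } — run once podman-<name>-<trigger> is up`. The `let` block these bindings live in continues outside the hunk.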
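Review bot: The added line reads as a bare `systemd.services` with no `=` and no terminating `;`, running straight into the existing `system.activationScripts.container-setup-dirs = {` binding; as rendered here that is not a valid Nix binding and the module would fail to parse. It looks like a remnant of moving the podman-gc definition into the `systemd.services = { … }` block added in the last hunk of this file, so the line should simply be deleted. The attribute set that contains it starts and ends outside this hunk.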
@@ -42,5 +36,46 @@ in
 ${pkgs.coreutils}/bin/chmod ${cfg.mode} "${cfg.path}" '') allPathConfigs); };
+
+
+ # systemd.services.${name}-init-settings = {
+ # description = "Initialize ${NAME} settings";
+ # after = [ "podman-${name}-${setup.trigger}.service" ];
+ # requires = [ "podman-${name}-${setup.trigger}.service" ];
+ # wantedBy = [ "multi-user.target" ];
+ # serviceConfig = {
+ # Type = "oneshot";
+ # ExecStart = "${container.setup.script}";
+ # RemainAfterExit = true;
+ # };
+ # };
+ systemd.services = {
+ podman-gc = {
+ description = "Podman garbage collection";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ ${pkgs.podman}/bin/podman container prune -f
+ ${pkgs.podman}/bin/podman image prune -f
+ '';
+ startAt = "weekly";
+ };
+ } // lib.listToAttrs (lib.concatMap (containerSet:
+ if containerSet.setup != null then [{
+ name = "${containerSet.name}-setup";
+ value = {
+ description = "Run ${containerSet.name} setup";
+ after = [ "podman-${containerSet.name}-${containerSet.setup.trigger}.service" ];
+ requires = [ "podman-${containerSet.name}-${containerSet.setup.trigger}.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${containerSet.setup.script}";
+ RemainAfterExit = true;
+ User = "root";
+ };
+ };
+ }] else []
+ ) containerSetsList);
+ };
 }
\ No newline at end of file
diff --git a/modules/server/containers/defs/nextcloud.nix b/modules/server/containers/defs/nextcloud.nix
index 2df4974..6a8ed53 100644
--- a/modules/server/containers/defs/nextcloud.nix
+++ b/modules/server/containers/defs/nextcloud.nix
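Review bot: The added `};` after `) containerSetsList);` closes nothing — the `systemd.services = { … } // lib.listToAttrs (…);` binding already ends at that `;` — so, as rendered here, the module has one closing brace too many before the final `}` and would not parse; that `};` line should go. The commented-out `systemd.services.${name}-init-settings` template above it references `${NAME}` and `container.setup.script`, neither of which is bound in this file, and is superseded by the generated `${containerSet.name}-setup` units, so it should be removed rather than left in. Those generated units are `Type = "oneshot"` with no `TimeoutStartSec`, and oneshot units have no start timeout by default, so a setup script that polls for its container (the `until $OCC status` loop in the nextcloud.nix hunk below) can block the unit, and the boot targets that want it, indefinitely; adding `TimeoutStartSec = "10min";` next to `RemainAfterExit = true;` bounds that, with the value to be tuned per set.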
@@ -33,13 +33,13 @@ in {
 "SMTP_PASSWORD" = "mail_password"; "MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.hostDomain}"; "MAIL_DOMAIN" = serverCfg.mailDomain;
- "TRUSTED_PROXIES" = "...";
+ "TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
 }; extraLabels = { "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav"; "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
- "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "^https://(.*)/.well-known/(card|cal)dav";
- "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$\${1}/remote.php/dav/";
+ "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
+ "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement=https://$${1}/remote.php/dav"
 "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000"; "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true"; };
@@ -54,6 +54,29 @@ in {
 ]; }; };
+ };
+ setup = {
+ trigger="server";
+ script = pkgs.writeShellScript "setup" ''
+ # Define the command wrapper
+ OCC="${pkgs.podman}/bin/podman exec -u www-data nextcloud php occ"
+
+ echo "Waiting for Nextcloud container to start..."
+ until $OCC status > /dev/null 2>&1; do
+ sleep 2
+ done
+
+ echo "Maintenance ..."
+ $OCC maintenance:repair --include-expensive --non-interaction
+ $OCC db:add-missing-indices --non-interaction
+
+ echo "Applying settings..."
+
+ $OCC app:install calendar || true
+ $OCC config:system:set phone_region --value="CH"
+ $OCC config:app:set core backgroundjobs_mode --value="cron"
+
+ '';
 }; }
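Review bot: The two added `redirectregex` labels are bare strings — `"…redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"` with no `= value;` — inside the `extraLabels = { … }` attribute set, which Nix does not accept; they read like compose-style `key=value` entries and need to be bindings: `"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";` and `"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$${1}/remote.php/dav";`. Separately, `"TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16"` tells Nextcloud to honour forwarded-client headers from every host in two /16 networks, so any machine there can present an arbitrary client address to Nextcloud's logging and brute-force protection; it should list only the address or subnet Traefik actually connects from. Both changes sit inside the `nextcloud` container definition, which starts before this hunk.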
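Review bot: The setup script execs into a container named `nextcloud` (`podman exec -u www-data nextcloud php occ`), but default.nix registers this set's containers under `"${name}-${cName}"`, and `trigger="server"` ties the unit to `podman-nextcloud-server.service`, which suggests the container is actually named `nextcloud-server`; unless its definition pins the name via extraOptions (not visible here), every `$OCC` call fails and the `until $OCC status` loop never exits. `pkgs.writeShellScript` does not enable `-e`, so failures of `maintenance:repair`, `db:add-missing-indices` or the `config:*:set` calls are ignored and the oneshot still reports success; start the script with `set -euo pipefail` (the `|| true` on `app:install calendar` already anticipates a non-fatal failure). Because the unit is `wantedBy multi-user.target` with `RemainAfterExit`, `maintenance:repair --include-expensive` runs on every boot, which deserves a comment or a marker file if that is not intended. The `setup` attribute closes inside this hunk; the enclosing set starts before it.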