diff --git a/modules/server/containers/apps/nextcloud.nix b/modules/server/containers/apps/nextcloud.nix
index 582b12a..dd93498 100644
--- a/modules/server/containers/apps/nextcloud.nix
+++ b/modules/server/containers/apps/nextcloud.nix
@@ -50,12 +50,10 @@ in {
 NEXTCLOUD_DATA_DIR = "/var/www/html/data";
 };
 extraLabels = {
- "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
+ "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "hsts-headers@docker,${containerCfg.subdomain}-caldav";
 "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
 "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
 "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
- "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
- "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
 };
 overrides = {
 ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
diff --git a/modules/server/containers/apps/traefik.nix b/modules/server/containers/apps/traefik.nix
index 48517d5..88a3467 100644
--- a/modules/server/containers/apps/traefik.nix
+++ b/modules/server/containers/apps/traefik.nix
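Review bot: In nextcloud.nix the router's `middlewares` label now names `hsts-headers@docker`, a middleware this file no longer defines, and nothing at the reference says where it lives. It is declared in the labels of the traefik container (apps/traefik.nix in this commit), so if that container is disabled or the provider is not named `docker` the reference will not resolve; Traefik normally refuses to create a router whose middleware is missing, which would take Nextcloud offline rather than serve it without HSTS, but that is worth confirming on the deployed version. I would add a comment above the label, `# hsts-headers is declared in the traefik container's labels (apps/traefik.nix)`. The same value mixes a provider-qualified name with the unqualified `${containerCfg.subdomain}-caldav`; qualifying both or neither would read more consistently.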
@@ -29,6 +29,12 @@ in { extraLabels = { "traefik.http.routers.${containerCfg.subdomain}.priority" = "10"; "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal"; + + + "traefik.http.middlewares.hsts-headers.headers.stsSeconds" = "15552000"; + "traefik.http.middlewares.hsts-headers.headers.stsIncludeSubdomains" = "true"; + "traefik.http.middlewares.hsts-headers.headers.stsPreload" = "true"; + "traefik.http.middlewares.hsts-headers.headers.forceSTSHeader" = "true"; "traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else ""; } // (if serverCfg.containers?authentik then { diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix index 412dcf7..e969b3a 100644 --- a/modules/server/containers/default.nix +++ b/modules/server/containers/default.nix @@ -14,7 +14,7 @@ let lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.runtime.containers ) loadedContainers; allPathConfigs = - (lib.mapAttrsToList (_: cfg: cfg) serverCfg.path) + (lib.mapAttrsToList (_: cfg: cfg) (lib.filterAttrs (name: _: name != "config") serverCfg.path)) ++ concatRuntimeLists "paths"; allSetupConfigs = map (app: ({ name = app.name; envFile = ""; } // app.runtime.setup)) appsList; allCronsConfigs = concatRuntimeLists "cron";
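Review bot: The new `hsts-headers` middleware sets `stsPreload` to `true` while keeping `stsSeconds` at `15552000` (180 days), and the browser preload list's submission rules require a max-age of at least one year, so the `preload` token is advertised without the policy being eligible. Either raise the value, `"traefik.http.middlewares.hsts-headers.headers.stsSeconds" = "31536000";`, or drop the `stsPreload` line until every subdomain is known to serve valid HTTPS, since preload combined with `stsIncludeSubdomains` is slow to undo once browsers ship it. `forceSTSHeader` also emits the header on plain-HTTP responses, which browsers ignore, so a one-line comment saying why it is needed here would help. The router label just below still attaches only `authentik` or an empty string, so the dashboard router does not use the new middleware; `extraLabels` continues past the end of the hunk.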
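Review bot: The filter added to `allPathConfigs` in default.nix drops any entry of `serverCfg.path` named `config` without saying why that key is special, so a path a user declares under that name would be skipped silently. A comment such as `# serverCfg.path.config holds module settings, not a path entry` would make the intent clear; the wording needs confirming against the option definition, which is outside this hunk. As a matter of style, `lib.mapAttrsToList (_: cfg: cfg)` is `lib.attrValues`, so the line could read `(lib.attrValues (removeAttrs serverCfg.path [ "config" ]))`. The `let` block starts and ends outside the hunk.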