diff --git a/modules/server/containers/defs/nextcloud.nix b/modules/server/containers/defs/nextcloud.nix
index 84ccd9d..8714fba 100644
--- a/modules/server/containers/defs/nextcloud.nix
+++ b/modules/server/containers/defs/nextcloud.nix
@@ -44,7 +44,7 @@ in {
         "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
       };
       extraOptions = [
-        "--tmpfs /tmp:rw,mode=1777"
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=64m"
       ];
       overrides = {
         ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
diff --git a/modules/server/containers/defs/traefik.nix b/modules/server/containers/defs/traefik.nix
index cb544ae..a3631d1 100644
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
@@ -17,7 +17,6 @@ in {
     server = builder.mkContainer {
       subdomain = containerCfg.subdomain;
       image = "traefik:${version}";
-      port = containerCfg.port;
       ip = containerCfg.ip;
       secret = name;
       extraEnv = {