diff --git a/homelab/docker-compose.yaml b/homelab/docker-compose.yaml
index ef727eb..7007047 100644
--- a/homelab/docker-compose.yaml
+++ b/homelab/docker-compose.yaml
@@ -29,7 +29,7 @@ services:
         target: /var/run/docker.sock
         read_only: true
       - type: bind
-        source: /mnt/ext/srv/traefik/acme.json
+        source: /srv/ext/sys/traefik/acme.json
         target: /acme.json
     deploy:
       labels:
@@ -60,11 +60,11 @@ services:
       TZ: US/Mountain
     volumes:
       - type: bind
-        source: /mnt/ext/srv/plex
+        source: /srv/ext/sys/plex
         target: /config
       - type: bind
-        source: /media
-        target: /media
+        source: /srv
+        target: /srv
         read_only: true
         bind:
           propagation: rslave
@@ -75,11 +75,11 @@ services:
       - hostnet
     volumes:
       - type: bind
-        source: /mnt/ext/srv/transmission
+        source: /srv/ext/sys/transmission
         target: /config
       - type: bind
-        source: /mnt/ext/torrents
-        target: /mnt/ext/torrents
+        source: /srv/ext/incoming
+        target: /srv/ext/incoming
     deploy:
       labels:
         traefik.enable: "true"
@@ -88,40 +88,58 @@ services:
         traefik.http.routers.transmission.middlewares: forward-auth
         traefik.http.services.transmission.loadbalancer.server.port: "9091"
   nextcloud:
-    image: ghcr.io/linuxserver/nextcloud:23.0.0
+    image: ghcr.io/linuxserver/nextcloud:23.0.0-ls168
     environment:
       OVERWRITEPROTOCOL: https
     volumes:
       - type: bind
-        source: /mnt/ext/srv/nextcloud
+        source: /srv/ext/sys/nextcloud
         target: /config
       - type: bind
-        source: /mnt/ext/storage
+        source: /srv/ext/storage
         target: /data
       - type: bind
-        source: /mnt/ext
-        target: /mnt/ext
+        source: /srv/ext
+        target: /srv/ext
         read_only: true
         bind:
           propagation: rslave
+      - type: bind
+        source: /srv/ext/incoming
+        target: /srv/ext/incoming
     deploy:
       labels:
         traefik.enable: "true"
         traefik.http.routers.nextcloud.rule: "Host(`drive.woozle.org`) || PathPrefix(`/nextcloud`)"
         traefik.http.routers.nextcloud.tls: "true"
         traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
-        traefik.http.routers.nextcloud.middlewares: nextcloud-caldav@docker
+        traefik.http.routers.nextcloud.middlewares: nextcloud-caldav@docker,sts
         traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent: "true"
         traefik.http.middlewares.nextcloud-caldav.redirectregex.regex: ^https://(.*)/.well-known/(card|cal)dav
         traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement: https://$${1}/remote.php/dav/
+        traefik.http.middlewares.sts.headers.stsincludesubdomains: "false"
+        traefik.http.middlewares.sts.headers.stspreload: "true"
+        traefik.http.middlewares.sts.headers.stsseconds: "31536000"
         traefik.http.services.nextcloud.loadbalancer.server.port: "80"
   redis:
     image: redis
     volumes:
       - type: bind
-        source: /mnt/ext/srv/redis
+        source: /srv/ext/sys/redis
         target: /var/lib/redis
 
+  atlas:
+    image: ctassisf/ripe-atlas-alpine:arm64v8
+    volumes:
+      - type: bind
+        source: /srv/ext/sys/atlas/etc
+        target: /var/atlas-probe/etc
+      - type: bind
+        source: /srv/ext/sys/atlas/status
+        target: /var/atlas-probe/status
+    networks:
+      - hostnet
+
 secrets:
   password:
     file: password