diff --git a/flake.lock b/flake.lock
index b3a341c..301b821 100644
--- a/flake.lock
+++ b/flake.lock
@@ -169,11 +169,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1745503349,
- "narHash": "sha256-bUGjvaPVsOfQeTz9/rLTNLDyqbzhl0CQtJJlhFPhIYw=",
+ "lastModified": 1744633460,
+ "narHash": "sha256-fbWE4Xpw6eH0Q6in+ymNuDwTkqmFmtxcQEmtRuKDTTk=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "f7bee55a5e551bd8e7b5b82c9bc559bc50d868d1",
+ "rev": "9a049b4a421076d27fee3eec664a18b2066824cb",
 "type": "github"
 },
 "original": {
@@ -216,11 +216,11 @@
 },
 "nixpkgsUnstable": {
 "locked": {
- "lastModified": 1745391562,
- "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
+ "lastModified": 1744463964,
+ "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
+ "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650",
 "type": "github"
 },
 "original": {
@@ -244,11 +244,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1745487689,
- "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=",
+ "lastModified": 1744440957,
+ "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3",
+ "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
 "type": "github"
 },
 "original": {
diff --git a/hosts/hub/apps/actual.nix b/hosts/hub/apps/actual.nix
index 739f465..8bf4170 100644
--- a/hosts/hub/apps/actual.nix
+++ b/hosts/hub/apps/actual.nix
@@ -8,7 +8,7 @@
 virtualisation.oci-containers.containers.actual = {
 image = "actualbudget/actual-server:latest";
 ports = [
- "127.0.0.1:5006:5006"
+ "5006:5006"
 ];
 environment = {
 ACTUAL_LOGIN_METHOD = "header";
diff --git a/hosts/hub/apps/grafana.nix b/hosts/hub/apps/grafana.nix
index a41f8a5..e37ceb0 100644
--- a/hosts/hub/apps/grafana.nix
+++ b/hosts/hub/apps/grafana.nix
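Review bot: The `ports` entry in actual.nix now reads `"5006:5006"` instead of `"127.0.0.1:5006:5006"`, so the container port is published on every host interface rather than on loopback only. With `ACTUAL_LOGIN_METHOD = "header"` two lines further down, the server presumably accepts the identity carried in a request header, so any client that can reach port 5006 directly is not subject to whatever proxy is meant to set that header. The open-webui.nix hunk drops the same prefix (`"127.0.0.1:8090:8080"` becomes `"8090:8080"`). Unless a host firewall is known to block both ports, keep the loopback binds, `"127.0.0.1:5006:5006"` and `"127.0.0.1:8090:8080"`, and reach the services only through the reverse proxy. Both attribute sets continue outside their hunks.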
@@ -3,22 +3,19 @@
 grafana = {
 enable = true;
 settings = {
- server = {
- root_url = "https://grafana.tailc50184.ts.net";
+ auth.proxy = {
+ enabled = true;
+ header_name = "Remote-User";
+ headers = "Name:Remote-Name Email:Remote-Email Groups:Remote-Groups";
 };
- # "auth.proxy" = {
- # enabled = true;
- # header_name = "Remote-User";
- # headers = "Name:Remote-Name Email:Remote-Email Groups:Remote-Groups";
- # };
 };
 };
 caddy.virtualHosts."grafana.tailc50184.ts.net".extraConfig = ''
 bind tailscale/grafana
- # forward_auth localhost:9091 {
- # uri /api/authz/forward-auth
- # copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
- # }
+ forward_auth localhost:9091 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
+ }
 reverse_proxy localhost:3000
 '';
 };
diff --git a/hosts/hub/apps/karakeep.nix b/hosts/hub/apps/karakeep.nix
deleted file mode 100644
index 8bf4170..0000000
--- a/hosts/hub/apps/karakeep.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, ... }:
-
-{
- systemd.tmpfiles.rules = [
- "d /var/lib/actual 0755 root root"
- ];
-
- virtualisation.oci-containers.containers.actual = {
- image = "actualbudget/actual-server:latest";
- ports = [
- "5006:5006"
- ];
- environment = {
- ACTUAL_LOGIN_METHOD = "header";
- };
- volumes = [ "/var/lib/actual:/data" ];
- };
-
- services.caddy.virtualHosts."https://budget.tailc50184.ts.net".extraConfig = ''
- bind tailscale/budget
- reverse_proxy http://localhost:5006
- '';
-}
diff --git a/hosts/hub/apps/open-webui.nix b/hosts/hub/apps/open-webui.nix
index 840bf5e..e9662d0 100644
--- a/hosts/hub/apps/open-webui.nix
+++ b/hosts/hub/apps/open-webui.nix
@@ -10,7 +10,7 @@ in
 virtualisation.oci-containers.containers.open-webui = {
 image = "ghcr.io/open-webui/open-webui:main";
 ports = [
- "127.0.0.1:8090:8080"
+ "8090:8080"
 ];
 volumes = [ "/var/lib/open-webui:/app/backend/data" ];
 environment = {
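Review bot: In the new `settings` block of grafana.nix the key is written unquoted as `auth.proxy = {`, whereas the removed comment had `"auth.proxy" = {`; Nix reads the unquoted form as the nested path `auth` then `proxy`, which most likely does not map to Grafana's `[auth.proxy]` section, so the line should read `"auth.proxy" = {`. Once proxy auth is on, Grafana trusts the `Remote-User` header, so the listener behind `reverse_proxy localhost:3000` must stay reachable only through Caddy's `forward_auth`; adding `whitelist = "127.0.0.1";` to the same section restricts which peers may supply that header. The hunk also drops `server.root_url`, and the default.nix hunk in this commit removes `./apps/grafana.nix` from the imports, so this file may not be evaluated at all; confirm that both are intended. The enclosing attribute set starts before the hunk.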
diff --git a/hosts/hub/apps/prometheus.nix b/hosts/hub/apps/prometheus.nix
index 8a90c38..e69de29 100644
--- a/hosts/hub/apps/prometheus.nix
+++ b/hosts/hub/apps/prometheus.nix
@@ -1,23 +0,0 @@
-{ config, ... }:
-
-{
- services = {
- prometheus = {
- enable = true;
- scrapeConfigs = [
- {
- job_name = "thewordnerd";
- static_configs = [
- {
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
- }
- ];
- }
- ];
- };
- caddy.virtualHosts."prometheus.tailc50184.ts.net".extraConfig = ''
- bind tailscale/prometheus
- reverse_proxy localhost:9090
- '';
- };
-}
diff --git a/hosts/hub/default.nix b/hosts/hub/default.nix
index 5efc676..c2feb93 100644
--- a/hosts/hub/default.nix
+++ b/hosts/hub/default.nix
@@ -11,10 +11,8 @@
 ../../roles/restic.nix
 ../../base.nix
 ../../users/root.nix
- ../../roles/restic.nix
 ../../roles/fail2ban.nix
 ../../roles/tailscale.nix
- ../../roles/prometheus.nix
 ../../roles/lldap.nix
 ../../roles/authelia.nix
 ../../roles/podman.nix
@@ -23,8 +21,6 @@
 ../../roles/vscode-remote.nix
 ../../roles/postgres.nix
 ../../roles/syncthing.nix
- ./apps/grafana.nix
- ./apps/prometheus.nix
 ./apps/dev.nix
 ./apps/nextcloud.nix
 ./apps/paperless.nix