diff --git a/container-config/nginx-home/git b/container-config/nginx-home/git
index a90747c..23591a8 100644
--- a/container-config/nginx-home/git
+++ b/container-config/nginx-home/git
@@ -5,8 +5,8 @@ server {
 include snippets/headers.conf;
 add_header Content-Security-Policy "default-src 'self'; font-src 'self' data:; img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
 location / {
- set $upstream home.server.home.arpa;
- proxy_pass http://$upstream:8003;
+ set $upstream systemd-forgejo.;
+ proxy_pass http://$upstream:3000;
 include snippets/proxy.conf;
 proxy_hide_header Content-Security-Policy;
 }
diff --git a/containers/push-all.sh b/containers/push-all.sh
index 485a0c6..ead6b7d 100755
--- a/containers/push-all.sh
+++ b/containers/push-all.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cd "$(dirname "$0")"
 for container in */; do
 container=${container%/}
diff --git a/infra/etc/containers/systemd/certbot.container b/infra/etc/containers/systemd/certbot.container
index a42cd85..3b04632 100644
--- a/infra/etc/containers/systemd/certbot.container
+++ b/infra/etc/containers/systemd/certbot.container
@@ -2,7 +2,7 @@ Image=docker.io/certbot/dns-cloudflare
 UserNS=host
 Entrypoint=run-certbot
-Volume=/etc/certificates:/etc/certificates:z
+Volume=/etc/certificates/certificates:/etc/certificates:z
 Volume=/var/lib/system-config/container-config/certbot/run-certbot:/usr/local/bin/run-certbot:Z,ro
 Tmpfs=/etc/letsencrypt
 Tmpfs=/var/lib/letsencrypt
diff --git a/home/etc/containers/systemd/forgejo.container b/infra/etc/containers/systemd/forgejo.container
similarity index 94%
rename from home/etc/containers/systemd/forgejo.container
rename to infra/etc/containers/systemd/forgejo.container
index e2861b3..55870f0 100644
--- a/home/etc/containers/systemd/forgejo.container
+++ b/infra/etc/containers/systemd/forgejo.container
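Review bot: `set $upstream systemd-forgejo.;` switches the backend to a name that only the podman network's DNS can answer, so forgejo must be attached to the same network as nginx (nginx.container shows `Network=nginx.network`; forgejo.container's `Network=` line is not in this diff) and the `resolver` that nginx uses for a variable `proxy_pass` must be the network's DNS, not an external one. The previous `home.server.home.arpa` value presumably worked through a resolver defined in `snippets/proxy.conf` or the http block; if that resolver is not the podman one, every request will fail at resolution time. The trailing dot suppresses search-domain appending and is easy to mistake for a typo, so add above the `set` line: `# container DNS name (trailing dot = no search domain); forgejo must join nginx.network`. The `server` block continues past the hunk.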
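Review bot: Now that the script is explicitly bash, the `for container in */; do` loop on the hunk's last lines still runs once with the literal `*/` when no subdirectory exists, and `container=${container%/}` then yields `*` for whatever push follows. Add `shopt -s nullglob` directly after `set -euo pipefail` so an empty directory produces zero iterations. The loop body continues past the hunk.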
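Review bot: The bind source moves from `/etc/certificates` to `/etc/certificates/certificates`, and the same change appears in infra nginx.container, vps certbot.container, dovecot.container and postfix.container, but nothing in this commit creates that directory or moves the existing certificates into it. If the path is absent when the units first start, podman will create it with default ownership and mode, which for a directory that will hold private keys is worth checking deliberately, and the read-only consumers (nginx, dovecot, postfix) will see an empty `/etc/certificates` until certbot has written to the new location. Add a one-time migration step or document in the unit why the extra level exists, e.g. `# host layout: certs live under /etc/certificates/certificates (see <reason>)` with the reason filled in.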
@@ -7,7 +7,6 @@ Secret=forgejo-token
 Secret=forgejo-jwt-secret
 Environment=GITEA_APP_INI=/etc/gitea/app.ini
 PublishPort=2222:2222
-PublishPort=8003:3000
 AutoUpdate=registry
 [Install]
 WantedBy=multi-user.target
diff --git a/home/etc/containers/systemd/forgejo.volume b/infra/etc/containers/systemd/forgejo.volume
similarity index 100%
rename from home/etc/containers/systemd/forgejo.volume
rename to infra/etc/containers/systemd/forgejo.volume
diff --git a/infra/etc/containers/systemd/nginx.container b/infra/etc/containers/systemd/nginx.container
index 5f1efa1..c2b0b1d 100644
--- a/infra/etc/containers/systemd/nginx.container
+++ b/infra/etc/containers/systemd/nginx.container
@@ -4,7 +4,7 @@ Network=nginx.network
 Volume=/var/lib/system-config/container-config/nginx:/etc/nginx:z,ro
 Volume=/var/lib/system-config/container-config/nginx-home:/etc/nginx-sites:z,ro
 Volume=/var/lib/system-config/container-config/site:/var/www:z,ro
-Volume=/etc/certificates:/etc/certificates:z,ro
+Volume=/etc/certificates/certificates:/etc/certificates:z,ro
 Tmpfs=/var/lib/nginx/tmp
 Tmpfs=/var/lib/nginx/logs
 PublishPort=80:80
diff --git a/setup-common.sh b/setup-common.sh
index 4b7bb0c..2609c71 100644
--- a/setup-common.sh
+++ b/setup-common.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R common/* /
 sed -E "s/#(auth.+required)/\1/" -i /etc/pam.d/su
diff --git a/setup-desktop.sh b/setup-desktop.sh
index ec028fd..9ebe857 100644
--- a/setup-desktop.sh
+++ b/setup-desktop.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 flatpak remote-delete fedora || true
 dconf update
diff --git a/setup-home.sh b/setup-home.sh
index a9cf8f3..e03003b 100644
--- a/setup-home.sh
+++ b/setup-home.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R home/* /
 sh setup-server.sh
diff --git a/setup-infra.sh b/setup-infra.sh
index ea98a59..7f0c79d 100644
--- a/setup-infra.sh
+++ b/setup-infra.sh
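Review bot: The `sed -E "s/#(auth.+required)/\1/" -i /etc/pam.d/su` line is an access-control change with no explanation: it uncomments any `auth … required` line in the su PAM stack, and the pattern is not anchored to the start of the line or to a specific module, so it will also match a `#` that appears later on a line or a different commented `auth required` entry added by a future package update. If the intent is the pam_wheel restriction (presumably; confirm against the file on the target), anchor it, e.g. `sed -E 's/^#(auth\s+required\s+pam_wheel\.so)/\1/' -i /etc/pam.d/su`, and add `# restrict su to members of wheel` above it.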
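Review bot: The new `#!/bin/bash` / `set -euo pipefail` header in setup-home.sh is bypassed by the way these scripts call each other, as the hunk's own last line `sh setup-server.sh` shows: the child runs under whatever `/bin/sh` is regardless of its shebang, and the file mode stays 100644 so the shebang is never consulted when the parent is invoked the same way. This repository presumably targets Fedora, where `/bin/sh` is bash in POSIX mode and still accepts `-o pipefail`, but on a `/bin/sh` without pipefail support the `set` line is an error and the child stops at line 2. Invoke the children with `bash setup-server.sh` (or mark them executable and call `./setup-server.sh`) so the interpreter change actually applies. The same pattern is in setup-infra.sh, setup-sandbox.sh and setup-vps.sh (calling setup-server.sh) and setup-laptop.sh (calling setup-desktop.sh).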
@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R infra/* /
 sh setup-server.sh
diff --git a/setup-k8s.sh b/setup-k8s.sh
index e13fac8..ae8e193 100755
--- a/setup-k8s.sh
+++ b/setup-k8s.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 helm upgrade --install metallb metallb --repo https://metallb.github.io/metallb --namespace metallb-system --create-namespace
 kubectl label namespaces metallb-system pod-security.kubernetes.io/enforce=privileged
 kubectl apply -f k8s/metallb.yaml
diff --git a/setup-laptop.sh b/setup-laptop.sh
index f965f91..14c806f 100644
--- a/setup-laptop.sh
+++ b/setup-laptop.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R desktop/* laptop/* /
 sh setup-desktop.sh
 systemctl disable auditd
diff --git a/setup-qubes-fedora.sh b/setup-qubes-fedora.sh
index 5dfc118..a497967 100644
--- a/setup-qubes-fedora.sh
+++ b/setup-qubes-fedora.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R desktop/* qubes-fedora/* /
 dnf config-manager --set-enabled qubes-vm-r4.2-security-testing qubes-vm-r4.2-current-testing
 dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-utils butane default-fonts fcitx5-anthy fcitx5-autostart fedora-flathub-remote file-roller fuse-sshfs gcc gcc-gdb-plugin glibc-all-langpacks helm htop kubernetes-client nautilus netcat nodejs-npm pipx qubes-ctap ShellCheck toolbox wireguard-tools whois xdg-desktop-portal-gtk yt-dlp
diff --git a/setup-qubes.sh b/setup-qubes.sh
index c12c8c8..5076b2a 100644
--- a/setup-qubes.sh
+++ b/setup-qubes.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 sudo cp -R qubes/* /
 qvm-pool set varlibqubes -o ephemeral_volatile=True
 qvm-features dom0 gui-default-secure-copy-sequence Ctrl-Mod4-c
diff --git a/setup-sandbox.sh b/setup-sandbox.sh
index 27229e4..58dbcdc 100644
--- a/setup-sandbox.sh
+++ b/setup-sandbox.sh
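Review bot: `kubectl apply -f k8s/metallb.yaml` on the hunk's last line is resolved against the caller's cwd, and unlike push-all.sh and setup.sh this script has no `cd "$(dirname "$0")"`, so run from any other directory it fails only after the helm release and the namespace label have already been applied. Add `cd "$(dirname "$0")"` right after `set -euo pipefail`. The `pod-security.kubernetes.io/enforce=privileged` label also deserves a why-comment, presumably because the MetalLB speaker needs host networking — confirm and note it, e.g. `# metallb speaker requires privileged PSA (host networking)`.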
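Review bot: `dnf config-manager --set-enabled qubes-vm-r4.2-security-testing qubes-vm-r4.2-current-testing` permanently enables testing repositories with no comment on why, which widens what every later `dnf upgrade` pulls in beyond the stable channel. If only some packages on the following `dnf install` line need them, prefer `--enablerepo=` on that one command; otherwise document the decision, e.g. `# testing repos kept enabled on purpose: <reason>`. The install line also runs without `-y`, so under a non-interactive run it will block on the confirmation prompt unless assumeyes is configured.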
@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R sandbox/* /
 sh setup-server.sh
diff --git a/setup-server.sh b/setup-server.sh
index 8a3f92b..ae32f62 100644
--- a/setup-server.sh
+++ b/setup-server.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R server/* /
 systemctl disable auditd
 systemctl disable --now docker.socket rpm-ostree-countme.timer
diff --git a/setup-vps.sh b/setup-vps.sh
index 2095891..15e2234 100644
--- a/setup-vps.sh
+++ b/setup-vps.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R vps/* /
 ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
 sh setup-server.sh
diff --git a/setup.sh b/setup.sh
index 3ad7064..88d69ac 100755
--- a/setup.sh
+++ b/setup.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cd "$(dirname "$0")"
 if [ "$USER" != root ]; then
 echo "Needs to be run as root" >&2
diff --git a/vps/etc/containers/systemd/certbot.container b/vps/etc/containers/systemd/certbot.container
index 8b42e53..0ba3dbf 100644
--- a/vps/etc/containers/systemd/certbot.container
+++ b/vps/etc/containers/systemd/certbot.container
@@ -3,7 +3,7 @@ Image=docker.io/certbot/dns-cloudflare
 UserNS=host
 Network=certbot.network
 Entrypoint=run-certbot
-Volume=/etc/certificates:/etc/certificates:z
+Volume=/etc/certificates/certificates:/etc/certificates:z
 Volume=/var/lib/system-config/container-config/certbot/run-certbot:/usr/local/bin/run-certbot:Z,ro
 Tmpfs=/etc/letsencrypt
 Tmpfs=/var/lib/letsencrypt
diff --git a/vps/etc/containers/systemd/dovecot.container b/vps/etc/containers/systemd/dovecot.container
index 892ac9b..9559083 100644
--- a/vps/etc/containers/systemd/dovecot.container
+++ b/vps/etc/containers/systemd/dovecot.container
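Review bot: `systemctl disable auditd` on the hunk's fourth line switches off the audit daemon on every server with no comment recording why, and it differs from the next line by omitting `--now`, so auditd keeps running until the next reboot; setup-laptop.sh carries the same bare `systemctl disable auditd`. If the omission is deliberate (auditd refuses a manual stop on several distributions), make that explicit: `# auditd: disable only, unit refuses manual stop; takes effect at reboot`, and add a line on why auditing is not wanted on these hosts so the next reader does not "fix" it by re-enabling.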
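Review bot: With `set -u` now in force, the root check `if [ "$USER" != root ]; then` on the hunk's last lines aborts with an unbound-variable error instead of the intended message whenever `USER` is not exported (cron, some `su`/`sudo` configurations, container entrypoints). Check the uid rather than the login name: `if [ "$(id -u)" -ne 0 ]; then`, or at minimum use `"${USER:-}"`. The `if` block continues past the hunk.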
@@ -1,7 +1,7 @@
 [Container]
 Image=git.strypsteen.com/mathieu/dovecot
 Network=mail.network
-Volume=/etc/certificates:/etc/certificates:z,ro
+Volume=/etc/certificates/certificates:/etc/certificates:z,ro
 Volume=/var/lib/container-data/dovecot:/etc/dovecot-local:z,ro
 Volume=/var/lib/container-data/dovecot/local.sieve:/tmp/local.sieve:z,ro
 Volume=dovecot.volume:/srv/mail:U,Z
diff --git a/vps/etc/containers/systemd/postfix.container b/vps/etc/containers/systemd/postfix.container
index 4e4a02e..ddfbbb2 100644
--- a/vps/etc/containers/systemd/postfix.container
+++ b/vps/etc/containers/systemd/postfix.container
@@ -5,7 +5,7 @@ After=dovecot.service rspamd.service unbound.service
 Image=git.strypsteen.com/mathieu/postfix
 UserNS=host
 Network=mail.network
-Volume=/etc/certificates:/etc/certificates:z,ro
+Volume=/etc/certificates/certificates:/etc/certificates:z,ro
 Volume=postfix.volume:/var/spool/postfix:Z
 Tmpfs=/var/lib/postfix
 PublishPort=25:25