diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 28e55ad..35b81c5 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,8 +1,8 @@
 $ANSIBLE_VAULT;1.1;AES256
-38653965373362373633626561363436306535383363306363323934333030653434303238393764
-3963303739303161336635643963336365653066656534380a643739333261383731343966613132
-65383261343733353263383436616363323739326135346139646564326362386234356262663365
-3963616639656131310a343065363336653135666163646664626363386236623064633634636234
-36306234626538313563646138663031613031626237333462303038653839303534336630346661
-37363737306330626436613763373365663231333165616362346138663866643134336630653061
-663332333639616437346239643635363264
+66373633656230653931396338653736613131323132663434626133353132613562323538656130
+3562653037663735646464656230323234626635343638300a623862363238346539313539353530
+34633531323030333965303065666563646330366634363739323634643734373837333566313566
+6466653337366637650a316638313638346432346562343731663865376166336533386137653461
+36663537393665383931613765656234646535326563313166346566613166333266373935336330
+61353666356466623739333262613064623164346133326533313238323433323731653933653062
+336431386536613361653963666438326163
diff --git a/roles/authentik_docker/tasks/main.yml b/roles/authentik_docker/tasks/main.yml
index ce2f66c..d5bdeb6 100644
--- a/roles/authentik_docker/tasks/main.yml
+++ b/roles/authentik_docker/tasks/main.yml
@@ -11,7 +11,7 @@
     path: "{{ item }}"
     state: directory
     owner: authentik-docker
-    group: root
+    group: docker
     mode: '0755'
   with_items:
     - "{{ docker_compose_config_dir }}/authentik"
@@ -27,8 +27,8 @@
     dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
     force: true
     owner: authentik-docker
-    group: root
-    mode: '0600'
+    group: docker
+    mode: '0660'
   with_items:
     - .env
   notify: restart-authentik-docker
diff --git a/roles/authentik_docker/templates/authentik-docker.service.j2 b/roles/authentik_docker/templates/authentik-docker.service.j2
index a668c2e..4bea1c4 100644
--- a/roles/authentik_docker/templates/authentik-docker.service.j2
+++ b/roles/authentik_docker/templates/authentik-docker.service.j2
@@ -3,33 +3,33 @@ Description=Authentik in Docker
 
 [Service]
 Type=exec
-User=authentik-docker
+#User=authentik-docker
 WorkingDirectory={{ docker_compose_config_dir }}/authentik
 ExecStart=docker compose up postgresql redis server worker 
 Restart=on-failure
 RestartSec=30s
 
 # Optional hardening to improve security
-ReadWritePaths={{ docker_volumes_dir }}/ /tmp/
-NoNewPrivileges=yes
+#ReadWritePaths={{ docker_volumes_dir }}/ /tmp/ {{ docker_compose_config_dir }}/
+#NoNewPrivileges=yes
 #MemoryDenyWriteExecute=true
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=yes
-ProtectSystem=strict
-ProtectControlGroups=true
-RestrictSUIDSGID=true
-RestrictRealtime=true
-LockPersonality=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
-ProtectHostname=true
-ProtectKernelModules=true
-PrivateUsers=true
-ProtectClock=true
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
+#PrivateDevices=yes
+#PrivateTmp=yes
+#ProtectHome=yes
+#ProtectSystem=strict
+#ProtectControlGroups=true
+#RestrictSUIDSGID=true
+#RestrictRealtime=true
+#LockPersonality=true
+#ProtectKernelLogs=true
+#ProtectKernelTunables=true
+#ProtectHostname=true
+#ProtectKernelModules=true
+#PrivateUsers=true
+#ProtectClock=true
+#SystemCallArchitectures=native
+#SystemCallErrorNumber=EPERM
+#SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/authentik_docker/templates/docker-compose.yml.j2 b/roles/authentik_docker/templates/docker-compose.yml.j2
index 2269e41..5f1c731 100644
--- a/roles/authentik_docker/templates/docker-compose.yml.j2
+++ b/roles/authentik_docker/templates/docker-compose.yml.j2
@@ -17,6 +17,8 @@ services:
       - POSTGRES_PASSWORD=${PG_PASS:?database password required}
       - POSTGRES_USER=${PG_USER:-authentik}
       - POSTGRES_DB=${PG_DB:-authentik}
+    networks:
+      - authentik_net
     env_file:
       - .env
   redis:
@@ -31,6 +33,8 @@ services:
       timeout: 3s
     volumes:
       - {{ docker_volumes_dir }}/authentik/redis:/data
+    networks:
+      - authentik_net
   server:
     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
     restart: unless-stopped
@@ -49,6 +53,9 @@ services:
       - {{ docker_volumes_dir }}/authentik/media:/media
       - {{ docker_volumes_dir }}/authentik/custom-templates:/templates
       - {{ docker_volumes_dir }}/authentik/geoip:/geoip
+    networks:
+      - authentik_net
+      - nginx_net
     env_file:
       - .env
     expose:
@@ -77,12 +84,16 @@ services:
       - {{ docker_volumes_dir }}/authentik/certs:/certs
       - {{ docker_volumes_dir }}/authentik/custom-templates:/templates
       - {{ docker_volumes_dir }}/authentik/geoip:/geoip
+    networks:
+      - authentik_net
     env_file:
       - .env
   geoipupdate:
     image: "maxmindinc/geoipupdate:latest"
     volumes:
       - "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
+    networks:
+      - authentik_net
     environment:
       GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
       GEOIPUPDATE_FREQUENCY: "8"
@@ -96,3 +107,11 @@ volumes:
     driver: local
   geoip:
     driver: local
+
+networks:
+  authentik_net:
+    external: false
+    name: authentik_net
+  nginx_net:
+    external: true
+    name: nginx_net