diff --git a/workloads/grafana/grafana-deploy.yml b/workloads/grafana/grafana-deploy.yml
index 8c406e4..a37df2e 100644
--- a/workloads/grafana/grafana-deploy.yml
+++ b/workloads/grafana/grafana-deploy.yml
@@ -21,21 +21,25 @@ spec:
 imagePullPolicy: IfNotPresent
 name: grafana
 env:
- - name: GRAFANA_DATABASE_TYPE
+ - name: GF_SERVER_ROOT_URL
+ value: https://grafana.shoup.io
+ - name: GF_SERVER_DOMAIN
+ value: grafana.shoup.io
+ - name: GF_DATABASE_TYPE
 value: postgres
- - name: GRAFANA_DATABASE_HOST
+ - name: GF_DATABASE_HOST
 value: postgres:5432
- - name: GRAFANA_DATABASE_NAME
+ - name: GF_DATABASE_NAME
 valueFrom:
 secretKeyRef:
 name: postgres
 key: POSTGRES_USER
- - name: GRAFANA_DATABASE_USER
+ - name: GF_DATABASE_USER
 valueFrom:
 secretKeyRef:
 name: postgres
 key: POSTGRES_USER
- - name: GRAFANA_DATABASE_PASSWORD
+ - name: GF_DATABASE_PASSWORD
 valueFrom:
 secretKeyRef:
 name: postgres
diff --git a/workloads/hass/deployment.yml b/workloads/hass/deployment.yml
index cf952b2..8650b44 100644
--- a/workloads/hass/deployment.yml
+++ b/workloads/hass/deployment.yml
@@ -1,9 +1,12 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: hass
 spec:
 replicas: 1
+ strategy:
+ type: Recreate
 selector:
 matchLabels:
 app: hass
diff --git a/workloads/kube-system/coredns-config.yml b/workloads/kube-system/coredns-config.yml
new file mode 100644
index 0000000..e47c334
--- /dev/null
+++ b/workloads/kube-system/coredns-config.yml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+ k8s-app: kube-dns
+ name: coredns
+ namespace: kube-system
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health {
+ lameduck 5s
+ }
+ ready
+ log . {
+ class error
+ }
+ kubernetes cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ }
+ prometheus :9153
+ forward . 10.30.14.1
+ cache 30
+ loop
+ reload
+ loadbalance
+ }
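Review bot: In workloads/grafana/grafana-deploy.yml, `GF_DATABASE_NAME` and `GF_DATABASE_USER` both read key `POSTGRES_USER` from the `postgres` secret, and with the rename to the `GF_` prefix Grafana will presumably start honouring these values. If that secret holds the database server's bootstrap account, Grafana would connect with more privilege than it needs; a dedicated role and database for Grafana, kept in its own secret, would stop a Grafana compromise from reaching other databases on the same server. If sharing the key for the database name is deliberate, a comment such as `# database is named after its owner role` above `GF_DATABASE_NAME` would keep it from reading like a copy-paste slip. The env list continues past the end of the hunk, so the `key:` used for `GF_DATABASE_PASSWORD` is not visible here.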
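Review bot: In workloads/kube-system/coredns-config.yml, `pods insecure` makes the kubernetes plugin answer dashed-IP names under `pod.cluster.local` without checking that a pod with that address exists in the namespace, so those names cannot be relied on as evidence of which workload owns an address. `pods verified` answers only for pods that actually exist, at the cost of a pod watch, and `pods disabled` turns the records off; if `insecure` is kept for kube-dns compatibility, a comment above `Corefile: |` should say so. The `forward . 10.30.14.1` line hard-codes a single upstream resolver and would also benefit from a one-line comment naming what that address is.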
diff --git a/workloads/kube-system/prometheus-sa.yml b/workloads/kube-system/prometheus-sa.yml
new file mode 100644
index 0000000..5d6283c
--- /dev/null
+++ b/workloads/kube-system/prometheus-sa.yml
@@ -0,0 +1,58 @@
+# This file is used to create a prometheus service account
+# and role bindings.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: prometheus
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: prometheus
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ - nodes/metrics
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus
+subjects:
+- kind: ServiceAccount
+ name: prometheus
+ namespace: kube-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: prometheus-secret
+ namespace: kube-system
+ annotations:
+ kubernetes.io/service-account.name: prometheus
+type: kubernetes.io/service-account-token
diff --git a/workloads/nextcloud/nextcloud-cron.yml b/workloads/nextcloud/nextcloud-cron.yml
index 7464587..788b181 100644
--- a/workloads/nextcloud/nextcloud-cron.yml
+++ b/workloads/nextcloud/nextcloud-cron.yml
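Review bot: The `prometheus-secret` Secret at the end of workloads/kube-system/prometheus-sa.yml is of type `kubernetes.io/service-account-token`, so the control plane mints a bearer token for the `prometheus` service account that stays valid until the Secret is deleted. Together with the ClusterRole and ClusterRoleBinding above it, anyone able to read Secrets in `kube-system` can list and watch nodes, services, endpoints and pods cluster-wide and `get` any ConfigMap. The header comment should state which scraper consumes this token and how it is rotated; if the scraper can refresh its credentials, a short-lived token from the TokenRequest API is the safer choice. Separately, both RBAC objects use `rbac.authorization.k8s.io/v1beta1`, for which `apiVersion: rbac.authorization.k8s.io/v1` is the stable equivalent.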
@@ -64,3 +64,61 @@ spec:
 - "60"
 - "http://nextcloud"
 restartPolicy: Never
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: ncbackup
+ namespace: nextcloud
+spec:
+ schedule: "00 01 * * *"
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ imagePullSecrets:
+ - name: gitlab-regcred
+ containers:
+ - name: ncbackup
+ image: registry.gitlab.com/shouptech/ncbackup:454955999
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: NC_CONFIG_FILE
+ value: /var/www/html/config/config.php
+ - name: NC_DATA_PATH
+ value: /var/www/html/
+ - name: NC_DATA_DEST
+ value: /bkup/data/
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: POSTGRES_USER
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: POSTGRES_PASSWORD
+ - name: POSTGRES_HOST
+ value: postgres
+ - name: POSTGRES_PORT
+ value: "5432"
+ - name: POSTGRES_DB
+ value: nextcloud
+ - name: POSTGRES_DEST
+ value: /bkup/db/
+ volumeMounts:
+ - name: nextcloud-data
+ mountPath: /var/www/html
+ - name: nextcloud-backup
+ mountPath: /bkup
+ restartPolicy: Never
+ volumes:
+ - name: nextcloud-data
+ hostPath:
+ path: /opt/nextcloud/pod
+ type: Directory
+ - name: nextcloud-backup
+ hostPath:
+ path: /net/hv01/opt/backup/nextcloud
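Review bot: The `nextcloud-data` volumeMount of the new `ncbackup` container exposes the live Nextcloud tree from hostPath `/opt/nextcloud/pod` read-write, although a backup job presumably only reads it; adding `readOnly: true` under the `mountPath: /var/www/html` entry limits what a faulty or tampered backup image can do to the installation. The `nextcloud-backup` hostPath has no `type:`, so no existence check is made on `/net/hv01/opt/backup/nextcloud` before the pod starts; `type: Directory`, as on the other volume, would make the job fail visibly instead of running against an unexpected path. The image is referenced by tag (`ncbackup:454955999`) with `imagePullPolicy: IfNotPresent`, so pinning it by digest would ensure every node runs the same reviewed build.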