diff --git a/FedoraServer.md b/FedoraServer.md index 932c6c9..7ef1a33 100644 --- a/FedoraServer.md +++ b/FedoraServer.md @@ -13,6 +13,7 @@ quick. - [Install K3S](#install-k3s) - [Database Backups](#database-backups) - [Expanding Root Partition](#expanding-root-partition) + - [Arping IP Address](#arping-ip-address) - [Optional Steps](#optional-steps) - [Certbot for Cockpit](#certbot-for-cockpit) @@ -106,14 +107,16 @@ our own components. "traefik" \ "--disable" \ "local-storage" \ + "--disable" \ + "servicelb" \ "--disable" \ "coredns" \ - "--disable" \ - "servicelb" \ "--cluster-dns" \ "10.43.0.10" \ "--tls-san" \ "kube.reeselink.com" \ + "--tls-san" \ + "kube.reeseapps.com" \ 3. Join each server node @@ -159,6 +162,13 @@ lvextend -l +100%FREE fedora xfs_growfs /dev/mapper/fedora-root ``` +## Arping IP Address + +```bash +echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind +arping -I bridge0 -U -s 10.1.2.102 10.1.0.1 +``` + ## Optional Steps ### Certbot for Cockpit diff --git a/ansible/inventory.yaml b/ansible/inventory.yaml index 9e9ac93..cf28e85 100644 --- a/ansible/inventory.yaml +++ b/ansible/inventory.yaml @@ -9,7 +9,7 @@ kubernetes: colors: hosts: - # orange: + orange: yellow: apt: diff --git a/coredns-values.yaml b/coredns-values.yaml index 4bd1999..42f11c5 100644 --- a/coredns-values.yaml +++ b/coredns-values.yaml @@ -4,14 +4,16 @@ image: repository: coredns/coredns - tag: "1.11.1" + # Overrides the image tag whose default is the chart appVersion. + tag: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## + pullSecrets: [] # pullSecrets: - # - myRegistryKeySecretName + # - name: myRegistryKeySecretName replicaCount: 1 
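Review bot: `tag: ""` in the coredns-values.yaml hunk drops the explicit `"1.11.1"` pin, so the CoreDNS image now follows whatever appVersion the installed chart revision carries; that is only reproducible if the chart version itself is pinned wherever `helm install`/`helm upgrade` runs, which is not visible in this diff. If the intent is to track the chart, a note next to the value saying so would help, e.g. `# intentionally empty: image version is pinned via the chart version in <helm invocation>`; otherwise keep an explicit tag (or a digest) here so a chart upgrade cannot silently change the DNS server image. The explicit `pullSecrets: []` is an improvement over the previous commented-out form, since a bare key would have parsed as null.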
@@ -23,29 +25,10 @@ resources: cpu: 100m memory: 128Mi -## Create HorizontalPodAutoscaler object. -## -# autoscaling: -# minReplicas: 1 -# maxReplicas: 10 -# metrics: -# - type: Resource -# resource: -# name: cpu -# targetAverageUtilization: 60 -# - type: Resource -# resource: -# name: memory -# targetAverageUtilization: 60 - rollingUpdate: maxUnavailable: 1 maxSurge: 25% -# Under heavy load it takes more that standard time to remove Pod endpoint from a cluster. -# This will delay termination of our pod by `preStopSleep`. To make sure kube-proxy has -# enough time to catch up. -# preStopSleep: 5 terminationGracePeriodSeconds: 30 podAnnotations: {} @@ -67,9 +50,11 @@ prometheus: service: clusterIP: "10.43.0.10" +# clusterIPs: [] # loadBalancerIP: "" # externalIPs: [] # externalTrafficPolicy: "" +# ipFamilyPolicy: "" # The name of the Service # If not set, a name is generated using the fullname template name: "" @@ -97,6 +82,16 @@ isClusterService: true # Optional priority class to be used for the coredns pods. Used for autoscaler if autoscaler.priorityClassName not set. priorityClassName: "" +# Configure the pod level securityContext. +podSecurityContext: {} + +# Configure SecurityContext for Pod. +# Ensure that required linux capability to bind port number below 1024 is assigned (`CAP_NET_BIND_SERVICE`). +securityContext: + capabilities: + add: + - NET_BIND_SERVICE + # Default zone is what Kubernetes recommends: # https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#coredns-configmap-options servers: 
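Review bot: The new `securityContext` block adds `NET_BIND_SERVICE` but neither drops the runtime's default capability set nor sets `allowPrivilegeEscalation: false` / `readOnlyRootFilesystem: true`, so the container ends up with every default capability plus the one it needs, which is more than CoreDNS requires. The CoreDNS deployment manifest shipped with kubeadm drops all capabilities, adds only NET_BIND_SERVICE, disables privilege escalation and uses a read-only root filesystem, and CoreDNS runs fine under those settings. Presumably the chart renders `.Values.securityContext` verbatim into the container spec (confirm in the template); if so, the block below tightens the pod without changing what CoreDNS can do. `podSecurityContext: {}` is left as-is, but `runAsNonRoot: true` there would be the matching pod-level setting once the image is confirmed to run as an unprivileged user.

```yaml
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    add:
      - NET_BIND_SERVICE
    drop:
      - ALL
```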
@@ -124,12 +119,6 @@ servers: # Serves a /metrics endpoint on :9153, required for serviceMonitor - name: prometheus parameters: 0.0.0.0:9153 - - name: file - parameters: /etc/coredns/democratic-csi-server.reeselink.db democratic-csi-server.reeselink.com - - name: file - parameters: /etc/coredns/democratic-csi-client.reeselink.db democratic-csi-client.reeselink.com - - name: file - parameters: /etc/coredns/driveripper.reeselink.db driveripper.reeselink.com - name: forward parameters: . /etc/resolv.conf - name: cache @@ -192,14 +181,23 @@ readinessProbe: affinity: {} # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#topologyspreadconstraint-v1-core -# for example: +# and supports Helm templating. +# For example: # topologySpreadConstraints: -# - maxSkew: 1 -# topologyKey: zone -# whenUnsatisfiable: DoNotSchedule -# labelSelector: -# matchLabels: -# foo: bar +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: '{{ template "coredns.name" . }}' +# app.kubernetes.io/instance: '{{ .Release.Name }}' +# topologyKey: topology.kubernetes.io/zone +# maxSkew: 1 +# whenUnsatisfiable: ScheduleAnyway +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: '{{ template "coredns.name" . }}' +# app.kubernetes.io/instance: '{{ .Release.Name }}' +# topologyKey: kubernetes.io/hostname +# maxSkew: 1 +# whenUnsatisfiable: ScheduleAnyway topologySpreadConstraints: [] # Node labels for pod assignment 
@@ -219,29 +217,20 @@ tolerations: [] podDisruptionBudget: {} # configure custom zone files as per https://coredns.io/2017/05/08/custom-dns-entries-for-kubernetes/ -zoneFiles: - - filename: democratic-csi-server.reeselink.db - domain: democratic-csi-server.reeselink.com - contents: | - democratic-csi-server.reeselink.com. IN SOA sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600 - democratic-csi-server.reeselink.com. IN NS b.iana-servers.net. - democratic-csi-server.reeselink.com. IN NS a.iana-servers.net. - democratic-csi-server.reeselink.com. IN A 172.20.0.1 - - filename: democratic-csi-client.reeselink.db - domain: democratic-csi-client.reeselink.com - contents: | - democratic-csi-client.reeselink.com. IN SOA sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600 - democratic-csi-client.reeselink.com. IN NS b.iana-servers.net. - democratic-csi-client.reeselink.com. IN NS a.iana-servers.net. - democratic-csi-client.reeselink.com. IN A 127.0.0.1 - - filename: driveripper.reeselink.db - domain: driveripper.reeselink.com - contents: | - driveripper.reeselink.com. IN SOA sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600 - driveripper.reeselink.com. IN NS b.iana-servers.net. - driveripper.reeselink.com. IN NS a.iana-servers.net. - driveripper.reeselink.com. IN A 172.20.0.1 +# zoneFiles: +# - filename: local.db +# domain: driveripper.reeselink.com +# contents: | +# driveripper.reeselink.com. IN SOA sns.dns.icann.com. noc.dns.icann.com. 2015082541 7200 3600 1209600 3600 +# driveripper.reeselink.com. IN NS b.iana-servers.net. +# driveripper.reeselink.com. IN NS a.iana-servers.net. +# driveripper.reeselink.com. IN A 172.20.0.1 +# optional array of sidecar containers +extraContainers: [] +# - name: some-container-name +# image: some-image:latest +# imagePullPolicy: Always # optional array of extra volumes to create extraVolumes: [] # - name: some-volume-name 
@@ -256,8 +245,10 @@ extraVolumeMounts: [] extraSecrets: [] # - name: etcd-client-certs # mountPath: /etc/coredns/tls/etcd +# defaultMode: 420 # - name: some-fancy-secret # mountPath: /etc/wherever +# defaultMode: 440 # To support legacy deployments using CoreDNS with the "k8s-app: kube-dns" label selectors. # See https://github.com/coredns/helm/blob/master/charts/coredns/README.md#adopting-existing-coredns-resources @@ -270,7 +261,27 @@ customLabels: {} customAnnotations: {} ## Alternative configuration for HPA deployment if wanted -# +## Create HorizontalPodAutoscaler object. +## +# hpa: +# enabled: false +# minReplicas: 1 +# maxReplicas: 10 +# metrics: +# metrics: +# - type: Resource +# resource: +# name: memory +# target: +# type: Utilization +# averageUtilization: 60 +# - type: Resource +# resource: +# name: cpu +# target: +# type: Utilization +# averageUtilization: 60 + hpa: enabled: false minReplicas: 1 @@ -296,6 +307,9 @@ autoscaler: # If true does not allow single points of failure to form preventSinglePointFailure: true + # Annotations for the coredns proportional autoscaler pods + podAnnotations: {} + ## Optionally specify some extra flags to pass to cluster-proprtional-autoscaler. ## Useful for e.g. the nodelabels flag. # customFlags: @@ -309,8 +323,9 @@ autoscaler: ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## + pullSecrets: [] # pullSecrets: - # - myRegistryKeySecretName + # - name: myRegistryKeySecretName # Optional priority class to be used for the autoscaler pods. priorityClassName used if not set. priorityClassName: "" @@ -349,7 +364,14 @@ autoscaler: failureThreshold: 3 successThreshold: 1 + # optional array of sidecar containers + extraContainers: [] + # - name: some-container-name + # image: some-image:latest + # imagePullPolicy: Always + deployment: + skipConfig: false enabled: true name: "" ## Annotations for the coredns deployment 
diff --git a/helm/nextcloud/values.yaml b/helm/nextcloud/values.yaml index cae47fb..0ca6eae 100755 --- a/helm/nextcloud/values.yaml +++ b/helm/nextcloud/values.yaml @@ -1,5 +1,5 @@ nextcloud: - image: nextcloud:28.0.1 + image: nextcloud:27.1.9 domain: nextcloud.reeseapps.com html: storageClassName: zfs-iscsi-enc1 diff --git a/nextcloud/README.md b/nextcloud/README.md index f4724f2..b457c49 100644 --- a/nextcloud/README.md +++ b/nextcloud/README.md @@ -21,6 +21,12 @@ docker run \ nextcloud/all-in-one:latest ``` +## Trusted Proxy + +```bash +docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set trusted_proxies 2 --value="10.1.0.0/16" +``` + ## Uninstall ```bash diff --git a/nodes/README.md b/nodes/README.md new file mode 100644 index 0000000..2c926c4 --- /dev/null +++ b/nodes/README.md @@ -0,0 +1,7 @@ +# Kubernetes Node Ansible + +## Update Hosts + +```bash +ansible-playbook -i ansible/inventory.yaml nodes/update_hosts.yaml +``` diff --git a/nodes/hosts b/nodes/hosts new file mode 100644 index 0000000..c71131e --- /dev/null +++ b/nodes/hosts @@ -0,0 +1,3 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +172.20.0.1 democratic-csi-server.reeselink.com diff --git a/nodes/update_hosts.yaml b/nodes/update_hosts.yaml new file mode 100644 index 0000000..3d3641f --- /dev/null +++ b/nodes/update_hosts.yaml @@ -0,0 +1,13 @@ +- name: Update /etc/hosts + hosts: kubernetes + become: true + become_user: root + become_method: sudo + tasks: + - name: Copy /etc/hosts + ansible.builtin.copy: + src: ./hosts + dest: /etc/hosts + owner: root + group: root + mode: '0644' diff --git a/orange_yellow.md b/orange_yellow.md new file mode 100644 index 0000000..eee6ee1 --- /dev/null +++ b/orange_yellow.md 
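Review bot: `image: nextcloud:27.1.9` moves the deployment from 28.0.1 back to a 27.x image, and Nextcloud refuses to start against a data directory and database that a newer release has already upgraded, so if the 28.0.1 container ever completed its upgrade step on this `html` volume the 27.1.9 pod will fail rather than roll back. If the 28.0.1 rollout never actually ran, a one-line comment recording that (`# pinned to 27.x; 28.0.1 was never applied to the data volume`) would spare the next reader the same question. Either way, pinning by digest (`nextcloud:27.1.9@sha256:<digest>`) would make this rollback reproducible. Only the `image` line of the `nextcloud` stanza is changed here; the rest of the values file is outside the hunk.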
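Review bot: The `Copy /etc/hosts` task in nodes/update_hosts.yaml uses `ansible.builtin.copy` to replace the whole of /etc/hosts on every node in the `kubernetes` group, so any per-node entries (the node's own hostname line, entries added by other tooling) are silently dropped on each run and a bad push of nodes/hosts leaves no copy to restore. At minimum add `backup: true` to the copy task; better, manage only the cluster records with `ansible.builtin.blockinfile` and a marker so the rest of the file stays node-specific, with nodes/hosts holding just the managed lines. `become_user: root` and `become_method: sudo` restate Ansible's defaults and can be dropped, and a leading `---` document start is conventional for playbooks. The quoted `mode: '0644'` is correct; leaving it unquoted would have been parsed as an octal integer.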
@@ -0,0 +1,22 @@ +# Orange and Yellow Servers + +## Services + +1. Both servers run all quadlets in `podman/` +2. Both servers run the same nginx config in `nginx/` + +## VMs + +1. Orange runs unifi-external +2. Yellow runs nextcloud-aio + +## Pihole + +- Orange is ad-blocking +- Yellow is caching + +## Load Balancing + +- Orange handles all traffic from outside the network +- Yellow handles all internal traffic +- Both are capable of handling all traffic, port forwarding rule determines which is up diff --git a/podman/README.md b/podman/README.md index 5c55d5a..4e207ad 100644 --- a/podman/README.md +++ b/podman/README.md @@ -66,7 +66,10 @@ podman run \ ### Cloudflared -Creates a DOH proxy for pihole. Just set the pihole upstream to `10.1.203.197#5053`. +https://docs.pi-hole.net/guides/dns/cloudflared/ + +Creates a DOH proxy for pihole. Just set the pihole upstream to `10.1.203.197#5053` (yellow) or +`10.1.200.253#5053` (orange). ```bash podman run \ diff --git a/truenas-iscsi-enc0.yaml b/truenas-iscsi-enc0.yaml index 7c4121f..801bd8f 100644 --- a/truenas-iscsi-enc0.yaml +++ b/truenas-iscsi-enc0.yaml @@ -29,9 +29,10 @@ driver: httpConnection: protocol: https host: driveripper.reeselink.com - port: 8443 + port: 443 apiKey: "" - allowInsecure: true + allowInsecure: false + apiVersion: 2 zfs: datasetProperties: "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" diff --git a/truenas-iscsi-enc1.yaml b/truenas-iscsi-enc1.yaml index ab718b3..7001470 100644 --- a/truenas-iscsi-enc1.yaml +++ b/truenas-iscsi-enc1.yaml @@ -29,9 +29,9 @@ driver: httpConnection: protocol: https host: driveripper.reeselink.com - port: 8443 + port: 443 apiKey: "" - allowInsecure: true + allowInsecure: false zfs: datasetProperties: "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" 
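Review bot: truenas-iscsi-enc1.yaml gets the same `port: 443` / `allowInsecure: false` change as truenas-iscsi-enc0.yaml but not the `apiVersion: 2` line that the enc0 hunk adds under `httpConnection`, so the two iSCSI drivers now address the same TrueNAS host and port with different API-version settings, enc1 relying on whatever default democratic-csi applies when the key is absent. Unless enc1 is meant to stay on the default, add `apiVersion: 2` after `allowInsecure: false` here as well so the two files differ only in their dataset settings. Both hunks show only the `httpConnection` block; the rest of each driver stanza is outside the diff.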
diff --git a/truenas-nfs-enc1.yaml b/truenas-nfs-enc1.yaml index 8930970..91609bc 100644 --- a/truenas-nfs-enc1.yaml +++ b/truenas-nfs-enc1.yaml @@ -25,7 +25,7 @@ driver: httpConnection: protocol: https host: driveripper.reeselink.com - port: 8443 + port: 443 apiKey: "" allowInsecure: true zfs:
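Review bot: truenas-nfs-enc1.yaml switches to `port: 443` but keeps `allowInsecure: true`, while the two iSCSI driver files in this same commit set `allowInsecure: false` for the identical host and port. With certificate verification disabled the value configured under `apiKey` is presented to whatever answers at driveripper.reeselink.com:443, so the hardening applied to the iSCSI drivers is undone for NFS; change it to `allowInsecure: false`, and if the endpoint uses a private CA, trust that CA in the controller rather than skipping verification. The `driver` stanza continues outside the hunk.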