diff --git a/hosts/nas/apps/actual/default.nix b/hosts/nas/apps/actual/default.nix
index 4a111ba..6d5c2ba 100644
--- a/hosts/nas/apps/actual/default.nix
+++ b/hosts/nas/apps/actual/default.nix
@@ -1,21 +1,84 @@
 { ... }:
+let
+ actualPort = 3333;
+ hostDataDir = "/media/nas/ssd/nix-app-data/jellyseerr";
+ dataDir = "/var/lib/private/actual-data";
+ stateDir = "/var/lib/private/actual";
+ hostAddress = "10.0.1.18";
+ localAddress = "10.0.3.18";
+in
 {
- services.actual = {
- enable = true;
- openFirewall = true;
- settings = {
- trustedProxies = [ "10.0.1.18" ];
- port = 3333;
- config = {
- dataDir = "/media/nas/ssd/nix-app-data/actual";
- openId = {
- issuer = "https://authentik.mjallen.dev/application/o/actual-budget/";
- client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
- client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
- server_hostname = "https://actual.mjallen.dev";
- authMethod = "openid";
- };
+ containers.actual = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostAddress;
+ localAddress = localAddress;
+
+ bindMounts = {
+ ${dataDir} = {
+ hostPath = hostDataDir;
+ isReadOnly = false;
+ };
+ ${stateDir} = {
+ hostPath = stateDir;
+ isReadOnly = false;
 };
 };
+
+ config = { lib, ... }:
+ {
+ services.actual = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ trustedProxies = [ hostAddress ];
+ port = actualPort;
+ config = {
+ dataDir = dataDir;
+ openId = {
+ issuer = "https://authentik.mjallen.dev/application/o/actual-budget/";
+ client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
+ client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
+ server_hostname = "https://actual.mjallen.dev";
+ authMethod = "openid";
+ };
+ };
+ };
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ actualPort ];
+ };
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ # Create and set permissions for required directories
+ # system.activationScripts.actual-dirs = ''
+ # mkdir -p /var/lib/private/actual-data
+
+ # chown -R nobody:nogroup /var/lib/private/actual-data
+
+ # chmod -R 775 /var/lib/private/actual-data
+
+ # ln -sf /var/lib/private/actual /var/lib/actual-data
+
+ # '';
+
+ services.resolved.enable = true;
+ system.stateVersion = "23.11";
+ };
+ };
+
+ networking.nat = {
+ forwardPorts = [
+ {
+ destination = "${localAddress}:${toString actualPort}";
+ sourcePort = actualPort;
+ }
+ ];
 };
 }
\ No newline at end of file
diff --git a/hosts/nas/apps/traefik/default.nix b/hosts/nas/apps/traefik/default.nix
index 73876e9..007882f 100755
--- a/hosts/nas/apps/traefik/default.nix
+++ b/hosts/nas/apps/traefik/default.nix
@@ -13,7 +13,8 @@ let
 paperlessUrl = "http://10.0.1.20:28981";
 cacheUrl = "http://10.0.1.18:5000";
 giteaUrl = "http://10.0.1.18:3000";
- actualUrl = "http://10.0.1.18:3333";
+ actualUrl = "http://10.0.3.18:3333";
+ lubeloggerUrl = "http://10.0.1.18:6754";
 in
 {
 networking.firewall = {
@@ -224,6 +225,11 @@ in
 url = actualUrl;
 }
 ];
+ lubelogger.loadBalancer.servers = [
+ {
+ url = lubeloggerUrl;
+ }
+ ];
 };
 routers = {
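Review bot: In hosts/nas/apps/actual/default.nix the OIDC `client_secret` under `openId` is still a literal in the repository, and it is byte-identical to `client_id`, so it sits in git history and, since module settings are normally rendered into the Nix store, is readable by every local user. Rotate it at the identity provider and feed the new value in at runtime from a file kept outside the store (for example an environment file provisioned by a secrets tool) rather than through `settings`. Separately, `hostDataDir` points at `/media/nas/ssd/nix-app-data/jellyseerr` while the removed config used `.../nix-app-data/actual`; as written the container bind-mounts another app's directory read-write, which looks like a copy-paste slip: `hostDataDir = "/media/nas/ssd/nix-app-data/actual";`.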
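Review bot: With `actualUrl` now pointing at the container address `10.0.3.18`, Traefik no longer depends on the `networking.nat.forwardPorts` entry that hosts/nas/apps/actual/default.nix adds for port 3333. If NAT is enabled elsewhere in the host configuration (not visible here), that rule additionally lets clients reach Actual through the host's external interface without Traefik's TLS and middlewares; consider dropping the `forwardPorts` block so the proxy is the only path in. The `let` bindings this line belongs to begin above the hunk.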
@@ -292,14 +298,6 @@ in
 priority = 10;
 tls.certResolver = "letsencrypt";
 };
- # open-webui = {
- # entryPoints = [ "websecure" ];
- # rule = "Host(`chat.${domain}`)";
- # service = "chat";
- # middlewares = [ "authentik" "whitelist-geoblock" ];
- # priority = 10;
- # tls.certResolver = "letsencrypt";
- # };
 cache = {
 entryPoints = [ "websecure" ];
 rule = "Host(`cache.${domain}`)";
@@ -308,13 +306,13 @@ in
 priority = 10;
 tls.certResolver = "letsencrypt";
 };
- # paperless = {
- # entryPoints = ["websecure"];
- # rule = "Host(`paperless.${domain}`)";
- # service = "paperless";
- # middlewares = [ "crowdsec" "whitelist-geoblock" ];
- # tls.certResolver = "letsencrypt";
- # };
+ lubelogger = {
+ entryPoints = [ "websecure" ];
+ rule = "Host(`lubelogger.${domain}`)";
+ service = "lubelogger";
+ middlewares = [ "crowdsec" "whitelist-geoblock" ];
+ tls.certResolver = "letsencrypt";
+ };
 };
 };
 };
diff --git a/hosts/nas/networking.nix b/hosts/nas/networking.nix
index 548017b..fbaa50d 100755
--- a/hosts/nas/networking.nix
+++ b/hosts/nas/networking.nix
@@ -18,6 +18,7 @@ let
 3000 # gitea
 3300
 9898
+ 6754 # lubelogger
 ];
 in
 {
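Review bot: The new `lubelogger` router carries `[ "crowdsec" "whitelist-geoblock" ]` but no authentication middleware, so any client that passes the geo filter reaches the app directly. Unless LubeLogger's own login is enabled and enforced, put forward-auth in front of it, e.g. `middlewares = [ "crowdsec" "authentik" "whitelist-geoblock" ];` (an `authentik` middleware is referenced by the removed open-webui block, so it presumably exists). The router also omits `priority = 10;`, which the neighbouring routers set. The `routers` attribute set starts outside the hunk.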
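Review bot: Adding `6754` to this port list in hosts/nas/networking.nix looks like it opens LubeLogger on the host firewall (the list's binding is above the hunk, so this is inferred), which would let LAN clients speak plain HTTP to `10.0.1.18:6754` and skip the Traefik router's TLS, CrowdSec and geoblock middlewares. If Traefik runs on the same host as the service, the port does not need to be in the firewall list at all; otherwise restrict it to the proxy's source address. If it has to stay, a comment such as `6754 # lubelogger, reached only via traefik` would record the intent.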