diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix
index 35946b0..fd7a562 100644
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@@ -1,8 +1,7 @@
-{ username, ... }: {
+{ pkgs, username, ... }: {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
-    ./owntracks.nix
     ./post-install-general.nix
     ./post-install-nginx.nix
   ];
@@ -17,6 +16,11 @@
     efiInstallAsRemovable = true;
   };
 
+  environment.systemPackages = with pkgs; [
+    podman-tui # status of containers in the terminal
+    podman-compose
+  ];
+
   networking = {
     # Open ports in the firewall.
     firewall.allowedTCPPorts = [
@@ -74,6 +78,7 @@
     isNormalUser = true;
     description = "Gene Liverman";
     extraGroups = [ "networkmanager" "wheel" ];
+    linger = true;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
     ];
diff --git a/modules/hosts/nixos/hetznix01/owntracks.nix b/modules/hosts/nixos/hetznix01/owntracks.nix
index 3c6fd49..0765bf4 100644
--- a/modules/hosts/nixos/hetznix01/owntracks.nix
+++ b/modules/hosts/nixos/hetznix01/owntracks.nix
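Review bot: `./owntracks.nix` is dropped from `imports` in the first hunk while the same commit rewrites that file, so unless it is imported from somewhere not shown in this diff, the mosquitto listener, the `owntracks` user and the `ot-recorder` container it declares are never evaluated, and the new `recorder.${domain}` vhost proxies to nothing on 8083. If the removal is deliberate (the module being staged, for instance), record that in a comment next to the list; otherwise restore `./owntracks.nix` to `imports`.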
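Review bot: `linger = true;` in the last hunk keeps this wheel user's systemd user manager and user services running from boot without an active login, and nothing records why. Presumably it supports rootless containers under the `podman-compose` added above; a comment such as `# keep user services (rootless podman) running without an active login` would make that reviewable. It is also worth confirming lingering is needed at all, since the `oci-containers` units in owntracks.nix run as system services rather than under this user.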
@@ -1,9 +1,42 @@
 { config, pkgs, ... }:
 let
   frontend_port = "8082";
 in {
-  environment.systemPackages = with pkgs; [
-    owntracks-recorder
-  ];
+  environment = {
+    etc = {
+      "default/ot-recorder".text = ''
+        OTR_USER="recorder"
+        OTR_PASS="toenail-madmen-nazareth-fum"
+        OTR_GEOKEY="opencage:b85db97221cc4239b34e0ca07e71471e"
+        OTR_TOPICS="owntracks/#"
+        OTR_HTTPHOST="127.0.0.1"
+        OTR_HTTPPREFIX="owntracks"
+      '';
+    };
+  };
+
+  services.mosquitto = {
+    enable = true;
+    persistence = true;
+    listeners = [
+      {
+        address = "127.0.0.1";
+        port = 1883;
+        users = {
+          recorder.passwordFile = config.sops.secrets.mqtt_recorder_pass.path;
+        };
+      }
+    ];
+  };
+
+  users = {
+    groups.owntracks.gid = config.users.users.owntracks.uid;
+    users.owntracks = {
+      isSystemUser = true;
+      description = "OwnTracks";
+      group = "owntracks";
+      home = "/home/owntracks";
+    };
+  };
   virtualisation.oci-containers.containers = {
     "owntracks-frontend" = {
@@ -11,10 +44,18 @@ in {
       image = "docker.io/owntracks/frontend:2.15.3";
       environment = {
         LISTEN = frontend_port;
-        SERVER_HOST = config.networking.hostName;
-        SERVER_PORT = "8083";
+        SERVER_HOST = "ot-recorder";
       };
-      ports = [ "${frontend_port}:${frontend_port}" ];
+      ports = [ "127.0.0.1:${frontend_port}:80" ];
+    };
+    "ot-recorder" = {
+      autoStart = true;
+      image = "docker.io/owntracks/frontend:2.15.3";
+      ports = [ "127.0.0.1:8083:8083" ];
+      volumes = [
+        "/etc/default/config:/config"
+        "/var/spool/owntracks/recorder/store:/store"
+      ];
     };
   };
 }
diff --git a/modules/hosts/nixos/hetznix01/post-install-general.nix b/modules/hosts/nixos/hetznix01/post-install-general.nix
index a40721f..8304433 100644
--- a/modules/hosts/nixos/hetznix01/post-install-general.nix
+++ b/modules/hosts/nixos/hetznix01/post-install-general.nix
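Review bot: The `default/ot-recorder` file embeds a live `OTR_PASS` and an `OTR_GEOKEY` API key as string literals, which commits them to the repository and, through `environment.etc`, renders them into the world-readable Nix store and `/etc`, while the very same hunk already keeps the recorder's MQTT password in sops (`mqtt_recorder_pass`). Both values should be treated as disclosed and rotated, and the file should be rendered from the sops-managed secret instead — for example a sops-nix template that substitutes `config.sops.placeholder.mqtt_recorder_pass` for the literal, with the geocoder key added as a second secret — so the plaintext never lands in the store. Keeping `OTR_PASS` as a literal also lets it silently diverge from whatever `mosquitto` derives from `mqtt_recorder_pass.path`, at which point the recorder simply fails to authenticate to the broker.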
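Review bot: The new `ot-recorder` container is started from `docker.io/owntracks/frontend:2.15.3`, the same image as the frontend container, so whatever answers on 8083 will not be the recorder; presumably the recorder image (`docker.io/owntracks/recorder`, pinned to a tag) was intended. Its `volumes` mount `/etc/default/config`, but the file written earlier in this diff is `/etc/default/ot-recorder`, so the container would not see the `OTR_*` settings either — one of the two paths has to change, e.g. `"/etc/default/ot-recorder:/config"`. For the frontend, `LISTEN = frontend_port` is kept while the port mapping now targets container port `80`, which looks inconsistent; confirm which port the image actually listens on. `SERVER_HOST = "ot-recorder"` also relies on container-name resolution between the two oci-containers units, so confirm they share a podman network with DNS enabled.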
@@ -32,9 +32,28 @@
         owner = "${username}";
         path = "/home/${username}/.private-env";
       };
+      mqtt_recorder_pass.restartUnits = ["mosquitto.service"];
+      owntracks_basic_auth = {
+        owner = config.users.users.nginx.name;
+        restartUnits = ["nginx.service"];
+      };
       tailscale_key = {
         restartUnits = [ "tailscaled-autoconnect.service" ];
       };
     };
   };
-}
\ No newline at end of file
+
+  # Enable common container config files in /etc/containers
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+}
diff --git a/modules/hosts/nixos/hetznix01/post-install-nginx.nix b/modules/hosts/nixos/hetznix01/post-install-nginx.nix
index b155366..f089d1e 100644
--- a/modules/hosts/nixos/hetznix01/post-install-nginx.nix
+++ b/modules/hosts/nixos/hetznix01/post-install-nginx.nix
@@ -3,6 +3,7 @@
   http_port = 80;
   https_port = 443;
 in {
+
   imports = [
     ../../../system/common/linux/lets-encrypt.nix
   ];
@@ -38,7 +39,7 @@ in {
         '';
       };
     };
-    "ot.${domain}}" = {
+    "ot.${domain}" = {
       listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
       enableACME = true;
       acmeRoot = null;
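Review bot: `mqtt_recorder_pass` is declared with only `restartUnits`, so it keeps sops-nix's defaults (root-owned, mode 0400); that is only correct if the mosquitto module reads `passwordFile` as root while the unit starts — if it reads it as the `mosquitto` service user, set `owner` the way `owntracks_basic_auth` does for nginx, and a short comment stating which case applies would save the next reader the same check. On style, `virtualisation.containers.enable = true;` sits outside the `virtualisation = { ... }` set that immediately follows it; moving it inside as `containers.enable = true;` next to `podman` keeps the two related settings together. The `sops` block this hunk extends starts before the hunk.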
@@ -47,34 +48,43 @@ in {
       locations = {
         # OwnTracks Frontend container
         "/" = {
-          proxypass = "http://127.0.0.1:8082";
-          recommendedproxysettings = true;
+          proxyPass = "http://127.0.0.1:8082";
+          recommendedProxySettings = true;
         };
+      };
+    };
+    "recorder.${domain}" = {
+      listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+      enableACME = true;
+      acmeRoot = null;
+      forceSSL = true;
+      basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;
+      locations = {
         # OwnTracks Recorder
-        "/owntracks/" = {
-          proxypass = "http://127.0.0.1:8083";
-          recommendedproxysettings = true;
+        "/" = {
+          proxyPass = "http://127.0.0.1:8083";
+          recommendedProxySettings = true;
         };
-        "/owntracks/pub" = { # Client apps need to point to this path
+        "/pub" = { # Client apps need to point to this path
           extraConfig = "proxy_set_header X-Limit-U $remote_user;";
-          proxypass = "http://127.0.0.1:8083/pub";
-          recommendedproxysettings = true;
+          proxyPass = "http://127.0.0.1:8083/pub";
+          recommendedProxySettings = true;
         };
-        "/owntracks/static/" = {
-          proxypass = "http://127.0.0.1:8083/static/";
-          recommendedproxysettings = true;
+        "/static/" = {
+          proxyPass = "http://127.0.0.1:8083/static/";
+          recommendedProxySettings = true;
         };
-        "/owntracks/utils/" = {
-          proxypass = "http://127.0.0.1:8083/utils/";
-          recommendedproxysettings = true;
+        "/utils/" = {
+          proxyPass = "http://127.0.0.1:8083/utils/";
+          recommendedProxySettings = true;
         };
-        "/owntracks/view/" = {
+        "/view/" = {
           extraConfig = "proxy_buffering off;";
-          proxypass = "http://127.0.0.1:8083/view/";
-          recommendedproxysettings = true;
+          proxyPass = "http://127.0.0.1:8083/view/";
+          recommendedProxySettings = true;
         };
-        "/owntracks/ws" = {
-          extraConfig = "rewrite ^/owntracks/(.*) /$1 break;";
+        "/ws" = {
+          extraConfig = "rewrite ^/(.*) /$1 break;";
           proxyPass = "http://127.0.0.1:8083";
           recommendedProxySettings = true;
         };
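Review bot: `recorder.${domain}` is protected with `basicAuthFile`, but the frontend vhost `ot.${domain}` whose `locations` open this hunk (its declaration is in the previous hunk and shows no `basicAuthFile`) proxies the frontend container unauthenticated, and that container reaches the recorder directly through `SERVER_HOST`; if the frontend has no access control of its own, anyone who can reach `ot.${domain}` can read the location history that the basic auth on the recorder vhost is meant to protect. Either add the same `basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;` to `ot.${domain}` or document where the frontend's authentication happens. Separately, `rewrite ^/(.*) /$1 break;` in `/ws` is now an identity rewrite — with the `/owntracks/` prefix gone there is nothing left to strip — so that `extraConfig` line can be dropped.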
diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml index 8f55189..9f799a8 100644 --- a/modules/hosts/nixos/hetznix01/secrets.yaml +++ b/modules/hosts/nixos/hetznix01/secrets.yaml @@ -1,5 +1,7 @@ local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str] local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str] +mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str] +owntracks_basic_auth: ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str] tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str] sops: kms: [] 
@@ -16,8 +18,8 @@ sops: WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-15T20:49:45Z" - mac: ENC[AES256_GCM,data:TPY25QfdBEoQbOMoF0kDIv9P3uwqY5pq2HyFIckhidaKvUNog5OVHmXsycpEZ+JC6NOPHWpd0wrYB8XYJI4R3ND/w3Gjl/NGEnDjX7FihkhQZOlTUap+/7UBL3gTQKR/jd0enWn1FIQuOrXmNsJ3RhPStQNpHRmgSPR5FVecJFI=,iv:dIQmQjKK7VFnxOYxkDSRDZNFpsv1+6YU9tpOr8XsTtw=,tag:FDlGiuJR2mwuci+z2Pa5rg==,type:str] + lastmodified: "2024-06-16T03:36:06Z" + mac: ENC[AES256_GCM,data:KkJ7awR2HwH8MBHrDzOifwD6ePACWsGFaNg8/eixKvb+/V4k2NkOxZPzdemcqMaCPCzhX9bGlE76MGy9y6JWvln+yKkBx7uilSdfGu5bVnMQY0JT8r2nW4tCfJ1VpLOxdvcw8pUjeK/oizvUolk7DJ1PecrPQuSmhGkOAL6h6dA=,iv:nd0F7sU9hYOu3qb0kXSstRt8M3QDmciSs5ArtiXI6XQ=,tag:gGG8NnO690UrTq6y4NnK9w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1