diff --git a/aspects/hosts/_alexandria/nextcloud.nix b/aspects/hosts/_alexandria/nextcloud.nix
index c4a9669..cb9f2ac 100644
--- a/aspects/hosts/_alexandria/nextcloud.nix
+++ b/aspects/hosts/_alexandria/nextcloud.nix
@@ -1,8 +1,7 @@
 {
-  lib,
   config,
-  pkgs,
   inputs,
+  pkgs,
   ...
 }:
 
@@ -83,12 +82,12 @@ in
 
   age.secrets = {
     "nextcloud-secrets.json" = {
-      file = ../../../secrets/nextcloud-secrets.json.age;
+      file = "${inputs.self}/secrets/nextcloud-secrets.json.age";
       owner = "nextcloud";
       group = "nextcloud";
     };
     nextcloud-adminpass = {
-      file = ../../../secrets/nextcloud-adminpass.age;
+      file = "${inputs.self}/secrets/nextcloud-adminpass.age";
       owner = "nextcloud";
       group = "nextcloud";
     };
diff --git a/aspects/hosts/_alexandria/nginx.nix b/aspects/hosts/_alexandria/nginx.nix
index 26a7ba1..087faf4 100644
--- a/aspects/hosts/_alexandria/nginx.nix
+++ b/aspects/hosts/_alexandria/nginx.nix
@@ -51,7 +51,7 @@ in
   ];
 
   age.secrets.cloudflare = {
-    file = ../../../secrets/cloudflare.age;
+    file = "${inputs.self}/secrets/cloudflare.age";
     owner = "nginx";
     group = "nginx";
   };
diff --git a/aspects/hosts/_trantor/forgejo.nix b/aspects/hosts/_trantor/forgejo.nix
index 1112622..8421adb 100644
--- a/aspects/hosts/_trantor/forgejo.nix
+++ b/aspects/hosts/_trantor/forgejo.nix
@@ -67,5 +67,8 @@ in
   };
 
   # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
-  systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
+  systemd.services.forgejo.serviceConfig = {
+    PrivateMounts = lib.mkForce false;
+    ProtectSystem = lib.mkForce false;
+  };
 }
diff --git a/aspects/hosts/_trantor/nginx.nix b/aspects/hosts/_trantor/nginx.nix
index 899666e..24f96c3 100644
--- a/aspects/hosts/_trantor/nginx.nix
+++ b/aspects/hosts/_trantor/nginx.nix
@@ -8,10 +8,8 @@
 let
   services = inputs.self.services;
 
-  # Get all unique domains from shared services on trantor (host = "trantor")
   localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services));
 
-  # Generate ACME cert configs for all local domains
   acmeCerts = lib.genAttrs localDomains (domain: {
     group = "nginx";
   });
@@ -51,7 +49,7 @@ in
   ];
 
   age.secrets.cloudflare = {
-    file = ../../../secrets/cloudflare.age;
+    file = "${inputs.self}/secrets/cloudflare.age";
     owner = "nginx";
     group = "nginx";
   };
diff --git a/aspects/hosts/alexandria.nix b/aspects/hosts/alexandria.nix
index 57fdf5f..f10dfe7 100644
--- a/aspects/hosts/alexandria.nix
+++ b/aspects/hosts/alexandria.nix
@@ -27,6 +27,7 @@
 
       # other aspects
       fwupd
+      podman
     ]);
   };
 }
diff --git a/aspects/lxc.nix b/aspects/lxc.nix
new file mode 100644
index 0000000..15da310
--- /dev/null
+++ b/aspects/lxc.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+  flake.modules.nixos.lxc =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      virtualisation.lxc = {
+        enable = true;
+        unprivilegedContainers = true;
+      };
+    };
+}