diff --git a/roles/garage/tasks/provision.yml b/roles/garage/tasks/provision.yml index ba9344b..1c2628e 100644 --- a/roles/garage/tasks/provision.yml +++ b/roles/garage/tasks/provision.yml @@ -75,7 +75,7 @@ - name: Get detailed key information for all keys community.docker.docker_container_exec: container: "{{ garage_service_name }}" - command: /garage key info {{ item.name }} + command: /garage key info {{ item.name }} --show-secret loop: "{{ garage_s3_keys }}" register: _key_details_results when: garage_s3_keys | length > 0 diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 73a986f..2e5a61e 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -13,6 +13,7 @@ nextcloud_domain: "nextcloud.local.test" nextcloud_image: "nextcloud:fpm" nextcloud_redis_image: "redis:latest" nextcloud_port: 80 +nextcloud_extra_hosts: [] nextcloud_postgres_image: "postgres:15" nextcloud_postgres_db: nextcloud @@ -45,4 +46,13 @@ nextcloud_admin_password: admin nextcloud_memory_limit_mb: 1024 nextcloud_upload_limit_mb: 2048 -nextcloud_scale_factor: 2 \ No newline at end of file +nextcloud_scale_factor: 2 + +# Non-default apps to install and enable +nextcloud_apps_to_install: + - groupfolders + - richdocuments + - spreed + - user_ldap + - user_oidc + - whiteboard \ No newline at end of file diff --git a/roles/nextcloud/tasks/plugins.yml b/roles/nextcloud/tasks/plugins.yml index 32d7c64..2a6d8a5 100644 --- a/roles/nextcloud/tasks/plugins.yml +++ b/roles/nextcloud/tasks/plugins.yml 
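Review bot: Adding `--show-secret` puts each key's secret access key into `_key_details_results`, and this task has no `no_log`, so the secret is printed on task failure, in `-v` output and by any callback or log collector that records the play. Add `no_log: true` to the task (and to whatever later task iterates over `_key_details_results`, which is outside this hunk) so the secret only ever lives in the registered variable. If the secret is needed by other roles, consider handing it over through a vault-encrypted file or a secret store rather than keeping it in play output.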
@@ -1,3 +1,25 @@ #SPDX-License-Identifier: MIT-0 --- # tasks file for installing Nextcloud plugins/apps + +- name: Install Nextcloud apps + ansible.builtin.shell: + cmd: docker compose exec -T nextcloud php /var/www/html/occ app:install {{ item }} + chdir: "{{ nextcloud_docker_compose_dir }}" + loop: "{{ nextcloud_apps_to_install }}" + register: app_install_result + changed_when: "'installed' in app_install_result.stdout" + failed_when: + - app_install_result.rc != 0 + - "'already installed' not in app_install_result.stdout" + +- name: Enable Nextcloud apps + ansible.builtin.shell: + cmd: docker compose exec -T nextcloud php /var/www/html/occ app:enable {{ item }} + chdir: "{{ nextcloud_docker_compose_dir }}" + loop: "{{ nextcloud_apps_to_install }}" + register: app_enable_result + changed_when: "'enabled' in app_enable_result.stdout" + failed_when: + - app_enable_result.rc != 0 + - "'already enabled' not in app_enable_result.stdout" diff --git a/roles/nextcloud/templates/docker-compose.yml.j2 b/roles/nextcloud/templates/docker-compose.yml.j2 index 5fd4a32..b8a8a4d 100644 --- a/roles/nextcloud/templates/docker-compose.yml.j2 +++ b/roles/nextcloud/templates/docker-compose.yml.j2 @@ -102,6 +102,12 @@ services: - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html networks: - {{ nextcloud_backend_network }} +{% if nextcloud_extra_hosts is defined and nextcloud_extra_hosts | length > 0 %} + extra_hosts: +{% for host in nextcloud_extra_hosts %} + - "{{ host }}" +{% endfor %} +{% endif %} {% if nextcloud_enable_collabora %} collabora: diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml index 489ee60..c896ae2 100644 --- a/roles/traefik/defaults/main.yml +++ b/roles/traefik/defaults/main.yml 
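Review bot: `{{ item }}` is interpolated unquoted into a `/bin/sh` command line in both tasks, so an app name containing shell metacharacters (an overridden `nextcloud_apps_to_install` from inventory or group vars) is executed as shell on the managed host; no shell feature is used, so either switch to `ansible.builtin.command` or at least quote the value, e.g. `cmd: docker compose exec -T nextcloud php /var/www/html/occ app:install {{ item | quote }}` (same for `app:enable`). The `failed_when` list requires both conditions, which correctly tolerates a non-zero rc with `already installed`/`already enabled` in stdout, but `occ` reports errors on stderr, so `'already installed' not in app_install_result.stderr` should be part of that check too or the tolerance never triggers. Nextcloud's console refuses to run when the invoking user does not own `config/config.php`, so if the compose service runs as root (its `user:` is outside this hunk) `docker compose exec -T -u www-data nextcloud …` is likely needed — verify against the rendered compose file.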
@@ -41,6 +41,7 @@ selfsigned_common_name: "*.local.test" # Dashboard enable_dashboard: false +dashboard_domain: "" # e.g., "traefik.local.test" - if set, exposes dashboard via hostname instead of port 8080 # Access log configuration enable_access_logs: true diff --git a/roles/traefik/meta/main.yml b/roles/traefik/meta/main.yml index 5c93db2..7c2fc0d 100644 --- a/roles/traefik/meta/main.yml +++ b/roles/traefik/meta/main.yml @@ -30,5 +30,4 @@ galaxy_info: # NOTE: A tag is limited to a single word comprised of alphanumeric characters. # Maximum 20 tags per role. -dependencies: - - digitalboard.core.base +dependencies: [] diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index ab3aed7..d9253eb 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml @@ -37,7 +37,6 @@ path: "{{ docker_volume_dir }}/config" state: directory mode: '0755' - when: traefik_mode == 'dmz' - name: Create letsencrypt directory file: @@ -66,6 +65,21 @@ notify: restart traefik when: traefik_mode == 'dmz' +- name: Generate dashboard routing configuration + template: + src: dashboard.yml.j2 + dest: "{{ docker_volume_dir }}/config/dashboard.yml" + mode: '0644' + notify: restart traefik + when: enable_dashboard | bool and dashboard_domain | length > 0 + +- name: Remove dashboard routing configuration when not needed + file: + path: "{{ docker_volume_dir }}/config/dashboard.yml" + state: absent + notify: restart traefik + when: not (enable_dashboard | bool) or dashboard_domain | length == 0 + - name: Create docker-compose file for traefik template: src: docker-compose.yml.j2 diff --git a/roles/traefik/templates/dashboard.yml.j2 b/roles/traefik/templates/dashboard.yml.j2 new file mode 100644 index 0000000..8d7e1bf --- /dev/null +++ b/roles/traefik/templates/dashboard.yml.j2 
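Review bot: The comment on `dashboard_domain` says the dashboard is "exposed via hostname instead of port 8080" but does not say that this moves the dashboard and API onto the public `web`/`websecure` entrypoints with no authentication, which is the property an operator needs to know before setting it. Suggested comment: `# e.g. "traefik.local.test" - if set, the dashboard and API (api@internal) are routed by hostname on the public entrypoints instead of the insecure 8080 port; they are still unauthenticated, so attach an auth or IP-allowlist middleware before using this outside a trusted network`. The `enable_dashboard: false` default keeps both off, which is the right default.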
@@ -0,0 +1,16 @@ +{% set dashboard_ssl = use_ssl_dashboard | default(use_ssl) %} +http: + routers: + dashboard: + rule: "Host(`{{ dashboard_domain }}`)" + service: api@internal + entryPoints: + - {{ 'websecure' if dashboard_ssl else 'web' }} +{% if dashboard_ssl %} + tls: +{% if cert_mode == 'acme' %} + certResolver: {{ ssl_cert_resolver }} +{% else %} + {} +{% endif %} +{% endif %} \ No newline at end of file diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 index 288e693..d40a247 100644 --- a/roles/traefik/templates/docker-compose.yml.j2 +++ b/roles/traefik/templates/docker-compose.yml.j2 @@ -16,17 +16,15 @@ services: ports: - "80:80" - "443:443" -{% if enable_dashboard %} +{% if enable_dashboard and not dashboard_domain %} - "8080:8080" {% endif %} volumes: - {{ docker_volume_dir }}/traefik.yml:/traefik.yml:ro + - {{ docker_volume_dir }}/config:/config:ro {% if cert_mode == 'acme' %} - {{ docker_volume_dir }}/letsencrypt:/letsencrypt {% endif %} -{% if traefik_mode == 'dmz' %} - - {{ docker_volume_dir }}/config:/config:ro -{% endif %} {% if traefik_mode == 'backend' %} - /var/run/docker.sock:/var/run/docker.sock:ro {% endif %} diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2 index f89d7a3..92efd44 100644 --- a/roles/traefik/templates/traefik.yml.j2 +++ b/roles/traefik/templates/traefik.yml.j2 @@ -4,8 +4,10 @@ log: {% if enable_dashboard %} api: dashboard: true +{% if not dashboard_domain %} insecure: true {% endif %} +{% endif %} {% if enable_access_logs %} accessLog: @@ -26,11 +28,9 @@ entryPoints: address: ":443" providers: -{% if traefik_mode == 'dmz' %} file: directory: /config watch: true -{% endif %} {% if traefik_mode == 'backend' %} docker: endpoint: "unix:///var/run/docker.sock"
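Review bot: The `dashboard` router forwards to `api@internal` with no `middlewares`, so once `dashboard_domain` is set, anyone who can reach the `web`/`websecure` entrypoint and send that Host header gets the dashboard and the full `/api/*` (routers, services, middleware definitions, backend addresses) without authentication — the old 8080 binding was equally open, but the route now sits on the ports this proxy is meant to publish. Attach an auth or allow-list middleware on the router and define it in the same file, sourcing the credential from a vaulted variable rather than a default; the sketch below uses basicAuth with a new `dashboard_basic_auth_users` list that would need to be added to defaults (an `ipAllowList` with `sourceRange` is the alternative for a LAN-only setup). The non-ACME branch renders `tls:` with `{}` on the following line, which is valid YAML but reads better as `tls: {}`; `use_ssl`, `cert_mode` and `ssl_cert_resolver` are defined outside this hunk.
```yaml
http:
  routers:
    dashboard:
      rule: "Host(`{{ dashboard_domain }}`)"
      service: api@internal
      middlewares:
        - dashboard-auth
      # … unchanged: entryPoints and tls block …
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
{% for user in dashboard_basic_auth_users %}
          - "{{ user }}"
{% endfor %}
```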