diff --git a/roles/garage/tasks/provision.yml b/roles/garage/tasks/provision.yml
index 1c2628e..ba9344b 100644
--- a/roles/garage/tasks/provision.yml
+++ b/roles/garage/tasks/provision.yml
@@ -75,7 +75,7 @@ - name: Get detailed key information for all keys community.docker.docker_container_exec: container: "{{ garage_service_name }}" - command: /garage key info {{ item.name }} --show-secret + command: /garage key info {{ item.name }} loop: "{{ garage_s3_keys }}" register: _key_details_results when: garage_s3_keys | length > 0
diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
index 2e5a61e..73a986f 100644
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -13,7 +13,6 @@ nextcloud_domain: "nextcloud.local.test" nextcloud_image: "nextcloud:fpm" nextcloud_redis_image: "redis:latest" nextcloud_port: 80 -nextcloud_extra_hosts: [] nextcloud_postgres_image: "postgres:15" nextcloud_postgres_db: nextcloud
@@ -46,13 +45,4 @@ nextcloud_admin_password: admin nextcloud_memory_limit_mb: 1024 nextcloud_upload_limit_mb: 2048 -nextcloud_scale_factor: 2 - -# Non-default apps to install and enable -nextcloud_apps_to_install: - - groupfolders - - richdocuments - - spreed - - user_ldap - - user_oidc - - whiteboard \ No newline at end of file +nextcloud_scale_factor: 2 \ No newline at end of file
diff --git a/roles/nextcloud/tasks/plugins.yml b/roles/nextcloud/tasks/plugins.yml
index 2a6d8a5..32d7c64 100644
--- a/roles/nextcloud/tasks/plugins.yml
+++ b/roles/nextcloud/tasks/plugins.yml
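Review bot: Any later task that reads a secret key out of `_key_details_results` needs checking, because without `--show-secret` the command output presumably no longer carries one and a consumer would silently store a redacted or empty value; no consumer is visible in this hunk. Separately, `{{ item.name }}` is interpolated into a single `command` string, so a key name containing whitespace would be split into extra arguments. Passing the call as a list avoids that: `argv: ["/garage", "key", "info", "{{ item.name }}"]`.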
@@ -1,25 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- # tasks file for installing Nextcloud plugins/apps - -- name: Install Nextcloud apps - ansible.builtin.shell: - cmd: docker compose exec -T nextcloud php /var/www/html/occ app:install {{ item }} - chdir: "{{ nextcloud_docker_compose_dir }}" - loop: "{{ nextcloud_apps_to_install }}" - register: app_install_result - changed_when: "'installed' in app_install_result.stdout" - failed_when: - - app_install_result.rc != 0 - - "'already installed' not in app_install_result.stdout" - -- name: Enable Nextcloud apps - ansible.builtin.shell: - cmd: docker compose exec -T nextcloud php /var/www/html/occ app:enable {{ item }} - chdir: "{{ nextcloud_docker_compose_dir }}" - loop: "{{ nextcloud_apps_to_install }}" - register: app_enable_result - changed_when: "'enabled' in app_enable_result.stdout" - failed_when: - - app_enable_result.rc != 0 - - "'already enabled' not in app_enable_result.stdout"
diff --git a/roles/nextcloud/templates/docker-compose.yml.j2 b/roles/nextcloud/templates/docker-compose.yml.j2
index b8a8a4d..5fd4a32 100644
--- a/roles/nextcloud/templates/docker-compose.yml.j2
+++ b/roles/nextcloud/templates/docker-compose.yml.j2
@@ -102,12 +102,6 @@ services: - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html networks: - {{ nextcloud_backend_network }} -{% if nextcloud_extra_hosts is defined and nextcloud_extra_hosts | length > 0 %} - extra_hosts: -{% for host in nextcloud_extra_hosts %} - - "{{ host }}" -{% endfor %} -{% endif %} {% if nextcloud_enable_collabora %} collabora:
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index c896ae2..489ee60 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -41,7 +41,6 @@ selfsigned_common_name: "*.local.test" # Dashboard enable_dashboard: false -dashboard_domain: "" # e.g., "traefik.local.test" - if set, exposes dashboard via hostname instead of port 8080 # Access log configuration enable_access_logs: true
diff --git a/roles/traefik/meta/main.yml b/roles/traefik/meta/main.yml
index 7c2fc0d..5c93db2 100644
--- a/roles/traefik/meta/main.yml
+++ b/roles/traefik/meta/main.yml
@@ -30,4 +30,5 @@ galaxy_info: # NOTE: A tag is limited to a single word comprised of alphanumeric characters. # Maximum 20 tags per role. -dependencies: [] +dependencies: + - digitalboard.core.base
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index d9253eb..ab3aed7 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -37,6 +37,7 @@ path: "{{ docker_volume_dir }}/config" state: directory mode: '0755' + when: traefik_mode == 'dmz' - name: Create letsencrypt directory file:
@@ -65,21 +66,6 @@ notify: restart traefik when: traefik_mode == 'dmz' -- name: Generate dashboard routing configuration - template: - src: dashboard.yml.j2 - dest: "{{ docker_volume_dir }}/config/dashboard.yml" - mode: '0644' - notify: restart traefik - when: enable_dashboard | bool and dashboard_domain | length > 0 - -- name: Remove dashboard routing configuration when not needed - file: - path: "{{ docker_volume_dir }}/config/dashboard.yml" - state: absent - notify: restart traefik - when: not (enable_dashboard | bool) or dashboard_domain | length == 0 - - name: Create docker-compose file for traefik template: src: docker-compose.yml.j2
diff --git a/roles/traefik/templates/dashboard.yml.j2 b/roles/traefik/templates/dashboard.yml.j2
deleted file mode 100644
index 8d7e1bf..0000000
--- a/roles/traefik/templates/dashboard.yml.j2
+++ /dev/null
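Review bot: Hosts that were provisioned while `dashboard_domain` was set keep `{{ docker_volume_dir }}/config/dashboard.yml` on disk, because the second hunk of roles/traefik/tasks/main.yml drops the "Remove dashboard routing configuration" task together with the generator. In `dmz` mode the `/config` directory is still mounted and watched by the file provider, so the old `dashboard` router to `api@internal` stays loaded after this role runs. I would keep an unconditional cleanup task for a release or two: `- name: Remove stale dashboard routing configuration`, `file: {path: "{{ docker_volume_dir }}/config/dashboard.yml", state: absent}`, `notify: restart traefik`.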
@@ -1,16 +0,0 @@ -{% set dashboard_ssl = use_ssl_dashboard | default(use_ssl) %} -http: - routers: - dashboard: - rule: "Host(`{{ dashboard_domain }}`)" - service: api@internal - entryPoints: - - {{ 'websecure' if dashboard_ssl else 'web' }} -{% if dashboard_ssl %} - tls: -{% if cert_mode == 'acme' %} - certResolver: {{ ssl_cert_resolver }} -{% else %} - {} -{% endif %} -{% endif %} \ No newline at end of file
diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2
index d40a247..288e693 100644
--- a/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -16,15 +16,17 @@ services: ports: - "80:80" - "443:443" -{% if enable_dashboard and not dashboard_domain %} +{% if enable_dashboard %} - "8080:8080" {% endif %} volumes: - {{ docker_volume_dir }}/traefik.yml:/traefik.yml:ro - - {{ docker_volume_dir }}/config:/config:ro {% if cert_mode == 'acme' %} - {{ docker_volume_dir }}/letsencrypt:/letsencrypt {% endif %} +{% if traefik_mode == 'dmz' %} + - {{ docker_volume_dir }}/config:/config:ro +{% endif %} {% if traefik_mode == 'backend' %} - /var/run/docker.sock:/var/run/docker.sock:ro {% endif %}
diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2
index 92efd44..f89d7a3 100644
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@@ -4,10 +4,8 @@ log: {% if enable_dashboard %} api: dashboard: true -{% if not dashboard_domain %} insecure: true {% endif %} -{% endif %} {% if enable_access_logs %} accessLog:
@@ -28,9 +26,11 @@ entryPoints: address: ":443" providers: +{% if traefik_mode == 'dmz' %} file: directory: /config watch: true +{% endif %} {% if traefik_mode == 'backend' %} docker: endpoint: "unix:///var/run/docker.sock"
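Review bot: Enabling the dashboard now always publishes `8080:8080` on every host interface, and the first hunk of roles/traefik/templates/traefik.yml.j2 always sets `insecure: true` alongside it, so the Traefik API and dashboard are reachable without authentication by anything that can reach the host on port 8080. The hostname-routed option that this commit removes was the only configuration in these templates that left insecure mode off. If the port-based dashboard is meant for operators only, bind it to loopback with `- "127.0.0.1:8080:8080"` and reach it over an SSH tunnel, or restrict the port at the host firewall. A comment next to `enable_dashboard` in the role defaults saying that it opens an unauthenticated port would also help.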
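Review bot: With the file provider gated on `traefik_mode == 'dmz'` and the docker provider on `traefik_mode == 'backend'`, any other value (a typo, an unset override) renders `providers:` with no children, and Traefik would presumably start with no provider and route nothing. Whether the role validates the variable elsewhere is not visible here; if it does not, an early check such as `ansible.builtin.assert: {that: "traefik_mode in ['dmz', 'backend']"}` in the tasks file would turn that into a clear failure. The docker provider block continues past the end of this hunk.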