diff --git a/Justfile b/Justfile index 59a46f1..aafaf31 100644 --- a/Justfile +++ b/Justfile @@ -17,10 +17,10 @@ deploy: }} europium: - nixos-rebuild switch --flake .#europium --target-host europium --build-host europium --use-remote-sudo + nixos-rebuild switch --flake .#europium --target-host europium-deploy --build-host europium --use-remote-sudo beryllium: - nixos-rebuild switch --flake .#beryllium --target-host beryllium --build-host beryllium --use-remote-sudo + nixos-rebuild switch --flake .#beryllium --target-host beryllium-deploy --build-host beryllium --use-remote-sudo # Opens the elements configuration in the default editor edit: diff --git a/flake.lock b/flake.lock index 492913e..c52c6e9 100644 --- a/flake.lock +++ b/flake.lock @@ -934,6 +934,21 @@ "type": "github" } }, + "quadlet": { + "locked": { + "lastModified": 1754008153, + "narHash": "sha256-MYT1mDtSkiVg343agxgBFsnuNU3xS8vRy399JXX1Vw0=", + "owner": "SEIAROTg", + "repo": "quadlet-nix", + "rev": "1b2d27d460d8c7e4da5ba44ede463b427160b5c4", + "type": "github" + }, + "original": { + "owner": "SEIAROTg", + "repo": "quadlet-nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -947,6 +962,7 @@ "hyprland": "hyprland", "musnix": "musnix", "nixpkgs": "nixpkgs_4", + "quadlet": "quadlet", "rose-pine-hyprcursor": "rose-pine-hyprcursor", "snowfall": "snowfall", "split-monitor-workspaces": "split-monitor-workspaces" diff --git a/flake.nix b/flake.nix index 95f5d73..9e98260 100644 --- a/flake.nix +++ b/flake.nix @@ -35,9 +35,17 @@ ]; beryllium.modules = [ copyparty.nixosModules.default + quadlet.nixosModules.quadlet + ]; + europium.modules = [ + quadlet.nixosModules.quadlet ]; }; + homes.users."christopher@beryllium".modules = with inputs; [ + quadlet.homeManagerModules.quadlet + ]; + # Configure nixpkgs when instantiating the package set # TODO: This is already specified elsewhere. Still needed here? channels-config = { 
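Review bot: The europium and beryllium recipes now point `--target-host` at a `*-deploy` alias while `--build-host` keeps the plain host alias, and nothing in the Justfile says what the two aliases differ in (user, key, port); the aliases presumably live in `secrets/ssh/config.age`, which this commit also changes, so a reader of the Justfile cannot look them up. A one-line comment above the recipes such as `# <host>-deploy: ssh alias used for activation; <host>: alias used for building — both defined in secrets/ssh/config.age` would record the intent. If the deploy alias logs in as root (this commit adds a root authorized key on beryllium), `--use-remote-sudo` on these two lines is redundant; if it logs in as an unprivileged user, the flag is still needed and the comment should say so.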
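Review bot: The new `homes.users."christopher@beryllium".modules` line is written `with inputs; [ ... ]`, whereas the module lists directly above it reference `copyparty.nixosModules.default` and `quadlet.nixosModules.quadlet` without a `with` — presumably because an enclosing scope that starts outside this hunk already brings `inputs` in. Picking one form for all three lists (or, if the home list really is outside that scope, a short comment saying so) would keep the file consistent. The `flake.nix` input declaration for `quadlet` is added in the next hunk of this file.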
@@ -110,6 +118,7 @@ inputs.hyprland.follows = "hyprland"; }; + quadlet.url = "github:SEIAROTg/quadlet-nix"; musnix.url = "github:musnix/musnix"; docker-compose-1.url = github:nixos/nixpkgs/b0f0b5c6c021ebafbd322899aa9a54b87d75a313; diff --git a/homes/x86_64-linux/christopher@beryllium/default.nix b/homes/x86_64-linux/christopher@beryllium/default.nix new file mode 100644 index 0000000..a3a04ca --- /dev/null +++ b/homes/x86_64-linux/christopher@beryllium/default.nix @@ -0,0 +1,32 @@ +{ + pkgs, + config, + ... +}: { + elements.secrets = { + rekeyPath = "christopher_beryllium"; + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUKDCjB0VpQubi8BfnYKbh4MIE1tcvKQesdoPE4NXAf"; + + needs = { + traefik-env = "traefik.env.age"; + }; + }; + + # virtualisation.quadlet.containers = { + # echo = { + # autoStart = true; + # serviceConfig = { + # RestartSec = "10"; + # Restart = "always"; + # }; + # containerConfig = { + # image = "docker.io/mendhak/http-https-echo:31"; + # publishPorts = ["127.0.0.1:8080:8080"]; + # }; + # }; + # }; + + home.packages = with pkgs; [ + helix + ]; +} diff --git a/secrets/rekeyed/beryllium/f5fac061d23fe6d1347e4e94aabe277f-smbSecrets.age b/secrets/rekeyed/beryllium/f5fac061d23fe6d1347e4e94aabe277f-smbSecrets.age new file mode 100644 index 0000000..74bb7a8 --- /dev/null +++ b/secrets/rekeyed/beryllium/f5fac061d23fe6d1347e4e94aabe277f-smbSecrets.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 pySEWw kigbWfXfeb8YlBMpSWM+jDPtjYeAltdTORqPQ7kqnFg +P8j10qrMzjWZ91FVnn4sLugS/AcS2XrMr9TRal5gRVc +-> m0^G"4-grease p]TT RuLz +9HFjCiuy7w +--- j57VRBCbLMVDI2s7DnpBwTvVzzvqwMdXL6Ec/9Tg6MA +cD_FT,h }/;A8P%/:E)pՀ +mq{J Ukn\8L}j'yaJ \ No newline at end of file diff --git a/secrets/rekeyed/christopher_beryllium/8118cd92c3025c1f5bd7a4f4aabbf554-traefik-env.age b/secrets/rekeyed/christopher_beryllium/8118cd92c3025c1f5bd7a4f4aabbf554-traefik-env.age new file mode 100644 index 0000000..84cc35b --- /dev/null 
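Review bot: In the new `homes/x86_64-linux/christopher@beryllium/default.nix`, `config` is bound in the argument set but never used in the file (only `pkgs` is), so the argument should be dropped or the binding put to use. The commented-out `virtualisation.quadlet.containers` block carries no explanation of why it is parked; either remove it or head it with something like `# TODO: re-enable once the quadlet-nix home module is confirmed working on beryllium` so the next reader knows whether it is dead or pending — the same applies to `# virtualisation.quadlet.enable = true;` in systems/x86_64-linux/beryllium/default.nix. The `traefik-env` secret is declared under `elements.secrets.needs` but nothing visible consumes it; presumably the parked container block will, which is another reason to document its status.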
+++ b/secrets/rekeyed/christopher_beryllium/8118cd92c3025c1f5bd7a4f4aabbf554-traefik-env.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 pySEWw yyra9wL+n2gFPpbmnkvbsxBverCR/r7yPSw3aCD0slk +65Vc/tQKzfsFC5smIqHmXA7NlSJLW8oXAYPYiX3bGcw +-> MV*6+^H-grease uV!LS]1* B5lCK], yjN7. +O1RM77BbFx0SsKlEXUVAJCswHGS1oKfX1ZvBNcF47W0o//6iiBHOWTvpaW15xVMZ +00g +--- XNgzqoXEkkzK8TE/A81FFduXsiDouJFXV/9o/m/bnss +Q10#͚i~d~ElgG^O,P:֣[if>,@i|DJm)P8h2Vk)7>u@q #͈םf偨䐙ۥ+O,a,%tR[7N \ No newline at end of file diff --git a/secrets/rekeyed/christopher_cobalt/530af7b9efa661c3f88d1e5209b802b3-config.age b/secrets/rekeyed/christopher_cobalt/530af7b9efa661c3f88d1e5209b802b3-config.age deleted file mode 100644 index 90a4f40..0000000 Binary files a/secrets/rekeyed/christopher_cobalt/530af7b9efa661c3f88d1e5209b802b3-config.age and /dev/null differ diff --git a/secrets/rekeyed/christopher_cobalt/ed09b6b5d3b63d4794137e3cbdad53c9-config.age b/secrets/rekeyed/christopher_cobalt/ed09b6b5d3b63d4794137e3cbdad53c9-config.age new file mode 100644 index 0000000..e9ca7c0 Binary files /dev/null and b/secrets/rekeyed/christopher_cobalt/ed09b6b5d3b63d4794137e3cbdad53c9-config.age differ diff --git a/secrets/smb-secrets.age b/secrets/smb-secrets.age new file mode 100644 index 0000000..c3d08ca Binary files /dev/null and b/secrets/smb-secrets.age differ diff --git a/secrets/ssh/config.age b/secrets/ssh/config.age index c3cd9fa..7bafed4 100644 Binary files a/secrets/ssh/config.age and b/secrets/ssh/config.age differ diff --git a/secrets/traefik.env.age b/secrets/traefik.env.age new file mode 100644 index 0000000..54abd02 --- /dev/null +++ b/secrets/traefik.env.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 bXMX40Vz9sJqcVcb3ote48FAUxB+GzTQ4rOP8rI8O34 +KlAn7X9p9EqKxmiBOBg/apVLCSMAoOTsEF4BW8pBxng +-> piv-p256 Kmn3OQ A5tjfx5HhP+RRxXD3dQmuZnxezXp1SdmlGbhBazV8EMz +B/6jGDqQagB2ZSxC2WhZcDcu6YfJokHTR0DtrIJ45Tk +-> f!=YO-grease (YufTYP (VD px s8\X~Fzn +WYavDbOneKQ/pdc369k8fqDS2ITD+rQ +--- HE0AabwaJ9U/2CWSqIghcWxhIW9fwNCqCkZFhcb+xnU +?169C77jܲm0, ' +:fxB蝤R]b \7^kh>æ|[xj dI +U"erRY@6=4}w \ No newline at end of file diff --git a/systems/x86_64-linux/beryllium/default.nix b/systems/x86_64-linux/beryllium/default.nix index 326ccba..84c841c 100644 --- a/systems/x86_64-linux/beryllium/default.nix +++ b/systems/x86_64-linux/beryllium/default.nix @@ -3,6 +3,7 @@ # NUC / HomeLab environment { lib, + config, pkgs, ... }: { 
@@ -48,23 +49,72 @@ users = ["christopher"]; secrets = { key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUKDCjB0VpQubi8BfnYKbh4MIE1tcvKQesdoPE4NXAf"; + needs = { + smbSecrets = "smb-secrets.age"; + }; }; }; + networking.firewall.enable = false; + networking.dhcpcd.IPv6rs = false; + + users.users.christopher.linger = true; # autostart of quadlets before login + users.users.christopher.autoSubUidGidRange = true; users.users.christopher.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVKJfY6B9TsUPdPXy3tkqL42sJgJRz3NOOKTqhytMMf christopher@cobalt"]; + users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVKJfY6B9TsUPdPXy3tkqL42sJgJRz3NOOKTqhytMMf christopher@cobalt"]; services = { - openssh.enable = true; - openssh.ports = [7319]; - openssh.settings.PasswordAuthentication = false; + openssh = { + enable = true; + ports = [7319]; + settings.PasswordAuthentication = false; + }; - beszel-agent.enable = true; - beszel-agent.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkUPOw28Cu2LMuzfmvjT/L2ToNHcADwGyGvSpJ4wH2T"; + beszel-agent = { + enable = true; + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkUPOw28Cu2LMuzfmvjT/L2ToNHcADwGyGvSpJ4wH2T"; + }; }; - virtualisation.podman.enable = true; + boot.kernel.sysctl = { + # We require this so that a rootless traefik can bind to port 80. + "net.ipv4.ip_unprivileged_port_start" = "80"; + }; + + # virtualisation.quadlet.enable = true; + virtualisation.podman = { + enable = true; + defaultNetwork.settings = { + dns_enabled = true; + # Override the default subnet as it overlaps with my LAN. 
+ subnets = [ + { + gateway = "172.16.0.1"; + subnet = "172.16.0.0/16"; + } + ]; + }; + }; + + fileSystems."/mnt/nuc/_NAS_Media" = { + device = "//10.1.0.1/_NAS_Media"; + fsType = "cifs"; + options = let + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in ["${automount_opts},credentials=${config.age.secrets.smbSecrets.path},uid=100999,gid=10999,vers=1.0"]; + }; + + fileSystems."/mnt/nuc/Ix" = { + device = "//10.1.0.1/Ix"; + fsType = "cifs"; + options = let + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in ["${automount_opts},credentials=${config.age.secrets.smbSecrets.path},uid=100999,gid=10999,vers=1.0"]; + }; environment.systemPackages = with pkgs; [ + cifs-utils + helix podman-compose ]; } diff --git a/systems/x86_64-linux/beryllium/hardware.nix b/systems/x86_64-linux/beryllium/hardware.nix index 05213be..418dfa2 100644 --- a/systems/x86_64-linux/beryllium/hardware.nix +++ b/systems/x86_64-linux/beryllium/hardware.nix @@ -14,4 +14,14 @@ virtualisation.virtualbox.guest.enable = true; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + fileSystems."/mnt/external" = { + device = "/dev/disk/by-uuid/0fc53086-d326-4663-973c-aa224a3f8589"; + fsType = "ext4"; + options = [ + "nofail" + "exec" + "users" + ]; + }; }
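Review bot: `networking.firewall.enable = false;` removes all inbound filtering on beryllium in the same hunk that lowers `net.ipv4.ip_unprivileged_port_start` to 80, so any process of any unprivileged user can now listen on ports 80 and above and be reached from the LAN; keeping the firewall on and opening only what is needed, e.g. `networking.firewall.allowedTCPPorts = [ 80 443 7319 ];`, is the safer default, and if it must stay off a comment should record why. The two CIFS mounts pass `vers=1.0`, which forces SMB1 (no signing or encryption); if the NAS at 10.1.0.1 supports it, `vers=3.0` is preferable. In the same option strings `uid=100999,gid=10999` is asymmetric — if the intent is the matching subgid from the christopher range enabled by `autoSubUidGidRange`, that is presumably `gid=100999`, worth confirming before this mounts with the wrong group. `automount_opts` is duplicated verbatim in both mounts and could be hoisted into one `let` covering both `fileSystems` entries. The root authorized key added above enables direct key-based root SSH under NixOS's default `PermitRootLogin = "prohibit-password"`; set `services.openssh.settings.PermitRootLogin` explicitly so the choice is visible rather than inherited.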
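Review bot: In the new `/mnt/external` mount in hardware.nix the option list is `[ "nofail" "exec" "users" ]`, and since `users` implies `noexec,nosuid,nodev` unless overridden by options that follow it, placing `users` after `exec` re-applies `noexec` in the generated fstab; write it as `options = [ "nofail" "users" "exec" ];` if executables on that disk are intended to run, or drop `exec` if they are not. A short comment stating which of the two is wanted would prevent the order from being "fixed" back. The enclosing attribute set begins outside this hunk.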