diff --git a/apps/code-server/deploy.tf b/apps/code-server/deploy.tf
index a64474f..4e234f8 100644
--- a/apps/code-server/deploy.tf
+++ b/apps/code-server/deploy.tf
@@ -15,9 +15,6 @@ resource "kubectl_manifest" "deploy" {
       template:
         metadata:
           labels: ${jsonencode(local.common-labels)}
-          annotations:
-            container.apparmor.security.beta.kubernetes.io/code-server: unconfined
-            container.seccomp.security.alpha.kubernetes.io/code-server: unconfined
         spec:
           securityContext:
             fsGroup: 1000
@@ -36,7 +33,6 @@ resource "kubectl_manifest" "deploy" {
               runAsNonRoot: true
               runAsUser: 1000
               privileged: true
-              procMount: unmasked
             env:
             - name: USER
               value: coder
diff --git a/apps/nextcloud/middlewares.tf b/apps/nextcloud/middlewares.tf
new file mode 100644
index 0000000..d9b8a1e
--- /dev/null
+++ b/apps/nextcloud/middlewares.tf
@@ -0,0 +1,15 @@
+resource "kubectl_manifest" "redirectregex" {
+  yaml_body  = <<-EOF
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: "${var.instance}-redirectregex"
+  namespace: "${var.namespace}"
+  labels: ${jsonencode(local.common-labels)}
+spec:
+  redirectRegex:
+    permanent: true
+    regex: "https://(.*)/.well-known/(card|cal)dav"
+    replacement: "https://$${1}/remote.php/dav/"
+  EOF
+}