diff --git a/apps/nextcloud/cron.yaml b/apps/nextcloud/cron.yaml
index 82ec42e..e45ed84 100644
--- a/apps/nextcloud/cron.yaml
+++ b/apps/nextcloud/cron.yaml
@@ -11,14 +11,14 @@ spec:
         spec:
           containers:
             - name: nextcloud
-              image: nextcloud:25.0.3-apache
+              image: nextcloud:REPLACEME
               imagePullPolicy: IfNotPresent
               env:
                 - name: NEXTCLOUD_URL
                   valueFrom:
                     configMapKeyRef:
                       name: config
-                      key: DOMAIN_URL
+                      key: NEXTCLOUD_DOMAIN_URL
               command:
                 - /bin/sh
                 - -c
diff --git a/apps/nextcloud/deployment.yaml b/apps/nextcloud/deployment.yaml
index 5ee80bc..ac47f25 100644
--- a/apps/nextcloud/deployment.yaml
+++ b/apps/nextcloud/deployment.yaml
@@ -26,7 +26,7 @@ spec:
               protocol: TCP
           envFrom:
             - secretRef:
-                name: nextcloud-secrets
+                name: secrets
             - configMapRef:
                 name: config
             - secretRef:
@@ -41,28 +41,28 @@ spec:
             - name: NEXTCLOUD_TRUSTED_DOMAINS
               valueFrom:
                 configMapKeyRef:
-                  key: DOMAIN
+                  key: NEXTCLOUD_TRUSTED_DOMAINS
                   name: config
             - name: NEXTCLOUD_DATA_DIR
               value: /mnt/data
             - name: TRUSTED_PROXIES
               valueFrom:
                 configMapKeyRef:
-                  key: DOMAIN
+                  key: NEXTCLOUD_DOMAIN
                   name: config
             - name: APACHE_DISABLE_REWRITE_IP
               value: "1"
             - name: OVERWRITEHOST
               valueFrom:
                 configMapKeyRef:
-                  key: DOMAIN
+                  key: NEXTCLOUD_DOMAIN
                   name: config
             - name: OVERWRITEPROTOCOL
               value: https
             - name: OVERWRITECLIURL
               valueFrom:
                 configMapKeyRef:
-                  key: DOMAIN_URL
+                  key: NEXTCLOUD_DOMAIN_URL
                   name: config
             - name: OVERWRITEWEBROOT
               value: "/"
diff --git a/apps/nextcloud/headers.yaml b/apps/nextcloud/headers.yaml
index 844e601..4349b3c 100644
--- a/apps/nextcloud/headers.yaml
+++ b/apps/nextcloud/headers.yaml
@@ -14,12 +14,19 @@ spec:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: nextcloud-redirects
+  name: nextcloud-redirects-scheme
   namespace: nextcloud
 spec:
   redirectScheme:
     permanent: true
     scheme: https
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-redirects-regex
+  namespace: nextcloud
+spec:
   redirectRegex:
     regex: https://(.*)/.well-known/(card|cal)dav
     replacement: https://$1/remote.php/dav/
diff --git a/apps/nextcloud/ingress.yaml b/apps/nextcloud/ingress.yaml
index 45582c4..61210b4 100644
--- a/apps/nextcloud/ingress.yaml
+++ b/apps/nextcloud/ingress.yaml
@@ -4,7 +4,9 @@ kind: Ingress
 metadata:
   name: nextcloud-public
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-headers@kubernetescrd,nextcloud-redirects@kubernetescrd
+    external-dns.alpha.kubernetes.io/target: your.nextcloud.domain
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
+    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-headers@kubernetescrd,nextcloud-nextcloud-redirects-scheme@kubernetescrd,nextcloud-nextcloud-redirects-regex@kubernetescrd
 spec:
   rules:
     - host: your.nextcloud.domain
diff --git a/apps/nextcloud/db-init-job.yaml b/apps/nextcloud/init/db-init-job.yaml
similarity index 89%
rename from apps/nextcloud/db-init-job.yaml
rename to apps/nextcloud/init/db-init-job.yaml
index 3af51e0..a670629 100644
--- a/apps/nextcloud/db-init-job.yaml
+++ b/apps/nextcloud/init/db-init-job.yaml
@@ -12,8 +12,8 @@ spec:
           args:
             - |
               PGPASSWORD=${POSTGRES_ADMIN_PASSWORD} psql -h ${NEXTCLOUD_DB_HOST} -U postgres <<EOF
-              CREATE DATABASE ${NEXTCLOUD_DB_NAME} WITH OWNER ${NEXTCLOUD_DB_USER};
               CREATE USER ${NEXTCLOUD_DB_USER} WITH ENCRYPTED PASSWORD '${NEXTCLOUD_DB_PASSWORD}';
+              CREATE DATABASE ${NEXTCLOUD_DB_NAME} WITH OWNER ${NEXTCLOUD_DB_USER};
               GRANT ALL PRIVILEGES ON DATABASE ${NEXTCLOUD_DB_NAME} TO ${NEXTCLOUD_DB_USER};
               EOF
           env:
@@ -22,6 +22,11 @@ spec:
                 secretKeyRef:
                   name: secrets
                   key: POSTGRES_ADMIN_PASSWORD
+            - name: NEXTCLOUD_DB_HOST
+              valueFrom:
+                configMapKeyRef:
+                  name: config
+                  key: NEXTCLOUD_DB_HOST
             - name: NEXTCLOUD_DB_NAME
               valueFrom:
                 configMapKeyRef:
diff --git a/apps/nextcloud/init/kustomization.yaml b/apps/nextcloud/init/kustomization.yaml
new file mode 100644
index 0000000..57ef308
--- /dev/null
+++ b/apps/nextcloud/init/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: nextcloud
+resources:
+  - db-init-job.yaml
+configMapGenerator:
+  - name: config
+    envs:
+      - ../config/config.env
+secretGenerator:
+  - name: secrets
+    envs:
+      - ../config/secrets.env
\ No newline at end of file
diff --git a/apps/nextcloud/kustomization.yaml b/apps/nextcloud/kustomization.yaml
index 6536cf4..c6a066c 100644
--- a/apps/nextcloud/kustomization.yaml
+++ b/apps/nextcloud/kustomization.yaml
@@ -25,6 +25,16 @@ secretGenerator:
       - config/secrets.env
 
 replacements:
+  - source:
+      kind: ConfigMap
+      name: config
+      fieldPath: data.DOMAIN
+    targets:
+      - select:
+          kind: Ingress
+          name: nextcloud-public
+        fieldPaths:
+          - metadata.annotations.[external-dns.alpha.kubernetes.io/target]
   - source:
       kind: ConfigMap
       name: config
@@ -32,7 +42,7 @@ replacements:
     targets:
       - select:
           kind: Ingress
-          name: nextcloud-ingress
+          name: nextcloud-public
         fieldPaths:
           - spec.rules.0.host
           - spec.tls.0.hosts.0
@@ -56,3 +66,18 @@ replacements:
           name: nextcloud-pvc
         fieldPaths:
           - spec.resources.requests.storage
+  - source:
+      kind: ConfigMap
+      name: config
+      fieldPath: data.NEXTCLOUD_IMAGE
+    targets:
+      - select:
+          kind: Deployment
+          name: nextcloud
+        fieldPaths:
+          - spec.template.spec.containers.0.image
+      - select:
+          kind: CronJob
+          name: nextcloud-cron
+        fieldPaths:
+          - spec.jobTemplate.spec.template.spec.containers.0.image