diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh b/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh
index e61a413..c0dc07a 100644
--- a/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh
@@ -1,22 +1,5 @@
 #!/bin/bash
-PUBLIC_INTERFACE="eth0" # Your host's public network interface
-
-# Enable IP forwarding
-echo "[HOST] Enabling IP forwarding..."
-echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
-sudo sysctl -p
-
-# Configure firewall
-echo "[HOST] Configuring firewall..."
-sudo iptables -A FORWARD -i $PUBLIC_INTERFACE -o lxcbr0 -p tcp -m multiport --dports 25,80,110,143,465,587,993,995,4190 -j ACCEPT
-sudo iptables -A FORWARD -i lxcbr0 -o $PUBLIC_INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
-sudo iptables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE
-
-# Save iptables rules permanently (adjust based on your distro)
-if command -v iptables-persistent >/dev/null; then
- sudo iptables-save | sudo tee /etc/iptables/rules.v4
-fi
 # ------------------------- CONTAINER SETUP -------------------------
@@ -38,11 +21,12 @@ sleep 15
 echo "[CONTAINER] Installing Stalwart Mail..."
 lxc exec "$PARAM_TENANT"-email -- bash -c "
 apt-get update && apt-get install -y wget libcap2-bin
-wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.11.8/stalwart-mail-x86_64-unknown-linux-gnu.tar.gz
+wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.12.4/stalwart-x86_64-unknown-linux-gnu.tar.gz
+
 tar -xzf /tmp/stalwart.tar.gz -C /tmp
 mkdir -p /opt/gbo/bin
-mv /tmp/stalwart-mail /opt/gbo/bin/stalwart-mail
-chmod +x /opt/gbo/bin/stalwart-mail
+mv /tmp/stalwart /opt/gbo/bin/stalwart
+chmod +x /opt/gbo/bin/stalwart
 rm /tmp/stalwart.tar.gz
 useradd --system --no-create-home --shell /bin/false email
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
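Review bot: The Stalwart archive fetched by `wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.12.4/...` is extracted and installed as the mail-server binary without any integrity check, and the `bash -c` body has no `set -e`, so a failed download (for example a 404 on the renamed asset) would leave `tar`, `mv` and `chmod` running on an empty or HTML file and the script would still continue to the `useradd` step. Pin the release digest next to the version and verify it before extracting, e.g. `echo "<SHA256_PLACEHOLDER>  /tmp/stalwart.tar.gz" | sha256sum -c -`, and make `set -euo pipefail` the first line of the container script. The rename from `stalwart-mail` to `stalwart` in both the asset and the extracted file is presumably what v0.12 ships; confirm the extracted file name, since a wrong `mv /tmp/stalwart` source would not stop the remaining steps either. The `lxc exec` body starts before and ends after this hunk.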
@@ -90,40 +74,3 @@ systemctl enable email
 systemctl start email
 "
-# ------------------------- PORT FORWARDING -------------------------
-
-# Get container IP
-CONTAINER_IP=$(lxc list "$PARAM_TENANT"-email -c 4 --format csv | awk '{print $1}')
-
-
-declare -A PORTS=(
- ["smtp"]="25"
- ["submission"]="587"
- ["submissions"]="465"
- ["imap"]="143"
- ["imaps"]="993"
- ["sieve"]="4190"
-)
-
-for service in "${!PORTS[@]}"; do
- port="${PORTS[$service]}"
-
- # Add LXC proxy device
- lxc config device remove pragmatismo-email "${service}-proxy" 2>/dev/null || true
- lxc config device add pragmatismo-email "${service}-proxy" proxy \
- listen=tcp:0.0.0.0:"${port}" \
- connect=tcp:"${CONTAINER_IP}":"${port}" \
- bind=host \
- nat=false
-
- # Add correct iptables rules
- sudo iptables -t nat -A PREROUTING -i $PUBLIC_INTERFACE -p tcp --dport ${port} -j DNAT --to-destination ${CONTAINER_IP}:${port}
- sudo iptables -A FORWARD -p tcp --dport ${port} -j ACCEPT
-done
-
-# Enable IP forwarding
-echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
-sudo sysctl -p
-
-# Save rules
-sudo iptables-save | sudo tee /etc/iptables/rules.v4
\ No newline at end of file
diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/prompt.txt b/gb-infra/src/templates/opt/gbo/tenants/default/prompt.txt
new file mode 100644
index 0000000..fc005f2
--- /dev/null
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/prompt.txt
@@ -0,0 +1,16 @@
+ do not comment or echo anything
+
+ keep lines condensed
+ always call it not own name. Eg.: proxy instead of Caddy. alm instead of forgejo.
+ use KISS priciple
+
+ use local /opt/gbo/{logs, data, conf} exposed as
+ HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/"
+ HOST_DATA="$HOST_BASE/data"
+ HOST_CONF="$HOST_BASE/conf"
+ HOST_LOGS="$HOST_BASE/logs"
+ instead of using app original paths.
+ and use /opt/gbo/bin to put local binaries of installations
+ during sh exection, never touch files in /opt/gbo/{logs, data, conf}
+ use wget
+ use gbuser as system user
\ No newline at end of file
diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh b/gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh
index d20958e..3b6840b 100644
--- a/gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh
@@ -1,79 +1,56 @@
 #!/bin/bash
-
 HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/proxy"
 HOST_DATA="$HOST_BASE/data"
 HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
-
-mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
-chmod -R 750 "$HOST_BASE"
+mkdir -p "$HOST_BASE" "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod 750 "$HOST_BASE" "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
 lxc launch images:debian/12 "$PARAM_TENANT"-proxy -c security.privileged=true
 sleep 15
 lxc exec "$PARAM_TENANT"-proxy -- bash -c "
-apt-get update && apt-get install -y curl libcap2-bin
-curl -sL \"https://github.com/caddyserver/caddy/releases/download/v2.10.0-beta.3/caddy_2.10.0-beta.3_linux_amd64.tar.gz\" | tar -C /usr/local/bin -xz caddy
-chmod 755 /usr/local/bin/caddy
-setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
-useradd --system --no-create-home --shell /usr/sbin/nologin caddy
+mkdir -p /opt/gbo/{bin,data,conf,logs}
+apt-get update && apt-get install -y wget libcap2-bin
+wget -q https://github.com/caddyserver/caddy/releases/download/v2.10.0-beta.3/caddy_2.10.0-beta.3_linux_amd64.tar.gz
+tar -xzf caddy_2.10.0-beta.3_linux_amd64.tar.gz -C /opt/gbo/bin
+rm caddy_2.10.0-beta.3_linux_amd64.tar.gz
+chmod 750 /opt/gbo/bin/caddy
+setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/caddy
+useradd --system --shell /usr/sbin/nologin gbuser
+chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
 "
-CADDY_UID=$(lxc exec "$PARAM_TENANT"-proxy -- id -u caddy)
-CADDY_GID=$(lxc exec "$PARAM_TENANT"-proxy -- id -g caddy)
-HOST_CADDY_UID=$((100000 + CADDY_UID))
-HOST_CADDY_GID=$((100000 + CADDY_GID))
-chown -R "$HOST_CADDY_UID:$HOST_CADDY_GID" "$HOST_BASE"
-
-lxc config device add "$PARAM_TENANT"-proxy proxydata disk source="$HOST_DATA" path=/var/lib/caddy
-lxc config device add "$PARAM_TENANT"-proxy proxyconf disk source="$HOST_CONF" path=/etc/caddy
-lxc config device add "$PARAM_TENANT"-proxy proxylogs disk source="$HOST_LOGS" path=/var/log/caddy
+lxc config device add "$PARAM_TENANT"-proxy data disk 
source="$HOST_DATA" path=/opt/gbo/data +lxc config device add "$PARAM_TENANT"-proxy conf disk source="$HOST_CONF" path=/opt/gbo/conf +lxc config device add "$PARAM_TENANT"-proxy logs disk source="$HOST_LOGS" path=/opt/gbo/logs lxc exec "$PARAM_TENANT"-proxy -- bash -c " -mkdir -p /var/lib/caddy /etc/caddy /var/log/caddy -chown -R caddy:caddy /var/lib/caddy /etc/caddy /var/log/caddy - -cat > /etc/caddy/Caddyfile < /etc/systemd/system/caddy.service < /etc/systemd/system/proxy.service </dev/null || true -lxc config device add "$PARAM_TENANT"-proxy http-proxy proxy \ - listen=tcp:0.0.0.0:"$PARAM_HTTP_PORT" \ - connect=tcp:127.0.0.1:"$PARAM_HTTP_PORT" +for port in 80 443 25 110 143 465 587 993 995; do +lxc config device remove "$PARAM_TENANT"-proxy "port-$port" 2>/dev/null || true +lxc config device add "$PARAM_TENANT"-proxy "port-$port" proxy listen=tcp:0.0.0.0:$port connect=tcp:127.0.0.1:$port +done -lxc config device remove "$PARAM_TENANT"-proxy https-proxy 2>/dev/null || true -lxc config device add "$PARAM_TENANT"-proxy https-proxy proxy \ - listen=tcp:0.0.0.0:"$PARAM_HTTPS_PORT" \ - connect=tcp:127.0.0.1:"$PARAM_HTTPS_PORT" \ No newline at end of file +lxc config set "$PARAM_TENANT"-proxy security.syscalls.intercept.mknod true +lxc config set "$PARAM_TENANT"-proxy security.syscalls.intercept.setxattr true \ No newline at end of file diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh index 2b86f1f..3be588a 100644 --- a/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh +++ b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh 
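Review bot: `chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}` makes the service account the owner of its own `setcap`'d `/opt/gbo/bin/caddy`, so a compromised proxy process can overwrite the binary it is started from; keep `bin` root-owned with the existing `chmod 750` and group `gbuser` (`chown -R root:gbuser /opt/gbo/bin`) and hand only `data`/`conf`/`logs` to `gbuser`. The archive from `wget -q https://github.com/caddyserver/caddy/releases/download/v2.10.0-beta.3/...` is extracted and granted `cap_net_bind_service` without a checksum or signature check, and the `bash -c` body has no `set -e`, so a failed download does not stop the following steps; verify a pinned `sha256sum` before `tar` and begin the body with `set -euo pipefail`. `security.syscalls.intercept.mknod` and `security.syscalls.intercept.setxattr` are presumably aimed at an unprivileged container, yet the launch line still passes `security.privileged=true`; with the service now confined to `/opt/gbo` and host ports reached through proxy devices, dropping privileged mode looks like the change that would actually reduce exposure. The heredoc bodies (the `cat > ... <` lines) appear mangled in this rendering of the hunk, so the Caddyfile and unit file contents could not be reviewed.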
@@ -3,8 +3,9 @@
 # Define container limits in an associative array
 declare -A container_limits=(
 # Pattern Memory CPU Allowance
+ ["*tables*"]="2048MB:33ms/100ms"
 ["*alm*"]="5126MB:15ms/100ms"
- ["*email*"]="1024MB:15ms/100ms"
+ ["*email*"]="4024MB:100ms/100ms"
 ["*webmail*"]="1024MB:20ms/100ms"
 ["*bot*"]="2048MB:20ms/100ms"
 ["*drive*"]="1024MB:20ms/100ms"
diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/webmail/webmail.sh b/gb-infra/src/templates/opt/gbo/tenants/default/webmail/webmail.sh
index 6184331..0787910 100644
--- a/gb-infra/src/templates/opt/gbo/tenants/default/webmail/webmail.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/webmail/webmail.sh
@@ -6,7 +6,6 @@ HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
 PARAM_RC_VERSION="1.6.6"
-RC_PATH="$HOST_DATA/wwwroot"
 mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
 chmod -R 750 "$HOST_BASE"
@@ -14,6 +13,8 @@ chmod -R 750 "$HOST_BASE"
 lxc launch images:debian/12 "$PARAM_TENANT"-webmail -c security.privileged=true
 sleep 15
+RC_PATH="/opt/gbo/data"
+
 lxc exec "$PARAM_TENANT"-webmail -- bash -c '
 # Install prerequisites
 apt install -y ca-certificates apt-transport-https lsb-release gnupg wget
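Review bot: The `["*email*"]` entry whose limit this hunk raises overlaps with `["*webmail*"]`: a container named with the `-webmail` suffix matches both globs, and bash iterates an associative array in unspecified order, so if the lookup (outside this hunk) walks `"${!container_limits[@]}"` with a glob test, which of `4024MB:100ms/100ms` and `1024MB:20ms/100ms` wins is not deterministic. Anchoring the patterns to the container-name suffix (e.g. `["*-email"]`) or testing the more specific pattern first would make the table order-independent; the new `["*tables*"]` row widens the same table, so this is worth settling now. `4024MB` also looks like it may be intended as `4096MB`; confirm. The code that consumes this table is outside the hunk.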
@@ -39,19 +40,19 @@ apt install -y \
 # Restart PHP-FPM
 systemctl restart php8.1-fpm
-if [ ! -d '"$RC_PATH"' ]; then
- mkdir -p '"$RC_PATH"'
- wget -q https://github.com/roundcube/roundcubemail/releases/download/'"$PARAM_RC_VERSION"'/roundcubemail-'"$PARAM_RC_VERSION"'-complete.tar.gz
- tar -xzf roundcubemail-*.tar.gz
- mv roundcubemail-'"$PARAM_RC_VERSION"'/* '"$RC_PATH"'
- rm -rf roundcubemail-*
-fi
-chown -R www-data:www-data '"$RC_PATH"'
+mkdir -p '"$RC_PATH"'
+wget -q https://github.com/roundcube/roundcubemail/releases/download/'"$PARAM_RC_VERSION"'/roundcubemail-'"$PARAM_RC_VERSION"'-complete.tar.gz
+tar -xzf roundcubemail-*.tar.gz
+mv roundcubemail-'"$PARAM_RC_VERSION"'/* '"$RC_PATH"'
+rm -rf roundcubemail-*
+
+mkdir -p /opt/gbo/logs
+
 chmod 750 '"$RC_PATH"'
 find '"$RC_PATH"' -type d -exec chmod 750 {} \;
 find '"$RC_PATH"' -type f -exec chmod 640 {} \;
-mkdir -p '"$HOST_LOGS"'
+
 '
 WEBMAIL_UID=$(lxc exec "$PARAM_TENANT"-webmail -- id -u www-data)
@@ -60,11 +61,11 @@ HOST_WEBMAIL_UID=$((100000 + WEBMAIL_UID))
 HOST_WEBMAIL_GID=$((100000 + WEBMAIL_GID))
 chown -R "$HOST_WEBMAIL_UID:$HOST_WEBMAIL_GID" "$HOST_BASE"
-lxc config device add "$PARAM_TENANT"-webmail webmaildata disk source="$HOST_DATA" path=/var/lib/roundcube
-lxc config device add "$PARAM_TENANT"-webmail webmailconf disk source="$HOST_CONF" path=/etc/roundcube
-lxc config device add "$PARAM_TENANT"-webmail webmaillogs disk source="$HOST_LOGS" path=/var/log/roundcube
+lxc config device add "$PARAM_TENANT"-webmail webmaildata disk source="$HOST_DATA" path="$RC_PATH"
+lxc config device add "$PARAM_TENANT"-webmail webmaillogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 lxc exec "$PARAM_TENANT"-webmail -- bash -c "
+chown -R www-data:www-data '"$RC_PATH"' /opt/gbo/logs
 cat > /etc/systemd/system/webmail.service <
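Review bot: Roundcube is now extracted with `mv roundcubemail-'"$PARAM_RC_VERSION"'/* '"$RC_PATH"'` into the container's own `/opt/gbo/data`, but the following hunk only afterwards adds the `webmaildata` disk device with `path="$RC_PATH"`, so the host directory is bind-mounted over the freshly populated web root and shadows it; unless `$HOST_DATA` was populated earlier, the served tree is empty. Add the disk device before this `lxc exec`, or extract into a staging directory and move the files into `$RC_PATH` once the mount is in place. Removing the `if [ ! -d '"$RC_PATH"' ]` guard also turns a re-run into an unconditional overwrite of whatever is already under the web root, and the tarball is still extracted without a checksum check; consider restoring the guard (or making the step explicitly idempotent) and verifying a pinned `sha256sum` before `tar -xzf`. The `lxc exec` body begins before this hunk.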