diff --git a/README.md b/README.md index 14e92ac..8282975 100644 --- a/README.md +++ b/README.md @@ -245,32 +245,26 @@ kubectl exec -i guacamole- --container guacamole -- /opt/guacamole/bin/i kubectl exec -i guacamole- --container mysql -- mysql -uguacamole -pguacamole guacamole < initdb.sql kubectl rollout restart deployment guacamole ``` -##### 4.7) [Harbor](https://goharbor.io/) (container image registry) -*Running externally; refer to [Ansible.Harbor](https://code.spamasaurus.com/djpbessems/Ansible.Harbor/src/branch/master)-repository for actual setup* -Create `Endpoint`, `service` and `ingressRoute` -``` -kubectl apply -f services/Harbor/ingressRoute-Harbor.yml -``` -##### 4.8) [Lighttpd](https://www.lighttpd.net/) (webserver) +##### 4.7) [Lighttpd](https://www.lighttpd.net/) (webserver) *Serves various semi-containerized websites; respective webcontent is stored on fileshare* ``` kubectl apply -f services/Lighttpd/configMap-Lighttpd.yml kubectl apply -f services/Lighttpd/deploy-Lighttpd.yml kubectl apply -f services/Lighttpd/cronJob-Spotweb.yml ``` -##### 4.9) PVR `namespace` (automated media management) +##### 4.8) PVR `namespace` (automated media management) *Containers use shared resources to be able to interact with downloaded files* ``` kubectl create secret generic --type=mount/smb smb-secret --from-literal=username=<> --from-literal=password=<> -n pvr kubectl apply -f services/PVR/persistentVolumeClaim-PVR.yml kubectl apply -f services/PVR/storageClass-PVR.yml ``` -###### 4.9.1) [NZBHydra](https://github.com/theotherp/nzbhydra2) (index aggregator) +###### 4.8.1) [NZBHydra](https://github.com/theotherp/nzbhydra2) (index aggregator) ``` kubectl apply -f services/PVR/deploy-NZBHydra.yml ``` -###### 4.9.2) [Plex](https://www.plex.tv/) (media library) +###### 4.8.2) [Plex](https://www.plex.tv/) (media library) *Due to usage of symlinks, partially incompatible with SMB-share-backed storage* ``` kubectl apply -f services/PVR/deploy-Plex.yml 
@@ -280,32 +274,32 @@ After deploying, Plex server needs to be *claimed* (=assigned to Plex-account): kubectl get endpoints Plex -n PVR ``` Browse to the respective IP address (http://:32400/web) and follow instructions. -###### 4.9.3) [Radarr](https://radarr.video/) (movie management) +###### 4.8.3) [Radarr](https://radarr.video/) (movie management) ``` kubectl apply -f services/PVR/deploy-Radarr.yml ``` -###### 4.9.4) [Readarr](https://readarr.com/) (book management) +###### 4.8.4) [Readarr](https://readarr.com/) (book management) ``` kubectl apply -f services/PVR/deploy-Readarr.yml ``` -###### 4.9.5) [SABnzbd](https://sabnzbd.org/) (download client) +###### 4.8.5) [SABnzbd](https://sabnzbd.org/) (download client) ``` kubectl apply -f services/PVR/deploy-SABnzbd.yml ``` -###### 4.9.6) [Sonarr](https://sonarr.tv/) (tv management) +###### 4.8.6) [Sonarr](https://sonarr.tv/) (tv management) ``` kubectl apply -f services/PVR/deploy-Sonarr.yml ``` -##### 4.10) [Shaarli](https://github.com/shaarli/Shaarli) (bookmarks/notes) +##### 4.9) [Shaarli](https://github.com/shaarli/Shaarli) (bookmarks/notes) ``` kubectl apply -f services/Shaarli/deploy-Shaarli.yml ``` -##### 4.11) [Theia](https://theia-ide.org/) (web IDE) +##### 4.10) [Theia](https://theia-ide.org/) (web IDE) ``` kubectl apply -f services/Theia/deploy-Theia.yml ``` -##### 4.12) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) (certificate tooling) +##### 4.11) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) (certificate tooling) ``` kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml ``` diff --git a/ingress/Traefik2.x/chart-values.yml b/ingress/Traefik2.x/chart-values.yml index 40ffff0..e4970ea 100644 --- a/ingress/Traefik2.x/chart-values.yml +++ b/ingress/Traefik2.x/chart-values.yml @@ -1,5 +1,5 @@ image: - name: traefik + name: bv11-cr01.bessems.eu/proxy/library/traefik # tag: 2.3.2 ports: 
diff --git a/services/Adminer/deploy-Adminer.yml b/services/Adminer/deploy-Adminer.yml index c6c154e..7414365 100644 --- a/services/Adminer/deploy-Adminer.yml +++ b/services/Adminer/deploy-Adminer.yml @@ -37,7 +37,7 @@ spec: serviceAccountName: adminer containers: - name: adminer - image: registry.spamasaurus.com/proxy/library/adminer + image: bv11-cr01.bessems.eu/proxy/library/adminer ports: - name: web containerPort: 8080 diff --git a/services/Bitwarden/deploy-Bitwarden.yml b/services/Bitwarden/deploy-Bitwarden.yml index bda5a8a..d1a5d6f 100644 --- a/services/Bitwarden/deploy-Bitwarden.yml +++ b/services/Bitwarden/deploy-Bitwarden.yml @@ -42,7 +42,7 @@ spec: serviceAccountName: bitwarden containers: - name: bitwarden - image: bitwardenrs/server + image: bv11-cr01.bessems.eu/proxy/bitwardenrs/server args: ["sh", "-c", ". /vault/secrets/bitwarden && /start.sh"] env: - name: ENABLE_DB_WAL diff --git a/services/DDclient/deploy-DDclient.yml b/services/DDclient/deploy-DDclient.yml index 1453507..22984df 100644 --- a/services/DDclient/deploy-DDclient.yml +++ b/services/DDclient/deploy-DDclient.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: ddclient - image: registry.spamasaurus.com/proxy/linuxserver/ddclient + image: bv11-cr01.bessems.eu/proxy/linuxserver/ddclient volumeMounts: - mountPath: /config name: ddclient-secret diff --git a/services/DroneCI/deploy-DroneCI.yml b/services/DroneCI/deploy-DroneCI.yml index be8f7a4..0ea1630 100644 --- a/services/DroneCI/deploy-DroneCI.yml +++ b/services/DroneCI/deploy-DroneCI.yml @@ -39,7 +39,7 @@ spec: serviceAccountName: drone containers: - name: drone - image: drone/drone:latest + image: bv11-cr01.bessems.eu/proxy/drone/drone:latest command: ["sh", "-c", ". /vault/secrets/drone && /bin/drone-server"] env: - name: DRONE_SERVER_PROTO @@ -58,6 +58,8 @@ spec: value: 'false' - name: DRONE_AGENTS_ENABLED value: 'true' + - name: DRONE_USER_CREATE + value: 'username:djpbessems,admin:true' ports: - name: ui containerPort: 80 
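Review bot: The new `DRONE_USER_CREATE` entry in services/DroneCI/deploy-DroneCI.yml grants admin rights purely by login name (`username:djpbessems,admin:true`), and nothing next to it says which identity provider that name is resolved against. Whoever holds that login on the connected source-control server becomes Drone administrator, and with the Kubernetes runner in the same pod an administrator can presumably influence what gets scheduled in the cluster. I would add a comment above the entry such as `# Bootstrap admin: must equal the operator's SCM login; keep that account name reserved and self-registration closed`. The env list this entry belongs to starts outside the hunk, so whether open registration is already disabled for Drone and the SCM cannot be confirmed from here.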
@@ -65,7 +67,7 @@ spec: - mountPath: /data name: flexvolsmb-drone-data - name: drone-runner - image: drone/drone-runner-kube:latest + image: bv11-cr01.bessems.eu/proxy/drone/drone-runner-kube:latest command: ["sh", "-c", ". /vault/secrets/drone && /bin/drone-runner-kube"] ports: - containerPort: 3000 @@ -135,6 +137,38 @@ spec: requests: storage: 1Gi --- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: flexvolsmb-drone-certs +spec: + capacity: + storage: 1Gi + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-drone-certs + flexVolume: + driver: mount/smb + secretRef: + name: smb-secret + options: + opts: domain=bessems.eu,file_mode=0777,dir_mode=0777,iocharset=utf8,nobrl + server: 192.168.11.225 + share: /K3s.Volumes/traefikcertsdumper/export +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: flexvolsmb-drone-certs + namespace: default +spec: + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-drone-certs + resources: + requests: + storage: 1Gi +--- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: diff --git a/services/Gitea/deploy-Gitea.yml b/services/Gitea/deploy-Gitea.yml index 618ce70..ddbe051 100644 --- a/services/Gitea/deploy-Gitea.yml +++ b/services/Gitea/deploy-Gitea.yml @@ -28,7 +28,7 @@ spec: spec: containers: - name: gitea - image: registry.spamasaurus.com/proxy/gitea/gitea:1 + image: bv11-cr01.bessems.eu/proxy/gitea/gitea:1 env: - name: DB_TYPE value: 'sqlite3' diff --git a/services/Gotify/deploy-Gotify.yml b/services/Gotify/deploy-Gotify.yml index 4018509..e3a7459 100644 --- a/services/Gotify/deploy-Gotify.yml +++ b/services/Gotify/deploy-Gotify.yml @@ -28,7 +28,7 @@ spec: spec: containers: - name: gotify - image: registry.spamasaurus.com/proxy/gotify/server + image: bv11-cr01.bessems.eu/proxy/gotify/server ports: - name: web containerPort: 80 diff --git a/services/Guacamole/deploy-Guacamole.yml b/services/Guacamole/deploy-Guacamole.yml index 82eef9e..7e7f071 100644 
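Review bot: The added `flexvolsmb-drone-certs` PersistentVolume mounts `/K3s.Volumes/traefikcertsdumper/export` with `file_mode=0777,dir_mode=0777` and `ReadWriteMany`, so every process in any pod that binds the claim can read and overwrite whatever is on that share. Judging by the path, this is the traefik-certs-dumper output, which would include TLS private keys. A consumer that only needs to read the certificates should get a read-only, tighter mount: `opts: domain=bessems.eu,ro,file_mode=0440,dir_mode=0550,iocharset=utf8,nobrl`, with `accessModes: [ReadOnlyMany]` on both the volume and the claim. The hunk shows no `volumeMounts` entry that uses the claim, so which container consumes it, and under which uid, is not visible here. A short comment on the PersistentVolume stating what the share contains would also help the next reader.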
--- a/services/Guacamole/deploy-Guacamole.yml +++ b/services/Guacamole/deploy-Guacamole.yml @@ -35,7 +35,7 @@ spec: hostname: guacamole containers: - name: guacamole - image: registry.spamasaurus.com/proxy/guacamole/guacamole + image: bv11-cr01.bessems.eu/proxy/guacamole/guacamole env: - name: GUACD_HOSTNAME value: 'guacamole.default.svc.cluster.local' @@ -53,7 +53,7 @@ spec: - name: ui containerPort: 8080 - name: guacd - image: registry.spamasaurus.com/proxy/guacamole/guacd + image: bv11-cr01.bessems.eu/proxy/guacamole/guacd env: - name: GUACD_LOG_LEVEL value: 'debug' @@ -61,7 +61,7 @@ spec: - name: proxy containerPort: 4822 - name: mysql - image: registry.spamasaurus.com/proxy/library/mysql:latest + image: bv11-cr01.bessems.eu/proxy/library/mysql:latest securityContext: runAsUser: 999 runAsGroup: 999 diff --git a/services/Harbor/ingressRoute-Harbor.yml b/services/Harbor/ingressRoute-Harbor.yml deleted file mode 100644 index 9e28ae0..0000000 --- a/services/Harbor/ingressRoute-Harbor.yml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: harbor -spec: - ports: - - protocol: TCP - port: 80 - targetPort: 80 ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: harbor -subsets: - - addresses: - - ip: 192.168.11.249 - ports: - - port: 80 ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: harbor -spec: - entryPoints: - - websecure - routes: - - match: Host(`registry.spamasaurus.com`) - kind: Rule - services: - - name: harbor - port: 80 - middlewares: - - name: security-headers@file - - name: compression@file -# - match: Host(`registry.spamasaurus.com`) && PathPrefix(`/api/`, `/service/`, `/v2/`, `/chartrepo/`, `/c/`) -# kind: Rule -# services: -# - name: harbor-harbor-core -# port: 80 -# middlewares: -# - name: security-headers@file -# - match: Host(`notary.spamasaurus.com`) -# kind: Rule -# services: -# - name: harbor-harbor-notary-server -# port: 4443 -# middlewares: -# - name: security-headers@file 
diff --git a/services/Lighttpd/deploy-Lighttpd.yml b/services/Lighttpd/deploy-Lighttpd.yml index b2a323c..8f0e9f4 100644 --- a/services/Lighttpd/deploy-Lighttpd.yml +++ b/services/Lighttpd/deploy-Lighttpd.yml @@ -28,7 +28,7 @@ spec: spec: containers: - name: lighttpd-php-pwsh - image: registry.spamasaurus.com/library/lighttpd-php-powershell + image: bv11-cr01.bessems.eu/library/lighttpd-php-powershell ports: - name: web containerPort: 8080 diff --git a/services/PVR/deploy-NZBHydra.yml b/services/PVR/deploy-NZBHydra.yml index 2686e16..a158901 100644 --- a/services/PVR/deploy-NZBHydra.yml +++ b/services/PVR/deploy-NZBHydra.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: nzbhydra - image: registry.spamasaurus.com/proxy/linuxserver/nzbhydra2 + image: bv11-cr01.bessems.eu/proxy/linuxserver/nzbhydra2 ports: - name: web containerPort: 5076 diff --git a/services/PVR/deploy-Plex.yml b/services/PVR/deploy-Plex.yml index b7b2761..fa9f294 100644 --- a/services/PVR/deploy-Plex.yml +++ b/services/PVR/deploy-Plex.yml @@ -31,7 +31,7 @@ spec: hostNetwork: true containers: - name: plex - image: registry.spamasaurus.com/proxy/linuxserver/plex + image: bv11-cr01.bessems.eu/proxy/linuxserver/plex ports: - name: web containerPort: 32400 diff --git a/services/PVR/deploy-Radarr.yml b/services/PVR/deploy-Radarr.yml index 33cb563..09d1bec 100644 --- a/services/PVR/deploy-Radarr.yml +++ b/services/PVR/deploy-Radarr.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: radarr - image: registry.spamasaurus.com/proxy/linuxserver/radarr:nightly + image: bv11-cr01.bessems.eu/proxy/linuxserver/radarr:nightly ports: - name: web containerPort: 7878 diff --git a/services/PVR/deploy-Readarr.yml b/services/PVR/deploy-Readarr.yml index 0346633..36445f9 100644 --- a/services/PVR/deploy-Readarr.yml +++ b/services/PVR/deploy-Readarr.yml 
@@ -30,7 +30,7 @@ spec: spec: containers: - name: readarr - image: registry.spamasaurus.com/proxy/hotio/readarr:nightly + image: bv11-cr01.bessems.eu/proxy/hotio/readarr:nightly env: - name: DEBUG value: 'yes' diff --git a/services/PVR/deploy-SABnzbd.yml b/services/PVR/deploy-SABnzbd.yml index 7372dfe..db052a0 100644 --- a/services/PVR/deploy-SABnzbd.yml +++ b/services/PVR/deploy-SABnzbd.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: sabnzbd - image: registry.spamasaurus.com/proxy/linuxserver/sabnzbd + image: bv11-cr01.bessems.eu/proxy/linuxserver/sabnzbd ports: - name: web containerPort: 8080 diff --git a/services/PVR/deploy-Sonarr.yml b/services/PVR/deploy-Sonarr.yml index db4cf9a..250dda9 100644 --- a/services/PVR/deploy-Sonarr.yml +++ b/services/PVR/deploy-Sonarr.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: sonarr - image: registry.spamasaurus.com/proxy/linuxserver/sonarr:preview + image: bv11-cr01.bessems.eu/proxy/linuxserver/sonarr:preview ports: - name: web containerPort: 8989 diff --git a/services/Shaarli/deploy-Shaarli.yml b/services/Shaarli/deploy-Shaarli.yml index 45a9e68..b932411 100644 --- a/services/Shaarli/deploy-Shaarli.yml +++ b/services/Shaarli/deploy-Shaarli.yml @@ -28,7 +28,7 @@ spec: spec: containers: - name: shaarli - image: registry.spamasaurus.com/proxy/shaarli/shaarli + image: bv11-cr01.bessems.eu/proxy/shaarli/shaarli ports: - name: web containerPort: 80 diff --git a/services/Theia/deploy-Theia.yml b/services/Theia/deploy-Theia.yml index 5ec53b0..a2ae387 100644 --- a/services/Theia/deploy-Theia.yml +++ b/services/Theia/deploy-Theia.yml @@ -28,7 +28,7 @@ spec: spec: containers: - name: theia - image: registry.spamasaurus.com/proxy/theiaide/theia-full + image: bv11-cr01.bessems.eu/proxy/theiaide/theia-full ports: - name: web containerPort: 3000 diff --git a/services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml b/services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml index 1345e05..1112c0a 100644 
--- a/services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml +++ b/services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: traefik-certs-dumper - image: registry.spamasaurus.com/proxy/ldez/traefik-certs-dumper:latest-amd64 + image: bv11-cr01.bessems.eu/proxy/ldez/traefik-certs-dumper:latest-amd64 command: ['traefik-certs-dumper', 'file'] args: - --watch diff --git a/services/Unifi/deploy-Unifi.yml b/services/Unifi/deploy-Unifi.yml index a6b8f31..2e3b48e 100644 --- a/services/Unifi/deploy-Unifi.yml +++ b/services/Unifi/deploy-Unifi.yml @@ -67,7 +67,7 @@ spec: spec: containers: - name: unifi - image: linuxserver/unifi-controller + image: bv11-cr01.bessems.eu/proxy/linuxserver/unifi-controller ports: - name: web containerPort: 8443 diff --git a/system/InotifyMaxWatchers/daemonSet-InotifyMaxWatchers.yml b/system/InotifyMaxWatchers/daemonSet-InotifyMaxWatchers.yml index 16d08c4..95864b8 100644 --- a/system/InotifyMaxWatchers/daemonSet-InotifyMaxWatchers.yml +++ b/system/InotifyMaxWatchers/daemonSet-InotifyMaxWatchers.yml @@ -15,7 +15,7 @@ spec: spec: containers: - name: inotify-max-watchers - image: alpine + image: bv11-cr01.bessems.eu/proxy/library/alpine imagePullPolicy: Always securityContext: privileged: true diff --git a/system/RolloutRestart/cronjob-RolloutRestart.yml b/system/RolloutRestart/cronjob-RolloutRestart.yml index 6966716..16569f0 100644 --- a/system/RolloutRestart/cronjob-RolloutRestart.yml +++ b/system/RolloutRestart/cronjob-RolloutRestart.yml @@ -49,7 +49,7 @@ spec: restartPolicy: Never containers: - name: kubectl - image: registry.spamasaurus.com/proxy/bitnami/kubectl + image: bv11-cr01.bessems.eu/proxy/bitnami/kubectl command: - 'bash' - '-c' diff --git a/system/UpgradeController/plan-Agent.yml b/system/UpgradeController/plan-Agent.yml index 51edf6c..9d9f3cd 100644 --- a/system/UpgradeController/plan-Agent.yml +++ b/system/UpgradeController/plan-Agent.yml 
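Review bot: In system/InotifyMaxWatchers/daemonSet-InotifyMaxWatchers.yml the `inotify-max-watchers` container runs with `privileged: true` and `imagePullPolicy: Always`, and the new reference `bv11-cr01.bessems.eu/proxy/library/alpine` carries no tag or digest. Each pod start on each node therefore runs whatever the proxy cache currently serves as `latest`, with host-level privilege, so the registry's integrity becomes equivalent to root on the nodes. Pinning the reviewed image by digest removes that dependency: `image: bv11-cr01.bessems.eu/proxy/library/alpine@sha256:<digest-of-reviewed-image>`. The `:latest` references in deploy-DroneCI.yml and deploy-Guacamole.yml have the same mutable-tag exposure, though without the privileged context.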
@@ -14,8 +14,8 @@ spec: args: - prepare - server-plan - image: rancher/k3s-upgrade:v1.19.3-k3s2 + image: bv11-cr01.bessems.eu/proxy/rancher/k3s-upgrade:v1.19.3-k3s2 serviceAccountName: system-upgrade upgrade: - image: rancher/k3s-upgrade + image: bv11-cr01.bessems.eu/proxy/rancher/k3s-upgrade channel: https://update.k3s.io/v1-release/channels/stable diff --git a/system/UpgradeController/plan-Server.yml b/system/UpgradeController/plan-Server.yml index 9c146ab..241b105 100644 --- a/system/UpgradeController/plan-Server.yml +++ b/system/UpgradeController/plan-Server.yml @@ -14,5 +14,5 @@ spec: - "true" serviceAccountName: system-upgrade upgrade: - image: rancher/k3s-upgrade + image: bv11-cr01.bessems.eu/proxy/rancher/k3s-upgrade channel: https://update.k3s.io/v1-release/channels/stable