diff --git a/app/etc/traefik/certs/empty b/app/etc/traefik/certs/empty
new file mode 100644
index 0000000..e69de29
diff --git a/app/host_vars/create b/app/host_vars/create
new file mode 100755
index 0000000..595ec2d
--- /dev/null
+++ b/app/host_vars/create
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Check for argument
+if [ "$#" -ne 1 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+key_name="$1"
+target_dir="./$key_name"
+
+# Create directory if it doesn't exist
+mkdir -p "$target_dir"
+
+# Full paths for private and public keys
+private_key="$target_dir/$key_name"
+public_key="$target_dir/$key_name.pub"
+
+# Generate Ed25519 key without passphrase
+ssh-keygen -t ed25519 -f "$private_key" -N "" -q
+
+# Confirm creation
+echo "SSH key pair created:"
+echo "Private key: $private_key"
+echo "Public key : $public_key"
+
diff --git a/app/host_vars/dev/dev b/app/host_vars/dev/dev
index e69de29..db8ecee 100644
--- a/app/host_vars/dev/dev
+++ b/app/host_vars/dev/dev
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBH5vr90RFgOJrP2Xjr5I5QBxlonCC7pce56JDJFboPXQAAAJh9gvJGfYLy
+RgAAAAtzc2gtZWQyNTUxOQAAACBH5vr90RFgOJrP2Xjr5I5QBxlonCC7pce56JDJFboPXQ
+AAAEBSerxP83/u4p/IobVSxko5ZXO+/PPczGW0kopTfLLAykfm+v3REWA4ms/ZeOvkjlAH
+GWicILulx7nokMkVug9dAAAAEXJvb3RAMmNjNzhkYzBhZDIwAQIDBA==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/app/host_vars/dev/dev.pub b/app/host_vars/dev/dev.pub
index e69de29..e371ca8 100644
--- a/app/host_vars/dev/dev.pub
+++ b/app/host_vars/dev/dev.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEfm+v3REWA4ms/ZeOvkjlAHGWicILulx7nokMkVug9d root@2cc78dc0ad20
diff --git a/app/onboarding b/app/onboarding
index e9c805b..4899672 100755
--- a/app/onboarding
+++ b/app/onboarding
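Review bot: `target_dir="./$key_name"` resolves against the caller's working directory rather than the script's location, and `key_name` is used unvalidated, so an argument containing `/` or `..` writes the passphrase-less key (`-N ""`) wherever that path points; the committed `app/host_vars/dev/dev` in this same diff shows the keys landing inside the repository tree. Under `#!/bin/bash`, add `set -euo pipefail` after the shebang and `umask 077` before `mkdir -p` so the key directory is owner-only, and reject anything that is not a single path component, e.g. `case "$key_name" in */*|.|..|'') echo "invalid key name" >&2; exit 1;; esac`. The usage line `echo "Usage: $0 "` appears to have lost its argument placeholder, possibly in rendering; confirm it names the expected parameter. Whatever directory the private half is written to should be excluded from version control, since with no passphrase the key is only as protected as the repository.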
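Review bot: `app/host_vars/dev/dev` commits an unencrypted OpenSSH private key, and the adjacent `dev.pub` hunk carries its public half (the `Efm+v3REWA4ms/ZeOvkjlAHGWicILulx7nokMkVug9d` material appears in both), which the onboarding changes in this diff presumably install into `/home/4server/.ssh/authorized_keys` via `{{SSH_PUBLIC}}` for an account the retained doas rule grants `permit nopass 4server as root`. Key material that has reached git history must be treated as exposed: generate a replacement with `create`, deploy the new public half, remove this one from `authorized_keys` on every host, and purge it from history rather than only from HEAD. To stop it recurring, ignore the private halves while keeping the public ones, e.g. `app/host_vars/*/*` followed by `!app/host_vars/*/*.pub` in `.gitignore`. The `index e69de29..db8ecee` line shows this path was already tracked as an empty file, so a pre-commit secret scanner on staged content would have caught the change.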
@@ -46,14 +46,20 @@
 rex doas mkdir -p "$SSH_DIR"
 rex doas chmod 700 "$SSH_DIR"
 rex doas chown 4server:4server "$SSH_DIR"
-template templates/ssh/id_ed25519 /home/4server/.ssh/id_ed25519
-template templates/ssh/id_ed25519.pub /home/4server/.ssh/id_ed25519.pub
-rex "doas bash -c 'chmod 700 /home/4server/.ssh/*'"
-rex "doas bash -c 'chown -R 4server:4server /home/4server/.ssh/*'"
+template templates/ssh/id_ed25519.pub /home/4server/.ssh/authorized_keys
+
+rex doas chmod 755 /home/4server
+rex doas chmod 700 /home/4server/.ssh
+rex doas chmod 600 /home/4server/.ssh/authorized_keys
+rex doas chown 4server:4server /home/4server/.ssh/authorized_keys
+
+rex doas passwd -u 4server
+
+
+
-template templates/.bashrc /home/4server/.bashrc
 rex doas mkdir -p /etc/doas.d
 rex "doas sh -c 'grep -q \"permit nopass 4server as root\" /etc/doas.d/4server.conf 2>/dev/null || echo \"permit nopass 4server as root\" | tee -a /etc/doas.d/4server.conf > /dev/null'"
-
+rex doas rc-service sshd restart
diff --git a/app/templates/.bashrc b/app/templates/.profile
similarity index 93%
rename from app/templates/.bashrc
rename to app/templates/.profile
index ae664fe..4a7a386 100644
--- a/app/templates/.bashrc
+++ b/app/templates/.profile
@@ -1,5 +1,5 @@
 # ~/.bashrc
-
+clear
 echo "Server {{HOSTNAME}}"
diff --git a/app/templates/etc/fail2ban/jail.conf b/app/templates/etc/fail2ban/jail.conf
new file mode 100644
index 0000000..3f20e55
--- /dev/null
+++ b/app/templates/etc/fail2ban/jail.conf
@@ -0,0 +1,10 @@
+[DEFAULT]
+bantime = 1h
+findtime = 30m
+maxretry = 1
+
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
diff --git a/app/templates/ssh/id_ed25519.pub b/app/templates/ssh/id_ed25519.pub
index 0ac1014..fd2373f 100644
--- a/app/templates/ssh/id_ed25519.pub
+++ b/app/templates/ssh/id_ed25519.pub
@@ -1 +1 @@
-{{ssh_public}}
+{{SSH_PUBLIC}}
diff --git a/app/update b/app/update
index 435bd7b..96c74ab 100755
--- a/app/update
+++ b/app/update
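Review bot: `rex doas passwd -u 4server` unlocks an account that the retained `permit nopass 4server as root` rule gives passwordless root, and nothing in the hunk sets a password or shows that sshd refuses password authentication; the unlock is probably needed because OpenSSH built without PAM rejects any login for a `!`-locked account, but it also re-enables password login if sshd allows it, so pair it with `PasswordAuthentication no` and `PermitEmptyPasswords no` in sshd_config (not visible here — confirm). Depending on the `passwd` implementation, unlocking an entry whose shadow field is only the lock marker can leave an empty password field; verify the resulting `/etc/shadow` entry on a host after onboarding, or set the field to `*` instead. `rex doas rc-service sshd restart` follows the key swap with no validation step; inserting `rex doas sshd -t` before it surfaces a broken config before the daemon is restarted. `chmod 755 /home/4server` can be `750`, since StrictModes only requires the home directory to be non-group/world-writable. The enclosing script continues outside the hunk.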
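Review bot: `logpath = /var/log/auth.log` assumes an rsyslog-style auth log; on Alpine, which the `apk` calls in `update` indicate, busybox syslogd writes sshd messages to `/var/log/messages` unless a syslog daemon is configured for a separate auth facility, and fail2ban refuses to start a jail whose logpath does not exist — confirm where sshd logs on these hosts. `maxretry = 1` with `bantime = 1h` bans a source after a single failure, so one wrong key offered by the operator's agent, or a monitoring probe on the port, locks it out for an hour; `maxretry = 3` plus an `ignoreip = 127.0.0.1/8 ::1 <ADMIN_NETWORK_PLACEHOLDER>` line in `[DEFAULT]` keeps the jail effective without that. Because this template is deployed over `/etc/fail2ban/jail.conf`, a package upgrade can overwrite it; fail2ban reads `jail.local` and `jail.d/*.conf` after `jail.conf`, so the same content deployed as `/etc/fail2ban/jail.local` survives upgrades.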
@@ -6,19 +6,23 @@
 rex doas chmod 777 /4server
 rex mkdir -p /4server/data/log
 template templates/hosts /etc/hosts
+template templates/.profile /home/4server/.profile
 ### PACKAGES
 template templates/repositories /etc/apk/repositories
-rex doas apk update && upgrade
-rex doas apk add openssh ufw python3 build-base python3-dev linux-headers py3-pip gcc g++ musl-dev libffi-dev make jq rsync mc vim docker docker-compose htop linux-lts sqlite bash postgresql16-client
-
-rex doas pip install --break-system-packages --no-cache-dir "uvicorn[standard]" fastapi pydantic psutil
-
-
+rex "doas apk update && doas apk upgrade"
+rex doas apk add fail2ban openssh ufw python3 build-base python3-dev linux-headers py3-pip gcc g++ musl-dev libffi-dev make jq rsync mc vim docker docker-compose htop linux-lts sqlite bash postgresql16-client
+rex doas pip install --root-user-action ignore --break-system-packages --no-cache-dir "uvicorn[standard]" fastapi pydantic psutil
 ### own bins
+echo "Running prsync ./sbin"
 prsync -h "$hosts_file" -avz ./sbin/ /4server/sbin/
+### Security
+template templates/etc/fail2ban/jail.conf /etc/fail2ban/jail.conf
+
+
+
 ### API
@@ -44,7 +48,8 @@
 rex mkdir -p /4server/data/traefik/etc
 template templates/traefik.yaml /4server/data/traefik/etc/traefik.yaml
 rex mkdir -p /4server/data/traefik/etc/certs
-prsync -h "$hosts_file" -avz ./etc/certs/* /4server/data/traefik/etc/certs/
+echo "prsync traefik certs"
+prsync -h "$hosts_file" -avz ./etc/traefik/certs/* /4server/data/traefik/etc/certs/
 template templates/docker-compose.yml /4server/docker-compose.yml
 rex doas docker-compose -f /4server/docker-compose.yml up -d --force-recreate
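Review bot: fail2ban is added to the `apk add` list and its jail template is deployed under `### Security`, but nothing in the hunk enables or starts the service, so unless that happens elsewhere in the script the jail never runs; adding `rex doas rc-update add fail2ban default` and `rex doas rc-service fail2ban restart` after the `template` line makes the deployment take effect and picks up template changes on re-runs. Deploying to `/etc/fail2ban/jail.conf` also means the `doas apk upgrade` run earlier in this same hunk can replace the file on a later run; targeting `/etc/fail2ban/jail.local` avoids that. The script continues outside the hunk.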