diff --git a/profiles/homebox/default.nix b/profiles/homebox/default.nix index a50fb35..268878c 100644 --- a/profiles/homebox/default.nix +++ b/profiles/homebox/default.nix @@ -81,6 +81,7 @@ authentik.enable = true; netbird.enable = true; + openwebui.enable = true; ollama.enable = true; searxng.enable = true; home-assistant.enable = true; @@ -92,8 +93,6 @@ "esotericbytes.com".enable = true; gitea.enable = true; - openwebui.enable = true; - code-server.enable = true; minecraft.enable = true; diff --git a/system/virtualization/docker/netbird/default.nix b/system/virtualization/docker/netbird/default.nix index 8e65196..4c8065d 100644 --- a/system/virtualization/docker/netbird/default.nix +++ b/system/virtualization/docker/netbird/default.nix @@ -27,7 +27,7 @@ # Containers virtualisation.oci-containers.containers."netbird-dashboard" = { - image = "netbirdio/dashboard:latest"; + image = "netbirdio/dashboard:v2.30.1"; environment = { "AUTH_AUDIENCE" = "netbird-dashboard"; "AUTH_AUTHORITY" = "https://vpn.esotericbytes.com/oauth2"; @@ -71,7 +71,7 @@ ]; }; virtualisation.oci-containers.containers."netbird-management" = { - image = "netbirdio/management:latest"; + image = "netbirdio/management:v0.64.4"; volumes = [ "/etc/netbird/management.json:/etc/netbird/management.json:rw" "netbird_netbird_management:/var/lib/netbird:rw" @@ -128,7 +128,7 @@ ]; }; virtualisation.oci-containers.containers."netbird-relay" = { - image = "netbirdio/relay:latest"; + image = "netbirdio/relay:v0.64.4"; environmentFiles = [ config.sops.templates."netbird-relay.env".path ]; @@ -163,7 +163,7 @@ ]; }; virtualisation.oci-containers.containers."netbird-signal" = { - image = "netbirdio/signal:latest"; + image = "netbirdio/signal:v0.64.4"; labels = { "traefik.enable" = "true"; "traefik.http.routers.netbird-signal-grpc.entrypoints" = "websecure"; diff --git a/system/virtualization/docker/openwebui/default.nix b/system/virtualization/docker/openwebui/default.nix index 0967ef4..61a567e 100644 
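Review bot: The four `image =` lines in system/virtualization/docker/netbird/default.nix (dashboard, management, relay, signal) now name release tags, but a registry tag can be re-pointed after the fact, so the pin fixes the version label rather than the image content. Appending the digest of an image you have pulled and inspected makes the deployment reproducible, e.g. `image = "netbirdio/management:v0.64.4@sha256:<digest>";` (placeholder digest). A one-line comment above each pin saying that management, relay and signal are bumped together while the dashboard is versioned separately would keep later updates from drifting apart.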
--- a/system/virtualization/docker/openwebui/default.nix
+++ b/system/virtualization/docker/openwebui/default.nix
@@ -1 +1,101 @@
-{}
+{ config, lib, pkgs, ... }: let
+
+ hostPort = 11434;
+
+ subdomain = "ai";
+
+ name = "openwebui";
+
+in {
+
+ options.sysconfig.docker.openwebui.enable = with lib; mkOption {
+ type = with types; bool;
+ default = false;
+ };
+
+ config = lib.mkIf (config.sysconfig.docker.openwebui.enable && config.sysconfig.docker.enable) {
+
+ environment.systemPackages = with pkgs; [
+ openwebui
+ ];
+
+ virtualisation.oci-containers.containers.openwebui = {
+ image = "ghcr.io/openwebui/openwebui:v0.7.2";
+
+ # unstable, waiting for 26.05
+ #pull = "newer";
+
+ hostname = "${subdomain}.esotericbytes.com";
+
+ networks = [
+ "docker-main"
+ ];
+
+ /*ports = [
+ "${builtins.toString hostPort}:3000"
+ ];*/
+
+ volumes = [
+ "vol_openwebui:/app/backend/data"
+ ];
+
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.${name}.entrypoints" = "localsecure";
+ "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
+ "traefik.http.routers.${name}.service" = "${name}";
+ "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
+
+ "traefik.http.services.${name}.loadbalancer.server.port" = "3000";
+ };
+
+ extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
+ "--device=nvidia.com/gpu=all"
+ ];
+
+ environment = {
+ };
+ };
+
+ systemd.services."docker-openwebui" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "always";
+ RestartMaxDelaySec = lib.mkOverride 90 "1m";
+ RestartSec = lib.mkOverride 90 "100ms";
+ RestartSteps = lib.mkOverride 90 9;
+ };
+ after = [
+ "docker-network-setup.service"
+ "docker-volume-openwebui.service"
+ ];
+ requires = [
+ "docker-network-setup.service"
+ "docker-volume-openwebui.service"
+ ];
+ partOf = [
+ "docker-compose-openwebui-root.target"
+ ];
+ wantedBy = [
+ "docker-compose-openwebui-root.target"
+ ];
+ };
+
+ systemd.services."docker-volume-openwebui" = {
+ path = [ pkgs.docker ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ docker volume inspect vol_openwebui || docker volume create vol_openwebui --driver=btrfs
+ '';
+ partOf = [ "docker-compose-openwebui-root.target" ];
+ wantedBy = [ "docker-compose-openwebui-root.target" ];
+ };
+
+ systemd.targets."docker-compose-openwebui-root" = {
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ };
+}
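Review bot: The image reference `ghcr.io/openwebui/openwebui:v0.7.2` does not match the namespace the Open WebUI project publishes under as far as I know (`ghcr.io/open-webui/open-webui`), so it either fails to pull or pulls an unreviewed look-alike into a container that is also given `--device=nvidia.com/gpu=all`; confirm the source and pin it by digest, e.g. `image = "ghcr.io/open-webui/open-webui:v0.7.2@sha256:<digest>";` (placeholder digest). The Traefik service port also looks wrong: the upstream image listens on 8080 unless `PORT` is set, and `environment` is empty, so `"traefik.http.services.${name}.loadbalancer.server.port" = "8080";` is probably what is intended, and the unused `hostPort = 11434` (Ollama's port) can go. With `environment = { }` and no auth middleware on the router, access control rests on Open WebUI's own login, where the first account registered becomes the admin; since authentik is enabled in the same profile, consider wiring OIDC or at least setting `ENABLE_SIGNUP` to false once that account exists, and add a comment saying which of these the `localsecure` entrypoint is relying on. `pkgs.openwebui` in `environment.systemPackages` may not evaluate (nixpkgs names the package `open-webui`, to my knowledge) and is not needed on the host when the service runs in a container.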