diff --git a/nixos/lavender/configuration.nix b/nixos/lavender/configuration.nix
index fc89ebc..5b76741 100644
--- a/nixos/lavender/configuration.nix
+++ b/nixos/lavender/configuration.nix
@@ -111,8 +111,20 @@
 networkmanager.enable = true;
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 32400 32372 ];
- allowedUDPPorts = [ 80 443 32400 32372 ];
+ allowedTCPPorts = [
+ 53 # pihole-FTL (DNS)
+ 80 # traefik (HTTP)
+ 443 # traefik (HTTPS)
+ 32400 # plex
+ 32372 # qbittorrent
+ ];
+ allowedUDPPorts = [
+ 53 # pihole-FTL (DNS)
+ 80 # traefik (HTTP)
+ 443 # traefik (HTTPS)
+ 32400 # plex
+ 32372 # qbittorrent
+ ];
 };
 };
diff --git a/nixos/lavender/containers/homepage/default.nix b/nixos/lavender/containers/homepage/default.nix
index c3ff6cf..db1409e 100644
--- a/nixos/lavender/containers/homepage/default.nix
+++ b/nixos/lavender/containers/homepage/default.nix
@@ -10,7 +10,6 @@
 "/srv/data:/srv/data:ro"
 "/var/run/docker.sock:/var/run/docker.sock" # pass local proxy
 ];
- ports = [ "3000:3000" ];
 extraOptions = ["--network=host"];
 };
 }
diff --git a/nixos/lavender/containers/pihole/default.nix b/nixos/lavender/containers/pihole/default.nix
index 72385e5..173afd4 100644
--- a/nixos/lavender/containers/pihole/default.nix
+++ b/nixos/lavender/containers/pihole/default.nix
@@ -11,9 +11,9 @@
 "/srv/containers/pihole/secrets:/secrets"
 ];
 ports = [
- "53:53/tcp"
- "53:53/udp"
- "8181:80/tcp"
+ "192.168.1.100:53:53/tcp" # pihole-FTL (DNS)
+ "192.168.1.100:53:53/udp" # pihole-FTL (DNS)
+ "192.168.1.100:8181:80/tcp" # lighttpd (HTTP)
 ];
 environment = {
 WEBPASSWORD_FILE = "/secrets/admin-password";
diff --git a/nixos/lavender/containers/plex/default.nix b/nixos/lavender/containers/plex/default.nix
index d458399..acaa888 100644
--- a/nixos/lavender/containers/plex/default.nix
+++ b/nixos/lavender/containers/plex/default.nix
@@ -9,7 +9,6 @@
 "/srv/containers/plex:/config"
 "/srv/data/media:/data/media:ro"
 ];
- ports = [ "32400:32400" ];
 extraOptions = ["--network=host"];
 };
 }
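Review bot: The new `allowedUDPPorts` list in nixos/lavender/configuration.nix copies the TCP list port for port, so the added comments now document UDP openings that the named services may not use. HTTP on 80 is TCP-only, 443/udp matters only if traefik serves HTTP/3, and whether plex needs 32400/udp is not shown here. Consider trimming the UDP list to what is actually served, for example keeping `53 # pihole-FTL (DNS)` and `32372 # qbittorrent`. If DNS should be offered on the LAN interface only, 53 could move under `networking.firewall.interfaces.<name>.allowedTCPPorts` and `allowedUDPPorts`. The enclosing attribute set starts and ends outside the hunk.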
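Review bot: In nixos/lavender/containers/pihole/default.nix the admin UI mapping `"192.168.1.100:8181:80/tcp"` still offers lighttpd over plain HTTP to the whole LAN, and 8181 is not in the host firewall list. With a Docker backend (suggested by the docker.sock mount in the homepage container) published ports are usually not filtered by `networking.firewall`, so that allow-list probably does not cover it. If the UI is meant to be reached only through traefik, `"127.0.0.1:8181:80/tcp"` would be tighter; this assumes traefik runs on the host network, which this hunk does not show. The literal address is also repeated three times, so a single `let` binding would keep the entries in sync if the host address changes.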
diff --git a/nixos/lavender/containers/prowlarr/default.nix b/nixos/lavender/containers/prowlarr/default.nix
index 7312592..660cdf8 100644
--- a/nixos/lavender/containers/prowlarr/default.nix
+++ b/nixos/lavender/containers/prowlarr/default.nix
@@ -10,5 +10,6 @@
 "/srv/data:/data"
 ];
 ports = [ "9696:9696" ];
+ extraOptions = ["--network=media-stack"];
 };
 }
diff --git a/nixos/lavender/containers/qbittorrent/default.nix b/nixos/lavender/containers/qbittorrent/default.nix
index 5e75745..3193e55 100644
--- a/nixos/lavender/containers/qbittorrent/default.nix
+++ b/nixos/lavender/containers/qbittorrent/default.nix
@@ -13,5 +13,6 @@
 "8383:8080"
 "32372:32372"
 ];
+ extraOptions = ["--network=media-stack"];
 };
 }
diff --git a/nixos/lavender/containers/radarr/default.nix b/nixos/lavender/containers/radarr/default.nix
index de59203..b4bac37 100644
--- a/nixos/lavender/containers/radarr/default.nix
+++ b/nixos/lavender/containers/radarr/default.nix
@@ -10,5 +10,6 @@
 "/srv/data:/data"
 ];
 ports = [ "7878:7878" ];
+ extraOptions = ["--network=media-stack"];
 };
 }
diff --git a/nixos/lavender/containers/recyclarr/default.nix b/nixos/lavender/containers/recyclarr/default.nix
index a12dcf5..436643c 100644
--- a/nixos/lavender/containers/recyclarr/default.nix
+++ b/nixos/lavender/containers/recyclarr/default.nix
@@ -8,5 +8,6 @@
 volumes = [
 "/srv/containers/recyclarr:/config"
 ];
+ extraOptions = ["--network=media-stack"];
 };
 }
diff --git a/nixos/lavender/containers/sonarr/default.nix b/nixos/lavender/containers/sonarr/default.nix
index 3465164..d20697b 100644
--- a/nixos/lavender/containers/sonarr/default.nix
+++ b/nixos/lavender/containers/sonarr/default.nix
@@ -10,5 +10,6 @@
 "/srv/data:/data"
 ];
 ports = [ "8989:8989" ];
+ extraOptions = ["--network=media-stack"];
 };
 }
diff --git a/nixos/lavender/containers/traefik/default.nix b/nixos/lavender/containers/traefik/default.nix
index 617ad14..e7f9b60 100644
--- a/nixos/lavender/containers/traefik/default.nix
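Review bot: `extraOptions = ["--network=media-stack"];` in the prowlarr container, and the same line added for qbittorrent, radarr, recyclarr and sonarr, relies on a network named media-stack already existing, and nothing in this diff creates it. Unless it is created elsewhere, these containers will fail to start on a fresh host or after the network has been pruned. A oneshot systemd unit that creates the network when it is missing, ordered before the container services, would make the dependency declarative. A short comment next to the option, such as `# requires the media-stack network, created by <unit name>`, would document it.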
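Review bot: The qbittorrent mappings `"8383:8080"` and `"32372:32372"` that sit next to the new network option still publish on every host address, while the pihole change in this commit pins its ports to one address; the prowlarr, radarr and sonarr hunks keep the same pattern. Now that the services share a user-defined network they can reach each other by container name, so the web UI ports may only need a loopback binding, for example `"127.0.0.1:8383:8080"`. That holds only if the UIs are fronted by traefik on the host, which is an assumption because traefik's network mode is not visible here. The torrent port 32372 presumably does need to stay reachable from outside.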
+++ b/nixos/lavender/containers/traefik/default.nix
@@ -11,11 +11,6 @@
 "/srv/containers/traefik/letsencrypt:/letsencrypt"
 "/srv/containers/traefik/secrets:/secrets"
 ];
- ports = [
- "80:80"
- "443:443"
- "8080:8080"
- ];
 environment = {
 CF_API_EMAIL_FILE = "/secrets/cf-api-email";
 CF_API_KEY_FILE = "/secrets/cf-api-key";