diff --git a/README.md b/README.md index fccfa0e..fc94c5f 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,6 @@ id\_rsa\_operator_pub is baked into the image generated by Packer (see `nixos/ni ### NixOS #### Building NixOS Images (Snapshots) with Packer -The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provider by Hetzner Cloud. The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provided by Hetzner Cloud. Two arguments may be supplied, `VERSION=` to specify the desired NixOS release (see [NixOS Release Notes](https://nixos.org/manual/nixos/stable/release-notes.html)) and `BUILD=` with which you can track versions of the images that have been created. @@ -159,12 +158,13 @@ $ make infra-destroy MODULE=compute The following sections assume the environment to be called 'production'. #### Configure Environment in `config.json` and `secrets.json` -Set the environment name and desired NixOS image/snapshot ID in `config.json`: Set the environment name, domain names and desired NixOS image/snapshot ID in `config.json`: ```json { - "terraform_packer_environment": "production" - tbd + "terraform_packer_environment": "production", + "nixos_snapshot_id": "1234567", + "domain_name_production": "guidelines.ch", + "domain_alternative_names_production": "*.guidelines.ch" } ``` Use your personal Gitlab deployment- and Hetzner Cloud tokens. @@ -178,7 +178,7 @@ Use your personal Gitlab deployment- and Hetzner Cloud tokens. "gitlab_deploy_token_password": "", "aws_access_key_id": "", "aws_secret_access_key": "", - "kibana_elasticsearch_password_production": "", + "elasticsearch_password_production": "", "hcloud_token_production": "", "vault_db_password_production": "" } 
@@ -263,7 +263,7 @@ If this file exists and contains a valid master key, Vault will be unsealed auto #### Configuring Elasticsearch Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/). -Sign in with the user 'elastic' and password 'changeme' and go change the password in 'Management' -> 'Security' -> 'Users'. +The password is derieved from the `elasticsearch_password_` key in `secrets.json` #### Configuring Guidelines ``` diff --git a/infrastructure/modules/compute/certbot.sh b/infrastructure/modules/compute/certbot.sh index afb413e..b4ab225 100644 --- a/infrastructure/modules/compute/certbot.sh +++ b/infrastructure/modules/compute/certbot.sh @@ -42,7 +42,6 @@ update_load_balancer() { case "$1" in *[0-9]*) _proto=https - _redirect_http="true" _certs="[$1]" ;; "") @@ -58,6 +57,14 @@ update_load_balancer() { esac for sp in $service_ports; do + case "$sp" in + "443") + _redirect_http="true" + ;; + *) + _redirect_http="false" + ;; + esac error=$($curl -s -XPOST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d "{\"listen_port\": $sp, \"protocol\": \"$_proto\", \"http\":{\"redirect_http\": $_redirect_http, \"certificates\": $_certs}}" "https://api.hetzner.cloud/v1/load_balancers/$lb_id/actions/update_service" | $jq -r '.error') case "$(printf "%s" "$error" | $jq -r '.code')" in "null") diff --git a/infrastructure/modules/compute/nix/guidelines.nix b/infrastructure/modules/compute/nix/guidelines.nix index 13151a2..0dc05c4 100644 --- a/infrastructure/modules/compute/nix/guidelines.nix +++ b/infrastructure/modules/compute/nix/guidelines.nix 
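Review bot: The new `case "$sp"` keys the redirect on the listen port alone, so port 443 is sent with `"redirect_http": true` whichever branch of the outer `case "$1"` ran, including the `""` branch whose body lies outside this hunk and which presumably leaves `_proto` at plain `http`. As far as I recall the Hetzner API only accepts `redirect_http` on an `https` service, so that combination would be rejected or silently meaningless. Tying the flag to the protocol, `if [ "$sp" = "443" ] && [ "$_proto" = "https" ]; then _redirect_http="true"; else _redirect_http="false"; fi`, keeps the two consistent and replaces the eight added lines. A comment such as `# only the HTTPS listener redirects plain HTTP` next to the `443` literal would explain the magic number. update_load_balancer starts before this hunk, and the previous hunk removed the old unconditional `_redirect_http="true"` from the `*[0-9]*` branch.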
@@ -48,6 +48,28 @@ in }; }; + oci-containers.containers."deploymentagent" = { + image = "registry.gitlab.com/infektweb/glv5/hetzner-cloud-environment/deploymentagent:poc-integration"; + ports = [ + "5000:5000" + ]; + extraOptions = [ + "--add-host=host:10.0.1.51" + ]; + environment = { + "VAULT_SECRET_PATH" = "kv/data/guidelines/${(builtins.readFile /opt/cloud-init-misc-data/environment)}/deploymentagent"; + "VAULT_URL" = "http://host:8200"; + "NIXOS_REBUILD_SOCKET_URL" = "host:4444"; + "DEPLOYMENT_STATE_FILE" = "/guidelines.json"; + }; + volumes = [ + "/mnt/data/vault-deploymentagent-api-token:/vault-token" + "/run/podman-containers.sock:/tmp/podman/podman.sock" + "/mnt/data/guidelines.json:/guidelines.json" + ]; + #extraDockerOptions = [ "--network=foo" ]; + }; + #oci-containers.containers."containerapi" = { # image = "alpine"; # volumes = [ @@ -69,5 +91,6 @@ in services.redis.enable = true; services.redis.requirePass = "p15c4e6538de2061edd65a52ab216ba071d78b1532a937c1c3d5821d5c571c0cf"; - networking.firewall.allowedTCPPorts = [ 6379 ]; + + networking.firewall.allowedTCPPorts = [ 6379 5000 4444 ]; } diff --git a/infrastructure/modules/ingress/load_balancers.tf b/infrastructure/modules/ingress/load_balancers.tf index 1765051..87d5223 100644 --- a/infrastructure/modules/ingress/load_balancers.tf +++ b/infrastructure/modules/ingress/load_balancers.tf @@ -35,7 +35,7 @@ resource "hcloud_load_balancer_service" "guidelines-http-to-https-with-terminati // TODO: Add health check } -resource "hcloud_load_balancer_service" "guidelines-kibana-http-to-https-with-termination" { +resource "hcloud_load_balancer_service" "guidelines-kibana-https-with-termination" { load_balancer_id = hcloud_load_balancer.guidelines.id protocol = "http" listen_port = 8443 
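Review bot: `builtins.readFile` returns the file verbatim, so if `/opt/cloud-init-misc-data/environment` ends with a newline (as most writers leave it) `VAULT_SECRET_PATH` becomes `kv/data/guidelines/production<newline>/deploymentagent` and the secret lookup fails; `lib.fileContents` strips the trailing newline, or with builtins only `builtins.replaceStrings ["\n"] [""] (builtins.readFile /opt/cloud-init-misc-data/environment)`. The volume `/run/podman-containers.sock:/tmp/podman/podman.sock` hands the container the host's Podman socket, i.e. control over every other container on the host and root-equivalent access if the socket is rootful, which deserves a comment next to the mount such as `# presumably needed so the agent can manage the guidelines containers; grants full control of the host runtime`, and the Vault token mount could be read-only (`:ro`). The image is pulled by the mutable tag `poc-integration`; pinning it by digest (`image = "registry.gitlab.com/...:poc-integration@sha256:<digest>"`, digest to be filled in) makes the deployment reproducible and keeps a retagged image from silently changing what runs. The `oci-containers` attribute sits inside a set whose opening line is outside the hunk.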
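Review bot: `networking.firewall.allowedTCPPorts = [ 6379 5000 4444 ];` opens the deployment-agent port and the nixos-rebuild trigger port on every interface, although system.nix in this same diff deliberately binds 4444 to `10.0.1.51` only and the agent is presumably reached through the load balancer on the private network. Scoping the rule to that interface, `networking.firewall.interfaces.<private-iface>.allowedTCPPorts = [ 5000 4444 ];` (the interface name is a placeholder, it does not appear in the diff), keeps the host-level exposure consistent with the socket binding. A one-line comment naming the consumer of each port, `# 5000: deploymentagent via LB, 4444: nixos-rebuild trigger used by the agent container`, would also record why they are open. The enclosing attribute set starts before this hunk.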
@@ -49,16 +49,28 @@ resource "hcloud_load_balancer_service" "guidelines-kibana-http-to-https-with-te // TODO: Add health check } -resource "hcloud_load_balancer_service" "vault-http-to-https-with-termination" { +resource "hcloud_load_balancer_service" "guidelines-deploymentagent-https-with-termination" { load_balancer_id = hcloud_load_balancer.guidelines.id protocol = "http" listen_port = 9443 - destination_port = 8200 + destination_port = 5000 http { sticky_sessions = false #certificates = [] #redirect_http = true } + + health_check { + protocol = "http" + port = 5000 + interval = 15 + timeout = 10 + http { + path = "/status" + status_codes = [ 401 ] + tls = false + } + } // TODO: Add health check } diff --git a/nixos/nix/system.nix b/nixos/nix/system.nix index 0ddd357..c7cf90b 100644 --- a/nixos/nix/system.nix +++ b/nixos/nix/system.nix @@ -43,7 +43,7 @@ }; systemd.sockets.socket-nixos-rebuild-trigger = { - listenStreams = [ "0.0.0.0:4444" ]; + listenStreams = [ "10.0.1.51:4444" ]; partOf = [ "socket-nixos-rebuild-trigger.service" ]; wantedBy = [ "sockets.target" ]; };
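Review bot: The trailing `// TODO: Add health check` inside the renamed resource is stale now that a `health_check` block sits two lines above it and should go with this change. The block still declares `protocol = "http"` while its name says `https-with-termination` and `#certificates`/`#redirect_http` stay commented out, so on the Terraform side 9443 is a plaintext listener in front of the deployment agent; if certbot.sh in this diff later flips the service to `https` through the API (its `$service_ports` are not visible here), the next plan will show drift, and a comment such as `# TLS is enabled out-of-band by certbot.sh once certificates exist` would make that expectation explicit. Accepting only `401` in `status_codes` is fine for an auth-required probe, but a short comment stating that `/status` answers 401 without credentials would stop the next reader from taking it for a misconfiguration.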
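Review bot: Binding the trigger socket to `10.0.1.51:4444` is an improvement over `0.0.0.0`, but a socket unit that names a specific address fails at boot if that address is not yet assigned when `sockets.target` starts; adding `socketConfig.FreeBind = true;` to the unit (systemd's `FreeBind=` option) lets it bind before the private interface comes up. The same address is hard-coded in guidelines.nix's `--add-host=host:10.0.1.51` in this diff, so if the two modules are evaluated together, a single option or `let` binding shared by both would keep them from drifting apart. Whether the service behind the socket authenticates its peer is not visible here; if it does not, a comment stating that any host on the private network can trigger a rebuild would document the trust boundary.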