diff --git a/max.yml b/max.yml
index eb6771f..a17d2e2 100644
--- a/max.yml
+++ b/max.yml
@@ -26,11 +26,11 @@
 - {role: 'syncthing', tags: 'syncthing'}
 - {role: 'kms', tags: 'kms'}
 - {role: 'cyberchef', tags: 'cyberchef'}
- # - {role: 'radicale', tags: 'radicale'}
+ - {role: 'radicale', tags: 'radicale'}
 - {role: 'mastodon', tags: 'mastodon'}
 - {role: 'seafile', tags: 'seafile'}
 - {role: 'jitsi', tags: 'jitsi'}
- - {role: 'freshrss', tags: 'freshrss'}
+ # - {role: 'freshrss', tags: 'freshrss'}
 - {role: 'static', tags: 'static'}
 - {role: 'inbucket', tags: 'inbucket'}
 - {role: 'prometheus', tags: 'prometheus'}
diff --git a/roles/radicale/files/radicale.conf b/roles/radicale/files/radicale.conf
index 360d314..eb9df16 100644
--- a/roles/radicale/files/radicale.conf
+++ b/roles/radicale/files/radicale.conf
@@ -9,7 +9,7 @@ stock = utf-8
 [auth]
 realm = Radicale - Password Required
 type = htpasswd
-htpasswd_filename = /radicale/users
+htpasswd_filename = /config/users
 htpasswd_encryption = md5
 [rights]
diff --git a/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml
index 48afa89..5ac19d6 100644
--- a/roles/radicale/tasks/main.yml
+++ b/roles/radicale/tasks/main.yml
@@ -13,7 +13,7 @@
 - name: Copy radicale.conf
 copy:
 src: "{{ role_path }}/files/radicale.conf"
- dest: "{{ service_dir }}/config/radicale.conf"
+ dest: "{{ service_dir }}/config/config"
 - name: Copy users file
 copy:
 src: "{{ role_path }}/files/users"
diff --git a/roles/radicale/templates/docker-compose.yml.j2 b/roles/radicale/templates/docker-compose.yml.j2
index e8a51fd..70e0b29 100644
--- a/roles/radicale/templates/docker-compose.yml.j2
+++ b/roles/radicale/templates/docker-compose.yml.j2
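Review bot: In roles/radicale/files/radicale.conf the `[auth]` section still carries `htpasswd_encryption = md5` as the context line right after the changed `htpasswd_filename`, so the migrated service keeps verifying logins against MD5-based htpasswd hashes. Those are cheap to brute-force offline if the users file is ever disclosed through a backup, the repository or a host compromise. Since the image and config path are being reworked anyway, I would switch the line to `htpasswd_encryption = bcrypt` and regenerate `files/users` with bcrypt entries (`htpasswd -B`), after confirming the new image ships bcrypt support. The `[auth]` section continues outside the hunk, so other auth settings are not visible here.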
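Review bot: In roles/radicale/tasks/main.yml neither `copy` task sets `mode` or `owner`, and the second one (context, `src: "{{ role_path }}/files/users"`) deploys the htpasswd file, so the password hashes land with whatever permissions the default umask yields. I would add an explicit `mode: "0640"` plus an owner/group that the container user can read to the users-file task, and do the same for the renamed `config` destination. Unless `files/users` is already vaulted, it also sits in the repository in the clear; keeping it encrypted with ansible-vault works with `copy`, which decrypts on transfer by default. The users task runs past the end of the hunk, so its `dest` and any existing `mode` are not visible here.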
@@ -1,18 +1,28 @@
-version: '3'
-
-networks:
- traefik:
- external: true
+version: '3.7'
 services:
 radicale:
- restart: always
- image: mailu/radicale:1.9
+ image: tomsquest/docker-radicale
 container_name: radicale
+ init: true
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETUID
+ - SETGID
+ - CHOWN
+ - KILL
+ healthcheck:
+ test: curl -f http://127.0.0.1:5232 || exit 1
+ interval: 30s
+ retries: 3
+ restart: unless-stopped
 volumes:
 - {{ data_dir }}:/data
- - {{ service_dir }}/config:/radicale
- command: radicale -S -C /radicale/radicale.conf
+ - {{ service_dir }}/config:/config:ro
 networks:
 - traefik
 labels:
@@ -23,3 +33,7 @@ services:
 - traefik.http.routers.radicale.tls.certresolver=letsencrypt
 - traefik.http.routers.radicale.service=radicale
 - traefik.http.services.radicale.loadbalancer.server.port=5232
+
+networks:
+ traefik:
+ external: true
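Review bot: The new `image: tomsquest/docker-radicale` line in the first hunk has no tag, so every pull resolves to `latest`, whereas the line it replaces was pinned (`mailu/radicale:1.9`). For a third-party image this is a supply-chain and reproducibility gap: a re-deploy can silently pick up a different Radicale build than the one reviewed. Pin it to a vetted release, ideally by digest, e.g. `image: tomsquest/docker-radicale:<version>@sha256:<digest>`. With `read_only: true` only `/data` stays writable, so also confirm Radicale needs no other writable path; a `tmpfs` entry for `/tmp` is the usual remedy if it does.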