diff --git a/kubenix-modules/kitchenowl.nix b/kubenix-modules/kitchenowl.nix
index ff2ef57..76e0549 100644
--- a/kubenix-modules/kitchenowl.nix
+++ b/kubenix-modules/kitchenowl.nix
@@ -2,34 +2,36 @@
   kubernetes.resources = {
     secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/sops.yaml#/kitchenowl/jwtSecretKey";
 
-    deployments = {
+    deployments.kitchenowl = {
+      metadata.labels.app = "kitchenowl";
 
-      kitchenowl = {
-        metadata.labels.app = "kitchenowl";
+      spec = {
+        selector.matchLabels.app = "kitchenowl";
 
-        spec = {
-          selector.matchLabels.app = "kitchenowl";
+        template = {
+          metadata.labels.app = "kitchenowl";
 
-          template = {
-            metadata.labels.app = "kitchenowl";
+          spec = {
+            volumes.data.persistentVolumeClaim.claimName = "kitchenowl";
 
-            spec = {
-              volumes.data.persistentVolumeClaim.claimName = "kitchenowl";
+            containers.kitchenowl = {
+              image = "tombursch/kitchenowl:v0.5.1";
+              ports.web.containerPort = 8080;
 
-              containers.kitchenowl = {
-                image = "tombursch/kitchenowl:v0.5.1";
-                ports.web.containerPort = 8080;
-
-                env.JWT_SECRET_KEY.valueFrom.secretKeyRef = {
-                  name = "kitchenowl";
-                  key = "jwtSecretKey";
-                };
-
-                volumeMounts = [{
-                  name = "data";
-                  mountPath = "/data";
-                }];
+              env.JWT_SECRET_KEY.valueFrom.secretKeyRef = {
+                name = "kitchenowl";
+                key = "jwtSecretKey";
               };
+
+              volumeMounts = [{
+                name = "data";
+                mountPath = "/data";
+              }];
+            };
+
+            securityContext = {
+              fsGroup = 0;
+              fsGroupChangePolicy = "OnRootMismatch";
             };
           };
         };
diff --git a/kubenix-modules/volumes.nix b/kubenix-modules/volumes.nix
index 7b447eb..f4ca35f 100644
--- a/kubenix-modules/volumes.nix
+++ b/kubenix-modules/volumes.nix
@@ -5,14 +5,14 @@
 
   #     volumeMounts = [
   #       {
-  #         name = "forgejo";
-  #         mountPath = "/forgejo";
+  #         name = "kitchenowl";
+  #         mountPath = "/kitchenowl";
   #       }
   #     ];
   #   };
 
   #   volumes = {
-  #     forgejo.persistentVolumeClaim.claimName = "forgejo";
+  #     kitchenowl.persistentVolumeClaim.claimName = "kitchenowl";
   #   };
   # };
 
@@ -26,6 +26,7 @@
       pihole-data.storage = "750Mi";
       pihole-dnsmasq.storage = "16Mi";
       forgejo.storage = "20Gi";
+      kitchenowl.storage = "100Mi";
     };
 
     nfsVolumes = {
@@ -40,7 +41,6 @@
       bazarr-config.path = "bazarr/config";
       atticd.path = "atticd";
       syncthing.path = "syncthing/config";
-      kitchenowl.path = "kitchenowl/data";
       paperless-ngx-redisdata.path = "paperless-ngx/redisdata";
       paperless-ngx-data.path = "paperless-ngx/data";
     };
diff --git a/nixos-modules/data-sharing.nix b/nixos-modules/data-sharing.nix
index 6e013a1..eb833af 100644
--- a/nixos-modules/data-sharing.nix
+++ b/nixos-modules/data-sharing.nix
@@ -3,8 +3,6 @@ let
   cfg = config.lab.data-sharing;
 
   nfsShares = [
-    "/forgejo/data"
-    "/kitchenowl/data"
     "/syncthing/config"
     "/paperless-ngx/data"
     "/paperless-ngx/redisdata"