diff --git a/cloud-init/swarm-manager.yml b/cloud-init/swarm-manager.yml
index 171422a..10db3b3 100644
--- a/cloud-init/swarm-manager.yml
+++ b/cloud-init/swarm-manager.yml
@@ -16,6 +16,7 @@ packages:
 - iptables-persistent
 - unattended-upgrades
 - apt-listchanges
+ - auditd
 write_files:
 - path: /etc/iptables/rules.v4
@@ -83,6 +84,23 @@ write_files:
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
 APT::Periodic::AutocleanInterval "7";
+ - path: /etc/audit/rules.d/docker.rules
+ permissions: 0640
+ owner: root:root
+ content: |
+ -w /etc/docker -k docker
+ -w /etc/default/docker -k docker
+ -w /etc/docker/daemon.json -k docker
+ -w /etc/containerd/config.toml -k docker
+ -w /lib/systemd/system/docker.service -k docker
+ -w /lib/systemd/system/docker.socket -k docker
+ -w /run/containerd -k docker
+ -w /usr/bin/containerd -k docker
+ -w /usr/bin/containerd-shim -k docker
+ -w /usr/bin/containerd-shim-runc-v1 -k docker
+ -w /usr/bin/containerd-shim-runc-v2 -k docker
+ -w /usr/bin/runc -k docker
+ -w /var/lib/docker -k docker
 runcmd:
 - 'iptables-restore < /etc/iptables/rules.v4'
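Review bot: `permissions: 0640` on the new `/etc/audit/rules.d/docker.rules` entry is an unquoted octal literal; cloud-init's loader happens to accept the resulting integer, but the documented form is a quoted string and a YAML 1.2 parser would read `0640` as decimal 640, so write `permissions: '0640'` (the same entry is added to swarm-worker.yml in the `@@ -81,6 +82,23 @@` hunk). The rules watch `/etc/docker/daemon.json` and `/etc/containerd/config.toml` before those files exist on first boot; auditd generally accepts watches on not-yet-present paths, but since the rule set is only as good as what the daemon actually loads, a post-provisioning check such as `auditctl -l | grep -c 'key=docker'` should be part of the rollout. `-w` without `-p` records reads as well as writes, so `/var/lib/docker` and `/run/containerd` will be the noisiest entries; if log volume becomes a problem, narrowing those two with `-p wa` keeps the change-detection value while dropping read events.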
@@ -109,10 +127,10 @@ runcmd:
 - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
- - [mkdir, -p, /usr/local/apt-keys]
- - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
- - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
+ # - [mkdir, -p, /usr/local/apt-keys]
+ # - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
+ # - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
+ # - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
 - [mkdir, -p, /etc/apt/keyrings]
 - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
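Review bot: The four removed yggdrasil repository steps are kept as `#`-commented runcmd entries rather than deleted, which leaves a dead third-party key fingerprint and repository URL in the provisioning file; prefer removing them outright, since git history preserves them and commented-out provisioning steps tend to get re-enabled later without the source being re-reviewed. The same pattern appears in swarm-worker.yml (`@@ -113,10 +131,10 @@`) and in the `@@ -120,10 +138,12 @@` and `@@ -124,12 +142,14 @@` hunks that comment out the yggdrasil `sed` calls. If the intent is to keep yggdrasil optional, a single line such as `# yggdrasil overlay disabled, see <ISSUE_OR_COMMIT_PLACEHOLDER>` documents that more clearly than the retained commands.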
@@ -120,10 +138,12 @@ runcmd:
 - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
 - [apt-get, update]
- - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
+ - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'
- - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
- - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
+ - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]
+
+ # - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
+ # - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
 #- [systemctl, enable, --now, yggdrasil]
 - [timedatectl, set-timezone, Europe/Rome]
diff --git a/cloud-init/swarm-worker.yml b/cloud-init/swarm-worker.yml
index 8bd69b5..b1f124f 100644
--- a/cloud-init/swarm-worker.yml
+++ b/cloud-init/swarm-worker.yml
@@ -17,6 +17,7 @@ packages:
 - glusterfs-client
 - unattended-upgrades
 - apt-listchanges
+ - auditd
 write_files:
 - path: /etc/iptables/rules.v4
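Review bot: The added `curl` fetches `/etc/docker/daemon.json` from the `master` branch of a remote git host without `-f`/`--fail`, and it runs after `apt-get install ... docker-ce` has already started dockerd, so on first boot the daemon runs without the `icc`/`userland-proxy` settings, and an error page or redirect body from the host would be written verbatim as the daemon config and break the next docker start. The minimal fix inside this hunk is `- [curl, -fsSL, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]` followed by `- [systemctl, restart, docker]`, matching the `curl -fsSL` form already used for the Docker apt key. The more robust option is to drop the boot-time fetch entirely and place the four-line JSON (added in this same commit as docker/etc/docker/daemon.json) into the `write_files` section, which cloud-init processes before package installation, so dockerd starts with the intended config and provisioning no longer depends on the content of a mutable remote branch. The same curl is added to swarm-worker.yml in `@@ -124,12 +142,14 @@`.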
@@ -81,6 +82,23 @@ write_files:
 append: true
 content: |
 /swapfile swap swap defaults 0 0
+ - path: /etc/audit/rules.d/docker.rules
+ permissions: 0640
+ owner: root:root
+ content: |
+ -w /etc/docker -k docker
+ -w /etc/default/docker -k docker
+ -w /etc/docker/daemon.json -k docker
+ -w /etc/containerd/config.toml -k docker
+ -w /lib/systemd/system/docker.service -k docker
+ -w /lib/systemd/system/docker.socket -k docker
+ -w /run/containerd -k docker
+ -w /usr/bin/containerd -k docker
+ -w /usr/bin/containerd-shim -k docker
+ -w /usr/bin/containerd-shim-runc-v1 -k docker
+ -w /usr/bin/containerd-shim-runc-v2 -k docker
+ -w /usr/bin/runc -k docker
+ -w /var/lib/docker -k docker
 - path: /etc/hosts
 append: true
 content: |
@@ -113,10 +131,10 @@ runcmd:
 - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
- - [mkdir, -p, /usr/local/apt-keys]
- - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
- - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
+ # - [mkdir, -p, /usr/local/apt-keys]
+ # - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
+ # - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
+ # - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
 - [mkdir, -p, /etc/apt/keyrings]
 - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
@@ -124,12 +142,14 @@ runcmd:
 - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
 - [apt-get, update]
- - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
+ - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'
- - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
- - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
+ # - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
+ # - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
 #- [systemctl, enable, --now, yggdrasil]
+ - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]
+
 - [timedatectl, set-timezone, Europe/Rome]
 - [mkdir, /mnt/swarm-data]
diff --git a/docker/etc/docker/daemon.json b/docker/etc/docker/daemon.json
new file mode 100644
index 0000000..cee3a96
--- /dev/null
+++ b/docker/etc/docker/daemon.json
@@ -0,0 +1,4 @@
+{
+ "userland-proxy": false,
+ "icc": false
+}
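Review bot: `"icc": false` in the new daemon.json only governs the default `docker0` bridge; containers attached to user-defined bridge networks or to swarm overlay networks are unaffected, so on swarm nodes this setting provides narrower isolation than its name suggests and that scope should be recorded where the file is installed. `"userland-proxy": false` makes every published port depend solely on Docker's own iptables NAT chains, and both cloud-init files restore a hand-written `/etc/iptables/rules.v4` with `iptables-restore`, so it is worth confirming that rule set (outside this diff) does not flush or shadow the DOCKER/DOCKER-USER chains after a reboot. Since JSON cannot carry comments, a short note in the repository README or beside the cloud-init entry that installs this file, e.g. `# icc=false isolates only the default bridge; overlay networks are unaffected`, would keep the intent visible to the next maintainer; `"no-new-privileges": true` is the usual companion hardening key to consider alongside these two.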