diff --git a/main.tf b/main.tf
index 1966bb6d..f1df7250 100644
--- a/main.tf
+++ b/main.tf
@@ -65,6 +65,8 @@ variable "ingress_honeypotapikey" {}
 variable "ingress_crowdsec_api_key" {}
 variable "ingress_crowdsec_captcha_secret_key" {}
 variable "ingress_crowdsec_captcha_site_key" {}
+variable "crowdsec_enroll_key" { type = string }
+variable "crowdsec_db_password" { type = string }
 variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
@@ -379,6 +381,8 @@ module "kubernetes_cluster" {
 ingress_crowdsec_api_key = var.ingress_crowdsec_api_key
 ingress_crowdsec_captcha_secret_key = var.ingress_crowdsec_captcha_secret_key
 ingress_crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
+crowdsec_enroll_key = var.crowdsec_enroll_key
+crowdsec_db_password = var.crowdsec_db_password
 vaultwarden_smtp_password = var.vaultwarden_smtp_password
diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf
index 14a92de0..6d661011 100644
--- a/modules/kubernetes/crowdsec/main.tf
+++ b/modules/kubernetes/crowdsec/main.tf
@@ -1,6 +1,8 @@
 variable "tls_secret_name" {}
 variable "homepage_username" {}
 variable "homepage_password" {}
+variable "db_password" {}
+variable "enroll_key" {}
 module "tls_secret" {
 source = "../setup_tls_secret"
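Review bot: The two new variables `crowdsec_enroll_key` and `crowdsec_db_password` are given a type but not `sensitive = true`, so their values are echoed verbatim in `terraform plan`/`apply` output and in any CI log that captures it; the same applies to `db_password`/`enroll_key` declared in modules/kubernetes/crowdsec/main.tf and to the re-declarations in modules/kubernetes/main.tf. Add `sensitive = true` alongside `type = string` in each of those variable blocks (as a multi-line block, since HCL one-line blocks take a single attribute). Note this only redacts CLI output; the values still land in the state file, so state storage and access should be treated as secret-bearing regardless.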
@@ -14,95 +16,16 @@ resource "kubernetes_namespace" "crowdsec" {
 }
 }
-resource "kubernetes_persistent_volume" "db" {
- metadata {
- name = "crowdsec-db"
- }
- spec {
- capacity = {
- "storage" = "2Gi"
- }
- access_modes = ["ReadWriteOnce"]
- persistent_volume_source {
- nfs {
- path = "/mnt/main/crowdsec/db"
- server = "10.0.10.15"
- }
- }
- claim_ref {
- name = "crowdsec-db-pvc"
- namespace = "crowdsec"
- }
- }
-}
-
-resource "kubernetes_persistent_volume" "config" {
- metadata {
- name = "crowdsec-config"
- }
- spec {
- capacity = {
- "storage" = "2Gi"
- }
- access_modes = ["ReadWriteOnce"]
- persistent_volume_source {
- nfs {
- path = "/mnt/main/crowdsec/config"
- server = "10.0.10.15"
- }
- }
- claim_ref {
- name = "crowdsec-config-pvc"
- namespace = "crowdsec"
- }
- }
-}
-
 resource "helm_release" "crowdsec" {
 namespace = "crowdsec"
 create_namespace = true
 name = "crowdsec"
 atomic = true
- version = "0.19.2"
+ version = "0.19.4"
 repository = "https://crowdsecurity.github.io/helm-charts"
 chart = "crowdsec"
- values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password })]
+ values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key })]
 timeout = 3600
 }
-
-# resource "kubernetes_ingress_v1" "metabase" {
-# metadata {
-# name = "metabase"
-# namespace = "crowdsec"
-# annotations = {
-# "kubernetes.io/ingress.class" = "nginx"
-# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
-# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
-# }
-# }
-
-# spec {
-# tls {
-# hosts = ["metabase.viktorbarzin.me"]
-# secret_name = var.tls_secret_name
-# }
-# rule {
-# host = "metabase.viktorbarzin.me"
-# http {
-# path {
-# path = "/"
-# backend {
-# service {
-# name = "crowdsec-service"
-# port {
-# number = 3000
-# }
-# }
-# }
-# }
-# }
-# }
-# }
-# }
diff --git a/modules/kubernetes/crowdsec/values.yaml b/modules/kubernetes/crowdsec/values.yaml
index 5f5447ff..555c99ae 100644
--- a/modules/kubernetes/crowdsec/values.yaml
+++ b/modules/kubernetes/crowdsec/values.yaml
@@ -19,13 +19,56 @@ agent:
 - name: COLLECTIONS
 value: "crowdsecurity/nginx"
 lapi:
- replicas: 3
+ replicas: 1
+ extraSecrets:
+ dbPassword: "${DB_PASSWORD}"
+ storeCAPICredentialsInSecret: true
+ persistentVolume:
+ config:
+ enabled: false
+ data:
+ enabled: false
 env:
+ - name: ENROLL_KEY
+ value: "${ENROLL_KEY}"
+ - name: ENROLL_INSTANCE_NAME
+ value: "k8s-cluster"
+ - name: ENROLL_TAGS
+ value: "k8s linux"
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: crowdsec-lapi-secrets
+ key: dbPassword
 # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
 # - name: DISABLE_ONLINE_API
 # value: "true"
 dashboard:
 enabled: true
+ env:
+ - name: MB_DB_TYPE
+ value: "mysql"
+ - name: MB_DB_DBNAME
+ value: crowdsec-metabase
+ - name: MB_DB_USER
+ value: "crowdsec"
+ - name: MB_DB_PASS
+ value: "${DB_PASSWORD}"
+ - name: MB_DB_HOST
+ value: "mysql.dbaas.svc.cluster.local"
+
+ - name: MB_EMAIL_SMTP_USERNAME
+ value: "info@viktorbarzin.me"
+ - name: MB_EMAIL_FROM_ADDRESS
+ value: "info@viktorbarzin.me"
+ - name: MB_EMAIL_SMTP_HOST
+ value: "mailserver.mailserver.svc.cluster.local"
+ - name: MB_EMAIL_SMTP_PASSWORD
+ value: "" # Ignore for now as it's unclear what notifications we can get
+ - name: MB_EMAIL_SMTP_PORT
+ value: "587"
+ - name: MB_EMAIL_SMTP_SECURITY
+ value: "starttls"
 ingress:
 enabled: true
 annotations:
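Review bot: The changed `values` line now renders `var.db_password` and `var.enroll_key` straight into the templated values string, and `helm_release.values` is not treated as sensitive by the provider, so the full rendered YAML including both secrets shows up in `terraform plan` diffs and in state. The smallest fix is to mark the module's `db_password` and `enroll_key` variables `sensitive = true`: Terraform propagates sensitivity through `templatefile`, so the whole `values` entry is then redacted in plan output. A cleaner shape is to keep only non-secret data in the template and pass the one value the chart needs as a secret through the provider's `set_sensitive` mechanism (e.g. `lapi.extraSecrets.dbPassword` set to `var.db_password`), with the exact block or attribute syntax depending on the helm provider version in use. Either way the value still lives in state, so state storage remains the control that matters.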
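Review bot: In the dashboard `env` list, `MB_DB_PASS` is set as a literal `value: "${DB_PASSWORD}"`, so the rendered password is baked into the Metabase Deployment's pod spec and is readable by anyone who can get or describe that Deployment or its pods, whereas the lapi side in the same hunk correctly reads `DB_PASSWORD` from the `crowdsec-lapi-secrets` Secret via `secretKeyRef`. Use the same `valueFrom.secretKeyRef` for `MB_DB_PASS`, assuming the chart creates that Secret in the namespace the dashboard pod runs in (it appears to be the same release). `ENROLL_KEY` has the same literal-`value` shape; an enrolment key is less damaging to expose, but it could be moved into a Secret the same way. Separately, `MB_DB_USER: "crowdsec"` reuses the LAPI database account for Metabase; if that account has write access to the `crowdsec` database, a read-only account scoped to what the dashboard needs would be the least-privilege option.

```yaml
    # … unchanged: MB_DB_TYPE, MB_DB_DBNAME, MB_DB_USER entries …
    - name: MB_DB_PASS
      valueFrom:
        secretKeyRef:
          name: crowdsec-lapi-secrets
          key: dbPassword
    # … unchanged: MB_DB_HOST and MB_EMAIL_* entries …
```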
@@ -55,3 +98,23 @@ lapi:
 enabled: true
 strategy:
 type: RollingUpdate
+
+config:
+ config.yaml.local: |
+ db_config:
+ type: mysql
+ user: crowdsec
+ password: ${DB_PASSWORD}
+ db_name: crowdsec
+ host: mysql.dbaas.svc.cluster.local
+ port: 3306
+ api:
+ server:
+ auto_registration: # Activate if not using TLS for authentication
+ enabled: true
+ token: "$${REGISTRATION_TOKEN}" # /!\ do not change
+ allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
+ - "127.0.0.1/32"
+ - "192.168.0.0/16"
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
diff --git a/modules/kubernetes/immich/chart_values.tpl b/modules/kubernetes/immich/chart_values.tpl
index fc5da9a4..59c75c09 100644
--- a/modules/kubernetes/immich/chart_values.tpl
+++ b/modules/kubernetes/immich/chart_values.tpl
@@ -29,7 +29,7 @@ env:
 # IMMICH_MACHINE_LEARNING_URL: "http://immich-machine-learning.immich.svc.cluster.local:3003"
 image:
- tag: v1.140.0
+ tag: v1.140.1
 immich:
 persistence:
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 835c5acf..39b7992a 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -52,6 +52,8 @@ variable "ingress_honeypotapikey" {}
 variable "ingress_crowdsec_api_key" {}
 variable "ingress_crowdsec_captcha_secret_key" {}
 variable "ingress_crowdsec_captcha_site_key" {}
+variable "crowdsec_enroll_key" { type = string }
+variable "crowdsec_db_password" { type = string }
 variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
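Review bot: In `config.yaml.local`, `password: ${DB_PASSWORD}` is a Terraform template interpolation, so the plain password is rendered into the chart's ConfigMap, while the `token` line just below is deliberately escaped as `$${REGISTRATION_TOKEN}` so that CrowdSec expands it from the environment at runtime. Since the lapi pod already receives `DB_PASSWORD` from the `crowdsec-lapi-secrets` Secret via `secretKeyRef` in the earlier hunk, escaping this line the same way, `password: $${DB_PASSWORD}`, keeps the password out of the ConfigMap; confirm that the lapi container is the one that loads this file and that its env expansion applies to `db_config`. Separately, `allowed_ranges` lists all three RFC 1918 blocks plus loopback, which the inline comment itself says should be adapted to the cluster's pod ranges; narrowing it to the actual pod (and, if needed, service) CIDR limits which clients can use token-based auto-registration as log processors.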
@@ -423,12 +425,14 @@ module "nginx-ingress" {
 crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
 }
-# module "crowdsec" {
-# source = "./crowdsec"
-# tls_secret_name = var.tls_secret_name
-# homepage_username = var.homepage_credentials["crowdsec"]["username"]
-# homepage_password = var.homepage_credentials["crowdsec"]["password"]
-# }
+module "crowdsec" {
+ source = "./crowdsec"
+ tls_secret_name = var.tls_secret_name
+ homepage_username = var.homepage_credentials["crowdsec"]["username"]
+ homepage_password = var.homepage_credentials["crowdsec"]["password"]
+ enroll_key = var.crowdsec_enroll_key
+ db_password = var.crowdsec_db_password
+}
 # Seems like it needs S3 even if pg is local...
 # module "resume" {
diff --git a/modules/kubernetes/nginx-ingress/main.tf b/modules/kubernetes/nginx-ingress/main.tf
index 1a7fb4df..8f6c3c18 100644
--- a/modules/kubernetes/nginx-ingress/main.tf
+++ b/modules/kubernetes/nginx-ingress/main.tf
@@ -331,8 +331,8 @@ resource "kubernetes_config_map" "ingress_nginx_controller" {
 setvar:tx.block_harvester_ip=1,\
 setvar:tx.block_spammer_ip=1"
 EOT
- # plugins = "crowdsec" # metabase causing high cpu?
- plugins = ""
+ plugins = "crowdsec"
+ # plugins = ""
 lua-shared-dicts = "crowdsec_cache: 50m"
 http-snippet : <<-EOT
 proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static-cache:2m max_size=100m inactive=7d use_temp_path=off;
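Review bot: The removed line `# plugins = "crowdsec" # metabase causing high cpu?` recorded why the plugin had been turned off, and the new `# plugins = ""` keeps a dead alternative while dropping that rationale, so the next person to see CPU pressure on the controller has no pointer to the earlier finding. Either delete the commented-out line or replace it with a comment that states the outcome, for example `# crowdsec plugin re-enabled; earlier high-CPU suspicion was attributed to the dashboard, which now uses an external MySQL (see crowdsec/values.yaml)` — adjust the wording if the external-database move in this commit is not what resolved it, since that link is inferred rather than stated anywhere in the diff.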
@@ -522,23 +522,23 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
 name = "MODE"
 value = "stream"
 }
- # env {
- # name = "CAPTCHA_PROVIDER"
- # value = "recaptcha"
- # }
 env {
- name = "BOUNCING_ON_TYPE"
- # value = "all"
- value = "ban"
+ name = "CAPTCHA_PROVIDER"
+ value = "recaptcha"
+ }
+ env {
+ name = "BOUNCING_ON_TYPE"
+ value = "all"
+ # value = "ban"
+ }
+ env {
+ name = "SECRET_KEY"
+ value = var.crowdsec_captcha_secret_key
+ }
+ env {
+ name = "SITE_KEY"
+ value = var.crowdsec_captcha_site_key
 }
- # env {
- # name = "SECRET_KEY"
- # value = var.crowdsec_captcha_secret_key
- # }
- # env {
- # name = "SITE_KEY"
- # value = var.crowdsec_captcha_site_key
- # }
 # env {
 # name = "DISABLE_RUN"