diff --git a/assets/entrypoint.sh b/assets/entrypoint.sh
index 5d2aff0..aafd57e 100755
--- a/assets/entrypoint.sh
+++ b/assets/entrypoint.sh
@@ -7,10 +7,21 @@ if [ "$1" = "vanguards" ]; then
     echo "Starting Vanguards Sidecar Mode..."
     shift # remove 'vanguards' from the arguments
     
-    # Extract the hostname from the arguments? 
-    # For now, we assume 'tor-service' as per the standard docker-compose setup
-    TARGET_HOST="tor-service"
+    # Extract TARGET_HOST from arguments (looking for --control_ip)
+    TARGET_HOST="tor-service" # Default fallback
     TARGET_PORT=9051
+    
+    # Simple argument parsing to find control_ip
+    next_is_ip=0
+    for arg in "$@"; do
+        if [ "$next_is_ip" -eq 1 ]; then
+            TARGET_HOST="$arg"
+            next_is_ip=0
+        fi
+        if [ "$arg" = "--control_ip" ]; then
+            next_is_ip=1
+        fi
+    done
 
     echo "Waiting for Tor Control Port at $TARGET_HOST:$TARGET_PORT..."
     # Use Python to wait for the port (more reliable than Alpine's nc)
@@ -72,7 +83,7 @@ if [ -n "$TOR_CONTROL_PASSWORD" ]; then
         exit 1
     fi
     
-    echo "ControlPort 0.0.0.0:9051" >> "$TOR_CONFIG"
+    echo "ControlPort 127.0.0.1:9051" >> "$TOR_CONFIG"
     echo "HashedControlPassword $HASHED_PASSWORD" >> "$TOR_CONFIG"
     echo "Control Password set."
 else
@@ -122,7 +133,15 @@ fi
 
 # 4. Ownership Fix (Crucial for Docker volumes)
 mkdir -p "$DATA_DIR/hidden_service/"
-chown -R tor:root "$DATA_DIR"
+# Ensure the current user owns the data directory (Fix for Podman/Docker permission mismatch)
+if [ "$(id -u)" = "0" ]; then
+    chown -R tor:root "$DATA_DIR"
+else
+    # Non-root (e.g. Podman rootless or user:1000), we just hope we have write access
+    # or that the volume was mounted with correct permissions.
+    # But let's try to be helpful if we are root-ish.
+    :
+fi
 chmod 700 "$DATA_DIR"
 chmod 700 "$DATA_DIR/hidden_service/"
 
diff --git a/docker-compose.yml b/docker-compose.yml
index f1ced55..3d228aa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,16 +4,20 @@ services:
     build: .
     image: docker-tor-hidden-service:latest
     container_name: tor-service
+    user: "0:0"
     restart: unless-stopped
+    network_mode: host
     environment:
       # Format: ExternalPort:ContainerName:InternalPort
-      - HIDDEN_SERVICE_HOSTS=80:web:80
+      # Since we are on host network, 'web' hostname won't resolve via Docker DNS.
+      # We must point to localhost if nginx is also on host network.
+      - HIDDEN_SERVICE_HOSTS=80:localhost:80
       - TOR_CONTROL_PASSWORD=secure_password
-    ports:
-      - "9051:9051" 
-      - "9050:9050" 
+    # ports:  <-- Not needed in host mode
+    #   - "9051:9051"
+    #   - "9050:9050"
     volumes:
-      - tor-data:/var/lib/tor/
+      - ./tor-data:/var/lib/tor/:z
     depends_on:
       - web
 
@@ -22,19 +26,25 @@ services:
     image: nginx:alpine
     container_name: my-website
     restart: unless-stopped
+    network_mode: host
+    volumes:
+      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
 
   # Vanguards Service - Sidecar
   vanguards:
     build: .
     image: docker-tor-hidden-service:latest
     container_name: vanguards-sidecar
+    user: "0:0"
     restart: unless-stopped
+    network_mode: host
     # The 'vanguards' first word triggers the logic in your entrypoint.sh
-    command: vanguards --control_ip tor-service --control_port 9051 --control_pass secure_password
+    # Connect to localhost since we share the network stack
+    command: vanguards --control_ip localhost --control_port 9051 --control_pass secure_password
     depends_on:
       - tor
     volumes:
-      - tor-data:/var/lib/tor/
+      - ./tor-data:/var/lib/tor/:z
 
 volumes:
-  tor-data:
+  tor-data-new:
diff --git a/nginx/default.conf b/nginx/default.conf
new file mode 100644
index 0000000..6ee82e5
--- /dev/null
+++ b/nginx/default.conf
@@ -0,0 +1,24 @@
+server {
+    listen 80;
+    server_name localhost;
+
+    # Basic error logging
+    error_log /var/log/nginx/error.log warn;
+
+    location / {
+        # CHANGE THIS to your actual Netbird Service IP and Port
+        # Example: proxy_pass http://100.64.0.10:5000;
+        proxy_pass http://100.x.x.x:5000;
+        
+        # Standard Proxy Headers required for most apps
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket Support (if needed later)
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}