diff --git a/.env b/.env
new file mode 100644
index 0000000..b44966c
--- /dev/null
+++ b/.env
@@ -0,0 +1,51 @@
+# Required
+# Mail domain
+MYVEMAIL_SUBDOMAIN={{MYVEMAIL_SUBDOMAIN}}
+MYVEMAIL_DOMAIN={{MYVEMAIL_DOMAIN}}
+
+# Webmail port
+MYVEMAIL_PORT={{MYVEMAIL_PORT}}
+
+# Optional
+# Version: latest or stable (defaults to latest)
+MYVEMAIL_VERSION={{MYVEMAIL_VERSION}}
+
+# Additional mail domains separated by commas
+MYVEMAIL_ADDMX=
+
+# Backup mail servers separated by commas
+MYVEMAIL_BACKUPMX=
+
+# Whitelist SPF
+MYVEMAIL_WHITELIST_HELO=
+
+# Whitelist domains separated by commas (eg. website.tld,web.website.tld)
+MYVEMAIL_WHITELIST_DOMAINS=
+
+# Whitelist invididual email addresses (eg. email@website.tld,email2@website2.tld2)
+MYVEMAIL_WHITELIST_EMAILS=
+
+# Blacklist domains separated by commas (eg. website.tld,web.website.tld)
+MYVEMAIL_BLACKLIST_DOMAINS=
+
+# Blacklist invididual email addresses (eg. email@website.tld,email2@website2.tld2)
+MYVEMAIL_BLACKLIST_EMAILS=
+
+# Volumes
+MYVEMAIL_VOLUME_MARIADB=
+MYVEMAIL_VOLUME_SSL=
+MYVEMAIL_VOLUME_DATA=
+MYVEMAIL_VOLUME_MAIL=
+MYVEMAIL_VOLUME_LOGS=
+MYVEMAIL_VOLUME_DKIM=
+MYVEMAIL_VOLUME_POSTWHITE=
+
+# MariaDB
+# Roundcube
+MYVEMAIL_ROUNDCUBE_DBNAME=roundcube
+MYVEMAIL_ROUNDCUBE_DBUSER=roundcube
+MYVEMAIL_ROUNDCUBE_DBPASS={{MYVEMAIL_ROUNDCUBE_DBPASS}}
+# Postfixadmin
+MYVEMAIL_POSTFIXADMIN_DBNAME=postfixadmin
+MYVEMAIL_POSTFIXADMIN_DBUSER=postfixadmin
+MYVEMAIL_POSTFIXADMIN_DBPASS={{MYVEMAIL_POSTFIXADMIN_DBPASS}}
diff --git a/01-setup.sh b/01-setup.sh
index 5e4c678..eeb03f2 100755
--- a/01-setup.sh
+++ b/01-setup.sh
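Review bot: The template is committed under the name `.env`, the same path that 01-setup.sh later rewrites in place with `sed -i`, so once `{{MYVEMAIL_ROUNDCUBE_DBPASS}}` and `{{MYVEMAIL_POSTFIXADMIN_DBPASS}}` are filled with generated passwords the secrets live in a git-tracked file, and unless a .gitignore entry (not visible here) excludes it, a later commit or `git diff` exposes them. The usual shape is to track the template as `.env.example` and have the setup script derive the ignored `.env` from it, e.g. `sed -e … ./.env.example > ./.env`; the same applies to the sed block in the second 01-setup.sh hunk. Minor: "invididual" in the two whitelist/blacklist comments should read "individual".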
@@ -66,6 +66,14 @@ server { proxy_set_header Accept-Encoding ""; proxy_set_header Host $host; + proxy_set_header Early-Data $ssl_early_data; + proxy_buffering off; + proxy_request_buffering off; + + proxy_next_upstream error timeout invalid_header http_500; + proxy_next_upstream_timeout 3s; + proxy_next_upstream_tries 2; + client_body_buffer_size 512k; proxy_read_timeout 86400s; client_max_body_size 0; 
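Review bot: `proxy_set_header Early-Data $ssl_early_data;` only carries information when `ssl_early_data on;` is set in the generated server block, and that directive is not in this hunk. If 0-RTT is enabled elsewhere, the upstream webmail has to treat requests arriving with `Early-Data: 1` as replayable and answer non-idempotent ones (login, send) with 425 Too Early; if it is not enabled, the line is inert and deserves a comment saying why it is there, e.g. `# forwarded so the backend can refuse replayable 0-RTT requests; only meaningful with ssl_early_data on`. The enclosing heredoc and `server {` block open outside the hunk.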
@@ -80,104 +88,67 @@ server { # http_upgrade # Security server_tokens off; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "noindex, nofollow" always; - # add_header Content-Security-Policy "default-src 'self';" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "no-referrer" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; # http2 http2 on; # http3 - listen 443 quic; add_header Alt-Svc 'h3=":443"; ma=86400'; quic_retry on; + quic_gso on; + http3_stream_buffer_size 512k; http3 on; # Certbot defaults - listen 443 ssl; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; add_header Strict-Transport-Security "max-age=31536000" always; } + proxy # Run certbot -if sudo nginx -t -then - sudo certbot --nginx --non-interactive --agree-tos --no-eff-email -m eff@${_domain} -d ${domain} \ - --staple-ocsp --hsts --no-redirect --renew-hook 'docker exec --interactive --tty myvemail /bin/ash -c "dovecot reload; postfix reload"' -else - exit 1 -fi +sudo certbot --nginx --non-interactive --agree-tos --no-eff-email -m eff@${_domain} -d ${domain} \ + --staple-ocsp --hsts --no-redirect --renew-hook 'docker exec --interactive --tty myvemail /bin/ash -c "dovecot reload; postfix reload"' + +# Add http2 and http3 directives +sudo sed -e '/listen 80/d' \ + -e '/listen 443/a\ + listen 443 quic;\ + listen [::]:443 ssl;\ + listen [::]:443 quic;\n' -i ${nginxdir}/${appname}.conf +sudo tee -a ${nginxdir}/${appname}.conf >/dev/null <<- 'redirect' +server { + listen 80; + server_name 
{{domain}}; + if ($scheme = "http") { + return 301 https://$host$request_uri; + } +} +redirect +sudo systemctl reload nginx.service # SSL [ -d ./data/ssl/ ] || install --directory ./data/ssl/ sudo ln -s -f /etc/letsencrypt/live/${domain}/fullchain.pem ./data/ssl/tls.pem sudo ln -s -f /etc/letsencrypt/live/${domain}/privkey.pem ./data/ssl/tls.key -[ -f ./data/ssl/dh.pem ] || openssl dhparam -out ./data/ssl/dh.pem 4096 +[ -f ./data/ssl/dh.pem ] || touch ./data/ssl/dh.pem # Postwhite [ -f ./data/postwhite ] || touch ./data/postwhite # Environment file -[ -f ./.env ] || \ -cat >./.env <<- gen-env -# Required -# Mail domain -MYVEMAIL_SUBDOMAIN=${_subdomain} -MYVEMAIL_DOMAIN=${_domain} - -# Webmail port -MYVEMAIL_PORT=${proxyport} - -# Optional -# Version: latest or stable (defaults to latest) -MYVEMAIL_VERSION=${mailver:-latest} - -# Additional mail domains separated by commas -MYVEMAIL_ADDMX= - -# Backup mail servers separated by commas -MYVEMAIL_BACKUPMX= - -# Whitelist SPF -MYVEMAIL_WHITELIST_HELO= - -# Whitelist domains separated by commas (eg. website.tld,web.website.tld) -MYVEMAIL_WHITELIST_DOMAINS= - -# Whitelist invididual email addresses (eg. email@website.tld,email2@website2.tld2) -MYVEMAIL_WHITELIST_EMAILS= - -# Blacklist domains separated by commas (eg. website.tld,web.website.tld) -MYVEMAIL_BLACKLIST_DOMAINS= - -# Blacklist invididual email addresses (eg. 
email@website.tld,email2@website2.tld2) -MYVEMAIL_BLACKLIST_EMAILS= - -# Volumes -MYVEMAIL_VOLUME_MARIADB= -MYVEMAIL_VOLUME_SSL= -MYVEMAIL_VOLUME_DATA= -MYVEMAIL_VOLUME_MAIL= -MYVEMAIL_VOLUME_LOGS= -MYVEMAIL_VOLUME_DKIM= -MYVEMAIL_VOLUME_POSTWHITE= - -# MariaDB -# Roundcube -MYVEMAIL_ROUNDCUBE_DBNAME=roundcube -MYVEMAIL_ROUNDCUBE_DBUSER=roundcube -MYVEMAIL_ROUNDCUBE_DBPASS=$(openssl rand -hex 32) -# Postfixadmin -MYVEMAIL_POSTFIXADMIN_DBNAME=postfixadmin -MYVEMAIL_POSTFIXADMIN_DBUSER=postfixadmin -MYVEMAIL_POSTFIXADMIN_DBPASS=$(openssl rand -hex 32) -gen-env +sed -e "s/{{MYVEMAIL_SUBDOMAIN}}/${_subdomain}/" \ + -e "s/{{MYVEMAIL_DOMAIN}}/${_domain}/" \ + -e "s/{{MYVEMAIL_PORT}}/${proxyport}/" \ + -e "s/{{MYVEMAIL_VERSION}}/${mailver:-latest}/" \ + -e "s/{{MYVEMAIL_ROUNDCUBE_DBPASS}}/$(openssl rand -hex 32)/" \ + -e "s/{{MYVEMAIL_POSTFIXADMIN_DBPASS}}/$(openssl rand -hex 32)/" \ + -i ./.env # Cleanup rm -r ${0} ./build/ -f @@ -190,5 +161,6 @@ docker compose run --rm -it myvemail setup if [ -d ./data/sql/mysql/ ] && [ -d ./data/sql/postfixadmin/ ] then docker compose up --detach + [ -s ./data/ssl/dh.pem ] || openssl dhparam -out ./data/ssl/dh.pem 4096 & docker compose logs --follow fi
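Review bot: The nginx config is rewritten by `sed -i` and extended by `tee -a`, then applied with `sudo systemctl reload nginx.service` without a syntax check, and the `if sudo nginx -t … else exit 1` gate that previously guarded the certbot step is removed, so a malformed result (for instance a `listen 443` line that does not match what the `a\` text assumes) is never reported: nginx keeps its old configuration on a failed reload, but the script carries on to link certificates and start the container with the http2/http3 directives silently unapplied. Validate before reloading, `sudo nginx -t && sudo systemctl reload nginx.service`, or keep the earlier guard around the certbot call as well. A second run of this script would append another redirect `server` block via `tee -a`; whether that can happen depends on the `rm -r ${0}` cleanup removing the script, which cannot be confirmed from here. The hunk begins inside the nginx heredoc, whose opening is outside it.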
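Review bot: `docker compose up --detach` now starts the stack while ./data/ssl/dh.pem is still the zero-byte file created by the `touch` in the previous hunk, and the 4096-bit `openssl dhparam` runs in the background after the containers are already up, with its exit status never collected. Whether the TLS services inside the container accept an empty dh.pem, and whether they pick the file up once it is written without a reload, cannot be seen here; the `--renew-hook` earlier in the script reloads dovecot and postfix only on certificate renewal. If startup time is the reason for the `&`, capture the job (`dhpid=$!` right after it) and `wait "$dhpid"` before or instead of `docker compose logs --follow`, then reload the services; otherwise generate the parameters before `up`, as the previous version did. Note that the `&` applies to the whole `[ -s … ] || openssl …` list, so `$!` refers to that compound.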