diff --git a/docs/TODO.md b/docs/TODO.md index 56485b63..ec5db33c 100644 --- a/docs/TODO.md +++ b/docs/TODO.md @@ -5,6 +5,20 @@ https://github.com/DustinBrett/daedalOS https://github.com/ansh/jiffyreader.com https://github.com/allinurl/goaccess https://github.com/cloudflare/boringtun + CLOUDSDK_CORE_PROJECT: "megabyte-labs" + GCE_CREDENTIALS_FILE: "{{ joinPath .chezmoi.homeDir ".config" "gcp.json" }}" + GCE_SERVICE_ACCOUNT_EMAIL: "molecule@megabyte-labs.iam.gserviceaccount.com" + +GITLAB_READ_TOKEN +GITHUB_READ_TOKEN +GITHUB_GIST_TOKEN +CLOUDFLARE_API_TOKEN +GMAIL_APP_PASSWORD +NGROK_AUTH_TOKEN +SLACK_API_TOKEN +TAILSCALE_AUTH_KEY +LEXICON_CLOUDFLARE_USERNAME +LEXICON_CLOUDFLARE_TOKEN ### Ensure these PATHs are added on Windows add to PATH: '%ProgramFiles(x86)%\mitmproxy\bin' diff --git a/home/.chezmoi.yaml.tmpl b/home/.chezmoi.yaml.tmpl index ea829a1e..09583907 100644 --- a/home/.chezmoi.yaml.tmpl +++ b/home/.chezmoi.yaml.tmpl 
@@ -1,28 +1,18 @@ -{{- $name := (default "Brian Zalewski" (env "FULL_NAME")) -}} -{{- $email := (default "brian@megabyte.space" (env "PRIMARY_EMAIL")) -}} -{{- $restricted := (default false (env "WORK_ENVIRONMENT")) -}} -{{- $work := (default false (env "WORK_ENVIRONMENT")) -}} -{{- $gpgKeyId := (default "0xF0A300E4199A1C33" (env "KEYID")) -}} -{{- $gmailAddress := (default "blzalewski@gmail.com" (env "GMAIL_ADDRESS")) -}} -{{- $gmailAddressAppPassword := (default "" (env "GMAIL_APP_PASSWORD")) -}} -{{- $surgeshUsername := (default "brian@megabyte.space" (env "SURGESH_USERNAME")) -}} -{{- $domain := (default "megabyte.space" (env "PUBLIC_SERVICES_DOMAIN")) -}} {{- $cloudflareUsername := (default "brian@megabyte.space" (env "CLOUDFLARE_USERNAME")) -}} -{{- $cloudflareToken := (default "" (env "CLOUDFLARE_API_TOKEN")) -}} -{{- $cloudflareAccessKeyId := "" -}} -{{- $cloudflareSecretAccessKey := "" -}} -{{- $cloudflareR2AccountId := "" -}} +{{- $desktopSession := true -}} +{{- $domain := (default "megabyte.space" (env "PUBLIC_SERVICES_DOMAIN")) -}} +{{- $email := (default "brian@megabyte.space" (env "PRIMARY_EMAIL")) -}} {{- $githubUsername := (default "ProfessorManhattan" (env "GITHUB_USERNAME")) -}} -{{- $githubGistToken := (default "" (env "GITHUB_GIST_TOKEN")) -}} -{{- $githubReadToken := (env "GITHUB_READ_TOKEN") -}} -{{- $gitlabReadToken := (env "GITLAB_READ_TOKEN") -}} +{{- $gmailAddress := (default "blzalewski@gmail.com" (env "GMAIL_ADDRESS")) -}} +{{- $gpgKeyId := (default "0xF0A300E4199A1C33" (env "KEYID")) -}} +{{- $hostname := (default "alpha" (env "HOSTNAME")) -}} {{- $locale := (output "echo" "$LANG") }} -{{- $ngrokAuthToken := (default "" (env "NGROK_AUTH_TOKEN")) -}} -{{- $slackApiToken := (default "" (env "SLACK_API_TOKEN")) -}} -{{- $tailscaleAuthKey := (default "" (env "TAILSCALE_AUTH_KEY")) -}} +{{- $name := (default "Brian Zalewski" (env "FULL_NAME")) -}} +{{- $restricted := (default false (env "WORK_ENVIRONMENT")) -}} +{{- $surgeshUsername := 
(default "brian@megabyte.space" (env "SURGESH_USERNAME")) -}} {{- $timezone := (default "America/New_York" (env "TIMEZONE")) -}} {{- $toolchains := list "CLI-Extras" "Docker" "Go" "Kubernetes" "Web-Development" -}} -{{- $desktopSession := true -}} +{{- $work := (default false (env "WORK_ENVIRONMENT")) -}} {{- if and (ne .chezmoi.os "darwin") (ne .chezmoi.os "windows") (not (env "DISPLAY")) -}} {{- $desktopSession = false -}} {{- end -}} @@ -112,6 +102,9 @@ {{- if not (env "PUBLIC_SERVICES_DOMAIN") -}} {{- $domain = promptStringOnce $data.user "domain" "Domain name" $domain -}} {{- end -}} +{{- if not (env "HOSTNAME") -}} +{{- $hostname = promptStringOnce $data.host "hostname" "Hostname ID" $hostname -}} +{{- end -}} {{- else -}} {{- $headless = true -}} @@ -137,6 +130,12 @@ data: dns: primary: 10.0.0.1#dns.megabyte.space secondary: 1.1.1.1#cloudflare-dns.com + docker: + doRegion: nyc1 + headless: {{ $headless }} + home: "{{ .chezmoi.homeDir }}" + homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}" + hostname: "{{ $hostname }}" ssh: allowTCPForwarding: no allowUsers: {{ output "echo" "$USER" }} 
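Review bot: `{{- $cloudflareR2AccountId := "" -}}` is deleted in this hunk, but the later `data:` hunk of the same file still renders `r2: "{{ $cloudflareR2AccountId }}"`. Unless the variable is declared in lines outside the visible hunks, the template will fail on an undefined variable before any config is written. Either keep the declaration or drop the `r2` key. Note that `merge_rclone.conf` now gates on `(ne .user.cloudflare.r2 "")`, so an always-empty default would silently disable the R2 remote.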
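Review bot: The `homeParentFolder` line moved into this hunk still ends its Windows branch with `C:\Users` inside a double-quoted YAML scalar. There `\U` begins an eight-digit Unicode escape and `sers` is not hex, so the rendered config would likely fail to parse on Windows. Single-quoting the scalar keeps the backslash literal: `homeParentFolder: '{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}'`. The enclosing `data:` mapping starts above the hunk.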
@@ -146,59 +145,42 @@ data: excludedSubnets: - 10.0.0.0/24 - 10.14.50.0/24 - home: "{{ .chezmoi.homeDir }}" - homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}" - hostname: "Betelgeuse" qubes: {{ ne (stat (joinPath "usr" "bin" "qubes-session")) false }} + restricted: {{ $restricted }} softwareGroup: "{{ $softwareGroup }}" type: "{{ $chassisType }}" work: {{ $work }} - restricted: {{ $restricted }} - headless: {{ $headless }} toolchains: {{- range $toolchain, $enabled := $toolchainsEnabled }} {{ $toolchain}}: {{ $enabled }} {{- end }} user: - email: "{{ $email }}" - name: "{{ $name }}" - username: "{{ output "echo" "$USER" }}" + cloudflare: + r2: "{{ $cloudflareR2AccountId }}" + username: "{{ $cloudflareUsername }}" defaultBrowser: firefox domain: "{{ $domain }}" + email: "{{ $email }}" + github: + username: "{{ $githubUsername }}" + gmail: + username: "{{ $gmailAddress }}" gpg: id: "{{ $gpgKeyId }}" - gmail: - email: "{{ $gmailAddress }}" - password: "{{ $gmailAddressAppPassword }}" - surgeshUsername: "{{ $surgeshUsername }}" - githubUsername: "{{ $githubUsername }}" - locale: "{{ $locale }}" - timezone: "{{ $timezone }}" holdSudoPrivileges: true - CLOUDFLARE_USERNAME: "{{ $cloudflareUsername }}" - CLOUDFLARE_ACCESS_KEY_ID: "{{ $cloudflareAccessKeyId }}" - CLOUDFLARE_SECRET_ACCESS_KEY: "{{ $cloudflareSecretAccessKey }}" - CLOUDFLARE_R2_ACCOUNT_ID: "{{ $cloudflareR2AccountId }}" - CLOUDSDK_CORE_PROJECT: "megabyte-labs" - GCE_CREDENTIALS_FILE: "{{ joinPath .chezmoi.homeDir ".config" "gcp.json" }}" - GCE_SERVICE_ACCOUNT_EMAIL: "molecule@megabyte-labs.iam.gserviceaccount.com" - GITHUB_GIST_TOKEN: "{{ $githubGistToken }}" - GITHUB_READ_TOKEN: "{{ $githubReadToken }}" - GITLAB_READ_TOKEN: "{{ $gitlabReadToken }}" - NGROK_AUTH_TOKEN: "{{ $ngrokAuthToken }}" - SLACK_API_TOKEN: "{{ $slackApiToken }}" - SNAPCRAFT_EMAIL: "{{ $email }}" - TAILSCALE_AUTH_KEY: "{{ $tailscaleAuthKey }}" - TINYPNG_API_KEY: 
"g355tx7dxG5yJfl0RXJnpQlQqk88dJBv" + locale: "{{ $locale }}" + name: "{{ $name }}" + surgesh: + username: "{{ $surgeshUsername }}" + timezone: "{{ $timezone }}" + tinypngKey: "g355tx7dxG5yJfl0RXJnpQlQqk88dJBv" + username: "{{ output "echo" "$USER" }}" diff: format: "git" pager: "delta" git: autoCommit: true autoPush: true -scriptEnv: - LEXICON_CLOUDFLARE_USERNAME: "{{ $cloudflareUsername }}" - LEXICON_CLOUDFLARE_TOKEN: "{{ $cloudflareToken }}" textconv: - pattern: "**/*.plist" command: "plutil" diff --git a/home/.chezmoidata.yaml b/home/.chezmoidata.yaml index 6bcc62b2..c1d25cd3 100644 --- a/home/.chezmoidata.yaml +++ b/home/.chezmoidata.yaml @@ -19,11 +19,11 @@ colors: color14: '#EB71AD' color15: '#24E5FF' color16: '#FFFFFF' -macosRemoteLogin: 'on' -themeparkTheme: aquamarine -netdataClaimURL: https://app.netdata.cloud config: gpg: https://raw.githubusercontent.com/drduh/config/master/gpg.conf +macosRemoteLogin: 'on' +netdataClaimURL: https://app.netdata.cloud +themeparkTheme: aquamarine chromeExtensions: - https://chrome.google.com/webstore/detail/automa/infppggnoaenmfagbfknfkancpbljcca - https://chrome.google.com/webstore/detail/bitly-powerful-short-link/iabeihobmhlgpkcgjiloemdbofjbdcic @@ -1007,6 +1007,9 @@ softwareGroups: - termius - ulauncher softwarePlugins: + docker: + plugins: + - sapk/plugin-rclone vim: plugins: - https://github.com/dense-analysis/ale.git diff --git a/home/.chezmoiscripts/_universal/run_onchange_before_11-install-docker.tmpl b/home/.chezmoiscripts/_universal/run_onchange_before_11-install-docker.tmpl index 40321bf0..8306d6fb 100644 --- a/home/.chezmoiscripts/_universal/run_onchange_before_11-install-docker.tmpl +++ b/home/.chezmoiscripts/_universal/run_onchange_before_11-install-docker.tmpl @@ -114,4 +114,7 @@ if [ ! -d /Applications ] || [ ! -d /System ]; then fi fi +### Install Docker plugins +for PLUGIN in + {{ end -}} 
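Review bot: The new `tinypngKey` entry keeps an API key as a plaintext literal in the template (it was `TINYPNG_API_KEY` before), while this same commit moves the Cloudflare R2 credentials into age-encrypted files under `.chezmoitemplates/secrets/`. Because the value is already in repository history, it should be treated as exposed and rotated. The replacement can be stored encrypted and rendered with the `includeTemplate "secrets/…" | decrypt` pattern that the Docker plugin script uses for `key-digitalocean-pat`. The `user:` mapping continues outside the hunk.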
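Review bot: The added `for PLUGIN in` has no word list, `do` or `done` before the closing `{{ end -}}`, so the rendered script ends in an unterminated loop. Bash will report a syntax error at end of file, after the earlier Docker install steps have already run. Plugin installation is implemented in `run_onchange_after_07-docker-plugins.tmpl` in this same commit, so the simplest fix is to drop the three added lines here. The enclosing template block starts above the hunk.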
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_07-docker-plugins.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_07-docker-plugins.tmpl index b20c9583..ad90f70f 100644 --- a/home/.chezmoiscripts/universal/run_onchange_after_07-docker-plugins.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_07-docker-plugins.tmpl @@ -1,6 +1,8 @@ {{- if (eq .host.distro.family "linux") -}} #!/usr/bin/env bash +# Docker plugins.json hash: {{ include (joinPath .chezmoi.homeDir ".config" "docker" "plugins.json") | sha256sum }} + {{ includeTemplate "universal/profile" }} {{ includeTemplate "universal/logg" }} 
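Review bot: The hash comment reads `plugins.json` from the destination (`joinPath .chezmoi.homeDir ".config" "docker" "plugins.json"`) rather than from the source state. Rendering may therefore fail on a machine where the target has not been written yet, and the onchange trigger follows the deployed copy instead of the managed file; this is inferred from `include` being given an absolute home path. Hashing the source file avoids both: `# Docker plugins.json hash: {{ include "dot_config/docker/plugins.json" | sha256sum }}`.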
@@ -30,13 +32,24 @@ fi if [ ! -f "${XDG_CONFIG_HOME:-$HOME/.docker}/cli-plugins/docker-pushrm" ]; then logg info 'Acquiring release information for Docker push-rm' RELEASE_TAG="$(curl -sSL https://api.github.com/repos/christian-korneck/docker-pushrm/releases/latest | jq -r '.tag_name')" - mkdir -p "${XDG_CONFIG_HOME:-$HOME/.docker}/cli-plugins" + mkdir -p "${XDG_CONFIG_HOME:-$HOME/.config}/docker/cli-plugins" logg info 'Downloading Docker push-rm' - curl https://github.com/christian-korneck/docker-pushrm/releases/download/$RELEASE_TAG/docker-pushrm_darwin_amd64 -o "${XDG_CONFIG_HOME:-$HOME/.docker}/cli-plugins/docker-pushrm" - chmod +x "${XDG_CONFIG_HOME:-$HOME/.docker}/cli-plugins/docker-pushrm" + curl https://github.com/christian-korneck/docker-pushrm/releases/download/$RELEASE_TAG/docker-pushrm_darwin_amd64 -o "${XDG_CONFIG_HOME:-$HOME/.config}/docker/cli-plugins/docker-pushrm" + chmod +x "${XDG_CONFIG_HOME:-$HOME/.config}/docker/cli-plugins/docker-pushrm" logg success 'Added Docker push-rm' else logg info 'Docker push-rm already added' fi +{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "key-digitalocean-pat")) -}} +### Docker DigitalOcean Block Storage +docker plugin install --grant-all-permissions rexray/dobs DOBS_TOKEN={{ includeTemplate "secrets/key-digitalocean-pat" | decrypt -}} DOBS_REGION={{ .host.docker.doRegion }} LINUX_VOLUME_FILEMODE=0775 +{{ end -}} + +### Docker plugins (defined in ~/.config/docker/plugins.json) +jq -r '.plugins[]' "${XDG_CONFIG_HOME:-$HOME/.config}/docker/plugins.json" | while read PLUGIN; do + logg info 'Installing the `'"$PLUGIN"'` Docker plugin' + docker plugin install --grant-all-permissions "$PLUGIN" +done + {{ end -}} diff --git a/home/.chezmoitemplates/secrets/key-cloudflare-r2-id b/home/.chezmoitemplates/secrets/key-cloudflare-r2-id new file mode 100644 index 00000000..772fbb89 --- /dev/null 
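Review bot: The `-}}` after `decrypt` trims the space before `DOBS_REGION`, so the rendered command becomes `DOBS_TOKEN=<token>DOBS_REGION=…`; use `decrypt }}`. Likewise, the `{{- if and … -}}` markers appear to join the preceding `fi` to the `###` comment, which bash reads as the single word `fi###`. Both `docker plugin install --grant-all-permissions` calls also accept whatever host privileges an unpinned plugin reference requests. Pinning a version tag per plugin and granting permissions only to a reviewed list would narrow that, and the decrypted token is written into the rendered script and passed on the command line. Separately, the unchanged `if [ ! -f "${XDG_CONFIG_HOME:-$HOME/.docker}/cli-plugins/docker-pushrm" ]` test no longer matches the new `.config}/docker/cli-plugins` install path, so the check and the install location disagree.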
+++ b/home/.chezmoitemplates/secrets/key-cloudflare-r2-id
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa0ZtTm9PbE03R1RReDJZ
+NUdueXVZSk1WY2RxMkpyM1VVL2t2ZlBobGxJCmRyWEtSYVMxU1VCL01hRXk5ODdR
+MTJPZFVYbEEzeStBT3JLRWdoNUg0Z2MKLS0tIGhHdzExOEU1NmJkNHBFUW5DbXFs
+S25MNHFGV01GYjkrYm0zVmhrVEFvd2sKQr2yI5Zlx+yEWa4igHFy2z1FpmEw6tux
+M9i/y2J+Da15jAZgndmc1iWNBVDKVfROon4S60P99djZi/trWcy0jA==
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/key-cloudflare-r2-secret b/home/.chezmoitemplates/secrets/key-cloudflare-r2-secret
new file mode 100644
index 00000000..ae0c4dbb
--- /dev/null
+++ b/home/.chezmoitemplates/secrets/key-cloudflare-r2-secret
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYnBRTkRVZ2hGTkZ4NUdQ
+UWZBWmFxQkFXTUhESzhaaFJWMlpQSmh5cldjCjN0c0dScXQ1d0ZoalF1WXN3VG5h
+WC9wQ0pQSmYyU29nN1YwOUNFSHgyRkEKLS0tIG5lOTRhamhySm5iN1V1d0haWFRo
+VVZaczNScHd0ZHZRWmd4TFVRQWVaZzAKqbgfmbnHB5QbO0Z1JMgjNawfAD40Hzru
+kVNSyh/zgIRlwuSzwlENDgrdGXaRjDj7jtchaWe/xPX88Ba5cFe9LC7eXJP1mU2U
+l+nk1LFKSp24PZskcLzw4rxCsLap82KV
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/dot_config/docker/plugins.json b/home/dot_config/docker/plugins.json
new file mode 100644
index 00000000..28fff243
--- /dev/null
+++ b/home/dot_config/docker/plugins.json
@@ -0,0 +1,6 @@
+{
+ "plugins" [
+ "sapk/plugin-rclone",
+ "vieux/sshfs"
+ ]
+}
\ No newline at end of file
diff --git a/home/dot_config/gcp/gcp.json.TODO b/home/dot_config/gcp/gcp.json.TODO
new file mode 100644
index 00000000..e69de29b
diff --git a/home/dot_config/rclone/merge_rclone.conf b/home/dot_config/rclone/merge_rclone.conf
index 31cb1878..c36d9e4c 100644
--- a/home/dot_config/rclone/merge_rclone.conf
+++ b/home/dot_config/rclone/merge_rclone.conf
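Review bot: `"plugins" [` in the new `plugins.json` is missing the colon after the key, so the file is not valid JSON. The `jq -r '.plugins[]'` call in `run_onchange_after_07-docker-plugins.tmpl` will therefore exit with a parse error instead of listing plugins. The line should read `"plugins": [`. Because every entry in this list is later installed with `--grant-all-permissions`, giving each entry an explicit version tag would also make changes to the list reviewable.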
@@ -1,4 +1,4 @@ -{{- if and (ne .user.CLOUDFLARE_ACCESS_KEY_ID "") (ne .user.CLOUDFLARE_SECRET_ACCESS_KEY "") (ne .user.CLOUDFLARE_R2_ACCOUNT_ID "") }} +{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "key-cloudflare-r2-id")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "key-cloudflare-r2-secret")) (ne .user.cloudflare.r2 "") -}} #!/usr/bin/env bash CONFIG_FILE="$HOME/.config/rclone/rclone.conf" @@ -18,27 +18,43 @@ tee -a "$CONFIG_FILE" > /dev/null <