diff --git a/roles/element/templates/docker-compose.yaml b/roles/element/templates/docker-compose.yaml
index 65af780..99c481d 100644
--- a/roles/element/templates/docker-compose.yaml
+++ b/roles/element/templates/docker-compose.yaml
@@ -4,6 +4,6 @@ services:
 image: vectorim/element-web:latest
 restart: always
 ports:
- - {{ ports['element'] }}:80
+ - 127.0.0.1:{{ ports['element'] }}:80
 volumes:
 - ./config.json:/app/config.json
diff --git a/roles/etebase/templates/docker-compose.yaml b/roles/etebase/templates/docker-compose.yaml
index 8bddee6..02b1445 100644
--- a/roles/etebase/templates/docker-compose.yaml
+++ b/roles/etebase/templates/docker-compose.yaml
@@ -10,6 +10,6 @@ services:
 AUTO_UPDATE: 'true'
 TIME_ZONE: {{ timezone }}
 ports:
- - {{ ports['etebase'] }}:3735
+ - 127.0.0.1:{{ ports['etebase'] }}:3735
 volumes:
 - {{ volumes['etebase_datadir'] }}:/data
diff --git a/roles/hedgedoc/templates/docker-compose.yaml b/roles/hedgedoc/templates/docker-compose.yaml
index 4c963ff..76e19d1 100644
--- a/roles/hedgedoc/templates/docker-compose.yaml
+++ b/roles/hedgedoc/templates/docker-compose.yaml
@@ -15,7 +15,7 @@ services:
 - CMD_DOMAIN=hedgedoc.{{ domain }}
 - CMD_PROTOCOL_USESSL=true
 ports:
- - {{ ports['hedgedoc'] }}:3000
+ - 127.0.0.1:{{ ports['hedgedoc'] }}:3000
 volumes:
 - {{ volumes['hedgedoc_configdir'] }}:/config
diff --git a/roles/homepage/templates/docker-compose.yaml b/roles/homepage/templates/docker-compose.yaml
index 47eb39f..e8a828d 100644
--- a/roles/homepage/templates/docker-compose.yaml
+++ b/roles/homepage/templates/docker-compose.yaml
@@ -5,7 +5,7 @@ services:
 container_name: homepage
 user: {{ users['homepage'] }}:{{ users['homepage'] }}
 ports:
- - {{ ports['homepage'] }}:80
+ - 127.0.0.1:{{ ports['homepage'] }}:80
 volumes:
 - ./nginx.conf:/etc/nginx/nginx.conf
 - ./index:/mnt/index
diff --git a/roles/reverse-proxy/templates/reverse-proxy.conf b/roles/reverse-proxy/templates/reverse-proxy.conf
index c2e4ab0..d956bc3 100644
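Review bot: The added mapping `- 127.0.0.1:{{ ports['element'] }}:80` is still a plain scalar, and nothing next to it says why the bind address is there. Compose's own guidance is to write port mappings as quoted strings, so I would write `- "127.0.0.1:{{ ports['element'] }}:80"` and put `# loopback only; reached through the nginx reverse proxy` on the line above, so that a later edit does not drop the address and republish the port on every interface. The same applies to the added lines in the etebase, hedgedoc, homepage, searxng, synapse, syncthing and vaultwarden templates.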
--- a/roles/reverse-proxy/templates/reverse-proxy.conf
+++ b/roles/reverse-proxy/templates/reverse-proxy.conf
@@ -40,7 +40,7 @@ server {
 }
 location / {
- proxy_pass http://localhost:{{ ports['homepage'] }};
+ proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
 }
 }
@@ -65,7 +65,7 @@ server {
 server_name element.{{ domain }};
 location / {
- proxy_pass http://localhost:{{ ports['element'] }};
+ proxy_pass http://127.0.0.1:{{ ports['element'] }};
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
@@ -86,7 +86,7 @@ server {
 server_name etebase.{{ domain }};
 location ~ ^/(?!admin) {
- proxy_pass http://localhost:{{ ports['etebase'] }};
+ proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
 }
 }
@@ -99,11 +99,11 @@ server {
 server_name hedgedoc.{{ domain }};
 location / {
- proxy_pass http://localhost:{{ ports['hedgedoc'] }};
+ proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
 }
 location /socket.io/ {
- proxy_pass http://localhost:{{ ports['hedgedoc'] }};
+ proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $http_connection;
@@ -119,7 +119,7 @@ server {
 server_name searx.{{ domain }};
 location / {
- proxy_pass http://localhost:{{ ports['searxng'] }};
+ proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 add_header Set-Cookie "Path=/; HttpOnly; Secure";
@@ -136,7 +136,7 @@ server {
 server_name matrix.{{ domain }};
 location ~ ^(/_matrix|/_synapse/client) {
- proxy_pass http://localhost:{{ ports['synapse'] }};
+ proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
 # Nginx by default only allows file uploads up to 1M in size
 # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
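Review bot: The switch from `localhost` to `127.0.0.1` in `proxy_pass` at the homepage `location /` block is load-bearing but undocumented. nginx resolves `localhost` when it loads the configuration and may get `::1` as well as `127.0.0.1`, while the containers are now published on the IPv4 loopback address only, so a revert to `localhost` could send part of the traffic to an address nothing listens on. A comment once near the top of the file, such as `# upstreams use 127.0.0.1 literally: containers publish on IPv4 loopback only`, would cover this hunk and the element, etebase, hedgedoc, searx, matrix, stdisco and vaultwarden ones. The server blocks start and end outside the hunks.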
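Review bot: In the searx `location /` block the lines shown after `proxy_pass` only add response headers; no `proxy_set_header X-Real-IP $remote_addr;` or `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` is visible. With the container reachable only through this proxy, every request arrives at SearXNG from the proxy's address, and the limiter configured through the mounted `limiter.toml` needs those headers to tell clients apart. The block continues past the hunk, so if the headers are not set further down or in an included snippet, add both lines after `proxy_pass`. The matrix location presumably wants the same check, since Synapse also takes the client address from the forwarded header for rate limiting.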
@@ -152,7 +152,7 @@ server {
 # Syncthing Discovery
 upstream stdisco.{{ domain }} {
 # Local IP address:port for discovery server
- server localhost:{{ ports['syncthing_discosrv'] }};
+ server 127.0.0.1:{{ ports['syncthing_discosrv'] }};
 }
 server {
 listen 443 ssl http2;
@@ -176,7 +176,7 @@ server {
 # Vaultwarden
 upstream vaultwarden-default {
 zone vaultwarden-default 64k;
- server localhost:{{ ports['vaultwarden'] }};
+ server 127.0.0.1:{{ ports['vaultwarden'] }};
 keepalive 2;
 }
 server {
diff --git a/roles/searxng/templates/docker-compose.yaml b/roles/searxng/templates/docker-compose.yaml
index 41a291c..555c502 100644
--- a/roles/searxng/templates/docker-compose.yaml
+++ b/roles/searxng/templates/docker-compose.yaml
@@ -22,7 +22,7 @@ services:
 - SEARXNG_BASE_URL=https://searx.{{ domain }}
 - SEARXNG_SECRET={{ searxng_secrets['searxng_secret'] }}
 ports:
- - {{ ports['searxng'] }}:8080
+ - 127.0.0.1:{{ ports['searxng'] }}:8080
 volumes:
 - ./settings.yml:/etc/searxng/settings.yml
 - ./limiter.toml:/etc/searxng/limiter.toml
diff --git a/roles/synapse/templates/docker-compose.yaml b/roles/synapse/templates/docker-compose.yaml
index f072de9..bf56f11 100644
--- a/roles/synapse/templates/docker-compose.yaml
+++ b/roles/synapse/templates/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 GID: {{ users['synapse'] }}
 TZ: {{ timezone }}
 ports:
- - {{ ports['synapse'] }}:8008
+ - 127.0.0.1:{{ ports['synapse'] }}:8008
 volumes:
 - {{ volumes['synapse_datadir'] }}:/data
 - ./homeserver.yaml:/data/homeserver.yaml
diff --git a/roles/syncthing/templates/docker-compose.yaml b/roles/syncthing/templates/docker-compose.yaml
index 0955205..ae84f3b 100644
--- a/roles/syncthing/templates/docker-compose.yaml
+++ b/roles/syncthing/templates/docker-compose.yaml
@@ -8,7 +8,7 @@ services:
 - PUID={{ users['syncthing'] }}
 - PGID={{ users['syncthing'] }}
 ports:
- - {{ ports['syncthing_webui'] }}:8384 # Web UI
+ - 127.0.0.1:{{ ports['syncthing_webui'] }}:8384 # Web UI
 - {{ ports['syncthing_tcp'] }}:22000/tcp # TCP file transfers
 - {{ ports['syncthing_udp'] }}:22000/udp # QUIC file transfers
 volumes:
@@ -29,7 +29,7 @@ services:
 networks:
 - discosrv
 ports:
- - {{ ports['syncthing_discosrv'] }}:8443
+ - 127.0.0.1:{{ ports['syncthing_discosrv'] }}:8443
 networks:
 discosrv:
diff --git a/roles/vaultwarden/templates/docker-compose.yaml b/roles/vaultwarden/templates/docker-compose.yaml
index 17aed67..3be7402 100644
--- a/roles/vaultwarden/templates/docker-compose.yaml
+++ b/roles/vaultwarden/templates/docker-compose.yaml
@@ -9,6 +9,6 @@ services:
 - SIGNUPS_ALLOWED=false
 - INVITATIONS_ALLOWED=false
 ports:
- - {{ ports['vaultwarden'] }}:80
+ - 127.0.0.1:{{ ports['vaultwarden'] }}:80
 volumes:
 - {{ volumes['vaultwarden_datadir' ] }}:/data
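Review bot: The two mappings left unchanged under the Web UI line, `{{ ports['syncthing_tcp'] }}:22000/tcp` and `{{ ports['syncthing_udp'] }}:22000/udp`, stay published on every host interface, and the file does not say that this is deliberate. Docker publishes ports through its own iptables rules, so a host firewall such as ufw will typically not filter them; among the mappings visible in this diff these are the only two still reachable from outside. Extending the existing comments, e.g. `# TCP file transfers (public on purpose: peers connect directly)`, would make the exception explicit next to the loopback-only Web UI and discovery-server mappings.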