diff --git a/.forgejo/workflows/cleanup.yml b/.forgejo/workflows/cleanup.yml deleted file mode 100644 index a911a55..0000000 --- a/.forgejo/workflows/cleanup.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Clean up Forgejo Container Registry - -on: - schedule: - - cron: '0 0 * * 0' # Runs every Sunday at midnight - workflow_dispatch: # Allows manual triggering - -jobs: - delete-old-images: - runs-on: almalinux-10 - steps: - - name: Delete old versions - run: | - REGISTRY="forge.pc-rytteren.dk" - OWNER="${{ github.repository_owner }}" - IMAGE="my-ostree-os" - MIN_KEEP=50 - TOKEN="${{ secrets.PACKAGE_TOKEN }}" - - # Fetch all container packages with this name, sorted oldest first (by id) - # API returns a list of package objects, each with "id" and "version" - RAW=$(curl -s -H "Authorization: token ${TOKEN}" \ - "https://${REGISTRY}/api/v1/packages/${OWNER}?type=container&q=${IMAGE}&limit=200") - - # Filter only packages with the correct name and extract id, sort oldest first - IDS=$(echo "$RAW" | tr '{' '\n' | grep "\"name\":\"${IMAGE}\"" | \ - sed 's/.*"id":\([0-9]*\).*/\1/' | sort -n) - - TOTAL=$(echo "$IDS" | grep -c '[0-9]' || true) - echo "Found ${TOTAL} packages total, keeping ${MIN_KEEP}" - - if [ "$TOTAL" -le "$MIN_KEEP" ]; then - echo "No packages to delete" - exit 0 - fi - - # Delete the oldest (lowest ids) beyond MIN_KEEP - TO_DELETE=$(echo "$IDS" | head -n $(( TOTAL - MIN_KEEP ))) - for ID in $TO_DELETE; do - echo "Deleting package id: ${ID}" - curl -s -X DELETE -H "Authorization: token ${TOKEN}" \ - "https://${REGISTRY}/api/v1/packages/${OWNER}/${ID}" - done \ No newline at end of file diff --git a/.forgejo/workflows/os.yml b/.forgejo/workflows/os.yml index 688a6d9..801134a 100644 --- a/.forgejo/workflows/os.yml +++ b/.forgejo/workflows/os.yml @@ -17,6 +17,8 @@ on: env: REGISTRY: forge.pc-rytteren.dk IMAGE_NAME: ${{ github.repository }} + STORAGE_DRIVER: vfs + PODMAN_USERNS: disabled jobs: build: 
@@ -24,9 +26,20 @@ jobs: permissions: contents: read packages: write + id-token: write # Påkrævet til cosign keyless signering steps: + - name: Configure Buildah storage + run: | + mkdir -p ~/.config/containers + cat > ~/.config/containers/storage.conf <> $FORGEJO_OUTPUT 
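Review bot: `id-token: write` is granted at job level, so every step and action in `build` runs in a job that may request an OIDC identity token, not only the signing step. Consider moving `Install cosign` and `Sign image` into a separate job that `needs: build` and is the only one carrying `id-token: write`, leaving `build` with `contents: read` and `packages: write`. It is also worth confirming that the Forgejo runner issues an OIDC token the signing service accepts, since `cosign sign --yes` in a non-interactive job has no browser flow to fall back on. The heredoc in `Configure Buildah storage` is not fully visible in this hunk, so the generated storage.conf could not be reviewed.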
@@ -43,29 +56,47 @@ jobs: tags: | type=ref,event=branch type=raw,value=latest,enable={{is_default_branch}} - type=raw,value=${{ github.ref_name }} type=raw,value=${{ github.ref_name }}-10 type=raw,value=${{ github.ref_name }}-10.${{ steps.date.outputs.date }} - name: Log into Forgejo Container Registry if: github.event_name != 'pull_request' run: | - buildah login -u ${{ github.actor }} -p ${{ secrets.PACKAGE_TOKEN }} ${{ env.REGISTRY }} + podman login -u ${{ github.actor }} -p ${{ secrets.PACKAGE_TOKEN }} ${{ env.REGISTRY }} - name: Build image with Buildah id: build-image run: | # Vi bygger med 'raw-img' lokalt - buildah bud \ - --label "org.opencontainers.image.source=https://pc-rytteren.dk/forge/${{ github.repository }}" \ + podman build \ + --label "org.opencontainers.image.source=https://forge.pc-rytteren.dk/${{ github.repository }}" \ -t raw-img . + # Gem det primære tag til signering (vi tager det første fra listen) + PRIMARY_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1) + echo "primary_tag=$PRIMARY_TAG" >> $FORGEJO_OUTPUT + - name: Push to Forgejo Container Registry if: github.event_name != 'pull_request' run: | for tag in $(echo "${{ steps.meta.outputs.tags }}"); do echo "Tagging and pushing: $tag" - buildah tag raw-img "$tag" - buildah push "$tag" + podman tag raw-img "$tag" + podman push "$tag" done + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@v3.3.0 + + - name: Log into Forgejo Container Registry (Cosign) + if: github.event_name != 'pull_request' + run: | + cosign login ${{ env.REGISTRY }} -u ${{ github.actor }} -p ${{ secrets.PACKAGE_TOKEN }} + + - name: Sign image + if: github.event_name != 'pull_request' + run: | + # Vi signerer det primære tag. + # Vi bruger --yes til at acceptere betingelserne automatisk. + cosign sign --yes "${{ steps.build-image.outputs.primary_tag }}" 
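Review bot: `cosign sign --yes "${{ steps.build-image.outputs.primary_tag }}"` signs a mutable tag, so the signature is attached to whatever that tag resolves to at signing time rather than to the image this job pushed. Capture the digest at push time and sign that instead, e.g. `podman push --digestfile digest.txt "$tag"` in the push loop and `cosign sign --yes "<repository>@$(cat digest.txt)"` in the sign step; all tags point at the same image, so one digest signature covers them. The new `cosign login ... -p ${{ secrets.PACKAGE_TOKEN }}` (like the `podman login` above it) places the token on the command line, where it is visible in the process list; both tools accept `--password-stdin`. `sigstore/cosign-installer@v3.3.0` is a movable tag for the action that installs the signing binary, so pinning it to a full commit SHA would be safer.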
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml new file mode 100644 index 0000000..453e642 --- /dev/null +++ b/.github/workflows/cleanup.yml @@ -0,0 +1,21 @@ +name: Ryd op i GHCR + +on: + schedule: + - cron: '0 0 * * 0' # Kører hver søndag ved midnat + workflow_dispatch: # Gør det muligt at køre den manuelt + +jobs: + delete-old-images: + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - name: Slet gamle versioner + uses: actions/delete-package-versions@v5 + with: + package-name: 'my-ostree-os' # Skift til dit image navn + package-type: 'container' + min-versions-to-keep: 50 + delete-only-untagged-versions: 'false' + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/Dockerfile b/Dockerfile index f4185d1..1e61e87 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ FROM quay.io/almalinuxorg/atomic-desktop-kde:10 ARG KERNEL=kernel-cachyos ENV KERNEL=${KERNEL} -RUN dnf upgrade -y +RUN echo 'omit_drivers+=" nouveau "' | tee /etc/dracut.conf.d/blacklist-nouveau.conf COPY bin/set_next_version.sh /tmp RUN /tmp/set_next_version.sh 
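Review bot: `package-name: 'my-ostree-os'` still carries the template comment `# Skift til dit image navn`, and with `delete-only-untagged-versions: 'false'` the job deletes tagged versions too, so the name should be confirmed against the real package before the weekly schedule runs. `actions/delete-package-versions@v5` is referenced by a movable tag while the job holds `packages: write`; pinning it as `uses: actions/delete-package-versions@<full-commit-sha> # v5` keeps a retagged release from running with delete rights. If signatures or attestations are stored as versions of the same package, they presumably count toward `min-versions-to-keep: 50` and could be removed independently of the image they belong to, which is worth checking before relying on the retention count.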
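Review bot: With `RUN dnf upgrade -y` gone, the image's patch level is whatever `quay.io/almalinuxorg/atomic-desktop-kde:10` contained when it was pulled, and that base is referenced by a floating tag (the `FROM` line appears only in the hunk header, outside the changed lines). If dropping the upgrade is intentional, a comment saying so would help, e.g. `# No dnf upgrade: package freshness comes from the base image; rebuild when the base updates`. Pinning the base by digest would additionally make a base change an explicit, reviewable commit.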
@@ -15,44 +15,28 @@ RUN dnf install --nogpgcheck -y https://mirrors.rpmfusion.org/free/el/rpmfusion- RUN dnf config-manager --add-repo https://copr.fedorainfracloud.org/coprs/andersrh/sonicDE/repo/rhel+epel-10/andersrh-sonicDE-rhel+epel-10.repo -y RUN dnf config-manager --add-repo https://copr.fedorainfracloud.org/coprs/g/xlibre/xlibre-xserver/repo/rhel+epel-10/group_xlibre-xlibre-xserver-rhel+epel-10.repo -y -RUN dnf config-manager --add-repo https://pc-rytteren.dk/forge/api/packages/anders/rpm.repo -y # This may be necessary for the speakers and internal microphone RUN dnf install -y alsa-sof-firmware -RUN rpm -e --nodeps plasma-workspace-libs plasma-workspace libplasma \ - kwin kwin-common kwin-libs kscreenlocker plasma-desktop sddm-wayland-plasma && \ - dnf install --allowerasing --nogpgcheck -y \ - sonic-workspace \ - sonic-workspace-libs \ - sonic-workspace-common \ - sonic-workspace-x11 \ - sonic-win \ - sonic-desktop-interface \ - sonic-interface-libraries - -RUN dnf install --allowerasing --nogpgcheck -y sonic-keybind-daemon sonic-frameworks-windowsystem sonic-system-info sonic-screen sonic-screen-library sonic-sysguard-library - -RUN dnf remove -y sddm && \ - dnf install --allowerasing --nogpgcheck -y sonic-login-manager +RUN dnf install sonic-workspace-x11 sonic-win sonic-interface-libraries sonic-workspace --allowerasing -y RUN dnf install -y fish distrobox nvtop intel-media-driver libva-intel-driver htop -RUN dnf install -y https://github.com/TheAssassin/AppImageLauncher/releases/download/v3.0.0-beta-3/appimagelauncher_3.0.0-beta-2-gha287.96cb937_x86_64.rpm - -# Enable CachyOS addons EL10 fork repo -RUN dnf copr enable andersrh/kernel-cachyos-addons-el10 -y +RUN dnf install -y https://github.com/TheAssassin/AppImageLauncher/releases/download/v2.2.0/appimagelauncher-2.2.0-travis995.0f91801.x86_64.rpm # Enable CachyOS repositories RUN dnf copr enable bieszczaders/kernel-cachyos -y -RUN dnf install -y ${KERNEL} +# Enable CachyOS addons EL10 fork repo +RUN 
dnf copr enable andersrh/kernel-cachyos-addons-el10 -y -RUN rpm -e --nodeps kernel kernel-core kernel-modules kernel-modules-core kernel-modules-extra +RUN dnf install -y ${KERNEL} ${KERNEL}-devel-matched -RUN dnf install -y ${KERNEL}-devel ${KERNEL}-devel-matched +RUN dnf remove -y kernel kernel-core kernel-modules kernel-modules-core kernel-modules-extra kernel-tools kernel-tools-libs # Install Negativo17 Nvidia driver RUN dnf install -y dkms-nvidia nvidia-driver nvidia-persistenced opencl-filesystem libva-nvidia-driver + RUN dkms install nvidia/$(ls /usr/src/ | grep nvidia- | cut -d- -f2-) -k $(rpm -q --queryformat "%{VERSION}-%{RELEASE}.%{ARCH}\n" ${KERNEL}) RUN dnf install -y waydroid scx-scheds 
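Review bot: The AppImageLauncher RPM is installed straight from a release URL (`dnf install -y https://github.com/TheAssassin/AppImageLauncher/releases/download/v2.2.0/...rpm`) with nothing tying the download to a known artifact; by default dnf does not signature-check packages given by path or URL unless `localpkg_gpgcheck` is enabled. Download it first and verify a pinned checksum before installing, e.g. `curl -fsSLo /tmp/ail.rpm <url> && echo "<sha256>  /tmp/ail.rpm" | sha256sum -c - && dnf install -y /tmp/ail.rpm`. The change also moves from v3.0.0-beta-3 to the older v2.2.0 build; if that downgrade is deliberate, a one-line comment with the reason would help. The `--nogpgcheck` on the rpmfusion install visible in the hunk header is outside the changed lines but deserves the same treatment.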
@@ -100,27 +84,15 @@ RUN dnf install vlc vlc-plugins-freeworld vlc-plugin-pipewire -y RUN dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo -y RUN dnf install brave-browser -y -RUN dnf install rclone -y - -RUN dnf install https://github.com/trapexit/mergerfs/releases/download/2.41.1/mergerfs-2.41.1-1.el10.x86_64.rpm -y - -RUN dnf install -y virt-manager - RUN systemctl enable docker - -RUN echo 'kargs = ["mem_sleep_default=deep"]' > /usr/lib/bootc/kargs.d/10-mem-sleep.toml -RUN echo 'kargs = ["rd.driver.blacklist=nouveau", "nouveau.modeset=0"]' > /usr/lib/bootc/kargs.d/20-blacklist-nouveau.toml -RUN printf '[connection]\nwifi.powersave=2\n' > /usr/lib/NetworkManager/conf.d/disable-wifi-powersave.conf - -# Disable BORE schduler -RUN echo "kernel.sched_bore = 0" | tee /usr/lib/sysctl.d/99-disable-bore.conf +RUN systemctl enable scx_loader COPY etc /etc COPY usr /usr RUN systemctl enable waydroid-choose-intel-gpu.service -# Disable SELinux -RUN sed -i "s/^SELINUX=.*$/SELINUX=permissive/g" /etc/sysconfig/selinux && sed -i "s/^SELINUX=.*$/SELINUX=permissive/g" /etc/selinux/config +RUN cd /usr/bin && wget https://raw.githubusercontent.com/CachyOS/CachyOS-Settings/refs/heads/master/usr/bin/kerver && chmod +x kerver -RUN rm -rf /tmp/* /var/* && mkdir -p /var/tmp && chmod -R 1777 /var/tmp +RUN rm -rf /tmp/* /var/* && mkdir -p /var/tmp && chmod -R 1777 /var/tmp && \ + bootc container lint diff --git a/etc/X11/xorg.conf.d/20-modesetting.conf b/etc/X11/xorg.conf.d/20-modesetting.conf index ce0c1d9..96ed85d 100644 --- a/etc/X11/xorg.conf.d/20-modesetting.conf +++ b/etc/X11/xorg.conf.d/20-modesetting.conf @@ -3,5 +3,5 @@ Section "Device" Driver "modesetting" Option "ShadowFB" "false" # you don't need on recent hardware Option "Atomic" "true" #only effective on Xlibre, or Xorg-git with a special patch - Option "TearFree" "false" # Compositor is being used so TearFree is not needed + Option "TearFree" "false" EndSection 
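Review bot: `wget https://raw.githubusercontent.com/CachyOS/CachyOS-Settings/refs/heads/master/usr/bin/kerver && chmod +x kerver` installs an executable into `/usr/bin` from the tip of a branch, so its content can change between builds with no review and no integrity check. Since `COPY usr /usr` already ships files from this repository, the simplest fix is to vendor a reviewed copy as `usr/bin/kerver`; otherwise pin the URL to a commit (`.../CachyOS-Settings/<commit-sha>/usr/bin/kerver`) and verify it with `echo "<sha256>  kerver" | sha256sum -c -` before the `chmod`. The image is signed later in the pipeline, so unreviewed inputs like this one become part of what the signature vouches for.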
diff --git a/usr/share/scx_loader/config.toml b/usr/share/scx_loader/config.toml new file mode 100644 index 0000000..9ad0305 --- /dev/null +++ b/usr/share/scx_loader/config.toml @@ -0,0 +1,13 @@ +# This field specifies the scheduler that will be started automatically when scx_loader starts (e.g., on boot). +default_sched = "scx_flash" + +# This field specifies the mode which will be used when scx_loader starts (e.g., on boot). +#default_mode = "Auto" + +# This "structure" allows configuring flags for each scheduler mode of particular scx scheduler +#[scheds.'scheduler'] +#auto_mode = [] +#gaming_mode = [] +#lowlatency_mode = [] +#powersave_mode = [] +#server_mode = []