diff --git a/data/hostname/bardo.internal.admin.swh.network.yaml b/data/hostname/bardo.internal.admin.swh.network.yaml
index 2806dee4..9a5fcba4 100644
--- a/data/hostname/bardo.internal.admin.swh.network.yaml
+++ b/data/hostname/bardo.internal.admin.swh.network.yaml
@@ -1,48 +1,48 @@ hedgedoc::db::host: localhost hedgedoc::db::database: hedgedoc hedgedoc::db::username: hedgedoc # hedgedoc::db::password: in private-data swh::postgresql::version: '12' swh::postgresql::port: 5433 swh::postgresql::cluster_name: "%{lookup('swh::postgresql::version')}/main" swh::postgresql::datadir_base: "%{lookup('swh::base_directory')}/postgres" swh::postgresql::datadir: "%{lookup('swh::postgresql::datadir_base')}/%{lookup('swh::postgresql::cluster_name')}" swh::postgresql::listen_addresses: - 0.0.0.0 swh::postgresql::network_accesses: - 192.168.100.0/24 # Monitoring - 192.168.130.0/24 # Staging services postgresql::globals::version: "%{alias('swh::postgresql::version')}" postgresql::server::config_entries: shared_buffers: "%{alias('swh::postgresql::shared_buffers')}" cluster_name: "%{alias('swh::postgresql::cluster_name')}" swh::dbs: hedgedoc: name: "%{alias('hedgedoc::db::database')}" user: "%{alias('hedgedoc::db::username')}" -hedgedoc::release::version: 1.7.2 -hedgedoc::release::digest: 8bb66ba9c839a4d81f72267b91a201f97a48f16aa95434586d6dd6be40502d6d +hedgedoc::release::version: 1.9.0 +hedgedoc::release::digest: 976d908ea81025e72277d2815fd51ccf462c09d10451c16893b187d95f21e837 hedgedoc::release::digest_type: sha256 hedgedoc::allow_anonymous: true hedgedoc::allow_anonymous_edits: true # authentication hedgedoc::allow_email: true hedgedoc::allow_email_register: false hedgedoc::enable_keycloak: true hedgedoc::keycloak::provider_name: Software Heritage hedgedoc::keycloak::domain: auth.softwareheritage.org hedgedoc::keycloak::realm: SoftwareHeritage hedgedoc::keycloak::client::id: hedgedoc # hedgedoc::keycloak::client::secret in private-data hedgedoc::runtime_environment: production hedgedoc::log_level: info diff --git a/site-modules/profile/manifests/hedgedoc/apt_config.pp b/site-modules/profile/manifests/hedgedoc/apt_config.pp index 2228e856..3bdf7b1a 100644 --- a/site-modules/profile/manifests/hedgedoc/apt_config.pp 
+++ b/site-modules/profile/manifests/hedgedoc/apt_config.pp @@ -1,23 +1,26 @@ # APT configuration for hedgedoc class profile::hedgedoc::apt_config { + include profile::nodejs::apt_config + $packages = [ - 'npm', 'yarn', 'node-gyp' + 'npm', 'yarn', 'node-gyp', 'nodejs' ] $keyid = lookup('yarn::apt_config::keyid') $key = lookup('yarn::apt_config::key') apt::source { 'yarn': location => "https://dl.yarnpkg.com/debian/", release => 'stable', repos => 'main', key => { id => $keyid, content => $key, }, - } -> + } + package { $packages: - ensure => present, - notify => Archive['hedgedoc'], + ensure => latest, + notify => Service['hedgedoc'], } } diff --git a/site-modules/profile/templates/hedgedoc/config.json.erb b/site-modules/profile/templates/hedgedoc/config.json.erb index 933bd978..7303f874 100644 --- a/site-modules/profile/templates/hedgedoc/config.json.erb +++ b/site-modules/profile/templates/hedgedoc/config.json.erb 
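Review bot: `ensure => latest` on `package { $packages: … }` turns every Puppet run into an unreviewed upgrade of npm, yarn, node-gyp and nodejs from third-party apt sources, and the new `notify => Service['hedgedoc']` restarts the service whenever any of them moves, so a push to an upstream repository can change the runtime under a production instance without a reviewed change; `ensure => present` (or a pinned version via `apt::pin`) keeps upgrades deliberate. The commit also drops the `} ->` chain between `apt::source { 'yarn': … }` and the package resources, so unless the apt module's own ordering covers it, nothing guarantees the yarn source (or whatever `include profile::nodejs::apt_config` sets up, which is not visible here) is configured before the packages are installed on a fresh host; `Apt::Source['yarn'] -> Package[$packages]` and `Class['profile::nodejs::apt_config'] -> Package['nodejs']` on the new side would restore that.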
@@ -1,52 +1,51 @@ { "<%= @runtime_environment %>": { "sessionSecret": "<%= @session_secret %>", "allowAnonymous": <%= @allow_anonymous %>, "allowAnonymousEdit": <%= @allow_anonymous_edits %>, "allowFreeURL": true, "protocolUseSSL": true, "domain": "<%= @base_url %>", "loglevel": "<%= @log_level %>", "allowOrigin": [ "localhost", "<%= @base_url %>"], "email": <%= @allow_email %>, "allowEmailRegister": <%= @allow_email_register %>, <% if @enable_keycloak -%> "oauth2": { "providerName": "<%= @keycloak_provider_name %>", "baseURL": "https://<%= @keycloak_domain %>/", "userProfileURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/userinfo", "userProfileUsernameAttr": "preferred_username", "userProfileDisplayNameAttr": "name", "userProfileEmailAttr": "email", "tokenURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/token", "authorizationURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/auth", "clientID": "<%= @keycloak_client_id %>", "clientSecret": "<%= @keycloak_client_secret %>" }, <% end -%> "uploadsPath": "<%= @uploads_dir %>", "hsts": { "enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true }, "csp": { "enable": true, "upgradeInsecureRequests": "auto", "addDefaults": true, "addDisqus": true, "addGoogleAnalytics": true }, "cookiePolicy": "lax", "db": { "username": "<%= @db_user %>", "password": "<%= @db_password %>", "database": "<%= @db_name %>", "host": "<%= @db_host %>", "port": "<%= @db_port %>", "dialect": "postgres" - }, - "linkifyHeaderStyle": "gfm" + } } } diff --git a/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb b/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb index 7a049a22..0e6a3441 100644 --- a/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb +++ b/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb 
@@ -1,22 +1,44 @@
 [Unit]
-Description=Hedgedoc
-Documentation=https://github.com/hedgedoc/hedgedoc
-After=network-online.target
-Wants=network-online.target
+Description=HedgeDoc - The best platform to write and share markdown.
+Documentation=https://docs.hedgedoc.org/
+After=network.target
+After=postgresql.service
 [Service]
-Type=simple
-User=<%= @user %>
-Group=<%= @group %>
+Type=exec
 Environment=NODE_ENV=<%= @runtime_environment %>
 Environment=YARN_CACHE_FOLDER=<%= @yarn_cachedir %>
-WorkingDirectory=<%= @current_symlink %>
+Restart=always
+RestartSec=2s
+ExecStart=/usr/bin/yarn start --production
+CapabilityBoundingSet=
+NoNewPrivileges=true
+PrivateDevices=true
+RemoveIPC=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectHostname=true
+ProtectProc=noaccess
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
-ExecStart=/usr/bin/yarn start
+# You may have to adjust these settings
+User=<%= @user %>
+Group=<%= @group %>
+WorkingDirectory=<%= @current_symlink %>
-Restart=on-failure
-RestartSec=10
-PrivateTmp=true
+ReadWritePaths=<%= @uploads_dir %>
 [Install]
 WantedBy=multi-user.target
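Review bot: `ProtectSystem=strict` makes the whole filesystem read-only for the service except `ReadWritePaths=<%= @uploads_dir %>`, yet the unit still sets `Environment=YARN_CACHE_FOLDER=<%= @yarn_cachedir %>` and runs from `WorkingDirectory=<%= @current_symlink %>`; if yarn or HedgeDoc writes to either at start, the process dies and `Restart=always` with `RestartSec=2s` turns that into a two-second crash loop instead of a clear failure. If the cache is written at runtime, list it too, `ReadWritePaths=<%= @uploads_dir %> <%= @yarn_cachedir %>`; otherwise a comment above `ReadWritePaths=` stating that the cache and the checkout are write-free at runtime would document why they are excluded. `After=postgresql.service` only orders startup and does not pull the database unit in, and the removed `Wants=network-online.target` was the unit's only pull-in; a `Wants=postgresql.service` next to it is the usual pairing when the database is local, which the hiera data in this commit suggests. Several of the new directives (`ProtectProc=`, `ProtectClock=`, `Type=exec`) need a reasonably recent systemd and are logged as unknown and skipped on older releases, so the resulting sandbox should be checked with `systemd-analyze security hedgedoc.service` on the target rather than assumed.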