diff --git a/README.md b/README.md index cd8f12c..1c54872 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,19 @@ Mistborn protects your data in a variety of ways: - The Mistborn firewall blocks unsolicited incoming internet packets - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) +# Gateways +I was getting frustrated at being forced to choose between being connected to my VPN and using streaming services that I have paid for. + +![Netflix blocked](https://gitlab.com/cyber5k/public/-/raw/master/graphics/netflix_blocked.png) + +*Netflix blocking my connections that it sees coming from a DigitalOcean droplet* + +In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home, then all VPN profiles created with this Gateway will apear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible). + +![Mistborn Gateway Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/gateway_network.png) + +The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads. + # Installation Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). 
@@ -147,6 +160,25 @@ Mistborn uses the following domains (that can be reached by all Wireguard client | OnlyOffice | onlyoffice.mistborn | Off | | Jitsi | jitsi.mistborn | Off | +# Gateway Setup +Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand: + +## Gateway Requirements +- Wireguard (you can run the Mistborn Wireguard installer: `sudo bash /opt/mistborn/scripts/subinstallers/wireguard.sh`) +- Openresolv (a Wireguard dependency that is installed via the Mistborn Wireguard installer) +- Fail2ban + +## Install Gateway Wireguard config file +On Mistborn: +- Click `View Config` on the Gateways tab in Mistborn +- Highlight the config +- Copy (Ctrl-C) + +On Gateway: +- Paste the config to `/etc/wireguard/gateway.conf` +- Run `sudo systemctl start wg-quick@gateway` +- Run `sudo systemctl enable wg-quick@gateway` + # Troubleshooting Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues: diff --git a/base.yml b/base.yml index b0c3bb7..422c966 100644 --- a/base.yml +++ b/base.yml @@ -22,6 +22,7 @@ services: - ../mistborn_volumes/base/media:/mistborn-media - ../mistborn_volumes/base/private_media:/mistborn-private-media command: /start + restart: unless-stopped postgres: build: @@ -34,6 +35,7 @@ services: - production_postgres_data_backups:/backups env_file: - ./.envs/.production/.postgres + restart: unless-stopped traefik: build: @@ -50,10 +52,12 @@ services: ports: - "0.0.0.0:80:80/tcp" - "0.0.0.0:443:443/tcp" + restart: unless-stopped redis: image: redis:5.0 container_name: mistborn_production_redis + restart: unless-stopped celeryworker: image: cyber5k/mistborn:latest 
@@ -76,6 +80,7 @@ services: - traefik - pihole command: /start-celeryworker + restart: unless-stopped celeryworker-low-priority: image: cyber5k/mistborn:latest @@ -98,6 +103,7 @@ services: - traefik - pihole command: /start-celeryworker-low-priority + restart: unless-stopped celerybeat: image: cyber5k/mistborn:latest @@ -106,14 +112,19 @@ services: - ./.envs/.production/.django - ./.envs/.production/.postgres command: /start-celerybeat + restart: unless-stopped flower: image: cyber5k/mistborn:latest container_name: mistborn_production_flower + env_file: + - ./.envs/.production/.django + - ./.envs/.production/.postgres ports: - "5555:5555/tcp" command: /start-flower + restart: unless-stopped pihole: container_name: mistborn_production_pihole diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index 83a29a6..cc86c8f 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -47,6 +47,7 @@ services: meet.jitsi: aliases: - ${XMPP_DOMAIN} + restart: unless-stopped # XMPP server jitsi-prosody: @@ -112,6 +113,7 @@ services: meet.jitsi: aliases: - ${XMPP_SERVER} + restart: unless-stopped # Focus component jitsi-jicofo: @@ -139,6 +141,7 @@ services: - jitsi-prosody networks: meet.jitsi: + restart: unless-stopped # Video bridge jitsi-jvb: @@ -168,6 +171,7 @@ services: - jitsi-prosody networks: meet.jitsi: + restart: unless-stopped # Custom network so all services can communicate using a FQDN networks:
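Review bot: the new Gateways section in README.md (hunk `@@ -40,6 +40,19 @@`) has two typos, `I setup a Gateway` should read `I set up a Gateway` and `apear` should read `appear`. The paragraph should also say outright that the Gateway's public IP is what third-party services will see, so a Gateway at home exposes the home connection's public IP to every service reached through that profile instead of the droplet's; that is the intended effect, but the doc currently only implies it through the Netflix example.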
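Review bot: the Gateway Setup steps in README.md (hunk `@@ -147,6 +160,25 @@`) have the reader paste a wg-quick config into `/etc/wireguard/gateway.conf`, which necessarily contains the Gateway's WireGuard private key, yet never tell them to restrict its permissions; add a step such as `sudo chmod 600 /etc/wireguard/gateway.conf` before the `systemctl start` line. The two systemctl steps can be collapsed into `sudo systemctl enable --now wg-quick@gateway`. In the Gateway Requirements list, Fail2ban is recommended without saying what it is meant to protect on the Gateway host, and `the following packages are recommended to be installed beforehand` reads better as `install the following packages first`.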
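Review bot: in base.yml hunk `@@ -106,14 +112,19 @@`, the `flower` service now loads `./.envs/.production/.postgres`, which hands the Postgres credentials to a monitoring container whose UI is published on `5555:5555/tcp` (see the unchanged context lines). If Flower only needs the broker settings from `.django`, drop the `.postgres` entry; if it does need them, the commit message should say why. The same hunk stops at the `pihole:` header, so it is not visible whether pihole received a `restart: unless-stopped` line like every other service touched in base.yml; worth confirming, since the README text in this same commit says DNS is still resolved by Pi-hole when a Gateway is in use.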