diff --git a/.gitignore b/.gitignore
index e6639a7..ecab0e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-reset.sh
\ No newline at end of file
+./reset.sh
\ No newline at end of file
diff --git a/defaults.sh b/defaults.sh
index 2a82396..6f6e1fe 100755
--- a/defaults.sh
+++ b/defaults.sh
@@ -74,6 +74,7 @@ export VM_NAME="sovereign-stack-base"
 export DEV_MEMORY_MB="4096"
 export DEV_CPU_COUNT="4"
 export SSHFS_PATH="/tmp/sshfs_temp"
+mkdir -p "$SSHFS_PATH"
 export DOCKER_IMAGE_CACHE_FQDN="registry-1.docker.io"
 
 export NEXTCLOUD_SPACE_GB=10
@@ -136,3 +137,7 @@ export DEPLOY_MGMT_REGISTRY=true
 export REMOTE_HOME="/home/ubuntu"
 
 export BTCPAY_SERVER_APPPATH="$REMOTE_HOME/btcpayserver-docker"
+export REMOTE_CERT_BASE_DIR="$REMOTE_HOME/.certs"
+
+# this space is for OS, docker images, etc. DOES NOT INCLUDE USER DATA.
+export ROOT_DISK_SIZE_GB=20
\ No newline at end of file
diff --git a/deploy.sh b/deploy.sh
index f28f63e..ddb6a36 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -23,22 +23,25 @@ if ! lsb_release -d | grep -q "Ubuntu 22.04"; then
     exit 1
 fi
 
-MIGRATE_VPS=false
+
 DOMAIN_NAME=
 RESTORE_ARCHIVE=
 VPS_HOSTING_TARGET=lxd
 RUN_CERT_RENEWAL=true
-USER_NO_BACKUP=false
-USER_RUN_RESTORE=false
-RESTORE_WWW_USERDATA=true
+
+RESTORE_WWW=false
+BACKUP_WWW=true
 RESTORE_BTCPAY=false
+BACKUP_BTCPAY=true
+MIGRATE_WWW=false
+MIGRATE_BTCPAY=false
+
 USER_SKIP_WWW=false
 USER_SKIP_BTCPAY=false
 UPDATE_BTCPAY=false
 RECONFIGURE_BTCPAY_SERVER=false
 DEPLOY_BTCPAY_SERVER=false
 CLUSTER_NAME="$(lxc remote get-default)"
-RUN_BACKUP=true
 
 # grab any modifications from the command line.
 for i in "$@"; do
@@ -48,13 +51,14 @@ for i in "$@"; do
             shift
         ;;
         --restore-www)
-            USER_RUN_RESTORE=true
+            RESTORE_WWW=true
+            BACKUP_WWW=false
             RUN_CERT_RENEWAL=false
-            USER_NO_BACKUP=true
             shift
         ;;
         --restore-btcpay)
             RESTORE_BTCPAY=true
+            BACKUP_BTCPAY=false
             shift
         ;;
         --archive=*)
@@ -77,12 +81,21 @@ for i in "$@"; do
             USER_SKIP_BTCPAY=true
             shift
         ;;
-        --no-backup)
-            USER_NO_BACKUP=true
+        --no-backup-www)
+            BACKUP_WWW=false
             shift
         ;;
-        --migrate)
-            MIGRATE_VPS=true
+        --no-backup-btcpay)
+            BACKUP_BTCPAY=false
+            shift
+        ;;
+        --migrate-www)
+            MIGRATE_WWW=true
+            RUN_CERT_RENEWAL=false
+            shift
+        ;;
+        --migrate-btcpay)
+            MIGRATE_BTCPAY=true
             RUN_CERT_RENEWAL=false
             shift
         ;;
@@ -109,7 +122,12 @@ export SSH_HOME="$HOME/.ssh"
 export DOMAIN_NAME="$DOMAIN_NAME"
 export REGISTRY_DOCKER_IMAGE="registry:2"
 export RESTORE_ARCHIVE="$RESTORE_ARCHIVE"
-
+export RESTORE_WWW="$RESTORE_WWW"
+export BACKUP_WWW="$BACKUP_WWW"
+export RESTORE_BTCPAY="$RESTORE_BTCPAY"
+export BACKUP_BTCPAY="$RESTORE_BTCPAY"
+export MIGRATE_WWW="$MIGRATE_WWW"
+export MIGRATE_BTCPAY="$MIGRATE_BTCPAY"
 
 if [ "$VPS_HOSTING_TARGET" = aws ]; then
 
@@ -172,7 +190,7 @@ proxy:
 EOL
 
         # enable docker swarm mode so we can support docker stacks.
-        if ! docker info | grep -q "Swarm: active"; then
+        if docker info | grep -q "Swarm: inactive"; then
             docker swarm init
         fi
 
@@ -192,41 +210,23 @@ function new_pass {
     gpg --gen-random --armor 1 25
 }
 
-if [ "$VPS_HOSTING_TARGET" = lxd ]; then
-    # first let's get the DISK_TO_USE and DATA_PLANE_MACVLAN_INTERFACE from the ss-config
-    # which is set up during LXD cluster creation ss-cluster.
-    LXD_SS_CONFIG_LINE="$(lxc network list --format csv | grep ss-config)"
-    CONFIG_ITEMS="$(echo "$LXD_SS_CONFIG_LINE" | awk -F'"' '{print $2}')"
-    DATA_PLANE_MACVLAN_INTERFACE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f2)"
-    DISK_TO_USE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f3)"
 
-    export DATA_PLANE_MACVLAN_INTERFACE="$DATA_PLANE_MACVLAN_INTERFACE"
-    export DISK_TO_USE="$DISK_TO_USE"
-
-    ./deployment/create_lxc_base.sh
-
-fi
-
-function run_domain {
+function instantiate_vms {
 
     export VPS_HOSTING_TARGET="$VPS_HOSTING_TARGET"
     export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
     export BTC_CHAIN="$BTC_CHAIN"
     export UPDATE_BTCPAY="$UPDATE_BTCPAY"
-    export MIGRATE_VPS="$MIGRATE_VPS"
     export RECONFIGURE_BTCPAY_SERVER="$RECONFIGURE_BTCPAY_SERVER"
 
     # iterate over all our server endpoints and provision them if needed.
     # www
     VPS_HOSTNAME=
 
-
     for VIRTUAL_MACHINE in www btcpayserver; do
         FQDN=
 
-        # shellcheck disable=SC1091
-        source ./shared.sh
-
+        export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
         if [ ! -f "$SITE_PATH/site_definition" ]; then
             echo "ERROR: Something went wrong. Your site_definition is missing."
             exit 1
@@ -234,6 +234,51 @@ function run_domain {
 
         source "$SITE_PATH/site_definition"
 
+        # VALIDATE THE INPUT from the ENVFILE
+        if [ -z "$DOMAIN_NAME" ]; then
+            echo "ERROR: DOMAIN_NAME not specified. Use the --domain-name= option."
+            exit 1
+        fi
+
+        # TODO, ensure VPS_HOSTING_TARGET is in range.
+        export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
+        export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
+        export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"
+        export WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
+        export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME"
+        export NOSTR_FQDN="$NOSTR_HOSTNAME.$DOMAIN_NAME"
+        export ADMIN_ACCOUNT_USERNAME="info"
+        export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
+        export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
+        export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
+        export BTC_CHAIN="$BTC_CHAIN"
+        export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
+        export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"
+
+
+        # ensure the 
+        if [ ! -f "$PROJECT_PATH/project_definition" ]; then 
+            echo "ERROR: Your project_definition is not set."
+            exit 1
+        fi
+
+        source "$PROJECT_PATH/project_definition"
+
+        if [ "$VPS_HOSTING_TARGET" = lxd ]; then
+            # first let's get the DISK_TO_USE and DATA_PLANE_MACVLAN_INTERFACE from the ss-config
+            # which is set up during LXD cluster creation ss-cluster.
+            LXD_SS_CONFIG_LINE="$(lxc network list --format csv | grep ss-config)"
+            CONFIG_ITEMS="$(echo "$LXD_SS_CONFIG_LINE" | awk -F'"' '{print $2}')"
+            DATA_PLANE_MACVLAN_INTERFACE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f2)"
+            DISK_TO_USE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f3)"
+
+            export DATA_PLANE_MACVLAN_INTERFACE="$DATA_PLANE_MACVLAN_INTERFACE"
+            export DISK_TO_USE="$DISK_TO_USE"
+
+            ./deployment/create_lxc_base.sh
+
+        fi
+
         # create the local packup path if it's not there!
         BACKUP_PATH_CREATED=false
 
@@ -247,19 +292,25 @@ function run_domain {
         export REMOTE_BACKUP_PATH="$REMOTE_HOME/backups/$VIRTUAL_MACHINE/$BACKUP_TIMESTAMP"
         LOCAL_BACKUP_PATH="$SITE_PATH/backups/$VIRTUAL_MACHINE/$BACKUP_TIMESTAMP"
         export LOCAL_BACKUP_PATH="$LOCAL_BACKUP_PATH"
-
         export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
         export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
-
         export REMOTE_CERT_DIR="$REMOTE_CERT_BASE_DIR/$FQDN"
         
+
+
+        # ensure the admin has set the MAC address for the base image.
+        if [ -z "$SOVEREIGN_STACK_MAC_ADDRESS" ]; then
+            echo "ERROR: SOVEREIGN_STACK_MAC_ADDRESS is undefined. Check your project definition."
+            exit 1
+        fi
+
         if [ ! -d "$LOCAL_BACKUP_PATH" ]; then
             mkdir -p "$LOCAL_BACKUP_PATH"
             BACKUP_PATH_CREATED=true
-            RESTORE_WWW_USERDATA=false
         fi
 
         DDNS_HOST=
+        MIGRATE_VPS=false
         if [ "$VIRTUAL_MACHINE" = www ]; then
             if [ "$DEPLOY_WWW_SERVER" = false ] || [ "$USER_SKIP_WWW" = true ]; then
                 continue
@@ -269,6 +320,9 @@ function run_domain {
             MAC_ADDRESS_TO_PROVISION="$WWW_MAC_ADDRESS"
             DDNS_HOST="$WWW_HOSTNAME"
             ROOT_DISK_SIZE_GB="$((ROOT_DISK_SIZE_GB + NEXTCLOUD_SPACE_GB))"
+            if [ "$MIGRATE_WWW" = true ]; then
+                MIGRATE_VPS=true
+            fi
         elif [ "$VIRTUAL_MACHINE" = btcpayserver ] || [ "$USER_SKIP_BTCPAY" = true ]; then
             if [ "$DEPLOY_BTCPAY_SERVER" = false ]; then
                 continue
@@ -282,10 +336,14 @@ function run_domain {
             elif [ "$BTC_CHAIN" = testnet ]; then
                 ROOT_DISK_SIZE_GB=70
             fi
+
+            if [ "$MIGRATE_BTCPAY" = true ]; then
+                MIGRATE_VPS=true
+            fi
+
         elif [ "$VIRTUAL_MACHINE" = "sovereign-stack" ]; then
             DDNS_HOST="sovereign-stack-base"
             ROOT_DISK_SIZE_GB=8
-            MAC_ADDRESS_TO_PROVISION="$SOVEREIGN_STACK_MAC_ADDRESS"
         else
             echo "ERROR: VIRTUAL_MACHINE not within allowable bounds."
             exit
@@ -294,8 +352,8 @@ function run_domain {
         export DDNS_HOST="$DDNS_HOST"
         export FQDN="$DDNS_HOST.$DOMAIN_NAME"
         export LXD_VM_NAME="${FQDN//./-}"
+        #${PROJECT_NAME//./-}-
         export REMOTE_BACKUP_PATH="$REMOTE_BACKUP_PATH"
-        export RESTORE_WWW_USERDATA="$RESTORE_WWW_USERDATA"
 
         # This next section of if statements is our sanity checking area.
         if [ "$VPS_HOSTING_TARGET" = aws ]; then
@@ -306,74 +364,6 @@ function run_domain {
             fi
         fi
 
-        if [ "$DEPLOY_GHOST" = true ]; then
-            if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
-                echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
-                exit 1
-            fi
-
-            if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
-                echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-                exit 1
-            fi
-        fi
-
-        if [ "$DEPLOY_GITEA" = true ]; then
-            if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
-                echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
-                exit 1
-            fi
-            if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
-                echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-                exit 1
-            fi
-        fi
-
-        if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-            if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
-                echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-                exit 1
-            fi
-
-            if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
-                echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
-                exit 1
-            fi
-        fi
-
-        if [ "$DEPLOY_NOSTR" = true ]; then
-            if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
-                echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
-                exit 1
-            fi
-
-            if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
-                echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
-                exit 1
-            fi    
-        fi
-
-        if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
-            echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
-            exit 1
-        fi
-
-        if [ -z "$DOMAIN_NAME" ]; then
-            echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
-            exit 1
-        fi
-
-        if [ -z "$DEPLOY_BTCPPAY_SERVER" ]; then
-            echo "ERROR: Ensure DEPLOY_BTCPPAY_SERVER is configured in your site_definition."
-            exit 1
-        fi
-
-        if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then 
-            echo "ERROR: You MUST specify a Nostr public key. This is how you get all your social features."
-            echo "INFO: Go to your site_definition file and set the NOSTR_ACCOUNT_PUBKEY variable."
-            exit 1
-        fi
-    
         MACHINE_EXISTS=false
         if [ "$VPS_HOSTING_TARGET" = aws ] && docker-machine ls -q | grep -q "$FQDN"; then
             MACHINE_EXISTS=true
@@ -383,10 +373,6 @@ function run_domain {
             MACHINE_EXISTS=true
         fi
 
-        if [ "$USER_NO_BACKUP" = true ]; then
-            RUN_BACKUP=false
-        fi
-
         if [ "$MACHINE_EXISTS"  = true ]; then
             # we delete the machine if the user has directed us to
             if [ "$MIGRATE_VPS" = true ]; then
@@ -398,7 +384,7 @@ function run_domain {
 
                 # get a backup of the machine. This is what we restore to the new VPS.
                 echo "INFO: Machine exists.  Since we're going to delete it, let's grab a backup. We don't need to restore services since we're deleting it."
-                RESTORE_BTCPAY=false UPDATE_BTCPAY=false RUN_RESTORE=false RUN_BACKUP=true RUN_SERVICES=false ./deployment/domain_init.sh
+                ./deployment/deploy_vms.sh
 
                 # delete the remote VPS.
                 if [ "$VPS_HOSTING_TARGET" = aws ]; then
@@ -412,17 +398,16 @@ function run_domain {
                     fi
                 elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
                     lxc delete --force "$LXD_VM_NAME"
-                    USER_RUN_RESTORE=true
                 fi
 
                 # Then we run the script again to re-instantiate a new VPS, restoring all user data 
                 # if restore directory doesn't exist, then we end up with a new site.
                 echo "INFO: Recreating the remote VPS then restoring user data."
-                sleep 5
-                RESTORE_BTCPAY=true UPDATE_BTCPAY=false RUN_RESTORE=true RUN_BACKUP=false RUN_SERVICES=true RUN_CERT_RENEWAL=false RESTORE_ARCHIVE="$RESTORE_ARCHIVE" ./deployment/domain_init.sh
-                sleep 5
+                sleep 2
+
+                ./deployment/deploy_vms.sh
             else
-                RESTORE_BTCPAY="$RESTORE_BTCPAY" UPDATE_BTCPAY="$UPDATE_BTCPAY" RUN_RESTORE="$USER_RUN_RESTORE" RUN_BACKUP="$RUN_BACKUP" RUN_SERVICES=true ./deployment/domain_init.sh
+                ./deployment/deploy_vms.sh
             fi
         else
             if [ "$MIGRATE_VPS" = true ]; then
@@ -430,22 +415,54 @@ function run_domain {
             fi
 
             # The machine does not exist. Let's bring it into existence, restoring from latest backup.
-            echo "Machine does not exist. RUN_RESTORE=$USER_RUN_RESTORE RUN_BACKUP=false" 
-            RESTORE_BTCPAY="$RESTORE_BTCPAY" UPDATE_BTCPAY="$UPDATE_BTCPAY" RUN_RESTORE="$USER_RUN_RESTORE" RUN_BACKUP=false RUN_SERVICES=true ./deployment/domain_init.sh
+            echo "Machine does not exist." 
+            ./deployment/deploy_vms.sh
         fi
+
+
     done
 
 }
 
+function run_domain {
+
+    # if the local docker client isn't logged in, do so;
+    # this helps prevent docker pull errors since they throttle.
+    if [ ! -f "$HOME/.docker/config.json" ]; then
+        echo "$REGISTRY_PASSWORD" | docker login --username "$REGISTRY_USERNAME" --password-stdin
+    fi
+
+    # this tells our local docker client to target the remote endpoint via SSH
+    export DOCKER_HOST="ssh://ubuntu@$WWW_FQDN"
+    # enable docker swarm mode so we can support docker stacks.
+    if docker info | grep -q "Swarm: inactive"; then
+        docker swarm init --advertise-addr enp6s0
+    fi
+    bash -c "./deployment/www/go.sh"
+
+
+    export DOCKER_HOST="ssh://ubuntu@$BTCPAY_FQDN"
+
+    # enable docker swarm mode so we can support docker stacks.
+    if docker info | grep -q "Swarm: inactive"; then
+        docker swarm init --advertise-addr enp6s0
+    fi
+
+    bash -c "./deployment/btcpayserver/go.sh"
+
+    echo "Successfully deployed '$DOMAIN_NAME' with git commit '$(cat ./.git/refs/heads/master)' VPS_HOSTING_TARGET=$VPS_HOSTING_TARGET;"
+
+}
+
 function stub_site_definition {
+    mkdir -p "$SITE_PATH" "$PROJECT_PATH/sites"
 
-    export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
-    mkdir -p "$SITE_PATH"
-
-    if [ -f "$SITE_PATH/site_definition" ]; then
-            source ./shared.sh
-    else
+    # create a symlink from the CLUSTERPATH/sites/DOMAIN_NAME to the ss-sites/domain name
+    if [ ! -d "$PROJECT_PATH/sites/$DOMAIN_NAME" ]; then
+        ln -s "$SITE_PATH" "$PROJECT_PATH/sites/$DOMAIN_NAME"
+    fi
 
+    if [ ! -f "$SITE_PATH/site_definition" ]; then
         # check to see if the enf file exists. exist if not.
         SITE_DEFINITION_PATH="$SITE_PATH/site_definition"
         if [ ! -f "$SITE_DEFINITION_PATH" ]; then
@@ -463,10 +480,6 @@ export DUPLICITY_BACKUP_PASSPHRASE="$(new_pass)"
 # AWS only
 #export DDNS_PASSWORD=
 
-## WWW
-export DEPLOY_WWW_SERVER=true
-export WWW_SERVER_MAC_ADDRESS="CHANGE_ME_REQUIRED"
-
 # Deploy APPS to www
 export DEPLOY_GHOST=true
 export DEPLOY_NEXTCLOUD=true
diff --git a/deployment/btcpayserver/go.sh b/deployment/btcpayserver/go.sh
index d5cb918..bc2d99f 100755
--- a/deployment/btcpayserver/go.sh
+++ b/deployment/btcpayserver/go.sh
@@ -23,12 +23,11 @@ elif [ "$RESTORE_BTCPAY" = true ]; then
     
     ./restore.sh
 
-    RUN_BACKUP=false
     RUN_SERVICES=true
     OPEN_URL=true
 
     # if this is a new VM from a migration procedure, then we can now run setup.
-    if [ "$MIGRATE_VPS" = true ]; then
+    if [ "$MIGRATE_BTCPAY" = true ]; then
         ./stub_btcpay_setup.sh
     fi
 
@@ -37,13 +36,12 @@ elif [ "$RECONFIGURE_BTCPAY_SERVER" == true ]; then
     # if so, we re-run setup script.
     ./stub_btcpay_setup.sh
 
-    RUN_BACKUP=false
     RUN_SERVICES=true
     OPEN_URL=true
 fi
 
 # if the script gets this far, then we grab a regular backup.
-if [ "$RUN_BACKUP"  = true ]; then
+if [ "$BACKUP_BTCPAY"  = true ]; then
     # we just grab a regular backup
     ./backup.sh "$UNIX_BACKUP_TIMESTAMP"
 fi
@@ -60,8 +58,8 @@ fi
 if [ "$OPEN_URL" = true ]; then
 
     if [ "$VPS_HOSTING_TARGET" = lxd ]; then
-        if wait-for-it -t 5 "$WWW_FQDN:443"; then
-            xdg-open "https://$WWW_FQDN" > /dev/null 2>&1
+        if wait-for-it -t 5 "$WWW_FQDN:80"; then
+            xdg-open "http://$WWW_FQDN" > /dev/null 2>&1
         fi
     else
         if wait-for-it -t 5 "$FQDN:443"; then
diff --git a/deployment/btcpayserver/stub_btcpay_setup.sh b/deployment/btcpayserver/stub_btcpay_setup.sh
index 93adc99..32f6b36 100755
--- a/deployment/btcpayserver/stub_btcpay_setup.sh
+++ b/deployment/btcpayserver/stub_btcpay_setup.sh
@@ -19,9 +19,6 @@ while [ ! -f /var/lib/cloud/instance/boot-finished ]; do
     sleep 1
 done
 
-#curl -SL https://github.com/docker/compose/releases/download/v2.6.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
-#chmod 0777 /usr/local/bin/docker-compose
-
 if [ ! -d "btcpayserver-docker" ]; then 
     echo "cloning btcpayserver-docker"; 
     git clone -b master https://github.com/btcpayserver/btcpayserver-docker btcpayserver-docker;
@@ -78,5 +75,6 @@ EOL
 
 # send the setup script to the remote machine.
 scp "$SITE_PATH/btcpay.sh" "ubuntu@$FQDN:$REMOTE_HOME/btcpay_setup.sh"
-ssh "$FQDN" "chmod 0744 $REMOTE_HOME/btcpay_setup.sh"
-ssh "$FQDN" "sudo bash -c ./btcpay_setup.sh"
+ssh "$BTCPAY_FQDN" "chmod 0744 $REMOTE_HOME/btcpay_setup.sh"
+ssh "$BTCPAY_FQDN" "sudo bash -c ./btcpay_setup.sh"
+ssh "$BTCPAY_FQDN" "touch $REMOTE_HOME/btcpay.complete"
diff --git a/deployment/domain_init.sh b/deployment/deploy_vms.sh
similarity index 70%
rename from deployment/domain_init.sh
rename to deployment/deploy_vms.sh
index 746e8ea..414090e 100755
--- a/deployment/domain_init.sh
+++ b/deployment/deploy_vms.sh
@@ -33,9 +33,12 @@ function prepare_host {
     # create a directory to store backup archives. This is on all new vms.
     ssh "$FQDN" mkdir -p "$REMOTE_HOME/backups"
 
+    # if this execution is for btcpayserver, then we run the stub/btcpay setup script
+    # but only if it hasn't been executed before.
     if [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
-        echo "INFO: new machine detected. Provisioning BTCPay server scripts."
-        ./btcpayserver/stub_btcpay_setup.sh
+        if [ "$(ssh "$BTCPAY_FQDN" [[ ! -f "$REMOTE_HOME/btcpay.complete" ]]; echo $?)" -eq 0 ]; then
+            ./btcpayserver/stub_btcpay_setup.sh
+        fi
     fi
 
 }
@@ -44,7 +47,6 @@ function prepare_host {
 if [ "$VPS_HOSTING_TARGET" = aws ]; then
     # let's create the remote VPS if needed.
     if ! docker-machine ls -q --filter name="$FQDN" | grep -q "$FQDN"; then
-        RUN_BACKUP=false
 
         ./provision_vps.sh
 
@@ -55,7 +57,6 @@ elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
 
     # if the machine doesn't exist, we create it.
     if ! lxc list --format csv | grep -q "$LXD_VM_NAME"; then
-        export RUN_BACKUP=false
 
         # create a base image if needed and instantiate a VM.
         if [ -z "$MAC_ADDRESS_TO_PROVISION" ]; then
@@ -68,18 +69,5 @@ elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
     fi
 
     prepare_host
+
 fi
-
-# if the local docker client isn't logged in, do so;
-# this helps prevent docker pull errors since they throttle.
-if [ ! -f "$HOME/.docker/config.json" ]; then
-    echo "$REGISTRY_PASSWORD" | docker login --username "$REGISTRY_USERNAME" --password-stdin
-fi
-
-# this tells our local docker client to target the remote endpoint via SSH
-export DOCKER_HOST="ssh://ubuntu@$FQDN"
-
-# the following scripts take responsibility for the rest of the provisioning depending on the app you're deploying.
-bash -c "./$VIRTUAL_MACHINE/go.sh"
-
-echo "Successfully deployed '$DOMAIN_NAME' with git commit '$(cat ./.git/refs/heads/master)' VPS_HOSTING_TARGET=$VPS_HOSTING_TARGET;"
diff --git a/deployment/provision_lxc.sh b/deployment/provision_lxc.sh
index 946cec4..1629a13 100755
--- a/deployment/provision_lxc.sh
+++ b/deployment/provision_lxc.sh
@@ -26,13 +26,9 @@ function run_ddns {
 
                 # we're waiting here to allow dns records to stale out.
                 # this is necessary for certificate renewal; letsencrypt might have stale records
-                # and cert renew won't succeed. HOWEVER, if we're running a restore operation, we SHOULD NOT
-                # do a certificate renewal (we're restoring old certs). Thus it is not necessary to sleep here.
-                if [ "$RUN_RESTORE" = false ]; then
-                    echo "INFO: Waiting $DDNS_SLEEP_SECONDS seconds to allow cached DNS records to expire."
-                    sleep "$DDNS_SLEEP_SECONDS";
-                fi
-                
+                echo "INFO: Waiting $DDNS_SLEEP_SECONDS seconds to allow cached DNS records to expire."
+                sleep "$DDNS_SLEEP_SECONDS";
+    
                 break;
             fi
 
diff --git a/deployment/stub_lxc_profile.sh b/deployment/stub_lxc_profile.sh
index 3958f20..20758c0 100755
--- a/deployment/stub_lxc_profile.sh
+++ b/deployment/stub_lxc_profile.sh
@@ -194,16 +194,16 @@ else
         dhcp4: false
 EOF
 
-    if [[ "$LXD_HOSTNAME" = www-* ]]; then
+    if [[ "$LXD_HOSTNAME" = $WWW_HOSTNAME-* ]]; then
         cat >> "$YAML_PATH" <<EOF
         addresses: [10.139.144.5/24]
         nameservers:
           addresses: [10.139.144.1]
-
+          
 EOF
     fi
 
-    if [[ "$LXD_HOSTNAME" = btcpay-* ]]; then
+    if [[ "$LXD_HOSTNAME" = $BTCPAY_HOSTNAME-* ]]; then
         cat >> "$YAML_PATH" <<EOF
         addresses: [10.139.144.10/24]
         nameservers:
@@ -226,9 +226,7 @@ devices:
     type: disk
 EOF
 
-# TODO get the sovereign-stack lxc profile OFF the lxdbrSS bridge network.
-echo "DATA_PLANE_MACVLAN_INTERFACE: $DATA_PLANE_MACVLAN_INTERFACE"
-
+# Stub out the network piece for the base image.
 if [ "$LXD_HOSTNAME" = sovereign-stack ] ; then
 
 # If we are deploying the www, we attach the vm to the underlay via macvlan.
diff --git a/deployment/www/backup.sh b/deployment/www/backup.sh
index e4970bf..7b71dbf 100755
--- a/deployment/www/backup.sh
+++ b/deployment/www/backup.sh
@@ -9,12 +9,12 @@ cd "$(dirname "$0")"
 # maybe something like https://superuser.com/questions/616182/how-to-mount-local-directory-to-remote-like-sshfs
 
 # step 1: run duplicity on the remote system to backup all files to the remote system.
-ssh "$FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --allow-source-mismatch --exclude "$REMOTE_HOME/backups" "$REMOTE_HOME" "file://$REMOTE_BACKUP_PATH"
-ssh "$FQDN" sudo chown -R ubuntu:ubuntu "$REMOTE_BACKUP_PATH"
+ssh "$WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --allow-source-mismatch --exclude "$REMOTE_HOME/backups" "$REMOTE_HOME" "file://$REMOTE_BACKUP_PATH"
+ssh "$WWW_FQDN" sudo chown -R ubuntu:ubuntu "$REMOTE_BACKUP_PATH"
 
 # now let's pull down the latest files from the backup directory.
 # create a temp directory to serve as the mountpoint for the remote machine backups directory
-sshfs "$FQDN:$REMOTE_BACKUP_PATH" "$SSHFS_PATH"
+sshfs "$WWW_FQDN:$REMOTE_BACKUP_PATH" "$SSHFS_PATH"
 
 # rsync the files from the remote server to our local backup path.
 rsync -av "$SSHFS_PATH/" "$LOCAL_BACKUP_PATH/"
diff --git a/deployment/www/generate_certs.sh b/deployment/www/generate_certs.sh
index ae4c899..1cb06b0 100755
--- a/deployment/www/generate_certs.sh
+++ b/deployment/www/generate_certs.sh
@@ -18,8 +18,8 @@ if [ "$VPS_HOSTING_TARGET" = aws ]; then
         certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
 
 elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
-# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
-# at a cachehing reverse proxy that runs nginx.
+    # with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
+    # at a cachehing reverse proxy that runs nginx.
     docker run -it --rm \
         --name certbot \
         -p 80:80 \
diff --git a/deployment/www/go.sh b/deployment/www/go.sh
index 4d4406d..d9fda0b 100755
--- a/deployment/www/go.sh
+++ b/deployment/www/go.sh
@@ -1,65 +1,115 @@
 #!/bin/bash
 
-set -exu
+set -exuo
 cd "$(dirname "$0")"
 
+if [ "$DEPLOY_GHOST" = true ]; then
+    if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
+        echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
+        exit 1
+    fi
+
+    if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
+        echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
+        exit 1
+    fi
+fi
+
+if [ "$DEPLOY_GITEA" = true ]; then
+    if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
+        echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
+        exit 1
+    fi
+    if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
+        echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
+        exit 1
+    fi
+fi
+
+if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+    if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
+        echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
+        exit 1
+    fi
+
+    if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
+        echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
+        exit 1
+    fi
+fi
+
+if [ "$DEPLOY_NOSTR" = true ]; then
+    if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
+        echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
+        exit 1
+    fi
+
+    if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
+        echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
+        exit 1
+    fi    
+fi
+
+if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
+    echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
+    exit 1
+fi
+
+if [ -z "$DOMAIN_NAME" ]; then
+    echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
+    exit 1
+fi
+
+if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then 
+    echo "ERROR: You MUST specify a Nostr public key. This is how you get all your social features."
+    echo "INFO: Go to your site_definition file and set the NOSTR_ACCOUNT_PUBKEY variable."
+    exit 1
+fi
+
 bash -c ./stub_nginxconf.sh
 
 TOR_CONFIG_PATH=
 
-ssh "$FQDN" mkdir -p "$REMOTE_HOME/ghost_site" "$REMOTE_HOME/ghost_db"
+ssh "$WWW_FQDN" mkdir -p "$REMOTE_HOME/ghost_site" "$REMOTE_HOME/ghost_db"
 
 if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-    ssh "$FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/data"
-    ssh "$FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/logs"
-    ssh "$FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/html"
+    ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/data"
+    ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/logs"
+    ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/html"
 fi
 
 if [ "$DEPLOY_GITEA" = true ]; then
     ssh "$FQDN" "mkdir -p $REMOTE_GITEA_PATH/data $REMOTE_GITEA_PATH/db"
 fi
 
-# enable docker swarm mode so we can support docker stacks.
-if ! docker info | grep -q "Swarm: active"; then
-    docker swarm init --advertise-addr enp6s0
-fi
-
 # stop services.
 if docker stack list --format "{{.Name}}" | grep -q webstack; then
     docker stack rm webstack
     sleep 15
 fi
 
-# this will generate letsencrypt certs and pull them down locally.
-# if [ "$VPS_HOSTING_TARGET" != lxd ]; then
 
-
-# really we should change this if clause to some thing like
-# "if the perimeter firewall allows port 80/443, then go ahead."
-if [ "$RUN_CERT_RENEWAL" = true ]; then
-    ./generate_certs.sh
-fi
-
-if [ "$RUN_BACKUP"  = true ]; then
+if [ "$BACKUP_WWW"  = true ]; then
     ./backup.sh
 fi
 
-if [ "$RUN_RESTORE" = true ]; then
+if [ "$RESTORE_WWW" = true ]; then
     # Generally speaking we try to restore data. But if the BACKUP directory was
     # just created, we know that we'll deploy fresh.
-    if [ "$RESTORE_WWW_USERDATA"  = true ]; then
-        ./restore.sh
-    fi
+    ./restore.sh
+else
+    ./generate_certs.sh
 fi
 
+
 if [ "$DEPLOY_ONION_SITE" = true ]; then
     # ensure the tor image is built
     docker build -t tor:latest ./tor
 
     # if the tor folder doesn't exist, we provision a new one. Otherwise you need to restore.
     # this is how we generate a new torv3 endpoint.
-    if ! ssh "$FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
-        ssh "$FQDN" "mkdir -p $REMOTE_HOME/tor"
+    if ! ssh "$WWW_FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
+        ssh "$WWW_FQDN" "mkdir -p $REMOTE_HOME/tor"
         TOR_CONFIG_PATH="$(pwd)/tor/torrc-init"
         export TOR_CONFIG_PATH="$TOR_CONFIG_PATH"
         docker stack deploy -c ./tor.yml torstack
@@ -68,37 +118,37 @@ if [ "$DEPLOY_ONION_SITE" = true ]; then
         sleep 20
     fi
 
-    ONION_ADDRESS="$(ssh "$FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
+    ONION_ADDRESS="$(ssh "$WWW_FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
     export ONION_ADDRESS="$ONION_ADDRESS"
 
     # # Since we run a separate ghost process, we create a new directory and symlink it to the original
-    # if ! ssh "$FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
-    #     ssh "$FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
+    # if ! ssh "$WWW_FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
+    #     ssh "$WWW_FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
     # fi
 fi
 
-if [ "$RUN_SERVICES" = true ]; then
-    mkdir -p "$SITE_PATH/stacks"
-    DOCKER_YAML_PATH="$SITE_PATH/stacks/www.yml"
-    export DOCKER_YAML_PATH="$DOCKER_YAML_PATH"
-    bash -c ./stub_docker_yml.sh
+#if [ "$RUN_SERVICES" = true ]; then
+mkdir -p "$SITE_PATH/stacks"
+DOCKER_YAML_PATH="$SITE_PATH/stacks/www.yml"
+export DOCKER_YAML_PATH="$DOCKER_YAML_PATH"
+bash -c ./stub_docker_yml.sh
 
-    docker stack deploy -c "$DOCKER_YAML_PATH" webstack
+docker stack deploy -c "$DOCKER_YAML_PATH" webstack
 
-    # start a browser session; point it to port 80 to ensure HTTPS redirect.
-    wait-for-it -t 320 "$FQDN:80"
-    wait-for-it -t 320 "$FQDN:443"
+# start a browser session; point it to port 80 to ensure HTTPS redirect.
+wait-for-it -t 320 "$WWW_FQDN:80"
+wait-for-it -t 320 "$WWW_FQDN:443"
 
-    # open bowser tabs.
-    if [ "$DEPLOY_GHOST" = true ]; then
-        xdg-open "http://$FQDN" > /dev/null 2>&1
-    fi
-
-    if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-        xdg-open "http://$NEXTCLOUD_FQDN" > /dev/null 2>&1
-    fi
-
-    if [ "$DEPLOY_GITEA" = true ]; then
-        xdg-open "http://$GITEA_FQDN" > /dev/null 2>&1
-    fi
+# open bowser tabs.
+if [ "$DEPLOY_GHOST" = true ]; then
+    xdg-open "http://$WWW_FQDN" > /dev/null 2>&1
 fi
+
+if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+    xdg-open "http://$NEXTCLOUD_FQDN" > /dev/null 2>&1
+fi
+
+if [ "$DEPLOY_GITEA" = true ]; then
+    xdg-open "http://$GITEA_FQDN" > /dev/null 2>&1
+fi
+#fi
diff --git a/deployment/www/restore.sh b/deployment/www/restore.sh
index 3f66b41..9cae660 100755
--- a/deployment/www/restore.sh
+++ b/deployment/www/restore.sh
@@ -7,13 +7,13 @@ set -exu
 # indeed, our first step is the delete the home directory on the remote server.
 
 # delete the home directory so we know we are restoring all files from the duplicity archive.
-ssh "$FQDN" sudo rm -rf "$REMOTE_HOME/*"
+ssh "$WWW_FQDN" sudo rm -rf "$REMOTE_HOME/*"
 
 # scp our local backup directory to the remote machine
-ssh "$FQDN" mkdir -p "$REMOTE_BACKUP_PATH"
+ssh "$WWW_FQDN" mkdir -p "$REMOTE_BACKUP_PATH"
 
 # TODO instead of scp the files up there, lets' mount the local backup folder to a remote folder then just run a duplicity restore.
-scp -r "$LOCAL_BACKUP_PATH/" "$FQDN:$REMOTE_HOME/backups/$VIRTUAL_MACHINE"
+scp -r "$LOCAL_BACKUP_PATH/" "$WWW_FQDN:$REMOTE_HOME/backups/$VIRTUAL_MACHINE"
 
 # now we run duplicity to restore the archive.
-ssh "$FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --force restore "file://$REMOTE_BACKUP_PATH/" "$REMOTE_HOME/"
+ssh "$WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --force restore "file://$REMOTE_BACKUP_PATH/" "$REMOTE_HOME/"
diff --git a/deployment/www/stub_docker_yml.sh b/deployment/www/stub_docker_yml.sh
index 01a04b4..ba39d22 100755
--- a/deployment/www/stub_docker_yml.sh
+++ b/deployment/www/stub_docker_yml.sh
@@ -32,7 +32,7 @@ cat >>"$DOCKER_YAML_PATH" <<EOL
     volumes:
       - ${REMOTE_HOME}/ghost_site:/var/lib/ghost/content
     environment:
-      - url=https://${FQDN}
+      - url=https://${WWW_FQDN}
       - database__client=mysql
       - database__connection__host=ghostdb
       - database__connection__user=ghost
@@ -296,7 +296,7 @@ cat >>"$DOCKER_YAML_PATH" <<EOL
 
 configs:
   nginx-config:
-    file: ${SITE_PATH}/nginx.conf
+    file: ${PROJECT_PATH}/nginx.conf
 EOL
 
 if [ "$DEPLOY_ONION_SITE" = true ]; then
diff --git a/deployment/www/stub_nginxconf.sh b/deployment/www/stub_nginxconf.sh
index e2a6517..3431c39 100755
--- a/deployment/www/stub_nginxconf.sh
+++ b/deployment/www/stub_nginxconf.sh
@@ -51,7 +51,7 @@ EOL
 
 # ghost http to https redirects.
 cat >>"$NGINX_CONF_PATH" <<EOL
-    # http://${DOMAIN_NAME} redirect to https://${FQDN}
+    # http://${DOMAIN_NAME} redirect to https://${WWW_FQDN}
     server {
         listen 80;
         listen [::]:80;
@@ -63,15 +63,16 @@ cat >>"$NGINX_CONF_PATH" <<EOL
             return 301 https://${DOMAIN_NAME}\$request_uri;
         }
     }
+
 EOL
 
 cat >>"$NGINX_CONF_PATH" <<EOL
-    # http://${FQDN} redirect to https://${FQDN}
+    # http://${WWW_FQDN} redirect to https://${WWW_FQDN}
     server {
         listen 80;
         listen [::]:80;
-        server_name ${FQDN};
-        return 301 https://${FQDN}\$request_uri;
+        server_name ${WWW_FQDN};
+        return 301 https://${WWW_FQDN}\$request_uri;
     }
 
 EOL
@@ -128,9 +129,6 @@ cat >>"$NGINX_CONF_PATH" <<EOL
     # global TLS settings
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1.3;
-    ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
     ssl_session_tickets off;
@@ -142,19 +140,29 @@ cat >>"$NGINX_CONF_PATH" <<EOL
 
 
     # default server if hostname not specified.
-    #server {
-    #    listen 443 default_server;
-    #    return 403;
-    #}
+    server {
+        listen 443 default_server;
 
-    # map \$http_user_agent \$og_prefix {
-    #     ~*(googlebot|twitterbot)/  /open-graph;
-    # }
+        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+
+        return 403;
+    }
+
+    # maybe helps with Twitter cards.
+    map \$http_user_agent \$og_prefix {
+        ~*(googlebot|twitterbot)/  /open-graph;
+    }
 
     # https://${DOMAIN_NAME} redirect to https://${FQDN}
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
+
+        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
         
         server_name ${DOMAIN_NAME};
 
@@ -176,9 +184,9 @@ EOL
 fi
 
 cat >>"$NGINX_CONF_PATH" <<EOL
-        # catch all; send request to ${FQDN}
+        # catch all; send request to ${WWW_FQDN}
         location / {
-            return 301 https://${FQDN}\$request_uri;
+            return 301 https://${WWW_FQDN}\$request_uri;
         }
 EOL
 #####################################################
@@ -209,6 +217,11 @@ if [ "$VPS_HOSTING_TARGET" = lxd ]; then
     server {
         listen 443 ssl http2;
         ssl on;
+
+        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+
         server_name ${BTCPAY_USER_FQDN};
     
         # Route everything to the real BTCPay server
@@ -246,7 +259,11 @@ cat >>"$NGINX_CONF_PATH" <<EOL
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
 
-        server_name ${FQDN};
+        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+
+        server_name ${WWW_FQDN};
 EOL
 
 # add the Onion-Location header if specifed.
@@ -376,6 +393,11 @@ cat >>"$NGINX_CONF_PATH" <<EOL
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
+
+        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+
         server_name ${NEXTCLOUD_FQDN};
         
         location / {
diff --git a/reset.sh b/reset.sh
index 87ee6b0..e7e1095 100755
--- a/reset.sh
+++ b/reset.sh
@@ -2,10 +2,10 @@
 
 set -x
 
-CLUSTER_NAME=""
-SSH_ENDPOINT_HOSTNAME=""
-SSH_ENDPOINT_DOMAIN_NAME=""
-TEST_DOMAIN=""
+CLUSTER_NAME="development"
+SSH_ENDPOINT_HOSTNAME="atlantis"
+SSH_ENDPOINT_DOMAIN_NAME="ancapistan.io"
+TEST_DOMAIN="ancapistan.casa"
 
 export LXD_VM_NAME="${TEST_DOMAIN//./-}"
 
@@ -21,6 +21,8 @@ lxc profile delete sovereign-stack
 lxc image rm sovereign-stack-base
 lxc image rm ubuntu-base
 
+lxc network delete lxdbrSS
+
 lxc storage delete sovereign-stack
 
 lxc remote switch "local"
@@ -28,6 +30,6 @@ lxc remote remove "$CLUSTER_NAME"
 
 source "$HOME/.bashrc"
 
-./cluster.sh create "$CLUSTER_NAME" "$SSH_ENDPOINT.$DOMAIN_NAME"
+./cluster.sh create "$CLUSTER_NAME" "$SSH_ENDPOINT_HOSTNAME.$SSH_ENDPOINT_DOMAIN_NAME" --data-plane-interface=enp89s0
 
-./deploy.sh
+#./deploy.sh
diff --git a/shared.sh b/shared.sh
deleted file mode 100755
index 987fb8e..0000000
--- a/shared.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-VALUE=${SITE_PATH:-}
-if [ -z "$VALUE" ]; then
-    echo "ERROR: Your SITE_PATH is undefined. Did you specify the domain correctly?"
-    exit 1
-fi
-
-# check to see if the enf file exists. exist if not.
-if [ ! -d "$SITE_PATH" ]; then
-    echo "ERROR: '$SITE_PATH' does not exist."
-    exit 1
-fi
-
-mkdir -p "$SSHFS_PATH"
-
-# VALIDATE THE INPUT from the ENVFILE
-if [ -z "$DOMAIN_NAME" ]; then
-    echo "ERROR: DOMAIN_NAME not specified. Use the --domain-name= option."
-    exit 1
-fi
-
-# TODO, ensure VPS_HOSTING_TARGET is in range.
-export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
-export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
-export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"
-export WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
-export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME"
-export NOSTR_FQDN="$NOSTR_HOSTNAME.$DOMAIN_NAME"
-
-export ADMIN_ACCOUNT_USERNAME="info"
-export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
-export REMOTE_CERT_BASE_DIR="$REMOTE_HOME/.certs"
-
-export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
-export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
-
-# this space is for OS, docker images, etc. DOES NOT INCLUDE USER DATA.
-export ROOT_DISK_SIZE_GB=20
-
-
-export BTC_CHAIN="$BTC_CHAIN"
-export ROOT_DISK_SIZE_GB=$ROOT_DISK_SIZE_GB
-export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
-
-export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"
-
diff --git a/show_lxc.sh b/show_lxc.sh
new file mode 100755
index 0000000..fcc6d5d
--- /dev/null
+++ b/show_lxc.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+lxc list
+lxc network list
+lxc profile list
+lxc storage list
+lxc image list