From 8d0af43339c693d1c99c88584a22c34ed7d55f54 Mon Sep 17 00:00:00 2001
From: Derek Smith <derek@farscapian.com>
Date: Fri, 9 Sep 2022 14:00:07 -0400
Subject: [PATCH] More work on self-hosting + projects.

---
 cluster.sh                        |  46 ++-
 defaults.sh                       |  16 +-
 deploy.sh                         | 211 +++++-------
 deployment/btcpayserver/go.sh     |   7 +-
 deployment/deploy_vms.sh          |   2 +-
 deployment/provision_vps.sh       |   6 +-
 deployment/www/backup.sh          |   6 +-
 deployment/www/generate_certs.sh  |  42 ++-
 deployment/www/go.sh              | 214 +++++++------
 deployment/www/restore.sh         |   8 +-
 deployment/www/stub_docker_yml.sh | 516 ++++++++++++++++--------------
 deployment/www/stub_nginxconf.sh  | 233 +++++++-------
 domain_env.sh                     |  18 ++
 reset.sh                          |  20 +-
 reset_env.sh                      |  22 ++
 15 files changed, 720 insertions(+), 647 deletions(-)
 create mode 100755 domain_env.sh
 create mode 100755 reset_env.sh

diff --git a/cluster.sh b/cluster.sh
index fcf70be..6ce1707 100755
--- a/cluster.sh
+++ b/cluster.sh
@@ -35,16 +35,14 @@ if [ "$COMMAND" = create ]; then
     cat >"$CLUSTER_DEFINITION" <<EOL
 #!/bin/bash
 
-# Note: the path above ./ corresponds to your LXD Remote. If your remote is set to 'cluster1'
-# Then $HOME/ss-clusters/cluster1 will be your cluster working path.
+# see https://www.sovereign-stack.org/cluster_definition for more info!
+
 export LXD_CLUSTER_PASSWORD="$(gpg --gen-random --armor 1 14)"
-
-export PROJECT_NAME="[public|private1|private2]"
-
-# only relevant
+export SOVEREIGN_STACK_MAC_ADDRESS="CHANGE_ME_REQUIRED"
+export PROJECT_NAME="$CLUSTER_NAME-public"
 export REGISTRY_URL="http://$(hostname).$(resolvectl status | grep 'DNS Domain:' | awk '{ print $3 }'):5000"
-export REGISTRY_USERNAME=""
-export REGISTRY_PASSWORD=""
+export REGISTRY_USERNAME="CHANGE_ME"
+export REGISTRY_PASSWORD="CHANGE_ME"
 
 EOL
 
@@ -89,29 +87,29 @@ EOL
             esac
         done
 
-        if [ -z "$DATA_PLANE_MACVLAN_INTERFACE" ]; then
-            echo "INFO: It looks like you didn't provide input on the command line for the data plane macvlan interface."
-            echo "      We need to know which interface that is! Enter it here now."
-            echo ""
+        # if [ -z "$DATA_PLANE_MACVLAN_INTERFACE" ]; then
+        #     echo "INFO: It looks like you didn't provide input on the command line for the data plane macvlan interface."
+        #     echo "      We need to know which interface that is! Enter it here now."
+        #     echo ""
 
-            ssh "ubuntu@$FQDN" ip link
+        #     ssh "ubuntu@$FQDN" ip link
 
-            echo "Please enter the network interface that's dedicated to the Sovereign Stack data plane: "
-            read -r DATA_PLANE_MACVLAN_INTERFACE
+        #     echo "Please enter the network interface that's dedicated to the Sovereign Stack data plane: "
+        #     read -r DATA_PLANE_MACVLAN_INTERFACE
 
-        fi
+        # fi
 
-        if [ -z "$DISK_TO_USE" ]; then
-            echo "INFO: It looks like the DISK_TO_USE has not been set. Enter it now."
-            echo ""
+        # if [ -z "$DISK_TO_USE" ]; then
+        #     echo "INFO: It looks like the DISK_TO_USE has not been set. Enter it now."
+        #     echo ""
 
-            ssh "ubuntu@$FQDN" lsblk
+        #     ssh "ubuntu@$FQDN" lsblk
 
-            USER_DISK=
-            echo "Please enter the disk or partition that Sovereign Stack will use to store data (default: loop):  "
-            read -r USER_DISK
+        #     USER_DISK=
+        #     echo "Please enter the disk or partition that Sovereign Stack will use to store data (default: loop):  "
+        #     read -r USER_DISK
 
-        fi
+        # fi
 
     else
         echo "ERROR: the cluster already exists! You need to go delete your lxd remote if you want to re-create your cluster."
diff --git a/defaults.sh b/defaults.sh
index 6f6e1fe..3020f40 100755
--- a/defaults.sh
+++ b/defaults.sh
@@ -14,7 +14,7 @@ export DEPLOY_GITEA=false
 
 export WWW_HOSTNAME="www"
 export BTCPAY_HOSTNAME="btcpay"
-export BTCPAY_HOSTNAME_IN_CERT="pay"
+export BTCPAY_HOSTNAME_IN_CERT="tip"
 export NEXTCLOUD_HOSTNAME="nextcloud"
 export GITEA_HOSTNAME="git"
 export NOSTR_HOSTNAME="relay"
@@ -82,8 +82,8 @@ export NEXTCLOUD_SPACE_GB=10
 # first of all, if there are uncommited changes, we quit. You better stash or commit!
 # Remote VPS instances are tagged with your current git HEAD so we know which code revision
 # used when provisioning the VPS.
-LATEST_GIT_COMMIT="$(cat ./.git/refs/heads/master)"
-export LATEST_GIT_COMMIT="$LATEST_GIT_COMMIT"
+#LATEST_GIT_COMMIT="$(cat ./.git/refs/heads/master)"
+#export LATEST_GIT_COMMIT="$LATEST_GIT_COMMIT"
 
 # check if there are any uncommited changes. It's dangerous to instantiate VMs using
 # code that hasn't been committed.
@@ -109,18 +109,18 @@ DEFAULT_DB_IMAGE="mariadb:10.8.3-jammy"
 export ENABLE_NGINX_CACHING="$ENABLE_NGINX_CACHING"
 
 # run the docker stack.
-export GHOST_IMAGE="ghost:5.9.4"
+export GHOST_IMAGE="ghost:5.12.3"
 export GHOST_DB_IMAGE="$DEFAULT_DB_IMAGE"
 export NGINX_IMAGE="nginx:1.23.1"
-export NEXTCLOUD_IMAGE="nextcloud:24.0.3"
+export NEXTCLOUD_IMAGE="nextcloud:24.0.4"
 export NEXTCLOUD_DB_IMAGE="$DEFAULT_DB_IMAGE"
 
 export GITEA_IMAGE="gitea/gitea:latest"
 export GITEA_DB_IMAGE="$DEFAULT_DB_IMAGE"
 
 export SOVEREIGN_STACK_MAC_ADDRESS=
-export WWW_MAC_ADDRESS=
-export BTCPAY_MAC_ADDRESS=
+export WWW_SERVER_MAC_ADDRESS=
+export BTCPAYSERVER_MAC_ADDRESS=
 
 export CLUSTERS_DIR="$HOME/ss-clusters"
 export PROJECTS_DIR="$HOME/ss-projects"
@@ -132,7 +132,7 @@ export BASE_LXC_IMAGE="ubuntu/22.04/cloud"
 
 # Deploy a registry cache on your management machine.
 export DEPLOY_MGMT_REGISTRY=true
-
+export OTHER_SITES_LIST=
 
 export REMOTE_HOME="/home/ubuntu"
 
diff --git a/deploy.sh b/deploy.sh
index ddb6a36..94d8a0d 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -128,6 +128,7 @@ export RESTORE_BTCPAY="$RESTORE_BTCPAY"
 export BACKUP_BTCPAY="$RESTORE_BTCPAY"
 export MIGRATE_WWW="$MIGRATE_WWW"
 export MIGRATE_BTCPAY="$MIGRATE_BTCPAY"
+export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
 
 if [ "$VPS_HOSTING_TARGET" = aws ]; then
 
@@ -150,8 +151,8 @@ mkdir -p "$CLUSTER_PATH"
 if [ ! -f "$CLUSTER_PATH/authorized_keys" ]; then
     cat "$SSH_HOME/id_rsa.pub" >> "$CLUSTER_PATH/authorized_keys"
     echo "INFO: Sovereign Stack just stubbed out '$CLUSTER_PATH/authorized_keys'. Go update it."
-    echo "      Add ssh pubkeys for your various management machines, if any. We've stubbed it out"
-    echo "      with your ssh pubkey at '$HOME/.ssh/id_rsa.pub'."
+    echo "      Add ssh pubkeys for your various management machines, if any."
+    echo "      By default we added your main ssh pubkey: '$HOME/.ssh/id_rsa.pub'."
     exit 1
 fi
 
@@ -214,7 +215,6 @@ function new_pass {
 function instantiate_vms {
 
     export VPS_HOSTING_TARGET="$VPS_HOSTING_TARGET"
-    export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
     export BTC_CHAIN="$BTC_CHAIN"
     export UPDATE_BTCPAY="$UPDATE_BTCPAY"
     export RECONFIGURE_BTCPAY_SERVER="$RECONFIGURE_BTCPAY_SERVER"
@@ -227,12 +227,9 @@ function instantiate_vms {
         FQDN=
 
         export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
-        if [ ! -f "$SITE_PATH/site_definition" ]; then
-            echo "ERROR: Something went wrong. Your site_definition is missing."
-            exit 1
-        fi
 
         source "$SITE_PATH/site_definition"
+        source ./domain_env.sh
 
         # VALIDATE THE INPUT from the ENVFILE
         if [ -z "$DOMAIN_NAME" ]; then
@@ -240,34 +237,10 @@ function instantiate_vms {
             exit 1
         fi
 
-        # TODO, ensure VPS_HOSTING_TARGET is in range.
-        export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
-        export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
-        export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"
-        export WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
-        export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME"
-        export NOSTR_FQDN="$NOSTR_HOSTNAME.$DOMAIN_NAME"
-        export ADMIN_ACCOUNT_USERNAME="info"
-        export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
-        export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
-        export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
-        export BTC_CHAIN="$BTC_CHAIN"
-        export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
-        export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"
-
-
-        # ensure the 
-        if [ ! -f "$PROJECT_PATH/project_definition" ]; then 
-            echo "ERROR: Your project_definition is not set."
-            exit 1
-        fi
-
-        source "$PROJECT_PATH/project_definition"
-
         if [ "$VPS_HOSTING_TARGET" = lxd ]; then
             # first let's get the DISK_TO_USE and DATA_PLANE_MACVLAN_INTERFACE from the ss-config
             # which is set up during LXD cluster creation ss-cluster.
-            LXD_SS_CONFIG_LINE="$(lxc network list --format csv | grep ss-config)"
+            LXD_SS_CONFIG_LINE="$(lxc network list --format csv | grep lxdbrSS | grep ss-config)"
             CONFIG_ITEMS="$(echo "$LXD_SS_CONFIG_LINE" | awk -F'"' '{print $2}')"
             DATA_PLANE_MACVLAN_INTERFACE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f2)"
             DISK_TO_USE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f3)"
@@ -286,29 +259,13 @@ function instantiate_vms {
         export MAC_ADDRESS_TO_PROVISION=
         export VPS_HOSTNAME="$VPS_HOSTNAME"
         export FQDN="$VPS_HOSTNAME.$DOMAIN_NAME"
-        export VIRTUAL_MACHINE="$VIRTUAL_MACHINE"
-        BACKUP_TIMESTAMP="$(date +"%Y-%m")"
-        UNIX_BACKUP_TIMESTAMP="$(date +%s)"
-        export REMOTE_BACKUP_PATH="$REMOTE_HOME/backups/$VIRTUAL_MACHINE/$BACKUP_TIMESTAMP"
-        LOCAL_BACKUP_PATH="$SITE_PATH/backups/$VIRTUAL_MACHINE/$BACKUP_TIMESTAMP"
-        export LOCAL_BACKUP_PATH="$LOCAL_BACKUP_PATH"
-        export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
-        export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
-        export REMOTE_CERT_DIR="$REMOTE_CERT_BASE_DIR/$FQDN"
-        
-
-
+       
         # ensure the admin has set the MAC address for the base image.
         if [ -z "$SOVEREIGN_STACK_MAC_ADDRESS" ]; then
             echo "ERROR: SOVEREIGN_STACK_MAC_ADDRESS is undefined. Check your project definition."
             exit 1
         fi
 
-        if [ ! -d "$LOCAL_BACKUP_PATH" ]; then
-            mkdir -p "$LOCAL_BACKUP_PATH"
-            BACKUP_PATH_CREATED=true
-        fi
-
         DDNS_HOST=
         MIGRATE_VPS=false
         if [ "$VIRTUAL_MACHINE" = www ]; then
@@ -317,7 +274,7 @@ function instantiate_vms {
             fi
 
             VPS_HOSTNAME="$WWW_HOSTNAME"
-            MAC_ADDRESS_TO_PROVISION="$WWW_MAC_ADDRESS"
+            MAC_ADDRESS_TO_PROVISION="$WWW_SERVER_MAC_ADDRESS"
             DDNS_HOST="$WWW_HOSTNAME"
             ROOT_DISK_SIZE_GB="$((ROOT_DISK_SIZE_GB + NEXTCLOUD_SPACE_GB))"
             if [ "$MIGRATE_WWW" = true ]; then
@@ -330,7 +287,7 @@ function instantiate_vms {
 
             DDNS_HOST="$BTCPAY_HOSTNAME"
             VPS_HOSTNAME="$BTCPAY_HOSTNAME"
-            MAC_ADDRESS_TO_PROVISION="$BTCPAY_MAC_ADDRESS"
+            MAC_ADDRESS_TO_PROVISION="$BTCPAYSERVER_MAC_ADDRESS"
             if [ "$BTC_CHAIN" = mainnet ]; then
                 ROOT_DISK_SIZE_GB=150
             elif [ "$BTC_CHAIN" = testnet ]; then
@@ -352,8 +309,25 @@ function instantiate_vms {
         export DDNS_HOST="$DDNS_HOST"
         export FQDN="$DDNS_HOST.$DOMAIN_NAME"
         export LXD_VM_NAME="${FQDN//./-}"
-        #${PROJECT_NAME//./-}-
+        BACKUP_TIMESTAMP="$(date +"%Y-%m")"
+        UNIX_BACKUP_TIMESTAMP="$(date +%s)"
+        export VIRTUAL_MACHINE="$VIRTUAL_MACHINE"
+        export REMOTE_BACKUP_PATH="$REMOTE_HOME/backups/$VIRTUAL_MACHINE"
+        export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
+        export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
+        export REMOTE_CERT_DIR="$REMOTE_CERT_BASE_DIR/$FQDN"
         export REMOTE_BACKUP_PATH="$REMOTE_BACKUP_PATH"
+        export MAC_ADDRESS_TO_PROVISION="$MAC_ADDRESS_TO_PROVISION"
+        LOCAL_BACKUP_PATH="$SITE_PATH/backups/$VIRTUAL_MACHINE/$BACKUP_TIMESTAMP"
+        export LOCAL_BACKUP_PATH="$LOCAL_BACKUP_PATH"
+
+        
+
+        if [ ! -d "$LOCAL_BACKUP_PATH" ]; then
+            mkdir -p "$LOCAL_BACKUP_PATH"
+            BACKUP_PATH_CREATED=true
+        fi
+
 
         # This next section of if statements is our sanity checking area.
         if [ "$VPS_HOSTING_TARGET" = aws ]; then
@@ -383,7 +357,8 @@ function instantiate_vms {
                 fi
 
                 # get a backup of the machine. This is what we restore to the new VPS.
-                echo "INFO: Machine exists.  Since we're going to delete it, let's grab a backup. We don't need to restore services since we're deleting it."
+                echo "INFO: Machine exists.  Since we're going to delete it, let's grab a backup. "
+                echo "      We don't need to restore services since we're deleting it."
                 ./deployment/deploy_vms.sh
 
                 # delete the remote VPS.
@@ -411,7 +386,8 @@ function instantiate_vms {
             fi
         else
             if [ "$MIGRATE_VPS" = true ]; then
-                echo "INFO: User has indicated to delete the machine, but it doesn't exist. Going to create it anyway."
+                echo "INFO: User has indicated to delete the machine, but it doesn't exist."
+                echo "      Going to create it anyway."
             fi
 
             # The machine does not exist. Let's bring it into existence, restoring from latest backup.
@@ -419,40 +395,24 @@ function instantiate_vms {
             ./deployment/deploy_vms.sh
         fi
 
+        # if the local docker client isn't logged in, do so;
+        # this helps prevent docker pull errors since they throttle.
+        if [ ! -f "$HOME/.docker/config.json" ]; then
+            echo "$REGISTRY_PASSWORD" | docker login --username "$REGISTRY_USERNAME" --password-stdin
+        fi
+
+        # this tells our local docker client to target the remote endpoint via SSH
+        export DOCKER_HOST="ssh://ubuntu@$PRIMARY_WWW_FQDN"
+
+        # enable docker swarm mode so we can support docker stacks.
+        if docker info | grep -q "Swarm: inactive"; then
+            docker swarm init --advertise-addr enp6s0
+        fi
 
     done
 
 }
 
-function run_domain {
-
-    # if the local docker client isn't logged in, do so;
-    # this helps prevent docker pull errors since they throttle.
-    if [ ! -f "$HOME/.docker/config.json" ]; then
-        echo "$REGISTRY_PASSWORD" | docker login --username "$REGISTRY_USERNAME" --password-stdin
-    fi
-
-    # this tells our local docker client to target the remote endpoint via SSH
-    export DOCKER_HOST="ssh://ubuntu@$WWW_FQDN"
-    # enable docker swarm mode so we can support docker stacks.
-    if docker info | grep -q "Swarm: inactive"; then
-        docker swarm init --advertise-addr enp6s0
-    fi
-    bash -c "./deployment/www/go.sh"
-
-
-    export DOCKER_HOST="ssh://ubuntu@$BTCPAY_FQDN"
-
-    # enable docker swarm mode so we can support docker stacks.
-    if docker info | grep -q "Swarm: inactive"; then
-        docker swarm init --advertise-addr enp6s0
-    fi
-
-    bash -c "./deployment/btcpayserver/go.sh"
-
-    echo "Successfully deployed '$DOMAIN_NAME' with git commit '$(cat ./.git/refs/heads/master)' VPS_HOSTING_TARGET=$VPS_HOSTING_TARGET;"
-
-}
 
 function stub_site_definition {
     mkdir -p "$SITE_PATH" "$PROJECT_PATH/sites"
@@ -471,36 +431,21 @@ function stub_site_definition {
             cat >"$SITE_DEFINITION_PATH" <<EOL
 #!/bin/bash
 
-# Set the domain name for the identity site.
 export DOMAIN_NAME="${DOMAIN_NAME}"
-
-# duplicitiy backup archive password
 export DUPLICITY_BACKUP_PASSPHRASE="$(new_pass)"
-
 # AWS only
 #export DDNS_PASSWORD=
-
-# Deploy APPS to www
+#export BTCPAY_HOSTNAME_IN_CERT="store"
 export DEPLOY_GHOST=true
 export DEPLOY_NEXTCLOUD=true
 export DEPLOY_NOSTR=false
-
-# set if NOSTR_ACCOUNT_PUBKEY=true
 export NOSTR_ACCOUNT_PUBKEY="CHANGE_ME"
-
 export DEPLOY_GITEA=false
 export DEPLOY_ONION_SITE=false
-
-# passwords for WWW apps
-## GHOST
 export GHOST_MYSQL_PASSWORD="$(new_pass)"
 export GHOST_MYSQL_ROOT_PASSWORD="$(new_pass)"
-
-## NEXTCLOUD
 export NEXTCLOUD_MYSQL_PASSWORD="$(new_pass)"
 export NEXTCLOUD_MYSQL_ROOT_PASSWORD="$(new_pass)"
-
-## GITEA
 export GITEA_MYSQL_PASSWORD="$(new_pass)"
 export GITEA_MYSQL_ROOT_PASSWORD="$(new_pass)"
 
@@ -526,40 +471,25 @@ function stub_project_definition {
         cat >"$PROJECT_DEFINITION_PATH" <<EOL
 #!/bin/bash
 
-# for more info about this file and how to use it, see
-# www.sovereign-stack.org/project-defintion
+# see https://www.sovereign-stack.org/project-definition for more info.
 
-# Createa a DHCP reservation for the baseline image.
-export SOVEREIGN_STACK_MAC_ADDRESS="CHANGE_ME_REQUIRED"
-
-# Create a DHCP reservation for the www/reverse proxy VM.
 export DEPLOY_WWW_SERVER=true
 export WWW_SERVER_MAC_ADDRESS="CHANGE_ME_REQUIRED"
-
-# Create a DHCP reservation for the btcpay server VM.
-export DEPLOY_BTCPAY_SERVER=false
+export DEPLOY_BTCPAY_SERVER=true
 export BTCPAYSERVER_MAC_ADDRESS="CHANGE_ME_REQUIRED"
-
-# valid are 'regtest', 'testnet', and 'mainnet'
-export BTC_CHAIN=regtest
-
-# set to true to enable nginx caching; helps when making website updates.
+# export BTC_CHAIN=mainnet
 # export ENABLE_NGINX_CACHING=true
-
-# A list of all sites in ~/ss-sites/ that will be deployed under the project.
-# e.g., 'domain1.tld,domain2.tld,domain3.tld'.
-export SITE_LIST="domain1.tld"
-
+export PRIMARY_DOMAIN="CHANGE_ME"
+export OTHER_SITES_LIST=
 EOL
 
         chmod 0744 "$PROJECT_DEFINITION_PATH"
         echo "INFO: we stubbed a new project_defition for you at '$PROJECT_DEFINITION_PATH'. Go update it yo!"
-        echo "INFO: Learn more at https://www.sovereign-stack.org/project-defition/"
+        echo "INFO: Learn more at https://www.sovereign-stack.org/project-definitions/"
         exit 1
 
     fi
 
-
     # source project defition.
     source "$PROJECT_DEFINITION_PATH"
 }
@@ -568,13 +498,13 @@ EOL
 if [ "$VPS_HOSTING_TARGET" = lxd ]; then
 
     CURRENT_PROJECT="$(lxc info | grep "project:" | awk '{print $2}')"
-    PROJECT_PATH="$PROJECTS_DIR/$CURRENT_PROJECT"
+    PROJECT_PATH="$PROJECTS_DIR/$PROJECT_NAME"
     mkdir -p "$PROJECT_PATH" "$CLUSTER_PATH/projects"
     export PROJECT_PATH="$PROJECT_PATH"
     
     # create a symlink from ./clusterpath/projects/project
-    if [ ! -d "$CLUSTER_PATH/projects/$CURRENT_PROJECT" ]; then
-        ln -s "$PROJECT_PATH" "$CLUSTER_PATH/projects/$CURRENT_PROJECT"
+    if [ ! -d "$CLUSTER_PATH/projects/$PROJECT_NAME" ]; then
+        ln -s "$PROJECT_PATH" "$CLUSTER_PATH/projects/$PROJECT_NAME"
     fi
 
     # check if we need to provision a new lxc project.
@@ -589,29 +519,36 @@ if [ "$VPS_HOSTING_TARGET" = lxd ]; then
 
     fi
 
+    # stub out the project definition if needed.
     stub_project_definition
+    
+    # the DOMAIN_LIST is a complete list of all our domains. We often iterate over this list.
+    export DOMAIN_LIST="${PRIMARY_DOMAIN},${OTHER_SITES_LIST}"
+    export DOMAIN_COUNT=$(("$(echo $DOMAIN_LIST | tr -cd , | wc -c)"+1))
 
-    # iterate through our site list as provided by operator from cluster_definition
-    iteration=0
-    for DOMAIN_NAME in ${SITE_LIST//,/ }; do
+    # let's provision our primary domain first.
+    export DOMAIN_NAME="$PRIMARY_DOMAIN"
+    export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
+    export PRIMARY_WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
+    
+    stub_site_definition
+    
+    # bring the vms up under the primary domain name.
+    instantiate_vms
+
+    # let's stub out the rest of our site definitions, if any.
+    for DOMAIN_NAME in ${OTHER_SITES_LIST//,/ }; do
         export DOMAIN_NAME="$DOMAIN_NAME"
         export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
 
-        # the vms are named accordignt to the first domain listed.
-        if [ $iteration = 0 ]; then
-            # bring the vms up
-            instantiate_vms
-        fi
-
         # stub out the site_defition if it's doesn't exist.
         stub_site_definition
-
-        # run the logic for a domain deployment.
-        run_domain
-
-        iteration=$((iteration+1))
     done
 
+    # now let's run the www and btcpay-specific provisioning scripts.
+    bash -c "./deployment/www/go.sh"
+    bash -c "./deployment/btcpayserver/go.sh"
+
 elif [ "$VPS_HOSTING_TARGET" = aws ]; then
     stub_site_definition
 
diff --git a/deployment/btcpayserver/go.sh b/deployment/btcpayserver/go.sh
index bc2d99f..338c309 100755
--- a/deployment/btcpayserver/go.sh
+++ b/deployment/btcpayserver/go.sh
@@ -3,7 +3,10 @@
 set -eux
 cd "$(dirname "$0")"
 
+export DOCKER_HOST="ssh://ubuntu@$BTCPAY_FQDN"
+
 OPEN_URL=false
+RUN_SERVICES=false
 
 # we will re-run the btcpayserver provisioning scripts if directed to do so.
 # if an update does occur, we grab another backup.
@@ -58,8 +61,8 @@ fi
 if [ "$OPEN_URL" = true ]; then
 
     if [ "$VPS_HOSTING_TARGET" = lxd ]; then
-        if wait-for-it -t 5 "$WWW_FQDN:80"; then
-            xdg-open "http://$WWW_FQDN" > /dev/null 2>&1
+        if wait-for-it -t 5 "$PRIMARY_WWW_FQDN:80"; then
+            xdg-open "http://$PRIMARY_WWW_FQDN" > /dev/null 2>&1
         fi
     else
         if wait-for-it -t 5 "$FQDN:443"; then
diff --git a/deployment/deploy_vms.sh b/deployment/deploy_vms.sh
index 414090e..4fa04fa 100755
--- a/deployment/deploy_vms.sh
+++ b/deployment/deploy_vms.sh
@@ -60,7 +60,7 @@ elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
 
         # create a base image if needed and instantiate a VM.
         if [ -z "$MAC_ADDRESS_TO_PROVISION" ]; then
-            echo "ERROR: You MUST define a MAC Address for all your machines by setting WWW_MAC_ADDRESS, BTCPAY_MAC_ADDRESS in your site defintion."
+            echo "ERROR: You MUST define a MAC Address for all your machines by setting WWW_SERVER_MAC_ADDRESS, BTCPAYSERVER_MAC_ADDRESS in your site defintion."
             echo "INFO: IMPORTANT! You MUST have DHCP Reservations for these MAC addresses. You also need static DNS entries."
             exit 1
         fi
diff --git a/deployment/provision_vps.sh b/deployment/provision_vps.sh
index 1d65494..5d8b551 100755
--- a/deployment/provision_vps.sh
+++ b/deployment/provision_vps.sh
@@ -47,9 +47,8 @@ if [ "$VIRTUAL_MACHINE" = www ] || [ "$VIRTUAL_MACHINE" = certonly ]; then
         --amazonec2-ami "$AWS_AMI_ID" \
         --amazonec2-root-size "$ROOT_DISK_SIZE_GB" \
         --amazonec2-instance-type "$WWW_INSTANCE_TYPE" \
-        --engine-label commit="$LATEST_GIT_COMMIT" \
         "$FQDN"
-        
+            #    --engine-label commit="$LATEST_GIT_COMMIT" \
 elif [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
     # creates a public VM in AWS and provisions the bcm website.
     docker-machine create --driver amazonec2 \
@@ -62,9 +61,8 @@ elif [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
         --amazonec2-ami "$AWS_AMI_ID" \
         --amazonec2-root-size "$ROOT_DISK_SIZE_GB" \
         --amazonec2-instance-type "$BTCPAY_INSTANCE_TYPE" \
-        --engine-label commit="$LATEST_GIT_COMMIT" \
         "$FQDN"
-
+#        --engine-label commit="$LATEST_GIT_COMMIT" \
 fi
 
 docker-machine scp "$CLUSTER_PATH/authorized_keys" "$FQDN:$REMOTE_HOME/authorized_keys"
diff --git a/deployment/www/backup.sh b/deployment/www/backup.sh
index 7b71dbf..59cb5ce 100755
--- a/deployment/www/backup.sh
+++ b/deployment/www/backup.sh
@@ -9,12 +9,12 @@ cd "$(dirname "$0")"
 # maybe something like https://superuser.com/questions/616182/how-to-mount-local-directory-to-remote-like-sshfs
 
 # step 1: run duplicity on the remote system to backup all files to the remote system.
-ssh "$WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --allow-source-mismatch --exclude "$REMOTE_HOME/backups" "$REMOTE_HOME" "file://$REMOTE_BACKUP_PATH"
-ssh "$WWW_FQDN" sudo chown -R ubuntu:ubuntu "$REMOTE_BACKUP_PATH"
+ssh "$PRIMARY_WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --allow-source-mismatch --exclude "$REMOTE_HOME/backups" "$REMOTE_HOME" "file://$REMOTE_BACKUP_PATH"
+ssh "$PRIMARY_WWW_FQDN" sudo chown -R ubuntu:ubuntu "$REMOTE_BACKUP_PATH"
 
 # now let's pull down the latest files from the backup directory.
 # create a temp directory to serve as the mountpoint for the remote machine backups directory
-sshfs "$WWW_FQDN:$REMOTE_BACKUP_PATH" "$SSHFS_PATH"
+sshfs "$PRIMARY_WWW_FQDN:$REMOTE_BACKUP_PATH" "$SSHFS_PATH"
 
 # rsync the files from the remote server to our local backup path.
 rsync -av "$SSHFS_PATH/" "$LOCAL_BACKUP_PATH/"
diff --git a/deployment/www/generate_certs.sh b/deployment/www/generate_certs.sh
index 1cb06b0..19329fd 100755
--- a/deployment/www/generate_certs.sh
+++ b/deployment/www/generate_certs.sh
@@ -2,6 +2,7 @@
 
 set -ex
 
+
 # let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
 docker pull certbot/certbot:latest
 
@@ -20,13 +21,38 @@ if [ "$VPS_HOSTING_TARGET" = aws ]; then
 elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
     # with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
     # at a cachehing reverse proxy that runs nginx.
-    docker run -it --rm \
-        --name certbot \
-        -p 80:80 \
-        -p 443:443 \
-        -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
-        -v /var/lib/letsencrypt:/var/lib/letsencrypt \
-        -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
-        certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
+    # docker run -it --rm \
+    #     --name certbot \
+    #     -p 80:80 \
+    #     -p 443:443 \
+    #     -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
+    #     -v /var/lib/letsencrypt:/var/lib/letsencrypt \
+    #     -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
+    #     certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$PRIMARY_WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
 
+
+    for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
+        export DOMAIN_NAME="$DOMAIN_NAME"
+        export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
+    
+        # source the site path so we know what features it has.
+        source ../../reset_env.sh
+        source "$SITE_PATH/site_definition"
+        source ../../domain_env.sh
+
+        # with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
+        # at a cachehing reverse proxy that runs nginx.
+
+        ssh "$PRIMARY_WWW_FQDN" sudo mkdir -p "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME/_logs"
+
+        docker run -it --rm \
+            --name certbot \
+            -p 80:80 \
+            -p 443:443 \
+            -v "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME":/etc/letsencrypt \
+            -v /var/lib/letsencrypt:/var/lib/letsencrypt \
+            -v "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME/_logs":/var/log/letsencrypt \
+            certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
+
+    done
 fi
diff --git a/deployment/www/go.sh b/deployment/www/go.sh
index d9fda0b..57c6163 100755
--- a/deployment/www/go.sh
+++ b/deployment/www/go.sh
@@ -1,94 +1,109 @@
 #!/bin/bash
 
-set -exuo
+set -exu
 cd "$(dirname "$0")"
 
-if [ "$DEPLOY_GHOST" = true ]; then
-    if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
-        echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-
-    if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
-        echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-fi
-
-if [ "$DEPLOY_GITEA" = true ]; then
-    if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
-        echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-    if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
-        echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-fi
-
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-    if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
-        echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-
-    if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
-        echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-fi
-
-if [ "$DEPLOY_NOSTR" = true ]; then
-    if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
-        echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
-        exit 1
-    fi
-
-    if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
-        echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
-        exit 1
-    fi    
-fi
-
-if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
-    echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
-    exit 1
-fi
-
-if [ -z "$DOMAIN_NAME" ]; then
-    echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
-    exit 1
-fi
-
-if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then 
-    echo "ERROR: You MUST specify a Nostr public key. This is how you get all your social features."
-    echo "INFO: Go to your site_definition file and set the NOSTR_ACCOUNT_PUBKEY variable."
-    exit 1
-fi
-
+# Create the nginx config file which covers all domains.
 bash -c ./stub_nginxconf.sh
 
-TOR_CONFIG_PATH=
+# redirect all docker commands to the remote host.
+export DOCKER_HOST="ssh://ubuntu@$PRIMARY_WWW_FQDN"
 
-ssh "$WWW_FQDN" mkdir -p "$REMOTE_HOME/ghost_site" "$REMOTE_HOME/ghost_db"
+for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
+    export DOMAIN_NAME="$DOMAIN_NAME"
+    export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
 
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-    ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/data"
-    ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/logs"
-    ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/html"
-fi
+    # source the site path so we know what features it has.
+    source ../../reset_env.sh
+    source "$SITE_PATH/site_definition"
+    source ../../domain_env.sh
 
-if [ "$DEPLOY_GITEA" = true ]; then
-    ssh "$FQDN" "mkdir -p $REMOTE_GITEA_PATH/data $REMOTE_GITEA_PATH/db"
-fi
 
+    ### Let's check to ensure all the requiredsettings are set.
+    if [ "$DEPLOY_GHOST" = true ]; then
+        if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
+            echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
+            exit 1
+        fi
+
+        if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
+            echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
+            exit 1
+        fi
+    fi
+
+    if [ "$DEPLOY_GITEA" = true ]; then
+        if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
+            echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
+            exit 1
+        fi
+        if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
+            echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
+            exit 1
+        fi
+    fi
+
+    if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+        if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
+            echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
+            exit 1
+        fi
+
+        if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
+            echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
+            exit 1
+        fi
+    fi
+
+    if [ "$DEPLOY_NOSTR" = true ]; then
+        if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
+            echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
+            exit 1
+        fi
+
+        if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
+            echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
+            exit 1
+        fi    
+    fi
+
+    if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
+        echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
+        exit 1
+    fi
+
+    if [ -z "$DOMAIN_NAME" ]; then
+        echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
+        exit 1
+    fi
+
+    if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then 
+        echo "ERROR: You MUST specify a Nostr public key. This is how you get all your social features."
+        echo "INFO: Go to your site_definition file and set the NOSTR_ACCOUNT_PUBKEY variable."
+        exit 1
+    fi
+
+    TOR_CONFIG_PATH=
+
+    if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/data"
+        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/logs"
+        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/html"
+    fi
+
+    if [ "$DEPLOY_GITEA" = true ]; then
+        ssh "$FQDN" "mkdir -p $REMOTE_GITEA_PATH/data $REMOTE_GITEA_PATH/db"
+    fi
+
+done
+
+### The next series of commands 
 # stop services.
 if docker stack list --format "{{.Name}}" | grep -q webstack; then
     docker stack rm webstack
     sleep 15
 fi
 
-
 if [ "$BACKUP_WWW"  = true ]; then
     ./backup.sh
 fi
@@ -98,7 +113,10 @@ if [ "$RESTORE_WWW" = true ]; then
     # just created, we know that we'll deploy fresh.
     ./restore.sh
 else
-    ./generate_certs.sh
+
+    if [ "$RUN_CERT_RENEWAL" = true ]; then
+        ./generate_certs.sh
+    fi
 fi
 
 
@@ -108,8 +126,8 @@ if [ "$DEPLOY_ONION_SITE" = true ]; then
 
     # if the tor folder doesn't exist, we provision a new one. Otherwise you need to restore.
     # this is how we generate a new torv3 endpoint.
-    if ! ssh "$WWW_FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
-        ssh "$WWW_FQDN" "mkdir -p $REMOTE_HOME/tor"
+    if ! ssh "$PRIMARY_WWW_FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
+        ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_HOME/tor"
         TOR_CONFIG_PATH="$(pwd)/tor/torrc-init"
         export TOR_CONFIG_PATH="$TOR_CONFIG_PATH"
         docker stack deploy -c ./tor.yml torstack
@@ -118,37 +136,31 @@ if [ "$DEPLOY_ONION_SITE" = true ]; then
         sleep 20
     fi
 
-    ONION_ADDRESS="$(ssh "$WWW_FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
+    ONION_ADDRESS="$(ssh "$PRIMARY_WWW_FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
     export ONION_ADDRESS="$ONION_ADDRESS"
 
     # # Since we run a separate ghost process, we create a new directory and symlink it to the original
-    # if ! ssh "$WWW_FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
-    #     ssh "$WWW_FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
+    # if ! ssh "$PRIMARY_WWW_FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
+    #     ssh "$PRIMARY_WWW_FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
     # fi
 fi
 
-#if [ "$RUN_SERVICES" = true ]; then
-mkdir -p "$SITE_PATH/stacks"
-DOCKER_YAML_PATH="$SITE_PATH/stacks/www.yml"
-export DOCKER_YAML_PATH="$DOCKER_YAML_PATH"
 bash -c ./stub_docker_yml.sh
 
-docker stack deploy -c "$DOCKER_YAML_PATH" webstack
+# # start a browser session; point it to port 80 to ensure HTTPS redirect.
+# wait-for-it -t 320 "$PRIMARY_WWW_FQDN:80"
+# wait-for-it -t 320 "$PRIMARY_WWW_FQDN:443"
 
-# start a browser session; point it to port 80 to ensure HTTPS redirect.
-wait-for-it -t 320 "$WWW_FQDN:80"
-wait-for-it -t 320 "$WWW_FQDN:443"
+# # open bowser tabs.
+# if [ "$DEPLOY_GHOST" = true ]; then
+#     xdg-open "http://$PRIMARY_WWW_FQDN" > /dev/null 2>&1
+# fi
 
-# open bowser tabs.
-if [ "$DEPLOY_GHOST" = true ]; then
-    xdg-open "http://$WWW_FQDN" > /dev/null 2>&1
-fi
+# if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+#     xdg-open "http://$NEXTCLOUD_FQDN" > /dev/null 2>&1
+# fi
 
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-    xdg-open "http://$NEXTCLOUD_FQDN" > /dev/null 2>&1
-fi
-
-if [ "$DEPLOY_GITEA" = true ]; then
-    xdg-open "http://$GITEA_FQDN" > /dev/null 2>&1
-fi
-#fi
+# if [ "$DEPLOY_GITEA" = true ]; then
+#     xdg-open "http://$GITEA_FQDN" > /dev/null 2>&1
+# fi
+# #fi
diff --git a/deployment/www/restore.sh b/deployment/www/restore.sh
index 9cae660..3c6e65b 100755
--- a/deployment/www/restore.sh
+++ b/deployment/www/restore.sh
@@ -7,13 +7,13 @@ set -exu
 # indeed, our first step is the delete the home directory on the remote server.
 
 # delete the home directory so we know we are restoring all files from the duplicity archive.
-ssh "$WWW_FQDN" sudo rm -rf "$REMOTE_HOME/*"
+ssh "$PRIMARY_WWW_FQDN" sudo rm -rf "$REMOTE_HOME/*"
 
 # scp our local backup directory to the remote machine
-ssh "$WWW_FQDN" mkdir -p "$REMOTE_BACKUP_PATH"
+ssh "$PRIMARY_WWW_FQDN" mkdir -p "$REMOTE_BACKUP_PATH"
 
 # TODO instead of scp the files up there, lets' mount the local backup folder to a remote folder then just run a duplicity restore.
-scp -r "$LOCAL_BACKUP_PATH/" "$WWW_FQDN:$REMOTE_HOME/backups/$VIRTUAL_MACHINE"
+scp -r "$LOCAL_BACKUP_PATH" "$PRIMARY_WWW_FQDN:$REMOTE_BACKUP_PATH"
 
 # now we run duplicity to restore the archive.
-ssh "$WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --force restore "file://$REMOTE_BACKUP_PATH/" "$REMOTE_HOME/"
+ssh "$PRIMARY_WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --force restore "file://$REMOTE_BACKUP_PATH/$BACKUP_TIMESTAMP" "$REMOTE_HOME/"
diff --git a/deployment/www/stub_docker_yml.sh b/deployment/www/stub_docker_yml.sh
index ba39d22..27a4dad 100755
--- a/deployment/www/stub_docker_yml.sh
+++ b/deployment/www/stub_docker_yml.sh
@@ -1,40 +1,119 @@
 #!/bin/bash
 
-set -eu
+set -eux
 cd "$(dirname "$0")"
 
 
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-    if [ -z "$ONION_ADDRESS" ]; then
-        echo "ERROR: ONION_ADDRESS is not defined."
-        exit 1
-    fi
-fi
 
 
-# here's the NGINX config. We support ghost and nextcloud.
-echo "" > "$DOCKER_YAML_PATH"
+ssh "$PRIMARY_WWW_FQDN" sudo rm -rf /home/ubuntu/ghost
+sleep 4
 
-cat >>"$DOCKER_YAML_PATH" <<EOL
+
+#https://github.com/fiatjaf/expensive-relay
+# NOSTR RELAY WHICH REQUIRES PAYMENTS.
+DOCKER_YAML_PATH="$PROJECT_PATH/nginx.yml"
+cat > "$DOCKER_YAML_PATH" <<EOL
+version: "3.8"
+services:
+
+  nginx:
+    image: ${NGINX_IMAGE}
+    ports:
+      - 0.0.0.0:443:443
+      - 0.0.0.0:80:80
+    networks:
+EOL
+
+    for i in $(seq 0 $DOMAIN_COUNT); do
+        cat >> "$DOCKER_YAML_PATH" <<EOL
+        - ghostnet-$i
+EOL
+    done
+
+        cat >> "$DOCKER_YAML_PATH" <<EOL
+    volumes:
+      - ${REMOTE_HOME}/letsencrypt:/etc/letsencrypt:ro
+    configs:
+      - source: nginx-config
+        target: /etc/nginx/nginx.conf
+    deploy:
+      restart_policy:
+        condition: on-failure
+        
+configs:
+  nginx-config:
+    file: ${PROJECT_PATH}/nginx.conf
+
+EOL
+
+    cat >> "$DOCKER_YAML_PATH" <<EOL
+networks:
+EOL
+
+    for i in $(seq 0 $DOMAIN_COUNT); do
+        cat >> "$DOCKER_YAML_PATH" <<EOL
+  ghostnet-$i:
+    attachable: true
+
+EOL
+    done
+
+
+docker stack deploy -c "$DOCKER_YAML_PATH" "reverse-proxy"
+
+
+# iterate over all our domains and create the nginx config file.
+
+
+domain_number=0
+for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
+    export DOMAIN_NAME="$DOMAIN_NAME"
+    export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
+
+    ssh "$PRIMARY_WWW_FQDN" mkdir -p "$REMOTE_HOME/ghost/$DOMAIN_NAME/ghost" "$REMOTE_HOME/ghost/$DOMAIN_NAME/db"
+
+    # source the site path so we know what features it has.
+    source ../../reset_env.sh
+    source "$SITE_PATH/site_definition"
+    source ../../domain_env.sh
+
+    STACK_TAG="ghost-$domain_number"
+
+    # todo append domain number or port number.
+    mkdir -p "$SITE_PATH/webstack"
+    DOCKER_YAML_PATH="$SITE_PATH/webstack/$STACK_TAG.yml"
+    export DOCKER_YAML_PATH="$DOCKER_YAML_PATH"
+    # if [ "$DEPLOY_ONION_SITE" = true ]; then
+    #     if [ -z "$ONION_ADDRESS" ]; then
+    #         echo "ERROR: ONION_ADDRESS is not defined."
+    #         exit 1
+    #     fi
+    # fi
+
+    # here's the NGINX config. We support ghost and nextcloud.
+    echo "" > "$DOCKER_YAML_PATH"
+
+    cat >>"$DOCKER_YAML_PATH" <<EOL
 version: "3.8"
 services:
 
 EOL
 
 
-# This is the ghost for HTTPS (not over Tor)
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  ghost:
+    # This is the ghost for HTTPS (not over Tor)
+    cat >>"$DOCKER_YAML_PATH" <<EOL
+  ghost-${domain_number}:
     image: ${GHOST_IMAGE}
     networks:
-      - ghost-net
-      - ghostdb-net
+      - ghostnet-${domain_number}
+      - ghostdbnet-${domain_number}
     volumes:
-      - ${REMOTE_HOME}/ghost_site:/var/lib/ghost/content
+      - ${REMOTE_HOME}/ghost/${DOMAIN_NAME}/ghost:/var/lib/ghost/content
     environment:
-      - url=https://${WWW_FQDN}
+      - url=https://${PRIMARY_WWW_FQDN}
       - database__client=mysql
-      - database__connection__host=ghostdb
+      - database__connection__host=ghostdb-${domain_number}
       - database__connection__user=ghost
       - database__connection__password=\${GHOST_MYSQL_PASSWORD}
       - database__connection__database=ghost
@@ -44,12 +123,12 @@ cat >>"$DOCKER_YAML_PATH" <<EOL
       restart_policy:
         condition: on-failure
 
-  ghostdb:
+  ghostdb-${domain_number}:
     image: ${GHOST_DB_IMAGE}
     networks:
-      - ghostdb-net
+      - ghostdbnet-${domain_number}
     volumes:
-      - ${REMOTE_HOME}/ghost_db:/var/lib/mysql
+      - ${REMOTE_HOME}/ghost/${DOMAIN_NAME}/db:/var/lib/mysql
     environment:
        - MYSQL_ROOT_PASSWORD=\${GHOST_MYSQL_ROOT_PASSWORD}
        - MYSQL_DATABASE=ghost
@@ -62,247 +141,214 @@ cat >>"$DOCKER_YAML_PATH" <<EOL
 EOL
 
 
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  nextcloud-db:
-    image: ${NEXTCLOUD_DB_IMAGE}
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
-    networks:
-      - nextclouddb-net
-    volumes:
-      - ${REMOTE_HOME}/nextcloud/db/data:/var/lib/mysql
-    environment:
-      - MARIADB_ROOT_PASSWORD=\${NEXTCLOUD_MYSQL_ROOT_PASSWORD}
-      - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-    deploy:
-      restart_policy:
-        condition: on-failure
+#     if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+#         cat >>"$DOCKER_YAML_PATH" <<EOL
+#   nextcloud-db:
+#     image: ${NEXTCLOUD_DB_IMAGE}
+#     command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
+#     networks:
+#       - nextclouddb-net
+#     volumes:
+#       - ${REMOTE_HOME}/nextcloud/db/data:/var/lib/mysql
+#     environment:
+#       - MARIADB_ROOT_PASSWORD=\${NEXTCLOUD_MYSQL_ROOT_PASSWORD}
+#       - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
+#       - MYSQL_DATABASE=nextcloud
+#       - MYSQL_USER=nextcloud
+#     deploy:
+#       restart_policy:
+#         condition: on-failure
 
-  nextcloud:
-    image: ${NEXTCLOUD_IMAGE}
-    networks:
-      - nextclouddb-net
-      - nextcloud-net
-    volumes:
-      - ${REMOTE_HOME}/nextcloud/html:/var/www/html
-    environment:
-      - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-      - MYSQL_HOST=nextcloud-db
-      - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN_NAME}
-      - OVERWRITEHOST=${NEXTCLOUD_FQDN}
-      - OVERWRITEPROTOCOL=https
-      - SERVERNAME=${NEXTCLOUD_FQDN}
-    deploy:
-      restart_policy:
-        condition: on-failure
+#   nextcloud:
+#     image: ${NEXTCLOUD_IMAGE}
+#     networks:
+#       - nextclouddb-net
+#       - nextcloud-net
+#     volumes:
+#       - ${REMOTE_HOME}/nextcloud/html:/var/www/html
+#     environment:
+#       - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
+#       - MYSQL_DATABASE=nextcloud
+#       - MYSQL_USER=nextcloud
+#       - MYSQL_HOST=nextcloud-db
+#       - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN_NAME}
+#       - OVERWRITEHOST=${NEXTCLOUD_FQDN}
+#       - OVERWRITEPROTOCOL=https
+#       - SERVERNAME=${NEXTCLOUD_FQDN}
+#     deploy:
+#       restart_policy:
+#         condition: on-failure
 
-EOL
-fi
+# EOL
+#     fi
 
-if [ "$DEPLOY_NOSTR" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  # TODO
+#     if [ "$DEPLOY_GITEA" = true ]; then
+#         cat >>"$DOCKER_YAML_PATH" <<EOL
+#   gitea:
+#     image: ${GITEA_IMAGE}
+#     volumes:
+#       - ${REMOTE_GITEA_PATH}/data:/data
+#       - /etc/timezone:/etc/timezone:ro
+#       - /etc/localtime:/etc/localtime:ro
+#     environment:
+#       - USER_UID=1000
+#       - USER_GID=1000
+#       - ROOT_URL=https://${GITEA_FQDN}
+#       - GITEA__database__DB_TYPE=mysql
+#       - GITEA__database__HOST=gitea-db:3306
+#       - GITEA__database__NAME=gitea
+#       - GITEA__database__USER=gitea
+#       - GITEA__PASSWD=\${GITEA_MYSQL_PASSWORD}
+#     networks:
+#       - gitea-net
+#       - giteadb-net
+#     deploy:
+#       restart_policy:
+#         condition: on-failure
 
-
-EOL
-fi
-
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  gitea:
-    image: ${GITEA_IMAGE}
-    volumes:
-      - ${REMOTE_GITEA_PATH}/data:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    environment:
-      - USER_UID=1000
-      - USER_GID=1000
-      - ROOT_URL=https://${GITEA_FQDN}
-      - GITEA__database__DB_TYPE=mysql
-      - GITEA__database__HOST=gitea-db:3306
-      - GITEA__database__NAME=gitea
-      - GITEA__database__USER=gitea
-      - GITEA__PASSWD=\${GITEA_MYSQL_PASSWORD}
-    networks:
-      - gitea-net
-      - giteadb-net
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-  gitea-db:
-    image: ${GITEA_DB_IMAGE}
-    networks:
-      - giteadb-net
-    volumes:
-      - ${REMOTE_GITEA_PATH}/db:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD=\${GITEA_MYSQL_ROOT_PASSWORD}
-      - MYSQL_PASSWORD=\${GITEA_MYSQL_PASSWORD}
-      - MYSQL_DATABASE=gitea
-      - MYSQL_USER=gitea
-    deploy:
-      restart_policy:
-        condition: on-failure
-EOL
-fi
+#   gitea-db:
+#     image: ${GITEA_DB_IMAGE}
+#     networks:
+#       - giteadb-net
+#     volumes:
+#       - ${REMOTE_GITEA_PATH}/db:/var/lib/mysql
+#     environment:
+#       - MYSQL_ROOT_PASSWORD=\${GITEA_MYSQL_ROOT_PASSWORD}
+#       - MYSQL_PASSWORD=\${GITEA_MYSQL_PASSWORD}
+#       - MYSQL_DATABASE=gitea
+#       - MYSQL_USER=gitea
+#     deploy:
+#       restart_policy:
+#         condition: on-failure
+# EOL
+#     fi
 
 
 
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  # a hidden service that routes to the nginx container at http://onionurl.onion server block
-  tor-onion:
-    image: tor:latest
-    networks:
-      - tor-net
-    volumes:
-      - ${REMOTE_HOME}/tor:/var/lib/tor
-      - tor-logs:/var/log/tor
-    configs:
-      - source: tor-config
-        target: /etc/tor/torrc
-        mode: 0644
-    deploy:
-      mode: replicated
-      replicas: 1
-      restart_policy:
-        condition: on-failure
+#     if [ "$DEPLOY_ONION_SITE" = true ]; then
+#         cat >>"$DOCKER_YAML_PATH" <<EOL
+#   # a hidden service that routes to the nginx container at http://onionurl.onion server block
+#   tor-onion:
+#     image: tor:latest
+#     networks:
+#       - tor-net
+#     volumes:
+#       - ${REMOTE_HOME}/tor:/var/lib/tor
+#       - tor-logs:/var/log/tor
+#     configs:
+#       - source: tor-config
+#         target: /etc/tor/torrc
+#         mode: 0644
+#     deploy:
+#       mode: replicated
+#       replicas: 1
+#       restart_policy:
+#         condition: on-failure
 
-  tor-ghost:
-    image: ${GHOST_IMAGE}
-    networks:
-      - ghostdb-net
-      - ghost-net
-    volumes:
-      - ${REMOTE_HOME}/tor_ghost:/var/lib/ghost/content
-    environment:
-      - url=https://${ONION_ADDRESS}
-      - database__client=mysql
-      - database__connection__host=ghostdb
-      - database__connection__user=ghost
-      - database__connection__password=\${GHOST_MYSQL_PASSWORD}
-      - database__connection__database=ghost
-    deploy:
-      restart_policy:
-        condition: on-failure
+#   tor-ghost:
+#     image: ${GHOST_IMAGE}
+#     networks:
+#       - ghostdb-net
+#       - ghost-net
+#     volumes:
+#       - ${REMOTE_HOME}/tor_ghost:/var/lib/ghost/content
+#     environment:
+#       - url=https://${ONION_ADDRESS}
+#       - database__client=mysql
+#       - database__connection__host=ghostdb
+#       - database__connection__user=ghost
+#       - database__connection__password=\${GHOST_MYSQL_PASSWORD}
+#       - database__connection__database=ghost
+#     deploy:
+#       restart_policy:
+#         condition: on-failure
 
-EOL
-fi
+# EOL
+#     fi
 
 
-#https://github.com/fiatjaf/expensive-relay
-# NOSTR RELAY WHICH REQUIRES PAYMENTS.
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  nginx:
-    image: ${NGINX_IMAGE}
-    ports:
-      - 0.0.0.0:443:443
-      - 0.0.0.0:80:80
-    networks:
-      - ghost-net
-EOL
+#     if [ "$DEPLOY_ONION_SITE" = true ]; then
+# cat >>"$DOCKER_YAML_PATH" <<EOL
+#       - torghost-net
+# EOL
+#     fi
 
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - torghost-net
-EOL
-fi
+#     if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+# cat >>"$DOCKER_YAML_PATH" <<EOL
+#       - nextcloud-net
+# EOL
+#     fi
 
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - nextcloud-net
-EOL
-fi
+#     if [ "$DEPLOY_GITEA" = true ]; then
+# cat >>"$DOCKER_YAML_PATH" <<EOL
+#       - gitea-net
+# EOL
+#     fi
 
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - gitea-net
-EOL
-fi
+#     if [ "$DEPLOY_ONION_SITE" = true ]; then
+# cat >>"$DOCKER_YAML_PATH" <<EOL
+#       - tor-net
+# EOL
+#     fi
 
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - tor-net
-EOL
-fi
-
-# the rest of the nginx config
-cat >>"$DOCKER_YAML_PATH" <<EOL
-    volumes:
-      - ${REMOTE_HOME}/letsencrypt:/etc/letsencrypt:ro
-    configs:
-      - source: nginx-config
-        target: /etc/nginx/nginx.conf
-    deploy:
-      restart_policy:
-        condition: on-failure
-        
-EOL
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
+#     if [ "$DEPLOY_ONION_SITE" = true ]; then
+#         cat >>"$DOCKER_YAML_PATH" <<EOL
   
-volumes:
-  tor-data:
-  tor-logs:
+# volumes:
+#   tor-data:
+#   tor-logs:
 
-EOL
-fi
-#-------------------------
+# EOL
+#     fi
+#     #-------------------------
 
 # networks ----------------------
-cat >>"$DOCKER_YAML_PATH" <<EOL
+    cat >>"$DOCKER_YAML_PATH" <<EOL
 networks:
 EOL
 
-if [ "$DEPLOY_GHOST" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  ghost-net:
-  ghostdb-net:
+    if [ "$DEPLOY_GHOST" = true ]; then
+        cat >>"$DOCKER_YAML_PATH" <<EOL
+    ghostnet-${domain_number}:
+      name: "reverse-proxy_ghostnet-${domain_number}"
+      external: true
+    ghostdbnet-${domain_number}:
 EOL
-fi
+    fi
 
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  nextclouddb-net:
-  nextcloud-net:
-EOL
-fi
+#     if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+#         cat >>"$DOCKER_YAML_PATH" <<EOL
+#   nextclouddb-net:
+#   nextcloud-net:
+# EOL
+#     fi
 
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  gitea-net:
-  giteadb-net:
-EOL
-fi
+#     if [ "$DEPLOY_GITEA" = true ]; then
+#         cat >>"$DOCKER_YAML_PATH" <<EOL
+#   gitea-net:
+#   giteadb-net:
+# EOL
+#     fi
 
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  tor-net:
-  torghost-net:
-EOL
-fi
-# -------------------------------
+#     if [ "$DEPLOY_ONION_SITE" = true ]; then
+#         cat >>"$DOCKER_YAML_PATH" <<EOL
+#   tor-net:
+#   torghost-net:
+# EOL
+#     fi
+#     # -------------------------------
 
 
-# configs ----------------------
-cat >>"$DOCKER_YAML_PATH" <<EOL
+#     if [ "$DEPLOY_ONION_SITE" = true ]; then
+#         cat >>"$DOCKER_YAML_PATH" <<EOL
+#   tor-config:
+#     file: $(pwd)/tor/torrc
+# EOL
+#     fi
+#     # -----------------------------
 
-configs:
-  nginx-config:
-    file: ${PROJECT_PATH}/nginx.conf
-EOL
 
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  tor-config:
-    file: $(pwd)/tor/torrc
-EOL
-fi
-# -----------------------------
+    docker stack deploy -c "$DOCKER_YAML_PATH" "$STACK_TAG"
+
+    domain_number=$((domain_number+1))
+done
diff --git a/deployment/www/stub_nginxconf.sh b/deployment/www/stub_nginxconf.sh
index 3431c39..1efc5ee 100755
--- a/deployment/www/stub_nginxconf.sh
+++ b/deployment/www/stub_nginxconf.sh
@@ -4,17 +4,29 @@ set -eu
 cd "$(dirname "$0")"
 
 
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-    if [ -z "$ONION_ADDRESS" ]; then
-        echo "ERROR: ONION_ADDRESS is not defined."
-        exit 1
-    fi
-fi
-
 # here's the NGINX config. We support ghost and nextcloud.
 NGINX_CONF_PATH="$PROJECT_PATH/nginx.conf"
+
+# clear the existing nginx config.
 echo "" > "$NGINX_CONF_PATH"
-cat >>"$NGINX_CONF_PATH" <<EOL
+
+# iterate over all our domains and create the nginx config file.
+iteration=0
+echo "DOMAIN_LIST: $DOMAIN_LIST"
+
+for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
+    export DOMAIN_NAME="$DOMAIN_NAME"
+    export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
+    export CONTAINER_TLS_PATH="/etc/letsencrypt/${DOMAIN_NAME}/live/${DOMAIN_NAME}"
+    
+    # source the site path so we know what features it has.
+    source ../../reset_env.sh
+    source "$SITE_PATH/site_definition"
+    source ../../domain_env.sh
+
+    echo "Doing DOMAIN_NAME: $DOMAIN_NAME"
+    if [ $iteration = 0 ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
 events {
     worker_connections  1024;
 }
@@ -25,14 +37,13 @@ http {
     
     # next two sets commands and connection_upgrade block come from https://docs.btcpayserver.org/FAQ/Deployment/#can-i-use-an-existing-nginx-server-as-a-reverse-proxy-with-ssl-termination
     # Needed to allow very long URLs to prevent issues while signing PSBTs
-    server_names_hash_bucket_size 128;
-    proxy_buffer_size          128k;
-    proxy_buffers              4 256k;
-    proxy_busy_buffers_size    256k;
-    client_header_buffer_size 500k;
-    large_client_header_buffers 4 500k;
-    http2_max_field_size       500k;
-    http2_max_header_size      500k;
+    server_names_hash_bucket_size   128;
+    proxy_buffer_size               128k;
+    proxy_buffers                   4 256k;
+    proxy_busy_buffers_size         256k;
+    client_header_buffer_size       500k;
+    large_client_header_buffers     4 500k;
+    http2_max_header_size           500k;
 
     # Needed websocket support (used by Ledger hardware wallets)
     map \$http_upgrade \$connection_upgrade {
@@ -43,14 +54,14 @@ http {
     # return 403 for all non-explicit hostnames
     server {
        listen 80 default_server;
-       return 403;
+       return 301 https://${WWW_FQDN}\$request_uri;
     }
 
 EOL
+    fi
 
-
-# ghost http to https redirects.
-cat >>"$NGINX_CONF_PATH" <<EOL
+    # ghost http to https redirects.
+    cat >>"$NGINX_CONF_PATH" <<EOL
     # http://${DOMAIN_NAME} redirect to https://${WWW_FQDN}
     server {
         listen 80;
@@ -66,7 +77,7 @@ cat >>"$NGINX_CONF_PATH" <<EOL
 
 EOL
 
-cat >>"$NGINX_CONF_PATH" <<EOL
+    cat >>"$NGINX_CONF_PATH" <<EOL
     # http://${WWW_FQDN} redirect to https://${WWW_FQDN}
     server {
         listen 80;
@@ -77,9 +88,9 @@ cat >>"$NGINX_CONF_PATH" <<EOL
 
 EOL
 
-# nextcloud http-to-https redirect
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+    # nextcloud http-to-https redirect
+    if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
     # http://${NEXTCLOUD_FQDN} redirect to https://${NEXTCLOUD_FQDN}
     server {
         listen 80;
@@ -89,11 +100,11 @@ cat >>"$NGINX_CONF_PATH" <<EOL
     }
 
 EOL
-fi
+    fi
 
-# gitea http to https redirect.
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+    # gitea http to https redirect.
+    if [ "$DEPLOY_GITEA" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
     # http://${GITEA_FQDN} redirect to https://${GITEA_FQDN}
     server {
         listen 80;
@@ -103,12 +114,12 @@ cat >>"$NGINX_CONF_PATH" <<EOL
     }
 
 EOL
-fi
+    fi
 
-# REDIRECT FOR BTCPAY_USER_FQDN
-if [ "$VPS_HOSTING_TARGET" = lxd ]; then
-    # gitea http to https redirect.
-    if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
+    # REDIRECT FOR BTCPAY_USER_FQDN
+    if [ "$VPS_HOSTING_TARGET" = lxd ]; then
+        # gitea http to https redirect.
+        if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
         
         cat >>"$NGINX_CONF_PATH" <<EOL
     # http://${BTCPAY_USER_FQDN} redirect to https://${BTCPAY_USER_FQDN}
@@ -121,11 +132,13 @@ if [ "$VPS_HOSTING_TARGET" = lxd ]; then
 
 EOL
 
+        fi
     fi
-fi
-
-# TLS config for ghost.
-cat >>"$NGINX_CONF_PATH" <<EOL
+    
+    
+    if [ "$iteration" = 0 ]; then
+        # TLS config for ghost.
+        cat >>"$NGINX_CONF_PATH" <<EOL
     # global TLS settings
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1.3;
@@ -143,34 +156,42 @@ cat >>"$NGINX_CONF_PATH" <<EOL
     server {
         listen 443 default_server;
 
-        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
+        ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
+        ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
 
         return 403;
     }
 
     # maybe helps with Twitter cards.
-    map \$http_user_agent \$og_prefix {
-        ~*(googlebot|twitterbot)/  /open-graph;
-    }
+    #map \$http_user_agent \$og_prefix {
+    #    ~*(googlebot|twitterbot)/  /open-graph;
+    #}
+EOL
+    fi
 
-    # https://${DOMAIN_NAME} redirect to https://${FQDN}
+        cat >>"$NGINX_CONF_PATH" <<EOL
+    # https://${DOMAIN_NAME} redirect to https://${WWW_FQDN}
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
 
-        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
+        ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
+        ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
         
         server_name ${DOMAIN_NAME};
 
-EOL
-###########################################
+        # catch all; send request to ${WWW_FQDN}
+        location / {
+            return 301 https://${WWW_FQDN}\$request_uri;
+        }
 
-if [ "$DEPLOY_NOSTR" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+EOL
+
+
+    if [ "$DEPLOY_NOSTR" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
         # We return a JSON object with name/pubkey mapping per NIP05.
         # https://www.reddit.com/r/nostr/comments/rrzk76/nip05_mapping_usernames_to_dns_domains_by_fiatjaf/sssss
         # TODO I'm not sure about the security of this Access-Control-Allow-Origin. Read up and restrict it if possible.
@@ -181,46 +202,38 @@ cat >>"$NGINX_CONF_PATH" <<EOL
         }
         
 EOL
-fi
+    fi
 
-cat >>"$NGINX_CONF_PATH" <<EOL
-        # catch all; send request to ${WWW_FQDN}
-        location / {
-            return 301 https://${WWW_FQDN}\$request_uri;
-        }
-EOL
-#####################################################
-cat >>"$NGINX_CONF_PATH" <<EOL
+    cat >>"$NGINX_CONF_PATH" <<EOL
     }
 
     #access_log /var/log/nginx/ghost-access.log;
     #error_log /var/log/nginx/ghost-error.log;
-
 EOL
 
+
 if [ "$ENABLE_NGINX_CACHING" = true ]; then
 cat >>"$NGINX_CONF_PATH" <<EOL
     # main TLS listener; proxies requests to ghost service. NGINX configured to cache
     proxy_cache_path /tmp/nginx_ghost levels=1:2 keys_zone=ghostcache:600m max_size=100m inactive=24h;
 EOL
-fi
+    fi
 
 
-
-# SERVER block for BTCPAY Server
-if [ "$VPS_HOSTING_TARGET" = lxd ]; then
-    # gitea http to https redirect.
-    if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
+    # SERVER block for BTCPAY Server
+    if [ "$VPS_HOSTING_TARGET" = lxd ]; then
+        # gitea http to https redirect.
+        if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
         
-        cat >>"$NGINX_CONF_PATH" <<EOL
+            cat >>"$NGINX_CONF_PATH" <<EOL
     # http://${BTCPAY_USER_FQDN} redirect to https://${BTCPAY_USER_FQDN}
     server {
         listen 443 ssl http2;
         ssl on;
 
-        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
+        ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
+        ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
 
         server_name ${BTCPAY_USER_FQDN};
     
@@ -240,42 +253,34 @@ if [ "$VPS_HOSTING_TARGET" = lxd ]; then
 
 EOL
 
+        fi
     fi
-fi
-
-
-
-
-
-
-
-
 
 
 
 # the open server block for the HTTPS listener
-cat >>"$NGINX_CONF_PATH" <<EOL
+    cat >>"$NGINX_CONF_PATH" <<EOL
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
 
-        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
+        ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
+        ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
 
         server_name ${WWW_FQDN};
 EOL
 
-# add the Onion-Location header if specifed.
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+    # add the Onion-Location header if specifed.
+    if [ "$DEPLOY_ONION_SITE" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
         add_header Onion-Location https://${ONION_ADDRESS}\$request_uri;
         
 EOL
-fi
+    fi
 
-if [ "$ENABLE_NGINX_CACHING" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+    if [ "$ENABLE_NGINX_CACHING" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
 
         # No cache + keep cookies for admin and previews
         location ~ ^/(ghost/|p/|private/) {
@@ -284,14 +289,14 @@ cat >>"$NGINX_CONF_PATH" <<EOL
             proxy_set_header X-Forwarded-For    \$proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto  \$scheme;
             proxy_intercept_errors  on;
-            proxy_pass http://ghost:2368;
+            proxy_pass http://ghost-${iteration}:2368;
         }
         
 EOL
 fi
 
 # proxy config for ghost
-cat >>"$NGINX_CONF_PATH" <<EOL
+    cat >>"$NGINX_CONF_PATH" <<EOL
         # Set the crawler policy.
         location = /robots.txt { 
             add_header Content-Type text/plain;
@@ -306,11 +311,11 @@ cat >>"$NGINX_CONF_PATH" <<EOL
             proxy_set_header X-Forwarded-For    \$proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto  \$scheme;
             proxy_intercept_errors  on;
-            proxy_pass http://ghost:2368;
+            proxy_pass http://ghost-${iteration}:2368;
 EOL
 
-if [ "$ENABLE_NGINX_CACHING" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+    if [ "$ENABLE_NGINX_CACHING" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
             # https://stanislas.blog/2019/08/ghost-nginx-cache/ for nginx caching instructions
             # Remove cookies which are useless for anonymous visitor and prevent caching
             proxy_ignore_headers Set-Cookie Cache-Control;
@@ -338,10 +343,10 @@ cat >>"$NGINX_CONF_PATH" <<EOL
             proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
    
 EOL
-fi
+    fi
 
 # this is the closing location / block for the ghost HTTPS segment
-cat >>"$NGINX_CONF_PATH" <<EOL
+    cat >>"$NGINX_CONF_PATH" <<EOL
         }
 
 EOL
@@ -354,19 +359,19 @@ EOL
         #     proxy_set_header X-Forwarded-For    \$proxy_add_x_forwarded_for;
         #     proxy_set_header X-Forwarded-Proto  \$scheme;
         #     proxy_intercept_errors  on;
-        #     proxy_pass http://ghost:2368\$og_prefix\$request_uri;
+        #     proxy_pass http://ghost-${iteration}::2368\$og_prefix\$request_uri;
         # }
 
 # this is the closing server block for the ghost HTTPS segment
-cat >>"$NGINX_CONF_PATH" <<EOL
+    cat >>"$NGINX_CONF_PATH" <<EOL
     
     }
 
 EOL
 
 # tor config
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+    if [ "$DEPLOY_ONION_SITE" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
     # server listener for tor v3 onion endpoint
     server {
         listen 443 ssl http2;
@@ -385,18 +390,18 @@ cat >>"$NGINX_CONF_PATH" <<EOL
         }
     }
 EOL
-fi
+    fi
 
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+    if [ "$DEPLOY_NEXTCLOUD" = true ]; then
+        cat >>"$NGINX_CONF_PATH" <<EOL
     # TLS listener for ${NEXTCLOUD_FQDN}
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
 
-        ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+        ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
+        ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
+        ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
 
         server_name ${NEXTCLOUD_FQDN};
         
@@ -422,11 +427,12 @@ cat >>"$NGINX_CONF_PATH" <<EOL
         }
     }
 EOL
-fi
+
+    fi
 
 
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
+    if [ "$DEPLOY_GITEA" = true ]; then
+    cat >>"$NGINX_CONF_PATH" <<EOL
     # TLS listener for ${GITEA_FQDN}
     server {
         listen 443 ssl http2;
@@ -447,9 +453,12 @@ cat >>"$NGINX_CONF_PATH" <<EOL
         }
     }
 EOL
-fi
+    fi
+
+    iteration=$((iteration+1))
+done
 
 # add the closing brace.
 cat >>"$NGINX_CONF_PATH" <<EOL
 }
-EOL
\ No newline at end of file
+EOL
diff --git a/domain_env.sh b/domain_env.sh
new file mode 100755
index 0000000..39ff60e
--- /dev/null
+++ b/domain_env.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -ex
+
+# TODO, ensure VPS_HOSTING_TARGET is in range.
+export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
+export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
+export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"
+export WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
+export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME"
+export NOSTR_FQDN="$NOSTR_HOSTNAME.$DOMAIN_NAME"
+export ADMIN_ACCOUNT_USERNAME="info"
+export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
+export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
+export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
+export BTC_CHAIN="$BTC_CHAIN"
+export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
+export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"
diff --git a/reset.sh b/reset.sh
index e7e1095..524e10e 100755
--- a/reset.sh
+++ b/reset.sh
@@ -2,20 +2,23 @@
 
 set -x
 
-CLUSTER_NAME="development"
 SSH_ENDPOINT_HOSTNAME="atlantis"
 SSH_ENDPOINT_DOMAIN_NAME="ancapistan.io"
 TEST_DOMAIN="ancapistan.casa"
+CLUSTER_NAME="development"
 
 export LXD_VM_NAME="${TEST_DOMAIN//./-}"
 
-lxc delete --force www-"$LXD_VM_NAME"
-lxc delete --force btcpay-"$LXD_VM_NAME"
-lxc delete --force sovereign-stack
-lxc delete --force sovereign-stack-base
+if [ -n "$TEST_DOMAIN" ]; then
+    lxc delete --force www-"$LXD_VM_NAME"
+    lxc delete --force btcpay-"$LXD_VM_NAME"
+    lxc delete --force sovereign-stack
+    lxc delete --force sovereign-stack-base
+
+    lxc profile delete www-"$LXD_VM_NAME"
+    lxc profile delete btcpay-"$LXD_VM_NAME"
+fi
 
-lxc profile delete www-"$LXD_VM_NAME"
-lxc profile delete btcpay-"$LXD_VM_NAME"
 lxc profile delete sovereign-stack
 
 lxc image rm sovereign-stack-base
@@ -30,6 +33,7 @@ lxc remote remove "$CLUSTER_NAME"
 
 source "$HOME/.bashrc"
 
-./cluster.sh create "$CLUSTER_NAME" "$SSH_ENDPOINT_HOSTNAME.$SSH_ENDPOINT_DOMAIN_NAME" --data-plane-interface=enp89s0
+./cluster.sh create "$CLUSTER_NAME" "$SSH_ENDPOINT_HOSTNAME.$SSH_ENDPOINT_DOMAIN_NAME" 
+#--data-plane-interface=enp89s0
 
 #./deploy.sh
diff --git a/reset_env.sh b/reset_env.sh
new file mode 100755
index 0000000..1b1f9b9
--- /dev/null
+++ b/reset_env.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -ex
+
+export DOMAIN_NAME=
+export DUPLICITY_BACKUP_PASSPHRASE=
+export BTCPAY_HOSTNAME_IN_CERT=
+export DEPLOY_GHOST=true
+export DEPLOY_NEXTCLOUD=true
+export DEPLOY_NOSTR=false
+export NOSTR_ACCOUNT_PUBKEY=
+export DEPLOY_GITEA=false
+export DEPLOY_ONION_SITE=false
+export GHOST_MYSQL_PASSWORD=
+export GHOST_MYSQL_ROOT_PASSWORD=
+export NEXTCLOUD_MYSQL_PASSWORD=
+export NEXTCLOUD_MYSQL_ROOT_PASSWORD=
+export GITEA_MYSQL_PASSWORD=
+export GITEA_MYSQL_ROOT_PASSWORD=
+
+SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "$SCRIPT_DIR/defaults.sh"