Update project.

Update project head.
2024-02-15 10:22:48 -05:00 · 2024-02-15 10:09:59 -05:00 · 2024-02-15 10:05:16 -05:00 · 2024-02-11 20:31:35 -05:00 · 2024-02-11 20:31:27 -05:00 · 2024-02-11 20:14:38 -05:00
65 changed files with 2736 additions and 2282 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,19 +1 @@
-archive/*
-
-# these are generated files, so we don't commit them. But they still show up
-# so that's useful for development.
-cloud-init.yml
-
-# this gets generated locally then push to remote vps for execution.
-temp_btcpay.sh
-
-nginx.conf
-
-# this file can be used by the USER to reset the LXD stack. It deletes a lxc machine VM (which you should update)
-# then clears the lxd stack including profile, images, and storage pools
-# then runs go.sh
-reset.sh
-
-# you can create an env in this directory. The code will source it if the file exists. 
-# This is a good place to put your LXD info
-#env
+archive
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
+[submodule "deployment/project"]
+	path = deployment/project
+	url = https://git.sovereign-stack.org/ss/project
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,37 @@
+{
+    "editor.renderWhitespace": "boundary",
+    "editor.tabSize": 4,
+    "editor.detectIndentation": false,
+    "editor.insertSpaces": true,
+    "editor.cursorBlinking": "phase",
+    "editor.cursorWidth": 3,
+    "editor.formatOnSave": true,
+    "shellcheck.enable": true,
+    "shellcheck.enableQuickFix": true,
+    "shellcheck.run": "onType",
+    "shellcheck.executablePath": "shellcheck",
+    "shellcheck.customArgs": [
+        "-x"
+    ],
+    "shellcheck.ignorePatterns": {},
+    // "shellcheck.exclude": [
+    //     "SC1090",
+    //     "SC1091",
+    //     "SC2029"
+    // ],
+    "terminal.integrated.fontFamily": "monospace",
+    "workbench.colorCustomizations": {
+        "activityBar.background": "#1900a565",
+        "activityBar.foreground": "#e7e7e7",
+        "activityBar.inactiveForeground": "#e7e7e799",
+        "activityBarBadge.background": "#7143fc",
+        "activityBarBadge.foreground": "#e7e7e7",
+        "titleBar.activeBackground": "#029727",
+        "titleBar.inactiveBackground": "#02972799",
+        "titleBar.activeForeground": "#e7e7e7",
+        "titleBar.inactiveForeground": "#e7e7e799",
+        "statusBar.background": "#d68100",
+        "statusBarItem.hoverBackground": "#c77700",
+        "statusBar.foreground": "#000000"
+    }
+}
--- a/19
+++ b/19
@ -1,19 +0,0 @@
-FROM ubuntu:21.04
-
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get install -y wait-for-it dnsutils rsync duplicity sshfs snapd lxd-client
-
-RUN mkdir /sovereign-stack
-COPY ./ /sovereign-stack
-WORKDIR /sovereign-stack
-
-RUN mkdir /site
-VOLUME /site
-ENV SITE_PATH=/site
-
-COPY ./entrypoint.sh /entrypoint.sh
-RUN chmod 0744 /entrypoint.sh
-
-
-
-CMD /entrypoint.sh
--- a/README.md
+++ b/README.md
@ -1,3 +1,3 @@
 # Documentation

-Please visit the [https://www.sovereign-stack.org](Sovereign Stack) website for documentation related to this repository.
+All documentation for this project can be found at [sovereign-stack.org](https://www.sovereign-stack.org). To get started with this code, check out [this post](https://www.sovereign-stack.org/get/).
--- a/backup_btcpay.sh
+++ b/backup_btcpay.sh
@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-# take the services down, create a backup archive, then pull it down.
-ssh "$FQDN" "cd $REMOTE_HOME/btcpayserver-docker/; sudo bash -c ./backup.sh"
-ssh "$FQDN" "sudo cp /var/lib/docker/volumes/backup_datadir/_data/backup.tar.gz $REMOTE_HOME/backups/btcpay.tar.gz"
-ssh "$FQDN" "sudo chown ubuntu:ubuntu $REMOTE_HOME/backups/btcpay.tar.gz"
-scp "$FQDN:$REMOTE_HOME/backups/btcpay.tar.gz" "$LOCAL_BACKUP_PATH/btcpay-$1.tar.gz"
--- a/backup_www.sh
+++ b/backup_www.sh
@ -1,24 +0,0 @@
-#!/bin/bash
-
-set -exu
-cd "$(dirname "$0")"
-
-# TODO: We are using extra space on the remote VPS at the moment for the duplicity backup files.
-# we could eliminate that and simply save duplicity backups to the management machine running the script
-# this could be done by using a local path and mounting it on the remote VPS.
-# maybe something like https://superuser.com/questions/616182/how-to-mount-local-directory-to-remote-like-sshfs
-
-# step 1: run duplicity on the remote system to backup all files to the remote system.
-ssh "$FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --exclude "$REMOTE_HOME/backups" "$REMOTE_HOME" "file://$REMOTE_BACKUP_PATH"
-ssh "$FQDN" sudo chown -R ubuntu:ubuntu "$REMOTE_BACKUP_PATH"
-
-# now let's pull down the latest files from the backup directory.
-# create a temp directory to serve as the mountpoint for the remote machine backups directory
-sshfs "$FQDN:$REMOTE_BACKUP_PATH" "$SSHFS_PATH"
-
-# rsync the files from the remote server to our local backup path.
-rsync -av "$SSHFS_PATH/" "$LOCAL_BACKUP_PATH/"
-
-# step 4: unmount the SSHFS filesystem and cleanup.
-umount "$SSHFS_PATH"
-rm -rf "$SSHFS_PATH"
--- a/certs/docker.gpg
+++ b/certs/docker.gpg
@ -0,0 +1,62 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
+lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
+38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
+L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
+UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
+cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
+ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
+vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
+G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
+XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
+q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
+tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
+BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
+v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
+tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
+jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
+6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
+XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
+FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
+g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
+ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
+9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
+G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
+FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
+EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
+M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
+Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
+w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
+z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
+eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
+VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
+1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
+zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
+pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
+ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
+BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
+1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
+YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
+mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
+KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
+JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
+cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
+6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
+U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
+VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
+irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
+SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
+QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
+9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
+24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
+dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
+Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
+H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
+/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
+M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
+xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
+jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
+YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
+=0YYh
+-----END PGP PUBLIC KEY BLOCK-----
--- a/clear_lxd_stack.sh
+++ b/clear_lxd_stack.sh
@ -1,11 +0,0 @@
-#!/bin/bash
-
-LXD_VM_NAME="www-sovereign-stack-org"
-
-lxc delete -f "$LXD_VM_NAME"
-
-lxc profile delete "$LXD_VM_NAME"
-
-lxc image delete "sovereign-stack-base" "ubuntu-21-04"
-
-#lxc storage delete default
--- a/command.sh
+++ b/command.sh
@ -1,3 +0,0 @@
-#!/bin/bash
-
-bash -c ./refresh.sh --domain=bitizen.store --hosting-provider=lxd --macvlan-interface=eno3 --storage-backend=/dev/sda 
--- a/defaults.sh
+++ b/defaults.sh
@ -1,138 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-export DEPLOY_WWW_SERVER=true
-export DEPLOY_BTCPPAY_SERVER=false
-
-# if true, then we deploy a VPS with Jitsi/Matrix
-export DEPLOY_GHOST=true
-export DEPLOY_MATRIX=false
-export DEPLOY_ONION_SITE=false
-export DEPLOY_NEXTCLOUD=false
-export DEPLOY_GITEA=false
-
-export WWW_HOSTNAME="www"
-export BTCPAY_HOSTNAME="btcpay"
-export NEXTCLOUD_HOSTNAME="nextcloud"
-export MATRIX_HOSTNAME="chat"
-export GITEA_HOSTNAME="git"
-
-export DDNS_PASSWORD=
-
-# this is where the html is sourced from.
-export SITE_HTML_PATH=
-
-# enter your AWS Access Key and Secret Access Key here.
-export AWS_ACCESS_KEY=
-export AWS_SECRET_ACCESS_KEY=
-
-# if overridden, the app will be deployed to proxy $BTCPAY_HOSTNAME.$DOMAIN_NAME requests to the URL specified.
-# this is useful when you want to oursource your BTCPAY fullnode/lightning node.
-#export BTCPAY_HANDLER_URL=
-
-
-export SMTP_SERVER="smtp.mailgun.org"
-export SMTP_PORT="587"
-
-# default AWS region and AMI (free-tier AMI ubuntu 20.10)
-export AWS_REGION="us-east-1"
-
-# AMI NAME:
-# ubuntu-minimal/images/hvm-ssd/ubuntu-hirsute-21.04-amd64-minimal-20211130-907a40d2-dca2-4750-b073-b3254c031ab6
-export AWS_AMI_ID="ami-080435381cbbb5b9b"
-WWW_INSTANCE_TYPE="t2.micro"
-BTCPAY_INSTANCE_TYPE="t2.medium"
-
-# goal will be to keep any particular instance to run AT OR BELOW t2.medium. 
-# other options are t2.small, micro, nano; micro is the free-tier eligible.
-# [1=vCPUs, 1=Mem(GiB)]
-# nano [1,0.5], micro [1,1] (free-tier eligible), small [1,2], medium [2,4], large [2,8], xlarge [4,16], 2xlarge [8,32]
-
-export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
-export BTCPAY_INSTANCE_TYPE="$BTCPAY_INSTANCE_TYPE"
-
-export SMTP_PASSWORD=
-export GHOST_MYSQL_PASSWORD=
-export GHOST_MYSQL_ROOT_PASSWORD=
-export NEXTCLOUD_MYSQL_PASSWORD=
-export GITEA_MYSQL_PASSWORD=
-export NEXTCLOUD_MYSQL_ROOT_PASSWORD=
-export GITEA_MYSQL_ROOT_PASSWORD=
-export DUPLICITY_BACKUP_PASSPHRASE=
-#opt-add-fireflyiii;opt-add-zammad
-export BTCPAYGEN_ADDITIONAL_FRAGMENTS="opt-save-storage;opt-add-btctransmuter;opt-add-configurator;"
-export SSH_HOME="$HOME/.ssh"
-export VLAN_INTERFACE=
-export CACHE_DIR="$HOME/cache"
-export VM_NAME=
-export DEV_MEMORY_MB="4096"
-export DEV_CPU_COUNT="4"
-export SSHFS_PATH="/tmp/sshfs_temp"
-
-export NEXTCLOUD_SPACE_GB=10
-
-# TODO add LXD check to ensure it's installed.
-DEV_LXD_REMOTE="$(lxc remote get-default)"
-export DEV_LXD_REMOTE="$DEV_LXD_REMOTE"
-
-export SITE_TITLE=
-
-# we use this later when we create a VM, we annotate what git commit (from a tag) we used.
-LATEST_GIT_TAG="$(git describe --abbrev=0)"
-export LATEST_GIT_TAG="$LATEST_GIT_TAG"
-
-LATEST_GIT_COMMIT="$(cat ./.git/refs/heads/master)"
-export LATEST_GIT_COMMIT="$LATEST_GIT_COMMIT"
-
-
-# let's ensure all the tools are installed
-if [ ! -f "$(which rsync)" ]; then
-    echo "ERROR: rsync is not installed. You may want to install your dependencies."
-    exit 1
-fi
-
-# shellcheck disable=1091
-export SITE_PATH="$HOME/.sites"
-export LXD_DISK_TO_USE=
-
-
-ENABLE_NGINX_CACHING=false
-
-
-
-# TODO
-# 1 add check for ~/.aws/credentials and stub one out
-# 2 ensure install.sh has been run by checking for tor, docker-machine, lxd, wait-for-it, etc.
-# 3 pretty much just run the install script if anything is awry
-# 4 maybe check to ensure all the CNAME and A+ records are there first so we can quit before machine creation.
-
-export SITE_PATH="$SITE_PATH/$DOMAIN_NAME"
-if [ ! -d "$SITE_PATH" ]; then
-    echo "ERROR: '$SITE_PATH' does not exist."
-    exit 1
-fi
-
-export SITE_PATH="$SITE_PATH"
-export BTC_CHAIN="$BTC_CHAIN"
-export DEPLOY_BTCPAY_SERVER=false
-
-# if we're running aws/public, we enable nginx caching since it's a public site.
-if [ "$VPS_HOSTING_TARGET" = aws ]; then
-    # TODO the correct behavior is to be =true, but cookies aren't working right now.
-    ENABLE_NGINX_CACHING=true
-fi
-
-DEFAULT_DB_IMAGE="mariadb:10.6.5"
-export ENABLE_NGINX_CACHING="$ENABLE_NGINX_CACHING"
-
-# run the docker stack.
-export GHOST_IMAGE="ghost:4.32.0"
-export GHOST_DB_IMAGE="$DEFAULT_DB_IMAGE"
-export NGINX_IMAGE="nginx:1.21.4"
-export NEXTCLOUD_IMAGE="nextcloud:23.0.0"
-export NEXTCLOUD_DB_IMAGE="$DEFAULT_DB_IMAGE"
-export MATRIX_IMAGE="matrixdotorg/synapse:v1.49.0"
-export MATRIX_DB_IMAGE="postgres:13.4"
-export GITEA_IMAGE="gitea/gitea:latest"
-export GITEA_DB_IMAGE="$DEFAULT_DB_IMAGE"
--- a/deployment/base.sh
+++ b/deployment/base.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+
+# The base VM image.
+export INCUS_UBUNTU_BASE_VERSION="jammy"
+export BASE_IMAGE_VM_NAME="ss-base-${INCUS_UBUNTU_BASE_VERSION//./-}"
+export BASE_INCUS_IMAGE="ubuntu/$INCUS_UBUNTU_BASE_VERSION/cloud"
+WEEK_NUMBER=$(date +%U)
+export UBUNTU_BASE_IMAGE_NAME="ss-ubuntu-${INCUS_UBUNTU_BASE_VERSION//./-}"
+export DOCKER_BASE_IMAGE_NAME="ss-docker-${INCUS_UBUNTU_BASE_VERSION//./-}-$WEEK_NUMBER"
--- a/deployment/create_base.sh
+++ b/deployment/create_base.sh
@ -0,0 +1,102 @@
+#!/bin/bash
+
+set -exu
+cd "$(dirname "$0")"
+
+. ./base.sh
+
+bash -c "./stub_profile.sh --incus-hostname=$BASE_IMAGE_VM_NAME"
+
+if incus list -q --project default | grep -q "$BASE_IMAGE_VM_NAME" ; then
+    incus delete -f "$BASE_IMAGE_VM_NAME" --project default
+fi
+
+# let's download our base image.
+if ! incus image list --format csv --columns l --project default | grep -q "$UBUNTU_BASE_IMAGE_NAME"; then
+    # copy the image down from canonical.
+    incus image copy "images:$BASE_INCUS_IMAGE" "$REMOTE_NAME": --alias "$UBUNTU_BASE_IMAGE_NAME" --public --vm --auto-update --target-project default
+fi
+
+# If the VM does exist, then we will delete it (so we can start fresh) 
+if incus list --format csv -q --project default | grep -q "$UBUNTU_BASE_IMAGE_NAME"; then
+    # if there's no snapshot, we dispense with the old image and try again.
+    if ! incus info "$BASE_IMAGE_VM_NAME"  --project default | grep -q "$UBUNTU_BASE_IMAGE_NAME"; then
+        incus delete "$BASE_IMAGE_VM_NAME" --force --project default
+        ssh-keygen -f "$SSH_HOME/known_hosts" -R "$BASE_IMAGE_VM_NAME"
+    fi
+else
+
+    if ! incus list --project default | grep -q "$BASE_IMAGE_VM_NAME"; then
+        # the base image is ubuntu:22.04.
+        script -q -c "incus init -q --profile=$BASE_IMAGE_VM_NAME $UBUNTU_BASE_IMAGE_NAME $BASE_IMAGE_VM_NAME --vm --project default" /dev/null
+    fi
+
+    if incus info "$BASE_IMAGE_VM_NAME" --project default | grep -q "Status: STOPPED"; then
+        # TODO move this sovereign-stack-base construction VM to separate dedicated IP
+        incus config set "$BASE_IMAGE_VM_NAME" --project default
+        incus start "$BASE_IMAGE_VM_NAME" --project default
+        sleep 15
+    fi
+
+    # for CHAIN in mainnet testnet; do
+    #     for DATA in blocks chainstate; do
+    #         incus storage volume attach ss-base "$CHAIN-$DATA" "$BASE_IMAGE_VM_NAME" "/home/ubuntu/bitcoin/$DATA"
+    #     done
+    # done
+
+    if incus info "$BASE_IMAGE_VM_NAME" --project default | grep -q "Status: RUNNING"; then
+
+        while incus exec "$BASE_IMAGE_VM_NAME" --project default -- [ ! -f /var/lib/cloud/instance/boot-finished ]; do
+            sleep 1
+        done
+
+        # ensure the ssh service is listening at localhost
+        incus exec "$BASE_IMAGE_VM_NAME" --project default -- wait-for-it -t 100 127.0.0.1:22
+
+        # # If we have any chaninstate or blocks in our SSME, let's push them to the
+        # # remote host as a zfs volume that way deployments can share a common history
+        # # of chainstate/blocks.
+        # for CHAIN in testnet mainnet; do
+        #     for DATA in blocks chainstate; do
+        #         # if the storage snapshot doesn't yet exist, create it.
+        #         if ! incus storage volume list ss-base -q --format csv -c n | grep -q "$CHAIN-$DATA/snap0"; then
+        #             DATA_PATH="/home/ubuntu/.ss/cache/bitcoin/$CHAIN/$DATA"
+        #             if [ -d "$DATA_PATH" ]; then
+        #                 COMPLETE_FILE_PATH="$DATA_PATH/complete"
+        #                 if incus exec "$BASE_IMAGE_VM_NAME" -- [ ! -f "$COMPLETE_FILE_PATH" ]; then
+        #                     incus file push --recursive --project default "$DATA_PATH/" "$BASE_IMAGE_VM_NAME""$DATA_PATH/"
+        #                     incus exec "$BASE_IMAGE_VM_NAME" -- su ubuntu - bash -c "echo $(date) > $COMPLETE_FILE_PATH"
+        #                     incus exec "$BASE_IMAGE_VM_NAME" -- chown -R 999:999 "$DATA_PATH/$DATA"
+        #                 else
+        #                     echo "INFO: it appears as though $CHAIN/$DATA has already been initialized. Continuing."
+        #                 fi
+        #             fi
+        #         fi
+        #     done
+        # done
+
+        # stop the VM and get a snapshot.
+        incus stop "$BASE_IMAGE_VM_NAME" --project default
+    fi
+    
+    incus snapshot create "$BASE_IMAGE_VM_NAME" "$UBUNTU_BASE_IMAGE_NAME" --project default
+
+fi
+
+echo "INFO: Publishing '$BASE_IMAGE_VM_NAME' as image '$DOCKER_BASE_IMAGE_NAME'. Please wait."
+incus publish -q --public "$BASE_IMAGE_VM_NAME/$UBUNTU_BASE_IMAGE_NAME" \
+                 --project default --alias="$DOCKER_BASE_IMAGE_NAME" \
+                 --compression none
+
+echo "INFO: Success creating the base image. Deleting artifacts from the build process."
+incus delete -f "$BASE_IMAGE_VM_NAME" --project default
+
+# # now let's get a snapshot of each of the blocks/chainstate directories.
+# for CHAIN in testnet mainnet; do
+#     for DATA in blocks chainstate; do
+#         if ! incus storage volume list ss-base -q --format csv -c n | grep -q "$CHAIN-$DATA/snap0"; then
+#             echo "INFO: Creating a snapshot 'ss-base/$CHAIN-$DATA/snap0'."
+#             incus storage volume snapshot ss-base --project default "$CHAIN-$DATA"
+#         fi
+#     done
+# done
--- a/deployment/deploy_vm.sh
+++ b/deployment/deploy_vm.sh
@ -0,0 +1,122 @@
+#!/bin/bash
+
+set -exu
+cd "$(dirname "$0")"
+
+. ./base.sh
+
+## This is a weird if clause since we need to LEFT-ALIGN the statement below.
+SSH_STRING="Host ${FQDN}"
+if ! grep -q "$SSH_STRING" "$SSH_HOME/config"; then
+
+########## BEGIN
+    cat >> "$SSH_HOME/config" <<-EOF
+
+${SSH_STRING}
+    HostName ${FQDN}
+    User ubuntu
+EOF
+###
+
+fi
+
+# if the machine doesn't exist, we create it.
+if ! incus list --format csv | grep -q "$INCUS_VM_NAME"; then
+
+    # create a base image if needed and instantiate a VM.
+    if [ -z "$MAC_ADDRESS_TO_PROVISION" ]; then
+        echo "ERROR: You MUST define a MAC Address for all your machines in your project definition."
+        echo "INFO: IMPORTANT! You MUST have DHCP Reservations for these MAC addresses. You also need records established the DNS."
+        exit 1
+    fi
+
+    # TODO ensure we are only GROWING the volume--never shrinking per zfs volume docs.
+    BACKUP_DISK_SIZE_GB=
+    SSDATA_DISK_SIZE_GB=
+    DOCKER_DISK_SIZE_GB=
+    if [ "$VIRTUAL_MACHINE" = www ]; then
+        if [ "$SKIP_WWW_SERVER" = true ]; then
+            exit 0
+        fi
+
+        BACKUP_DISK_SIZE_GB="$WWW_BACKUP_DISK_SIZE_GB"
+        SSDATA_DISK_SIZE_GB="$WWW_SSDATA_DISK_SIZE_GB"
+        DOCKER_DISK_SIZE_GB="$WWW_DOCKER_DISK_SIZE_GB"
+    fi
+
+    if [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
+        if [ "$SKIP_BTCPAY_SERVER" = true ]; then
+            exit 0
+        fi
+
+        BACKUP_DISK_SIZE_GB="$BTCPAYSERVER_BACKUP_DISK_SIZE_GB"
+        SSDATA_DISK_SIZE_GB="$BTCPAYSERVER_SSDATA_DISK_SIZE_GB"
+        DOCKER_DISK_SIZE_GB="$BTCPAYSERVER_DOCKER_DISK_SIZE_GB"
+    fi
+
+    SSDATA_VOLUME_NAME=
+    BACKUP_VOLUME_NAME=
+    if [ "$VIRTUAL_MACHINE" != lnplayserver ]; then
+        DOCKER_VOLUME_NAME="$VIRTUAL_MACHINE-docker"
+        if ! incus storage volume list ss-base | grep -q "$DOCKER_VOLUME_NAME"; then
+            incus storage volume create ss-base "$DOCKER_VOLUME_NAME" --type=block
+            incus storage volume set ss-base "$DOCKER_VOLUME_NAME" size="${DOCKER_DISK_SIZE_GB}GB"
+        fi
+
+        SSDATA_VOLUME_NAME="$VIRTUAL_MACHINE-ss-data"
+        if ! incus storage volume list ss-base | grep -q "$SSDATA_VOLUME_NAME"; then
+            incus storage volume create ss-base "$SSDATA_VOLUME_NAME" --type=filesystem
+            incus storage volume set ss-base "$SSDATA_VOLUME_NAME" size="${SSDATA_DISK_SIZE_GB}GB"
+        fi
+
+        BACKUP_VOLUME_NAME="$VIRTUAL_MACHINE-backup"
+        if ! incus storage volume list ss-base | grep -q "$BACKUP_VOLUME_NAME"; then
+            incus storage volume create ss-base "$BACKUP_VOLUME_NAME" --type=filesystem
+            incus storage volume set ss-base "$BACKUP_VOLUME_NAME" size="${BACKUP_DISK_SIZE_GB}GB"
+        fi
+
+    fi
+
+
+    bash -c "./stub_profile.sh --vm=$VIRTUAL_MACHINE --incus-hostname=$INCUS_VM_NAME --ss-volume-name=$SSDATA_VOLUME_NAME --backup-volume-name=$BACKUP_VOLUME_NAME"
+
+  INCUS_LNPLAYSERVER_IMAGE_NAME="lnplayserver-$DOMAIN_NAME"
+  if ! incus image list -q --format csv | grep -q "$INCUS_LNPLAYSERVER_IMAGE_NAME"; then
+        script -q -c "incus init -q $DOCKER_BASE_IMAGE_NAME $INCUS_VM_NAME --vm --profile=$INCUS_VM_NAME" /dev/null
+    elif [ "$VIRTUAL_MACHINE" = lnplayserver ]; then
+        script -q -c "incus init -q $INCUS_LNPLAYSERVER_IMAGE_NAME $INCUS_VM_NAME --vm --profile=$INCUS_VM_NAME" /dev/null
+    fi
+
+    # let's PIN the HW address for now so we don't exhaust IP
+    # and so we can set DNS internally.
+    incus config set "$INCUS_VM_NAME" "volatile.enp5s0.hwaddr=$MAC_ADDRESS_TO_PROVISION"
+
+    if [ "$VIRTUAL_MACHINE" != lnplayserver ]; then
+        # attack the docker block device.
+        incus storage volume attach ss-base "$DOCKER_VOLUME_NAME" "$INCUS_VM_NAME"
+    fi
+
+    # if [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
+    #     # attach any volumes
+    #     for CHAIN in testnet mainnet; do
+    #         for DATA in blocks chainstate; do
+    #             MOUNT_PATH="/$CHAIN-$DATA"
+    #             incus config device add "$INCUS_VM_NAME" "$CHAIN-$DATA" disk pool=ss-base source="$CHAIN-$DATA" path="$MOUNT_PATH"
+    #         done
+    #     done
+    # fi
+
+    incus start "$INCUS_VM_NAME"
+    sleep 15
+
+    bash -c "./wait_for_ip.sh --incus-name=$INCUS_VM_NAME"
+
+    # scan the remote machine and install it's identity in our SSH known_hosts file.
+    ssh-keyscan -H "$FQDN" >> "$SSH_HOME/known_hosts"
+
+    if [ "$VIRTUAL_MACHINE" != lnplayserver ]; then
+        ssh "$FQDN" "sudo chown ubuntu:ubuntu $REMOTE_DATA_PATH"
+        ssh "$FQDN" "sudo chown -R ubuntu:ubuntu $REMOTE_BACKUP_PATH"
+    fi
+
+fi
--- a/deployment/deployment_defaults.sh
+++ b/deployment/deployment_defaults.sh
@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -eu
+
+# file paths
+export SSH_HOME="$HOME/.ssh"
+export PASS_HOME="$HOME/.password-store" #TODO
+export SS_ROOT_PATH="$HOME/ss"
+export REMOTES_PATH="$SS_ROOT_PATH/remotes"
+export PROJECTS_PATH="$SS_ROOT_PATH/projects"
+export SITES_PATH="$SS_ROOT_PATH/sites"
+export INCUS_CONFIG_PATH="$SS_ROOT_PATH/incus"
+export SS_CACHE_PATH="$SS_ROOT_PATH/cache"
+
+export REMOTE_HOME="/home/ubuntu"
+export REMOTE_DATA_PATH="$REMOTE_HOME/ss-data"
+export REMOTE_DATA_PATH_LETSENCRYPT="$REMOTE_DATA_PATH/letsencrypt"
+export REMOTE_BACKUP_PATH="$REMOTE_HOME/backups"
+export BTCPAY_SERVER_APPPATH="$REMOTE_DATA_PATH/btcpayserver-docker"
+
+export BITCOIN_CHAIN=regtest
+
+# this space is for OS, docker images, etc
+# values here are fine for regtest generally. Later scripts adjust
+# these values based on testnet/mainnet
+export WWW_SSDATA_DISK_SIZE_GB=20
+export WWW_BACKUP_DISK_SIZE_GB=50
+export WWW_DOCKER_DISK_SIZE_GB=30
+
+export BTCPAYSERVER_SSDATA_DISK_SIZE_GB=20
+export BTCPAYSERVER_BACKUP_DISK_SIZE_GB=20
+export BTCPAYSERVER_DOCKER_DISK_SIZE_GB=30
+
+export WWW_HOSTNAME="www"
+export BTCPAY_SERVER_HOSTNAME="btcpayserver"
+export LNPLAY_SERVER_HOSTNAME="lnplayserver"
+export BTCPAY_HOSTNAME_IN_CERT="btcpay"
+export NEXTCLOUD_HOSTNAME="nextcloud"
+export GITEA_HOSTNAME="git"
+export NOSTR_HOSTNAME="relay"
+
+export REGISTRY_URL="https://index.docker.io/v1"
+
+export BTCPAY_SERVER_CPU_COUNT="4"
+export BTCPAY_SERVER_MEMORY_MB="4096"
+export WWW_SERVER_CPU_COUNT="4"
+export WWW_SERVER_MEMORY_MB="4096"
+export LNPLAY_SERVER_CPU_COUNT="4"
+export LNPLAY_SERVER_MEMORY_MB="4096"
+export DOCKER_IMAGE_CACHE_FQDN="registry-1.docker.io"
--- a/deployment/domain_list.sh
+++ b/deployment/domain_list.sh
@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -exu
+
+# the DOMAIN_LIST is a complete list of all our domains. We often iterate over this list.
+DOMAIN_LIST="${PRIMARY_DOMAIN}"
+if [ -n "$OTHER_SITES_LIST" ]; then
+    DOMAIN_LIST="${DOMAIN_LIST},${OTHER_SITES_LIST}"
+fi
+
+export DOMAIN_LIST="$DOMAIN_LIST"
+export DOMAIN_COUNT=$(("$(echo "$DOMAIN_LIST" | tr -cd , | wc -c)"+1))
+export OTHER_SITES_LIST="$OTHER_SITES_LIST"
+
+export PRIMARY_WWW_FQDN="$WWW_HOSTNAME.$PRIMARY_DOMAIN"
+export BTCPAY_SERVER_FQDN="$BTCPAY_SERVER_HOSTNAME.$PRIMARY_DOMAIN"
+export LNPLAY_SERVER_FQDN="$LNPLAY_SERVER_HOSTNAME.$PRIMARY_DOMAIN"
--- a/deployment/down.sh
+++ b/deployment/down.sh
@ -0,0 +1,137 @@
+#!/bin/bash
+
+# https://www.sovereign-stack.org/ss-down/
+
+set -exu
+cd "$(dirname "$0")"
+
+if incus remote get-default -q | grep -q "local"; then
+    echo "ERROR: you are on the local incus remote. Nothing to take down"
+    exit 1
+fi
+
+KEEP_ZFS_STORAGE_VOLUMES=true
+OTHER_SITES_LIST=
+SKIP_BTCPAY_SERVER=false
+SKIP_WWW_SERVER=false
+SKIP_LNPLAY_SERVER=false
+BACKUP_WWW_APPS=true
+
+WWW_SERVER_MAC_ADDRESS=
+BTCPAY_SERVER_MAC_ADDRESS=
+LNPLAY_SERVER_MAC_ADDRESS=
+
+# grab any modifications from the command line.
+for i in "$@"; do
+    case $i in
+        --purge)
+            KEEP_ZFS_STORAGE_VOLUMES=false
+            shift
+        ;;
+        --skip-btcpayserver)
+            SKIP_BTCPAY_SERVER=true
+            shift
+        ;;
+        --skip-wwwserver)
+            SKIP_WWW_SERVER=true
+            shift
+        ;;
+        --skip-lnplayserver)
+            SKIP_LNPLAY_SERVER=true
+            shift
+        ;;
+        *)
+        echo "Unexpected option: $1"
+        exit 1
+        ;;
+    esac
+done
+
+. ./deployment_defaults.sh
+
+. ./remote_env.sh
+
+. ./project_env.sh
+
+# let's bring down services on the remote deployment if necessary.
+export DOMAIN_NAME="$PRIMARY_DOMAIN"
+export SITE_PATH="$SITES_PATH/$PRIMARY_DOMAIN"
+
+source "$SITE_PATH/site.conf"
+source ./project/domain_env.sh
+
+source ./domain_list.sh
+
+
+SERVERS=
+if [ "$SKIP_WWW_SERVER" = false ] && [ -n "$WWW_SERVER_MAC_ADDRESS" ]; then
+    SERVERS="www $SERVERS"
+fi
+
+if [ "$SKIP_BTCPAY_SERVER" = false ] && [ -n "$BTCPAY_SERVER_MAC_ADDRESS" ]; then
+    SERVERS="$SERVERS btcpayserver"
+fi
+
+if [ "$SKIP_LNPLAY_SERVER" = false ] && [ -n "$LNPLAY_SERVER_MAC_ADDRESS" ]; then
+    SERVERS="$SERVERS lnplayserver"
+fi
+
+for VIRTUAL_MACHINE in $SERVERS; do
+
+    INCUS_VM_NAME="$VIRTUAL_MACHINE-${PRIMARY_DOMAIN//./-}"
+
+    if incus list | grep -q "$INCUS_VM_NAME"; then
+        bash -c "./stop.sh --server=$VIRTUAL_MACHINE"
+
+        incus stop "$INCUS_VM_NAME"
+
+        incus delete "$INCUS_VM_NAME"
+    fi
+
+    # remove the ssh known endpoint else we get warnings.
+    ssh-keygen -f "$SSH_HOME/known_hosts" -R "$VIRTUAL_MACHINE.$PRIMARY_DOMAIN" | exit
+
+    if incus profile list | grep -q "$INCUS_VM_NAME"; then
+        incus profile delete "$INCUS_VM_NAME"
+    fi
+
+    if [ "$KEEP_ZFS_STORAGE_VOLUMES" = false ]; then
+        # d for docker; b for backup; s for ss-data
+        for DATA in docker backup ss-data; do
+            VOLUME_NAME="$VIRTUAL_MACHINE-$DATA"
+            if incus storage volume list ss-base -q | grep -q "$VOLUME_NAME"; then
+                RESPONSE=
+                read -r -p "Are you sure you want to delete the '$VOLUME_NAME' volume intended for '$INCUS_VM_NAME'?": RESPONSE
+            
+                if [ "$RESPONSE" = "y" ]; then
+                    incus storage volume delete ss-base "$VOLUME_NAME"
+                fi
+            fi
+        done
+    fi
+done
+
+
+BACKUP_WWW_APPS=true
+echo "BACKUP_WWW_APPS: $BACKUP_WWW_APPS"
+
+
+echo "SERVERS: $SERVERS"
+echo "BACKUP_WWW_APPS: $BACKUP_WWW_APPS"
+
+
+# let's grab a snapshot of the 
+if [ "$BACKUP_WWW_APPS" = true ]; then
+    SNAPSHOT_ID=$(cat /dev/urandom | tr -dc 'a-aA-Z' | fold -w 6 | head -n 1)
+    incus storage volume snapshot create ss-base www-ss-data "$SNAPSHOT_ID"
+    BACKUP_LOCATION="$HOME/ss/backups"
+    mkdir -p "$BACKUP_LOCATION"
+    #incus storage volume export ss-base "www-ss-data" "$BACKUP_LOCATION/project-$(incus project list --format csv | grep "(current)" | awk '{print $1}')_www-ss-data_""$(date +%s)"".tar.gz"
+    #incus storage volume snapshot delete ss-base "www-ss-data" "$SNAPSHOT_ID"
+fi
+
+if [[ "$SERVERS" == *"www"* && "$SERVERS" == *"btcpay"* ]]; then
+    if incus network list -q | grep -q ss-ovn; then
+        incus network delete ss-ovn
+    fi
+fi
--- a/deployment/help.txt
+++ b/deployment/help.txt
@ -0,0 +1,15 @@
+
+You are in the Sovereign Stack Management Environment (SSME). From here, you can issue several commands:
+
+    ss-remote  - Take a remote SSH endpoint under management of Sovereign Stack.
+    ss-reset   - The opposite of ss-remote; de-provisions an existing remote.
+    ss-up      - Instantiate a deployment to your active project according to your
+                 various project.conf and site.conf files.
+    ss-down    - Reverses ss-up. Takes the active project down. Non-destructive of user data,
+                 unless you provide the --purge flag.
+    ss-update  - This is just ss-down then ss-up.
+    ss-show    - show the incus resources associated with the current remote.
+
+For more infomation about all these topics, consult the Sovereign Stack website starting with:
+
+  - https://www.sovereign-stack.org/tag/deployment-management/
--- a/deployment/project
+++ b/deployment/project
@ -0,0 +1 @@
+Subproject commit e8470d789a3811e2fe3f6818fd9a6fea859ba71c
--- a/deployment/project_env.sh
+++ b/deployment/project_env.sh
@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -eu
+
+PROJECT_NAME="$(incus info | grep "project:" | awk '{print $2}')"
+export PROJECT_NAME="$PROJECT_NAME"
+
+if [ "$PROJECT_NAME" = default ]; then
+    echo "ERROR: You are on the default project. Use 'incus project list' and 'incus project switch <project>'."
+    exit 1
+fi
+
+export PROJECT_PATH="$PROJECTS_PATH/$PROJECT_NAME"
+
+PROJECT_DEFINITION_PATH="$PROJECT_PATH/project.conf"
+
+if [ ! -f "$PROJECT_DEFINITION_PATH" ]; then
+    echo "ERROR: 'project.conf' not found $PROJECT_DEFINITION_PATH not found."
+    exit 1
+fi
+
+source "$PROJECT_DEFINITION_PATH"
+
+
+export PRIMARY_SITE_DEFINITION_PATH="$SITES_PATH/$PRIMARY_DOMAIN/site.conf"
+
+if [ -z "$PRIMARY_DOMAIN" ]; then
+    echo "ERROR: The PRIMARY_DOMAIN is not specified. Check your remote definition at '$PRIMARY_SITE_DEFINITION_PATH'."
+    exit 1
+fi
+
+SHASUM_OF_PRIMARY_DOMAIN="$(echo -n "$PRIMARY_DOMAIN" | sha256sum | awk '{print $1;}' )"
+export PRIMARY_DOMAIN_IDENTIFIER="${SHASUM_OF_PRIMARY_DOMAIN: -6}"
+
+
+# default values are already at regtest mode.
+if [ "$BITCOIN_CHAIN" = testnet ]; then
+
+    WWW_SSDATA_DISK_SIZE_GB=30
+    WWW_BACKUP_DISK_SIZE_GB=30
+    WWW_DOCKER_DISK_SIZE_GB=50
+
+    BTCPAYSERVER_SSDATA_DISK_SIZE_GB=30
+    BTCPAYSERVER_BACKUP_DISK_SIZE_GB=30
+    BTCPAYSERVER_DOCKER_DISK_SIZE_GB=100
+
+elif [ "$BITCOIN_CHAIN" = mainnet ]; then
+    
+    WWW_SSDATA_DISK_SIZE_GB=40
+    WWW_BACKUP_DISK_SIZE_GB=40
+    WWW_DOCKER_DISK_SIZE_GB=50
+
+    BTCPAYSERVER_SSDATA_DISK_SIZE_GB=30
+    BTCPAYSERVER_BACKUP_DISK_SIZE_GB=30
+    BTCPAYSERVER_DOCKER_DISK_SIZE_GB=300
+
+fi
+
+export WWW_SSDATA_DISK_SIZE_GB="$WWW_SSDATA_DISK_SIZE_GB"
+export WWW_BACKUP_DISK_SIZE_GB="$WWW_BACKUP_DISK_SIZE_GB"
+export WWW_DOCKER_DISK_SIZE_GB="$WWW_DOCKER_DISK_SIZE_GB"
+
+export BTCPAYSERVER_SSDATA_DISK_SIZE_GB="$BTCPAYSERVER_SSDATA_DISK_SIZE_GB"
+export BTCPAYSERVER_BACKUP_DISK_SIZE_GB="$BTCPAYSERVER_BACKUP_DISK_SIZE_GB"
+export BTCPAYSERVER_DOCKER_DISK_SIZE_GB="$BTCPAYSERVER_DOCKER_DISK_SIZE_GB"
--- a/deployment/remote.sh
+++ b/deployment/remote.sh
@ -0,0 +1,242 @@
+#!/bin/bash
+
+set -exu
+cd "$(dirname "$0")"
+
+# This script is meant to be executed on the management machine.
+# it reaches out to an SSH endpoint and provisions that machine
+# to use incus.
+
+DATA_PLANE_MACVLAN_INTERFACE=
+DISK_TO_USE=
+
+# override the remote name.
+REMOTE_NAME="${1:-}"
+if [ -z "$REMOTE_NAME" ]; then
+    echo "ERROR: The remote name was not provided. Syntax is: 'ss-remote <remote_name> <remote01.domain.tld>'"
+    echo "  for example: 'ss-remote development clusterhost00.domain.tld"
+    exit 1
+fi
+
+. ./deployment_defaults.sh
+
+. ./base.sh
+
+export REMOTE_PATH="$REMOTES_PATH/$REMOTE_NAME"
+REMOTE_DEFINITION="$REMOTE_PATH/remote.conf"
+export REMOTE_DEFINITION="$REMOTE_DEFINITION"
+
+mkdir -p "$REMOTE_PATH"
+if [ ! -f "$REMOTE_DEFINITION" ]; then
+    # stub out a remote.conf.
+    cat >"$REMOTE_DEFINITION" <<EOL
+# https://www.sovereign-stack.org/ss-remote
+
+# REGISTRY_URL=http://registry.domain.tld:5000
+
+EOL
+
+    chmod 0744 "$REMOTE_DEFINITION"
+    echo "We stubbed out a '$REMOTE_DEFINITION' file for you."
+    echo "Use this file to customize your remote deployment;"
+    echo "Check out 'https://www.sovereign-stack.org/ss-remote' for more information."
+    exit 1
+fi
+
+source "$REMOTE_DEFINITION"
+
+if ! incus remote list | grep -q "$REMOTE_NAME"; then
+    FQDN="${2:-}"
+
+    if [ -z "$FQDN" ]; then
+        echo "ERROR: You MUST provide the FQDN of the remote host."
+        exit
+    fi
+
+    shift
+
+    if [ -z "$FQDN" ]; then
+        echo "ERROR: The Fully Qualified Domain Name of the new remote member was not set."
+        exit 1
+    fi
+
+    # let's check to ensure we have SSH access to the specified host.
+    if ! wait-for-it -t 5 "$FQDN:22"; then
+        echo "ERROR: We can't get an SSH connection to '$FQDN:22'. Ensure you have the host set up correctly."
+        exit 1
+    fi
+
+    # grab any modifications from the command line.
+    for i in "$@"; do
+        case $i in
+            --data-plane-interface=*)
+                DATA_PLANE_MACVLAN_INTERFACE="${i#*=}"
+                shift
+            ;;
+            --disk=*)
+                DISK_TO_USE="${i#*=}"
+                shift
+            ;;
+            *)
+
+            ;;
+        esac
+    done
+
+    # first let's copy our ssh pubkey to the remote server so we don't have to login constantly.
+    ssh-copy-id -i "$HOME/.ssh/id_rsa.pub" "ubuntu@$FQDN"
+
+    if [ -z "$DISK_TO_USE" ]; then
+        if ! ssh "ubuntu@$FQDN" incus storage list -q | grep -q ss-base; then
+            echo "INFO: It looks like the DISK_TO_USE has not been set. Enter it now."
+            echo ""
+
+            ssh "ubuntu@$FQDN" lsblk --paths
+
+            echo "Please enter the disk or partition that Sovereign Stack will use to store data:  "
+            read -r DISK_TO_USE
+        fi
+    fi
+
+else
+    echo "ERROR: the remote already exists! You need to go delete your incus remote if you want to re-create your remote."
+    echo "       It's may also be helpful to reset/rename your remote path."
+    exit 1
+fi
+
+
+#ssh "ubuntu@$FQDN" 'sudo echo "ubuntu ALL=(ALL) NOPASSWD: /bin/su - a" >> /etc/sudoers'
+
+# if the disk is loop-based, then we assume the / path exists.
+if [ "$DISK_TO_USE" != loop ]; then
+    # ensure we actually have that disk/partition on the system.
+    if ! ssh "ubuntu@$FQDN" lsblk --paths | grep -q "$DISK_TO_USE"; then
+        echo "ERROR: We could not findthe disk you specified. Please run this command again and supply a different disk."
+        echo "NOTE: You can always specify on the command line by adding the '--disk=/dev/sdd', for example."
+        exit 1
+    fi
+fi
+
+if ! command -v incus >/dev/null 2>&1; then
+    if incus profile list --format csv | grep -q "$BASE_IMAGE_VM_NAME"; then
+        incus profile delete "$BASE_IMAGE_VM_NAME"
+        sleep 1
+    fi
+
+    if incus network list --format csv -q --project default | grep -q incusbr0; then
+        incus network delete incusbr0 --project default
+        sleep 1
+    fi
+
+
+    if incus network list --format csv -q project default | grep -q incusbr1; then
+        incus network delete incusbr1 --project default
+        sleep 1
+    fi
+
+fi
+
+# install dependencies.
+ssh -t "ubuntu@$FQDN" 'sudo apt update && sudo apt upgrade -y && sudo apt install htop dnsutils nano zfsutils-linux -y'
+
+REMOTE_SCRIPT_PATH="$REMOTE_HOME/install_incus.sh"
+scp ../install_incus.sh "ubuntu@$FQDN:$REMOTE_SCRIPT_PATH"
+ssh -t "ubuntu@$FQDN" "chmod +x $REMOTE_SCRIPT_PATH"
+ssh -t "ubuntu@$FQDN" "sudo bash -c $REMOTE_SCRIPT_PATH"
+ssh -t "ubuntu@$FQDN" "sudo adduser ubuntu incus-admin"
+
+# install OVN for the project-specific bridge networks
+ssh -t "ubuntu@$FQDN" "sudo apt-get install -y ovn-host ovn-central && sudo ovs-vsctl set open_vswitch . external_ids:ovn-remote=unix:/var/run/ovn/ovnsb_db.sock external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=127.0.0.1"
+
+# if the user did not specify the interface, we just use whatever is used for the default route.
+if [ -z "$DATA_PLANE_MACVLAN_INTERFACE" ]; then
+    DATA_PLANE_MACVLAN_INTERFACE="$(ssh ubuntu@"$FQDN" ip route | grep "default via" | awk '{print $5}')"
+fi
+
+export DATA_PLANE_MACVLAN_INTERFACE="$DATA_PLANE_MACVLAN_INTERFACE"
+
+MGMT_PLANE_IP="$(ssh ubuntu@"$FQDN" env | grep SSH_CONNECTION | cut -d " " -f 3)"
+IP_OF_MGMT_MACHINE="$(ssh ubuntu@"$FQDN" env | grep SSH_CLIENT | cut -d " " -f 1 )"
+IP_OF_MGMT_MACHINE="${IP_OF_MGMT_MACHINE#*=}"
+IP_OF_MGMT_MACHINE="$(echo "$IP_OF_MGMT_MACHINE" | cut -d: -f1)"
+
+# run incus admin init on the remote server.
+cat <<EOF | ssh ubuntu@"$FQDN" incus admin init --preseed
+config:
+  core.https_address: ${MGMT_PLANE_IP}:8443
+  core.dns_address: ${MGMT_PLANE_IP}
+  images.auto_update_interval: 15
+  
+networks:
+- name: incusbr0
+  description: "ss-config,${DATA_PLANE_MACVLAN_INTERFACE:-error}"
+  type: bridge
+  config:
+    ipv4.address: 10.9.9.1/24
+    ipv4.dhcp.ranges: 10.9.9.10-10.9.9.127
+    ipv4.nat: true
+    ipv6.address: none
+    dns.mode: managed
+- name: incusbr1
+  description: "Non-natting bridge needed for ovn networks."
+  type: bridge
+  config:
+    ipv4.address: 10.10.10.1/24
+    ipv4.dhcp.ranges: 10.10.10.10-10.10.10.63
+    ipv4.ovn.ranges: 10.10.10.64-10.10.10.254
+    ipv4.nat: false
+    ipv6.address: none
+profiles:
+- config: {}
+  description: "default profile for sovereign-stack instances."
+  devices:
+    root:
+      path: /
+      pool: ss-base
+      type: disk
+  name: default
+EOF
+
+ssh ubuntu@"$FQDN" incus project list -q >> /dev/null
+
+# ensure the incus service is available over the network, then add a incus remote, then switch the active remote to it.
+if wait-for-it -t 20 "$FQDN:8443"; then
+    # before we add the remote, we need a trust token from the incus server
+    INCUS_CERT_TRUST_TOKEN=$(ssh ubuntu@"$FQDN" incus config trust add ss-mgmt | tail -n 1)
+
+    # now create a remote on your local incus client and switch to it.
+    # the software will now target the new remote.
+    incus remote add "$REMOTE_NAME" "$FQDN" --auth-type=tls --accept-certificate --token="$INCUS_CERT_TRUST_TOKEN"
+    incus remote switch "$REMOTE_NAME"
+
+    echo "INFO: A new remote named '$REMOTE_NAME' has been created. Your incus client has been switched to it."
+else
+    echo "ERROR: Could not detect the incus endpoint. Something went wrong."
+    exit 1
+fi
+
+# create the default storage pool if necessary
+if ! incus storage list --format csv | grep -q ss-base; then
+
+    if [ "$DISK_TO_USE" != loop ]; then
+        # we omit putting a size here so, so incus will consume the entire disk if '/dev/sdb' or partition if '/dev/sdb1'.
+        # TODO do some sanity/resource checking on DISK_TO_USE. Impelment full-disk encryption?
+        incus storage create ss-base zfs source="$DISK_TO_USE"
+    else
+        # if a disk is the default 'loop', then we create a zfs storage pool 
+        # on top of the existing filesystem using a loop device, per incus docs
+        incus storage create ss-base zfs
+    fi
+
+    # # create the testnet/mainnet blocks/chainstate subvolumes.
+    # for CHAIN in mainnet testnet; do
+    #     for DATA in blocks chainstate; do
+    #         if ! incus storage volume list ss-base | grep -q "$CHAIN-$DATA"; then
+    #             incus storage volume create ss-base "$CHAIN-$DATA" --type=filesystem
+    #         fi
+    #     done
+    # done
+
+fi
+
+echo "INFO: completed remote.sh."
--- a/deployment/remote_env.sh
+++ b/deployment/remote_env.sh
@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -eu
+
+CURRENT_REMOTE="$(incus remote get-default)"
+DEPLOYMENT_STRING=
+
+SS_ROOT_PATH="$HOME/ss"
+REMOTES_PATH="$SS_ROOT_PATH/remotes"
+PROJECTS_PATH="$SS_ROOT_PATH/projects"
+SITES_PATH="$SS_ROOT_PATH/sites"
+INCUS_CONFIG_PATH="$SS_ROOT_PATH/incus"
+SS_CACHE_PATH="$SS_ROOT_PATH/cache"
+
+
+
+if echo "$CURRENT_REMOTE" | grep -q "prod"; then
+    echo "WARNING: You are running a migration procedure on a production system."
+    echo ""
+
+
+    RESPONSE=
+    read -r -p "         Are you sure you want to continue (y)  ": RESPONSE
+    if [ "$RESPONSE" != "y" ]; then
+        echo "STOPPING."
+        exit 1
+    fi
+
+    # check if there are any uncommited changes. It's dangerous to 
+    # alter production systems when you have commits to make or changes to stash.
+    if git update-index --refresh | grep -q "needs update"; then
+        echo "ERROR: You have uncommited changes! Better stash your work with 'git stash'."
+        exit 1
+    fi
+
+fi
+
+. ./deployment_defaults.sh
+
+export REMOTE_PATH="$REMOTES_PATH/$CURRENT_REMOTE"
+REMOTE_DEFINITION="$REMOTE_PATH/remote.conf"
+export REMOTE_DEFINITION="$REMOTE_DEFINITION"
+
+# ensure the remote definition exists.
+if [ ! -f "$REMOTE_DEFINITION" ]; then
+    echo "ERROR: The remote definition could not be found. You may need to run 'ss-remote'."
+    echo "INFO: Consult https://www.sovereign-stack.org/ss-remote for more information."
+    exit 1
+fi
+
+source "$REMOTE_DEFINITION"
+
--- a/deployment/reset.sh
+++ b/deployment/reset.sh
@ -0,0 +1,88 @@
+#!/bin/bash
+
+
+set -exu
+cd "$(dirname "$0")"
+
+echo "WARNING: THIS SCRIPT NEEDS WORK"
+exit 1
+
+PURGE_INCUS=false
+
+# grab any modifications from the command line.
+for i in "$@"; do
+    case $i in
+        --purge)
+            PURGE_INCUS=true
+            shift
+        ;;
+        *)
+        echo "Unexpected option: $1"
+        exit 1
+        ;;
+    esac
+done
+
+
+./down.sh
+
+# these only get initialzed upon creation, so we MUST delete here so they get recreated.
+if incus profile list | grep -q "$BASE_IMAGE_VM_NAME"; then
+    incus profile delete "$BASE_IMAGE_VM_NAME"
+fi
+
+if incus image list | grep -q "$BASE_IMAGE_VM_NAME"; then
+    incus image rm "$BASE_IMAGE_VM_NAME"
+fi
+
+if incus image list | grep -q "$DOCKER_BASE_IMAGE_NAME"; then
+    incus image rm "$DOCKER_BASE_IMAGE_NAME"
+fi
+
+CURRENT_PROJECT="$(incus info | grep "project:" | awk '{print $2}')"
+if ! incus info | grep -q "project: default"; then
+    incus project switch default
+    incus project delete "$CURRENT_PROJECT"
+fi
+
+
+if [ "$PURGE_INCUS" = true ]; then
+
+    if incus profile show default | grep -q "root:"; then
+        incus profile device remove default root
+    fi
+
+    if incus profile show default| grep -q "eth0:"; then
+        incus profile device remove default eth0
+    fi
+
+    if incus network list --format csv -q --project default | grep -q incusbr0; then
+        incus network delete incusbr0 --project default
+    fi
+
+    if incus network list --format csv -q --project default | grep -q incusbr1; then
+        incus network delete incusbr1 --project default
+    fi
+
+    # # create the testnet/mainnet blocks/chainstate subvolumes.
+    # for CHAIN in mainnet testnet; do
+    #     for DATA in blocks chainstate; do
+    #         if incus storage volume list ss-base | grep -q "$CHAIN-$DATA"; then
+    #             incus storage volume delete ss-base "$CHAIN-$DATA"
+    #         fi
+    #     done
+    # done
+
+    echo "WARNING: ss-basae NOT DELETED. NEED TO TEST THIS SCRIPT"
+    # if incus storage list --format csv | grep -q ss-base; then
+    #     incus storage delete ss-base
+    # fi
+
+    CURRENT_REMOTE="$(incus remote get-default)"
+    if ! incus remote get-default | grep -q "local"; then
+        incus remote switch local
+        incus remote remove "$CURRENT_REMOTE"
+
+        echo "INFO: The remote '$CURRENT_REMOTE' has been removed! You are now controlling your local instance."
+    fi
+fi
--- a/down_btcpay_compose.sh
+++ b/down_btcpay_compose.sh
@ -1,2 +1,4 @@
 #!/bin/bash

+set -exu
+
--- a/deployment/show.sh
+++ b/deployment/show.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+cd "$(dirname "$0")"
+
+. ./deployment_defaults.sh
+
+. ./remote_env.sh
+
+echo "Global Settings:"
+
+incus image list
+incus storage list
+
+
+echo
+echo
+
+PROJECT_NAME="$(incus info | grep "project:" | awk '{print $2}')"
+export export="$PROJECT_NAME"
+export PROJECT_PATH="$PROJECTS_PATH/$PROJECT_NAME"
+
+echo
+echo
+echo "Active project: $PROJECT_NAME"
+echo "----------------------------------------------------------"
+
+echo "  Networks:"
+incus network list
+
+echo
+echo "  Storage Volumes:"
+incus storage volume list ss-base
+
+echo
+echo "  Profiles:"
+incus profile list
+
+
+echo
+echo "  Instances (VMs):"
+incus list
--- a/deployment/stop.sh
+++ b/deployment/stop.sh
@ -0,0 +1,66 @@
+#!/bin/bash
+
+# https://www.sovereign-stack.org/ss-down/
+
+set -eu
+cd "$(dirname "$0")"
+
+if incus remote get-default -q | grep -q "local"; then
+    echo "ERROR: you are on the local incus remote. Nothing to take down"
+    exit 1
+fi
+
+SERVER_TO_STOP=
+OTHER_SITES_LIST=
+
+# grab any modifications from the command line.
+for i in "$@"; do
+    case $i in
+        --server=*)
+            SERVER_TO_STOP="${i#*=}"
+            shift
+        ;;
+        *)
+        echo "Unexpected option: $1"
+        exit 1
+        ;;
+    esac
+done
+
+if [ -z "$SERVER_TO_STOP" ]; then
+    echo "ERROR: you MUST specify a server to stop with '--server=www' for example."
+    exit 1
+fi
+
+
+. ./deployment_defaults.sh
+
+. ./remote_env.sh
+
+. ./project_env.sh
+
+# let's bring down services on the remote deployment if necessary.
+export DOMAIN_NAME="$PRIMARY_DOMAIN"
+export SITE_PATH="$SITES_PATH/$PRIMARY_DOMAIN"
+
+source "$SITE_PATH/site.conf"
+source ./project/domain_env.sh
+
+source ./domain_list.sh
+
+if [ "$SERVER_TO_STOP" = www ]; then
+    DOCKER_HOST="ssh://ubuntu@$PRIMARY_WWW_FQDN" ./project/www/stop_docker_stacks.sh
+fi
+
+if [ "$SERVER_TO_STOP" = btcpayserver ]; then
+    if wait-for-it -t 5 "$BTCPAY_SERVER_FQDN":22; then
+        ssh "$BTCPAY_SERVER_FQDN" "bash -c $BTCPAY_SERVER_APPPATH/btcpay-down.sh"
+    else
+        echo "ERROR: the remote BTCPAY Server is not available on ssh."
+        exit 1
+    fi
+fi
+
+if [ "$SERVER_TO_STOP" = lnplayserver ]; then
+    DOCKER_HOST="ssh://ubuntu@$LNPLAY_SERVER_FQDN" ./project/lnplay/down.sh
+fi
--- a/deployment/stub_profile.sh
+++ b/deployment/stub_profile.sh
@ -0,0 +1,338 @@
+#!/bin/bash
+
+set -exu
+cd "$(dirname "$0")"
+
+VIRTUAL_MACHINE=base
+INCUS_HOSTNAME=
+SSDATA_VOLUME_NAME=
+BACKUP_VOLUME_NAME=
+
+# grab any modifications from the command line.
+for i in "$@"; do
+    case $i in
+        --incus-hostname=*)
+            INCUS_HOSTNAME="${i#*=}"
+            shift
+        ;;
+        --vm=*)
+            VIRTUAL_MACHINE="${i#*=}"
+            shift
+        ;;
+        --ss-volume-name=*)
+            SSDATA_VOLUME_NAME="${i#*=}"
+            shift
+        ;;
+        --backup-volume-name=*)
+            BACKUP_VOLUME_NAME="${i#*=}"
+            shift
+        ;;
+        *)
+        echo "Unexpected option: $1"
+        exit 1
+        ;;
+    esac
+done
+
+# generate the custom cloud-init file. Cloud init installs and configures sshd
+SSH_AUTHORIZED_KEY=$(<"$SSH_PUBKEY_PATH")
+eval "$(ssh-agent -s)" > /dev/null
+ssh-add "$SSH_HOME/id_rsa" > /dev/null
+export SSH_AUTHORIZED_KEY="$SSH_AUTHORIZED_KEY"
+
+export FILENAME="$INCUS_HOSTNAME.yml"
+mkdir -p "$PROJECT_PATH/cloud-init"
+YAML_PATH="$PROJECT_PATH/cloud-init/$FILENAME"
+
+# If we are deploying the www, we attach the vm to the underlay via macvlan.
+cat > "$YAML_PATH" <<EOF
+config:
+EOF
+
+
+if [ "$VIRTUAL_MACHINE" = base ]; then
+    cat >> "$YAML_PATH" <<EOF
+  limits.cpu: 4
+  limits.memory: 4096MB
+
+EOF
+fi
+
+if [ "$VIRTUAL_MACHINE" = www ]; then
+    cat >> "$YAML_PATH" <<EOF
+  limits.cpu: "${WWW_SERVER_CPU_COUNT}"
+  limits.memory: "${WWW_SERVER_MEMORY_MB}MB"
+
+EOF
+fi
+
+if [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
+    cat >> "$YAML_PATH" <<EOF
+  limits.cpu: "${BTCPAY_SERVER_CPU_COUNT}"
+  limits.memory: "${BTCPAY_SERVER_MEMORY_MB}MB"
+
+EOF
+
+elif [ "$VIRTUAL_MACHINE" = lnplayserver ]; then
+    cat >> "$YAML_PATH" <<EOF
+  limits.cpu: "${LNPLAY_SERVER_CPU_COUNT}"
+  limits.memory: "${LNPLAY_SERVER_MEMORY_MB}MB"
+
+EOF
+
+fi
+
+# if VIRTUAL_MACHINE=base, then we doing the base image.
+if [ "$VIRTUAL_MACHINE" = base ]; then
+    # this is for the base image only...
+    cat >> "$YAML_PATH" <<EOF
+  user.vendor-data: |
+    #cloud-config
+    package_update: true
+    package_upgrade: false
+    package_reboot_if_required: false
+
+    preserve_hostname: false
+    fqdn: ${BASE_IMAGE_VM_NAME}
+
+    packages:
+      - curl
+      - ssh-askpass
+      - apt-transport-https
+      - ca-certificates
+      - gnupg-agent
+      - software-properties-common
+      - lsb-release
+      - net-tools
+      - htop
+      - rsync
+      - duplicity
+      - sshfs
+      - fswatch
+      - jq
+      - git
+      - nano
+      - wait-for-it
+      - dnsutils
+      - wget
+
+    groups:
+      - docker
+
+    users:
+      - name: ubuntu
+        groups: docker
+        shell: /bin/bash
+        lock_passwd: false
+        sudo: ALL=(ALL) NOPASSWD:ALL
+        ssh_authorized_keys:
+          - ${SSH_AUTHORIZED_KEY}
+
+EOF
+
+    if [ "$REGISTRY_URL" != "https://index.docker.io/v1" ]; then
+        cat >> "$YAML_PATH" <<EOF
+    write_files:
+      - path: /etc/docker/daemon.json
+        permissions: 0644
+        owner: root
+        content: |
+            {
+                "registry-mirrors": [
+                  "${REGISTRY_URL}"
+                ]
+            }
+
+
+EOF
+
+    fi
+
+fi
+
+if [ "$VIRTUAL_MACHINE" = base ]; then
+    cat >> "$YAML_PATH" <<EOF
+    runcmd:
+      - sudo mkdir -m 0755 -p /etc/apt/keyrings
+      - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+      - echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu jammy stable" | sudo tee /etc/apt/sources.list.d/docker.list
+      - sudo apt-get update
+      - sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+      - sudo DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server
+
+EOF
+
+fi
+
+if [ "$VIRTUAL_MACHINE" != base ]; then
+    # all other machines that are not the base image
+    cat >> "$YAML_PATH" <<EOF
+  user.vendor-data: |
+    #cloud-config
+    apt_mirror: http://us.archive.ubuntu.com/ubuntu/
+    package_update: false
+    package_upgrade: false
+    package_reboot_if_required: false
+
+    preserve_hostname: true
+    fqdn: ${FQDN}
+
+EOF
+fi
+
+if [ "$VIRTUAL_MACHINE" = www ] || [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
+    # all other machines that are not the base image
+    cat >> "$YAML_PATH" <<EOF
+    resize_rootfs: false
+    disk_setup:
+      /dev/sdb:
+        table_type: 'gpt'
+        layout: true
+        overwrite: false
+
+    fs_setup:
+      - label: docker-data
+        filesystem: 'ext4'
+        device: '/dev/sdb1'
+        overwrite: false
+
+    mounts:
+      - [ sdb, /var/lib/docker ]
+
+    mount_default_fields: [ None, None, "auto", "defaults,nofail", "0", "2" ]
+
+EOF
+fi
+
+if [ "$VIRTUAL_MACHINE" != base ]; then
+    cat >> "$YAML_PATH" <<EOF
+  user.network-config: |
+    version: 2
+    ethernets:
+      enp5s0:
+        dhcp4: true
+        dhcp4-overrides:
+          route-metric: 50
+        match:
+          macaddress: ${MAC_ADDRESS_TO_PROVISION}
+        set-name: enp5s0
+EOF
+fi
+
+# TODO try to get DHCP working reliably.
+if [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
+    cat >> "$YAML_PATH" <<EOF
+      enp6s0:
+        addresses:
+          - 10.10.10.66/24
+
+EOF
+fi
+
+if [ "$VIRTUAL_MACHINE" = www ]; then
+    cat >> "$YAML_PATH" <<EOF
+      enp6s0:
+        addresses:
+          - 10.10.10.65/24
+
+EOF
+fi
+
+# All profiles get a root disk and cloud-init config.
+cat >> "$YAML_PATH" <<EOF
+description: Default incus profile for ${FILENAME}
+devices:
+
+EOF
+
+if [ "$VIRTUAL_MACHINE" = lnplayserver ]; then
+    # All profiles get a root disk and cloud-init config.
+    cat >> "$YAML_PATH" <<EOF
+  root:
+    path: /
+    pool: ss-base
+    type: disk
+    size: 20GiB
+EOF
+else
+    # All profiles get a root disk and cloud-init config.
+    cat >> "$YAML_PATH" <<EOF
+  root:
+    path: /
+    pool: ss-base
+    type: disk
+EOF
+
+fi
+
+cat >> "$YAML_PATH" <<EOF
+  config:
+    source: cloud-init:config
+    type: disk
+EOF
+
+if [ "$VIRTUAL_MACHINE" = www ] || [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
+    cat >> "$YAML_PATH" <<EOF
+  ss-data:
+    path: ${REMOTE_DATA_PATH}
+    pool: ss-base
+    source: ${SSDATA_VOLUME_NAME}
+    type: disk
+  ss-backup:
+    path: ${REMOTE_BACKUP_PATH}
+    pool: ss-base
+    source: ${BACKUP_VOLUME_NAME}
+    type: disk
+EOF
+fi
+
+# Stub out the network piece for the base image.
+if [ "$VIRTUAL_MACHINE" = base ]; then
+    cat >> "$YAML_PATH" <<EOF
+  enp6s0:
+    name: enp6s0
+    network: incusbr0
+    type: nic
+name: ${FILENAME}
+EOF
+
+else
+
+    # all other vms attach to the network underlay
+    cat >> "$YAML_PATH" <<EOF
+  enp5s0:
+    nictype: macvlan
+    parent: ${DATA_PLANE_MACVLAN_INTERFACE}
+    type: nic
+EOF
+
+    if [ "$VIRTUAL_MACHINE" = www ] || [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
+        cat >> "$YAML_PATH" <<EOF
+  enp6s0:
+    name: enp6s0
+    network: ss-ovn
+    type: nic
+EOF
+    fi
+
+    cat >> "$YAML_PATH" <<EOF
+name: ${PRIMARY_DOMAIN}
+EOF
+
+fi
+
+if [ "$VIRTUAL_MACHINE" = base ]; then
+    if ! incus profile list --format csv --project default | grep -q "$INCUS_HOSTNAME"; then
+        incus profile create "$INCUS_HOSTNAME" --project default
+    fi
+
+    # configure the profile with our generated cloud-init.yml file.
+    incus profile edit "$INCUS_HOSTNAME" --project default < "$YAML_PATH"
+else
+    if ! incus profile list --format csv | grep -q "$INCUS_HOSTNAME"; then
+        incus profile create "$INCUS_HOSTNAME"
+    fi
+
+    # configure the profile with our generated cloud-init.yml file.
+    incus profile edit "$INCUS_HOSTNAME" < "$YAML_PATH"
+fi
--- a/deployment/up.sh
+++ b/deployment/up.sh
@ -0,0 +1,478 @@
+#!/bin/bash
+
+set -exu
+cd "$(dirname "$0")"
+
+# check to ensure dependencies are met.
+for cmd in wait-for-it dig rsync sshfs incus; do
+    if ! command -v "$cmd" >/dev/null 2>&1; then
+        echo "This script requires \"${cmd}\" to be installed. Please run 'install.sh'."
+        exit 1
+    fi
+done
+
+# do a spot check; if we are on production warn.
+if incus remote get-default | grep -q "production"; then
+    echo "WARNING: You are running command against a production system!"
+    echo ""
+
+    # check if there are any uncommited changes. It's dangerous to 
+    # alter production systems when you have commits to make or changes to stash.
+    if git update-index --refresh | grep -q "needs update"; then
+        echo "ERROR: You have uncommited changes! You MUST commit or stash all changes to continue."
+        exit 1
+    fi
+
+    RESPONSE=
+    read -r -p "         Are you sure you want to continue (y)  ": RESPONSE
+    if [ "$RESPONSE" != "y" ]; then
+        echo "STOPPING."
+        exit 1
+    fi
+
+fi
+
+OTHER_SITES_LIST=
+PRIMARY_DOMAIN=
+RUN_CERT_RENEWAL=true
+SKIP_BASE_IMAGE_CREATION=false
+RESTORE_WWW=false
+RESTORE_CERTS=false
+BACKUP_CERTS=true
+BACKUP_BTCPAY=true
+SKIP_BTCPAY_SERVER=false
+SKIP_WWW_SERVER=false
+SKIP_LNPLAY_SERVER=false
+BACKUP_BTCPAY_ARCHIVE_PATH= 
+RESTORE_BTCPAY=false
+UPDATE_BTCPAY=false
+REMOTE_NAME="$(incus remote get-default)"
+USER_SAYS_YES=false
+
+WWW_SERVER_MAC_ADDRESS=
+BTCPAY_SERVER_MAC_ADDRESS=
+LNPLAY_SERVER_MAC_ADDRESS=
+LNPLAY_ENV_PATH=
+LNPLAY_VM_EXPIRATION_DATE=
+LNPLAY_ORDER_ID=
+
+# grab any modifications from the command line.
+for i in "$@"; do
+    case $i in
+        --restore-certs)
+            RESTORE_CERTS=true
+            shift
+        ;;
+        --restore-wwwserver)
+            RESTORE_WWW=true
+            shift
+        ;;
+        --restore-btcpay)
+            RESTORE_BTCPAY=true
+            shift
+        ;;
+        --skip-btcpayserver)
+            SKIP_BTCPAY_SERVER=true
+            shift
+        ;;
+        --skip-wwwserver)
+            SKIP_WWW_SERVER=true
+            shift
+        ;;
+        --skip-lnplayserver)
+            SKIP_LNPLAY_SERVER=true
+            shift
+        ;;
+        --backup-btcpayserver)
+            BACKUP_BTCPAY=true
+            shift
+        ;;
+        --backup-archive-path=*)
+            BACKUP_BTCPAY_ARCHIVE_PATH="${i#*=}"
+            shift
+        ;;
+        --update-btcpay)
+            UPDATE_BTCPAY=true
+            shift
+        ;;
+        --skip-base-image)
+            SKIP_BASE_IMAGE_CREATION=true
+            shift
+        ;;
+        --no-cert-renew)
+            RUN_CERT_RENEWAL=false
+            shift
+        ;;
+        --lnplay-env-path=*)
+            LNPLAY_ENV_PATH="${i#*=}"
+            shift
+        ;;
+        --vm-expiration-date=*)
+            LNPLAY_VM_EXPIRATION_DATE="${i#*=}"
+            shift
+        ;;
+        --order-id=*)
+            LNPLAY_ORDER_ID="${i#*=}"
+            shift
+        ;;
+        -y)
+            USER_SAYS_YES=true
+            shift
+        ;;
+        *)
+        echo "Unexpected option: $1"
+        exit 1
+        ;;
+    esac
+done
+
+
+if [ "$RESTORE_BTCPAY" = true ] && [ -z "$BACKUP_BTCPAY_ARCHIVE_PATH" ]; then
+    echo "ERROR: Use the '--backup-archive-path=/path/to/btcpay/archive.tar.gz' option when restoring btcpay server."
+    exit 1
+fi
+
+if [ "$RESTORE_BTCPAY" = true ] && [ ! -f "$BACKUP_BTCPAY_ARCHIVE_PATH" ]; then
+    echo "ERROR: The backup archive path you specified DOES NOT exist!"
+    exit 1
+fi
+
+. ./remote_env.sh
+
+export REGISTRY_DOCKER_IMAGE="registry:2"
+export BACKUP_CERTS="$BACKUP_CERTS"
+export RESTORE_BTCPAY="$RESTORE_BTCPAY"
+export RESTORE_WWW="$RESTORE_WWW"
+export BACKUP_BTCPAY="$BACKUP_BTCPAY"
+export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
+export REMOTE_NAME="$REMOTE_NAME"
+export REMOTE_PATH="$REMOTES_PATH/$REMOTE_NAME"
+export USER_SAYS_YES="$USER_SAYS_YES"
+export BACKUP_BTCPAY_ARCHIVE_PATH="$BACKUP_BTCPAY_ARCHIVE_PATH"
+export RESTORE_CERTS="$RESTORE_CERTS"
+
+# todo convert this to Trezor-T
+SSH_PUBKEY_PATH="$SSH_HOME/id_rsa.pub"
+export SSH_PUBKEY_PATH="$SSH_PUBKEY_PATH"
+
+# ensure our remote path is created.
+mkdir -p "$REMOTE_PATH"
+
+REMOTE_DEFINITION="$REMOTE_PATH/remote.conf"
+if [ ! -f "$REMOTE_DEFINITION" ]; then
+    echo "ERROR: The remote definition could not be found. You may need to re-run 'ss-remote'."
+    exit 1
+fi
+
+export REMOTE_DEFINITION="$REMOTE_DEFINITION"
+source "$REMOTE_DEFINITION"
+
+
+# this is our password generation mechanism. Relying on GPG for secure password generation
+# TODO see if this is a secure way to do it.
+function new_pass {
+    gpg --gen-random --armor 1 25
+}
+
+function stub_site_definition {
+    mkdir -p "$SITE_PATH" "$PROJECT_PATH/sites"
+
+    # create a symlink from the PROJECT_PATH/sites/DOMAIN_NAME to the ss-sites/domain name
+    DOMAIN_SYMLINK_PATH="$PROJECT_PATH/sites/$DOMAIN_NAME"
+    if [ ! -L "$DOMAIN_SYMLINK_PATH" ]; then
+        ln -r -s "$SITE_PATH" "$DOMAIN_SYMLINK_PATH"
+    fi
+
+    if [ ! -f "$SITE_PATH/site.conf" ]; then
+        # check to see if the enf file exists. exist if not.
+        SITE_DEFINITION_PATH="$SITE_PATH/site.conf"
+        if [ ! -f "$SITE_DEFINITION_PATH" ]; then
+
+            # stub out a site.conf with new passwords.
+            cat >"$SITE_DEFINITION_PATH" <<EOL
+# https://www.sovereign-stack.org/ss-up/#siteconf
+
+DOMAIN_NAME="${DOMAIN_NAME}"
+# BTCPAY_ALT_NAMES="tip,store,pay,send"
+SITE_LANGUAGE_CODES="en"
+DUPLICITY_BACKUP_PASSPHRASE="$(new_pass)"
+DEPLOY_GHOST=true
+
+DEPLOY_NEXTCLOUD=false
+DEPLOY_NOSTR=false
+NOSTR_ACCOUNT_PUBKEY=
+DEPLOY_GITEA=false
+GHOST_MYSQL_PASSWORD="$(new_pass)"
+GHOST_MYSQL_ROOT_PASSWORD="$(new_pass)"
+NEXTCLOUD_MYSQL_PASSWORD="$(new_pass)"
+NEXTCLOUD_MYSQL_ROOT_PASSWORD="$(new_pass)"
+GITEA_MYSQL_PASSWORD="$(new_pass)"
+GITEA_MYSQL_ROOT_PASSWORD="$(new_pass)"
+
+
+#GHOST_DEPLOY_SMTP=true
+#MAILGUN_FROM_ADDRESS=false
+#MAILGUN_SMTP_USERNAME=
+#MAILGUN_SMTP_PASSWORD=
+
+EOL
+
+            chmod 0744 "$SITE_DEFINITION_PATH"
+            echo "INFO: we stubbed a new site.conf for you at '$SITE_DEFINITION_PATH'. Go update it!"
+            exit 1
+
+        fi
+    fi
+
+}
+
+PROJECT_NAME="$(incus info | grep "project:" | awk '{print $2}')"
+export PROJECT_NAME="$PROJECT_NAME"
+export PROJECT_PATH="$PROJECTS_PATH/$PROJECT_NAME"
+export SKIP_BTCPAY_SERVER="$SKIP_BTCPAY_SERVER"
+export SKIP_WWW_SERVER="$SKIP_WWW_SERVER"
+export SKIP_LNPLAY_SERVER="$SKIP_LNPLAY_SERVER"
+
+
+mkdir -p "$PROJECT_PATH" "$REMOTE_PATH/projects"
+
+# create a symlink from ./remotepath/projects/project
+PROJECT_SYMLINK="$REMOTE_PATH/projects/$PROJECT_NAME"
+if [ ! -L "$PROJECT_SYMLINK" ]; then
+    ln -r -s "$PROJECT_PATH" "$PROJECT_SYMLINK"
+fi
+
+# check to see if the enf file exists. exist if not.
+PROJECT_DEFINITION_PATH="$PROJECT_PATH/project.conf"
+if [ ! -f "$PROJECT_DEFINITION_PATH" ]; then
+
+        # stub out a project.conf
+    cat >"$PROJECT_DEFINITION_PATH" <<EOL
+# see https://www.sovereign-stack.org/ss-up/#projectconf for more info.
+
+PRIMARY_DOMAIN="domain0.tld"
+# OTHER_SITES_LIST="domain1.tld,domain2.tld,domain3.tld"
+
+WWW_SERVER_MAC_ADDRESS=
+# WWW_SSDATA_DISK_SIZE_GB=100
+# WWW_SERVER_CPU_COUNT="6"
+# WWW_SERVER_MEMORY_MB="4096"
+
+BTCPAY_SERVER_MAC_ADDRESS=
+# BTCPAY_SERVER_CPU_COUNT="4"
+# BTCPAY_SERVER_MEMORY_MB="4096"
+
+LNPLAY_SERVER_MAC_ADDRESS=
+# LNPLAY_SERVER_CPU_COUNT="4"
+# LNPLAY_SERVER_MEMORY_MB="4096"
+
+# BITCOIN_CHAIN=mainnet
+
+EOL
+
+    chmod 0744 "$PROJECT_DEFINITION_PATH"
+    echo "INFO: we stubbed a new project.conf for you at '$PROJECT_DEFINITION_PATH'. Go update it!"
+    echo "INFO: Learn more at https://www.sovereign-stack.org/ss-up/"
+
+    exit 1
+fi
+
+. ./project_env.sh
+
+if [ -z "$PRIMARY_DOMAIN" ]; then
+    echo "ERROR: The PRIMARY_DOMAIN is not specified. Check your project.conf."
+    exit 1
+fi
+
+source ./domain_list.sh
+
+# let's provision our primary domain first.
+export DOMAIN_NAME="$PRIMARY_DOMAIN"
+export PRIMARY_DOMAIN="$PRIMARY_DOMAIN"
+export BITCOIN_CHAIN="$BITCOIN_CHAIN"
+export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
+export PRIMARY_SITE_PATH="$SITES_PATH/$PRIMARY_DOMAIN"
+
+stub_site_definition
+
+# bring the VMs up under the primary domain name.
+
+export UPDATE_BTCPAY="$UPDATE_BTCPAY"
+
+# iterate over all our server endpoints and provision them if needed.
+# www
+VPS_HOSTNAME=
+
+. ./base.sh
+if ! incus image list --format csv | grep -q "$DOCKER_BASE_IMAGE_NAME"; then
+    # create the incus base image.
+    if [ "$SKIP_BASE_IMAGE_CREATION" = false ]; then
+        ./create_base.sh
+    fi
+fi
+
+
+VMS_TO_PROVISION=""
+if [ -n "$WWW_SERVER_MAC_ADDRESS" ] && [ "$SKIP_WWW_SERVER" = false ]; then
+    VMS_TO_PROVISION="www"
+fi
+
+if [ -n "$BTCPAY_SERVER_MAC_ADDRESS" ] && [ "$SKIP_BTCPAY_SERVER" = false ]; then
+    VMS_TO_PROVISION="$VMS_TO_PROVISION btcpayserver"
+fi
+
+if [ -n "$LNPLAY_SERVER_MAC_ADDRESS" ] || [ "$SKIP_LNPLAY_SERVER" = false ]; then
+    VMS_TO_PROVISION="$VMS_TO_PROVISION lnplayserver"
+fi
+
+for VIRTUAL_MACHINE in $VMS_TO_PROVISION; do
+
+    export VIRTUAL_MACHINE="$VIRTUAL_MACHINE"
+    FQDN=
+
+    export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
+
+    source "$SITE_PATH/site.conf"
+    source ./project/domain_env.sh
+
+    # VALIDATE THE INPUT from the ENVFILE
+    if [ -z "$DOMAIN_NAME" ]; then
+        echo "ERROR: DOMAIN_NAME not specified in your site.conf."
+        exit 1
+    fi
+
+    # Goal is to get the macvlan interface.
+    INCUS_SS_CONFIG_LINE=
+    if incus network list --format csv --project default | grep incusbr0 | grep -q "ss-config"; then
+        INCUS_SS_CONFIG_LINE="$(incus network list --format csv --project default | grep incusbr0 | grep ss-config)"
+    fi
+
+    if [ -z "$INCUS_SS_CONFIG_LINE" ]; then
+        echo "ERROR: the MACVLAN interface has not been specified. You may need to run 'ss-remote' again."
+        exit 1
+    fi
+
+    CONFIG_ITEMS="$(echo "$INCUS_SS_CONFIG_LINE" | awk -F'"' '{print $2}')"
+    DATA_PLANE_MACVLAN_INTERFACE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f2)"
+    export DATA_PLANE_MACVLAN_INTERFACE="$DATA_PLANE_MACVLAN_INTERFACE"
+
+
+    # Now let's switch to the new project to ensure new resources are created under the project scope.
+    if ! incus info | grep "project:" | grep -q "$PROJECT_NAME"; then
+        incus project switch "$PROJECT_NAME"
+    fi
+
+    # check if the OVN network exists in this project.
+    if ! incus network list | grep -q "ss-ovn"; then
+        incus network create ss-ovn --type=ovn network=incusbr1 ipv6.address=none
+    fi
+
+    export MAC_ADDRESS_TO_PROVISION=
+    export VPS_HOSTNAME="$VPS_HOSTNAME"
+    export FQDN="$VPS_HOSTNAME.$DOMAIN_NAME"
+
+    if [ "$VIRTUAL_MACHINE" = www ] && [ -n "$WWW_SERVER_MAC_ADDRESS" ]; then
+        FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
+        VPS_HOSTNAME="$WWW_HOSTNAME"
+        MAC_ADDRESS_TO_PROVISION="$WWW_SERVER_MAC_ADDRESS"
+
+    elif [ "$VIRTUAL_MACHINE" = btcpayserver ] && [ -n "$BTCPAY_SERVER_MAC_ADDRESS" ]; then
+        FQDN="$BTCPAY_SERVER_HOSTNAME.$DOMAIN_NAME"
+        VPS_HOSTNAME="$BTCPAY_SERVER_HOSTNAME"
+        MAC_ADDRESS_TO_PROVISION="$BTCPAY_SERVER_MAC_ADDRESS"
+    
+    elif [ "$VIRTUAL_MACHINE" = lnplayserver ] && [ -n "$LNPLAY_SERVER_MAC_ADDRESS" ]; then
+        FQDN="$LNPLAY_SERVER_HOSTNAME.$DOMAIN_NAME"
+        VPS_HOSTNAME="$LNPLAY_SERVER_HOSTNAME"
+        MAC_ADDRESS_TO_PROVISION="$LNPLAY_SERVER_MAC_ADDRESS"
+
+    elif [ "$VIRTUAL_MACHINE" = "$BASE_IMAGE_VM_NAME" ]; then
+        FQDN="$BASE_IMAGE_VM_NAME"
+    fi
+
+    export FQDN="$FQDN"
+    export INCUS_VM_NAME="${FQDN//./-}"
+    export MAC_ADDRESS_TO_PROVISION="$MAC_ADDRESS_TO_PROVISION"
+    export PROJECT_PATH="$PROJECT_PATH"
+
+    ./deploy_vm.sh
+
+done
+
+# let's stub out the rest of our site definitions, if any.
+for DOMAIN_NAME in ${OTHER_SITES_LIST//,/ }; do
+    export DOMAIN_NAME="$DOMAIN_NAME"
+    export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
+
+    # stub out the site_defition if it's doesn't exist.
+    stub_site_definition
+done
+
+if [ "$SKIP_BTCPAY_SERVER" = false ]; then
+    if [ -n "$BTCPAY_SERVER_MAC_ADDRESS" ]; then
+        export DOCKER_HOST="ssh://ubuntu@$BTCPAY_SERVER_FQDN"
+        ./project/btcpayserver/go.sh
+    fi
+fi
+
+if [ "$SKIP_WWW_SERVER" = false ]; then
+    # now let's run the www and btcpay-specific provisioning scripts.
+    if [ -n "$WWW_SERVER_MAC_ADDRESS" ]; then
+        export DOCKER_HOST="ssh://ubuntu@$WWW_FQDN"
+
+        # enable docker swarm mode so we can support docker stacks.
+        if docker info | grep -q "Swarm: inactive"; then
+            docker swarm init --advertise-addr enp6s0
+        fi
+
+        ./project/www/go.sh
+    fi
+fi
+
+# don't run lnplay stuff if user specifies --skip-lnplay
+if [ "$SKIP_LNPLAY_SERVER" = false ]; then
+    # now let's run the www and btcpay-specific provisioning scripts.
+    if [ -n "$LNPLAY_SERVER_MAC_ADDRESS" ]; then
+        export DOCKER_HOST="ssh://ubuntu@$LNPLAY_SERVER_FQDN"
+
+        LNPLAY_ENV_FILE="$PRIMARY_SITE_PATH/$LNPLAY_SERVER_FQDN/lnplay.conf"
+        if [ ! -f "$LNPLAY_ENV_FILE" ]; then
+            # and we have to set our environment file as well.
+            cat > "$LNPLAY_ENV_FILE" <<EOL
+DOCKER_HOST=ssh://ubuntu@${LNPLAY_SERVER_FQDN}
+BACKEND_FQDN=lnplay.${PRIMARY_DOMAIN}
+FRONTEND_FQDN=remote.${PRIMARY_DOMAIN}
+ENABLE_TLS=true
+BTC_CHAIN=${BITCOIN_CHAIN}
+CHANNEL_SETUP=none
+LNPLAY_SERVER_PATH=${SITES_PATH}/${PRIMARY_DOMAIN}/lnplayserver
+DEPLOY_PRISM_PLUGIN=true
+EOL
+
+        fi
+
+        INCUS_LNPLAYSERVER_IMAGE_NAME="lnplayserver-$DOMAIN_NAME"
+        if ! incus image list -q --format csv | grep -q "$INCUS_LNPLAYSERVER_IMAGE_NAME"; then
+
+            # do all the docker image creation steps, but don't run services.
+            bash -c "./project/lnplay/up.sh -y --no-services  --lnplay-conf-path=$LNPLAY_ENV_FILE"
+
+            # stop the instance so we can get an image yo
+            INCUS_VM_NAME="${LNPLAY_SERVER_FQDN//./-}"
+
+            incus stop "$INCUS_VM_NAME"
+
+            # create the incus image.
+            incus publish -q --public "$INCUS_VM_NAME" --alias="$INCUS_LNPLAYSERVER_IMAGE_NAME" --compression none
+
+            incus start "$INCUS_VM_NAME"
+            sleep 10
+
+            bash -c "./wait_for_ip.sh --incus-name=$INCUS_VM_NAME"
+            sleep 3
+        fi
+
+        # bring up lnplay services.
+        bash -c "./project/lnplay/up.sh -y --lnplay-conf-path=$LNPLAY_ENV_FILE"
+    fi
+fi
--- a/deployment/wait_for_ip.sh
+++ b/deployment/wait_for_ip.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+
+INCUS_INSTANCE_NAME=
+
+# grab any modifications from the command line.
+for i in "$@"; do
+    case $i in
+        --incus-name=*)
+            INCUS_INSTANCE_NAME="${i#*=}"
+            shift
+        ;;
+        *)
+        echo "Unexpected option: $1"
+        exit 1
+        ;;
+    esac
+done
+
+# if the invoker did not set the instance name, throw an error.
+if [ -z "$INCUS_INSTANCE_NAME" ]; then
+    echo "ERROR: The instance name was not specified. Use '--incus-name' when calling wait_for_ip.sh."
+    exit 1
+fi
+
+if ! incus list --format csv | grep -q "$INCUS_INSTANCE_NAME"; then
+    echo "ERROR: the instance '$INCUS_INSTANCE_NAME' does not exist."
+    exit 1
+fi
+
+IP_V4_ADDRESS=
+while true; do
+    IP_V4_ADDRESS="$(incus list "$INCUS_INSTANCE_NAME" --format csv --columns=4 | grep enp5s0 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')" || true
+    export IP_V4_ADDRESS="$IP_V4_ADDRESS"
+    if [ -n "$IP_V4_ADDRESS" ]; then
+        # give the machine extra time to spin up.
+        wait-for-it -t 300 "$IP_V4_ADDRESS:22"
+        break
+    else
+        sleep 1
+        printf '.'
+    fi
+done
+
+# wait for cloud-init to complet before returning.
+while incus exec "$INCUS_INSTANCE_NAME" -- [ ! -f /var/lib/cloud/instance/boot-finished ]; do
+    sleep 1
+done
+
+sleep 1
--- a/domain_init.sh
+++ b/domain_init.sh
@ -1,93 +0,0 @@
-#!/bin/bash
-
-set -exuo nounset
-cd "$(dirname "$0")"
-
-# let's make sure we have an ssh keypair. We just use ~/.ssh/id_rsa
-if [ ! -f "$SSH_HOME/id_rsa" ]; then
-    # generate a new SSH key for the base vm image.
-    ssh-keygen -f "$SSH_HOME/id_rsa" -t ecdsa -b 521 -N ""
-fi
-
-# if an authorized_keys file does not exist, we'll stub one out with the current user.
-# add additional id_rsa.pub entries manually for more administrative logins.
-if [ ! -f "$SITE_PATH/authorized_keys" ]; then
-    cat "$SSH_HOME/id_rsa.pub" >> "$SITE_PATH/authorized_keys"
-fi
-
-## This is a weird if clause since we need to LEFT-ALIGN the statement below.
-SSH_STRING="Host ${FQDN}"
-if ! grep -q "$SSH_STRING" "$SSH_HOME/config"; then
-
-########## BEGIN
-cat >> "$SSH_HOME/config" <<-EOF
-
-${SSH_STRING}
-    HostName ${FQDN}
-    User ubuntu
-EOF
-###
-
-fi
-
-# when set to true, this flag indicates that a new VPS was created during THIS script run.
-if [ "$VPS_HOSTING_TARGET" = aws ]; then
-    # let's create the remote VPS if needed.
-    if ! docker-machine ls -q --filter name="$FQDN" | grep -q "$FQDN"; then
-        RUN_BACKUP=false
-
-        ./provision_vps.sh
-
-        ./prepare_vps_host.sh
-    fi
-elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
-    ssh-keygen -f "$SSH_HOME/known_hosts" -R "$FQDN"
-
-    #check to ensure the MACVLAN interface has been set by the user
-    if [ -z "$DEV_MACVLAN_INTERFACE" ]; then
-        echo "ERROR: DEV_MACVLAN_INTERFACE has not been defined. Use '--macvlan-interface=eno1' for example."
-        exit 1
-    fi
-
-    # let's first check to ensure there's a cert.tar.gz. We need a valid cert for testing.
-    if [ ! -f "$SITE_PATH/certs.tar.gz" ]; then
-        echo "ERROR: We need a valid cert for testing. Please use the '--app=certonly' first."
-        exit
-    fi
-
-    # if the machine doesn't exist, we create it.
-    if ! lxc list --format csv | grep -q "$LXD_VM_NAME"; then
-        RUN_BACKUP=false
-
-        # create a base image if needed and instantiate a VM.
-        ./provision_lxc.sh
-    fi
-
-    # prepare the VPS to support our applications and backups and stuff.
-    ./prepare_vps_host.sh
-fi
-
-# clear 
-
-# this tells our local docker client to target the remote endpoint via SSH
-export DOCKER_HOST="ssh://ubuntu@$FQDN"    
-
-# the following scripts take responsibility for the rest of the provisioning depending on the app you're deploying.
-if [ "$APP_TO_DEPLOY" = www ]; then
-    ./go_www.sh
-elif [ "$APP_TO_DEPLOY" = btcpay ]; then
-    ./go_btcpay.sh
-elif [ "$APP_TO_DEPLOY" = certonly ]; then
-    # renew the certs; certbot takes care of seeing if we need to actually renew.
-    if [ "$RUN_CERT_RENEWAL" = true ]; then
-        ./generate_certs.sh
-    fi
-    
-    echo "INFO: Please run 'docker-machine rm -f $FQDN' to remove the remote VPS."
-    exit
-else
-    echo "ERROR: APP_TO_DEPLOY not set correctly. Please refer to the documentation for allowable values."
-    exit
-fi
-
-echo "Successfull deployed '$DOMAIN_NAME' with git commit '$(cat ./.git/refs/heads/master)' VPS_HOSTING_TARGET=$VPS_HOSTING_TARGET; Latest git tag is $LATEST_GIT_TAG" >> "$SITE_PATH/debug.log"
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,8 +0,0 @@
-#!/bin/bash
-
-if [ -z "$DOMAIN_NAME" ]; then
-    echo "ERROR: DOMAIN_NAME not defined.".
-    exit 1
-fi
-
-/sovereign-stack/refresh.sh --domain="$DOMAIN_NAME"
--- a/farscapian.gpg
+++ b/farscapian.gpg
@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mFIEAAAAABMIKoZIzj0DAQcCAwQ3hQeRT8HLyQEtKJ5C3dKilfWhSpqkPFtfuE0I
+i+MNLavAM7tL9gShij7tEcyZe0Iy2hc38TizSlQJciIdgtHUtCJEZXJlayBTbWl0
+aCA8ZGVyZWtAZmFyc2NhcGlhbi5jb20+iIAEExMIABwFAgAAAAACCwkCGwMEFQgJ
+CgQWAgMBAheAAh4BABYJELRD5TChThyQCxpUUkVaT1ItR1BHXMcA/2k4QtiV0eNQ
+299XW4Wvoac1Be6+WTPRIaC/PYnd0pR7AP4hi5ou6uyKtqkfhLtRQHN/9ny3MBEG
+whGxb/bCIzOdILhWBAAAAAASCCqGSM49AwEHAgMEI0VBpCTeIpfdH2UcWiSPYGAJ
+Z1Rsp0uKf6HzZnpGRAdCTNgCh+pVBibP0Cz0pNdM7IfHSfS+OP4/Lb1B5N9BSAMB
+CAeIbQQYEwgACQUCAAAAAAIbDAAWCRC0Q+UwoU4ckAsaVFJFWk9SLUdQRxM4AQCw
+m24svH13uNAebQurOloy/1qZgNdXANBQQ05oi1tEyAD/eGFFVdgs5L6Hpg/GJLvo
+X8bd1+1sa2d9TldbgfNfRA0=
+=vZGY
+-----END PGP PUBLIC KEY BLOCK-----
--- a/generate_certs.sh
+++ b/generate_certs.sh
@ -1,22 +0,0 @@
-#!/bin/bash
-
-set -exuo nounset
-cd "$(dirname "$0")"
-
-# let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
-docker pull certbot/certbot
-
-docker run -it --rm \
-    --name certbot \
-    -p 80:80 \
-    -p 443:443 \
-    -v /etc/letsencrypt:/etc/letsencrypt \
-    -v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/certbot \
-    certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$MATRIX_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
-
-# backup the certs to our SITE_PATH/certs.tar.gz so we have them handy (for local development)
-ssh "$FQDN" sudo tar -zcvf "$REMOTE_HOME/certs.tar.gz" -C /etc ./letsencrypt
-ssh "$FQDN" sudo chown ubuntu:ubuntu "$REMOTE_HOME/certs.tar.gz"
-
-# now pull the tarballs down the local machine.
-scp "$FQDN:$REMOTE_HOME/certs.tar.gz" "$SITE_PATH/certs.tar.gz"
--- a/1
+++ b/1
@ -1 +0,0 @@
-git
--- a/go_btcpay.sh
+++ b/go_btcpay.sh
@ -1,54 +0,0 @@
-#!/bin/bash
-
-set -exuo nounset
-cd "$(dirname "$0")"
-
-if [ "$RUN_BACKUP"  = true ]; then
-    ssh "$FQDN" "cd $REMOTE_HOME/btcpayserver-docker/; sudo bash -c ./btcpay-down.sh" 
-fi
-
-# we will re-run the btcpay provisioning scripts if directed to do so.
-# if an update does occur, we grab another backup.
-if [ "$UPDATE_BTCPAY" = true ]; then
-
-    if [ "$RUN_BACKUP"  = true ]; then
-        # grab a backup PRIOR to update
-        ./backup_btcpay.sh "before-update-$UNIX_BACKUP_TIMESTAMP"
-    fi
-
-    # run the update.
-    ssh "$FQDN" "cd $REMOTE_HOME/btcpayserver-docker/; sudo bash -c ./btcpay-update.sh" 
-
-else
-    if [ "$RUN_BACKUP"  = true ]; then
-        # we just grab a regular backup
-        ./backup_btcpay.sh "regular-backup-$UNIX_BACKUP_TIMESTAMP"
-    fi
-fi
-
-# run a restoration if specified.
-if [ "$RUN_RESTORE" = true ]; then
-    ssh "$FQDN" "cd $REMOTE_HOME/btcpayserver-docker/; sudo bash -c ./btcpay-down.sh" 
-    ./restore_btcpay.sh
-fi
-
-
-if [ "$RECONFIGURE_BTCPAY_SERVER"  = true ]; then
-    # re-run the setup script.
-    ./run_btcpay_setup.sh
-fi
-
-if [ "$MIGRATE_BTCPAY_SERVER" = false ]; then
-    # The default is to resume services, though admin may want to keep services off (eg., for a migration)
-    # we bring the services back up by default.
-    ssh "$FQDN" "cd $REMOTE_HOME/btcpayserver-docker/; sudo bash -c ./btcpay-up.sh"
-
-    # we wait for lightning to comone line too.
-    wait-for-it -t -60 "$FQDN:80"
-    wait-for-it -t -60 "$FQDN:443"
-
-    xdg-open "http://$FQDN"
-else
-    echo "WARNING: The '--migrate' flag was specified. BTCPay Server services HAVE NOT BEEN TURNED ON!"
-    echo "NOTE: You can restore your latest backup to a new host that has BTCPay Server installed."
-fi
--- a/go_www.sh
+++ b/go_www.sh
@ -1,136 +0,0 @@
-#!/bin/bash
-
-set -exuo nounset
-cd "$(dirname "$0")"
-
-TOR_CONFIG_PATH=
-
-ssh "$FQDN" mkdir -p "$REMOTE_HOME/ghost_site" "$REMOTE_HOME/ghost_db"
-
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-    ssh "$FQDN" mkdir -p "$REMOTE_NEXTCLOUD_PATH/db/data" \
-    ssh "$FQDN" mkdir -p "$REMOTE_NEXTCLOUD_PATH/db/logs" \
-    ssh "$FQDN" mkdir -p "$REMOTE_NEXTCLOUD_PATH/html"
-fi
-
-if [ "$DEPLOY_GITEA" = true ]; then
-    ssh "$FQDN" mkdir -p "$REMOTE_GITEA_PATH/data" "$REMOTE_GITEA_PATH/db"
-fi
-
-# enable docker swarm mode so we can support docker stacks.
-if ! docker info | grep -q "Swarm: active"; then
-    docker swarm init
-fi
-
-# stop services.
-if docker stack list --format "{{.Name}}" | grep -q webstack; then
-    docker stack rm webstack
-    sleep 10
-fi
-
-# this will generate letsencrypt certs and pull them down locally.
-if [ "$VPS_HOSTING_TARGET" != lxd ]; then
-    # really we should change this if clause to some thing like
-    # "if the perimeter firewall allows port 80/443, then go ahead."
-    if [ "$VPS_HOSTING_TARGET" = aws ] && [ "$RUN_CERT_RENEWAL" = true ]; then
-        ./generate_certs.sh
-    fi
-else
-    
-    # restore the certs. If they don't exist in a backup we restore from SITE_PATH
-    if [ -f "$SITE_PATH/certs.tar.gz" ]; then
-        scp "$SITE_PATH/certs.tar.gz" "ubuntu@$FQDN:$REMOTE_HOME/certs.tar.gz"
-        ssh "$FQDN" sudo tar -xvf "$REMOTE_HOME/certs.tar.gz" -C /etc
-    else
-        echo "ERROR: Certificates do not exist locally. You need to obtain some, perhaps by running with '--app=certonly'."
-        exit 1
-    fi
-fi
-
-
-if [ "$RUN_BACKUP"  = true ]; then
-    ./backup_www.sh
-fi
-
-if [ "$RUN_RESTORE" = true ]; then
-    ./restore_www.sh
-fi
-
-NEW_MATRIX_DEPLOYMENT=false
-if [ "$DEPLOY_MATRIX" = true ]; then
-    if ! ssh "$FQDN" "[ -d $REMOTE_HOME/matrix ]"; then
-        NEW_MATRIX_DEPLOYMENT=true
-        ssh "$FQDN" "mkdir $REMOTE_HOME/matrix && mkdir $REMOTE_HOME/matrix/db && mkdir $REMOTE_HOME/matrix/data"
-
-        docker run -it --rm -v "$REMOTE_HOME/matrix/data":/data \
-            -e SYNAPSE_SERVER_NAME="${DOMAIN_NAME}" \
-            -e SYNAPSE_REGISTRATION_SHARED_SECRET="${MATRIX_SHARED_SECRET}" \
-            -e SYNAPSE_REPORT_STATS=yes \
-            -e POSTGRES_PASSWORD="${MATRIX_DB_PASSWORD}" \
-            -e SYNAPSE_NO_TLS=1 \
-            -e SYNAPSE_ENABLE_REGISTRATION=yes \
-            -e SYNAPSE_LOG_LEVEL=DEBUG \
-            -e POSTGRES_DB=synapse \
-            -e POSTGRES_HOST=matrix-db \
-            -e POSTGRES_USER=synapse \
-            -e POSTGRES_PASSWORD="${MATRIX_DB_PASSWORD}" \
-            "$MATRIX_IMAGE" generate
-    fi
-fi
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-    # ensure the tor image is built
-    docker build -t tor:latest ./tor
-
-    # if the tor folder doesn't exist, we provision a new one. Otherwise you need to restore.
-    # this is how we generate a new torv3 endpoint.
-    if ! ssh "$FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
-        ssh "$FQDN" "mkdir -p $REMOTE_HOME/tor"
-        TOR_CONFIG_PATH="$(pwd)/tor/torrc-init"
-        export TOR_CONFIG_PATH="$TOR_CONFIG_PATH"
-        docker stack deploy -c ./tor.yml torstack
-        sleep 20
-        docker stack rm torstack
-        sleep 20
-    fi
-
-    ONION_ADDRESS="$(ssh "$FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
-    export ONION_ADDRESS="$ONION_ADDRESS"
-
-    # # Since we run a separate ghost process, we create a new directory and symlink it to the original
-    # if ! ssh "$FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
-    #     ssh "$FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
-    # fi
-fi
-
-if [ "$RUN_SERVICES" = true ]; then
-    docker stack deploy -c "$DOCKER_YAML_PATH" webstack
-
-    # start a browser session; point it to port 80 to ensure HTTPS redirect.
-    wait-for-it -t 320 "$DOMAIN_NAME:80"
-    wait-for-it -t 320 "$DOMAIN_NAME:443"
-
-    if [ "$DEPLOY_MATRIX" = true ]; then
-        # If this is a new Matrix deployment, then we should add the default admin user.
-        if [ $NEW_MATRIX_DEPLOYMENT = true ]; then
-            # get the container ID for matrix/synapse.
-            MATRIX_CONTAINER_ID="$(docker ps | grep matrixdotorg | awk '{print $1;}')"
-
-            # create the user.
-            docker exec -it "$MATRIX_CONTAINER_ID" register_new_matrix_user http://localhost:8008 -u "$ADMIN_ACCOUNT_USERNAME" -p "$MATRIX_ADMIN_PASSWORD" -a --config /data/homeserver.yaml
-        fi
-    fi
-
-    # open bowser tabs.
-    if [ "$DEPLOY_GHOST" = true ]; then
-        xdg-open "http://$FQDN"
-    fi
-
-    if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-        xdg-open "http://$NEXTCLOUD_FQDN"
-    fi
-
-    if [ "$DEPLOY_GITEA" = true ]; then
-        xdg-open "http://$GITEA_FQDN"
-    fi
-fi
--- a/install.sh
+++ b/install.sh
@ -1,30 +1,214 @@
 #!/bin/bash

-sudo apt-get update
+set -exu
+cd "$(dirname "$0")"

-sudo apt-get install -y wait-for-it dnsutils tor rsync sshfs
+# https://www.sovereign-stack.org/install/

-if [ ! -f $(which lxd) ]; then
-    sudo snap install lxd
+# this script is not meant to be executed from the SSME; Let's let's check and abort if so.
+if [ "$(hostname)" = ss-mgmt ]; then
+    echo "ERROR: This command is meant to be executed from the bare metal management machine -- not the SSME."
+    exit 1
 fi

-# let's ensure docker-machine is available.
-base="https://github.com/docker/machine/releases/download/v0.16.2"
-curl -L "$base/docker-machine-$(uname -s)-$(uname -m)" >/tmp/docker-machine
-sudo mv /tmp/docker-machine /usr/local/bin/docker-machine
-chmod +x /usr/local/bin/docker-machine
+# ensure the iptables forward policy is set to ACCEPT so your host can act as a router
+# Note this is necessary if docker is running (or has been previuosly installed) on the
+# same host running incus.
+sudo iptables -F FORWARD
+sudo iptables -P FORWARD ACCEPT

-# NOTE!!! DOCKER CLI MUST BE INSTALLED VIA instructions at https://docs.docker.com/engine/install/ubuntu/  DO NOT USE SNAP
-sudo apt-get remove docker docker-engine docker.io containerd runc
-sudo apt-get update
-sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
-echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-sudo apt-get update
-sudo apt-get install docker-ce-cli -y
+# run the incus install script.
+sudo bash -c ./install_incus.sh

-# install trezor requirements https://wiki.trezor.io/Apps:SSH_agent
-sudo apt update && sudo apt install python3-pip libusb-1.0-0-dev libudev-dev pinentry-curses
-pip3 install trezor_agent
+# run incus init
+cat <<EOF | sudo incus admin init --preseed
+config: {}
+networks:
+- config:
+    ipv4.address: auto
+    ipv4.dhcp: true
+    ipv6.address: none
+  description: "Default network bridge for ss-mgmt outbound network access."
+  name: incusbr0
+  type: bridge
+  project: default
+storage_pools:
+- config:
+    size: 30GiB
+  description: ""
+  name: sovereign-stack
+  driver: zfs
+profiles:
+- config: {}
+  description: "Default profile for ss-mgmt."
+  devices:
+    enp5s0:
+      name: enp5s0
+      network: incusbr0
+      type: nic
+    root:
+      path: /
+      pool: sovereign-stack
+      type: disk
+  name: default
+projects: []
+cluster: null

-sudo cp ./51-trezor.rules /etc/udev/rules.d/51-trezor.rules
+EOF
+
+
+. ./deployment/deployment_defaults.sh
+
+. ./deployment/base.sh
+
+
+# we need to get the base image. IMport it if it's cached, else download it then cache it.
+if ! incus image list | grep -q "$UBUNTU_BASE_IMAGE_NAME"; then
+        # if the image if cached locally, import it from disk, otherwise download it from ubuntu
+    IMAGE_PATH="$HOME/ss/cache/ss-ubuntu-jammy"
+    IMAGE_IDENTIFIER=$(find "$IMAGE_PATH" | grep ".qcow2" | head -n1 | cut -d "." -f1)
+    METADATA_FILE="$IMAGE_PATH/meta-$IMAGE_IDENTIFIER.tar.xz"
+    IMAGE_FILE="$IMAGE_PATH/$IMAGE_IDENTIFIER.qcow2"
+    if [ -d "$IMAGE_PATH" ] && [ -f "$METADATA_FILE" ] && [ -f "$IMAGE_FILE" ]; then
+        incus image import "$METADATA_FILE" "$IMAGE_FILE" --alias "$UBUNTU_BASE_IMAGE_NAME"
+    else
+        incus image copy "images:$BASE_INCUS_IMAGE" local: --alias "$UBUNTU_BASE_IMAGE_NAME" --vm --auto-update
+        mkdir -p "$IMAGE_PATH"
+        incus image export "$UBUNTU_BASE_IMAGE_NAME" "$IMAGE_PATH" --vm
+    fi
+fi
+
+# if the ss-mgmt doesn't exist, create it.
+SSH_PATH="$HOME/.ssh"
+SSH_PRIVKEY_PATH="$SSH_PATH/id_rsa"
+SSH_PUBKEY_PATH="$SSH_PRIVKEY_PATH.pub"
+
+if [ ! -f "$SSH_PRIVKEY_PATH" ]; then
+    ssh-keygen -f "$SSH_PRIVKEY_PATH" -t rsa -b 4096
+fi
+
+# add SSH_PUBKEY_PATH to authorized_keys
+grep -qxF "$(cat "$SSH_PUBKEY_PATH")" "$SSH_PATH/authorized_keys" || cat "$SSH_PUBKEY_PATH" >> "$SSH_PATH/authorized_keys"
+
+FROM_BUILT_IMAGE=false
+if ! incus list --format csv | grep -q ss-mgmt; then
+
+    # TODO check to see if there's an existing ss-mgmt image to spawn from, otherwise do this.
+    if incus image list | grep -q ss-mgmt; then
+        FROM_BUILT_IMAGE=true
+        incus init ss-mgmt ss-mgmt --vm -c limits.cpu=4 -c limits.memory=4GiB --profile=default
+    else
+        incus init "images:$BASE_INCUS_IMAGE" ss-mgmt --vm -c limits.cpu=4 -c limits.memory=4GiB --profile=default
+    fi
+
+fi
+
+# mount the pre-verified sovereign stack git repo into the new vm
+if ! incus config device show ss-mgmt | grep -q ss-code; then
+    incus config device add ss-mgmt ss-code disk source="$(pwd)" path=/home/ubuntu/sovereign-stack
+fi
+
+# create the ~/ss path and mount it into the vm.
+source ./deployment/deployment_defaults.sh
+source ./deployment/base.sh
+
+mkdir -p "$SS_ROOT_PATH"
+
+if ! incus config device show ss-mgmt | grep -q ss-root; then
+    incus config device add ss-mgmt ss-root disk source="$SS_ROOT_PATH" path=/home/ubuntu/ss
+fi
+
+# if a ~/.bitcoin/testnet3/blocks direrectory exists, mount it in.
+BITCOIN_DIR="$HOME/.bitcoin"
+REMOTE_BITCOIN_CACHE_PATH="/home/ubuntu/ss/cache/bitcoin"
+BITCOIN_TESTNET_BLOCKS_PATH="$BITCOIN_DIR/testnet3/blocks"
+if [ -d "$BITCOIN_TESTNET_BLOCKS_PATH" ]; then
+    if ! incus config device show ss-mgmt | grep -q ss-testnet-blocks; then
+        incus config device add ss-mgmt ss-testnet-blocks disk source="$BITCOIN_TESTNET_BLOCKS_PATH" path=$REMOTE_BITCOIN_CACHE_PATH/testnet/blocks
+    fi
+fi
+
+# if a ~/.bitcoin/testnet3/blocks direrectory exists, mount it in.
+BITCOIN_TESTNET_CHAINSTATE_PATH="$BITCOIN_DIR/testnet3/chainstate"
+if [ -d "$BITCOIN_TESTNET_CHAINSTATE_PATH" ]; then
+    if ! incus config device show ss-mgmt | grep -q ss-testnet-chainstate; then
+        incus config device add ss-mgmt ss-testnet-chainstate disk source="$BITCOIN_TESTNET_CHAINSTATE_PATH" path="$REMOTE_BITCOIN_CACHE_PATH/testnet/chainstate"
+    fi
+fi
+
+# if a ~/.bitcoin/blocks dir exists, mount it in.
+BITCOIN_MAINNET_BLOCKS_PATH="$BITCOIN_DIR/blocks"
+if [ -d "$BITCOIN_MAINNET_BLOCKS_PATH" ]; then
+    if ! incus config device show ss-mgmt | grep -q ss-mainnet-blocks; then
+        incus config device add ss-mgmt ss-mainnet-blocks disk source="$BITCOIN_MAINNET_BLOCKS_PATH" path="$REMOTE_BITCOIN_CACHE_PATH/mainnet/blocks"
+    fi
+fi
+
+    # if a ~/.bitcoin/testnet3/blocks direrectory exists, mount it in.
+BITCOIN_MAINNET_CHAINSTATE_PATH="$BITCOIN_DIR/chainstate"
+if [ -d "$BITCOIN_MAINNET_CHAINSTATE_PATH" ]; then
+    if ! incus config device show ss-mgmt | grep -q ss-mainnet-blocks; then
+        incus config device add ss-mgmt ss-mainnet-chainstate disk source="$BITCOIN_MAINNET_CHAINSTATE_PATH" path="$REMOTE_BITCOIN_CACHE_PATH/mainnet/chainstate"
+    fi
+fi
+
+# mount the ssh directory in there.
+if [ -f "$SSH_PUBKEY_PATH" ]; then
+    if ! incus config device show ss-mgmt | grep -q ss-ssh; then
+        incus config device add ss-mgmt ss-ssh disk source="$HOME/.ssh" path=/home/ubuntu/.ssh
+    fi
+fi
+
+# start the vm if it's not already running
+if incus list --format csv | grep -q "ss-mgmt,STOPPED"; then
+    incus start ss-mgmt
+    sleep 10
+fi
+
+# wait for the vm to have an IP address
+. ./management/wait_for_ip.sh
+
+# do some other preparations for user experience
+incus file push ./management/bash_aliases ss-mgmt/home/ubuntu/.bash_aliases
+incus file push ./management/bash_profile ss-mgmt/home/ubuntu/.bash_profile
+incus file push ./management/bashrc ss-mgmt/home/ubuntu/.bashrc
+incus file push ./management/motd ss-mgmt/etc/update-motd.d/sovereign-stack
+
+# install SSH
+incus exec ss-mgmt apt-get update
+incus exec ss-mgmt -- apt-get install -y openssh-server
+incus file push ./management/sshd_config ss-mgmt/etc/ssh/sshd_config
+incus exec ss-mgmt -- sudo systemctl restart sshd
+
+# add 'ss-manage' to the bare metal ~/.bashrc
+ADDED_COMMAND=false
+if ! < "$HOME/.bashrc" grep -q "ss-manage"; then
+    echo "alias ss-manage='$(pwd)/manage.sh \$@'" >> "$HOME/.bashrc"
+    ADDED_COMMAND=true
+fi
+
+# Let's remove any entry in our known_hosts, then add it back.
+# we are using IP address here so we don't have to rely on external DNS 
+# configuration for the base image preparataion.
+ssh-keygen -R "$IP_V4_ADDRESS"
+
+ssh-keyscan -H "$IP_V4_ADDRESS" >> "$SSH_HOME/known_hosts"
+
+ssh "ubuntu@$IP_V4_ADDRESS" sudo chown -R ubuntu:ubuntu /home/ubuntu
+
+if [ "$FROM_BUILT_IMAGE" = false ]; then
+    ssh "ubuntu@$IP_V4_ADDRESS" /home/ubuntu/sovereign-stack/management/provision.sh
+
+    incus stop ss-mgmt
+
+    if ! incus image list | grep -q "ss-mgmt"; then
+        echo "Publishing image. Please wait, this may take a while..."
+        incus publish ss-mgmt --alias=ss-mgmt
+    fi
+
+    incus start ss-mgmt
+fi
+
+if [ "$ADDED_COMMAND" = true ]; then
+    echo "NOTICE! You need to run 'source ~/.bashrc' before continuing. After that, type 'ss-manage' to enter your management environment."
+fi
--- a/install_incus.sh
+++ b/install_incus.sh
@ -0,0 +1,75 @@
+#!/bin/bash
+
+set -exu
+cd "$(dirname "$0")"
+
+if [ $UID -ne 0 ]; then
+    echo "ERROR: run with sudo."
+    exit 1
+fi
+
+# put the zabbly key in there.
+mkdir -p /etc/apt/keyrings/
+cat <<EOF > /etc/apt/keyrings/zabbly.asc
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGTlYcIBDACYQoVXVyQ6Y3Of14GwEaiv/RstQ8jWnH441OtvDbD/VVT8yF0P
+pUfypWjQS8aq0g32Qgb9H9+b8UAAKojA2W0szjJFlmmSq19YDMMmNC4AnfeZlKYM
+61Zonna7fPaXmlsTlSiUeo/PGvmAXrkFURC9S8FbhZdWEcUpf9vcKAoEzV8qGA4J
+xbKlj8EOjSkdq3OQ1hHjP8gynbbzMhZQwjbnWqoiPj35ed9EMn+0QcX+GmynGq6T
+hBXdRdeQjZC6rmXzNF2opCyxqx3BJ0C7hUtpHegmeoH34wnJHCqGYkEKFAjlRLoW
+tOzHY9J7OFvB6U7ENtnquj7lg2VQK+hti3uiHW+oide06QgjVw2irucCblQzphgo
+iX5QJs7tgFFDsA9Ee0DZP6cu83hNFdDcXEZBc9MT5Iu0Ijvj7Oeym3DJpkCuIWgk
+SeP56sp7333zrg73Ua7YZsZHRayAe/4YdNUua+90P4GD12TpTtJa4iRWRd7bis6m
+tSkKRj7kxyTsxpEAEQEAAbQmWmFiYmx5IEtlcm5lbCBCdWlsZHMgPGluZm9AemFi
+Ymx5LmNvbT6JAdQEEwEKAD4WIQRO/FkGlssVuHxzo62CzIeXyDjc/QUCZOVhwgIb
+AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCCzIeXyDjc/W05C/4n
+lGRTlyOETF2K8oWbjtan9wlttQ+pwymJCnP8T+JJDycGL8dPsGdG1ldHdorVZpFi
+1P+Bem9bbiW73TpbX+WuCfP1g3WN7AVa2mYRfSVhsLNeBAMRgWgNW9JYsmg99lmY
+aPsRYZdGu/PB+ffMIyWhjL3CKCbYS6lV5N5Mi4Lobyz/I1Euxpk2vJhhUqh786nJ
+pQpDnvEl1CRANS6JD9bIvEdfatlAhFlrz1TTf6R7SlppyYI7tme4I/G3dnnHWYSG
+cGRaLwpwobTq0UNSO71g7+at9eY8dh5nn2lZUvvxZvlbXoOoPxKUoeGVXqoq5F7S
+QcMVAogYtyNlnLnsUfSPw6YFRaQ5o00h30bR3hk+YmJ47AJCRY9GIc/IEdSnd/Z5
+Ea7CrP2Bo4zxPgcl8fe311FQRTRoWr19l5PXZgGjzy6siXTrYQi6GjLtqVB5SjJf
+rrIIy1vZRyDL96WPu6fS+XQMpjsSygj+DBFk8OAvHhQhMCXHgT4BMyg4D5GE0665
+AY0EZOVhwgEMAMIztf6WlRsweysb0tzktYE5E/GxIK1lwcD10Jzq3ovJJPa2Tg2t
+J6ZBmMQfwU4OYO8lJxlgm7t6MYh41ZZaRhySCtbJiAXqK08LP9Gc1iWLRvKuMzli
+NFSiFDFGT1D6kwucVfL/THxvZlQ559kK+LB4iXEKXz37r+MCX1K9uiv0wn63Vm0K
+gD3HDgfXWYJcNyXXfJBe3/T5AhuSBOQcpa7Ow5n8zJ+OYg3FFKWHDBTSSZHpbJFr
+ArMIGARz5/f+EVj9XGY4W/+ZJlxNh8FzrTLeRArmCWqKLPRG/KF36dTY7MDpOzlw
+vu7frv+cgiXHZ2NfPrkH8oOl4L+ufze5KBGcN0QwFDcuwCkv/7Ft9Ta7gVaIBsK7
+12oHInUJ6EkBovxpuaLlHlP8IfmZLZbbHzR2gR0e6IhLtrzd7urB+gXUtp6+wCL+
+kWD14TTJhSQ+SFU8ajvUah7/1m2bxdjZNp9pzOPGkr/jEjCM0CpZiCY62SeIJqVc
+4/ID9NYLAGmSIwARAQABiQG8BBgBCgAmFiEETvxZBpbLFbh8c6OtgsyHl8g43P0F
+AmTlYcICGwwFCQPCZwAACgkQgsyHl8g43P0wEgv+LuknyXHpYpiUcJOl9Q5yLokd
+o7tJwJ+9Fu7EDAfM7mPgyBj7Ad/v9RRP+JKWHqIYEjyrRnz9lmzciU+LT/CeoQu/
+MgpU8wRI4gVtLkX2238amrTKKlVjQUUNHf7cITivUs/8e5W21JfwvcSzu5z4Mxyw
+L6vMlBUAixtzZSXD6O7MO9uggHUZMt5gDSPXG2RcIgWm0Bd1yTHL7jZt67xBgZ4d
+hUoelMN2XIDLv4SY78jbHAqVN6CLLtWrz0f5YdaeYj8OT6Ohr/iJQdlfVaiY4ikp
+DzagLi0LvG9/GuB9eO6yLuojg45JEH8DC7NW5VbdUITxQe9NQ/j5kaRKTEq0fyZ+
+qsrryTyvXghxK8oMUcI10l8d41qXDDPCA40kruuspCZSAle3zdqpYqiu6bglrgWr
+Zr2Nm9ecm/kkqMIcyJ8e2mlkuufq5kVem0Oez+GIDegvwnK3HAqWQ9lzdWKvnLiE
+gNkvg3bqIwZ/WoHBnSwOwwAzwarJl/gn8OG6CIeP
+=8Uc6
+-----END PGP PUBLIC KEY BLOCK-----
+
+EOF
+
+sh -c 'cat <<EOF > /etc/apt/sources.list.d/zabbly-incus-stable.sources
+Enabled: yes
+Types: deb
+URIs: https://pkgs.zabbly.com/incus/stable
+Suites: $(. /etc/os-release && echo ${VERSION_CODENAME})
+Components: main
+Architectures: $(dpkg --print-architecture)
+Signed-By: /etc/apt/keyrings/zabbly.asc
+
+EOF'
+
+apt-get update
+
+# we || true this here because installing incus fails.
+# TODO see if this can be fixed by installing JUST the incus client.
+# none of the systemd/daemon stuff is needed necessarily.
+apt-get install incus -y
+
--- a/lxc_profile.yml
+++ b/lxc_profile.yml
@ -1,142 +0,0 @@
-config:
-  limits.cpu: "${DEV_CPU_COUNT}"
-  limits.memory: "${DEV_MEMORY_MB}MB"
-  user.vendor-data: |
-    #cloud-config
-
-    apt_mirror: http://us.archive.ubuntu.com/ubuntu/
-    package_update: true
-    package_upgrade: false
-    package_reboot_if_required: false
-
-    preserve_hostname: false
-    fqdn: ${FQDN}
-
-    packages:
-      - curl
-      - ssh-askpass
-      - apt-transport-https
-      - ca-certificates
-      - gnupg-agent
-      - software-properties-common
-      - lsb-release
-      - net-tools
-      - htop
-      - rsync
-      - duplicity
-      - sshfs
-
-    groups:
-      - docker
-
-    users:
-      - name: ubuntu
-        shell: /bin/bash
-        lock_passwd: false
-        groups: 
-          - docker
-        sudo: 
-          - ALL=(ALL) NOPASSWD:ALL
-        ssh_authorized_keys:
-          - ${SSH_AUTHORIZED_KEY}
-
-    write_files:
-      - path: ${REMOTE_HOME}/docker.asc
-        content: |
-              -----BEGIN PGP PUBLIC KEY BLOCK-----
-
-              mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
-              lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
-              38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
-              L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
-              UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
-              cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
-              ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
-              vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
-              G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
-              XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
-              q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
-              tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
-              BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
-              v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
-              tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
-              jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
-              6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
-              XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
-              FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
-              g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
-              ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
-              9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
-              G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
-              FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
-              EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
-              M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
-              Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
-              w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
-              z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
-              eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
-              VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
-              1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
-              zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
-              pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
-              ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
-              BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
-              1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
-              YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
-              mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
-              KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
-              JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
-              cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
-              6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
-              U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
-              VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
-              irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
-              SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
-              QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
-              9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
-              24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
-              dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
-              Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
-              H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
-              /nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
-              M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
-              xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
-              jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
-              YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
-              =0YYh
-              -----END PGP PUBLIC KEY BLOCK-----
-
-      - path: /etc/ssh/ssh_config
-        content: |
-          Port 22
-          ListenAddress 0.0.0.0
-          Protocol 2
-          ChallengeResponseAuthentication no
-          PasswordAuthentication no
-          UsePAM no
-          LogLevel INFO
-
-    runcmd:
-      - cat ${REMOTE_HOME}/docker.asc | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
-      - sudo rm ${REMOTE_HOME}/docker.asc
-      - echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
-      - sudo apt-get remove docker docker.io containerd runc
-      - sudo apt-get update
-      - sudo apt-get install -y docker-ce docker-ce-cli containerd.io
-      - echo "alias ll='ls -lah'" >> ${REMOTE_HOME}/.bash_profile
-      - sudo apt-get install -y openssh-server
-
-description: Default LXD profile for ${DOMAIN_NAME}
-devices:
-  root:
-    path: /
-    pool: default
-    type: disk
-  config:
-    source: cloud-init:config
-    type: disk
-  enp5s0:
-    nictype: macvlan
-    parent: ${DEV_MACVLAN_INTERFACE}
-    type: nic
-name: ${LXD_VM_NAME}
--- a/manage.sh
+++ b/manage.sh
@ -0,0 +1,39 @@
+#!/bin/bash
+
+# https://www.sovereign-stack.org/ss-manage/
+
+set -eu
+cd "$(dirname "$0")"
+
+# check to ensure dependencies are met.
+if ! command -v incus  >/dev/null 2>&1; then
+    echo "This script requires incus to be installed. Please run 'install.sh'."
+    exit 1
+fi
+
+if ! incus remote get-default | grep -q "local"; then
+    incus remote switch "local"
+fi
+
+if ! incus list -q --format csv | grep -q ss-mgmt; then
+    echo "ERROR: the 'ss-mgmt' VM does not exist. You may need to run install.sh"
+    exit 1
+fi
+
+# if the mgmt machine doesn't exist, then warn the user to perform ./install.sh
+if ! incus list --format csv | grep -q "ss-mgmt"; then
+    echo "ERROR: the management machine VM does not exist. You probably need to run './install.sh'."
+    echo "INFO: check out https://www.sovereign-stack.org/tag/code-lifecycle-management/ for more information."
+fi
+
+# if the machine does exist, let's make sure it's RUNNING.
+if incus list --format csv | grep -q "ss-mgmt,STOPPED"; then
+    echo "INFO: The SSME was in a STOPPED state. Starting the environment. Please wait."
+    incus start ss-mgmt
+    sleep 30
+fi
+
+. ./management/wait_for_ip.sh
+
+# let's ensure ~/.ssh/ssh_config is using the correct IP address for ss-mgmt.
+ssh ubuntu@"$IP_V4_ADDRESS"
--- a/management/51-trezor.rules
+++ b/management/51-trezor.rules
@ -7,10 +7,6 @@
 # put this into /usr/lib/udev/rules.d or /lib/udev/rules.d
 # depending on your distribution

-# Trezor
-SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
-KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"
-
 # Trezor v2
 SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
 SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
--- a/management/bash_aliases
+++ b/management/bash_aliases
@ -0,0 +1,12 @@
+#!/bin/bash
+alias ss-help='cat /home/ubuntu/sovereign-stack/deployment/help.txt'
+alias ss-show='/home/ubuntu/sovereign-stack/deployment/show.sh $@'
+alias ss-remote='/home/ubuntu/sovereign-stack/deployment/remote.sh $@'
+alias ss-up='/home/ubuntu/sovereign-stack/deployment/up.sh $@'
+alias ss-down='/home/ubuntu/sovereign-stack/deployment/down.sh $@'
+alias ss-reset='/home/ubuntu/sovereign-stack/deployment/reset.sh $@'
+alias ss-stop='/home/ubuntu/sovereign-stack/deployment/stop.sh $@'
+alias ss-start='/home/ubuntu/sovereign-stack/deployment/start.sh $@'
+alias ss-restore='/home/ubuntu/sovereign-stack/deployment/restore.sh $@'
+
+alias ll='ls -lah'
--- a/management/bash_profile
+++ b/management/bash_profile
@ -0,0 +1,6 @@
+#!/bin/bash
+
+# this wires up the aliases for remote ssh sessions.
+if [ -f ~/.bashrc ]; then
+  . ~/.bashrc
+fi
--- a/management/bashrc
+++ b/management/bashrc
@ -0,0 +1,117 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+case $- in
+    *i*) ;;
+      *) return;;
+esac
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=1000
+HISTFILESIZE=2000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color|*-256color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+#force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+        # We have color support; assume it's compliant with Ecma-48
+        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+        # a case would tend to support setf rather than setaf.)
+        color_prompt=yes
+    else
+        color_prompt=
+    fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+    ;;
+*)
+    ;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    alias ls='ls --color=auto'
+    #alias dir='dir --color=auto'
+    #alias vdir='vdir --color=auto'
+
+    alias grep='grep --color=auto'
+    alias fgrep='fgrep --color=auto'
+    alias egrep='egrep --color=auto'
+fi
+
+# colored GCC warnings and errors
+export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
+
+# some more ls aliases
+alias ll='ls -alF'
+alias la='ls -A'
+alias l='ls -CF'
+
+# Add an "alert" alias for long running commands.  Use like so:
+#   sleep 10; alert
+alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+    . ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if ! shopt -oq posix; then
+  if [ -f /usr/share/bash-completion/bash_completion ]; then
+    . /usr/share/bash-completion/bash_completion
+  elif [ -f /etc/bash_completion ]; then
+    . /etc/bash_completion
+  fi
+fi
--- a/management/motd
+++ b/management/motd
@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "Welcome to the management environment. Run 'ss-help' to get started."
+
--- a/management/provision.sh
+++ b/management/provision.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+cd "$(dirname "$0")"
+
+# NOTE! This script MUST be executed as root.
+sudo apt-get update
+sudo apt-get install -y ca-certificates curl gnupg lsb-release jq bc
+
+sudo mkdir -m 0755 -p /etc/apt/keyrings
+
+# add the docker gpg key to keyring for docker-ce-cli
+if [ ! -f /etc/apt/keyrings/docker.gpg ]; then
+    cat /home/ubuntu/sovereign-stack/certs/docker.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null 2>&1
+fi
+
+# TODO REVIEW mgmt software requirements
+sudo apt-get update
+sudo apt-get install -y wait-for-it dnsutils rsync sshfs apt-transport-https docker-ce-cli libcanberra-gtk-module nano git gridsite-clients
+
+sudo bash -c "$HOME/sovereign-stack/install_incus.sh"
+
+sudo incus admin init --minimal
+
+# add docker group
+if ! grep -q "^docker:" /etc/group; then
+    sudo groupadd docker
+fi
+
+# add incus-admin group
+if ! grep -q "^incus-admin:" /etc/group; then
+    sudo groupadd incus-admin
+fi
+
+if ! groups ubuntu | grep -q "\bdocker\b"; then
+    sudo usermod -aG docker ubuntu
+fi
+
+if ! groups ubuntu | grep -q "\bincus-admin\b"; then
+    sudo usermod -aG incus-admin ubuntu
+fi
--- a/management/sshd_config
+++ b/management/sshd_config
@ -0,0 +1,116 @@
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+#AddressFamily any
+ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+PrintMotd yes
--- a/management/wait_for_ip.sh
+++ b/management/wait_for_ip.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+IP_V4_ADDRESS=
+while true; do
+    # wait for 
+    if incus list ss-mgmt | grep -q enp5s0; then
+        break;
+    else
+        sleep 1
+    fi
+done
+
+while true; do
+    IP_V4_ADDRESS=$(incus list ss-mgmt --format csv --columns=4 | grep enp5s0 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
+    if [ -n "$IP_V4_ADDRESS" ]; then
+        # give the machine extra time to spin up.
+        break;
+    else
+        sleep 1
+        printf '.'
+    fi
+done
+
+
+export IP_V4_ADDRESS="$IP_V4_ADDRESS"
+
+# wait for the VM to complete its default cloud-init.
+while incus exec ss-mgmt -- [ ! -f /var/lib/cloud/instance/boot-finished ]; do
+    sleep 1
+done
--- a/prepare_vps_host.sh
+++ b/prepare_vps_host.sh
@ -1,16 +0,0 @@
-#!/bin/bash
-
-set -exu
-
-# scan the remote machine and install it's identity in our SSH known_hosts file.
-ssh-keyscan -H -t ecdsa "$FQDN" >> "$SSH_HOME/known_hosts"
-
-# create a directory to store backup archives. This is on all new vms.
-ssh "$FQDN" mkdir -p "$REMOTE_HOME/backups"
-
-if [ "$APP_TO_DEPLOY" = btcpay ]; then
-    echo "INFO: new machine detected. Provisioning BTCPay server scripts."
-
-    ./run_btcpay_setup.sh
-    exit
-fi
--- a/provision_lxc.sh
+++ b/provision_lxc.sh
@ -1,125 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-# check to ensure the admin has specified a MACVLAN interface
-if [ -z "$DEV_MACVLAN_INTERFACE" ]; then
-    echo "ERROR: DEV_MACVLAN_INTERFACE not defined in project."
-    exit 1
-fi
-
-# The base VM image.
-BASE_LXC_IMAGE="ubuntu/21.04/cloud"
-
-# let's create a profile for the BCM TYPE-1 VMs. This is per VM.
-if ! lxc profile list --format csv | grep -q "$LXD_VM_NAME"; then
-    lxc profile create "$LXD_VM_NAME"
-fi
-
-# generate the custom cloud-init file. Cloud init installs and configures sshd
-SSH_AUTHORIZED_KEY=$(<"$SSH_HOME/id_rsa.pub")
-eval "$(ssh-agent -s)"
-ssh-add "$SSH_HOME/id_rsa"
-export SSH_AUTHORIZED_KEY="$SSH_AUTHORIZED_KEY"
-envsubst < ./lxc_profile.yml > "$SITE_PATH/cloud-init.yml"
-
-# configure the profile with our generated cloud-init.yml file.
-cat "$SITE_PATH/cloud-init.yml" | lxc profile edit "$LXD_VM_NAME"
-
-wait_for_lxc_ip () {
-
-LXC_INSTANCE_NAME="$1"
-IP_V4_ADDRESS=
-while true; do
-    IP_V4_ADDRESS="$(lxc list "$LXC_INSTANCE_NAME" --format csv --columns=4 | grep enp5s0 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')" || true
-    if [ -n "$IP_V4_ADDRESS" ]; then
-        # give the machine extra time to spin up.
-        wait-for-it -t 300 "$IP_V4_ADDRESS:22"
-        break
-    else
-        sleep 1
-        printf '.'
-    fi
-done
-
-}
-
-
-# create the default storage pool if necessary
-if ! lxc storage list --format csv | grep -q default; then
-    if [ -n "$LXD_DISK_TO_USE" ]; then
-        lxc storage create default zfs source="$LXD_DISK_TO_USE" size="${ROOT_DISK_SIZE_GB}GB"
-    else
-        lxc storage create default zfs size="${ROOT_DISK_SIZE_GB}GB"
-    fi
-fi
-
-
-MAC_ADDRESS_TO_PROVISION="$DEV_WWW_MAC_ADDRESS"
-if [ "$APP_TO_DEPLOY" = btcpay ]; then
-    MAC_ADDRESS_TO_PROVISION="$DEV_BTCPAY_MAC_ADDRESS"
-fi
-
-# If our template doesn't exist, we create one.
-if ! lxc image list --format csv "$VM_NAME" | grep -q "$VM_NAME"; then
-    
-    # If the lxc VM does exist, then we will delete it (so we can start fresh) 
-    if lxc list -q --format csv | grep -q "$VM_NAME"; then
-        lxc delete "$VM_NAME" --force
-
-        # remove the ssh known endpoint else we get warnings.
-        ssh-keygen -f "$SSH_HOME/known_hosts" -R "$VM_NAME"
-    fi
-
-    # let's download our base image.
-    if ! lxc image list --format csv --columns l | grep -q "ubuntu-21-04"; then
-        # if the image doesn't exist, download it from Ubuntu's image server
-        # TODO see if we can fetch this file from a more censorship-resistant source, e.g., ipfs
-        # we don't really need to cache this locally since it gets continually updated upstream.
-        lxc image copy "images:$BASE_LXC_IMAGE" "$DEV_LXD_REMOTE": --alias "ubuntu-21-04" --public --vm
-    fi
-
-    lxc init \
-        --profile="$LXD_VM_NAME" \
-        "ubuntu-21-04" \
-        "$VM_NAME" --vm
-
-    # let's PIN the HW address for now so we don't exhaust IP
-    # and so we can set DNS internally.
-    lxc config set "$VM_NAME" "volatile.enp5s0.hwaddr=$MAC_ADDRESS_TO_PROVISION"
-
-    lxc start "$VM_NAME"
-
-    # let's wait a minimum of 15 seconds before we start checking for an IP address.
-    sleep 15
-
-    # let's wait for the LXC vm remote machine to get an IP address.
-    wait_for_lxc_ip "$VM_NAME"
-
-    # Let's remove any entry in our known_hosts, then add it back.
-    # we are using IP address here so we don't have to rely on external DNS 
-    # configuration for the base image preparataion.
-    ssh-keygen -R "$IP_V4_ADDRESS"
-    ssh-keyscan -H -t ecdsa "$IP_V4_ADDRESS" >> "$SSH_HOME/known_hosts"
-    ssh "ubuntu@$IP_V4_ADDRESS" sudo chown -R ubuntu:ubuntu "$REMOTE_HOME"
-    
-    # stop the VM and get a snapshot.
-    lxc stop "$VM_NAME"
-    lxc publish "$DEV_LXD_REMOTE:$VM_NAME" --alias "$VM_NAME" --public
-    lxc delete "$VM_NAME"
-fi
-
-# now let's create a new VM to work with.
-lxc init --profile="$LXD_VM_NAME" "$VM_NAME" "$LXD_VM_NAME" --vm
-
-# let's PIN the HW address for now so we don't exhaust IP
-# and so we can set DNS internally.
-lxc config set "$LXD_VM_NAME" "volatile.enp5s0.hwaddr=$MAC_ADDRESS_TO_PROVISION"
-lxc config device override "$LXD_VM_NAME" root size="${ROOT_DISK_SIZE_GB}GB"
-
-lxc start "$LXD_VM_NAME"
-
-wait_for_lxc_ip "$LXD_VM_NAME"
-
-# remove any existing SSH identities for the host, then add it back.
-ssh-keygen -R "$IP_V4_ADDRESS"
--- a/provision_vps.sh
+++ b/provision_vps.sh
@ -1,93 +0,0 @@
-#!/bin/bash
-
-set -euo nounset
-cd "$(dirname "$0")"
-
-
-
-if [ ! -f "$HOME/.aws/credentials" ]; then
-
-    # TODO write a credential file baseline
-    echo "ERROR: Please update your '$HOME/.aws/credentials' file before continuing."
-    mkdir -p "$HOME/.aws"
-    touch "$HOME/.aws/credentials"
-
-    # stub out a site_definition with new passwords.
-    cat >"$HOME/.aws/credentials" <<EOL
-#!/bin/bash
-
-# enter your AWS Access Key and Secret Access Key here.
-export AWS_ACCESS_KEY=
-export AWS_SECRET_ACCESS_KEY=
-
-EOL
-
-    exit 1
-fi
-
-source "$HOME/.aws/credentials"
-
-if [ -z "$AWS_ACCESS_KEY" ]; then
-    echo "ERROR: AWS_ACCESS_KEY is not set."
-    exit 1
-fi
-
-if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
-    echo "ERROR: AWS_SECRET_ACCESS_KEY is not set."
-    exit 1
-fi
-
-# ports: All ports go to nginx; 8448 directs to the matrix federation servoce.
-
-# Note, we assume the script has already made sure the machine doesn't exist.
-if [ "$APP_TO_DEPLOY" = www ] || [ "$APP_TO_DEPLOY" = certonly ]; then
-    # creates a public VM in AWS and provisions the bcm website.
-    docker-machine create --driver amazonec2 \
-        --amazonec2-open-port 80 \
-        --amazonec2-open-port 443 \
-        --amazonec2-open-port 8448 \
-        --amazonec2-access-key "$AWS_ACCESS_KEY" \
-        --amazonec2-secret-key "$AWS_SECRET_ACCESS_KEY" \
-        --amazonec2-region "$AWS_REGION" \
-        --amazonec2-ami "$AWS_AMI_ID" \
-        --amazonec2-root-size "$ROOT_DISK_SIZE_GB" \
-        --amazonec2-instance-type "$WWW_INSTANCE_TYPE" \
-        --engine-label tag="$LATEST_GIT_TAG" \
-        --engine-label commit="$LATEST_GIT_COMMIT" \
-        "$FQDN"
-        
-elif [ "$APP_TO_DEPLOY" = btcpay ]; then
-    # creates a public VM in AWS and provisions the bcm website.
-    docker-machine create --driver amazonec2 \
-        --amazonec2-open-port 80 \
-        --amazonec2-open-port 443 \
-        --amazonec2-open-port 9735 \
-        --amazonec2-access-key "$AWS_ACCESS_KEY" \
-        --amazonec2-secret-key "$AWS_SECRET_ACCESS_KEY" \
-        --amazonec2-region "$AWS_REGION" \
-        --amazonec2-ami "$AWS_AMI_ID" \
-        --amazonec2-root-size "$ROOT_DISK_SIZE_GB" \
-        --amazonec2-instance-type "$BTCPAY_INSTANCE_TYPE" \
-        --engine-label tag="$LATEST_GIT_TAG" \
-        --engine-label commit="$LATEST_GIT_COMMIT" \
-        "$FQDN"
-
-fi
-
-docker-machine scp "$SITE_PATH/authorized_keys" "$FQDN:$REMOTE_HOME/authorized_keys"
-docker-machine ssh "$FQDN" "cat $REMOTE_HOME/authorized_keys >> $REMOTE_HOME/.ssh/authorized_keys"
-
-# we have to ensure ubuntu is able to do sudo less docker commands.
-docker-machine ssh "$FQDN" sudo usermod -aG docker ubuntu
-
-# we restart so dockerd starts with fresh group membership.
-docker-machine ssh "$FQDN" sudo systemctl restart docker
-
-# TODO INSTALL DOCKER COMPOSE
-
-# let's wire up the DNS so subsequent ssh commands resolve to the VPS.
-./run_ddns.sh
-
-# remove the SSH hostname from known_hosts as we'll
-# todo why do we need this again?
-ssh-keygen -f "$SSH_HOME/known_hosts" -R "$FQDN"
--- a/publish_tag.sh
+++ b/publish_tag.sh
@ -1,14 +0,0 @@
-#!/bin/bash
-
-# this script will tag the repo then push it to origin
-TAG_NAME=v0.0.18
-COMIT_MESSAGE="Creating commit on $(date)."
-TAG_MESSAGE="Creating tag $TAG_NAME on $(date)."
-
-# create a git commit with staged changes.
-git commit -m "$COMIT_MESSAGE" -s
-git tag -a "$TAG_NAME" -m "$TAG_MESSAGE" -s
-
-# optional; push to remote
-git push --all
-git push --tags
--- a/refresh.sh
+++ b/refresh.sh
@ -1,180 +0,0 @@
-#!/bin/bash
-
-set -exuo nounset
-cd "$(dirname "$0")"
-
-USER_DELETE_MACHINE=false
-DOMAIN_NAME=
-VPS_HOSTING_TARGET=lxd
-RUN_CERT_RENEWAL=true
-USER_NO_BACKUP=false
-USER_RUN_RESTORE=false
-BTC_CHAIN=testnet
-UPDATE_BTCPAY=false
-MIGRATE_BTCPAY_SERVER=false
-RECONFIGURE_BTCPAY_SERVER=false
-BTCPAY_ADDITIONAL_HOSTNAMES=
-LXD_DISK_TO_USE=
-DEV_BTCPAY_MAC_ADDRESS=
-
-for i in "$@"; do
-    case $i in
-        --domain=*)
-            DOMAIN_NAME="${i#*=}"
-            shift
-        ;;
-        --hosting-provider=*)
-            VPS_HOSTING_TARGET="${i#*=}"
-            shift
-        ;;
-        --restore)
-            USER_RUN_RESTORE=true
-            shift
-        ;;
-        --update)
-            UPDATE_BTCPAY=true
-            shift
-        ;;
-        --no-backup)
-            USER_NO_BACKUP=true
-            shift
-        ;;
-        --delete)
-            USER_DELETE_MACHINE=true
-            shift
-        ;;
-        --storage-backend=*)
-            LXD_DISK_TO_USE="${i#*=}"
-            shift
-        ;;
-        --no-cert-renew)
-            RUN_CERT_RENEWAL=false
-            shift
-        ;;
-        --mainnet)
-            BTC_CHAIN=mainnet
-            shift
-        ;;
-        --migrate)
-            MIGRATE_BTCPAY_SERVER=true
-            shift
-        ;;
-        --reconfigure-btcpay)
-            RECONFIGURE_BTCPAY_SERVER=true
-            shift
-        ;;
-        *)
-            # unknown option
-        ;;
-    esac
-done
-
-export DOMAIN_NAME="$DOMAIN_NAME"
-export VPS_HOSTING_TARGET="$VPS_HOSTING_TARGET"
-export LXD_DISK_TO_USE="$LXD_DISK_TO_USE"
-export DEV_BTCPAY_MAC_ADDRESS="$DEV_BTCPAY_MAC_ADDRESS"
-export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
-
-export BTC_CHAIN="$BTC_CHAIN"
-export UPDATE_BTCPAY="$UPDATE_BTCPAY"
-export MIGRATE_BTCPAY_SERVER="$MIGRATE_BTCPAY_SERVER"
-export RECONFIGURE_BTCPAY_SERVER="$RECONFIGURE_BTCPAY_SERVER"
-
-# # first of all, if there are uncommited changes, we quit. You better stash your work yo!
-# if git update-index --refresh| grep -q "needs update"; then
-#     echo "ERROR: You have uncommited changes! Better stash your work with 'git stash'."
-#     exit 1
-# fi
-
-# shellcheck disable=SC1091
-source ./defaults.sh
-
-# iterate over all our server endpoints and provision them if needed.
-# www
-for APP_TO_DEPLOY in btcpay www; do
-    FQDN=
-    export APP_TO_DEPLOY="$APP_TO_DEPLOY"
-    # shellcheck disable=SC1091
-    source ./shared.sh
-
-    # skip this iteration if the site_definition says not to deploy btcpay server.
-    if [ "$APP_TO_DEPLOY" = btcpay ]; then
-        FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
-        if [ "$DEPLOY_BTCPAY_SERVER" = false ]; then
-            continue
-        fi
-    fi
-
-    # skip if the server config is set to not deploy.
-    if [ "$APP_TO_DEPLOY" = www ]; then
-        FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
-        if [ "$DEPLOY_WWW_SERVER" = false ]; then
-            continue
-        fi
-    fi
-
-    export FQDN="$FQDN"
-
-    # generate the docker yaml and nginx configs.
-    ./stub_docker_yml.sh
-    ./stub_nginxconf.sh
-
-    MACHINE_EXISTS=false
-    if [ "$VPS_HOSTING_TARGET" = aws ] && docker-machine ls -q | grep -q "$FQDN"; then
-        MACHINE_EXISTS=true
-    fi
-
-    if [ "$VPS_HOSTING_TARGET" = lxd ] && lxc list --format csv | grep -q "$FQDN"; then
-        MACHINE_EXISTS=true
-    fi
-
-    if [ "$USER_NO_BACKUP" = true ]; then
-        RUN_BACKUP=true
-    fi
-
-    if [ "$MACHINE_EXISTS"  = true ]; then
-        # we delete the machine if the user has directed us to
-        if [ "$USER_DELETE_MACHINE" = true ]; then
-            # run the domain_init based on user input.
-            if [ "$USER_NO_BACKUP"  = true ]; then
-                echo "Machine exists. We don't need to back it up because the user has directed --no-backup."
-            else
-                echo "Machine exists.  Since we're going to delete it, let's grab a backup. We don't need to restore services since we're deleting it."
-                RUN_RESTORE=false RUN_BACKUP=true RUN_SERVICES=false ./domain_init.sh
-            fi
-
-            # delete the remote VPS.
-            if [ "$VPS_HOSTING_TARGET" = aws ]; then
-                if [ "$APP_TO_DEPLOY" != btcpay ]; then
-                   # docker-machine rm -f "$FQDN"
-                   echo "ERROR: NOT IMPLEMENTED"
-                fi
-            elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
-                lxc delete --force "$LXD_VM_NAME"
-            fi
-
-            # Then we run the script again to re-instantiate a new VPS, restoring all user data 
-            # if restore directory doesn't exist, then we end up with a new site.
-            echo "INFO: Recreating the remote VPS then restoring user data."
-            RUN_RESTORE="$USER_RUN_RESTORE" RUN_BACKUP=false RUN_SERVICES=true ./domain_init.sh
-        else
-            if [ "$USER_NO_BACKUP"  = true ]; then
-                RUN_BACKUP=false
-                echo "INFO: Maintaining existing VPS. RUN_BACKUP=$RUN_BACKUP RUN_RESTORE=$USER_RUN_RESTORE"
-            else
-                RUN_BACKUP=true
-                echo "INFO: Maintaining existing VPS. RUN_BACKUP=$RUN_BACKUP RUN_RESTORE=$USER_RUN_RESTORE"
-            fi
-
-            RUN_RESTORE="$USER_RUN_RESTORE" RUN_BACKUP="$RUN_BACKUP" RUN_SERVICES=true ./domain_init.sh
-        fi
-    else
-        if [ "$USER_DELETE_MACHINE" = true ]; then
-            echo "INFO: User has indicated to delete the machine, but it doesn't exist. Going to create it anyway."
-        fi
-
-        # The machine does not exist. Let's bring it into existence, restoring from latest backup.
-        echo "Machine does not exist. RUN_RESTORE=$USER_RUN_RESTORE RUN_BACKUP=false" 
-        RUN_RESTORE="$USER_RUN_RESTORE" RUN_BACKUP=false RUN_SERVICES=true ./domain_init.sh
-    fi
-done
--- a/restore_btcpay.sh
+++ b/restore_btcpay.sh
@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -exu
-
-# this scripts ASSUMES services have already been taken down.
-
-# first let's ask the user for the absolute path to the backup file that we want to restore.
-FILE_PATH=
-read -r -p "Please enter the absolute path of the backup file you want to restore:  ": FILE_PATH
-if [ -f "$FILE_PATH" ]; then
-    # then we grab a backup of the existing stuff BEFORE the restoration attempt
-    ./backup_btcpay.sh "before-restore-$UNIX_BACKUP_TIMESTAMP"
-
-    echo "INFO: Restoring BTCPAY Server: $FILE_PATH"
-    ssh "$FQDN" mkdir -p "$REMOTE_BACKUP_PATH"
-    scp "$FILE_PATH" "$FQDN:$REMOTE_BACKUP_PATH/btcpay.tar.gz"
-    ssh "$FQDN" "cd /; sudo tar -xzvf $REMOTE_BACKUP_PATH/btcpay.tar.gz"
-else
-    echo "ERROR: File does not exist."
-    exit 1
-fi
--- a/restore_www.sh
+++ b/restore_www.sh
@ -1,20 +0,0 @@
-#!/bin/bash
-
-set -exu
-
-# first, this is a restore operation. We need to ask the administrator
-# if they want to continue because it results in data loss.
-# indeed, our first step is the delete the home directory on the remote server.
-
-# delete the home directory so we know we are restoring all files from the duplicity archive.
-ssh "$FQDN" sudo rm -rf "$REMOTE_HOME/*"
-
-# scp our local backup directory to the remote machine
-ssh "$FQDN" mkdir -p "$REMOTE_BACKUP_PATH"
-
-# TODO instead of scp the files up there, lets' mount the local backup folder to a remote folder then just run a duplicity restore.
-scp -r "$LOCAL_BACKUP_PATH/" "$FQDN:$REMOTE_HOME/backups/$APP_TO_DEPLOY"
-
-# now we run duplicity to restore the archive.
-ssh "$FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --force restore "file://$REMOTE_BACKUP_PATH/" "$REMOTE_HOME/"
-#ssh "$FQDN" sudo tar -xvf  "$REMOTE_HOME/certs.tar.gz" -C /etc
--- a/run_btcpay_setup.sh
+++ b/run_btcpay_setup.sh
@ -1,60 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-
-# export BTCPAY_FASTSYNC_ARCHIVE_FILENAME="utxo-snapshot-bitcoin-testnet-1445586.tar"
-# BTCPAY_REMOTE_RESTORE_PATH="/var/lib/docker/volumes/generated_bitcoin_datadir/_data"
-
-# This is the config for a basic proxy to the listening port 127.0.0.1:2368
-# It also supports modern TLS, so SSL certs must be available.
-cat > "$SITE_PATH/btcpay.sh" <<EOL
-#!/bin/bash
-
-set -ex
-
-# wait for cloud-init to complete yo
-while [ ! -f /var/lib/cloud/instance/boot-finished ]; do
-    sleep 1
-done
-
-# get pre-reqs
-apt-get update && apt-get install -y git wget
-
-if [ -d "btcpayserver-docker" ] && [ "$EXISTING_BRANCH" != "master" ] && [ "$EXISTING_REMOTE" != "master" ]; then echo "existing btcpayserver-docker folder found that did not match our specified fork. Moving. (Current branch: $EXISTING_BRANCH, Current remote: $EXISTING_REMOTE)"; mv "btcpayserver-docker" "btcpayserver-docker_$(date +%s)"; fi
-if [ -d "btcpayserver-docker" ] && [ "$EXISTING_BRANCH" == "master" ] && [ "$EXISTING_REMOTE" == "master" ]; then echo "existing btcpayserver-docker folder found, pulling instead of cloning."; git pull; fi
-if [ ! -d "btcpayserver-docker" ]; then echo "cloning btcpayserver-docker"; git clone -b master https://github.com/btcpayserver/btcpayserver-docker btcpayserver-docker; fi
-
-export BTCPAY_HOST="${FQDN}"
-export NBITCOIN_NETWORK="${BTC_CHAIN}"
-export LIGHTNING_ALIAS="${DOMAIN_NAME}"
-export LETSENCRYPT_EMAIL="${CERTIFICATE_EMAIL_ADDRESS}"
-export BTCPAYGEN_LIGHTNING="clightning"
-export BTCPAYGEN_CRYPTO1="btc"
-
-# opt-save-storage keeps 1 year of blocks (prunes to 100 GB)
-# opt-add-btctransmuter adds transmuter software
-# 
-export BTCPAYGEN_ADDITIONAL_FRAGMENTS="${BTCPAYGEN_ADDITIONAL_FRAGMENTS}"
-export BTCPAY_ADDITIONAL_HOSTS="${BTCPAY_ADDITIONAL_HOSTNAMES}"
-export BTCPAY_ENABLE_SSH=true
-
-cd btcpayserver-docker
-
-# run fast_sync if it's not been done before.
-if [ ! -f /home/ubuntu/fast_sync_completed ]; then
-    cd ./contrib/FastSync
-    ./load-utxo-set.sh
-    touch /home/ubuntu/fast_sync_completed
-    cd -
-fi
-
-# provision the btcpay server
-. ./btcpay-setup.sh -i
-
-EOL
-
-# send the setup script to the remote machine.
-scp "$SITE_PATH/btcpay.sh" "ubuntu@$FQDN:$REMOTE_HOME/btcpay_setup.sh"
-ssh "$FQDN" chmod 0744 "$REMOTE_HOME/btcpay_setup.sh"
-ssh "$FQDN" sudo bash -c ./btcpay_setup.sh
--- a/run_ddns.sh
+++ b/run_ddns.sh
@ -1,54 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-# create the ddclient.conf file
-cat >/tmp/ddclient.conf <<EOL
-### ddclient.conf
-### namecheap
-##################
-use=web, web=checkip.dyndns.com/, web-skip='IP Address'
-protocol=namecheap
-server=dynamicdns.park-your-domain.com
-login=${DOMAIN_NAME}
-password=${DDNS_PASSWORD}
-EOL
-
-# for the www stack, we register only the domain name so our URLs look like https://$DOMAIN_NAME
-if [ "$APP_TO_DEPLOY" = www ] || [ "$APP_TO_DEPLOY" = certonly ]; then
-    DDNS_STRING="@"
-else
-    DDNS_STRING="$DDNS_HOST"
-fi
-
-# append the correct DDNS string to ddclient.conf
-echo "$DDNS_STRING" >> /tmp/ddclient.conf
-
-cat /tmp/ddclient.conf
-
-# send the ddclient.conf file to the remote vps.
-docker-machine scp /tmp/ddclient.conf "$FQDN:$REMOTE_HOME/ddclient.conf"
-docker-machine ssh "$FQDN" sudo cp "$REMOTE_HOME/ddclient.conf" /etc/ddclient.conf
-docker-machine ssh "$FQDN" sudo chown root:root /etc/ddclient.conf
-docker-machine ssh "$FQDN" sudo chmod 0600 /etc/ddclient.conf
-docker-machine ssh "$FQDN" sudo apt-get -qq install -y ddclient wait-for-it git rsync duplicity sshfs
-docker-machine ssh "$FQDN" sudo ddclient
-
-# wait for DNS to get setup. Pass in the IP address of the actual VPS.
-echo "INFO: Verifying correct DNS configuration. This may take a while."
-MACHINE_IP="$(docker-machine ip "$FQDN")"
-
-DDNS_SLEEP_SECONDS=60
-while true; do
-    # we test the www CNAME here so we can be assured the underlying has corrected.
-    if [[ "$(getent hosts "$FQDN" | awk '{ print $1 }')" == "$MACHINE_IP" ]]; then
-        echo ""
-        echo "SUCCESS: The DNS appears to be configured correctly."
-
-        echo "INFO: Waiting $DDNS_SLEEP_SECONDS seconds to allow stale DNS records to expire."
-        sleep "$DDNS_SLEEP_SECONDS";
-        break;
-    fi
-
-    printf "." && sleep 2;
-done
--- a/shared.sh
+++ b/shared.sh
@ -1,210 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-# check to see if the enf file exists. exist if not.
-if [ ! -d "$SITE_PATH" ]; then
-    echo "ERROR: '$SITE_PATH' does not exist."
-    exit 1
-fi
-
-function new_pass {
-    apg -a 1 -M nc -n 3 -m 26 -E GHIJKLMNOPQRSTUVWXYZ | head -n1 | awk '{print $1;}'
-} 
-
-# check to see if the enf file exists. exist if not.
-SITE_DEFINITION_PATH="$SITE_PATH/site_definition"
-if [ ! -f "$SITE_DEFINITION_PATH" ]; then
-    echo "WARNING: '$SITE_DEFINITION_PATH' does not exist! We have stubbed one out for you, but you need to UPDATE IT!"
-
-    # stub out a site_definition with new passwords.
-    cat >"$SITE_DEFINITION_PATH" <<EOL
-#!/bin/bash
-
-export SITE_TITLE="Short Title of Project"
-export DOMAIN_NAME="domain.tld"
-export DDNS_PASSWORD="GET_SHARED_SECRET_FROM_DNS_PROVIDER"
-export SMTP_PASSWORD="GET_SHARED_SECRET_FROM_EMAIL_PROVIDER"
-export GHOST_MYSQL_PASSWORD="$(new_pass)"
-export GHOST_MYSQL_ROOT_PASSWORD="$(new_pass)"
-export NEXTCLOUD_MYSQL_PASSWORD="$(new_pass)"
-export GITEA_MYSQL_PASSWORD="$(new_pass)"
-export NEXTCLOUD_MYSQL_ROOT_PASSWORD="$(new_pass)"
-#export GITEA_MYSQL_ROOT_PASSWORD="$(new_pass)"
-export MATRIX_DB_PASSWORD="$(new_pass)"
-export MATRIX_SHARED_SECRET="$(new_pass)"
-export MATRIX_ADMIN_PASSWORD="$(new_pass)"
-export DUPLICITY_BACKUP_PASSPHRASE="$(new_pass)"
-export DEPLOY_GHOST=true
-export DEPLOY_MATRIX=true
-export DEPLOY_NEXTCLOUD=true
-export DEPLOY_ONION_SITE=false
-#export DEPLOY_BTCPAY_SERVER=true
-#export WWW_INSTANCE_TYPE="t2.medium"
-#export BTCPAY_ADDITIONAL_HOSTNAMES="pay.domain.tld"
-#export DEV_WWW_MAC_ADDRESS="00:16:3E:AD:25:2C"
-#export DEV_BTCPAY_MAC_ADDRESS="00:16:3E:AD:25:2D"
-
-EOL
-
-    chmod 0744 "$SITE_DEFINITION_PATH"
-    exit 1
-
-fi
-
-DOCKER_YAML_PATH="$SITE_PATH/appstack.yml"
-export DOCKER_YAML_PATH="$DOCKER_YAML_PATH"
-
-# TODO add file existence check
-# shellcheck disable=SC1090
-source "$SITE_PATH/site_definition"
-
-export REMOTE_HOME="/home/ubuntu"
-BACKUP_TIMESTAMP="$(date +"%Y-%m")"
-UNIX_BACKUP_TIMESTAMP="$(date +%s)"
-export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
-export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
-REMOTE_BACKUP_PATH="$REMOTE_HOME/backups/$APP_TO_DEPLOY/$BACKUP_TIMESTAMP"
-LOCAL_BACKUP_PATH="$SITE_PATH/backups/$APP_TO_DEPLOY/$BACKUP_TIMESTAMP"
-export LOCAL_BACKUP_PATH="$LOCAL_BACKUP_PATH"
-BACKUP_PATH_CREATED=false
-if [ ! -d "$LOCAL_BACKUP_PATH" ]; then
-    mkdir -p "$LOCAL_BACKUP_PATH"
-    BACKUP_PATH_CREATED=true
-fi
-
-export BACKUP_PATH_CREATED="$BACKUP_PATH_CREATED"
-mkdir -p "$SSHFS_PATH"
-
-# VALIDATE THE INPUT from the ENVFILE
-if [ -z "$DOMAIN_NAME" ]; then
-    echo "ERROR: DOMAIN_NAME not specified. Use the --domain-name= option."
-    exit 1
-fi
-
-# TODO, ensure VPS_HOSTING_TARGET is in range.
-export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
-export MATRIX_FQDN="$MATRIX_HOSTNAME.$DOMAIN_NAME"
-export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME"
-
-export ADMIN_ACCOUNT_USERNAME="info"
-export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
-export MAIL_FROM="$SITE_TITLE <$CERTIFICATE_EMAIL_ADDRESS>"
-export REMOTE_CERT_BASE_DIR="$REMOTE_HOME/.certs"
-export REMOTE_CERT_DIR="$REMOTE_CERT_BASE_DIR/$FQDN"
-
-touch "$SITE_PATH/debug.log"
-export SMTP_LOGIN="www@mail.$DOMAIN_NAME"
-export VM_NAME="sovereign-stack-base"
-export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
-export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
-
-# this space is for OS, docker images, etc. DOES NOT INCLUDE USER DATA.
-export ROOT_DISK_SIZE_GB=20
-
-DDNS_HOST=
-if [ "$APP_TO_DEPLOY" = www ]; then
-    DDNS_HOST="$WWW_HOSTNAME"
-    ROOT_DISK_SIZE_GB=$((ROOT_DISK_SIZE_GB + NEXTCLOUD_SPACE_GB))
-elif [ "$APP_TO_DEPLOY" = btcpay ]; then
-    DDNS_HOST="$BTCPAY_HOSTNAME"
-    if [ "$BTC_CHAIN" = mainnet ]; then
-        ROOT_DISK_SIZE_GB=150
-    elif [ "$BTC_CHAIN" = testnet ]; then
-        ROOT_DISK_SIZE_GB=40
-    fi
-elif [ "$APP_TO_DEPLOY" = certonly ]; then
-    DDNS_HOST="$WWW_HOSTNAME"
-    ROOT_DISK_SIZE_GB=8
-else
-    echo "ERROR: APP_TO_DEPLOY not within allowable bounds."
-    exit
-fi
-
-# we use this in other subshells.
-export APP_TO_DEPLOY="$APP_TO_DEPLOY"
-export DDNS_HOST="$DDNS_HOST"
-export FQDN="$DDNS_HOST.$DOMAIN_NAME"
-export LXD_VM_NAME="${FQDN//./-}"
-export BTC_CHAIN="$BTC_CHAIN"
-export ROOT_DISK_SIZE_GB=$ROOT_DISK_SIZE_GB
-export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
-export REMOTE_BACKUP_PATH="$REMOTE_BACKUP_PATH"
-export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"
-
-if [ "$DEPLOY_GHOST" = true ]; then
-    if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
-        echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-
-    if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
-        echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-fi
-
-if [ "$DEPLOY_GITEA" = true ]; then
-    if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
-        echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-    if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
-        echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-fi
-
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-    if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
-        echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-
-    if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
-        echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-fi
-
-if [ "$DEPLOY_MATRIX" = true ]; then
-    if [ -z "$MATRIX_ADMIN_PASSWORD" ]; then
-        echo "ERROR: Ensure MATRIX_ADMIN_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-
-    if [ -z "$MATRIX_DB_PASSWORD" ]; then
-        echo "ERROR: Ensure MATRIX_DB_PASSWORD is configured in your site_definition."
-        exit 1
-    fi
-fi
-
-if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
-    echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
-    exit 1
-fi
-
-if [ -z "$SMTP_PASSWORD" ]; then
-    echo "ERROR: Ensure SMTP_PASSWORD is configured in your site_definition."
-    exit 1
-fi
-
-if [ -z "$DDNS_PASSWORD" ]; then
-    echo "ERROR: Ensure DDNS_PASSWORD is configured in your site_definition."
-    exit 1
-fi
-
-if [ -z "$DOMAIN_NAME" ]; then
-    echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
-    exit 1
-fi
-
-if [ -z "$SITE_TITLE" ]; then
-    echo "ERROR: Ensure SITE_TITLE is configured in your site_definition."
-    exit 1
-fi
-
-if [ -z "$DEPLOY_BTCPPAY_SERVER" ]; then
-    echo "ERROR: Ensure DEPLOY_BTCPPAY_SERVER is configured in your site_definition."
-    exit 1
-fi
--- a/stub_docker_yml.sh
+++ b/stub_docker_yml.sh
@ -1,357 +0,0 @@
-#!/bin/bash
-
-set -exu
-cd "$(dirname "$0")"
-
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-    if [ -z "$ONION_ADDRESS" ]; then
-        echo "ERROR: ONION_ADDRESS is not defined."
-        exit 1
-    fi
-fi
-
-
-# here's the NGINX config. We support ghost and nextcloud.
-echo "" > "$DOCKER_YAML_PATH"
-
-cat >>"$DOCKER_YAML_PATH" <<EOL
-version: "3.8"
-services:
-
-EOL
-
-
-# This is the ghost for HTTPS (not over Tor)
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  ghost:
-    image: ${GHOST_IMAGE}
-    networks:
-      - ghost-net
-      - ghostdb-net
-    volumes:
-      - ${REMOTE_HOME}/ghost_site:/var/lib/ghost/content
-    environment:
-      - url=https://${FQDN}
-      - mail__from="${MAIL_FROM}"
-      - mail__options__service=SMTP
-      - mail__transport=SMTP
-      - mail__options__host=${SMTP_SERVER}
-      - mail__options__port=${SMTP_PORT}
-      - mail__options__auth__user=${SMTP_LOGIN}
-      - mail__options__auth__pass=\${SMTP_PASSWORD}
-      - database__client=mysql
-      - database__connection__host=ghostdb
-      - database__connection__user=ghost
-      - database__connection__password=\${GHOST_MYSQL_PASSWORD}
-      - database__connection__database=ghost
-      - database__pool__min=0
-      - privacy__useStructuredData=true
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-  ghostdb:
-    image: ${GHOST_DB_IMAGE}
-    networks:
-      - ghostdb-net
-    volumes:
-      - ${REMOTE_HOME}/ghost_db:/var/lib/mysql
-    environment:
-       - MYSQL_ROOT_PASSWORD=\${GHOST_MYSQL_ROOT_PASSWORD}
-       - MYSQL_DATABASE=ghost
-       - MYSQL_USER=ghost
-       - MYSQL_PASSWORD=\${GHOST_MYSQL_PASSWORD}
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-EOL
-
-
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  nextcloud-db:
-    image: ${NEXTCLOUD_DB_IMAGE}
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
-    networks:
-      - nextclouddb-net
-    volumes:
-      - ${REMOTE_HOME}/nextcloud/db/data:/var/lib/mysql
-    environment:
-      - MARIADB_ROOT_PASSWORD=\${NEXTCLOUD_MYSQL_ROOT_PASSWORD}
-      - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-  nextcloud:
-    image: ${NEXTCLOUD_IMAGE}
-    networks:
-      - nextclouddb-net
-      - nextcloud-net
-    volumes:
-      - ${REMOTE_HOME}/nextcloud/html:/var/www/html
-    environment:
-      - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-      - MYSQL_HOST=nextcloud-db
-      - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN_NAME}
-      - OVERWRITEHOST=${NEXTCLOUD_FQDN}
-      - OVERWRITEPROTOCOL=https
-      - SERVERNAME=${NEXTCLOUD_FQDN}
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-EOL
-fi
-
-
-
-if [ "$DEPLOY_MATRIX" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  matrix:
-    image: ${MATRIX_IMAGE}
-    volumes:
-      - ${REMOTE_HOME}/matrix/data:/data
-    networks:
-      - matrix-net
-      - matrixdb-net
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-  matrix-db:
-    image: ${MATRIX_DB_IMAGE}
-    volumes:
-      - ${REMOTE_HOME}/matrix/db:/var/lib/postgresql/data
-    networks:
-      - matrixdb-net
-    environment:
-      - POSTGRES_PASSWORD=\${MATRIX_DB_PASSWORD}
-      - POSTGRES_USER=synapse
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-EOL
-fi
-
-
-
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  gitea:
-    image: ${GITEA_IMAGE}
-    volumes:
-      - ${REMOTE_GITEA_PATH}/data:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    environment:
-      - USER_UID=1000
-      - USER_GID=1000
-      - GITEA__database__DB_TYPE=mysql
-      - GITEA__database__HOST=gitea-db:3306
-      - GITEA__database__NAME=gitea
-      - GITEA__database__USER=gitea
-      - GITEA__PASSWD=${GITEA_MYSQL_PASSWORD}
-    networks:
-      - gitea-net
-      - giteadb-net
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-  gitea-db:
-    image: ${GITEA_DB_IMAGE}
-    networks:
-      - giteadb-net
-    volumes:
-      - ${REMOTE_GITEA_PATH}/db:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD=\${GITEA_MYSQL_ROOT_PASSWORD}
-      - MYSQL_PASSWORD=\${GITEA_MYSQL_PASSWORD}
-      - MYSQL_DATABASE=gitea
-      - MYSQL_USER=gitea
-    deploy:
-      restart_policy:
-        condition: on-failure
-EOL
-fi
-
-
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  # a hidden service that routes to the nginx container at http://onionurl.onion server block
-  tor-onion:
-    image: tor:latest
-    networks:
-      - tor-net
-    volumes:
-      - ${REMOTE_HOME}/tor:/var/lib/tor
-      - tor-logs:/var/log/tor
-    configs:
-      - source: tor-config
-        target: /etc/tor/torrc
-        mode: 0644
-    deploy:
-      mode: replicated
-      replicas: 1
-      restart_policy:
-        condition: on-failure
-
-  tor-ghost:
-    image: ${GHOST_IMAGE}
-    networks:
-      - ghostdb-net
-      - ghost-net
-    volumes:
-      - ${REMOTE_HOME}/tor_ghost:/var/lib/ghost/content
-    environment:
-      - url=https://${ONION_ADDRESS}
-      - mail__from=${MAIL_FROM}
-      - mail__options__service=SMTP
-      - mail__transport=SMTP
-      - mail__options__host=${SMTP_SERVER}
-      - mail__options__port=${SMTP_PORT}
-      - mail__options__auth__user=${SMTP_LOGIN}
-      - mail__options__auth__pass=\${SMTP_PASSWORD}
-      - database__client=mysql
-      - database__connection__host=ghostdb
-      - database__connection__user=ghost
-      - database__connection__password=\${GHOST_MYSQL_PASSWORD}
-      - database__connection__database=ghost
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-EOL
-fi
-
-# NGINX required
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  nginx:
-    image: ${NGINX_IMAGE}
-    ports:
-      - 0.0.0.0:443:443
-      - 0.0.0.0:80:80
-      - 0.0.0.0:8448:8448
-    networks:
-      - ghost-net
-EOL
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - torghost-net
-EOL
-fi
-
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - nextcloud-net
-EOL
-fi
-
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - gitea-net
-EOL
-fi
-
-if [ "$DEPLOY_MATRIX" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - matrix-net
-EOL
-fi
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-      - tor-net
-EOL
-fi
-
-# the rest of the nginx config
-cat >>"$DOCKER_YAML_PATH" <<EOL
-    volumes:
-      - /etc/letsencrypt:/etc/letsencrypt:ro
-    configs:
-      - source: nginx-config
-        target: /etc/nginx/nginx.conf
-    deploy:
-      restart_policy:
-        condition: on-failure
-EOL
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  
-volumes:
-  tor-data:
-  tor-logs:
-
-EOL
-fi
-#-------------------------
-
-# networks ----------------------
-cat >>"$DOCKER_YAML_PATH" <<EOL
-networks:
-EOL
-
-if [ "$DEPLOY_GHOST" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  ghost-net:
-  ghostdb-net:
-EOL
-fi
-
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  nextclouddb-net:
-  nextcloud-net:
-EOL
-fi
-
-if [ "$DEPLOY_MATRIX" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  matrix-net:
-  matrixdb-net:
-EOL
-fi
-
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  gitea-net:
-  giteadb-net:
-EOL
-fi
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  tor-net:
-  torghost-net:
-EOL
-fi
-# -------------------------------
-
-
-# configs ----------------------
-cat >>"$DOCKER_YAML_PATH" <<EOL
-
-configs:
-  nginx-config:
-    file: ${SITE_PATH}/nginx.conf
-EOL
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$DOCKER_YAML_PATH" <<EOL
-  tor-config:
-    file: $(pwd)/tor/torrc
-EOL
-fi
-# -----------------------------
--- a/stub_nginxconf.sh
+++ b/stub_nginxconf.sh
@ -1,371 +0,0 @@
-#!/bin/bash
-
-set -exu
-cd "$(dirname "$0")"
-
-
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-    if [ -z "$ONION_ADDRESS" ]; then
-        echo "ERROR: ONION_ADDRESS is not defined."
-        exit 1
-    fi
-fi
-
-
-# here's the NGINX config. We support ghost and nextcloud.
-NGINX_CONF_PATH="$SITE_PATH/nginx.conf"
-echo "" > "$NGINX_CONF_PATH"
-cat >>"$NGINX_CONF_PATH" <<EOL
-events {
-    worker_connections  1024;
-}
-
-http {
-    client_max_body_size 100m;
-    server_names_hash_bucket_size  128;
-    server_tokens off;
-    
-    # this server block returns a 403 for all non-explicit host requests.
-    #server {
-    #    listen 80 default_server;
-    #    return 403;
-    #}
-
-EOL
-
-
-# ghost http to https redirects.
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # http://${DOMAIN_NAME} redirect to https://${FQDN}
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name ${DOMAIN_NAME};
-        return 301 https://${FQDN}\$request_uri;
-    }
-
-    # http://${FQDN} redirect to https://${FQDN}
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name ${FQDN};
-        return 301 https://${FQDN}\$request_uri;
-    }
-
-EOL
-
-# nextcloud http-to-https redirect
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # http://${NEXTCLOUD_FQDN} redirect to https://${NEXTCLOUD_FQDN}
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name ${NEXTCLOUD_FQDN};
-        return 301 https://${NEXTCLOUD_FQDN}\$request_uri;
-    }
-
-EOL
-fi
-
-# matrix http to https redirect.
-if [ "$DEPLOY_MATRIX" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # http://${MATRIX_FQDN} redirect to https://${MATRIX_FQDN}
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name ${MATRIX_FQDN};
-        return 301 https://${MATRIX_FQDN}\$request_uri;
-    }
-
-EOL
-fi
-
-# gitea http to https redirect.
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # http://${GITEA_FQDN} redirect to https://${GITEA_FQDN}
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name ${GITEA_FQDN};
-        return 301 https://${GITEA_FQDN}\$request_uri;
-    }
-
-EOL
-fi
-
-# TLS config for ghost.
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # global TLS settings
-    ssl_prefer_server_ciphers on;
-    ssl_protocols TLSv1.3;
-    ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
-    ssl_session_tickets off;
-    add_header Strict-Transport-Security "max-age=63072000" always;
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    resolver 198.54.117.10;
-
-
-    # default server if hostname not specified.
-    #server {
-    #    listen 443 default_server;
-    #    return 403;
-    #}
-
-    # map \$http_user_agent \$og_prefix {
-    #     ~*(googlebot|twitterbot)/  /open-graph;
-    # }
-
-    # https://${DOMAIN_NAME} redirect to https://${FQDN}
-    server {
-        listen 443 ssl http2;
-        listen [::]:443 ssl http2;
-        server_name ${DOMAIN_NAME};
-        return 301 https://${FQDN}\$request_uri;
-    }
-
-    access_log /var/log/nginx/ghost-access.log;
-    error_log /var/log/nginx/ghost-error.log;
-
-EOL
-
-if [ "$ENABLE_NGINX_CACHING" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # main TLS listener; proxies requests to ghost service. NGINX configured to cache
-    proxy_cache_path /tmp/nginx_ghost levels=1:2 keys_zone=ghostcache:600m max_size=100m inactive=24h;
-EOL
-fi
-
-# the open server block for the HTTPS listener
-cat >>"$NGINX_CONF_PATH" <<EOL
-    server {
-        listen 443 ssl http2;
-        listen [::]:443 ssl http2;
-        server_name ${FQDN};
-
-EOL
-
-# add the Onion-Location header if specifed.
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-        add_header Onion-Location https://${ONION_ADDRESS}\$request_uri;
-        
-EOL
-fi
-
-if [ "$ENABLE_NGINX_CACHING" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-
-        # No cache + keep cookies for admin and previews
-        location ~ ^/(ghost/|p/|private/) {
-            proxy_set_header X-Real-IP \$remote_addr;
-            proxy_set_header Host \$http_host;
-            proxy_set_header X-Forwarded-For    \$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto  \$scheme;
-            proxy_intercept_errors  on;
-            proxy_pass http://ghost:2368;
-        }
-        
-EOL
-fi
-
-# proxy config for ghost
-cat >>"$NGINX_CONF_PATH" <<EOL
-        # Set the crawler policy.
-        location = /robots.txt { 
-            add_header Content-Type text/plain;
-            return 200 "User-Agent: *\\nAllow: /\\n";
-        }
-
-        location / {
-            proxy_set_header X-Real-IP \$remote_addr;
-            proxy_set_header Host \$http_host;
-
-            proxy_set_header X-Forwarded-For    \$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto  \$scheme;
-            proxy_intercept_errors  on;
-            proxy_pass http://ghost:2368;
-EOL
-
-if [ "$ENABLE_NGINX_CACHING" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-            # https://stanislas.blog/2019/08/ghost-nginx-cache/ for nginx caching instructions
-            # Remove cookies which are useless for anonymous visitor and prevent caching
-            proxy_ignore_headers Set-Cookie Cache-Control;
-            proxy_hide_header Set-Cookie;
-
-            # Add header for cache status (miss or hit)
-            add_header X-Cache-Status \$upstream_cache_status;
-            proxy_cache ghostcache;
-
-            # Default TTL: 1 day
-            proxy_cache_valid 5s;
-
-            # Cache 404 pages for 1h
-            proxy_cache_valid 404 1h;
-
-            # use conditional GET requests to refresh the content from origin servers
-            proxy_cache_revalidate on;
-            proxy_buffering on;
-
-            # Allows starting a background subrequest to update an expired cache item,
-            # while a stale cached response is returned to the client.
-            proxy_cache_background_update on;
-
-            # Bypass cache for errors
-            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-   
-EOL
-fi
-
-# this is the closing location / block for the ghost HTTPS segment
-cat >>"$NGINX_CONF_PATH" <<EOL
-        }
-
-EOL
-
-# TODO this MIGHT be part of the solution for Twitter Cards.
-        # location /contents {
-        #     resolver 127.0.0.11 ipv6=off valid=5m;
-        #     proxy_set_header X-Real-IP \$remote_addr;
-        #     proxy_set_header Host \$http_host;
-        #     proxy_set_header X-Forwarded-For    \$proxy_add_x_forwarded_for;
-        #     proxy_set_header X-Forwarded-Proto  \$scheme;
-        #     proxy_intercept_errors  on;
-        #     proxy_pass http://ghost:2368\$og_prefix\$request_uri;
-        # }
-
-# setup delegation for matrix
-if [ "$DEPLOY_MATRIX" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-        # Set up delegation for matrix: https://github.com/matrix-org/synapse/blob/develop/docs/delegate.md
-        location /.well-known/matrix/server {
-		    default_type application/json;
-		    return 200 '{"m.server": "${MATRIX_FQDN}:8448"}';
-	    }
-EOL
-fi
-
-# this is the closing server block for the ghost HTTPS segment
-cat >>"$NGINX_CONF_PATH" <<EOL
-    
-    }
-
-EOL
-
-# tor config
-if [ "$DEPLOY_ONION_SITE" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # server listener for tor v3 onion endpoint
-    server {
-        listen 443 ssl http2;
-        listen [::]:443 ssl http2;
-        server_name ${ONION_ADDRESS};
-        #access_log /var/log/nginx/tor-www.log;
-        
-        # administration not allowed over tor interface.
-        location /ghost { deny all; }
-        location / {
-            proxy_set_header X-Forwarded-For 1.1.1.1;
-            proxy_set_header X-Forwarded-Proto https;
-            proxy_set_header X-Real-IP 1.1.1.1;
-            proxy_set_header Host \$http_host;
-            proxy_pass http://tor-ghost:2368;
-        }
-    }
-EOL
-fi
-
-if [ "$DEPLOY_NEXTCLOUD" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # TLS listener for ${NEXTCLOUD_FQDN}
-    server {
-        listen 443 ssl http2;
-        listen [::]:443 ssl http2;
-        server_name ${NEXTCLOUD_FQDN};
-        
-        location / {
-            proxy_headers_hash_max_size 512;
-            proxy_headers_hash_bucket_size 64;
-            proxy_set_header X-Real-IP \$remote_addr;
-            proxy_set_header Host \$host;
-            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto \$scheme;
-            proxy_set_header X-NginX-Proxy true;
-            
-            proxy_pass http://nextcloud:80;
-        }
-                    
-        # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html
-        location /.well-known/carddav {
-            return 301 \$scheme://\$host/remote.php/dav;
-        }
-
-        location /.well-known/caldav {
-            return 301 \$scheme://\$host/remote.php/dav;
-        }
-    }
-EOL
-fi
-
-if [ "$DEPLOY_MATRIX" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # TLS listener for ${MATRIX_FQDN} (matrix)
-    server {
-        # matrix RESTful calls.
-        listen 443 ssl http2;
-        listen [::]:443 ssl http2;
-        
-        # for the federation port
-        listen 8448 ssl http2;
-        listen [::]:8448 ssl http2;
-
-        server_name ${MATRIX_FQDN};
-        
-        location ~* ^(\/_matrix|\/_synapse\/client) {
-            proxy_pass http://matrix:8008;
-            proxy_set_header X-Forwarded-For \$remote_addr;
-            proxy_set_header X-Forwarded-Proto \$scheme;
-            proxy_set_header Host \$host;
-            client_max_body_size 50M;
-        }
-    }
-EOL
-fi
-
-
-if [ "$DEPLOY_GITEA" = true ]; then
-cat >>"$NGINX_CONF_PATH" <<EOL
-    # TLS listener for ${GITEA_FQDN}
-    server {
-        listen 443 ssl http2;
-        listen [::]:443 ssl http2;
-    
-        server_name ${GITEA_FQDN};
-        
-        location / {
-            proxy_headers_hash_max_size 512;
-            proxy_headers_hash_bucket_size 64;
-            proxy_set_header X-Real-IP \$remote_addr;
-            proxy_set_header Host \$host;
-            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto \$scheme;
-            proxy_set_header X-NginX-Proxy true;
-            
-            proxy_pass http://gitea:3000;
-        }
-    }
-EOL
-fi
-
-# add the closing brace.
-cat >>"$NGINX_CONF_PATH" <<EOL
-}
-EOL
--- a/tor.yml
+++ b/tor.yml
@ -1,32 +0,0 @@
-version: "3.8"
-services:
-
-  # a hidden service that routes to the nginx container at http://onionurl.onion server block
-  tor-onion:
-    image: tor:latest
-    networks:
-      - tor-net
-    volumes:
-      - ${REMOTE_HOME}/tor:/var/lib/tor
-      - tor-logs:/var/log/tor
-    configs:
-      - source: tor-config
-        target: /etc/tor/torrc
-        mode: 0644
-    deploy:
-      mode: replicated
-      replicas: 1
-      restart_policy:
-        condition: on-failure
-
-volumes:
-  tor-data:
-  tor-logs:
-
-networks:
-  tor-net:
-    attachable: true
-
-configs:
-  tor-config:
-    file: ${TOR_CONFIG_PATH}
--- a/tor/Dockerfile
+++ b/tor/Dockerfile
@ -1,11 +0,0 @@
-FROM ubuntu:latest
-RUN apt-get update && apt-get install -y tor
-#COPY ./torrc /etc/tor/torrc
-#RUN chown root:root /etc/tor/torrc
-#RUN chmod 0644 /etc/tor/torrc
-
-#RUN mkdir /data
-#VOLUME /data
-# RUN chown 1000:1000 -R /data
-#USER 1000:1000
-CMD tor -f /etc/tor/torrc
--- a/tor/torrc
+++ b/tor/torrc
@ -1,8 +0,0 @@
-# we configure a hidden service that listens on onion:80 and redirects to nginx:80 at the at the torv3 onion address
-SocksPort 0
-
-HiddenServiceDir /var/lib/tor/www
-HiddenServiceVersion 3
-HiddenServicePort 443 nginx:443
-
-Log info file /var/log/tor/tor.log
--- a/tor/torrc-init
+++ b/tor/torrc-init
@ -1,5 +0,0 @@
-HiddenServiceDir /var/lib/tor/www
-HiddenServiceVersion 3
-HiddenServicePort 443 127.0.0.1:443
-
-Log info file /var/log/tor/tor.log
--- a/uninstall.sh
+++ b/uninstall.sh
@ -0,0 +1,93 @@
+#!/bin/bash
+
+set -exu
+
+# this script uninstalls incus from the MANAGEMENT MACHINE
+# if you want to remove incus from remote cluster hosts, run ss-reset.
+
+PURGE_INCUS=false
+
+# grab any modifications from the command line.
+for i in "$@"; do
+    case $i in
+        --purge)
+            PURGE_INCUS=true
+            shift
+        ;;
+        *)
+        echo "Unexpected option: $1"
+        exit 1
+        ;;
+    esac
+done
+
+# this script undoes install.sh
+if ! command -v incus >/dev/null 2>&1; then
+    echo "This script requires incus to be installed. Please run 'install.sh'."
+    exit 1
+fi
+
+if ! incus remote get-default | grep -q "local"; then
+    echo "ERROR: You MUST be on the local remote when uninstalling the SSME."
+    echo "INFO: You can use 'incus remote switch local' to do this."
+    exit 1
+fi
+
+
+if ! incus project list | grep -q "default (current)"; then
+    echo "ERROR: You MUST be on the default project when uninstalling the SSME."
+    echo "INFO: You can use 'incus project switch default' to do this."
+    exit 1
+fi
+
+
+if incus list --format csv | grep -q "ss-mgmt"; then
+
+    if incus list --format csv -q | grep -q "ss-mgmt,RUNNING"; then
+        incus stop ss-mgmt
+    fi
+
+    if incus config device list ss-mgmt -q | grep -q "ss-code"; then
+        incus config device remove ss-mgmt ss-code
+    fi
+
+    if incus config device list ss-mgmt -q | grep -q "ss-root"; then
+        incus config device remove ss-mgmt ss-root
+    fi
+
+    if incus config device list ss-mgmt -q | grep -q "ss-ssh"; then
+        incus config device remove ss-mgmt ss-ssh
+    fi
+
+    incus delete ss-mgmt
+fi
+
+if [ "$PURGE_INCUS" = true ]; then
+
+    if incus profile device list default | grep -q root; then
+        incus profile device remove default root
+    fi
+
+    if incus profile device list default | grep -q enp5s0; then
+        incus profile device remove default enp5s0
+    fi
+
+    if incus network list --project default | grep -q incusbr0; then
+        incus network delete incusbr0
+    fi
+
+    # this file contains the BASE_IMAGE_NAME
+    . ./deployment/base.sh
+    if incus image list | grep -q "$UBUNTU_BASE_IMAGE_NAME"; then
+        incus image delete "$UBUNTU_BASE_IMAGE_NAME"
+    fi
+
+    if incus storage list --format csv | grep -q sovereign-stack; then
+        incus storage delete sovereign-stack
+    fi
+
+    if dpkg -l | grep -q incus; then
+        sudo apt purge incus -y
+    fi
+
+fi
				`@ -0,0 +1 @@`
				`Subproject commit e8470d789a3811e2fe3f6818fd9a6fea859ba71c`