trigger chnage detection for localize pipe and round out implementing localize pipe for consistency even though not needed

fix alerts i18n, fix status display, better, remove usb media, hide shutdown for install complete
move comment to safe place
2026-03-26 18:31:52 +00:00 · 2026-02-04 14:00:20 -07:00 · 2026-02-04 11:19:58 -07:00 · 2026-02-02 21:09:19 -07:00 · 2026-02-02 20:16:41 -07:00 · 2026-02-02 18:51:11 -07:00
2129 changed files with 211769 additions and 104048 deletions
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -1,36 +1,34 @@
 name: 🐛 Bug Report
-description: Create a report to help us improve EmbassyOS
-title: '[bug]: '
+description: Create a report to help us improve StartOS
+title: "[bug]: "
 labels: [Bug, Needs Triage]
 assignees:
-  - dr-bonez
+  - MattDHill
 body:
  - type: checkboxes
    attributes:
      label: Prerequisites
      description: Please confirm you have completed the following.
      options:
-        - label: I have searched for [existing issues](https://github.com/start9labs/embassy-os/issues) that already report this problem, without success.
+        - label: I have searched for [existing issues](https://github.com/start9labs/start-os/issues) that already report this problem.
          required: true
  - type: input
    attributes:
-      label: EmbassyOS Version
-      description: What version of EmbassyOS are you running?
-      placeholder: e.g. 0.3.0
+      label: Server Hardware
+      description: On what hardware are you running StartOS? Please be as detailed as possible!
+      placeholder: Pi (8GB) w/ 32GB microSD & Samsung T7 SSD
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: StartOS Version
+      description: What version of StartOS are you running?
+      placeholder: e.g. 0.3.4.3
    validations:
      required: true
  - type: dropdown
    attributes:
-      label: Device
-      description: What device are you using to connect to Embassy?
-      options:
-        - Phone/tablet
-        - Laptop/Desktop
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Device OS
+      label: Client OS
      description: What operating system is your device running?
      options:
        - MacOS
@@ -45,14 +43,14 @@ body:
      required: true
  - type: input
    attributes:
-      label: Device OS Version
+      label: Client OS Version
      description: What version is your device OS?
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Browser
-      description: What browser are you using to connect to Embassy?
+      description: What browser are you using to connect to your server?
      options:
        - Firefox
        - Brave
--- a/.github/ISSUE_TEMPLATE/feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/feature-request.yml
@@ -1,16 +1,16 @@
 name: 💡 Feature Request
-description: Suggest an idea for EmbassyOS
-title: '[feat]: '
+description: Suggest an idea for StartOS
+title: "[feat]: "
 labels: [Enhancement]
 assignees:
-  - dr-bonez
+  - MattDHill
 body:
  - type: checkboxes
    attributes:
      label: Prerequisites
      description: Please confirm you have completed the following.
      options:
-        - label: I have searched for [existing issues](https://github.com/start9labs/embassy-os/issues) that already suggest this feature, without success.
+        - label: I have searched for [existing issues](https://github.com/start9labs/start-os/issues) that already suggest this feature.
          required: true
  - type: textarea
    attributes:
@@ -27,7 +27,7 @@ body:
  - type: textarea
    attributes:
      label: Describe Preferred Solution
-      description: How you want this feature added to EmbassyOS?
+      description: How you want this feature added to StartOS?
  - type: textarea
    attributes:
      label: Describe Alternatives
--- a/.github/actions/setup-build/action.yml
+++ b/.github/actions/setup-build/action.yml
@@ -0,0 +1,81 @@
+name: Setup Build Environment
+description: Common build environment setup steps
+
+inputs:
+  nodejs-version:
+    description: Node.js version
+    required: true
+  setup-python:
+    description: Set up Python
+    required: false
+    default: "false"
+  setup-docker:
+    description: Set up Docker QEMU and Buildx
+    required: false
+    default: "true"
+  setup-sccache:
+    description: Configure sccache for GitHub Actions
+    required: false
+    default: "true"
+  free-space:
+    description: Remove unnecessary packages to free disk space
+    required: false
+    default: "true"
+
+runs:
+  using: composite
+  steps:
+    - name: Free disk space
+      if: inputs.free-space == 'true'
+      shell: bash
+      run: |
+        sudo apt-get remove --purge -y azure-cli || true
+        sudo apt-get remove --purge -y firefox || true
+        sudo apt-get remove --purge -y ghc-* || true
+        sudo apt-get remove --purge -y google-cloud-sdk || true
+        sudo apt-get remove --purge -y google-chrome-stable || true
+        sudo apt-get remove --purge -y powershell || true
+        sudo apt-get remove --purge -y php* || true
+        sudo apt-get remove --purge -y ruby* || true
+        sudo apt-get remove --purge -y mono-* || true
+        sudo apt-get autoremove -y
+        sudo apt-get clean
+        sudo rm -rf /usr/lib/jvm
+        sudo rm -rf /usr/local/.ghcup
+        sudo rm -rf /usr/local/lib/android
+        sudo rm -rf /usr/share/dotnet
+        sudo rm -rf /usr/share/swift
+        sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+
+    # BuildJet runners lack /opt/hostedtoolcache, which setup-python and setup-qemu expect
+    - name: Ensure hostedtoolcache exists
+      shell: bash
+      run: sudo mkdir -p /opt/hostedtoolcache && sudo chown $USER:$USER /opt/hostedtoolcache
+
+    - name: Set up Python
+      if: inputs.setup-python == 'true'
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3.x"
+
+    - uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.nodejs-version }}
+        cache: npm
+        cache-dependency-path: "**/package-lock.json"
+
+    - name: Set up Docker QEMU
+      if: inputs.setup-docker == 'true'
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      if: inputs.setup-docker == 'true'
+      uses: docker/setup-buildx-action@v3
+
+    - name: Configure sccache
+      if: inputs.setup-sccache == 'true'
+      uses: actions/github-script@v7
+      with:
+        script: |
+          core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
+          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -1,24 +0,0 @@
-# This folder contains GitHub Actions workflows for building the project
-
-## backend-pr
-Runs: when a pull request targets the master branch and changes the libs/ and/or backend/ folders
-
-This workflow uses the actions docker/setup-qemu-action@v1 and docker/setup-buildx-action@v1 to prepare the environment for aarch64 cross complilation using docker buildx.
-A matrix-strategy has been used for building the v8 snapshot instead of the makefile to allow parallel job execution.
-
-## frontend-pr
-Runs: when a pull request targets the master branch and changes the frontend/ folder
-
-This workflow builds the frontends.
-
-## product
-Runs: when a change to the master branch is made
-
-This workflow builds everything, re-using the backend-pr and frontend-pr workflows.
-The download and extraction order of artifacts is relevant to `make`, as it checks the file timestamps to decide which targets need to be executed.
-
-Result: eos.img
-
-## a note on uploading artifacts
-
-Artifacts are used to share data between jobs. File permissions are not maintained during artifact upload. Where file permissions are relevant, the workaround using tar has been used. See (here)[https://github.com/actions/upload-artifact#maintaining-file-permissions-and-case-sensitive-files].
--- a/.github/workflows/backend-pr.yaml
+++ b/.github/workflows/backend-pr.yaml
@@ -1,104 +0,0 @@
-name: Backend PR
-
-on:
-  workflow_call:
-  workflow_dispatch:
-  pull_request:
-    branches:
-    - master
-    paths:
-    - 'backend/**'
-    - 'libs/**'
-
-jobs:
-  libs:
-    name: Build libs
-    strategy:
-      matrix:
-        target: [amd64, arm64]
-        include:
-          - target: amd64
-            snapshot_command: ./build-v8-snapshot.sh
-            artifact_name: js_snapshot
-            artifact_path: libs/js_engine/src/artifacts/JS_SNAPSHOT.bin
-          - target: arm64
-            snapshot_command: ./build-arm-v8-snapshot.sh
-            artifact_name: arm_js_snapshot
-            artifact_path: libs/js_engine/src/artifacts/ARM_JS_SNAPSHOT.bin
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        submodules: recursive
-        
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-      
-    - name: Set up Docker Buildx        
-      uses: docker/setup-buildx-action@v1
-    
-    - uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cargo/bin/
-          ~/.cargo/registry/index/
-          ~/.cargo/registry/cache/
-          ~/.cargo/git/db/
-          target/
-        key: ${{ runner.os }}-cargo-libs-${{ matrix.target }}-${{ hashFiles('libs/Cargo.lock') }}
-
-    - name: Build v8 snapshot
-      run: ${{ matrix.snapshot_command }}
-      working-directory: libs
-
-    - uses: actions/upload-artifact@v3
-      with:
-        name: ${{ matrix.artifact_name }}
-        path: ${{ matrix.artifact_path }}
-
-  backend:
-    name: Build backend
-    runs-on: ubuntu-latest
-    needs: libs
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        submodules: recursive
-    
-    - name: Download arm_js_snapshot artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: arm_js_snapshot
-        path: libs/js_engine/src/artifacts/
-        
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-      
-    - name: Set up Docker Buildx        
-      uses: docker/setup-buildx-action@v1
-
-    - uses: actions-rs/toolchain@v1
-      with:
-        toolchain: stable
-        override: true
-    
-    - uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cargo/bin/
-          ~/.cargo/registry/index/
-          ~/.cargo/registry/cache/
-          ~/.cargo/git/db/
-          target/
-        key: ${{ runner.os }}-cargo-backend-${{ hashFiles('backend/Cargo.lock') }}
-
-    - name: Build backend
-      run: make backend
-
-    - name: 'Tar files to preserve file permissions'
-      run: tar -cvf backend.tar backend/target/aarch64-unknown-linux-gnu/release/embassy*
-
-    - uses: actions/upload-artifact@v3
-      with:
-        name: backend
-        path: backend.tar
--- a/.github/workflows/frontend-pr.yaml
+++ b/.github/workflows/frontend-pr.yaml
@@ -1,46 +0,0 @@
-name: Frontend PR
-
-on:
-  workflow_call:
-  workflow_dispatch:
-  pull_request:
-    branches:
-    - master
-    paths:
-    - 'frontend/**'
-
-jobs:
-  frontend:
-    name: Build frontend
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        submodules: recursive
-
-    - uses: actions/setup-node@v3
-      with:
-        node-version: 16
-    
-    - name: Get npm cache directory
-      id: npm-cache-dir
-      run: |
-        echo "::set-output name=dir::$(npm config get cache)"
-    - uses: actions/cache@v3
-      id: npm-cache
-      with:
-        path: ${{ steps.npm-cache-dir.outputs.dir }}
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
-
-    - name: Build frontends
-      run: make frontends
-
-    - name: 'Tar files to preserve file permissions'
-      run: tar -cvf frontend.tar frontend/dist frontend/config.json
-
-    - uses: actions/upload-artifact@v3
-      with:
-        name: frontend
-        path: frontend.tar
--- a/.github/workflows/product.yaml
+++ b/.github/workflows/product.yaml
@@ -1,142 +0,0 @@
-name: Build Pipeline
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-    - master
-
-jobs:
-  compat:
-    name: Build compat.tar
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        submodules: recursive
-        
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-      
-    - name: Set up Docker Buildx        
-      uses: docker/setup-buildx-action@v1
-
-    - uses: actions-rs/toolchain@v1
-      with:
-        toolchain: stable
-        override: true
-
-    - uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cargo/bin/
-          ~/.cargo/registry/index/
-          ~/.cargo/registry/cache/
-          ~/.cargo/git/db/
-          target/
-        key: ${{ runner.os }}-cargo-compat-${{ hashFiles('**/system-images/compat/Cargo.lock') }}
-
-    - name: Build image
-      run: make system-images/compat/compat.tar
-
-    - uses: actions/upload-artifact@v3
-      with:
-        name: compat.tar
-        path: system-images/compat/compat.tar
-
-  utils:
-    name: Build utils.tar
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        submodules: recursive
-        
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-      
-    - name: Set up Docker Buildx        
-      uses: docker/setup-buildx-action@v1
-
-    - name: Build image
-      run: make system-images/utils/utils.tar
-
-    - uses: actions/upload-artifact@v3
-      with:
-        name: utils.tar
-        path: system-images/utils/utils.tar
-
-  backend:
-    uses: ./.github/workflows/backend-pr.yaml
-  
-  frontend:
-    uses: ./.github/workflows/frontend-pr.yaml
-    
-  image:
-    name: Build image
-    runs-on: ubuntu-latest
-    needs: [compat,utils,backend,frontend]
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        submodules: recursive
-
-    - name: Download compat.tar artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: compat.tar
-        path: system-images/compat
-    
-    - name: Download utils.tar artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: utils.tar
-        path: system-images/utils
-
-    - name: Download js_snapshot artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: js_snapshot
-        path: libs/js_engine/src/artifacts/
-  
-    - name: Download arm_js_snapshot artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: arm_js_snapshot
-        path: libs/js_engine/src/artifacts/
-
-    - name: Download backend artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: backend
-
-    - name: 'Extract backend'
-      run: 
-        tar -mxvf backend.tar
-
-    - name: Download frontend artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: frontend
-
-    - name: Skip frontend build
-      run: |
-        mkdir frontend/node_modules
-        mkdir frontend/dist
-        mkdir patch-db/client/node_modules
-        mkdir patch-db/client/dist
-
-    - name: 'Extract frontend'
-      run: |
-        tar -mxvf frontend.tar frontend/config.json
-        tar -mxvf frontend.tar frontend/dist
-
-    - name: Cache raspiOS
-      id: cache-raspios
-      uses: actions/cache@v3
-      with:
-        path: raspios.img
-        key: cache-raspios
-    
-    - name: Build image
-      run: "make V=1 eos.img --debug"
--- a/.github/workflows/start-cli.yaml
+++ b/.github/workflows/start-cli.yaml
@@ -0,0 +1,88 @@
+name: start-cli
+
+on:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment
+        options:
+          - NONE
+          - dev
+          - unstable
+          - dev-unstable
+      runner:
+        type: choice
+        description: Runner
+        options:
+          - standard
+          - fast
+      arch:
+        type: choice
+        description: Architecture
+        options:
+          - ALL
+          - x86_64
+          - x86_64-apple
+          - aarch64
+          - aarch64-apple
+          - riscv64
+  push:
+    branches:
+      - master
+      - next/*
+  pull_request:
+    branches:
+      - master
+      - next/*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+env:
+  NODEJS_VERSION: "24.11.0"
+  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
+
+jobs:
+  compile:
+    name: Build Debian Package
+    if: github.event.pull_request.draft != true
+    strategy:
+      fail-fast: true
+      matrix:
+        triple: >-
+          ${{
+            fromJson('{
+              "x86_64": ["x86_64-unknown-linux-musl"],
+              "x86_64-apple": ["x86_64-apple-darwin"],
+              "aarch64": ["aarch64-unknown-linux-musl"],
+              "x86_64-apple": ["aarch64-apple-darwin"],
+              "riscv64": ["riscv64gc-unknown-linux-musl"],
+              "ALL": ["x86_64-unknown-linux-musl", "x86_64-apple-darwin", "aarch64-unknown-linux-musl", "aarch64-apple-darwin", "riscv64gc-unknown-linux-musl"]
+            }')[github.event.inputs.platform || 'ALL']
+          }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    steps:
+      - name: Mount tmpfs
+        if: ${{ github.event.inputs.runner == 'fast' }}
+        run: sudo mount -t tmpfs tmpfs .
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - uses: ./.github/actions/setup-build
+        with:
+          nodejs-version: ${{ env.NODEJS_VERSION }}
+
+      - name: Make
+        run: TARGET=${{ matrix.triple }} make cli
+        env:
+          PLATFORM: ${{ matrix.arch }}
+          SCCACHE_GHA_ENABLED: on
+          SCCACHE_GHA_VERSION: 0
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: start-cli_${{ matrix.triple }}
+          path: core/target/${{ matrix.triple }}/release/start-cli
--- a/.github/workflows/start-registry.yaml
+++ b/.github/workflows/start-registry.yaml
@@ -0,0 +1,173 @@
+name: start-registry
+
+on:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment
+        options:
+          - NONE
+          - dev
+          - unstable
+          - dev-unstable
+      runner:
+        type: choice
+        description: Runner
+        options:
+          - standard
+          - fast
+      arch:
+        type: choice
+        description: Architecture
+        options:
+          - ALL
+          - x86_64
+          - aarch64
+          - riscv64
+  push:
+    branches:
+      - master
+      - next/*
+  pull_request:
+    branches:
+      - master
+      - next/*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+env:
+  NODEJS_VERSION: "24.11.0"
+  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
+
+jobs:
+  compile:
+    name: Build Debian Package
+    if: github.event.pull_request.draft != true
+    strategy:
+      fail-fast: true
+      matrix:
+        arch: >-
+          ${{
+            fromJson('{
+              "x86_64": ["x86_64"],
+              "aarch64": ["aarch64"],
+              "riscv64": ["riscv64"],
+              "ALL": ["x86_64", "aarch64", "riscv64"]
+            }')[github.event.inputs.platform || 'ALL']
+          }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    steps:
+      - name: Mount tmpfs
+        if: ${{ github.event.inputs.runner == 'fast' }}
+        run: sudo mount -t tmpfs tmpfs .
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - uses: ./.github/actions/setup-build
+        with:
+          nodejs-version: ${{ env.NODEJS_VERSION }}
+
+      - name: Make
+        run: make registry-deb
+        env:
+          PLATFORM: ${{ matrix.arch }}
+          SCCACHE_GHA_ENABLED: on
+          SCCACHE_GHA_VERSION: 0
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: start-registry_${{ matrix.arch }}.deb
+          path: results/start-registry-*_${{ matrix.arch }}.deb
+
+  create-image:
+    name: Create Docker Image
+    needs: [compile]
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    steps:
+      - name: Cleaning up unnecessary files
+        run: |
+          sudo apt-get remove --purge -y google-chrome-stable firefox mono-devel
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+
+      - run: |
+          sudo mount -t tmpfs tmpfs .
+        if: ${{ github.event.inputs.runner == 'fast' }}
+
+      - name: Set up docker QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: "Login to GitHub Container Registry"
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/Start9Labs/startos-registry
+          tags: |
+            type=raw,value=${{ github.ref_name }}
+
+      - name: Download debian package
+        uses: actions/download-artifact@v4
+        with:
+          pattern: start-registry_*.deb
+
+      - name: Map matrix.arch to docker platform
+        run: |
+          platforms=""
+          for deb in *.deb; do
+            filename=$(basename "$deb" .deb)
+            arch="${filename#*_}"
+            case "$arch" in
+              x86_64)
+                platform="linux/amd64"
+                ;;
+              aarch64)
+                platform="linux/arm64"
+                ;;
+              riscv64)
+                platform="linux/riscv64"
+                ;;
+              *)
+                echo "Unknown architecture: $arch" >&2
+                exit 1
+                ;;
+            esac
+            if [ -z "$platforms" ]; then
+              platforms="$platform"
+            else
+              platforms="$platforms,$platform"
+            fi
+          done
+          echo "DOCKER_PLATFORM=$platforms" >> "$GITHUB_ENV"
+
+      - run: |
+          cat | docker buildx build --platform "$DOCKER_PLATFORM" --push -t ${{ steps.meta.outputs.tags }} -f - . << 'EOF'
+          FROM debian:trixie
+
+          ADD *.deb .
+
+          RUN apt-get install -y ./*_$(uname -m).deb && rm *.deb
+
+          VOLUME /var/lib/startos
+
+          ENV RUST_LOG=startos=debug
+
+          ENTRYPOINT ["start-registryd"]
+
+          EOF
--- a/.github/workflows/start-tunnel.yaml
+++ b/.github/workflows/start-tunnel.yaml
@@ -0,0 +1,84 @@
+name: start-tunnel
+
+on:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment
+        options:
+          - NONE
+          - dev
+          - unstable
+          - dev-unstable
+      runner:
+        type: choice
+        description: Runner
+        options:
+          - standard
+          - fast
+      arch:
+        type: choice
+        description: Architecture
+        options:
+          - ALL
+          - x86_64
+          - aarch64
+          - riscv64
+  push:
+    branches:
+      - master
+      - next/*
+  pull_request:
+    branches:
+      - master
+      - next/*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+env:
+  NODEJS_VERSION: "24.11.0"
+  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
+
+jobs:
+  compile:
+    name: Build Debian Package
+    if: github.event.pull_request.draft != true
+    strategy:
+      fail-fast: true
+      matrix:
+        arch: >-
+          ${{
+            fromJson('{
+              "x86_64": ["x86_64"],
+              "aarch64": ["aarch64"],
+              "riscv64": ["riscv64"],
+              "ALL": ["x86_64", "aarch64", "riscv64"]
+            }')[github.event.inputs.platform || 'ALL']
+          }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    steps:
+      - name: Mount tmpfs
+        if: ${{ github.event.inputs.runner == 'fast' }}
+        run: sudo mount -t tmpfs tmpfs .
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - uses: ./.github/actions/setup-build
+        with:
+          nodejs-version: ${{ env.NODEJS_VERSION }}
+
+      - name: Make
+        run: make tunnel-deb
+        env:
+          PLATFORM: ${{ matrix.arch }}
+          SCCACHE_GHA_ENABLED: on
+          SCCACHE_GHA_VERSION: 0
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: start-tunnel_${{ matrix.arch }}.deb
+          path: results/start-tunnel-*_${{ matrix.arch }}.deb
--- a/.github/workflows/startos-iso.yaml
+++ b/.github/workflows/startos-iso.yaml
@@ -0,0 +1,256 @@
+name: Debian-based ISO and SquashFS
+
+on:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment
+        options:
+          - NONE
+          - dev
+          - unstable
+          - dev-unstable
+      runner:
+        type: choice
+        description: Runner
+        options:
+          - standard
+          - fast
+      platform:
+        type: choice
+        description: Platform
+        options:
+          - ALL
+          - x86_64
+          - x86_64-nonfree
+          - aarch64
+          - aarch64-nonfree
+          # - raspberrypi
+          - riscv64
+      deploy:
+        type: choice
+        description: Deploy
+        options:
+          - NONE
+          - alpha
+          - beta
+  push:
+    branches:
+      - master
+      - next/*
+  pull_request:
+    branches:
+      - master
+      - next/*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+env:
+  NODEJS_VERSION: "24.11.0"
+  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
+
+jobs:
+  compile:
+    name: Compile Base Binaries
+    if: github.event.pull_request.draft != true
+    strategy:
+      fail-fast: true
+      matrix:
+        arch: >-
+          ${{
+            fromJson('{
+              "x86_64": ["x86_64"],
+              "x86_64-nonfree": ["x86_64"],
+              "aarch64": ["aarch64"],
+              "aarch64-nonfree": ["aarch64"],
+              "raspberrypi": ["aarch64"],
+              "riscv64": ["riscv64"],
+              "ALL": ["x86_64", "aarch64", "riscv64"]
+            }')[github.event.inputs.platform || 'ALL']
+          }}
+    runs-on: >-
+      ${{
+        fromJson(
+          format(
+            '["{0}", "{1}"]',
+            fromJson('{
+              "x86_64": "ubuntu-latest",
+              "aarch64": "ubuntu-24.04-arm",
+              "riscv64": "ubuntu-latest"
+            }')[matrix.arch],
+            fromJson('{
+              "x86_64": "buildjet-32vcpu-ubuntu-2204",
+              "aarch64": "buildjet-32vcpu-ubuntu-2204-arm",
+              "riscv64": "buildjet-32vcpu-ubuntu-2204"
+            }')[matrix.arch]
+          )
+        )[github.event.inputs.runner == 'fast']
+      }}
+    steps:
+      - name: Mount tmpfs
+        if: ${{ github.event.inputs.runner == 'fast' }}
+        run: sudo mount -t tmpfs tmpfs .
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - uses: ./.github/actions/setup-build
+        with:
+          nodejs-version: ${{ env.NODEJS_VERSION }}
+          setup-python: "true"
+
+      - name: Make
+        run: make ARCH=${{ matrix.arch }} compiled-${{ matrix.arch }}.tar
+        env:
+          SCCACHE_GHA_ENABLED: on
+          SCCACHE_GHA_VERSION: 0
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: compiled-${{ matrix.arch }}.tar
+          path: compiled-${{ matrix.arch }}.tar
+  image:
+    name: Build Image
+    needs: [compile]
+    strategy:
+      fail-fast: false
+      matrix:
+        # TODO: re-add "raspberrypi" to the platform list below
+        platform: >-
+          ${{
+            fromJson(
+              format(
+                '[
+                  ["{0}"],
+                  ["x86_64", "x86_64-nonfree", "aarch64", "aarch64-nonfree", "riscv64"]
+                ]',
+                github.event.inputs.platform || 'ALL'
+              )
+            )[(github.event.inputs.platform || 'ALL') == 'ALL']
+          }}
+    runs-on: >-
+      ${{
+        fromJson(
+          format(
+            '["{0}", "{1}"]',
+            fromJson('{
+              "x86_64": "ubuntu-latest",
+              "x86_64-nonfree": "ubuntu-latest",
+              "aarch64": "ubuntu-24.04-arm",
+              "aarch64-nonfree": "ubuntu-24.04-arm",
+              "raspberrypi": "ubuntu-24.04-arm",
+              "riscv64": "ubuntu-24.04-arm",
+            }')[matrix.platform],
+            fromJson('{
+              "x86_64": "buildjet-8vcpu-ubuntu-2204",
+              "x86_64-nonfree": "buildjet-8vcpu-ubuntu-2204",
+              "aarch64": "buildjet-8vcpu-ubuntu-2204-arm",
+              "aarch64-nonfree": "buildjet-8vcpu-ubuntu-2204-arm",
+              "raspberrypi": "buildjet-8vcpu-ubuntu-2204-arm",
+              "riscv64": "buildjet-8vcpu-ubuntu-2204",
+            }')[matrix.platform]
+          )
+        )[github.event.inputs.runner == 'fast']
+      }}
+    env:
+      ARCH: >-
+        ${{
+          fromJson('{
+            "x86_64": "x86_64",
+            "x86_64-nonfree": "x86_64",
+            "aarch64": "aarch64",
+            "aarch64-nonfree": "aarch64",
+            "raspberrypi": "aarch64",
+            "riscv64": "riscv64",
+          }')[matrix.platform]
+        }}
+    steps:
+      - name: Free space
+        run: |
+          sudo apt-get remove --purge -y azure-cli || true
+          sudo apt-get remove --purge -y firefox || true
+          sudo apt-get remove --purge -y ghc-* || true
+          sudo apt-get remove --purge -y google-cloud-sdk || true
+          sudo apt-get remove --purge -y google-chrome-stable || true
+          sudo apt-get remove --purge -y powershell || true
+          sudo apt-get remove --purge -y php* || true
+          sudo apt-get remove --purge -y ruby* || true
+          sudo apt-get remove --purge -y mono-* || true
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+          sudo rm -rf /usr/lib/jvm               # All JDKs
+          sudo rm -rf /usr/local/.ghcup          # Haskell toolchain
+          sudo rm -rf /usr/local/lib/android     # Android SDK/NDK, emulator
+          sudo rm -rf /usr/share/dotnet          # .NET SDKs
+          sudo rm -rf /usr/share/swift           # Swift toolchain (if present)
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"    # Pre-cached tool cache (Go, Node, etc.)
+        if: ${{ github.event.inputs.runner != 'fast' }}
+
+      # BuildJet runners lack /opt/hostedtoolcache, which setup-qemu expects
+      - name: Ensure hostedtoolcache exists
+        run: sudo mkdir -p /opt/hostedtoolcache && sudo chown $USER:$USER /opt/hostedtoolcache
+
+      - name: Set up docker QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Download compiled artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: compiled-${{ env.ARCH }}.tar
+
+      - name: Extract compiled artifacts
+        run: tar -xvf compiled-${{ env.ARCH }}.tar
+
+      - name: Prevent rebuild of compiled artifacts
+        run: |
+          mkdir -p web/node_modules
+          mkdir -p web/dist/raw
+          mkdir -p core/bindings
+          mkdir -p sdk/base/lib/osBindings
+          mkdir -p container-runtime/node_modules
+          mkdir -p container-runtime/dist
+          mkdir -p container-runtime/dist/node_modules
+          mkdir -p sdk/dist
+          mkdir -p sdk/baseDist
+          mkdir -p patch-db/client/node_modules
+          mkdir -p patch-db/client/dist
+          mkdir -p web/.angular
+          mkdir -p web/dist/raw/ui
+          mkdir -p web/dist/raw/setup-wizard
+          mkdir -p web/dist/static/ui
+          mkdir -p web/dist/static/setup-wizard
+          PLATFORM=${{ matrix.platform }} make -t compiled-${{ env.ARCH }}.tar
+
+      - run: git status
+
+      - name: Run iso build
+        run: PLATFORM=${{ matrix.platform }} make iso
+        if: ${{ matrix.platform != 'raspberrypi' }}
+
+      - name: Run img build
+        run: PLATFORM=${{ matrix.platform }} make img
+        if: ${{ matrix.platform == 'raspberrypi' }}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.platform }}.squashfs
+          path: results/*.squashfs
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.platform }}.iso
+          path: results/*.iso
+        if: ${{ matrix.platform != 'raspberrypi' }}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.platform }}.img
+          path: results/*.img
+        if: ${{ matrix.platform == 'raspberrypi' }}
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,38 @@
+name: Automated Tests
+
+on:
+  push:
+    branches:
+      - master
+      - next/*
+  pull_request:
+    branches:
+      - master
+      - next/*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+env:
+  NODEJS_VERSION: "24.11.0"
+  ENVIRONMENT: dev-unstable
+
+jobs:
+  test:
+    name: Run Automated Tests
+    if: github.event.pull_request.draft != true
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - uses: ./.github/actions/setup-build
+        with:
+          nodejs-version: ${{ env.NODEJS_VERSION }}
+          free-space: "false"
+          setup-docker: "false"
+          setup-sccache: "false"
+
+      - name: Build And Run Tests
+        run: make test
--- a/.gitignore
+++ b/.gitignore
@@ -1,14 +1,22 @@
 .DS_Store
 .idea
-/*.img
-/*.img.gz
-/*.img.xz
-/*-raspios-bullseye-arm64-lite.img
-/*-raspios-bullseye-arm64-lite.zip
+*.img
+*.img.gz
+*.img.xz
+*.zip
 /product_key.txt
 /*_product_key.txt
 .vscode/settings.json
 deploy_web.sh
-deploy_web.sh
 secrets.db
 .vscode/
+/build/env/*.txt
+*.deb
+/target
+*.squashfs
+/results
+/dpkg-workdir
+/compiled.tar
+/compiled-*.tar
+/build/lib/firmware
+tmp
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +1,3 @@
-[submodule "rpc-toolkit"]
-	path = rpc-toolkit
-	url = https://github.com/Start9Labs/rpc-toolkit.git
 [submodule "patch-db"]
 	path = patch-db
 	url = https://github.com/Start9Labs/patch-db.git
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,208 +1,133 @@
-<!-- omit in toc -->
-# Contributing to Embassy OS
+# Contributing to StartOS

-First off, thanks for taking the time to contribute! ❤️
+This guide is for contributing to the StartOS. If you are interested in packaging a service for StartOS, visit the [service packaging guide](https://docs.start9.com/latest/packaging-guide/). If you are interested in promoting, providing technical support, creating tutorials, or helping in other ways, please visit the [Start9 website](https://start9.com/contribute).

-All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 🎉
+## Collaboration

-> And if you like the project, but just don't have time to contribute, that's fine. There are other easy ways to support the project and show your appreciation, which we would also be very happy about:
-> - Star the project
-> - Tweet about it
-> - Refer this project in your project's readme
-> - Mention the project at local meetups and tell your friends/colleagues
-> - Buy an [Embassy](https://start9labs.com)
+- [Matrix](https://matrix.to/#/#community-dev:matrix.start9labs.com)
+- [Telegram](https://t.me/start9_labs/47471)

-<!-- omit in toc -->
-## Table of Contents
+## Project Structure

- [I Have a Question](#i-have-a-question)
- [I Want To Contribute](#i-want-to-contribute)
-  - [Reporting Bugs](#reporting-bugs)
-  - [Suggesting Enhancements](#suggesting-enhancements)
-  - [Project Structure](#project-structure)
-  - [Your First Code Contribution](#your-first-code-contribution)
-    - [Setting Up Your Development Environment](#setting-up-your-development-environment)
-    - [Building The Image](#building-the-image)
-  - [Improving The Documentation](#improving-the-documentation)
- [Styleguides](#styleguides)
-  - [Formatting](#formatting)
-  - [Atomic Commits](#atomic-commits)
-  - [Commit Messages](#commit-messages)
-  - [Pull Requests](#pull-requests)
-  - [Rebasing Changes](#rebasing-changes)
- [Join The Discussion](#join-the-discussion)
- [Join The Project Team](#join-the-project-team)
-
-
-
-## I Have a Question
-
-> If you want to ask a question, we assume that you have read the available [Documentation](https://docs.start9labs.com).
-
-Before you ask a question, it is best to search for existing [Issues](https://github.com/Start9Labs/embassy-os/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
-
-If you then still feel the need to ask a question and need clarification, we recommend the following:
-
- Open an [Issue](https://github.com/Start9Labs/embassy-os/issues/new).
- Provide as much context as you can about what you're running into.
- Provide project and platform versions, depending on what seems relevant.
-
-We will then take care of the issue as soon as possible.
-
-<!--
-You might want to create a separate issue tag for questions and include it in this description. People should then tag their issues accordingly.
-
-Depending on how large the project is, you may want to outsource the questioning, e.g. to Stack Overflow or Gitter. You may add additional contact and information possibilities:
- IRC
- Slack
- Gitter
- Stack Overflow tag
- Blog
- FAQ
- Roadmap
- E-Mail List
- Forum
-->
-
-## I Want To Contribute
-
-> ### Legal Notice <!-- omit in toc -->
-> When contributing to this project, you must agree that you have authored 100% of the content, that you have the necessary rights to the content and that the content you contribute may be provided under the project license.
-
-### Reporting Bugs
-
-<!-- omit in toc -->
-#### Before Submitting a Bug Report
-
-A good bug report shouldn't leave others needing to chase you up for more information. Therefore, we ask you to investigate carefully, collect information and describe the issue in detail in your report. Please complete the following steps in advance to help us fix any potential bug as fast as possible.
-
- Make sure that you are using the latest version.
- Determine if your bug is really a bug and not an error on your side e.g. using incompatible environment components/versions (Make sure that you have read the [documentation](https://start9.com/latest/user-manual). If you are looking for support, you might want to check [this section](#i-have-a-question)).
- To see if other users have experienced (and potentially already solved) the same issue you are having, check if there is not already a bug report existing for your bug or error in the [bug tracker](https://github.com/Start9Labs/embassy-os/issues?q=label%3Abug).
- Also make sure to search the internet (including Stack Overflow) to see if users outside of the GitHub community have discussed the issue.
- Collect information about the bug:
-  - Stack trace (Traceback)
-  - Client OS, Platform and Version (Windows/Linux/macOS/iOS/Android, Firefox/Tor Browser/Consulate)
-  - Version of the interpreter, compiler, SDK, runtime environment, package manager, depending on what seems relevant.
-  - Possibly your input and the output
-  - Can you reliably reproduce the issue? And can you also reproduce it with older versions?
-
-<!-- omit in toc -->
-#### How Do I Submit a Good Bug Report?
-
-> You must never report security related issues, vulnerabilities or bugs to the issue tracker, or elsewhere in public. Instead sensitive bugs must be sent by email to <security@start9labs.com>.
-<!-- You may add a PGP key to allow the messages to be sent encrypted as well. -->
-
-We use GitHub issues to track bugs and errors. If you run into an issue with the project:
-
- Open an [Issue](https://github.com/Start9Labs/embassy-os/issues/new/choose) selecting the appropriate type.
- Explain the behavior you would expect and the actual behavior.
- Please provide as much context as possible and describe the *reproduction steps* that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case.
- Provide the information you collected in the previous section.
-
-Once it's filed:
-
- The project team will label the issue accordingly.
- A team member will try to reproduce the issue with your provided steps. If there are no reproduction steps or no obvious way to reproduce the issue, the team will ask you for those steps and mark the issue as `Question`. Bugs with the `Question` tag will not be addressed until they are answered.
- If the team is able to reproduce the issue, it will be marked a scoping level tag, as well as possibly other tags (such as `Security`), and the issue will be left to be [implemented by someone](#your-first-code-contribution).
-
-<!-- You might want to create an issue template for bugs and errors that can be used as a guide and that defines the structure of the information to be included. If you do so, reference it here in the description. -->
-
-
-### Suggesting Enhancements
-
-This section guides you through submitting an enhancement suggestion for Embassy OS, **including completely new features and minor improvements to existing functionality**. Following these guidelines will help maintainers and the community to understand your suggestion and find related suggestions.
-
-<!-- omit in toc -->
-#### Before Submitting an Enhancement
-
- Make sure that you are using the latest version.
- Read the [documentation](https://start9.com/latest/user-manual) carefully and find out if the functionality is already covered, maybe by an individual configuration.
- Perform a [search](https://github.com/Start9Labs/embassy-os/issues) to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one.
- Find out whether your idea fits with the scope and aims of the project. It's up to you to make a strong case to convince the project's developers of the merits of this feature. Keep in mind that we want features that will be useful to the majority of our users and not just a small subset. If you're just targeting a minority of users, consider writing an add-on/plugin library.
-
-<!-- omit in toc -->
-#### How Do I Submit a Good Enhancement Suggestion?
-
-Enhancement suggestions are tracked as [GitHub issues](https://github.com/Start9Labs/embassy-os/issues).
-
- Use a **clear and descriptive title** for the issue to identify the suggestion.
- Provide a **step-by-step description of the suggested enhancement** in as many details as possible.
- **Describe the current behavior** and **explain which behavior you expected to see instead** and why. At this point you can also tell which alternatives do not work for you.
- You may want to **include screenshots and animated GIFs** which help you demonstrate the steps or point out the part which the suggestion is related to. You can use [this tool](https://www.cockos.com/licecap/) to record GIFs on macOS and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux. <!-- this should only be included if the project has a GUI -->
- **Explain why this enhancement would be useful** to most Embassy OS users. You may also want to point out the other projects that solved it better and which could serve as inspiration.
-
-<!-- You might want to create an issue template for enhancement suggestions that can be used as a guide and that defines the structure of the information to be included. If you do so, reference it here in the description. -->
-
-### Project Structure
-
-EmbassyOS is composed of the following components. Please visit the README for each component to understand the dependency requirements and installation instructions.
- [`ui`](frontend/README.md) (Typescript Ionic Angular) is the code that is deployed to the browser to provide the user interface for EmbassyOS.
- [`backend`](backend/README.md) (Rust) is a command line utility, daemon, and software development kit that sets up and manages services and their environments, provides the interface for the ui, manages system state, and provides utilities for packaging services for EmbassyOS.
- `patch-db` - A diff based data store that is used to synchronize data between the front and backend.
-  - Notably, `patch-db` has a [client](https://github.com/Start9Labs/patch-db/tree/master/client) with its own dependency and installation requirements.
- `rpc-toolkit` - A library for generating an rpc server with cli bindings from Rust functions.
- `system-images` - (Docker, Rust) A suite of utility Docker images that are preloaded with EmbassyOS to assist with functions relating to services (eg. configuration, backups, health checks).
- [`setup-wizard`](frontend/README.md)- Code for the user interface that is displayed during the setup and recovery process for EmbassyOS.
- [`diagnostic-ui`](frontend/README.md) - Code for the user interface that is displayed when something has gone wrong with starting up EmbassyOS, which provides helpful debugging tools.
-
-### Your First Code Contribution
-
-#### Setting Up Your Development Environment
-
-First, clone the EmbassyOS repository and from the project root, pull in the submodules for dependent libraries.
-
-```sh
-git clone https://github.com/Start9Labs/embassy-os.git
-git submodule update --init --recursive
+```bash
+/
+├── assets/
+├── container-runtime/
+├── core/
+├── build/
+├── debian/
+├── web/
+├── image-recipe/
+├── patch-db
+└── sdk/
 ```

-Depending on which component of the ecosystem you are interested in contributing to, follow the installation requirements listed in that component's README (linked [above](#project-structure))
+#### assets

-#### Building The Image
-This step is for setting up an environment in which to test your code changes if you do not yet have a EmbassyOS.
+screenshots for the StartOS README

- Requirements
-  - `ext4fs` (available if running on the Linux kernel)
-  - [Docker](https://docs.docker.com/get-docker/)
-  - GNU Make
- Building
-  - see setup instructions [here](build/README.md)
-  - run `make` from the project root
+#### container-runtime

-### Improving The Documentation
-You can find the repository for Start9's documentation [here](https://github.com/Start9Labs/documentation). If there is something you would like to see added, let us know, or create an issue yourself. Welcome are contributions for lacking or incorrect information, broken links, requested additions, or general style improvements.
+A NodeJS program that dynamically loads maintainer scripts and communicates with the OS to manage packages

-Contributions in the form of setup guides for integrations with external applications are highly encouraged. If you struggled through a process and would like to share your steps with others, check out the docs for each [service](https://github.com/Start9Labs/documentation/blob/master/source/user-manuals/available-services/index.rst) we support. The wrapper repos contain sections for adding integration guides, such as this [one](https://github.com/Start9Labs/bitcoind-wrapper/tree/master/docs). These not only help out others in the community, but inform how we can create a more seamless and intuitive experience.
+#### core

-## Styleguides
-### Formatting
-Each component of EmbassyOS contains its own style guide. Code must be formatted with the formatter designated for each component. These are outlined within each component folder's README.
+An API, daemon (startd), and CLI (start-cli) that together provide the core functionality of StartOS.

-### Atomic Commits
-Commits [should be atomic](https://en.wikipedia.org/wiki/Atomic_commit#Atomic_commit_convention) and diffs should be easy to read.
-Do not mix any formatting fixes or code moves with actual code changes.
+#### build

-### Commit Messages
-If a commit touches only 1 component, prefix the message with the affected component. i.e. `backend: update to tokio v0.3`.
+Auxiliary files and scripts to include in deployed StartOS images

-### Pull Requests
-The body of a pull request should contain sufficient description of what the changes do, as well as a justification.
-You should include references to any relevant [issues](https://github.com/Start9Labs/embassy-os/issues).
+#### debian

-### Rebasing Changes
-When a pull request conflicts with the target branch, you may be asked to rebase it on top of the current target branch. The `git rebase` command will take care of rebuilding your commits on top of the new base.
+Maintainer scripts for the StartOS Debian package

-This project aims to have a clean git history, where code changes are only made in non-merge commits. This simplifies auditability because merge commits can be assumed to not contain arbitrary code changes.
+#### web

-## Join The Discussion
-Current or aspiring contributors? Join our community developer [Matrix channel](https://matrix.to/#/#community-dev:matrix.start9labs.com).
+Web UIs served under various conditions and used to interact with StartOS APIs.

-Just interested in or using the project? Join our community [Telegram](https://t.me/start9_labs) or [Matrix](https://matrix.to/#/#community:matrix.start9labs.com).
+#### image-recipe

-## Join The Project Team
-Interested in becoming a part of the Start9 Labs team? Send an email to <jobs@start9labs.com>
+Scripts for building StartOS images

-<!-- omit in toc -->
-## Attribution
-This guide is based on the **contributing-gen**. [Make your own](https://github.com/bttger/contributing-gen)!
+#### patch-db (submodule)
+
+A diff based data store used to synchronize data between the web interfaces and server.
+
+#### sdk
+
+A typescript sdk for building start-os packages
+
+## Environment Setup
+
+#### Clone the StartOS repository
+
+```sh
+git clone https://github.com/Start9Labs/start-os.git --recurse-submodules
+cd start-os
+```
+
+#### Continue to your project of interest for additional instructions:
+
+- [`core`](core/README.md)
+- [`web-interfaces`](web-interfaces/README.md)
+- [`build`](build/README.md)
+- [`patch-db`](https://github.com/Start9Labs/patch-db)
+
+## Building
+
+This project uses [GNU Make](https://www.gnu.org/software/make/) to build its components. To build any specific component, simply run `make <TARGET>` replacing `<TARGET>` with the name of the target you'd like to build
+
+### Requirements
+
+- [GNU Make](https://www.gnu.org/software/make/)
+- [Docker](https://docs.docker.com/get-docker/)
+- [NodeJS v20.16.0](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm)
+- [sed](https://www.gnu.org/software/sed/)
+- [grep](https://www.gnu.org/software/grep/)
+- [awk](https://www.gnu.org/software/gawk/)
+- [jq](https://jqlang.github.io/jq/)
+- [gzip](https://www.gnu.org/software/gzip/)
+- [brotli](https://github.com/google/brotli)
+
+### Environment variables
+
+- `PLATFORM`: which platform you would like to build for. Must be one of `x86_64`, `x86_64-nonfree`, `aarch64`, `aarch64-nonfree`, `raspberrypi`
+  - NOTE: `nonfree` images are for including `nonfree` firmware packages in the built ISO
+- `ENVIRONMENT`: a hyphen separated set of feature flags to enable
+  - `dev`: enables password ssh (INSECURE!) and does not compress frontends
+  - `unstable`: enables assertions that will cause errors on unexpected inconsistencies that are undesirable in production use either for performance or reliability reasons
+  - `docker`: use `docker` instead of `podman`
+- `GIT_BRANCH_AS_HASH`: set to `1` to use the current git branch name as the git hash so that the project does not need to be rebuilt on each commit
+
+### Useful Make Targets
+
+- `iso`: Create a full `.iso` image
+  - Only possible from Debian
+  - Not available for `PLATFORM=raspberrypi`
+  - Additional Requirements:
+    - [debspawn](https://github.com/lkhq/debspawn)
+- `img`: Create a full `.img` image
+  - Only possible from Debian
+  - Only available for `PLATFORM=raspberrypi`
+  - Additional Requirements:
+    - [debspawn](https://github.com/lkhq/debspawn)
+- `format`: Run automatic code formatting for the project
+  - Additional Requirements:
+    - [rust](https://rustup.rs/)
+- `test`: Run automated tests for the project
+  - Additional Requirements:
+    - [rust](https://rustup.rs/)
+- `update`: Deploy the current working project to a device over ssh as if through an over-the-air update
+  - Requires an argument `REMOTE` which is the ssh address of the device, i.e. `start9@192.168.122.2`
+- `reflash`: Deploy the current working project to a device over ssh as if using a live `iso` image to reflash it
+  - Requires an argument `REMOTE` which is the ssh address of the device, i.e. `start9@192.168.122.2`
+- `update-overlay`: Deploy the current working project to a device over ssh to the in-memory overlay without restarting it
+  - WARNING: changes will be reverted after the device is rebooted
+  - WARNING: changes to `init` will not take effect as the device is already initialized
+  - Requires an argument `REMOTE` which is the ssh address of the device, i.e. `start9@192.168.122.2`
+- `wormhole`: Deploy the `startbox` to a device using [magic-wormhole](https://github.com/magic-wormhole/magic-wormhole)
+  - When the build it complete will emit a command to paste into the shell of the device to upgrade it
+  - Additional Requirements:
+    - [magic-wormhole](https://github.com/magic-wormhole/magic-wormhole)
+- `clean`: Delete all compiled artifacts
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -0,0 +1,134 @@
+# Setting up your development environment on Debian/Ubuntu
+
+A step-by-step guide
+
+> This is the only officially supported build environment.
+> MacOS has limited build capabilities and Windows requires [WSL2](https://learn.microsoft.com/en-us/windows/wsl/install)
+
+## Installing dependencies
+
+Run the following commands one at a time
+
+```sh
+sudo apt update
+sudo apt install -y ca-certificates curl gpg build-essential
+curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+echo "deb [arch=$(dpkg-architecture -q DEB_HOST_ARCH) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian bookworm stable" | sudo tee /etc/apt/sources.list.d/docker.list
+sudo apt update
+sudo apt install -y sed grep gawk jq gzip brotli containerd.io docker-ce docker-ce-cli docker-compose-plugin qemu-user-static binfmt-support squashfs-tools git debspawn rsync b3sum
+sudo mkdir -p /etc/debspawn/
+echo "AllowUnsafePermissions=true" | sudo tee /etc/debspawn/global.toml
+sudo usermod -aG docker $USER
+sudo su $USER
+docker run --privileged --rm tonistiigi/binfmt --install all
+docker buildx create --use
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh # proceed with default installation
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh | bash
+source ~/.bashrc
+nvm install 24
+nvm use 24
+nvm alias default 24 # this prevents your machine from reverting back to another version
+```
+
+## Cloning the repository
+
+```sh
+git clone --recursive https://github.com/Start9Labs/start-os.git --branch next/major
+cd start-os
+```
+
+## Building an ISO
+
+```sh
+PLATFORM=$(uname -m) ENVIRONMENT=dev make iso
+```
+
+This will build an ISO for your current architecture. If you are building to run on an architecture other than the one you are currently on, replace `$(uname -m)` with the correct platform for the device (one of `aarch64`, `aarch64-nonfree`, `x86_64`, `x86_64-nonfree`, `raspberrypi`)
+
+## Creating a VM
+
+### Install virt-manager
+
+```sh
+sudo apt update
+sudo apt install -y virt-manager
+sudo usermod -aG libvirt $USER
+sudo su $USER
+```
+
+### Launch virt-manager
+
+```sh
+virt-manager
+```
+
+### Create new virtual machine
+
+![Select "Create a new virtual machine"](assets/create-vm/step-1.png)
+![Click "Forward"](assets/create-vm/step-2.png)
+![Click "Browse"](assets/create-vm/step-3.png)
+![Click "+"](assets/create-vm/step-4.png)
+
+#### make sure to set "Target Path" to the path to your results directory in start-os
+
+![Create storage pool](assets/create-vm/step-5.png)
+![Select storage pool](assets/create-vm/step-6.png)
+![Select ISO](assets/create-vm/step-7.png)
+![Select "Generic or unknown OS" and click "Forward"](assets/create-vm/step-8.png)
+![Set Memory and CPUs](assets/create-vm/step-9.png)
+![Create disk](assets/create-vm/step-10.png)
+![Name VM](assets/create-vm/step-11.png)
+![Create network](assets/create-vm/step-12.png)
+
+## Updating a VM
+
+The fastest way to update a VM to your latest code depends on what you changed:
+
+### UI or startd:
+
+```sh
+PLATFORM=$(uname -m) ENVIRONMENT=dev make update-startbox REMOTE=start9@<VM IP>
+```
+
+### Container runtime or debian dependencies:
+
+```sh
+PLATFORM=$(uname -m) ENVIRONMENT=dev make update-deb REMOTE=start9@<VM IP>
+```
+
+### Image recipe:
+
+```sh
+PLATFORM=$(uname -m) ENVIRONMENT=dev make update-squashfs REMOTE=start9@<VM IP>
+```
+
+---
+
+If the device you are building for is not available via ssh, it is also possible to use `magic-wormhole` to send the relevant files.
+
+### Prerequisites:
+
+```sh
+sudo apt update
+sudo apt install -y magic-wormhole
+```
+
+As before, the fastest way to update a VM to your latest code depends on what you changed. Each of the following commands will return a command to paste into the shell of the device you would like to upgrade.
+
+### UI or startd:
+
+```sh
+PLATFORM=$(uname -m) ENVIRONMENT=dev make wormhole
+```
+
+### Container runtime or debian dependencies:
+
+```sh
+PLATFORM=$(uname -m) ENVIRONMENT=dev make wormhole-deb
+```
+
+### Image recipe:
+
+```sh
+PLATFORM=$(uname -m) ENVIRONMENT=dev make wormhole-squashfs
+```
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Start9 Labs, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,25 +0,0 @@
-# START9 PERSONAL USE LICENSE v1.0
-
-This license governs the use of the accompanying Software. If you use the Software, you accept this license. If you do not accept the license, do not use the Software.
-
-1. **Definitions.**
-    1. “Licensor” means the copyright owner, Start9 Labs, Inc, or its successor(s) in interest, or a future assignee of the copyright.
-    2. “Source Code” means the preferred form of the Software for making modifications to it.
-    3. “Object Code” means any non-source form of the Software, including the machine-language output by a compiler or assembler.
-    4. “Distribute” means to convey or to publish and generally has the same meaning here as under U.S. Copyright law.
-    5. “Sell” means practicing any or all of the rights granted to you under the License to provide to third parties, for a fee or other consideration (including without limitation fees for hosting or consulting/support services related to the Software), a product or service whose value derives, entirely or substantially, from the functionality of the Software.
-
-2. **Grant of Rights.** Subject to the terms of this license, the Licensor grants you, the licensee, a non-exclusive, worldwide, royalty-free copyright license to:
-    1. Access, audit, copy, modify, compile, or distribute the Source Code or modifications to the Source Code.
-    2. Run, test, or otherwise use the Object Code.
-
-3. **Limitations.**
-    1. The grant of rights under the License will NOT include, and the License does NOT grant you the right to:
-        1. Sell the Software or any derivative works based thereon.
-        2. Distribute the Object Code.
-    2. If you Distribute the Source Code, or if permission is separately granted to Distribute the Object Code, you expressly undertake not to remove, or modify, in any manner, the copyright notices attached to the Source Code, and displayed in any output of the Object Code when run, and to reproduce these notices, in an identical manner, in any distributed copies of the Software together with a copy of this license. If you Distribute a modified copy of the Software, or a derivative work based thereon, the work must carry prominent notices stating that you modified it, and giving a relevant date.
-    3. The terms of this license will apply to anyone who comes into possession of a copy of the Software, and any modifications or derivative works based thereon, made by anyone.
-
-4. **Contributions.** You hereby grant to Licensor a perpetual, irrevocable, worldwide, non-exclusive, royalty-free license to use and exploit any modifications or derivative works based on the Source Code of which you are the author.
-
-5. **Disclaimer.** THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. LICENSOR HAS NO OBLIGATION TO SUPPORT RECIPIENTS OF THE SOFTWARE.
--- a/416
+++ b/416
@@ -1,87 +1,381 @@
-EMBASSY_BINS := backend/target/aarch64-unknown-linux-gnu/release/embassyd backend/target/aarch64-unknown-linux-gnu/release/embassy-init backend/target/aarch64-unknown-linux-gnu/release/embassy-cli backend/target/aarch64-unknown-linux-gnu/release/embassy-sdk
-EMBASSY_UIS := frontend/dist/ui frontend/dist/setup-wizard frontend/dist/diagnostic-ui
-EMBASSY_SRC := raspios.img product_key.txt $(EMBASSY_BINS) backend/embassyd.service backend/embassy-init.service $(EMBASSY_UIS) $(shell find build)
-COMPAT_SRC := $(shell find system-images/compat/src)
-UTILS_SRC := $(shell find system-images/utils/Dockerfile)
-BACKEND_SRC := $(shell find backend/src) $(shell find patch-db/*/src) $(shell find rpc-toolkit/*/src) backend/Cargo.toml backend/Cargo.lock
-FRONTEND_SRC := $(shell find frontend/projects) $(shell find frontend/assets)
-PATCH_DB_CLIENT_SRC = $(shell find patch-db/client -not -path patch-db/client/dist)
-GIT_REFS := $(shell find .git/refs/heads)
-TMP_FILE := $(shell mktemp)
+ls-files = $(shell git ls-files --cached --others --exclude-standard $1) 
+PROFILE = release
+
+PLATFORM_FILE := $(shell ./build/env/check-platform.sh)
+ENVIRONMENT_FILE := $(shell ./build/env/check-environment.sh)
+GIT_HASH_FILE := $(shell ./build/env/check-git-hash.sh)
+VERSION_FILE := $(shell ./build/env/check-version.sh)
+BASENAME := $(shell PROJECT=startos ./build/env/basename.sh)
+PLATFORM := $(shell if [ -f $(PLATFORM_FILE) ]; then cat $(PLATFORM_FILE); else echo unknown; fi)
+ARCH := $(shell if [ "$(PLATFORM)" = "raspberrypi" ]; then echo aarch64; else echo $(PLATFORM) | sed 's/-nonfree$$//g'; fi)
+RUST_ARCH := $(shell if [ "$(ARCH)" = "riscv64" ]; then echo riscv64gc; else echo $(ARCH); fi)
+REGISTRY_BASENAME := $(shell PROJECT=start-registry PLATFORM=$(ARCH) ./build/env/basename.sh)
+TUNNEL_BASENAME := $(shell PROJECT=start-tunnel PLATFORM=$(ARCH) ./build/env/basename.sh)
+IMAGE_TYPE=$(shell if [ "$(PLATFORM)" = raspberrypi ]; then echo img; else echo iso; fi)
+WEB_UIS := web/dist/raw/ui/index.html web/dist/raw/setup-wizard/index.html
+COMPRESSED_WEB_UIS := web/dist/static/ui/index.html web/dist/static/setup-wizard/index.html
+FIRMWARE_ROMS := build/lib/firmware/$(PLATFORM) $(shell jq --raw-output '.[] | select(.platform[] | contains("$(PLATFORM)")) | "./build/lib/firmware/$(PLATFORM)/" + .id + ".rom.gz"' build/lib/firmware.json)
+BUILD_SRC := $(call ls-files, build/lib) build/lib/depends build/lib/conflicts $(FIRMWARE_ROMS)
+IMAGE_RECIPE_SRC := $(call ls-files, build/image-recipe/)
+STARTD_SRC := core/startd.service $(BUILD_SRC)
+CORE_SRC := $(call ls-files, core) $(shell git ls-files --recurse-submodules patch-db) $(GIT_HASH_FILE)
+WEB_SHARED_SRC := $(call ls-files, web/projects/shared) $(call ls-files, web/projects/marketplace) $(shell ls -p web/ | grep -v / | sed 's/^/web\//g') web/node_modules/.package-lock.json web/config.json patch-db/client/dist/index.js sdk/baseDist/package.json web/patchdb-ui-seed.json sdk/dist/package.json
+WEB_UI_SRC := $(call ls-files, web/projects/ui)
+WEB_SETUP_WIZARD_SRC := $(call ls-files, web/projects/setup-wizard)
+WEB_START_TUNNEL_SRC := $(call ls-files, web/projects/start-tunnel)
+PATCH_DB_CLIENT_SRC := $(shell git ls-files --recurse-submodules patch-db/client)
+GZIP_BIN := $(shell which pigz || which gzip)
+TAR_BIN := $(shell which gtar || which tar)
+COMPILED_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container container-runtime/rootfs.$(ARCH).squashfs
+STARTOS_TARGETS := $(STARTD_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_FILE) $(COMPILED_TARGETS) target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs $(PLATFORM_FILE) \
+	$(shell if [ "$(PLATFORM)" = "raspberrypi" ]; then \
+		echo target/aarch64-unknown-linux-musl/release/pi-beep; \
+	fi) \
+	$(shell /bin/bash -c 'if [[ "${ENVIRONMENT}" =~ (^|-)unstable($$|-) ]]; then \
+		echo target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph; \
+	fi') \
+	$(shell /bin/bash -c 'if [[ "${ENVIRONMENT}" =~ (^|-)console($$|-) ]]; then \
+		echo target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console; \
+	fi')
+REGISTRY_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox core/start-registryd.service
+TUNNEL_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/start-tunneld.service
+
+ifeq ($(REMOTE),)
+	mkdir = mkdir -p $1
+	rm = rm -rf $1
+	cp = cp -r $1 $2
+	ln = ln -sf $1 $2
+else
+	ifeq ($(SSHPASS),)
+		ssh = ssh $(REMOTE) $1
+	else 
+		ssh = sshpass -p $(SSHPASS) ssh $(REMOTE) $1
+	endif
+	mkdir = $(call ssh,'sudo mkdir -p $1')
+	rm  = $(call ssh,'sudo rm -rf $1')
+	ln = $(call ssh,'sudo ln -sf $1 $2')
+define cp
+	$(TAR_BIN) --transform "s|^$1|x|" -czv -f- $1 | $(call ssh,"sudo tar --transform 's|^x|$2|' -xzv -f- -C /")
+endef
+endif

 .DELETE_ON_ERROR:

-all: eos.img
+.PHONY: all metadata install clean format install-cli cli uis ui reflash deb $(IMAGE_TYPE) squashfs wormhole wormhole-deb test test-core test-sdk test-container-runtime registry install-registry tunnel install-tunnel ts-bindings

-gzip: eos.img
-	gzip -k eos.img
+all: $(STARTOS_TARGETS)
+
+touch:
+	touch $(STARTOS_TARGETS)
+
+metadata: $(VERSION_FILE) $(PLATFORM_FILE) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE)

 clean:
-	rm -f eos.img
-	rm -f ubuntu.img
-	rm -f product_key.txt
-	rm -f system-images/**/*.tar
-	sudo rm -f $(EMBASSY_BINS)
-	rm -f frontend/config.json
-	rm -rf frontend/node_modules
-	rm -rf frontend/dist
+	rm -rf core/target
+	rm -rf core/bindings
+	rm -rf web/.angular
+	rm -f web/config.json
+	rm -rf web/node_modules
+	rm -rf web/dist
 	rm -rf patch-db/client/node_modules
 	rm -rf patch-db/client/dist
+	rm -rf patch-db/target
+	rm -rf target
+	rm -rf dpkg-workdir
+	rm -rf image-recipe/deb
+	rm -rf results
+	rm -rf build/lib/firmware
+	rm -rf container-runtime/dist
+	rm -rf container-runtime/node_modules
+	rm -f container-runtime/*.squashfs
+	(cd sdk && make clean)
+	rm -f env/*.txt

-sdk: 
-	cd backend/ && ./install-sdk.sh
+format:
+	cd core && cargo +nightly fmt

-eos.img: $(EMBASSY_SRC) system-images/compat/compat.tar system-images/utils/utils.tar 
-	! test -f eos.img || rm eos.img
-	if [ "$(NO_KEY)" = "1" ]; then NO_KEY=1 ./build/make-image.sh; else ./build/make-image.sh; fi
+test: | test-core test-sdk test-container-runtime

-system-images/compat/compat.tar: $(COMPAT_SRC)
-	cd system-images/compat && ./build.sh
-	cd system-images/compat && DOCKER_CLI_EXPERIMENTAL=enabled docker buildx build --tag start9/x_system/compat --platform=linux/arm64 -o type=docker,dest=compat.tar .
+test-core: $(CORE_SRC) $(ENVIRONMENT_FILE) 
+	./core/run-tests.sh

-system-images/utils/utils.tar: $(UTILS_SRC)
-	cd system-images/utils && DOCKER_CLI_EXPERIMENTAL=enabled docker buildx build --tag start9/x_system/utils --platform=linux/arm64 -o type=docker,dest=utils.tar .
+test-sdk: $(call ls-files, sdk) sdk/base/lib/osBindings/index.ts
+	cd sdk && make test

-raspios.img:
-	wget --continue https://downloads.raspberrypi.org/raspios_lite_arm64/images/raspios_lite_arm64-2022-01-28/2022-01-28-raspios-bullseye-arm64-lite.zip
-	unzip 2022-01-28-raspios-bullseye-arm64-lite.zip
-	mv 2022-01-28-raspios-bullseye-arm64-lite.img raspios.img
+test-container-runtime: container-runtime/node_modules/.package-lock.json $(call ls-files, container-runtime/src) container-runtime/package.json container-runtime/tsconfig.json 
+	cd container-runtime && npm test

-product_key.txt:
-	$(shell which echo) -n "X" > product_key.txt
-	cat /dev/urandom | base32 | head -c11 | tr '[:upper:]' '[:lower:]' >> product_key.txt
-	if [ "$(KEY)" != "" ]; then $(shell which echo) -n "$(KEY)" > product_key.txt; fi
-	echo >> product_key.txt
+install-cli: $(GIT_HASH_FILE)
+	./core/build/build-cli.sh --install

-snapshots: libs/snapshot-creator/Cargo.toml
-	cd libs/  && ./build-v8-snapshot.sh
-	cd libs/  && ./build-arm-v8-snapshot.sh
+cli: $(GIT_HASH_FILE)
+	./core/build/build-cli.sh

-$(EMBASSY_BINS): $(BACKEND_SRC) 
-	cd backend && ./build-prod.sh
+registry: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox

-frontend/node_modules: frontend/package.json
-	npm --prefix frontend ci
+install-registry: $(REGISTRY_TARGETS)
+	$(call mkdir,$(DESTDIR)/usr/bin)
+	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox,$(DESTDIR)/usr/bin/start-registrybox)
+	$(call ln,/usr/bin/start-registrybox,$(DESTDIR)/usr/bin/start-registryd)
+	$(call ln,/usr/bin/start-registrybox,$(DESTDIR)/usr/bin/start-registry)

-$(EMBASSY_UIS): $(FRONTEND_SRC) frontend/node_modules patch-db/client patch-db/client/dist frontend/config.json
-	npm --prefix frontend run build:all
+	$(call mkdir,$(DESTDIR)/lib/systemd/system)
+	$(call cp,core/start-registryd.service,$(DESTDIR)/lib/systemd/system/start-registryd.service)

-frontend/config.json: .git/HEAD $(GIT_REFS)
-	jq '.useMocks = false' frontend/config-sample.json > frontend/config.json
-	npm --prefix frontend run-script build-config
+core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox: $(CORE_SRC) $(ENVIRONMENT_FILE)
+	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-registrybox.sh

-patch-db/client/node_modules: patch-db/client/package.json
-	npm --prefix patch-db/client install
+tunnel: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox

-patch-db/client/dist: $(PATCH_DB_CLIENT_SRC) patch-db/client/node_modules
-	! test -d patch-db/client/dist || rm -rf patch-db/client/dist
+install-tunnel: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/start-tunneld.service
+	$(call mkdir,$(DESTDIR)/usr/bin)
+	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox,$(DESTDIR)/usr/bin/start-tunnelbox)
+	$(call ln,/usr/bin/start-tunnelbox,$(DESTDIR)/usr/bin/start-tunneld)
+	$(call ln,/usr/bin/start-tunnelbox,$(DESTDIR)/usr/bin/start-tunnel)
+
+	$(call mkdir,$(DESTDIR)/lib/systemd/system)
+	$(call cp,core/start-tunneld.service,$(DESTDIR)/lib/systemd/system/start-tunneld.service)
+
+	$(call mkdir,$(DESTDIR)/usr/lib/startos/scripts)
+	$(call cp,build/lib/scripts/forward-port,$(DESTDIR)/usr/lib/startos/scripts/forward-port)
+
+core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox: $(CORE_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) web/dist/static/start-tunnel/index.html
+	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-tunnelbox.sh
+
+deb: results/$(BASENAME).deb
+
+results/$(BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/startos) $(STARTOS_TARGETS)
+	PLATFORM=$(PLATFORM) REQUIRES=debian ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
+
+registry-deb: results/$(REGISTRY_BASENAME).deb
+
+results/$(REGISTRY_BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/start-registry) $(REGISTRY_TARGETS)
+	PROJECT=start-registry PLATFORM=$(ARCH) REQUIRES=debian ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
+
+tunnel-deb: results/$(TUNNEL_BASENAME).deb
+
+results/$(TUNNEL_BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/start-tunnel) $(TUNNEL_TARGETS) build/lib/scripts/forward-port
+	PROJECT=start-tunnel PLATFORM=$(ARCH) REQUIRES=debian DEPENDS=wireguard-tools,iptables,conntrack ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
+
+$(IMAGE_TYPE): results/$(BASENAME).$(IMAGE_TYPE)
+
+squashfs: results/$(BASENAME).squashfs
+
+results/$(BASENAME).$(IMAGE_TYPE) results/$(BASENAME).squashfs: $(IMAGE_RECIPE_SRC) results/$(BASENAME).deb
+	ARCH=$(ARCH) ./build/image-recipe/run-local-build.sh "results/$(BASENAME).deb"
+
+# For creating os images. DO NOT USE
+install: $(STARTOS_TARGETS)
+	$(call mkdir,$(DESTDIR)/usr/bin)
+	$(call mkdir,$(DESTDIR)/usr/sbin)
+	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox,$(DESTDIR)/usr/bin/startbox)
+	$(call ln,/usr/bin/startbox,$(DESTDIR)/usr/bin/startd)
+	$(call ln,/usr/bin/startbox,$(DESTDIR)/usr/bin/start-cli)
+	if [ "$(PLATFORM)" = "raspberrypi" ]; then $(call cp,target/aarch64-unknown-linux-musl/release/pi-beep,$(DESTDIR)/usr/bin/pi-beep); fi
+	if /bin/bash -c '[[ "${ENVIRONMENT}" =~ (^|-)unstable($$|-) ]]'; then \
+		$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph,$(DESTDIR)/usr/bin/flamegraph); \
+	fi
+	if /bin/bash -c '[[ "${ENVIRONMENT}" =~ (^|-)console($$|-) ]]'; then \
+		$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console,$(DESTDIR)/usr/bin/tokio-console); \
+	fi
+	$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs,$(DESTDIR)/usr/bin/startos-backup-fs)
+	$(call ln,/usr/bin/startos-backup-fs,$(DESTDIR)/usr/sbin/mount.backup-fs)
+	
+	$(call mkdir,$(DESTDIR)/lib/systemd/system)
+	$(call cp,core/startd.service,$(DESTDIR)/lib/systemd/system/startd.service)
+
+	$(call mkdir,$(DESTDIR)/usr/lib)
+	$(call rm,$(DESTDIR)/usr/lib/startos)
+	$(call cp,build/lib,$(DESTDIR)/usr/lib/startos)
+	$(call mkdir,$(DESTDIR)/usr/lib/startos/container-runtime)
+	$(call cp,container-runtime/rootfs.$(ARCH).squashfs,$(DESTDIR)/usr/lib/startos/container-runtime/rootfs.squashfs)
+
+	$(call cp,build/env/PLATFORM.txt,$(DESTDIR)/usr/lib/startos/PLATFORM.txt)
+	$(call cp,build/env/ENVIRONMENT.txt,$(DESTDIR)/usr/lib/startos/ENVIRONMENT.txt)
+	$(call cp,build/env/GIT_HASH.txt,$(DESTDIR)/usr/lib/startos/GIT_HASH.txt)
+	$(call cp,build/env/VERSION.txt,$(DESTDIR)/usr/lib/startos/VERSION.txt)
+
+update-overlay: $(STARTOS_TARGETS)
+	@echo "\033[33m!!! THIS WILL ONLY REFLASH YOUR DEVICE IN MEMORY !!!\033[0m"
+	@echo "\033[33mALL CHANGES WILL BE REVERTED IF YOU RESTART THE DEVICE\033[0m"
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	@if [ "`ssh $(REMOTE) 'cat /usr/lib/startos/VERSION.txt'`" != "`cat $(VERSION_FILE)`" ]; then >&2 echo "StartOS requires migrations: update-overlay is unavailable." && false; fi
+	$(call ssh,"sudo systemctl stop startd")
+	$(MAKE) install REMOTE=$(REMOTE) SSHPASS=$(SSHPASS) PLATFORM=$(PLATFORM)
+	$(call ssh,"sudo systemctl start startd")
+
+wormhole: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox
+	@echo "Paste the following command into the shell of your StartOS server:"
+	@echo
+	@wormhole send core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo /usr/lib/startos/scripts/chroot-and-upgrade \"cd /usr/bin && rm startbox && wormhole receive --accept-file %s && chmod +x startbox\"\n", $$3 }'
+
+wormhole-deb: results/$(BASENAME).deb
+	@echo "Paste the following command into the shell of your StartOS server:"
+	@echo
+	@wormhole send results/$(BASENAME).deb 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo /usr/lib/startos/scripts/chroot-and-upgrade '"'"'cd $$(mktemp -d) && wormhole receive --accept-file %s && apt-get install -y --reinstall ./$(BASENAME).deb'"'"'\n", $$3 }'
+
+wormhole-squashfs: results/$(BASENAME).squashfs
+	$(eval SQFS_SUM := $(shell b3sum results/$(BASENAME).squashfs | head -c 32))
+	$(eval SQFS_SIZE := $(shell du -s --bytes results/$(BASENAME).squashfs | awk '{print $$1}'))
+	@echo "Paste the following command into the shell of your StartOS server:"
+	@echo
+	@wormhole send results/$(BASENAME).squashfs 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo sh -c '"'"'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE) && /usr/lib/startos/scripts/prune-boot && cd /media/startos/images && wormhole receive --accept-file %s && CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade ./$(BASENAME).squashfs'"'"'\n", $$3 }'
+
+update: $(STARTOS_TARGETS)
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	$(call ssh,'sudo /usr/lib/startos/scripts/chroot-and-upgrade --create')
+	$(MAKE) install REMOTE=$(REMOTE) SSHPASS=$(SSHPASS) DESTDIR=/media/startos/next PLATFORM=$(PLATFORM)
+	$(call ssh,'sudo /media/startos/next/usr/lib/startos/scripts/chroot-and-upgrade --no-sync "apt-get install -y $(shell cat ./build/lib/depends)"')
+
+update-startbox: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox # only update binary (faster than full update)
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	$(call ssh,'sudo /usr/lib/startos/scripts/chroot-and-upgrade --create')
+	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox,/media/startos/next/usr/bin/startbox)
+	$(call ssh,'sudo /media/startos/next/usr/lib/startos/scripts/chroot-and-upgrade --no-sync true')
+
+update-deb: results/$(BASENAME).deb # better than update, but only available from debian
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	$(call ssh,'sudo /usr/lib/startos/scripts/chroot-and-upgrade --create')
+	$(call mkdir,/media/startos/next/tmp/startos-deb)
+	$(call cp,results/$(BASENAME).deb,/media/startos/next/tmp/startos-deb/$(BASENAME).deb)
+	$(call ssh,'sudo /media/startos/next/usr/lib/startos/scripts/chroot-and-upgrade --no-sync "apt-get install -y --reinstall /tmp/startos-deb/$(BASENAME).deb"')
+
+update-squashfs: results/$(BASENAME).squashfs
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	$(eval SQFS_SUM := $(shell b3sum results/$(BASENAME).squashfs))
+	$(eval SQFS_SIZE := $(shell du -s --bytes results/$(BASENAME).squashfs | awk '{print $$1}'))
+	$(call ssh,'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE)')
+	$(call ssh,'/usr/lib/startos/scripts/prune-boot')
+	$(call cp,results/$(BASENAME).squashfs,/media/startos/images/next.rootfs)
+	$(call ssh,'sudo CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade /media/startos/images/next.rootfs')
+
+emulate-reflash: $(STARTOS_TARGETS)
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	$(call ssh,'sudo /usr/lib/startos/scripts/chroot-and-upgrade --create')
+	$(MAKE) install REMOTE=$(REMOTE) SSHPASS=$(SSHPASS) DESTDIR=/media/startos/next PLATFORM=$(PLATFORM)
+	$(call ssh,'sudo rm -f /media/startos/config/disk.guid /media/startos/config/overlay/etc/hostname')
+	$(call ssh,'sudo /media/startos/next/usr/lib/startos/scripts/chroot-and-upgrade --no-sync "apt-get install -y $(shell cat ./build/lib/depends)"')
+
+upload-ota: results/$(BASENAME).squashfs
+	TARGET=$(TARGET) KEY=$(KEY) ./build/upload-ota.sh
+
+container-runtime/debian.$(ARCH).squashfs: ./container-runtime/download-base-image.sh
+	ARCH=$(ARCH) ./container-runtime/download-base-image.sh
+
+container-runtime/package-lock.json: sdk/dist/package.json
+	npm --prefix container-runtime i
+	touch container-runtime/package-lock.json
+
+container-runtime/node_modules/.package-lock.json: container-runtime/package-lock.json
+	npm --prefix container-runtime ci
+	touch container-runtime/node_modules/.package-lock.json
+
+ts-bindings: core/bindings/index.ts
+	mkdir -p sdk/base/lib/osBindings
+	rsync -ac --delete core/bindings/ sdk/base/lib/osBindings/
+
+core/bindings/index.ts: $(call ls-files, core) $(ENVIRONMENT_FILE)
+	rm -rf core/bindings
+	./core/build/build-ts.sh
+	ls core/bindings/*.ts | sed 's/core\/bindings\/\([^.]*\)\.ts/export { \1 } from ".\/\1";/g' | grep -v '"./index"' | tee core/bindings/index.ts
+	npm --prefix sdk exec -- prettier --config ./sdk/base/package.json -w ./core/bindings/*.ts
+	touch core/bindings/index.ts
+
+sdk/dist/package.json sdk/baseDist/package.json: $(call ls-files, sdk) sdk/base/lib/osBindings/index.ts
+	(cd sdk && make bundle)
+	touch sdk/dist/package.json
+	touch sdk/baseDist/package.json
+
+# TODO: make container-runtime its own makefile?
+container-runtime/dist/index.js: container-runtime/node_modules/.package-lock.json $(call ls-files, container-runtime/src) container-runtime/package.json container-runtime/tsconfig.json 
+	npm --prefix container-runtime run build
+
+container-runtime/dist/node_modules/.package-lock.json container-runtime/dist/package.json container-runtime/dist/package-lock.json: container-runtime/package.json container-runtime/package-lock.json sdk/dist/package.json container-runtime/install-dist-deps.sh
+	./container-runtime/install-dist-deps.sh
+	touch container-runtime/dist/node_modules/.package-lock.json
+
+container-runtime/rootfs.$(ARCH).squashfs: container-runtime/debian.$(ARCH).squashfs container-runtime/container-runtime.service container-runtime/update-image.sh container-runtime/update-image-local.sh container-runtime/deb-install.sh container-runtime/dist/index.js container-runtime/dist/node_modules/.package-lock.json core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container
+	ARCH=$(ARCH) ./container-runtime/update-image-local.sh
+
+build/lib/depends build/lib/conflicts: $(ENVIRONMENT_FILE) $(PLATFORM_FILE) $(shell ls build/dpkg-deps/*)
+	PLATFORM=$(PLATFORM) ARCH=$(ARCH) build/dpkg-deps/generate.sh
+
+$(FIRMWARE_ROMS): build/lib/firmware.json ./build/download-firmware.sh $(PLATFORM_FILE)
+	./build/download-firmware.sh $(PLATFORM)
+
+core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox: $(CORE_SRC) $(COMPRESSED_WEB_UIS) web/patchdb-ui-seed.json $(ENVIRONMENT_FILE)
+	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-startbox.sh
+	touch core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox
+
+core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container: $(CORE_SRC) $(ENVIRONMENT_FILE)
+	ARCH=$(ARCH) ./core/build/build-start-container.sh
+	touch core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container
+
+web/package-lock.json: web/package.json sdk/baseDist/package.json
+	npm --prefix web i
+	touch web/package-lock.json
+
+web/node_modules/.package-lock.json: web/package-lock.json
+	npm --prefix web ci
+	touch web/node_modules/.package-lock.json
+
+web/.angular/.updated: patch-db/client/dist/index.js sdk/baseDist/package.json web/node_modules/.package-lock.json
+	rm -rf web/.angular
+	mkdir -p web/.angular
+	touch web/.angular/.updated
+
+web/.i18n-checked: $(WEB_SHARED_SRC) $(WEB_UI_SRC) $(WEB_SETUP_WIZARD_SRC) $(WEB_START_TUNNEL_SRC)
+	npm --prefix web run check:i18n
+	touch web/.i18n-checked
+
+web/dist/raw/ui/index.html: $(WEB_UI_SRC) $(WEB_SHARED_SRC) web/.angular/.updated web/.i18n-checked
+	npm --prefix web run build:ui
+	touch web/dist/raw/ui/index.html
+
+web/dist/raw/setup-wizard/index.html: $(WEB_SETUP_WIZARD_SRC) $(WEB_SHARED_SRC) web/.angular/.updated web/.i18n-checked
+	npm --prefix web run build:setup
+	touch web/dist/raw/setup-wizard/index.html
+
+web/dist/raw/start-tunnel/index.html: $(WEB_START_TUNNEL_SRC) $(WEB_SHARED_SRC) web/.angular/.updated web/.i18n-checked
+	npm --prefix web run build:tunnel
+	touch web/dist/raw/start-tunnel/index.html
+
+web/dist/static/%/index.html: web/dist/raw/%/index.html
+	./web/compress-uis.sh $*
+
+web/config.json: $(GIT_HASH_FILE) $(ENVIRONMENT_FILE) web/config-sample.json web/update-config.sh
+	./web/update-config.sh	
+
+patch-db/client/node_modules/.package-lock.json: patch-db/client/package.json
+	npm --prefix patch-db/client ci
+	touch patch-db/client/node_modules/.package-lock.json
+
+patch-db/client/dist/index.js: $(PATCH_DB_CLIENT_SRC) patch-db/client/node_modules/.package-lock.json
+	rm -rf patch-db/client/dist
 	npm --prefix patch-db/client run build
+	touch patch-db/client/dist/index.js

-# this is a convenience step to build all frontends - it is not referenced elsewhere in this file
-frontends: frontend/node_modules frontend/config.json $(EMBASSY_UIS) 
+# used by github actions
+compiled-$(ARCH).tar: $(COMPILED_TARGETS) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_FILE)
+	tar -cvf $@ $^
+
+# this is a convenience step to build all web uis - it is not referenced elsewhere in this file
+uis: $(WEB_UIS) 

 # this is a convenience step to build the UI
-ui: frontend/node_modules frontend/config.json frontend/dist/ui
+ui: web/dist/raw/ui

-# this is a convenience step to build the backend
-backend: $(EMBASSY_BINS)
+target/aarch64-unknown-linux-musl/release/pi-beep: ./build/build-cargo-dep.sh
+	ARCH=aarch64 ./build/build-cargo-dep.sh pi-beep
+
+target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console: ./build/build-cargo-dep.sh
+	ARCH=$(ARCH) ./build/build-cargo-dep.sh tokio-console
+	touch $@
+
+target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs: ./build/build-cargo-dep.sh
+	ARCH=$(ARCH) ./build/build-cargo-dep.sh --git https://github.com/Start9Labs/start-fs.git startos-backup-fs
+	touch $@
+
+target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph: ./build/build-cargo-dep.sh
+	ARCH=$(ARCH) ./build/build-cargo-dep.sh flamegraph
+	touch $@
--- a/README.md
+++ b/README.md
@@ -1,49 +1,82 @@
-# EmbassyOS
-[![Version](https://img.shields.io/github/v/tag/Start9Labs/embassy-os?color=success)](https://github.com/Start9Labs/embassy-os/releases)
-[![community](https://img.shields.io/badge/community-matrix-yellow)](https://matrix.to/#/#community:matrix.start9labs.com)
-[![community](https://img.shields.io/badge/community-telegram-informational)](https://t.me/start9_labs)
-[![support](https://img.shields.io/badge/support-docs-important)](https://docs.start9labs.com)
-[![developer](https://img.shields.io/badge/developer-matrix-blueviolet)](https://matrix.to/#/#community-dev:matrix.start9labs.com)
-[![website](https://img.shields.io/website?down_color=lightgrey&down_message=offline&up_color=green&up_message=online&url=https%3A%2F%2Fstart9labs.com)](https://start9labs.com)
-
-[![mastodon](https://img.shields.io/mastodon/follow/000000001?domain=https%3A%2F%2Fmastodon.start9labs.com&label=Follow&style=social)](http://mastodon.start9labs.com)
-[![twitter](https://img.shields.io/twitter/follow/start9labs?label=Follow)](https://twitter.com/start9labs)
-
-### _Welcome to the era of Sovereign Computing_ ###
-
-EmbassyOS is a browser-based, graphical operating system for a personal server. EmbassyOS facilitates the discovery, installation, network configuration, service configuration, data backup, dependency management, and health monitoring of self-hosted software services. It is the most advanced, secure, reliable, and user friendly personal server OS in the world.
-
-## Running EmbassyOS
-There are multiple ways to get your hands on EmbassyOS.
-
-### :moneybag: Buy an Embassy
-This is the most convenient option. Simply [buy an Embassy](https://start9.com) from Start9 and plug it in. Depending on where you live, shipping costs and import duties will vary.
-
-### :construction_worker: Build your own Embassy
-While not as convenient as buying an Embassy, this option is easier than you might imagine, and there are 4 reasons why you might prefer it:
-1. You already have a Raspberry Pi and would like to re-purpose it.
-1. You want to save on shipping costs.
-1. You prefer not to divulge your physical address.
-1. You just like building things.
-
-To pursue this option, follow this [guide](https://start9.com/latest/diy).
-
-### :hammer_and_wrench: Build EmbassyOS from Source
-
-EmbassyOS can be built from source, for personal use, for free.
-A detailed guide for doing so can be found [here](https://github.com/Start9Labs/embassy-os/blob/master/build/README.md).
-
-## :heart: Contributing
-There are multiple ways to contribute: work directly on EmbassyOS, package a service for the marketplace, or help with documentation and guides. To learn more about contributing, see [here](https://github.com/Start9Labs/embassy-os/blob/master/CONTRIBUTING.md).
-
-## UI Screenshots
+<div align="center">
+  <img src="web/projects/shared/assets/img/icon.png" alt="StartOS Logo" width="16%" />
+  <h1 style="margin-top: 0;">StartOS</h1>
+  <a href="https://github.com/Start9Labs/start-os/releases">
+    <img alt="GitHub release (with filter)" src="https://img.shields.io/github/v/release/start9labs/start-os?logo=github">
+  </a>
+  <a href="https://github.com/Start9Labs/start-os/actions/workflows/startos-iso.yaml">
+    <img src="https://github.com/Start9Labs/start-os/actions/workflows/startos-iso.yaml/badge.svg">
+  </a>
+    <a href="https://heyapollo.com/product/startos">
+    <img alt="Static Badge" src="https://img.shields.io/badge/apollo-review%20%E2%AD%90%E2%AD%90%E2%AD%90%E2%AD%90%E2%AD%90%20-slateblue">
+  </a>
+  <a href="https://twitter.com/start9labs">
+    <img alt="X (formerly Twitter) Follow" src="https://img.shields.io/twitter/follow/start9labs">
+  </a>
+  <a href="https://matrix.to/#/#community:matrix.start9labs.com">
+    <img alt="Static Badge" src="https://img.shields.io/badge/community-matrix-yellow?logo=matrix">
+  </a>
+  <a href="https://t.me/start9_labs">
+    <img alt="Static Badge" src="https://img.shields.io/badge/community-telegram-blue?logo=telegram">
+  </a>
+  <a href="https://docs.start9.com">
+    <img alt="Static Badge" src="https://img.shields.io/badge/docs-orange?label=%F0%9F%91%A4%20support">
+  </a>
+  <a href="https://matrix.to/#/#community-dev:matrix.start9labs.com">
+    <img alt="Static Badge" src="https://img.shields.io/badge/developer-matrix-darkcyan?logo=matrix">
+  </a>
+  <a href="https://start9.com">
+    <img alt="Website" src="https://img.shields.io/website?up_message=online&down_message=offline&url=https%3A%2F%2Fstart9.com&logo=website&label=%F0%9F%8C%90%20website">
+  </a>
+</div>
+<br />
+<div align="center">
+  <h3>
+    Welcome to the era of Sovereign Computing
+  </h3>
+  <p>
+    StartOS is an open source Linux distribution optimized for running a personal server. It facilitates the discovery, installation, network configuration, service configuration, data backup, dependency management, and health monitoring of self-hosted software services.
+  </p>
+</div>
+<br />
 <p align="center">
-<img src="assets/EmbassyOS.png" alt="EmbassyOS" width="65%">
+<img src="assets/StartOS.png" alt="StartOS" width="85%">
 </p>
+<br />
+
+## Running StartOS
+> [!WARNING]
+> StartOS is in beta. It lacks features. It doesn't always work perfectly. Start9 servers are not plug and play. Using them properly requires some effort and patience. Please do not use StartOS or purchase a server if you are unable or unwilling to follow instructions and learn new concepts.
+
+### 💰 Buy a Start9 server
+This is the most convenient option. Simply [buy a server](https://store.start9.com) from Start9 and plug it in.
+
+### 👷 Build your own server
+This option is easier than you might imagine, and there are 4 reasons why you might prefer it:
+1. You already have hardware
+1. You want to save on shipping costs
+1. You prefer not to divulge your physical address
+1. You just like building things
+
+To pursue this option, follow one of our [DIY guides](https://start9.com/latest/diy).
+
+## ❤️ Contributing
+There are multiple ways to contribute: work directly on StartOS, package a service for the marketplace, or help with documentation and guides. To learn more about contributing, see [here](https://start9.com/contribute/).
+
+To report security issues, please email our security team - security@start9.com.
+
+## 🌎 Marketplace
+There are dozens of services available for StartOS, and new ones are being added all the time. Check out the full list of available services [here](https://marketplace.start9.com/marketplace). To read more about the Marketplace ecosystem, check out this [blog post](https://blog.start9.com/start9-marketplace-strategy/)
+
+## 🖥️ User Interface Screenshots
+
 <p align="center">
-<img src="assets/eos-services.png" alt="Embassy Services" width="45%">
-<img src="assets/eos-preferences.png" alt="Embassy Preferences" width="45%">
-</p>
-<p align="center">
-<img src="assets/eos-bitcoind-health-check.png" alt="Embassy Bitcoin Health Checks" width="45%"> <img src="assets/eos-logs.png" alt="Embassy Logs" width="45%">
+<img src="assets/registry.png" alt="StartOS Marketplace" width="49%">
+<img src="assets/community.png" alt="StartOS Community Registry" width="49%">
+<img src="assets/c-lightning.png" alt="StartOS NextCloud Service" width="49%">
+<img src="assets/btcpay.png" alt="StartOS BTCPay Service" width="49%">
+<img src="assets/nextcloud.png" alt="StartOS System Settings" width="49%">
+<img src="assets/system.png" alt="StartOS System Settings" width="49%">
+<img src="assets/welcome.png" alt="StartOS System Settings" width="49%">
+<img src="assets/logs.png" alt="StartOS System Settings" width="49%">
 </p>
--- a/agents/VERSION_BUMP.md
+++ b/agents/VERSION_BUMP.md
@@ -0,0 +1,201 @@
+# StartOS Version Bump Guide
+
+This document explains how to bump the StartOS version across the entire codebase.
+
+## Overview
+
+When bumping from version `X.Y.Z-alpha.N` to `X.Y.Z-alpha.N+1`, you need to update files in multiple locations across the repository. The `// VERSION_BUMP` comment markers indicate where changes are needed.
+
+## Files to Update
+
+### 1. Core Rust Crate Version
+
+**File: `core/Cargo.toml`**
+
+Update the version string (line ~18):
+
+```toml
+version = "0.4.0-alpha.15" # VERSION_BUMP
+```
+
+**File: `core/Cargo.lock`**
+
+This file is auto-generated. After updating `Cargo.toml`, run:
+
+```bash
+cd core
+cargo check
+```
+
+This will update the version in `Cargo.lock` automatically.
+
+### 2. Create New Version Migration Module
+
+**File: `core/src/version/vX_Y_Z_alpha_N+1.rs`**
+
+Create a new version file by copying the previous version and updating:
+
+```rust
+use exver::{PreReleaseSegment, VersionRange};
+
+use super::v0_3_5::V0_3_0_COMPAT;
+use super::{VersionT, v0_4_0_alpha_14};  // Update to previous version
+use crate::prelude::*;
+
+lazy_static::lazy_static! {
+    static ref V0_4_0_alpha_15: exver::Version = exver::Version::new(
+        [0, 4, 0],
+        [PreReleaseSegment::String("alpha".into()), 15.into()]  // Update number
+    );
+}
+
+#[derive(Clone, Copy, Debug, Default)]
+pub struct Version;
+
+impl VersionT for Version {
+    type Previous = v0_4_0_alpha_14::Version;  // Update to previous version
+    type PreUpRes = ();
+
+    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
+        Ok(())
+    }
+    fn semver(self) -> exver::Version {
+        V0_4_0_alpha_15.clone()  // Update version name
+    }
+    fn compat(self) -> &'static VersionRange {
+        &V0_3_0_COMPAT
+    }
+    #[instrument(skip_all)]
+    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
+        // Add migration logic here if needed
+        Ok(Value::Null)
+    }
+    fn down(self, _db: &mut Value) -> Result<(), Error> {
+        // Add rollback logic here if needed
+        Ok(())
+    }
+}
+```
+
+### 3. Update Version Module Registry
+
+**File: `core/src/version/mod.rs`**
+
+Make changes in **5 locations**:
+
+#### Location 1: Module Declaration (~line 57)
+
+Add the new module after the previous version:
+
+```rust
+mod v0_4_0_alpha_14;
+mod v0_4_0_alpha_15;  // Add this
+```
+
+#### Location 2: Current Type Alias (~line 59)
+
+Update the `Current` type and move the `// VERSION_BUMP` comment:
+
+```rust
+pub type Current = v0_4_0_alpha_15::Version; // VERSION_BUMP
+```
+
+#### Location 3: Version Enum (~line 175)
+
+Remove `// VERSION_BUMP` from the previous version, add new variant, add comment:
+
+```rust
+    V0_4_0_alpha_14(Wrapper<v0_4_0_alpha_14::Version>),
+    V0_4_0_alpha_15(Wrapper<v0_4_0_alpha_15::Version>), // VERSION_BUMP
+    Other(exver::Version),
+```
+
+#### Location 4: as_version_t() Match (~line 233)
+
+Remove `// VERSION_BUMP`, add new match arm, add comment:
+
+```rust
+            Self::V0_4_0_alpha_14(v) => DynVersion(Box::new(v.0)),
+            Self::V0_4_0_alpha_15(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
+            Self::Other(v) => {
+```
+
+#### Location 5: as_exver() Match (~line 284, inside #[cfg(test)])
+
+Remove `// VERSION_BUMP`, add new match arm, add comment:
+
+```rust
+            Version::V0_4_0_alpha_14(Wrapper(x)) => x.semver(),
+            Version::V0_4_0_alpha_15(Wrapper(x)) => x.semver(), // VERSION_BUMP
+            Version::Other(x) => x.clone(),
+```
+
+### 4. SDK TypeScript Version
+
+**File: `sdk/package/lib/StartSdk.ts`**
+
+Update the OSVersion constant (~line 64):
+
+```typescript
+export const OSVersion = testTypeVersion("0.4.0-alpha.15");
+```
+
+### 5. Web UI Package Version
+
+**File: `web/package.json`**
+
+Update the version field:
+
+```json
+{
+  "name": "startos-ui",
+  "version": "0.4.0-alpha.15",
+  ...
+}
+```
+
+**File: `web/package-lock.json`**
+
+This file is auto-generated, but it's faster to update manually. Find all instances of "startos-ui" and update the version field.
+
+## Verification Step
+
+```
+make
+```
+
+## VERSION_BUMP Comment Pattern
+
+The `// VERSION_BUMP` comment serves as a marker for where to make changes next time:
+
+- Always **remove** it from the old location
+- **Add** the new version entry
+- **Move** the comment to mark the new location
+
+This pattern helps you quickly find all the places that need updating in the next version bump.
+
+## Summary Checklist
+
+- [ ] Update `core/Cargo.toml` version
+- [ ] Create new `core/src/version/vX_Y_Z_alpha_N+1.rs` file
+- [ ] Update `core/src/version/mod.rs` in 5 locations
+- [ ] Run `cargo check` to update `core/Cargo.lock`
+- [ ] Update `sdk/package/lib/StartSdk.ts` OSVersion
+- [ ] Update `web/package.json` and `web/package-lock.json` version
+- [ ] Verify all changes compile/build successfully
+
+## Migration Logic
+
+The `up()` and `down()` methods in the version file handle database migrations:
+
+- **up()**: Migrates the database from the previous version to this version
+- **down()**: Rolls back from this version to the previous version
+- **pre_up()**: Runs before migration, useful for pre-migration checks or data gathering
+
+If no migration is needed, return `Ok(Value::Null)` for `up()` and `Ok(())` for `down()`.
+
+For complex migrations, you may need to:
+
+1. Update `type PreUpRes` to pass data between `pre_up()` and `up()`
+2. Implement database transformations in the `up()` method
+3. Implement reverse transformations in `down()` for rollback support
--- a/assets/EmbassyOS.png
+++ b/assets/EmbassyOS.png
--- a/assets/StartOS.png
+++ b/assets/StartOS.png
--- a/assets/btcpay.png
+++ b/assets/btcpay.png
--- a/assets/c-lightning.png
+++ b/assets/c-lightning.png
--- a/assets/community.png
+++ b/assets/community.png
--- a/assets/create-vm/step-1.png
+++ b/assets/create-vm/step-1.png
--- a/assets/create-vm/step-10.png
+++ b/assets/create-vm/step-10.png
--- a/assets/create-vm/step-11.png
+++ b/assets/create-vm/step-11.png
--- a/assets/create-vm/step-12.png
+++ b/assets/create-vm/step-12.png
--- a/assets/create-vm/step-2.png
+++ b/assets/create-vm/step-2.png
--- a/assets/create-vm/step-3.png
+++ b/assets/create-vm/step-3.png
--- a/assets/create-vm/step-4.png
+++ b/assets/create-vm/step-4.png
--- a/assets/create-vm/step-5.png
+++ b/assets/create-vm/step-5.png
--- a/assets/create-vm/step-6.png
+++ b/assets/create-vm/step-6.png
--- a/assets/create-vm/step-7.png
+++ b/assets/create-vm/step-7.png
--- a/assets/create-vm/step-8.png
+++ b/assets/create-vm/step-8.png
--- a/assets/create-vm/step-9.png
+++ b/assets/create-vm/step-9.png
--- a/assets/eos-bitcoind-health-check.png
+++ b/assets/eos-bitcoind-health-check.png
--- a/assets/eos-logs.png
+++ b/assets/eos-logs.png
--- a/assets/eos-preferences.png
+++ b/assets/eos-preferences.png
--- a/assets/eos-services.png
+++ b/assets/eos-services.png
--- a/assets/logs.png
+++ b/assets/logs.png
--- a/assets/nextcloud.png
+++ b/assets/nextcloud.png
--- a/assets/registry.png
+++ b/assets/registry.png
--- a/assets/system.png
+++ b/assets/system.png
--- a/assets/welcome.png
+++ b/assets/welcome.png
--- a/backend/.gitignore
+++ b/backend/.gitignore
@@ -1,10 +0,0 @@
-/target
-**/*.rs.bk
-.DS_Store
-.vscode
-secrets.db
-*.s9pk
-*.sqlite3
-.env
-.editorconfig
-proptest-regressions/*
--- a/backend/Cargo.lock
+++ b/backend/Cargo.lock
--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -1,149 +0,0 @@
-[package]
-authors = ["Aiden McClelland <me@drbonez.dev>"]
-description = "The core of the Start9 Embassy Operating System"
-documentation = "https://docs.rs/embassy-os"
-edition = "2018"
-keywords = [
-  "self-hosted",
-  "raspberry-pi",
-  "privacy",
-  "bitcoin",
-  "full-node",
-  "lightning",
-]
-name = "embassy-os"
-readme = "README.md"
-repository = "https://github.com/Start9Labs/embassy-os"
-version = "0.3.1"
-
-[lib]
-name = "embassy"
-path = "src/lib.rs"
-
-[[bin]]
-name = "embassyd"
-path = "src/bin/embassyd.rs"
-
-[[bin]]
-name = "embassy-init"
-path = "src/bin/embassy-init.rs"
-
-[[bin]]
-name = "embassy-sdk"
-path = "src/bin/embassy-sdk.rs"
-
-[[bin]]
-name = "embassy-cli"
-path = "src/bin/embassy-cli.rs"
-
-[features]
-avahi = ["avahi-sys"]
-default = ["avahi", "sound", "metal", "js_engine"]
-dev = []
-metal = []
-sound = []
-unstable = ["patch-db/unstable"]
-
-[dependencies]
-aes = { version = "0.7.5", features = ["ctr"] }
-async-stream = "0.3.3"
-async-trait = "0.1.51"
-avahi-sys = { git = "https://github.com/Start9Labs/avahi-sys", version = "0.10.0", branch = "feature/dynamic-linking", features = [
-  "dynamic",
-], optional = true }
-base32 = "0.4.0"
-base64 = "0.13.0"
-base64ct = "1.5.0"
-basic-cookies = "0.1.4"
-bollard = "0.11.0"
-chrono = { version = "0.4.19", features = ["serde"] }
-clap = "2.33"
-color-eyre = "0.5"
-cookie_store = "0.15.0"
-digest = "0.10.3"
-digest-old = { package = "digest", version = "0.9.0" }
-divrem = "1.0.0"
-ed25519 = { version = "1.5.2", features = ["pkcs8", "pem", "alloc"] }
-ed25519-dalek = { version = "1.0.1", features = ["serde"] }
-emver = { version = "0.1.6", features = ["serde"] }
-fd-lock-rs = "0.1.3"
-futures = "0.3.17"
-git-version = "0.3.5"
-helpers = { path = "../libs/helpers" }
-hex = "0.4.3"
-hmac = "0.12.1"
-http = "0.2.5"
-hyper = "0.14.13"
-hyper-ws-listener = { git = "https://github.com/Start9Labs/hyper-ws-listener.git", branch = "main" }
-imbl = "1.0.1"
-indexmap = { version = "1.8.1", features = ["serde"] }
-isocountry = "0.3.2"
-itertools = "0.10.1"
-js_engine = { path = '../libs/js_engine', optional = true }
-jsonpath_lib = "0.3.0"
-lazy_static = "1.4"
-libc = "0.2.103"
-log = "0.4.14"
-models = { version = "*", path = "../libs/models" }
-nix = "0.23.0"
-nom = "7.0.0"
-num = "0.4.0"
-num_enum = "0.5.4"
-openssh-keys = "0.5.0"
-openssl = { version = "0.10.36", features = ["vendored"] }
-patch-db = { version = "*", path = "../patch-db/patch-db", features = [
-  "trace",
-] }
-pbkdf2 = "0.11.0"
-pin-project = "1.0.8"
-pkcs8 = { version = "0.9.0", features = ["std"] }
-platforms = "1.1.0"
-prettytable-rs = "0.8.0"
-proptest = "1.0.0"
-proptest-derive = "0.3.0"
-rand = "0.7.3"
-regex = "1.5.4"
-reqwest = { version = "0.11.4", features = ["stream", "json", "socks"] }
-reqwest_cookie_store = "0.2.0"
-rpassword = "5.0.1"
-rpc-toolkit = { version = "*", path = "../rpc-toolkit/rpc-toolkit" }
-rust-argon2 = "0.8.3"
-scopeguard = "1.1" # because avahi-sys fucks your shit up
-serde = { version = "1.0.130", features = ["derive", "rc"] }
-serde_cbor = { package = "ciborium", version = "0.2.0" }
-serde_json = "1.0.68"
-serde_toml = { package = "toml", version = "0.5.8" }
-serde_yaml = "0.8.21"
-sha2 = "0.10.2"
-sha2-old = { package = "sha2", version = "0.9.8" }
-simple-logging = "2.0"
-sqlx = { version = "0.5.11", features = [
-  "chrono",
-  "offline",
-  "runtime-tokio-rustls",
-  "sqlite",
-] }
-stderrlog = "0.5.1"
-tar = "0.4.37"
-thiserror = "1.0.29"
-tokio = { version = "1.15.0", features = ["full"] }
-tokio-compat-02 = "0.2.0"
-tokio-stream = { version = "0.1.7", features = ["io-util", "sync"] }
-tokio-tar = { git = "https://github.com/dr-bonez/tokio-tar.git" }
-tokio-tungstenite = "0.14.0"
-tokio-util = { version = "0.6.8", features = ["io"] }
-torut = "0.2.0"
-tracing = "0.1"
-tracing-error = "0.1"
-tracing-futures = "0.2"
-tracing-subscriber = "0.2"
-trust-dns-server = "0.21.2"
-typed-builder = "0.9.1"
-url = { version = "2.2.2", features = ["serde"] }
-
-[dependencies.serde_with]
-features = ["macros", "json"]
-version = "1.10.0"
-
-[profile.dev.package.backtrace]
-opt-level = 3
--- a/backend/README.md
+++ b/backend/README.md
@@ -1,35 +0,0 @@
-# EmbassyOS Backend
-
- Requirements:
-  - [Install Rust](https://rustup.rs)
-  - Recommended: [rust-analyzer](https://rust-analyzer.github.io/)
-  - [Docker](https://docs.docker.com/get-docker/)
-  - [Rust ARM64 Build Container](https://github.com/Start9Labs/rust-arm-builder)
- Scripts (run withing the `./backend` directory)
-  - `build-prod.sh` - compiles a release build of the artifacts for running on ARM64
-  - `build-dev.sh` - compiles a development build of the artifacts for running on ARM64
- A Linux computer or VM
-
-## Structure
-
-The EmbassyOS backend is broken up into 4 different binaries:
-
- embassyd: This is the main workhorse of EmbassyOS - any new functionality you want will likely go here
- embassy-init: This is the component responsible for allowing you to set up your device, and handles system initialization on startup
- embassy-cli: This is a CLI tool that will allow you to issue commands to embassyd and control it similarly to the UI
- embassy-sdk: This is a CLI tool that aids in building and packaging services you wish to deploy to the Embassy
-
-Finally there is a library `embassy` that supports all four of these tools.
-
-See [here](/backend/Cargo.toml) for details.
-
-## Building
-
-You can build the entire operating system image using `make` from the root of the EmbassyOS project. This will subsequently invoke the build scripts above to actually create the requisite binaries and put them onto the final operating system image.
-
-## Questions
-
-If you have questions about how various pieces of the backend system work. Open an issue and tag the following people
-
- dr-bonez
- ProofOfKeags
--- a/backend/build-dev.sh
+++ b/backend/build-dev.sh
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -e
-shopt -s expand_aliases
-
-if [ "$0" != "./build-dev.sh" ]; then
-	>&2 echo "Must be run from backend directory"
-	exit 1
-fi
-
-USE_TTY=
-if tty -s; then
-	USE_TTY="-it"
-fi
-
-alias 'rust-arm64-builder'='docker run $USE_TTY --rm -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$(pwd)":/home/rust/src start9/rust-arm-cross:aarch64'
-
-cd ..
-rust-arm64-builder sh -c "(cd backend && cargo build)"
-cd backend
-#rust-arm64-builder aarch64-linux-gnu-strip target/aarch64-unknown-linux-gnu/release/embassyd
--- a/backend/build-portable-dev.sh
+++ b/backend/build-portable-dev.sh
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-set -e
-shopt -s expand_aliases
-
-if [ "$0" != "./build-portable-dev.sh" ]; then
-	>&2 echo "Must be run from backend directory"
-	exit 1
-fi
-
-USE_TTY=
-if tty -s; then
-	USE_TTY="-it"
-fi
-
-alias 'rust-musl-builder'='docker run $USE_TTY --rm -v "$HOME"/.cargo/registry:/root/.cargo/registry -v "$(pwd)":/home/rust/src start9/rust-musl-cross:x86_64-musl'
-
-cd ..
-rust-musl-builder sh -c "(cd backend && cargo +beta build --target=x86_64-unknown-linux-musl --no-default-features)"
-cd backend
--- a/backend/build-portable.sh
+++ b/backend/build-portable.sh
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-set -e
-shopt -s expand_aliases
-
-if [ "$0" != "./build-portable.sh" ]; then
-	>&2 echo "Must be run from backend directory"
-	exit 1
-fi
-
-USE_TTY=
-if tty -s; then
-	USE_TTY="-it"
-fi
-
-alias 'rust-musl-builder'='docker run $USE_TTY --rm -v "$HOME"/.cargo/registry:/root/.cargo/registry -v "$(pwd)":/home/rust/src start9/rust-musl-cross:x86_64-musl'
-
-cd ..
-rust-musl-builder sh -c "(cd backend && cargo +beta build --release --target=x86_64-unknown-linux-musl --no-default-features)"
-cd backend
--- a/backend/build-prod.sh
+++ b/backend/build-prod.sh
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-set -e
-shopt -s expand_aliases
-
-if [ "$0" != "./build-prod.sh" ]; then
-	>&2 echo "Must be run from backend directory"
-	exit 1
-fi
-
-USE_TTY=
-if tty -s; then
-	USE_TTY="-it"
-fi
-
-alias 'rust-arm64-builder'='docker run $USE_TTY --rm -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$(pwd)":/home/rust/src -P start9/rust-arm-cross:aarch64'
-
-cd ..
-FLAGS=""
-if [[ "$ENVIRONMENT" =~ (^|-)unstable($|-) ]]; then
-	FLAGS="unstable,$FLAGS"
-fi
-if [[ "$ENVIRONMENT" =~ (^|-)dev($|-) ]]; then
-	FLAGS="dev,$FLAGS"
-fi
-if [[ "$FLAGS" = "" ]]; then
-	rust-arm64-builder sh -c "(git config --global --add safe.directory '*'; cd backend && cargo build --release)"
-else
-	echo "FLAGS=$FLAGS"
-	rust-arm64-builder sh -c "(git config --global --add safe.directory '*'; cd backend && cargo build --release --features $FLAGS)"
-fi
-cd backend
-#rust-arm64-builder aarch64-linux-gnu-strip target/aarch64-unknown-linux-gnu/release/embassyd
--- a/backend/deny.toml
+++ b/backend/deny.toml
@@ -1,22 +0,0 @@
-[licenses]
-unlicensed = "warn"
-allow-osi-fsf-free = "neither"
-copyleft = "deny"
-confidence-threshold = 0.93
-allow = [
-    "Apache-2.0",
-    "Apache-2.0 WITH LLVM-exception",
-    "MIT",
-    "ISC",
-    "MPL-2.0",
-    "CC0-1.0",
-    "BSD-2-Clause",
-    "BSD-3-Clause",
-    "LGPL-3.0",
-    "OpenSSL",
-]
-
-clarify = [
-    { name = "webpki", expression = "ISC", license-files = [ { path = "LICENSE", hash = 0x001c7e6c } ] },
-    { name = "ring", expression = "OpenSSL", license-files = [ { path = "LICENSE", hash = 0xbd0eed23 } ] },
-]
--- a/backend/embassy-init.service
+++ b/backend/embassy-init.service
@@ -1,14 +0,0 @@
-[Unit]
-Description=Embassy Init
-After=network.target
-Requires=network.target
-Wants=avahi-daemon.service nginx.service tor.service
-
-[Service]
-Type=oneshot
-Environment=RUST_LOG=embassy_init=debug,embassy=debug,js_engine=debug
-ExecStart=/usr/local/bin/embassy-init
-RemainAfterExit=true
-
-[Install]
-WantedBy=embassyd.service
--- a/backend/embassyd.service
+++ b/backend/embassyd.service
@@ -1,17 +0,0 @@
-[Unit]
-Description=Embassy Daemon
-After=embassy-init.service
-Requires=embassy-init.service
-
-[Service]
-Type=simple
-Environment=RUST_LOG=embassyd=debug,embassy=debug,js_engine=debug
-ExecStart=/usr/local/bin/embassyd
-Restart=always
-RestartSec=3
-ManagedOOMPreference=avoid
-CPUAccounting=true
-CPUWeight=1000
-
-[Install]
-WantedBy=multi-user.target
--- a/backend/install-sdk.sh
+++ b/backend/install-sdk.sh
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-set -e
-shopt -s expand_aliases
-
-if [ "$0" != "./install-sdk.sh" ]; then
-	>&2 echo "Must be run from backend directory"
-	exit 1
-fi
-
-cargo install --bin=embassy-sdk --bin=embassy-cli --path=. --no-default-features --features=js_engine
--- a/backend/migrations/20210629193146_Init.sql
+++ b/backend/migrations/20210629193146_Init.sql
@@ -1,58 +0,0 @@
-- Add migration script here
-CREATE TABLE IF NOT EXISTS tor
-(
-    package     TEXT NOT NULL,
-    interface   TEXT NOT NULL,
-    key         BLOB NOT NULL CHECK (length(key) = 64),
-    PRIMARY KEY (package, interface)
-);
-CREATE TABLE IF NOT EXISTS session
-(
-    id         TEXT NOT NULL PRIMARY KEY,
-    logged_in TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    logged_out TIMESTAMP,
-    last_active TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    user_agent TEXT,
-    metadata   TEXT NOT NULL DEFAULT 'null'
-);
-CREATE TABLE IF NOT EXISTS account
-(
-    id INTEGER PRIMARY KEY CHECK (id = 0),
-    password TEXT NOT NULL,
-    tor_key BLOB NOT NULL CHECK (length(tor_key) = 64)
-);
-CREATE TABLE IF NOT EXISTS ssh_keys
-(
-    fingerprint     TEXT NOT NULL,
-    openssh_pubkey  TEXT NOT NULL,
-    created_at      TEXT NOT NULL,
-    PRIMARY KEY (fingerprint)
-);
-CREATE TABLE IF NOT EXISTS certificates
-(
-    id INTEGER PRIMARY KEY, -- Root = 0, Int = 1, Other = 2..
-    priv_key_pem TEXT NOT NULL,
-    certificate_pem TEXT NOT NULL,
-    lookup_string TEXT UNIQUE,
-    created_at TEXT,
-    updated_at TEXT
-);
-CREATE TABLE IF NOT EXISTS notifications
-(
-    id INTEGER PRIMARY KEY,
-    package_id TEXT,
-    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    code INTEGER NOT NULL,
-    level TEXT NOT NULL,
-    title TEXT NOT NULL,
-    message TEXT NOT NULL,
-    data TEXT
-);
-CREATE TABLE IF NOT EXISTS cifs_shares
-(
-    id INTEGER PRIMARY KEY,
-    hostname TEXT NOT NULL,
-    path TEXT NOT NULL,
-    username TEXT NOT NULL,
-    password TEXT
-);
--- a/backend/sqlx-data.json
+++ b/backend/sqlx-data.json
@@ -1,715 +0,0 @@
-{
-  "db": "SQLite",
-  "10350f5a16f1b2a6ce91672ae5dc6acc46691bd8f901861545ec83c326a8ccef": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 3
-      }
-    },
-    "query": "INSERT INTO ssh_keys (fingerprint, openssh_pubkey, created_at) VALUES (?, ?, ?)"
-  },
-  "118d59de5cf930d5a3b5667b2220e9a3d593bd84276beb2b76c93b2694b0fd72": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 3
-      }
-    },
-    "query": "INSERT INTO session (id, user_agent, metadata) VALUES (?, ?, ?)"
-  },
-  "165daa7d6a60cb42122373b2c5ac7d39399bcc99992f0002ee7bfef50a8daceb": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "DELETE FROM certificates WHERE id = 0 OR id = 1;"
-  },
-  "177c4b9cc7901a3b906e5969b86b1c11e6acbfb8e86e98f197d7333030b17964": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "DELETE FROM notifications WHERE id = ?"
-  },
-  "1b2242afa55e730b37b00929b656d80940b457ec86c234ddd0de917bd8872611": {
-    "describe": {
-      "columns": [
-        {
-          "name": "id: u32",
-          "ordinal": 0,
-          "type_info": "Int64"
-        }
-      ],
-      "nullable": [
-        false
-      ],
-      "parameters": {
-        "Right": 4
-      }
-    },
-    "query": "INSERT INTO cifs_shares (hostname, path, username, password) VALUES (?, ?, ?, ?) RETURNING id AS \"id: u32\""
-  },
-  "1eee1fdc793919c391008854407143d7a11b4668486c11a760b49af49992f9f8": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 2
-      }
-    },
-    "query": "REPLACE INTO tor (package, interface, key) VALUES (?, 'main', ?)"
-  },
-  "2932aa02735b6422fca4ba889abfb3de8598178d4690076dc278898753d9df62": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "UPDATE session SET logged_out = CURRENT_TIMESTAMP WHERE id = ?"
-  },
-  "3502e58f2ab48fb4566d21c920c096f81acfa3ff0d02f970626a4dcd67bac71d": {
-    "describe": {
-      "columns": [
-        {
-          "name": "tor_key",
-          "ordinal": 0,
-          "type_info": "Blob"
-        }
-      ],
-      "nullable": [
-        false
-      ],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "SELECT tor_key FROM account"
-  },
-  "3e57a0e52b69f33e9411c13b03a5d82c5856d63f0375eb4c23b255a09c54f8b1": {
-    "describe": {
-      "columns": [
-        {
-          "name": "key",
-          "ordinal": 0,
-          "type_info": "Blob"
-        }
-      ],
-      "nullable": [
-        false
-      ],
-      "parameters": {
-        "Right": 2
-      }
-    },
-    "query": "SELECT key FROM tor WHERE package = ? AND interface = ?"
-  },
-  "4691e3a2ce80b59009ac17124f54f925f61dc5ea371903e62cdffa5d7b67ca96": {
-    "describe": {
-      "columns": [
-        {
-          "name": "id",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "logged_in",
-          "ordinal": 1,
-          "type_info": "Datetime"
-        },
-        {
-          "name": "logged_out",
-          "ordinal": 2,
-          "type_info": "Datetime"
-        },
-        {
-          "name": "last_active",
-          "ordinal": 3,
-          "type_info": "Datetime"
-        },
-        {
-          "name": "user_agent",
-          "ordinal": 4,
-          "type_info": "Text"
-        },
-        {
-          "name": "metadata",
-          "ordinal": 5,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false,
-        true,
-        false,
-        true,
-        false
-      ],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "SELECT * FROM session WHERE logged_out IS NULL OR logged_out > CURRENT_TIMESTAMP"
-  },
-  "530192a2a530ee6b92e5b98e1eb1bf6d1426c7b0cb2578593a367cb0bf2c3ca8": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 3
-      }
-    },
-    "query": "UPDATE certificates SET priv_key_pem = ?, certificate_pem = ?, updated_at = datetime('now') WHERE lookup_string = ?"
-  },
-  "56b986f2a2b7091d9c3acdd78f75d9842242de1f4da8f3672f2793d9fb256928": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "DELETE FROM tor WHERE package = ?"
-  },
-  "5b114c450073f77f466c980a2541293f30087b57301c379630326e5e5c2fb792": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 3
-      }
-    },
-    "query": "REPLACE INTO tor (package, interface, key) VALUES (?, ?, ?)"
-  },
-  "5c47da44b9c84468e95a13fc47301989900f130b3b5899d1ee6664df3ed812ac": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 2
-      }
-    },
-    "query": "INSERT INTO certificates (id, priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES (0, ?, ?, NULL, datetime('now'), datetime('now'))"
-  },
-  "629be61c3c341c131ddbbff0293a83dbc6afd07cae69d246987f62cf0cc35c2a": {
-    "describe": {
-      "columns": [
-        {
-          "name": "password",
-          "ordinal": 0,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false
-      ],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "SELECT password FROM account"
-  },
-  "63785dc5f193ea31e6f641a910c75857ccd288a3f6e9c4f704331531e4f0689f": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "UPDATE session SET last_active = CURRENT_TIMESTAMP WHERE id = ? AND logged_out IS NULL OR logged_out > CURRENT_TIMESTAMP"
-  },
-  "6440354d73a67c041ea29508b43b5f309d45837a44f1a562051ad540d894c7d6": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "DELETE FROM ssh_keys WHERE fingerprint = ?"
-  },
-  "65e6c3fbb138da5cf385af096fdd3c062b6e826e12a8a4b23e16fcc773004c29": {
-    "describe": {
-      "columns": [
-        {
-          "name": "id",
-          "ordinal": 0,
-          "type_info": "Int64"
-        },
-        {
-          "name": "package_id",
-          "ordinal": 1,
-          "type_info": "Text"
-        },
-        {
-          "name": "created_at",
-          "ordinal": 2,
-          "type_info": "Datetime"
-        },
-        {
-          "name": "code",
-          "ordinal": 3,
-          "type_info": "Int64"
-        },
-        {
-          "name": "level",
-          "ordinal": 4,
-          "type_info": "Text"
-        },
-        {
-          "name": "title",
-          "ordinal": 5,
-          "type_info": "Text"
-        },
-        {
-          "name": "message",
-          "ordinal": 6,
-          "type_info": "Text"
-        },
-        {
-          "name": "data",
-          "ordinal": 7,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        true,
-        false,
-        false,
-        false,
-        false,
-        false,
-        true
-      ],
-      "parameters": {
-        "Right": 2
-      }
-    },
-    "query": "SELECT id, package_id, created_at, code, level, title, message, data FROM notifications WHERE id < ? ORDER BY id DESC LIMIT ?"
-  },
-  "668f39c868f90cdbcc635858bac9e55ed73192ed2aec5c52dcfba9800a7a4a41": {
-    "describe": {
-      "columns": [
-        {
-          "name": "id: u32",
-          "ordinal": 0,
-          "type_info": "Int64"
-        },
-        {
-          "name": "hostname",
-          "ordinal": 1,
-          "type_info": "Text"
-        },
-        {
-          "name": "path",
-          "ordinal": 2,
-          "type_info": "Text"
-        },
-        {
-          "name": "username",
-          "ordinal": 3,
-          "type_info": "Text"
-        },
-        {
-          "name": "password",
-          "ordinal": 4,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false,
-        false,
-        false,
-        true
-      ],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "SELECT id AS \"id: u32\", hostname, path, username, password FROM cifs_shares"
-  },
-  "6b9abc9e079cff975f8a7f07ff70548c7877ecae3be0d0f2d3f439a6713326c0": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "DELETE FROM notifications WHERE id < ?"
-  },
-  "6c96d76bffcc5f03290d8d8544a58521345ed2a843a509b17bbcd6257bb81821": {
-    "describe": {
-      "columns": [
-        {
-          "name": "priv_key_pem",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "certificate_pem",
-          "ordinal": 1,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false
-      ],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "SELECT priv_key_pem, certificate_pem FROM certificates WHERE id = 1;"
-  },
-  "7d548d2472fa3707bd17364b4800e229b9c2b1c0a22e245bf4e635b9b16b8c24": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 3
-      }
-    },
-    "query": "INSERT INTO certificates (priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES (?, ?, ?, datetime('now'), datetime('now'))"
-  },
-  "82a8fa7eae8a73b5345015c72af024b4f21489b1d9b42235398d7eb8977fb132": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "UPDATE account SET password = ?"
-  },
-  "8595651866e7db772260bd79e19d55b7271fd795b82a99821c935a9237c1aa16": {
-    "describe": {
-      "columns": [
-        {
-          "name": "interface",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "key",
-          "ordinal": 1,
-          "type_info": "Blob"
-        }
-      ],
-      "nullable": [
-        false,
-        false
-      ],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "SELECT interface, key FROM tor WHERE package = ?"
-  },
-  "9496e17a73672ac3675e02efa7c4bf8bd479b866c0d31fa1e3a85ef159310a57": {
-    "describe": {
-      "columns": [
-        {
-          "name": "priv_key_pem",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "certificate_pem",
-          "ordinal": 1,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false
-      ],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "SELECT priv_key_pem, certificate_pem FROM certificates WHERE lookup_string = ?"
-  },
-  "9fcedab1ba34daa2c6ae97c5953c09821b35b55be75b0c66045ab31a2cf4553e": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 3
-      }
-    },
-    "query": "REPLACE INTO account (id, password, tor_key) VALUES (?, ?, ?)"
-  },
-  "a1cbaac36d8e14c8c3e7276237c4824bff18861f91b0b08aa5791704c492acb7": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 2
-      }
-    },
-    "query": "INSERT INTO certificates (id, priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES (1, ?, ?, NULL, datetime('now'), datetime('now'))"
-  },
-  "a4e7162322b28508310b9de7ebc891e619b881ff6d3ea09eba13da39626ab12f": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 5
-      }
-    },
-    "query": "UPDATE cifs_shares SET hostname = ?, path = ?, username = ?, password = ? WHERE id = ?"
-  },
-  "a6b0c8909a3a5d6d9156aebfb359424e6b5a1d1402e028219e21726f1ebd282e": {
-    "describe": {
-      "columns": [
-        {
-          "name": "fingerprint",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "openssh_pubkey",
-          "ordinal": 1,
-          "type_info": "Text"
-        },
-        {
-          "name": "created_at",
-          "ordinal": 2,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false,
-        false
-      ],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "SELECT fingerprint, openssh_pubkey, created_at FROM ssh_keys"
-  },
-  "abfdeea8cd10343b85f647d7abc5dc3bd0b5891101b143485938192ee3b8c907": {
-    "describe": {
-      "columns": [
-        {
-          "name": "id",
-          "ordinal": 0,
-          "type_info": "Int64"
-        },
-        {
-          "name": "package_id",
-          "ordinal": 1,
-          "type_info": "Text"
-        },
-        {
-          "name": "created_at",
-          "ordinal": 2,
-          "type_info": "Datetime"
-        },
-        {
-          "name": "code",
-          "ordinal": 3,
-          "type_info": "Int64"
-        },
-        {
-          "name": "level",
-          "ordinal": 4,
-          "type_info": "Text"
-        },
-        {
-          "name": "title",
-          "ordinal": 5,
-          "type_info": "Text"
-        },
-        {
-          "name": "message",
-          "ordinal": 6,
-          "type_info": "Text"
-        },
-        {
-          "name": "data",
-          "ordinal": 7,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        true,
-        false,
-        false,
-        false,
-        false,
-        false,
-        true
-      ],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "SELECT id, package_id, created_at, code, level, title, message, data FROM notifications ORDER BY id DESC LIMIT ?"
-  },
-  "b376d9e77e0861a9af2d1081ca48d14e83abc5a1546213d15bb570972c403beb": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "-- Add migration script here\nCREATE TABLE IF NOT EXISTS tor\n(\n    package     TEXT NOT NULL,\n    interface   TEXT NOT NULL,\n    key         BLOB NOT NULL CHECK (length(key) = 64),\n    PRIMARY KEY (package, interface)\n);\nCREATE TABLE IF NOT EXISTS session\n(\n    id         TEXT NOT NULL PRIMARY KEY,\n    logged_in TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,\n    logged_out TIMESTAMP,\n    last_active TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,\n    user_agent TEXT,\n    metadata   TEXT NOT NULL DEFAULT 'null'\n);\nCREATE TABLE IF NOT EXISTS account\n(\n    id INTEGER PRIMARY KEY CHECK (id = 0),\n    password TEXT NOT NULL,\n    tor_key BLOB NOT NULL CHECK (length(tor_key) = 64)\n);\nCREATE TABLE IF NOT EXISTS ssh_keys\n(\n    fingerprint     TEXT NOT NULL,\n    openssh_pubkey  TEXT NOT NULL,\n    created_at      TEXT NOT NULL,\n    PRIMARY KEY (fingerprint)\n);\nCREATE TABLE IF NOT EXISTS certificates\n(\n    id INTEGER PRIMARY KEY, -- Root = 0, Int = 1, Other = 2..\n    priv_key_pem TEXT NOT NULL,\n    certificate_pem TEXT NOT NULL,\n    lookup_string TEXT UNIQUE,\n    created_at TEXT,\n    updated_at TEXT\n);\nCREATE TABLE IF NOT EXISTS notifications\n(\n    id INTEGER PRIMARY KEY,\n    package_id TEXT,\n    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,\n    code INTEGER NOT NULL,\n    level TEXT NOT NULL,\n    title TEXT NOT NULL,\n    message TEXT NOT NULL,\n    data TEXT\n);\nCREATE TABLE IF NOT EXISTS cifs_shares\n(\n    id INTEGER PRIMARY KEY,\n    hostname TEXT NOT NULL,\n    path TEXT NOT NULL,\n    username TEXT NOT NULL,\n    password TEXT\n);"
-  },
-  "cc33fe2958fe7caeac6999a217f918a68b45ad596664170b4d07671c6ea49566": {
-    "describe": {
-      "columns": [
-        {
-          "name": "hostname",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "path",
-          "ordinal": 1,
-          "type_info": "Text"
-        },
-        {
-          "name": "username",
-          "ordinal": 2,
-          "type_info": "Text"
-        },
-        {
-          "name": "password",
-          "ordinal": 3,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false,
-        false,
-        true
-      ],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "SELECT hostname, path, username, password FROM cifs_shares WHERE id = ?"
-  },
-  "d5117054072476377f3c4f040ea429d4c9b2cf534e76f35c80a2bf60e8599cca": {
-    "describe": {
-      "columns": [
-        {
-          "name": "openssh_pubkey",
-          "ordinal": 0,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false
-      ],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "SELECT openssh_pubkey FROM ssh_keys"
-  },
-  "d54bd5b53f8c760e1f8cde604aa8b1bdc66e4e025a636bc44ffbcd788b5168fd": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 6
-      }
-    },
-    "query": "INSERT INTO notifications (package_id, code, level, title, message, data) VALUES (?, ?, ?, ?, ?, ?)"
-  },
-  "d79d608ceb862c15b741a6040044c6dd54a837a3a0c5594d15a6041c7bc68ea8": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 3
-      }
-    },
-    "query": "INSERT OR IGNORE INTO tor (package, interface, key) VALUES (?, ?, ?)"
-  },
-  "de2a5e90798d606047ab8180c044baac05469c0cdf151316bd58ee8c7196fdef": {
-    "describe": {
-      "columns": [
-        {
-          "name": "fingerprint",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "openssh_pubkey",
-          "ordinal": 1,
-          "type_info": "Text"
-        },
-        {
-          "name": "created_at",
-          "ordinal": 2,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false,
-        false
-      ],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "SELECT * FROM ssh_keys WHERE fingerprint = ?"
-  },
-  "ed848affa5bf92997cd441e3a50b3616b6724df3884bd9d199b3225e0bea8a54": {
-    "describe": {
-      "columns": [
-        {
-          "name": "priv_key_pem",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "certificate_pem",
-          "ordinal": 1,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false
-      ],
-      "parameters": {
-        "Right": 0
-      }
-    },
-    "query": "SELECT priv_key_pem, certificate_pem FROM certificates WHERE id = 0;"
-  },
-  "f63c8c5a8754b34a49ef5d67802fa2b72aa409bbec92ecc6901492092974b71a": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Right": 1
-      }
-    },
-    "query": "DELETE FROM cifs_shares WHERE id = ?"
-  }
-}
--- a/backend/src/action.rs
+++ b/backend/src/action.rs
@@ -1,157 +0,0 @@
-use std::collections::{BTreeMap, BTreeSet};
-
-use clap::ArgMatches;
-use color_eyre::eyre::eyre;
-use indexmap::IndexSet;
-use rpc_toolkit::command;
-use serde::{Deserialize, Serialize};
-use tracing::instrument;
-
-use crate::config::{Config, ConfigSpec};
-use crate::context::RpcContext;
-use crate::id::{ ImageId};
-use crate::procedure::{PackageProcedure, ProcedureName};
-use crate::s9pk::manifest::PackageId;
-use crate::util::serde::{display_serializable, parse_stdin_deserializable, IoFormat};
-use crate::util::Version;
-use crate::volume::Volumes;
-use crate::{Error, ResultExt};
-
-pub use models::ActionId;
-#[derive(Clone, Debug, Default, Deserialize, Serialize)]
-pub struct Actions(pub BTreeMap<ActionId, Action>);
-
-#[derive(Debug, Serialize, Deserialize)]
-#[serde(tag = "version")]
-pub enum ActionResult {
-    #[serde(rename = "0")]
-    V0(ActionResultV0),
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-pub struct ActionResultV0 {
-    pub message: String,
-    pub value: Option<String>,
-    pub copyable: bool,
-    pub qr: bool,
-}
-
-#[derive(Clone, Copy, Debug, Hash, PartialEq, Eq, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub enum DockerStatus {
-    Running,
-    Stopped,
-}
-
-#[derive(Clone, Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct Action {
-    pub name: String,
-    pub description: String,
-    #[serde(default)]
-    pub warning: Option<String>,
-    pub implementation: PackageProcedure,
-    pub allowed_statuses: IndexSet<DockerStatus>,
-    #[serde(default)]
-    pub input_spec: ConfigSpec,
-}
-impl Action {
-    #[instrument]
-    pub fn validate(&self, volumes: &Volumes, image_ids: &BTreeSet<ImageId>) -> Result<(), Error> {
-        self.implementation
-            .validate(volumes, image_ids, true)
-            .with_ctx(|_| {
-                (
-                    crate::ErrorKind::ValidateS9pk,
-                    format!("Action {}", self.name),
-                )
-            })
-    }
-
-    #[instrument(skip(ctx))]
-    pub async fn execute(
-        &self,
-        ctx: &RpcContext,
-        pkg_id: &PackageId,
-        pkg_version: &Version,
-        action_id: &ActionId,
-        volumes: &Volumes,
-        input: Option<Config>,
-    ) -> Result<ActionResult, Error> {
-        if let Some(ref input) = input {
-            self.input_spec
-                .matches(&input)
-                .with_kind(crate::ErrorKind::ConfigSpecViolation)?;
-        }
-        self.implementation
-            .execute(
-                ctx,
-                pkg_id,
-                pkg_version,
-                ProcedureName::Action(action_id.clone()),
-                volumes,
-                input,
-                true,
-                None,
-            )
-            .await?
-            .map_err(|e| Error::new(eyre!("{}", e.1), crate::ErrorKind::Action))
-    }
-}
-
-fn display_action_result(action_result: ActionResult, matches: &ArgMatches<'_>) {
-    if matches.is_present("format") {
-        return display_serializable(action_result, matches);
-    }
-    match action_result {
-        ActionResult::V0(ar) => {
-            println!(
-                "{}: {}",
-                ar.message,
-                serde_json::to_string(&ar.value).unwrap()
-            );
-        }
-    }
-}
-
-#[command(about = "Executes an action", display(display_action_result))]
-#[instrument(skip(ctx))]
-pub async fn action(
-    #[context] ctx: RpcContext,
-    #[arg(rename = "id")] pkg_id: PackageId,
-    #[arg(rename = "action-id")] action_id: ActionId,
-    #[arg(stdin, parse(parse_stdin_deserializable))] input: Option<Config>,
-    #[allow(unused_variables)]
-    #[arg(long = "format")]
-    format: Option<IoFormat>,
-) -> Result<ActionResult, Error> {
-    let mut db = ctx.db.handle();
-    let manifest = crate::db::DatabaseModel::new()
-        .package_data()
-        .idx_model(&pkg_id)
-        .and_then(|p| p.installed())
-        .expect(&mut db)
-        .await
-        .with_kind(crate::ErrorKind::NotFound)?
-        .manifest()
-        .get(&mut db, true)
-        .await?
-        .to_owned();
-    if let Some(action) = manifest.actions.0.get(&action_id) {
-        action
-            .execute(
-                &ctx,
-                &manifest.id,
-                &manifest.version,
-                &action_id,
-                &manifest.volumes,
-                input,
-            )
-            .await
-    } else {
-        Err(Error::new(
-            eyre!("Action not found in manifest"),
-            crate::ErrorKind::NotFound,
-        ))
-    }
-}
--- a/backend/src/auth.rs
+++ b/backend/src/auth.rs
@@ -1,369 +0,0 @@
-use std::collections::BTreeMap;
-use std::marker::PhantomData;
-
-use chrono::{DateTime, Utc};
-use clap::ArgMatches;
-use color_eyre::eyre::eyre;
-use patch_db::{DbHandle, LockReceipt};
-use rpc_toolkit::command;
-use rpc_toolkit::command_helpers::prelude::{RequestParts, ResponseParts};
-use rpc_toolkit::yajrc::RpcError;
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
-use sqlx::{Executor, Sqlite};
-use tracing::instrument;
-
-use crate::context::{CliContext, RpcContext};
-use crate::middleware::auth::{AsLogoutSessionId, HasLoggedOutSessions, HashSessionToken};
-use crate::util::display_none;
-use crate::util::serde::{display_serializable, IoFormat};
-use crate::{ensure_code, Error, ResultExt};
-
-#[command(subcommands(login, logout, session, reset_password))]
-pub fn auth() -> Result<(), Error> {
-    Ok(())
-}
-
-pub fn parse_metadata(_: &str, _: &ArgMatches<'_>) -> Result<Value, Error> {
-    Ok(serde_json::json!({
-        "platforms": ["cli"],
-    }))
-}
-
-#[test]
-fn gen_pwd() {
-    println!(
-        "{:?}",
-        argon2::hash_encoded(
-            b"testing1234",
-            &rand::random::<[u8; 16]>()[..],
-            &argon2::Config::default()
-        )
-        .unwrap()
-    )
-}
-
-#[instrument(skip(ctx, password))]
-async fn cli_login(
-    ctx: CliContext,
-    password: Option<String>,
-    metadata: Value,
-) -> Result<(), RpcError> {
-    let password = if let Some(password) = password {
-        password
-    } else {
-        rpassword::prompt_password_stdout("Password: ")?
-    };
-
-    rpc_toolkit::command_helpers::call_remote(
-        ctx,
-        "auth.login",
-        serde_json::json!({ "password": password, "metadata": metadata }),
-        PhantomData::<()>,
-    )
-    .await?
-    .result?;
-
-    Ok(())
-}
-
-pub fn check_password(hash: &str, password: &str) -> Result<(), Error> {
-    ensure_code!(
-        argon2::verify_encoded(&hash, password.as_bytes()).map_err(|_| {
-            Error::new(
-                eyre!("Password Incorrect"),
-                crate::ErrorKind::IncorrectPassword,
-            )
-        })?,
-        crate::ErrorKind::IncorrectPassword,
-        "Password Incorrect"
-    );
-    Ok(())
-}
-
-pub async fn check_password_against_db<Ex>(secrets: &mut Ex, password: &str) -> Result<(), Error>
-where
-    for<'a> &'a mut Ex: Executor<'a, Database = Sqlite>,
-{
-    let pw_hash = sqlx::query!("SELECT password FROM account")
-        .fetch_one(secrets)
-        .await?
-        .password;
-    check_password(&pw_hash, password)?;
-    Ok(())
-}
-
-#[command(
-    custom_cli(cli_login(async, context(CliContext))),
-    display(display_none),
-    metadata(authenticated = false)
-)]
-#[instrument(skip(ctx, password))]
-pub async fn login(
-    #[context] ctx: RpcContext,
-    #[request] req: &RequestParts,
-    #[response] res: &mut ResponseParts,
-    #[arg] password: Option<String>,
-    #[arg(
-        parse(parse_metadata),
-        default = "",
-        help = "RPC Only: This value cannot be overidden from the cli"
-    )]
-    metadata: Value,
-) -> Result<(), Error> {
-    let password = password.unwrap_or_default();
-    let mut handle = ctx.secret_store.acquire().await?;
-    check_password_against_db(&mut handle, &password).await?;
-
-    let hash_token = HashSessionToken::new();
-    let user_agent = req.headers.get("user-agent").and_then(|h| h.to_str().ok());
-    let metadata = serde_json::to_string(&metadata).with_kind(crate::ErrorKind::Database)?;
-    let hash_token_hashed = hash_token.hashed();
-    sqlx::query!(
-        "INSERT INTO session (id, user_agent, metadata) VALUES (?, ?, ?)",
-        hash_token_hashed,
-        user_agent,
-        metadata,
-    )
-    .execute(&mut handle)
-    .await?;
-    res.headers.insert(
-        "set-cookie",
-        hash_token.header_value()?, // Should be impossible, but don't want to panic
-    );
-
-    Ok(())
-}
-
-#[command(display(display_none), metadata(authenticated = false))]
-#[instrument(skip(ctx))]
-pub async fn logout(
-    #[context] ctx: RpcContext,
-    #[request] req: &RequestParts,
-) -> Result<Option<HasLoggedOutSessions>, Error> {
-    let auth = match HashSessionToken::from_request_parts(req) {
-        Err(_) => return Ok(None),
-        Ok(a) => a,
-    };
-    Ok(Some(HasLoggedOutSessions::new(vec![auth], &ctx).await?))
-}
-
-#[derive(Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct Session {
-    logged_in: DateTime<Utc>,
-    last_active: DateTime<Utc>,
-    user_agent: Option<String>,
-    metadata: Value,
-}
-
-#[derive(Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct SessionList {
-    current: String,
-    sessions: BTreeMap<String, Session>,
-}
-
-#[command(subcommands(list, kill))]
-pub async fn session() -> Result<(), Error> {
-    Ok(())
-}
-
-fn display_sessions(arg: SessionList, matches: &ArgMatches<'_>) {
-    use prettytable::*;
-
-    if matches.is_present("format") {
-        return display_serializable(arg, matches);
-    }
-
-    let mut table = Table::new();
-    table.add_row(row![bc =>
-        "ID",
-        "LOGGED IN",
-        "LAST ACTIVE",
-        "USER AGENT",
-        "METADATA",
-    ]);
-    for (id, session) in arg.sessions {
-        let mut row = row![
-            &id,
-            &format!("{}", session.logged_in),
-            &format!("{}", session.last_active),
-            session.user_agent.as_deref().unwrap_or("N/A"),
-            &format!("{}", session.metadata),
-        ];
-        if id == arg.current {
-            row.iter_mut()
-                .map(|c| c.style(Attr::ForegroundColor(color::GREEN)))
-                .collect::<()>()
-        }
-        table.add_row(row);
-    }
-    table.print_tty(false);
-}
-
-#[command(display(display_sessions))]
-#[instrument(skip(ctx))]
-pub async fn list(
-    #[context] ctx: RpcContext,
-    #[request] req: &RequestParts,
-    #[allow(unused_variables)]
-    #[arg(long = "format")]
-    format: Option<IoFormat>,
-) -> Result<SessionList, Error> {
-    Ok(SessionList {
-        current: HashSessionToken::from_request_parts(req)?.as_hash(),
-        sessions: sqlx::query!(
-            "SELECT * FROM session WHERE logged_out IS NULL OR logged_out > CURRENT_TIMESTAMP"
-        )
-        .fetch_all(&mut ctx.secret_store.acquire().await?)
-        .await?
-        .into_iter()
-        .map(|row| {
-            Ok((
-                row.id,
-                Session {
-                    logged_in: DateTime::from_utc(row.logged_in, Utc),
-                    last_active: DateTime::from_utc(row.last_active, Utc),
-                    user_agent: row.user_agent,
-                    metadata: serde_json::from_str(&row.metadata)
-                        .with_kind(crate::ErrorKind::Database)?,
-                },
-            ))
-        })
-        .collect::<Result<_, Error>>()?,
-    })
-}
-
-fn parse_comma_separated(arg: &str, _: &ArgMatches<'_>) -> Result<Vec<String>, RpcError> {
-    Ok(arg.split(",").map(|s| s.trim().to_owned()).collect())
-}
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-struct KillSessionId(String);
-
-impl AsLogoutSessionId for KillSessionId {
-    fn as_logout_session_id(self) -> String {
-        self.0
-    }
-}
-
-#[command(display(display_none))]
-#[instrument(skip(ctx))]
-pub async fn kill(
-    #[context] ctx: RpcContext,
-    #[arg(parse(parse_comma_separated))] ids: Vec<String>,
-) -> Result<(), Error> {
-    HasLoggedOutSessions::new(ids.into_iter().map(KillSessionId), &ctx).await?;
-    Ok(())
-}
-
-#[instrument(skip(ctx, old_password, new_password))]
-async fn cli_reset_password(
-    ctx: CliContext,
-    old_password: Option<String>,
-    new_password: Option<String>,
-) -> Result<(), RpcError> {
-    let old_password = if let Some(old_password) = old_password {
-        old_password
-    } else {
-        rpassword::prompt_password_stdout("Current Password: ")?
-    };
-
-    let new_password = if let Some(new_password) = new_password {
-        new_password
-    } else {
-        let new_password = rpassword::prompt_password_stdout("New Password: ")?;
-        if new_password != rpassword::prompt_password_stdout("Confirm: ")? {
-            return Err(Error::new(
-                eyre!("Passwords do not match"),
-                crate::ErrorKind::IncorrectPassword,
-            )
-            .into());
-        }
-        new_password
-    };
-
-    rpc_toolkit::command_helpers::call_remote(
-        ctx,
-        "auth.reset-password",
-        serde_json::json!({ "old-password": old_password, "new-password": new_password }),
-        PhantomData::<()>,
-    )
-    .await?
-    .result?;
-
-    Ok(())
-}
-
-pub struct SetPasswordReceipt(LockReceipt<String, ()>);
-impl SetPasswordReceipt {
-    pub async fn new<Db: DbHandle>(db: &mut Db) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(
-        locks: &mut Vec<patch_db::LockTargetId>,
-    ) -> impl FnOnce(&patch_db::Verifier) -> Result<Self, Error> {
-        let password_hash = crate::db::DatabaseModel::new()
-            .server_info()
-            .password_hash()
-            .make_locker(patch_db::LockType::Write)
-            .add_to_keys(locks);
-        move |skeleton_key| Ok(Self(password_hash.verify(skeleton_key)?))
-    }
-}
-
-pub async fn set_password<Db: DbHandle, Ex>(
-    db: &mut Db,
-    receipt: &SetPasswordReceipt,
-    secrets: &mut Ex,
-    password: &str,
-) -> Result<(), Error>
-where
-    for<'a> &'a mut Ex: Executor<'a, Database = Sqlite>,
-{
-    let password = argon2::hash_encoded(
-        password.as_bytes(),
-        &rand::random::<[u8; 16]>()[..],
-        &argon2::Config::default(),
-    )
-    .with_kind(crate::ErrorKind::PasswordHashGeneration)?;
-
-    sqlx::query!("UPDATE account SET password = ?", password,)
-        .execute(secrets)
-        .await?;
-
-    receipt.0.set(db, password).await?;
-
-    Ok(())
-}
-
-#[command(
-    rename = "reset-password",
-    custom_cli(cli_reset_password(async, context(CliContext))),
-    display(display_none)
-)]
-#[instrument(skip(ctx, old_password, new_password))]
-pub async fn reset_password(
-    #[context] ctx: RpcContext,
-    #[arg(rename = "old-password")] old_password: Option<String>,
-    #[arg(rename = "new-password")] new_password: Option<String>,
-) -> Result<(), Error> {
-    let old_password = old_password.unwrap_or_default();
-    let new_password = new_password.unwrap_or_default();
-
-    let mut secrets = ctx.secret_store.acquire().await?;
-    check_password_against_db(&mut secrets, &old_password).await?;
-
-    let mut db = ctx.db.handle();
-
-    let set_password_receipt = SetPasswordReceipt::new(&mut db).await?;
-
-    set_password(&mut db, &set_password_receipt, &mut secrets, &new_password).await?;
-
-    Ok(())
-}
--- a/backend/src/backup/backup_bulk.rs
+++ b/backend/src/backup/backup_bulk.rs
@@ -1,459 +0,0 @@
-use std::collections::{BTreeMap, BTreeSet};
-use std::sync::Arc;
-
-use chrono::Utc;
-use clap::ArgMatches;
-use color_eyre::eyre::eyre;
-use openssl::pkey::{PKey, Private};
-use openssl::x509::X509;
-use patch_db::{DbHandle, LockType, PatchDbHandle, Revision};
-use rpc_toolkit::command;
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
-use tokio::io::AsyncWriteExt;
-use torut::onion::TorSecretKeyV3;
-use tracing::instrument;
-
-use super::target::BackupTargetId;
-use super::PackageBackupReport;
-use crate::auth::check_password_against_db;
-use crate::backup::{BackupReport, ServerBackupReport};
-use crate::context::RpcContext;
-use crate::db::model::BackupProgress;
-use crate::db::util::WithRevision;
-use crate::disk::mount::backup::BackupMountGuard;
-use crate::disk::mount::filesystem::ReadWrite;
-use crate::disk::mount::guard::TmpMountGuard;
-use crate::notifications::NotificationLevel;
-use crate::s9pk::manifest::PackageId;
-use crate::status::MainStatus;
-use crate::util::serde::IoFormat;
-use crate::util::{display_none, AtomicFile};
-use crate::version::VersionT;
-use crate::Error;
-
-#[derive(Debug)]
-pub struct OsBackup {
-    pub tor_key: TorSecretKeyV3,
-    pub root_ca_key: PKey<Private>,
-    pub root_ca_cert: X509,
-    pub ui: Value,
-}
-impl<'de> Deserialize<'de> for OsBackup {
-    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
-    where
-        D: serde::Deserializer<'de>,
-    {
-        #[derive(Deserialize)]
-        #[serde(rename = "kebab-case")]
-        struct OsBackupDe {
-            tor_key: String,
-            root_ca_key: String,
-            root_ca_cert: String,
-            ui: Value,
-        }
-        let int = OsBackupDe::deserialize(deserializer)?;
-        let key_vec = base32::decode(base32::Alphabet::RFC4648 { padding: true }, &int.tor_key)
-            .ok_or_else(|| {
-                serde::de::Error::invalid_value(
-                    serde::de::Unexpected::Str(&int.tor_key),
-                    &"an RFC4648 encoded string",
-                )
-            })?;
-        if key_vec.len() != 64 {
-            return Err(serde::de::Error::invalid_value(
-                serde::de::Unexpected::Str(&int.tor_key),
-                &"a 64 byte value encoded as an RFC4648 string",
-            ));
-        }
-        let mut key_slice = [0; 64];
-        key_slice.clone_from_slice(&key_vec);
-        Ok(OsBackup {
-            tor_key: TorSecretKeyV3::from(key_slice),
-            root_ca_key: PKey::<Private>::private_key_from_pem(int.root_ca_key.as_bytes())
-                .map_err(serde::de::Error::custom)?,
-            root_ca_cert: X509::from_pem(int.root_ca_cert.as_bytes())
-                .map_err(serde::de::Error::custom)?,
-            ui: int.ui,
-        })
-    }
-}
-impl Serialize for OsBackup {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: serde::Serializer,
-    {
-        #[derive(Serialize)]
-        #[serde(rename = "kebab-case")]
-        struct OsBackupSer<'a> {
-            tor_key: String,
-            root_ca_key: String,
-            root_ca_cert: String,
-            ui: &'a Value,
-        }
-        OsBackupSer {
-            tor_key: base32::encode(
-                base32::Alphabet::RFC4648 { padding: true },
-                &self.tor_key.as_bytes(),
-            ),
-            root_ca_key: String::from_utf8(
-                self.root_ca_key
-                    .private_key_to_pem_pkcs8()
-                    .map_err(serde::ser::Error::custom)?,
-            )
-            .map_err(serde::ser::Error::custom)?,
-            root_ca_cert: String::from_utf8(
-                self.root_ca_cert
-                    .to_pem()
-                    .map_err(serde::ser::Error::custom)?,
-            )
-            .map_err(serde::ser::Error::custom)?,
-            ui: &self.ui,
-        }
-        .serialize(serializer)
-    }
-}
-
-fn parse_comma_separated(arg: &str, _: &ArgMatches<'_>) -> Result<BTreeSet<PackageId>, Error> {
-    arg.split(',')
-        .map(|s| s.trim().parse().map_err(Error::from))
-        .collect()
-}
-
-#[command(rename = "create", display(display_none))]
-#[instrument(skip(ctx, old_password, password))]
-pub async fn backup_all(
-    #[context] ctx: RpcContext,
-    #[arg(rename = "target-id")] target_id: BackupTargetId,
-    #[arg(rename = "old-password", long = "old-password")] old_password: Option<String>,
-    #[arg(
-        rename = "package-ids",
-        long = "package-ids",
-        parse(parse_comma_separated)
-    )]
-    package_ids: Option<BTreeSet<PackageId>>,
-    #[arg] password: String,
-) -> Result<WithRevision<()>, Error> {
-    let mut db = ctx.db.handle();
-    check_password_against_db(&mut ctx.secret_store.acquire().await?, &password).await?;
-    let fs = target_id
-        .load(&mut ctx.secret_store.acquire().await?)
-        .await?;
-    let mut backup_guard = BackupMountGuard::mount(
-        TmpMountGuard::mount(&fs, ReadWrite).await?,
-        old_password.as_ref().unwrap_or(&password),
-    )
-    .await?;
-    let all_packages = crate::db::DatabaseModel::new()
-        .package_data()
-        .get(&mut db, false)
-        .await?
-        .0
-        .keys()
-        .into_iter()
-        .cloned()
-        .collect();
-    let package_ids = package_ids.unwrap_or(all_packages);
-    if old_password.is_some() {
-        backup_guard.change_password(&password)?;
-    }
-    let revision = assure_backing_up(&mut db, &package_ids).await?;
-    tokio::task::spawn(async move {
-        let backup_res = perform_backup(&ctx, &mut db, backup_guard, &package_ids).await;
-        let backup_progress = crate::db::DatabaseModel::new()
-            .server_info()
-            .status_info()
-            .backup_progress();
-        backup_progress
-            .clone()
-            .lock(&mut db, LockType::Write)
-            .await
-            .expect("failed to lock server status");
-        match backup_res {
-            Ok(report) if report.iter().all(|(_, rep)| rep.error.is_none()) => ctx
-                .notification_manager
-                .notify(
-                    &mut db,
-                    None,
-                    NotificationLevel::Success,
-                    "Backup Complete".to_owned(),
-                    "Your backup has completed".to_owned(),
-                    BackupReport {
-                        server: ServerBackupReport {
-                            attempted: true,
-                            error: None,
-                        },
-                        packages: report,
-                    },
-                    None,
-                )
-                .await
-                .expect("failed to send notification"),
-            Ok(report) => ctx
-                .notification_manager
-                .notify(
-                    &mut db,
-                    None,
-                    NotificationLevel::Warning,
-                    "Backup Complete".to_owned(),
-                    "Your backup has completed, but some package(s) failed to backup".to_owned(),
-                    BackupReport {
-                        server: ServerBackupReport {
-                            attempted: true,
-                            error: None,
-                        },
-                        packages: report,
-                    },
-                    None,
-                )
-                .await
-                .expect("failed to send notification"),
-            Err(e) => {
-                tracing::error!("Backup Failed: {}", e);
-                tracing::debug!("{:?}", e);
-                ctx.notification_manager
-                    .notify(
-                        &mut db,
-                        None,
-                        NotificationLevel::Error,
-                        "Backup Failed".to_owned(),
-                        "Your backup failed to complete.".to_owned(),
-                        BackupReport {
-                            server: ServerBackupReport {
-                                attempted: true,
-                                error: Some(e.to_string()),
-                            },
-                            packages: BTreeMap::new(),
-                        },
-                        None,
-                    )
-                    .await
-                    .expect("failed to send notification");
-            }
-        }
-        backup_progress
-            .delete(&mut db)
-            .await
-            .expect("failed to change server status");
-    });
-    Ok(WithRevision {
-        response: (),
-        revision,
-    })
-}
-
-#[instrument(skip(db, packages))]
-async fn assure_backing_up(
-    db: &mut PatchDbHandle,
-    packages: impl IntoIterator<Item = &PackageId>,
-) -> Result<Option<Arc<Revision>>, Error> {
-    let mut tx = db.begin().await?;
-    let mut backing_up = crate::db::DatabaseModel::new()
-        .server_info()
-        .status_info()
-        .backup_progress()
-        .get_mut(&mut tx)
-        .await?;
-
-    if backing_up
-        .iter()
-        .flat_map(|x| x.values())
-        .fold(false, |acc, x| {
-            if !x.complete {
-                return true;
-            }
-            acc
-        })
-    {
-        return Err(Error::new(
-            eyre!("Server is already backing up!"),
-            crate::ErrorKind::InvalidRequest,
-        ));
-    }
-    *backing_up = Some(
-        packages
-            .into_iter()
-            .map(|x| (x.clone(), BackupProgress { complete: false }))
-            .collect(),
-    );
-    backing_up.save(&mut tx).await?;
-    Ok(tx.commit(None).await?)
-}
-
-#[instrument(skip(ctx, db, backup_guard))]
-async fn perform_backup<Db: DbHandle>(
-    ctx: &RpcContext,
-    mut db: Db,
-    mut backup_guard: BackupMountGuard<TmpMountGuard>,
-    package_ids: &BTreeSet<PackageId>,
-) -> Result<BTreeMap<PackageId, PackageBackupReport>, Error> {
-    let mut backup_report = BTreeMap::new();
-
-    for package_id in crate::db::DatabaseModel::new()
-        .package_data()
-        .keys(&mut db, false)
-        .await?
-        .into_iter()
-        .filter(|id| package_ids.contains(id))
-    {
-        let mut tx = db.begin().await?; // for lock scope
-        let installed_model = if let Some(installed_model) = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(&package_id)
-            .and_then(|m| m.installed())
-            .check(&mut tx)
-            .await?
-        {
-            installed_model
-        } else {
-            continue;
-        };
-        let main_status_model = installed_model.clone().status().main();
-
-        main_status_model.lock(&mut tx, LockType::Write).await?;
-        let (started, health) = match main_status_model.get(&mut tx, true).await?.into_owned() {
-            MainStatus::Starting { .. } => (Some(Utc::now()), Default::default()),
-            MainStatus::Running { started, health } => (Some(started), health.clone()),
-            MainStatus::Stopped | MainStatus::Stopping | MainStatus::Restarting => {
-                (None, Default::default())
-            }
-            MainStatus::BackingUp { .. } => {
-                backup_report.insert(
-                    package_id,
-                    PackageBackupReport {
-                        error: Some(
-                            "Can't do backup because service is in a backing up state".to_owned(),
-                        ),
-                    },
-                );
-                continue;
-            }
-        };
-        main_status_model
-            .put(
-                &mut tx,
-                &MainStatus::BackingUp {
-                    started,
-                    health: health.clone(),
-                },
-            )
-            .await?;
-        tx.save().await?; // drop locks
-
-        let manifest = installed_model
-            .clone()
-            .manifest()
-            .get(&mut db, false)
-            .await?;
-
-        ctx.managers
-            .get(&(manifest.id.clone(), manifest.version.clone()))
-            .await
-            .ok_or_else(|| {
-                Error::new(eyre!("Manager not found"), crate::ErrorKind::InvalidRequest)
-            })?
-            .synchronize()
-            .await;
-
-        let mut tx = db.begin().await?;
-
-        installed_model.lock(&mut tx, LockType::Write).await?;
-
-        let guard = backup_guard.mount_package_backup(&package_id).await?;
-        let res = manifest
-            .backup
-            .create(
-                ctx,
-                &package_id,
-                &manifest.title,
-                &manifest.version,
-                &manifest.interfaces,
-                &manifest.volumes,
-            )
-            .await;
-        guard.unmount().await?;
-        backup_report.insert(
-            package_id.clone(),
-            PackageBackupReport {
-                error: res.as_ref().err().map(|e| e.to_string()),
-            },
-        );
-
-        if let Ok(pkg_meta) = res {
-            installed_model
-                .last_backup()
-                .put(&mut tx, &Some(pkg_meta.timestamp))
-                .await?;
-            backup_guard
-                .metadata
-                .package_backups
-                .insert(package_id.clone(), pkg_meta);
-        }
-
-        main_status_model
-            .put(
-                &mut tx,
-                &match started {
-                    Some(started) => MainStatus::Running { started, health },
-                    None => MainStatus::Stopped,
-                },
-            )
-            .await?;
-
-        let mut backup_progress = crate::db::DatabaseModel::new()
-            .server_info()
-            .status_info()
-            .backup_progress()
-            .get_mut(&mut tx)
-            .await?;
-        if backup_progress.is_none() {
-            *backup_progress = Some(Default::default());
-        }
-        if let Some(mut backup_progress) = backup_progress
-            .as_mut()
-            .and_then(|bp| bp.get_mut(&package_id))
-        {
-            (*backup_progress).complete = true;
-        }
-        backup_progress.save(&mut tx).await?;
-        tx.save().await?;
-    }
-
-    crate::db::DatabaseModel::new()
-        .lock(&mut db, LockType::Write)
-        .await?;
-
-    let (root_ca_key, root_ca_cert) = ctx.net_controller.ssl.export_root_ca().await?;
-    let mut os_backup_file = AtomicFile::new(backup_guard.as_ref().join("os-backup.cbor")).await?;
-    os_backup_file
-        .write_all(
-            &IoFormat::Cbor.to_vec(&OsBackup {
-                tor_key: ctx.net_controller.tor.embassyd_tor_key().await,
-                root_ca_key,
-                root_ca_cert,
-                ui: crate::db::DatabaseModel::new()
-                    .ui()
-                    .get(&mut db, true)
-                    .await?
-                    .into_owned(),
-            })?,
-        )
-        .await?;
-    os_backup_file.save().await?;
-
-    let timestamp = Some(Utc::now());
-
-    backup_guard.unencrypted_metadata.version = crate::version::Current::new().semver().into();
-    backup_guard.unencrypted_metadata.full = true;
-    backup_guard.metadata.version = crate::version::Current::new().semver().into();
-    backup_guard.metadata.timestamp = timestamp;
-
-    backup_guard.save_and_unmount().await?;
-
-    crate::db::DatabaseModel::new()
-        .server_info()
-        .last_backup()
-        .put(&mut db, &timestamp)
-        .await?;
-    Ok(backup_report)
-}
--- a/backend/src/backup/mod.rs
+++ b/backend/src/backup/mod.rs
@@ -1,248 +0,0 @@
-use std::collections::{BTreeMap, BTreeSet};
-use std::path::Path;
-
-use chrono::{DateTime, Utc};
-use color_eyre::eyre::eyre;
-use patch_db::{DbHandle, HasModel, LockType};
-use rpc_toolkit::command;
-use serde::{Deserialize, Serialize};
-use sqlx::{Executor, Sqlite};
-use tokio::fs::File;
-use tokio::io::AsyncWriteExt;
-use tracing::instrument;
-
-use self::target::PackageBackupInfo;
-use crate::context::RpcContext;
-use crate::dependencies::reconfigure_dependents_with_live_pointers;
-use crate::id::ImageId;
-use crate::install::PKG_ARCHIVE_DIR;
-use crate::net::interface::{InterfaceId, Interfaces};
-use crate::procedure::{NoOutput, PackageProcedure, ProcedureName};
-use crate::s9pk::manifest::PackageId;
-use crate::util::serde::IoFormat;
-use crate::util::{AtomicFile, Version};
-use crate::version::{Current, VersionT};
-use crate::volume::{backup_dir, Volume, VolumeId, Volumes, BACKUP_DIR};
-use crate::{Error, ResultExt};
-
-pub mod backup_bulk;
-pub mod restore;
-pub mod target;
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct BackupReport {
-    server: ServerBackupReport,
-    packages: BTreeMap<PackageId, PackageBackupReport>,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct ServerBackupReport {
-    attempted: bool,
-    error: Option<String>,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct PackageBackupReport {
-    error: Option<String>,
-}
-
-#[command(subcommands(backup_bulk::backup_all, target::target))]
-pub fn backup() -> Result<(), Error> {
-    Ok(())
-}
-
-#[command(rename = "backup", subcommands(restore::restore_packages_rpc))]
-pub fn package_backup() -> Result<(), Error> {
-    Ok(())
-}
-
-#[derive(Deserialize, Serialize)]
-struct BackupMetadata {
-    pub timestamp: DateTime<Utc>,
-    pub tor_keys: BTreeMap<InterfaceId, String>,
-}
-
-#[derive(Clone, Debug, Deserialize, Serialize, HasModel)]
-pub struct BackupActions {
-    pub create: PackageProcedure,
-    pub restore: PackageProcedure,
-}
-impl BackupActions {
-    pub fn validate(&self, volumes: &Volumes, image_ids: &BTreeSet<ImageId>) -> Result<(), Error> {
-        self.create
-            .validate(volumes, image_ids, false)
-            .with_ctx(|_| (crate::ErrorKind::ValidateS9pk, "Backup Create"))?;
-        self.restore
-            .validate(volumes, image_ids, false)
-            .with_ctx(|_| (crate::ErrorKind::ValidateS9pk, "Backup Restore"))?;
-        Ok(())
-    }
-
-    #[instrument(skip(ctx))]
-    pub async fn create(
-        &self,
-        ctx: &RpcContext,
-        pkg_id: &PackageId,
-        pkg_title: &str,
-        pkg_version: &Version,
-        interfaces: &Interfaces,
-        volumes: &Volumes,
-    ) -> Result<PackageBackupInfo, Error> {
-        let mut volumes = volumes.to_readonly();
-        volumes.insert(VolumeId::Backup, Volume::Backup { readonly: false });
-        let backup_dir = backup_dir(pkg_id);
-        if tokio::fs::metadata(&backup_dir).await.is_err() {
-            tokio::fs::create_dir_all(&backup_dir).await?
-        }
-        self.create
-            .execute::<(), NoOutput>(
-                ctx,
-                pkg_id,
-                pkg_version,
-                ProcedureName::CreateBackup,
-                &volumes,
-                None,
-                false,
-                None,
-            )
-            .await?
-            .map_err(|e| eyre!("{}", e.1))
-            .with_kind(crate::ErrorKind::Backup)?;
-        let tor_keys = interfaces
-            .tor_keys(&mut ctx.secret_store.acquire().await?, pkg_id)
-            .await?
-            .into_iter()
-            .map(|(id, key)| {
-                (
-                    id,
-                    base32::encode(base32::Alphabet::RFC4648 { padding: true }, &key.as_bytes()),
-                )
-            })
-            .collect();
-        let tmp_path = Path::new(BACKUP_DIR)
-            .join(pkg_id)
-            .join(format!("{}.s9pk", pkg_id));
-        let s9pk_path = ctx
-            .datadir
-            .join(PKG_ARCHIVE_DIR)
-            .join(pkg_id)
-            .join(pkg_version.as_str())
-            .join(format!("{}.s9pk", pkg_id));
-        let mut infile = File::open(&s9pk_path).await?;
-        let mut outfile = AtomicFile::new(&tmp_path).await?;
-        tokio::io::copy(&mut infile, &mut *outfile)
-            .await
-            .with_ctx(|_| {
-                (
-                    crate::ErrorKind::Filesystem,
-                    format!("cp {} -> {}", s9pk_path.display(), tmp_path.display()),
-                )
-            })?;
-        outfile.save().await?;
-        let timestamp = Utc::now();
-        let metadata_path = Path::new(BACKUP_DIR).join(pkg_id).join("metadata.cbor");
-        let mut outfile = AtomicFile::new(&metadata_path).await?;
-        outfile
-            .write_all(&IoFormat::Cbor.to_vec(&BackupMetadata {
-                timestamp,
-                tor_keys,
-            })?)
-            .await?;
-        outfile.save().await?;
-        Ok(PackageBackupInfo {
-            os_version: Current::new().semver().into(),
-            title: pkg_title.to_owned(),
-            version: pkg_version.clone(),
-            timestamp,
-        })
-    }
-
-    #[instrument(skip(ctx, db, secrets))]
-    pub async fn restore<Ex, Db: DbHandle>(
-        &self,
-        ctx: &RpcContext,
-        db: &mut Db,
-        secrets: &mut Ex,
-        pkg_id: &PackageId,
-        pkg_version: &Version,
-        interfaces: &Interfaces,
-        volumes: &Volumes,
-    ) -> Result<(), Error>
-    where
-        for<'a> &'a mut Ex: Executor<'a, Database = Sqlite>,
-    {
-        let mut volumes = volumes.clone();
-        volumes.insert(VolumeId::Backup, Volume::Backup { readonly: true });
-        self.restore
-            .execute::<(), NoOutput>(
-                ctx,
-                pkg_id,
-                pkg_version,
-                ProcedureName::RestoreBackup,
-                &volumes,
-                None,
-                false,
-                None,
-            )
-            .await?
-            .map_err(|e| eyre!("{}", e.1))
-            .with_kind(crate::ErrorKind::Restore)?;
-        let metadata_path = Path::new(BACKUP_DIR).join(pkg_id).join("metadata.cbor");
-        let metadata: BackupMetadata = IoFormat::Cbor.from_slice(
-            &tokio::fs::read(&metadata_path).await.with_ctx(|_| {
-                (
-                    crate::ErrorKind::Filesystem,
-                    metadata_path.display().to_string(),
-                )
-            })?,
-        )?;
-        for (iface, key) in metadata.tor_keys {
-            let key_vec = base32::decode(base32::Alphabet::RFC4648 { padding: true }, &key)
-                .ok_or_else(|| {
-                    Error::new(
-                        eyre!("invalid base32 string"),
-                        crate::ErrorKind::Deserialization,
-                    )
-                })?;
-            sqlx::query!(
-                "REPLACE INTO tor (package, interface, key) VALUES (?, ?, ?)",
-                **pkg_id,
-                *iface,
-                key_vec,
-            )
-            .execute(&mut *secrets)
-            .await?;
-        }
-        crate::db::DatabaseModel::new()
-            .package_data()
-            .lock(db, LockType::Write)
-            .await?;
-        crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(pkg_id)
-            .expect(db)
-            .await?
-            .installed()
-            .expect(db)
-            .await?
-            .interface_addresses()
-            .put(db, &interfaces.install(&mut *secrets, pkg_id).await?)
-            .await?;
-
-        let entry = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(pkg_id)
-            .expect(db)
-            .await?
-            .installed()
-            .expect(db)
-            .await?
-            .get(db, true)
-            .await?;
-
-        let receipts = crate::config::ConfigReceipts::new(db).await?;
-        reconfigure_dependents_with_live_pointers(ctx, db, &receipts, &entry).await?;
-
-        Ok(())
-    }
-}
--- a/backend/src/backup/restore.rs
+++ b/backend/src/backup/restore.rs
@@ -1,420 +0,0 @@
-use std::collections::BTreeMap;
-use std::path::Path;
-use std::sync::atomic::Ordering;
-use std::sync::Arc;
-use std::time::Duration;
-
-use clap::ArgMatches;
-use color_eyre::eyre::eyre;
-use futures::future::BoxFuture;
-use futures::FutureExt;
-use openssl::x509::X509;
-use patch_db::{DbHandle, PatchDbHandle, Revision};
-use rpc_toolkit::command;
-use tokio::fs::File;
-use tokio::task::JoinHandle;
-use torut::onion::OnionAddressV3;
-use tracing::instrument;
-
-use super::target::BackupTargetId;
-use crate::backup::backup_bulk::OsBackup;
-use crate::context::{RpcContext, SetupContext};
-use crate::db::model::{PackageDataEntry, StaticFiles};
-use crate::db::util::WithRevision;
-use crate::disk::mount::backup::{BackupMountGuard, PackageBackupMountGuard};
-use crate::disk::mount::filesystem::ReadOnly;
-use crate::disk::mount::guard::TmpMountGuard;
-use crate::install::progress::InstallProgress;
-use crate::install::{download_install_s9pk, PKG_PUBLIC_DIR};
-use crate::net::ssl::SslManager;
-use crate::notifications::NotificationLevel;
-use crate::s9pk::manifest::{Manifest, PackageId};
-use crate::s9pk::reader::S9pkReader;
-use crate::setup::RecoveryStatus;
-use crate::util::display_none;
-use crate::util::io::dir_size;
-use crate::util::serde::IoFormat;
-use crate::volume::{backup_dir, BACKUP_DIR, PKG_VOLUME_DIR};
-use crate::{Error, ResultExt};
-
-fn parse_comma_separated(arg: &str, _: &ArgMatches<'_>) -> Result<Vec<PackageId>, Error> {
-    arg.split(',')
-        .map(|s| s.trim().parse().map_err(Error::from))
-        .collect()
-}
-
-#[command(rename = "restore", display(display_none))]
-#[instrument(skip(ctx, password))]
-pub async fn restore_packages_rpc(
-    #[context] ctx: RpcContext,
-    #[arg(parse(parse_comma_separated))] ids: Vec<PackageId>,
-    #[arg(rename = "target-id")] target_id: BackupTargetId,
-    #[arg] password: String,
-) -> Result<WithRevision<()>, Error> {
-    let mut db = ctx.db.handle();
-    let fs = target_id
-        .load(&mut ctx.secret_store.acquire().await?)
-        .await?;
-    let backup_guard = BackupMountGuard::mount(
-        TmpMountGuard::mount(&fs, ReadOnly).await?,
-        &password,
-    )
-    .await?;
-
-    let (revision, backup_guard, tasks, _) =
-        restore_packages(&ctx, &mut db, backup_guard, ids).await?;
-
-    tokio::spawn(async {
-        futures::future::join_all(tasks).await;
-        if let Err(e) = backup_guard.unmount().await {
-            tracing::error!("Error unmounting backup drive: {}", e);
-            tracing::debug!("{:?}", e);
-        }
-    });
-
-    Ok(WithRevision {
-        response: (),
-        revision,
-    })
-}
-
-async fn approximate_progress(
-    rpc_ctx: &RpcContext,
-    progress: &mut ProgressInfo,
-) -> Result<(), Error> {
-    for (id, size) in &mut progress.target_volume_size {
-        let dir = rpc_ctx.datadir.join(PKG_VOLUME_DIR).join(id).join("data");
-        if tokio::fs::metadata(&dir).await.is_err() {
-            *size = 0;
-        } else {
-            *size = dir_size(&dir).await?;
-        }
-    }
-    Ok(())
-}
-
-async fn approximate_progress_loop(
-    ctx: &SetupContext,
-    rpc_ctx: &RpcContext,
-    mut starting_info: ProgressInfo,
-) {
-    loop {
-        if let Err(e) = approximate_progress(rpc_ctx, &mut starting_info).await {
-            tracing::error!("Failed to approximate restore progress: {}", e);
-            tracing::debug!("{:?}", e);
-        } else {
-            *ctx.recovery_status.write().await = Some(Ok(starting_info.flatten()));
-        }
-        tokio::time::sleep(Duration::from_secs(1)).await;
-    }
-}
-
-#[derive(Debug, Default)]
-struct ProgressInfo {
-    package_installs: BTreeMap<PackageId, Arc<InstallProgress>>,
-    src_volume_size: BTreeMap<PackageId, u64>,
-    target_volume_size: BTreeMap<PackageId, u64>,
-}
-impl ProgressInfo {
-    fn flatten(&self) -> RecoveryStatus {
-        let mut total_bytes = 0;
-        let mut bytes_transferred = 0;
-
-        for progress in self.package_installs.values() {
-            total_bytes += ((progress.size.unwrap_or(0) as f64) * 2.2) as u64;
-            bytes_transferred += progress.downloaded.load(Ordering::SeqCst);
-            bytes_transferred += ((progress.validated.load(Ordering::SeqCst) as f64) * 0.2) as u64;
-            bytes_transferred += progress.unpacked.load(Ordering::SeqCst);
-        }
-
-        for size in self.src_volume_size.values() {
-            total_bytes += *size;
-        }
-
-        for size in self.target_volume_size.values() {
-            bytes_transferred += *size;
-        }
-
-        if bytes_transferred > total_bytes {
-            bytes_transferred = total_bytes;
-        }
-
-        RecoveryStatus {
-            total_bytes,
-            bytes_transferred,
-            complete: false,
-        }
-    }
-}
-
-#[instrument(skip(ctx))]
-pub async fn recover_full_embassy(
-    ctx: SetupContext,
-    disk_guid: Arc<String>,
-    embassy_password: String,
-    recovery_source: TmpMountGuard,
-    recovery_password: Option<String>,
-) -> Result<(OnionAddressV3, X509, BoxFuture<'static, Result<(), Error>>), Error> {
-    let backup_guard = BackupMountGuard::mount(
-        recovery_source,
-        recovery_password.as_deref().unwrap_or_default(),
-    )
-    .await?;
-
-    let os_backup_path = backup_guard.as_ref().join("os-backup.cbor");
-    let os_backup: OsBackup =
-        IoFormat::Cbor.from_slice(&tokio::fs::read(&os_backup_path).await.with_ctx(|_| {
-            (
-                crate::ErrorKind::Filesystem,
-                os_backup_path.display().to_string(),
-            )
-        })?)?;
-
-    let password = argon2::hash_encoded(
-        embassy_password.as_bytes(),
-        &rand::random::<[u8; 16]>()[..],
-        &argon2::Config::default(),
-    )
-    .with_kind(crate::ErrorKind::PasswordHashGeneration)?;
-    let key_vec = os_backup.tor_key.as_bytes().to_vec();
-    let secret_store = ctx.secret_store().await?;
-    sqlx::query!(
-        "REPLACE INTO account (id, password, tor_key) VALUES (?, ?, ?)",
-        0,
-        password,
-        key_vec,
-    )
-    .execute(&mut secret_store.acquire().await?)
-    .await?;
-
-    SslManager::import_root_ca(
-        secret_store.clone(),
-        os_backup.root_ca_key,
-        os_backup.root_ca_cert.clone(),
-    )
-    .await?;
-    secret_store.close().await;
-
-    Ok((
-        os_backup.tor_key.public().get_onion_address(),
-        os_backup.root_ca_cert,
-        async move {
-            let rpc_ctx = RpcContext::init(ctx.config_path.as_ref(), disk_guid).await?;
-            let mut db = rpc_ctx.db.handle();
-
-            let ids = backup_guard
-            .metadata
-            .package_backups
-            .keys()
-            .cloned()
-            .collect();
-            let (_, backup_guard, tasks, progress_info) = restore_packages(
-                &rpc_ctx,
-                &mut db,
-                backup_guard,
-                ids,
-            )
-            .await?;
-
-            tokio::select! {
-                res = futures::future::join_all(tasks) => {
-                    for res in res {
-                        match res.with_kind(crate::ErrorKind::Unknown) {
-                            Ok((Ok(_), _)) => (),
-                            Ok((Err(err), package_id)) => {
-                                if let Err(err) = rpc_ctx.notification_manager.notify(
-                                    &mut db,
-                                    Some(package_id.clone()),
-                                    NotificationLevel::Error, 
-                                    "Restoration Failure".to_string(), format!("Error restoring package {}: {}", package_id,err), (), None).await{
-                                    tracing::error!("Failed to notify: {}", err);
-                                    tracing::debug!("{:?}", err);
-                                    };
-                                tracing::error!("Error restoring package {}: {}", package_id, err);
-                                tracing::debug!("{:?}", err);
-                            },
-                            Err(e) => {
-                                if let Err(err) = rpc_ctx.notification_manager.notify(
-                                    &mut db,
-                                    None,
-                                    NotificationLevel::Error, 
-                                    "Restoration Failure".to_string(), format!("Error restoring ?: {}", e), (), None).await {
-
-                                    tracing::error!("Failed to notify: {}", err);
-                                    tracing::debug!("{:?}", err);
-                                }
-                                tracing::error!("Error restoring packages: {}", e);
-                                tracing::debug!("{:?}", e);
-                            },
-
-                        }
-                    }
-                },
-                _ = approximate_progress_loop(&ctx, &rpc_ctx, progress_info) => unreachable!(concat!(module_path!(), "::approximate_progress_loop should not terminate")),
-            }
-
-            backup_guard.unmount().await?;
-            rpc_ctx.shutdown().await
-        }.boxed()
-    ))
-}
-
-async fn restore_packages(
-    ctx: &RpcContext,
-    db: &mut PatchDbHandle,
-    backup_guard: BackupMountGuard<TmpMountGuard>,
-    ids: Vec<PackageId>,
-) -> Result<
-    (
-        Option<Arc<Revision>>,
-        BackupMountGuard<TmpMountGuard>,
-        Vec<JoinHandle<(Result<(), Error>, PackageId)>>,
-        ProgressInfo,
-    ),
-    Error,
-> {
-    let (revision, guards) = assure_restoring(ctx, db, ids, &backup_guard).await?;
-
-    let mut progress_info = ProgressInfo::default();
-
-    let mut tasks = Vec::with_capacity(guards.len());
-    for (manifest, guard) in guards {
-        let id = manifest.id.clone();
-        let (progress, task) = restore_package(ctx.clone(), manifest, guard).await?;
-        progress_info.package_installs.insert(id.clone(), progress);
-        progress_info
-            .src_volume_size
-            .insert(id.clone(), dir_size(backup_dir(&id)).await?);
-        progress_info.target_volume_size.insert(id.clone(), 0);
-        let package_id = id.clone();
-        tasks.push(tokio::spawn(
-            async move {
-                if let Err(e) = task.await {
-                    tracing::error!("Error restoring package {}: {}", id, e);
-                    tracing::debug!("{:?}", e);
-                    Err(e)
-                } else {
-                    Ok(())
-                }
-            }
-            .map(|x| (x, package_id)),
-        ));
-    }
-
-    Ok((revision, backup_guard, tasks, progress_info))
-}
-
-#[instrument(skip(ctx, db, backup_guard))]
-async fn assure_restoring(
-    ctx: &RpcContext,
-    db: &mut PatchDbHandle,
-    ids: Vec<PackageId>,
-    backup_guard: &BackupMountGuard<TmpMountGuard>,
-) -> Result<
-    (
-        Option<Arc<Revision>>,
-        Vec<(Manifest, PackageBackupMountGuard)>,
-    ),
-    Error,
-> {
-    let mut tx = db.begin().await?;
-
-    let mut guards = Vec::with_capacity(ids.len());
-
-    for id in ids {
-        let mut model = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(&id)
-            .get_mut(&mut tx)
-            .await?;
-
-        if !model.is_none() {
-            return Err(Error::new(
-                eyre!("Can't restore over existing package: {}", id),
-                crate::ErrorKind::InvalidRequest,
-            ));
-        }
-
-        let guard = backup_guard.mount_package_backup(&id).await?;
-        let s9pk_path = Path::new(BACKUP_DIR).join(&id).join(format!("{}.s9pk", id));
-        let mut rdr = S9pkReader::open(&s9pk_path, false).await?;
-
-        let manifest = rdr.manifest().await?;
-        let version = manifest.version.clone();
-        let progress = InstallProgress::new(Some(tokio::fs::metadata(&s9pk_path).await?.len()));
-
-        let public_dir_path = ctx
-            .datadir
-            .join(PKG_PUBLIC_DIR)
-            .join(&id)
-            .join(version.as_str());
-        tokio::fs::create_dir_all(&public_dir_path).await?;
-
-        let license_path = public_dir_path.join("LICENSE.md");
-        let mut dst = File::create(&license_path).await?;
-        tokio::io::copy(&mut rdr.license().await?, &mut dst).await?;
-        dst.sync_all().await?;
-
-        let instructions_path = public_dir_path.join("INSTRUCTIONS.md");
-        let mut dst = File::create(&instructions_path).await?;
-        tokio::io::copy(&mut rdr.instructions().await?, &mut dst).await?;
-        dst.sync_all().await?;
-
-        let icon_path = Path::new("icon").with_extension(&manifest.assets.icon_type());
-        let icon_path = public_dir_path.join(&icon_path);
-        let mut dst = File::create(&icon_path).await?;
-        tokio::io::copy(&mut rdr.icon().await?, &mut dst).await?;
-        dst.sync_all().await?;
-
-        *model = Some(PackageDataEntry::Restoring {
-            install_progress: progress.clone(),
-            static_files: StaticFiles::local(&id, &version, manifest.assets.icon_type()),
-            manifest: manifest.clone(),
-        });
-        model.save(&mut tx).await?;
-
-        guards.push((manifest, guard));
-    }
-
-    Ok((tx.commit(None).await?, guards))
-}
-
-#[instrument(skip(ctx, guard))]
-async fn restore_package<'a>(
-    ctx: RpcContext,
-    manifest: Manifest,
-    guard: PackageBackupMountGuard,
-) -> Result<(Arc<InstallProgress>, BoxFuture<'static, Result<(), Error>>), Error> {
-    let s9pk_path = Path::new(BACKUP_DIR)
-        .join(&manifest.id)
-        .join(format!("{}.s9pk", manifest.id));
-    let len = tokio::fs::metadata(&s9pk_path)
-        .await
-        .with_ctx(|_| {
-            (
-                crate::ErrorKind::Filesystem,
-                s9pk_path.display().to_string(),
-            )
-        })?
-        .len();
-    let file = File::open(&s9pk_path).await.with_ctx(|_| {
-        (
-            crate::ErrorKind::Filesystem,
-            s9pk_path.display().to_string(),
-        )
-    })?;
-
-    let progress = InstallProgress::new(Some(len));
-
-    Ok((
-        progress.clone(),
-        async move {
-            download_install_s9pk(&ctx, &manifest, None, progress, file).await?;
-
-            guard.unmount().await?;
-
-            Ok(())
-        }
-        .boxed(),
-    ))
-}
--- a/backend/src/backup/target/cifs.rs
+++ b/backend/src/backup/target/cifs.rs
@@ -1,212 +0,0 @@
-use std::path::{Path, PathBuf};
-
-use color_eyre::eyre::eyre;
-use futures::TryStreamExt;
-use rpc_toolkit::command;
-use serde::{Deserialize, Serialize};
-use sqlx::{Executor, Sqlite};
-
-use super::{BackupTarget, BackupTargetId};
-use crate::context::RpcContext;
-use crate::disk::mount::filesystem::cifs::Cifs;
-use crate::disk::mount::filesystem::ReadOnly;
-use crate::disk::mount::guard::TmpMountGuard;
-use crate::disk::util::{recovery_info, EmbassyOsRecoveryInfo};
-use crate::util::display_none;
-use crate::util::serde::KeyVal;
-use crate::Error;
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct CifsBackupTarget {
-    hostname: String,
-    path: PathBuf,
-    username: String,
-    mountable: bool,
-    embassy_os: Option<EmbassyOsRecoveryInfo>,
-}
-
-#[command(subcommands(add, update, remove))]
-pub fn cifs() -> Result<(), Error> {
-    Ok(())
-}
-
-#[command(display(display_none))]
-pub async fn add(
-    #[context] ctx: RpcContext,
-    #[arg] hostname: String,
-    #[arg] path: PathBuf,
-    #[arg] username: String,
-    #[arg] password: Option<String>,
-) -> Result<KeyVal<BackupTargetId, BackupTarget>, Error> {
-    let cifs = Cifs {
-        hostname,
-        path,
-        username,
-        password,
-    };
-    let guard = TmpMountGuard::mount(&cifs, ReadOnly).await?;
-    let embassy_os = recovery_info(&guard).await?;
-    guard.unmount().await?;
-    let path_string = Path::new("/").join(&cifs.path).display().to_string();
-    let id: u32 = sqlx::query!(
-        "INSERT INTO cifs_shares (hostname, path, username, password) VALUES (?, ?, ?, ?) RETURNING id AS \"id: u32\"",
-        cifs.hostname,
-        path_string,
-        cifs.username,
-        cifs.password,
-    )
-    .fetch_one(&ctx.secret_store)
-    .await?.id;
-    Ok(KeyVal {
-        key: BackupTargetId::Cifs { id },
-        value: BackupTarget::Cifs(CifsBackupTarget {
-            hostname: cifs.hostname,
-            path: cifs.path,
-            username: cifs.username,
-            mountable: true,
-            embassy_os,
-        }),
-    })
-}
-
-#[command(display(display_none))]
-pub async fn update(
-    #[context] ctx: RpcContext,
-    #[arg] id: BackupTargetId,
-    #[arg] hostname: String,
-    #[arg] path: PathBuf,
-    #[arg] username: String,
-    #[arg] password: Option<String>,
-) -> Result<KeyVal<BackupTargetId, BackupTarget>, Error> {
-    let id = if let BackupTargetId::Cifs { id } = id {
-        id
-    } else {
-        return Err(Error::new(
-            eyre!("Backup Target ID {} Not Found", id),
-            crate::ErrorKind::NotFound,
-        ));
-    };
-    let cifs = Cifs {
-        hostname,
-        path,
-        username,
-        password,
-    };
-    let guard = TmpMountGuard::mount(&cifs, ReadOnly).await?;
-    let embassy_os = recovery_info(&guard).await?;
-    guard.unmount().await?;
-    let path_string = Path::new("/").join(&cifs.path).display().to_string();
-    if sqlx::query!(
-        "UPDATE cifs_shares SET hostname = ?, path = ?, username = ?, password = ? WHERE id = ?",
-        cifs.hostname,
-        path_string,
-        cifs.username,
-        cifs.password,
-        id,
-    )
-    .execute(&ctx.secret_store)
-    .await?
-    .rows_affected()
-        == 0
-    {
-        return Err(Error::new(
-            eyre!("Backup Target ID {} Not Found", BackupTargetId::Cifs { id }),
-            crate::ErrorKind::NotFound,
-        ));
-    };
-    Ok(KeyVal {
-        key: BackupTargetId::Cifs { id },
-        value: BackupTarget::Cifs(CifsBackupTarget {
-            hostname: cifs.hostname,
-            path: cifs.path,
-            username: cifs.username,
-            mountable: true,
-            embassy_os,
-        }),
-    })
-}
-
-#[command(display(display_none))]
-pub async fn remove(#[context] ctx: RpcContext, #[arg] id: BackupTargetId) -> Result<(), Error> {
-    let id = if let BackupTargetId::Cifs { id } = id {
-        id
-    } else {
-        return Err(Error::new(
-            eyre!("Backup Target ID {} Not Found", id),
-            crate::ErrorKind::NotFound,
-        ));
-    };
-    if sqlx::query!("DELETE FROM cifs_shares WHERE id = ?", id)
-        .execute(&ctx.secret_store)
-        .await?
-        .rows_affected()
-        == 0
-    {
-        return Err(Error::new(
-            eyre!("Backup Target ID {} Not Found", BackupTargetId::Cifs { id }),
-            crate::ErrorKind::NotFound,
-        ));
-    };
-    Ok(())
-}
-
-pub async fn load<Ex>(secrets: &mut Ex, id: u32) -> Result<Cifs, Error>
-where
-    for<'a> &'a mut Ex: Executor<'a, Database = Sqlite>,
-{
-    let record = sqlx::query!(
-        "SELECT hostname, path, username, password FROM cifs_shares WHERE id = ?",
-        id
-    )
-    .fetch_one(secrets)
-    .await?;
-
-    Ok(Cifs {
-        hostname: record.hostname,
-        path: PathBuf::from(record.path),
-        username: record.username,
-        password: record.password,
-    })
-}
-
-pub async fn list<Ex>(secrets: &mut Ex) -> Result<Vec<(u32, CifsBackupTarget)>, Error>
-where
-    for<'a> &'a mut Ex: Executor<'a, Database = Sqlite>,
-{
-    let mut records = sqlx::query!(
-        "SELECT id AS \"id: u32\", hostname, path, username, password FROM cifs_shares"
-    )
-    .fetch_many(secrets);
-
-    let mut cifs = Vec::new();
-    while let Some(query_result) = records.try_next().await? {
-        if let Some(record) = query_result.right() {
-            let mount_info = Cifs {
-                hostname: record.hostname,
-                path: PathBuf::from(record.path),
-                username: record.username,
-                password: record.password,
-            };
-            let embassy_os = async {
-                let guard = TmpMountGuard::mount(&mount_info, ReadOnly).await?;
-                let embassy_os = recovery_info(&guard).await?;
-                guard.unmount().await?;
-                Ok::<_, Error>(embassy_os)
-            }
-            .await;
-            cifs.push((
-                record.id,
-                CifsBackupTarget {
-                    hostname: mount_info.hostname,
-                    path: mount_info.path,
-                    username: mount_info.username,
-                    mountable: embassy_os.is_ok(),
-                    embassy_os: embassy_os.ok().and_then(|a| a),
-                },
-            ));
-        }
-    }
-
-    Ok(cifs)
-}
--- a/backend/src/backup/target/mod.rs
+++ b/backend/src/backup/target/mod.rs
@@ -1,249 +0,0 @@
-use std::collections::BTreeMap;
-use std::path::{Path, PathBuf};
-
-use async_trait::async_trait;
-use chrono::{DateTime, Utc};
-use clap::ArgMatches;
-use color_eyre::eyre::eyre;
-use digest::generic_array::GenericArray;
-use digest::{Digest, OutputSizeUser};
-use rpc_toolkit::command;
-use serde::{Deserialize, Serialize};
-use sha2::Sha256;
-use sqlx::{Executor, Sqlite};
-use tracing::instrument;
-
-use self::cifs::CifsBackupTarget;
-use crate::context::RpcContext;
-use crate::disk::mount::backup::BackupMountGuard;
-use crate::disk::mount::filesystem::block_dev::BlockDev;
-use crate::disk::mount::filesystem::cifs::Cifs;
-use crate::disk::mount::filesystem::{FileSystem, MountType, ReadOnly};
-use crate::disk::mount::guard::TmpMountGuard;
-use crate::disk::util::PartitionInfo;
-use crate::s9pk::manifest::PackageId;
-use crate::util::serde::{deserialize_from_str, display_serializable, serialize_display};
-use crate::util::Version;
-use crate::Error;
-
-pub mod cifs;
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(tag = "type")]
-#[serde(rename_all = "kebab-case")]
-pub enum BackupTarget {
-    #[serde(rename_all = "kebab-case")]
-    Disk {
-        vendor: Option<String>,
-        model: Option<String>,
-        #[serde(flatten)]
-        partition_info: PartitionInfo,
-    },
-    Cifs(CifsBackupTarget),
-}
-
-#[derive(Debug, PartialEq, Eq, PartialOrd, Ord)]
-pub enum BackupTargetId {
-    Disk { logicalname: PathBuf },
-    Cifs { id: u32 },
-}
-impl BackupTargetId {
-    pub async fn load<Ex>(self, secrets: &mut Ex) -> Result<BackupTargetFS, Error>
-    where
-        for<'a> &'a mut Ex: Executor<'a, Database = Sqlite>,
-    {
-        Ok(match self {
-            BackupTargetId::Disk { logicalname } => {
-                BackupTargetFS::Disk(BlockDev::new(logicalname))
-            }
-            BackupTargetId::Cifs { id } => BackupTargetFS::Cifs(cifs::load(secrets, id).await?),
-        })
-    }
-}
-impl std::fmt::Display for BackupTargetId {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            BackupTargetId::Disk { logicalname } => write!(f, "disk-{}", logicalname.display()),
-            BackupTargetId::Cifs { id } => write!(f, "cifs-{}", id),
-        }
-    }
-}
-impl std::str::FromStr for BackupTargetId {
-    type Err = Error;
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        match s.split_once("-") {
-            Some(("disk", logicalname)) => Ok(BackupTargetId::Disk {
-                logicalname: Path::new(logicalname).to_owned(),
-            }),
-            Some(("cifs", id)) => Ok(BackupTargetId::Cifs { id: id.parse()? }),
-            _ => Err(Error::new(
-                eyre!("Invalid Backup Target ID"),
-                crate::ErrorKind::InvalidBackupTargetId,
-            )),
-        }
-    }
-}
-impl<'de> Deserialize<'de> for BackupTargetId {
-    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
-    where
-        D: serde::Deserializer<'de>,
-    {
-        deserialize_from_str(deserializer)
-    }
-}
-impl Serialize for BackupTargetId {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: serde::Serializer,
-    {
-        serialize_display(self, serializer)
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(tag = "type")]
-#[serde(rename_all = "kebab-case")]
-pub enum BackupTargetFS {
-    Disk(BlockDev<PathBuf>),
-    Cifs(Cifs),
-}
-#[async_trait]
-impl FileSystem for BackupTargetFS {
-    async fn mount<P: AsRef<Path> + Send + Sync>(
-        &self,
-        mountpoint: P,
-        mount_type: MountType,
-    ) -> Result<(), Error> {
-        match self {
-            BackupTargetFS::Disk(a) => a.mount(mountpoint, mount_type).await,
-            BackupTargetFS::Cifs(a) => a.mount(mountpoint, mount_type).await,
-        }
-    }
-    async fn source_hash(
-        &self,
-    ) -> Result<GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>, Error> {
-        match self {
-            BackupTargetFS::Disk(a) => a.source_hash().await,
-            BackupTargetFS::Cifs(a) => a.source_hash().await,
-        }
-    }
-}
-
-#[command(subcommands(cifs::cifs, list, info))]
-pub fn target() -> Result<(), Error> {
-    Ok(())
-}
-
-// TODO: incorporate reconnect into this response as well
-#[command(display(display_serializable))]
-pub async fn list(
-    #[context] ctx: RpcContext,
-) -> Result<BTreeMap<BackupTargetId, BackupTarget>, Error> {
-    let mut sql_handle = ctx.secret_store.acquire().await?;
-    let (disks_res, cifs) =
-        tokio::try_join!(crate::disk::util::list(), cifs::list(&mut sql_handle),)?;
-    Ok(disks_res
-        .disks
-        .into_iter()
-        .flat_map(|mut disk| {
-            std::mem::take(&mut disk.partitions)
-                .into_iter()
-                .map(|part| {
-                    (
-                        BackupTargetId::Disk {
-                            logicalname: part.logicalname.clone(),
-                        },
-                        BackupTarget::Disk {
-                            vendor: disk.vendor.clone(),
-                            model: disk.model.clone(),
-                            partition_info: part,
-                        },
-                    )
-                })
-                .collect::<Vec<_>>()
-        })
-        .chain(
-            cifs.into_iter()
-                .map(|(id, cifs)| (BackupTargetId::Cifs { id }, BackupTarget::Cifs(cifs))),
-        )
-        .collect())
-}
-
-#[derive(Clone, Debug, Default, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct BackupInfo {
-    pub version: Version,
-    pub timestamp: Option<DateTime<Utc>>,
-    pub package_backups: BTreeMap<PackageId, PackageBackupInfo>,
-}
-
-#[derive(Clone, Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct PackageBackupInfo {
-    pub title: String,
-    pub version: Version,
-    pub os_version: Version,
-    pub timestamp: DateTime<Utc>,
-}
-
-fn display_backup_info(info: BackupInfo, matches: &ArgMatches<'_>) {
-    use prettytable::*;
-
-    if matches.is_present("format") {
-        return display_serializable(info, matches);
-    }
-
-    let mut table = Table::new();
-    table.add_row(row![bc =>
-        "ID",
-        "VERSION",
-        "OS VERSION",
-        "TIMESTAMP",
-    ]);
-    table.add_row(row![
-        "EMBASSY OS",
-        info.version.as_str(),
-        info.version.as_str(),
-        &if let Some(ts) = &info.timestamp {
-            ts.to_string()
-        } else {
-            "N/A".to_owned()
-        },
-    ]);
-    for (id, info) in info.package_backups {
-        let row = row![
-            id.as_str(),
-            info.version.as_str(),
-            info.os_version.as_str(),
-            &info.timestamp.to_string(),
-        ];
-        table.add_row(row);
-    }
-    table.print_tty(false);
-}
-
-#[command(display(display_backup_info))]
-#[instrument(skip(ctx, password))]
-pub async fn info(
-    #[context] ctx: RpcContext,
-    #[arg(rename = "target-id")] target_id: BackupTargetId,
-    #[arg] password: String,
-) -> Result<BackupInfo, Error> {
-    let guard = BackupMountGuard::mount(
-        TmpMountGuard::mount(
-            &target_id
-                .load(&mut ctx.secret_store.acquire().await?)
-                .await?,
-            ReadOnly,
-        )
-        .await?,
-        &password,
-    )
-    .await?;
-
-    let res = guard.metadata.clone();
-
-    guard.unmount().await?;
-
-    Ok(res)
-}
--- a/backend/src/bin/embassy-cli.rs
+++ b/backend/src/bin/embassy-cli.rs
@@ -1,57 +0,0 @@
-use clap::Arg;
-use embassy::context::CliContext;
-use embassy::util::logger::EmbassyLogger;
-use embassy::version::{Current, VersionT};
-use embassy::Error;
-use rpc_toolkit::run_cli;
-use rpc_toolkit::yajrc::RpcError;
-use serde_json::Value;
-
-fn inner_main() -> Result<(), Error> {
-    run_cli!({
-        command: embassy::main_api,
-        app: app => app
-            .name("Embassy CLI")
-            .version(Current::new().semver().to_string().as_str())
-            .arg(
-                clap::Arg::with_name("config")
-                    .short("c")
-                    .long("config")
-                    .takes_value(true),
-            )
-            .arg(Arg::with_name("host").long("host").short("h").takes_value(true))
-            .arg(Arg::with_name("proxy").long("proxy").short("p").takes_value(true)),
-        context: matches => {
-            EmbassyLogger::init();
-            CliContext::init(matches)?
-        },
-        exit: |e: RpcError| {
-            match e.data {
-                Some(Value::String(s)) => eprintln!("{}: {}", e.message, s),
-                Some(Value::Object(o)) => if let Some(Value::String(s)) = o.get("details") {
-                    eprintln!("{}: {}", e.message, s);
-                    if let Some(Value::String(s)) = o.get("debug") {
-                        tracing::debug!("{}", s)
-                    }
-                }
-                Some(a) => eprintln!("{}: {}", e.message, a),
-                None => eprintln!("{}", e.message),
-            }
-
-            std::process::exit(e.code);
-        }
-    });
-    Ok(())
-}
-
-fn main() {
-    match inner_main() {
-        Ok(_) => (),
-        Err(e) => {
-            eprintln!("{}", e.source);
-            tracing::debug!("{:?}", e.source);
-            drop(e.source);
-            std::process::exit(e.kind as i32)
-        }
-    }
-}
--- a/backend/src/bin/embassy-init.rs
+++ b/backend/src/bin/embassy-init.rs
@@ -1,240 +0,0 @@
-use std::path::Path;
-use std::sync::Arc;
-use std::time::Duration;
-
-use embassy::context::rpc::RpcContextConfig;
-use embassy::context::{DiagnosticContext, SetupContext};
-use embassy::disk::fsck::RepairStrategy;
-use embassy::disk::main::DEFAULT_PASSWORD;
-use embassy::disk::REPAIR_DISK_PATH;
-use embassy::hostname::get_product_key;
-use embassy::middleware::cors::cors;
-use embassy::middleware::diagnostic::diagnostic;
-use embassy::middleware::encrypt::encrypt;
-#[cfg(feature = "avahi")]
-use embassy::net::mdns::MdnsController;
-use embassy::shutdown::Shutdown;
-use embassy::sound::CHIME;
-use embassy::util::logger::EmbassyLogger;
-use embassy::util::Invoke;
-use embassy::{Error, ResultExt};
-use http::StatusCode;
-use rpc_toolkit::rpc_server;
-use tokio::process::Command;
-use tracing::instrument;
-
-fn status_fn(_: i32) -> StatusCode {
-    StatusCode::OK
-}
-
-#[instrument]
-async fn setup_or_init(cfg_path: Option<&str>) -> Result<(), Error> {
-    if tokio::fs::metadata("/embassy-os/disk.guid").await.is_err() {
-        #[cfg(feature = "avahi")]
-        let _mdns = MdnsController::init();
-        tokio::fs::write(
-            "/etc/nginx/sites-available/default",
-            include_str!("../nginx/setup-wizard.conf"),
-        )
-        .await
-        .with_ctx(|_| {
-            (
-                embassy::ErrorKind::Filesystem,
-                "/etc/nginx/sites-available/default",
-            )
-        })?;
-        Command::new("systemctl")
-            .arg("reload")
-            .arg("nginx")
-            .invoke(embassy::ErrorKind::Nginx)
-            .await?;
-        let ctx = SetupContext::init(cfg_path).await?;
-        let keysource_ctx = ctx.clone();
-        let keysource = move || {
-            let ctx = keysource_ctx.clone();
-            async move { ctx.product_key().await }
-        };
-        let encrypt = encrypt(keysource);
-        tokio::time::sleep(Duration::from_secs(1)).await; // let the record state that I hate this
-        CHIME.play().await?;
-        rpc_server!({
-            command: embassy::setup_api,
-            context: ctx.clone(),
-            status: status_fn,
-            middleware: [
-                cors,
-                encrypt,
-            ]
-        })
-        .with_graceful_shutdown({
-            let mut shutdown = ctx.shutdown.subscribe();
-            async move {
-                shutdown.recv().await.expect("context dropped");
-            }
-        })
-        .await
-        .with_kind(embassy::ErrorKind::Network)?;
-    } else {
-        let cfg = RpcContextConfig::load(cfg_path).await?;
-        let guid_string = tokio::fs::read_to_string("/embassy-os/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
-            .await?;
-        let guid = guid_string.trim();
-        let requires_reboot = embassy::disk::main::import(
-            guid,
-            cfg.datadir(),
-            if tokio::fs::metadata(REPAIR_DISK_PATH).await.is_ok() {
-                RepairStrategy::Aggressive
-            } else {
-                RepairStrategy::Preen
-            },
-            DEFAULT_PASSWORD,
-        )
-        .await?;
-        if tokio::fs::metadata(REPAIR_DISK_PATH).await.is_ok() {
-            tokio::fs::remove_file(REPAIR_DISK_PATH)
-                .await
-                .with_ctx(|_| (embassy::ErrorKind::Filesystem, REPAIR_DISK_PATH))?;
-        }
-        if requires_reboot.0 {
-            embassy::disk::main::export(guid, cfg.datadir()).await?;
-            Command::new("reboot")
-                .invoke(embassy::ErrorKind::Unknown)
-                .await?;
-        }
-        tracing::info!("Loaded Disk");
-        embassy::init::init(&cfg, &get_product_key().await?).await?;
-    }
-
-    Ok(())
-}
-
-async fn run_script_if_exists<P: AsRef<Path>>(path: P) {
-    let script = path.as_ref();
-    if script.exists() {
-        match Command::new("/bin/bash").arg(script).spawn() {
-            Ok(mut c) => {
-                if let Err(e) = c.wait().await {
-                    tracing::error!("Error Running {}: {}", script.display(), e);
-                    tracing::debug!("{:?}", e);
-                }
-            }
-            Err(e) => {
-                tracing::error!("Error Running {}: {}", script.display(), e);
-                tracing::debug!("{:?}", e);
-            }
-        }
-    }
-}
-
-#[instrument]
-async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {
-    embassy::sound::BEP.play().await?;
-
-    run_script_if_exists("/embassy-os/preinit.sh").await;
-
-    let res = if let Err(e) = setup_or_init(cfg_path).await {
-        async {
-            tracing::error!("{}", e.source);
-            tracing::debug!("{}", e.source);
-            embassy::sound::BEETHOVEN.play().await?;
-            #[cfg(feature = "avahi")]
-            let _mdns = MdnsController::init();
-            tokio::fs::write(
-                "/etc/nginx/sites-available/default",
-                include_str!("../nginx/diagnostic-ui.conf"),
-            )
-            .await
-            .with_ctx(|_| {
-                (
-                    embassy::ErrorKind::Filesystem,
-                    "/etc/nginx/sites-available/default",
-                )
-            })?;
-            Command::new("systemctl")
-                .arg("reload")
-                .arg("nginx")
-                .invoke(embassy::ErrorKind::Nginx)
-                .await?;
-            let ctx = DiagnosticContext::init(
-                cfg_path,
-                if tokio::fs::metadata("/embassy-os/disk.guid").await.is_ok() {
-                    Some(Arc::new(
-                        tokio::fs::read_to_string("/embassy-os/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
-                            .await?
-                            .trim()
-                            .to_owned(),
-                    ))
-                } else {
-                    None
-                },
-                e,
-            )
-            .await?;
-            let mut shutdown_recv = ctx.shutdown.subscribe();
-            rpc_server!({
-                command: embassy::diagnostic_api,
-                context: ctx.clone(),
-                status: status_fn,
-                middleware: [
-                    cors,
-                    diagnostic,
-                ]
-            })
-            .with_graceful_shutdown({
-                let mut shutdown = ctx.shutdown.subscribe();
-                async move {
-                    shutdown.recv().await.expect("context dropped");
-                }
-            })
-            .await
-            .with_kind(embassy::ErrorKind::Network)?;
-
-            Ok::<_, Error>(
-                shutdown_recv
-                    .recv()
-                    .await
-                    .with_kind(embassy::ErrorKind::Network)?,
-            )
-        }
-        .await
-    } else {
-        Ok(None)
-    };
-
-    run_script_if_exists("/embassy-os/postinit.sh").await;
-
-    res
-}
-
-fn main() {
-    let matches = clap::App::new("embassyd")
-        .arg(
-            clap::Arg::with_name("config")
-                .short("c")
-                .long("config")
-                .takes_value(true),
-        )
-        .get_matches();
-
-    EmbassyLogger::init();
-
-    let cfg_path = matches.value_of("config");
-    let res = {
-        let rt = tokio::runtime::Builder::new_multi_thread()
-            .enable_all()
-            .build()
-            .expect("failed to initialize runtime");
-        rt.block_on(inner_main(cfg_path))
-    };
-
-    match res {
-        Ok(Some(shutdown)) => shutdown.execute(),
-        Ok(None) => (),
-        Err(e) => {
-            eprintln!("{}", e.source);
-            tracing::debug!("{:?}", e.source);
-            drop(e.source);
-            std::process::exit(e.kind as i32)
-        }
-    }
-}
--- a/backend/src/bin/embassy-sdk.rs
+++ b/backend/src/bin/embassy-sdk.rs
@@ -1,56 +0,0 @@
-use embassy::context::SdkContext;
-use embassy::util::logger::EmbassyLogger;
-use embassy::version::{Current, VersionT};
-use embassy::Error;
-use rpc_toolkit::run_cli;
-use rpc_toolkit::yajrc::RpcError;
-use serde_json::Value;
-
-fn inner_main() -> Result<(), Error> {
-    run_cli!({
-        command: embassy::portable_api,
-        app: app => app
-            .name("Embassy SDK")
-            .version(Current::new().semver().to_string().as_str())
-            .arg(
-                clap::Arg::with_name("config")
-                    .short("c")
-                    .long("config")
-                    .takes_value(true),
-            ),
-        context: matches => {
-            if let Err(_) = std::env::var("RUST_LOG") {
-                std::env::set_var("RUST_LOG", "embassy=warn,js_engine=warn");
-            }
-            EmbassyLogger::init();
-            SdkContext::init(matches)?
-        },
-        exit: |e: RpcError| {
-            match e.data {
-                Some(Value::String(s)) => eprintln!("{}: {}", e.message, s),
-                Some(Value::Object(o)) => if let Some(Value::String(s)) = o.get("details") {
-                    eprintln!("{}: {}", e.message, s);
-                    if let Some(Value::String(s)) = o.get("debug") {
-                        tracing::debug!("{}", s)
-                    }
-                }
-                Some(a) => eprintln!("{}: {}", e.message, a),
-                None => eprintln!("{}", e.message),
-            }
-            std::process::exit(e.code);
-        }
-    });
-    Ok(())
-}
-
-fn main() {
-    match inner_main() {
-        Ok(_) => (),
-        Err(e) => {
-            eprintln!("{}", e.source);
-            tracing::debug!("{:?}", e.source);
-            drop(e.source);
-            std::process::exit(e.kind as i32)
-        }
-    }
-}
--- a/backend/src/bin/embassyd.rs
+++ b/backend/src/bin/embassyd.rs
@@ -1,381 +0,0 @@
-use std::sync::Arc;
-use std::time::Duration;
-
-use color_eyre::eyre::eyre;
-use embassy::context::{DiagnosticContext, RpcContext};
-use embassy::core::rpc_continuations::RequestGuid;
-use embassy::db::subscribe;
-use embassy::middleware::auth::auth;
-use embassy::middleware::cors::cors;
-use embassy::middleware::diagnostic::diagnostic;
-#[cfg(feature = "avahi")]
-use embassy::net::mdns::MdnsController;
-use embassy::net::tor::tor_health_check;
-use embassy::shutdown::Shutdown;
-use embassy::system::launch_metrics_task;
-use embassy::util::logger::EmbassyLogger;
-use embassy::util::{daemon, Invoke};
-use embassy::{static_server, Error, ErrorKind, ResultExt};
-use futures::{FutureExt, TryFutureExt};
-use reqwest::{Client, Proxy};
-use rpc_toolkit::hyper::{Body, Response, Server, StatusCode};
-use rpc_toolkit::rpc_server;
-use tokio::process::Command;
-use tokio::signal::unix::signal;
-use tracing::instrument;
-
-fn status_fn(_: i32) -> StatusCode {
-    StatusCode::OK
-}
-
-fn err_to_500(e: Error) -> Response<Body> {
-    tracing::error!("{}", e);
-    tracing::debug!("{:?}", e);
-    Response::builder()
-        .status(StatusCode::INTERNAL_SERVER_ERROR)
-        .body(Body::empty())
-        .unwrap()
-}
-
-#[instrument]
-async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {
-    let (rpc_ctx, shutdown) = {
-        embassy::hostname::sync_hostname().await?;
-        let rpc_ctx = RpcContext::init(
-            cfg_path,
-            Arc::new(
-                tokio::fs::read_to_string("/embassy-os/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
-                    .await?
-                    .trim()
-                    .to_owned(),
-            ),
-        )
-        .await?;
-        let mut shutdown_recv = rpc_ctx.shutdown.subscribe();
-
-        let sig_handler_ctx = rpc_ctx.clone();
-        let sig_handler = tokio::spawn(async move {
-            use tokio::signal::unix::SignalKind;
-            futures::future::select_all(
-                [
-                    SignalKind::interrupt(),
-                    SignalKind::quit(),
-                    SignalKind::terminate(),
-                ]
-                .iter()
-                .map(|s| {
-                    async move {
-                        signal(*s)
-                            .expect(&format!("register {:?} handler", s))
-                            .recv()
-                            .await
-                    }
-                    .boxed()
-                }),
-            )
-            .await;
-            sig_handler_ctx
-                .shutdown
-                .send(None)
-                .map_err(|_| ())
-                .expect("send shutdown signal");
-        });
-
-        let mut db = rpc_ctx.db.handle();
-        let receipts = embassy::context::rpc::RpcSetNginxReceipts::new(&mut db).await?;
-
-        rpc_ctx.set_nginx_conf(&mut db, receipts).await?;
-        drop(db);
-        let auth = auth(rpc_ctx.clone());
-        let ctx = rpc_ctx.clone();
-        let server = rpc_server!({
-            command: embassy::main_api,
-            context: ctx,
-            status: status_fn,
-            middleware: [
-                cors,
-                auth,
-            ]
-        })
-        .with_graceful_shutdown({
-            let mut shutdown = rpc_ctx.shutdown.subscribe();
-            async move {
-                shutdown.recv().await.expect("context dropped");
-            }
-        });
-
-        let metrics_ctx = rpc_ctx.clone();
-        let metrics_task = tokio::spawn(async move {
-            launch_metrics_task(&metrics_ctx.metrics_cache, || {
-                metrics_ctx.shutdown.subscribe()
-            })
-            .await
-        });
-
-        let rev_cache_ctx = rpc_ctx.clone();
-        let revision_cache_task = tokio::spawn(async move {
-            let mut sub = rev_cache_ctx.db.subscribe();
-            let mut shutdown = rev_cache_ctx.shutdown.subscribe();
-            loop {
-                let rev = match tokio::select! {
-                    a = sub.recv() => a,
-                    _ = shutdown.recv() => break,
-                } {
-                    Ok(a) => a,
-                    Err(_) => {
-                        rev_cache_ctx.revision_cache.write().await.truncate(0);
-                        continue;
-                    }
-                }; // TODO: handle falling behind
-                let mut cache = rev_cache_ctx.revision_cache.write().await;
-                cache.push_back(rev);
-                if cache.len() > rev_cache_ctx.revision_cache_size {
-                    cache.pop_front();
-                }
-            }
-        });
-
-        let ws_ctx = rpc_ctx.clone();
-        let ws_server = {
-            let builder = Server::bind(&ws_ctx.bind_ws);
-
-            let make_svc = ::rpc_toolkit::hyper::service::make_service_fn(move |_| {
-                let ctx = ws_ctx.clone();
-                async move {
-                    Ok::<_, ::rpc_toolkit::hyper::Error>(::rpc_toolkit::hyper::service::service_fn(
-                        move |req| {
-                            let ctx = ctx.clone();
-                            async move {
-                                tracing::debug!("Request to {}", req.uri().path());
-                                match req.uri().path() {
-                                    "/ws/db" => {
-                                        Ok(subscribe(ctx, req).await.unwrap_or_else(err_to_500))
-                                    }
-                                    path if path.starts_with("/rest/rpc/") => {
-                                        match RequestGuid::from(
-                                            path.strip_prefix("/rest/rpc/").unwrap(),
-                                        ) {
-                                            None => {
-                                                tracing::debug!("No Guid Path");
-                                                Response::builder()
-                                                    .status(StatusCode::BAD_REQUEST)
-                                                    .body(Body::empty())
-                                            }
-                                            Some(guid) => {
-                                                match ctx
-                                                    .rpc_stream_continuations
-                                                    .lock()
-                                                    .await
-                                                    .remove(&guid)
-                                                {
-                                                    None => Response::builder()
-                                                        .status(StatusCode::NOT_FOUND)
-                                                        .body(Body::empty()),
-                                                    Some(cont) => match (cont.handler)(req).await {
-                                                        Ok(r) => Ok(r),
-                                                        Err(e) => Response::builder()
-                                                            .status(
-                                                                StatusCode::INTERNAL_SERVER_ERROR,
-                                                            )
-                                                            .body(Body::from(format!("{}", e))),
-                                                    },
-                                                }
-                                            }
-                                        }
-                                    }
-                                    _ => Response::builder()
-                                        .status(StatusCode::NOT_FOUND)
-                                        .body(Body::empty()),
-                                }
-                            }
-                        },
-                    ))
-                }
-            });
-            builder.serve(make_svc)
-        }
-        .with_graceful_shutdown({
-            let mut shutdown = rpc_ctx.shutdown.subscribe();
-            async move {
-                shutdown.recv().await.expect("context dropped");
-            }
-        });
-
-        let file_server_ctx = rpc_ctx.clone();
-        let file_server = {
-            static_server::init(file_server_ctx, {
-                let mut shutdown = rpc_ctx.shutdown.subscribe();
-                async move {
-                    shutdown.recv().await.expect("context dropped");
-                }
-            })
-        };
-
-        let tor_health_ctx = rpc_ctx.clone();
-        let tor_client = Client::builder()
-            .proxy(
-                Proxy::http(format!(
-                    "socks5h://{}:{}",
-                    rpc_ctx.tor_socks.ip(),
-                    rpc_ctx.tor_socks.port()
-                ))
-                .with_kind(crate::ErrorKind::Network)?,
-            )
-            .build()
-            .with_kind(crate::ErrorKind::Network)?;
-        let tor_health_daemon = daemon(
-            move || {
-                let ctx = tor_health_ctx.clone();
-                let client = tor_client.clone();
-                async move { tor_health_check(&client, &ctx.net_controller.tor).await }
-            },
-            Duration::from_secs(300),
-            rpc_ctx.shutdown.subscribe(),
-        );
-
-        embassy::sound::CHIME.play().await?;
-
-        futures::try_join!(
-            server
-                .map_err(|e| Error::new(e, ErrorKind::Network))
-                .map_ok(|_| tracing::debug!("RPC Server Shutdown")),
-            metrics_task
-                .map_err(|e| Error::new(
-                    eyre!("{}", e).wrap_err("Metrics daemon panicked!"),
-                    ErrorKind::Unknown
-                ))
-                .map_ok(|_| tracing::debug!("Metrics daemon Shutdown")),
-            revision_cache_task
-                .map_err(|e| Error::new(
-                    eyre!("{}", e).wrap_err("Revision Cache daemon panicked!"),
-                    ErrorKind::Unknown
-                ))
-                .map_ok(|_| tracing::debug!("Revision Cache daemon Shutdown")),
-            ws_server
-                .map_err(|e| Error::new(e, ErrorKind::Network))
-                .map_ok(|_| tracing::debug!("WebSocket Server Shutdown")),
-            file_server
-                .map_err(|e| Error::new(e, ErrorKind::Network))
-                .map_ok(|_| tracing::debug!("Static File Server Shutdown")),
-            tor_health_daemon
-                .map_err(|e| Error::new(
-                    e.wrap_err("Tor Health daemon panicked!"),
-                    ErrorKind::Unknown
-                ))
-                .map_ok(|_| tracing::debug!("Tor Health daemon Shutdown")),
-        )?;
-
-        let mut shutdown = shutdown_recv
-            .recv()
-            .await
-            .with_kind(crate::ErrorKind::Unknown)?;
-
-        sig_handler.abort();
-
-        if let Some(shutdown) = &mut shutdown {
-            drop(shutdown.db_handle.take());
-        }
-
-        (rpc_ctx, shutdown)
-    };
-    rpc_ctx.shutdown().await?;
-
-    Ok(shutdown)
-}
-
-fn main() {
-    let matches = clap::App::new("embassyd")
-        .arg(
-            clap::Arg::with_name("config")
-                .short("c")
-                .long("config")
-                .takes_value(true),
-        )
-        .get_matches();
-
-    EmbassyLogger::init();
-
-    let cfg_path = matches.value_of("config");
-
-    let res = {
-        let rt = tokio::runtime::Builder::new_multi_thread()
-            .enable_all()
-            .build()
-            .expect("failed to initialize runtime");
-        rt.block_on(async {
-            match inner_main(cfg_path).await {
-                Ok(a) => Ok(a),
-                Err(e) => {
-                    (|| async {
-                        tracing::error!("{}", e.source);
-                        tracing::debug!("{:?}", e.source);
-                        embassy::sound::BEETHOVEN.play().await?;
-                        #[cfg(feature = "avahi")]
-                        let _mdns = MdnsController::init();
-                        tokio::fs::write(
-                            "/etc/nginx/sites-available/default",
-                            include_str!("../nginx/diagnostic-ui.conf"),
-                        )
-                        .await
-                        .with_ctx(|_| {
-                            (
-                                embassy::ErrorKind::Filesystem,
-                                "/etc/nginx/sites-available/default",
-                            )
-                        })?;
-                        Command::new("systemctl")
-                            .arg("reload")
-                            .arg("nginx")
-                            .invoke(embassy::ErrorKind::Nginx)
-                            .await?;
-                        let ctx = DiagnosticContext::init(
-                            cfg_path,
-                            if tokio::fs::metadata("/embassy-os/disk.guid").await.is_ok() {
-                                Some(Arc::new(
-                                    tokio::fs::read_to_string("/embassy-os/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
-                                        .await?
-                                        .trim()
-                                        .to_owned(),
-                                ))
-                            } else {
-                                None
-                            },
-                            e,
-                        )
-                        .await?;
-                        rpc_server!({
-                            command: embassy::diagnostic_api,
-                            context: ctx.clone(),
-                            status: status_fn,
-                            middleware: [
-                                cors,
-                                diagnostic,
-                            ]
-                        })
-                        .with_graceful_shutdown({
-                            let mut shutdown = ctx.shutdown.subscribe();
-                            async move {
-                                shutdown.recv().await.expect("context dropped");
-                            }
-                        })
-                        .await
-                        .with_kind(embassy::ErrorKind::Network)?;
-                        Ok::<_, Error>(None)
-                    })()
-                    .await
-                }
-            }
-        })
-    };
-
-    match res {
-        Ok(None) => (),
-        Ok(Some(s)) => s.execute(),
-        Err(e) => {
-            eprintln!("{}", e.source);
-            tracing::debug!("{:?}", e.source);
-            drop(e.source);
-            std::process::exit(e.kind as i32)
-        }
-    }
-}
--- a/backend/src/config/action.rs
+++ b/backend/src/config/action.rs
@@ -1,115 +0,0 @@
-use std::collections::{BTreeMap, BTreeSet};
-
-use color_eyre::eyre::eyre;
-use nix::sys::signal::Signal;
-use patch_db::HasModel;
-use serde::{Deserialize, Serialize};
-use tracing::instrument;
-
-use super::{Config, ConfigSpec};
-use crate::context::RpcContext;
-use crate::dependencies::Dependencies;
-use crate::id::ImageId;
-use crate::procedure::{PackageProcedure, ProcedureName};
-use crate::s9pk::manifest::PackageId;
-use crate::status::health_check::HealthCheckId;
-use crate::util::Version;
-use crate::volume::Volumes;
-use crate::{Error, ResultExt};
-
-#[derive(Debug, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct ConfigRes {
-    pub config: Option<Config>,
-    pub spec: ConfigSpec,
-}
-
-#[derive(Clone, Debug, Deserialize, Serialize, HasModel)]
-pub struct ConfigActions {
-    pub get: PackageProcedure,
-    pub set: PackageProcedure,
-}
-impl ConfigActions {
-    #[instrument]
-    pub fn validate(&self, volumes: &Volumes, image_ids: &BTreeSet<ImageId>) -> Result<(), Error> {
-        self.get
-            .validate(volumes, image_ids, true)
-            .with_ctx(|_| (crate::ErrorKind::ValidateS9pk, "Config Get"))?;
-        self.set
-            .validate(volumes, image_ids, true)
-            .with_ctx(|_| (crate::ErrorKind::ValidateS9pk, "Config Set"))?;
-        Ok(())
-    }
-    #[instrument(skip(ctx))]
-    pub async fn get(
-        &self,
-        ctx: &RpcContext,
-        pkg_id: &PackageId,
-        pkg_version: &Version,
-        volumes: &Volumes,
-    ) -> Result<ConfigRes, Error> {
-        self.get
-            .execute(
-                ctx,
-                pkg_id,
-                pkg_version,
-                ProcedureName::GetConfig,
-                volumes,
-                None::<()>,
-                false,
-                None,
-            )
-            .await
-            .and_then(|res| {
-                res.map_err(|e| Error::new(eyre!("{}", e.1), crate::ErrorKind::ConfigGen))
-            })
-    }
-
-    #[instrument(skip(ctx))]
-    pub async fn set(
-        &self,
-        ctx: &RpcContext,
-        pkg_id: &PackageId,
-        pkg_version: &Version,
-        dependencies: &Dependencies,
-        volumes: &Volumes,
-        input: &Config,
-    ) -> Result<SetResult, Error> {
-        let res: SetResult = self
-            .set
-            .execute(
-                ctx,
-                pkg_id,
-                pkg_version,
-                ProcedureName::SetConfig,
-                volumes,
-                Some(input),
-                false,
-                None,
-            )
-            .await
-            .and_then(|res| {
-                res.map_err(|e| {
-                    Error::new(eyre!("{}", e.1), crate::ErrorKind::ConfigRulesViolation)
-                })
-            })?;
-        Ok(SetResult {
-            signal: res.signal,
-            depends_on: res
-                .depends_on
-                .into_iter()
-                .filter(|(pkg, _)| dependencies.0.contains_key(pkg))
-                .collect(),
-        })
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct SetResult {
-    #[serde(default)]
-    #[serde(deserialize_with = "crate::util::serde::deserialize_from_str_opt")]
-    #[serde(serialize_with = "crate::util::serde::serialize_display_opt")]
-    pub signal: Option<Signal>,
-    pub depends_on: BTreeMap<PackageId, BTreeSet<HealthCheckId>>,
-}
--- a/backend/src/config/mod.rs
+++ b/backend/src/config/mod.rs
@@ -1,832 +0,0 @@
-use std::collections::{BTreeMap, BTreeSet};
-use std::path::PathBuf;
-use std::time::Duration;
-
-use color_eyre::eyre::eyre;
-use futures::future::{BoxFuture, FutureExt};
-use indexmap::IndexSet;
-use itertools::Itertools;
-use patch_db::{DbHandle, LockReceipt, LockTarget, LockTargetId, LockType, Verifier};
-use rand::SeedableRng;
-use regex::Regex;
-use rpc_toolkit::command;
-use serde_json::Value;
-use tracing::instrument;
-
-use crate::context::RpcContext;
-use crate::db::model::{CurrentDependencies, CurrentDependencyInfo, CurrentDependents};
-use crate::db::util::WithRevision;
-use crate::dependencies::{
-    add_dependent_to_current_dependents_lists, break_transitive, heal_all_dependents_transitive,
-    BreakTransitiveReceipts, BreakageRes, Dependencies, DependencyConfig, DependencyError,
-    DependencyErrors, DependencyReceipt, TaggedDependencyError, TryHealReceipts,
-};
-use crate::install::cleanup::{remove_from_current_dependents_lists, UpdateDependencyReceipts};
-use crate::s9pk::manifest::{Manifest, PackageId};
-use crate::util::display_none;
-use crate::util::serde::{display_serializable, parse_stdin_deserializable, IoFormat};
-use crate::Error;
-
-pub mod action;
-pub mod spec;
-pub mod util;
-
-pub use spec::{ConfigSpec, Defaultable};
-use util::NumRange;
-
-use self::action::{ConfigActions, ConfigRes};
-use self::spec::{ConfigPointerReceipts, PackagePointerSpec, ValueSpecPointer};
-
-pub type Config = serde_json::Map<String, Value>;
-pub trait TypeOf {
-    fn type_of(&self) -> &'static str;
-}
-impl TypeOf for Value {
-    fn type_of(&self) -> &'static str {
-        match self {
-            Value::Array(_) => "list",
-            Value::Bool(_) => "boolean",
-            Value::Null => "null",
-            Value::Number(_) => "number",
-            Value::Object(_) => "object",
-            Value::String(_) => "string",
-        }
-    }
-}
-
-#[derive(Debug, thiserror::Error)]
-pub enum ConfigurationError {
-    #[error("Timeout Error")]
-    TimeoutError(#[from] TimeoutError),
-    #[error("No Match: {0}")]
-    NoMatch(#[from] NoMatchWithPath),
-    #[error("System Error: {0}")]
-    SystemError(Error),
-    #[error("Permission Denied: {0}")]
-    PermissionDenied(ValueSpecPointer),
-}
-impl From<ConfigurationError> for Error {
-    fn from(err: ConfigurationError) -> Self {
-        let kind = match &err {
-            ConfigurationError::SystemError(e) => e.kind,
-            _ => crate::ErrorKind::ConfigGen,
-        };
-        crate::Error::new(err, kind)
-    }
-}
-
-#[derive(Clone, Copy, Debug, thiserror::Error)]
-#[error("Timeout Error")]
-pub struct TimeoutError;
-
-#[derive(Clone, Debug, thiserror::Error)]
-pub struct NoMatchWithPath {
-    pub path: Vec<String>,
-    pub error: MatchError,
-}
-impl NoMatchWithPath {
-    pub fn new(error: MatchError) -> Self {
-        NoMatchWithPath {
-            path: Vec::new(),
-            error,
-        }
-    }
-    pub fn prepend(mut self, seg: String) -> Self {
-        self.path.push(seg);
-        self
-    }
-}
-impl std::fmt::Display for NoMatchWithPath {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "{}: {}", self.path.iter().rev().join("."), self.error)
-    }
-}
-impl From<NoMatchWithPath> for Error {
-    fn from(e: NoMatchWithPath) -> Self {
-        ConfigurationError::from(e).into()
-    }
-}
-
-#[derive(Clone, Debug, thiserror::Error)]
-pub enum MatchError {
-    #[error("String {0:?} Does Not Match Pattern {1}")]
-    Pattern(String, Regex),
-    #[error("String {0:?} Is Not In Enum {1:?}")]
-    Enum(String, IndexSet<String>),
-    #[error("Field Is Not Nullable")]
-    NotNullable,
-    #[error("Length Mismatch: expected {0}, actual: {1}")]
-    LengthMismatch(NumRange<usize>, usize),
-    #[error("Invalid Type: expected {0}, actual: {1}")]
-    InvalidType(&'static str, &'static str),
-    #[error("Number Out Of Range: expected {0}, actual: {1}")]
-    OutOfRange(NumRange<f64>, f64),
-    #[error("Number Is Not Integral: {0}")]
-    NonIntegral(f64),
-    #[error("Variant {0:?} Is Not In Union {1:?}")]
-    Union(String, IndexSet<String>),
-    #[error("Variant Is Missing Tag {0:?}")]
-    MissingTag(String),
-    #[error("Property {0:?} Of Variant {1:?} Conflicts With Union Tag")]
-    PropertyMatchesUnionTag(String, String),
-    #[error("Name of Property {0:?} Conflicts With Map Tag Name")]
-    PropertyNameMatchesMapTag(String),
-    #[error("Pointer Is Invalid: {0}")]
-    InvalidPointer(spec::ValueSpecPointer),
-    #[error("Object Key Is Invalid: {0}")]
-    InvalidKey(String),
-    #[error("Value In List Is Not Unique")]
-    ListUniquenessViolation,
-}
-
-#[command(rename = "config-spec", cli_only, blocking, display(display_none))]
-pub fn verify_spec(#[arg] path: PathBuf) -> Result<(), Error> {
-    let mut file = std::fs::File::open(&path)?;
-    let format = match path.extension().and_then(|s| s.to_str()) {
-        Some("yaml") | Some("yml") => IoFormat::Yaml,
-        Some("json") => IoFormat::Json,
-        Some("toml") => IoFormat::Toml,
-        Some("cbor") => IoFormat::Cbor,
-        _ => {
-            return Err(Error::new(
-                eyre!("Unknown file format. Expected one of yaml, json, toml, cbor."),
-                crate::ErrorKind::Deserialization,
-            ));
-        }
-    };
-    let _: ConfigSpec = format.from_reader(&mut file)?;
-
-    Ok(())
-}
-
-#[command(subcommands(get, set))]
-pub fn config(#[arg] id: PackageId) -> Result<PackageId, Error> {
-    Ok(id)
-}
-
-pub struct ConfigGetReceipts {
-    manifest_volumes: LockReceipt<crate::volume::Volumes, ()>,
-    manifest_version: LockReceipt<crate::util::Version, ()>,
-    manifest_config: LockReceipt<Option<ConfigActions>, ()>,
-}
-
-impl ConfigGetReceipts {
-    pub async fn new<'a>(db: &'a mut impl DbHandle, id: &PackageId) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks, id);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(
-        locks: &mut Vec<LockTargetId>,
-        id: &PackageId,
-    ) -> impl FnOnce(&Verifier) -> Result<Self, Error> {
-        let manifest_version = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(id)
-            .and_then(|x| x.installed())
-            .map(|x| x.manifest().version())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-        let manifest_volumes = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(id)
-            .and_then(|x| x.installed())
-            .map(|x| x.manifest().volumes())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-        let manifest_config = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(id)
-            .and_then(|x| x.installed())
-            .map(|x| x.manifest().config())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-        move |skeleton_key| {
-            Ok(Self {
-                manifest_volumes: manifest_volumes.verify(skeleton_key)?,
-                manifest_version: manifest_version.verify(skeleton_key)?,
-                manifest_config: manifest_config.verify(skeleton_key)?,
-            })
-        }
-    }
-}
-
-#[command(display(display_serializable))]
-#[instrument(skip(ctx))]
-pub async fn get(
-    #[context] ctx: RpcContext,
-    #[parent_data] id: PackageId,
-    #[allow(unused_variables)]
-    #[arg(long = "format")]
-    format: Option<IoFormat>,
-) -> Result<ConfigRes, Error> {
-    let mut db = ctx.db.handle();
-    let receipts = ConfigGetReceipts::new(&mut db, &id).await?;
-    let action = receipts
-        .manifest_config
-        .get(&mut db)
-        .await?
-        .ok_or_else(|| Error::new(eyre!("{} has no config", id), crate::ErrorKind::NotFound))?;
-
-    let volumes = receipts.manifest_volumes.get(&mut db).await?;
-    let version = receipts.manifest_version.get(&mut db).await?;
-    action.get(&ctx, &id, &version, &volumes).await
-}
-
-#[command(
-    subcommands(self(set_impl(async, context(RpcContext))), set_dry),
-    display(display_none)
-)]
-#[instrument]
-pub fn set(
-    #[parent_data] id: PackageId,
-    #[allow(unused_variables)]
-    #[arg(long = "format")]
-    format: Option<IoFormat>,
-    #[arg(long = "timeout")] timeout: Option<crate::util::serde::Duration>,
-    #[arg(stdin, parse(parse_stdin_deserializable))] config: Option<Config>,
-    #[arg(rename = "expire-id", long = "expire-id")] expire_id: Option<String>,
-) -> Result<(PackageId, Option<Config>, Option<Duration>, Option<String>), Error> {
-    Ok((id, config, timeout.map(|d| *d), expire_id))
-}
-
-/// So, the new locking finds all the possible locks and lifts them up into a bundle of locks.
-/// Then this bundle will be passed down into the functions that will need to touch the db, and
-/// instead of doing the locks down in the system, we have already done the locks and can
-/// do the operation on the db.
-/// An UnlockedLock has two types, the type of setting and getting from the db, and the second type
-/// is the keys that we need to insert on getting/setting because we have included wild cards into the paths.
-pub struct ConfigReceipts {
-    pub dependency_receipt: DependencyReceipt,
-    pub config_receipts: ConfigPointerReceipts,
-    pub update_dependency_receipts: UpdateDependencyReceipts,
-    pub try_heal_receipts: TryHealReceipts,
-    pub break_transitive_receipts: BreakTransitiveReceipts,
-    configured: LockReceipt<bool, String>,
-    config_actions: LockReceipt<ConfigActions, String>,
-    dependencies: LockReceipt<Dependencies, String>,
-    volumes: LockReceipt<crate::volume::Volumes, String>,
-    version: LockReceipt<crate::util::Version, String>,
-    manifest: LockReceipt<Manifest, String>,
-    system_pointers: LockReceipt<Vec<spec::SystemPointerSpec>, String>,
-    pub current_dependents: LockReceipt<CurrentDependents, String>,
-    pub current_dependencies: LockReceipt<CurrentDependencies, String>,
-    dependency_errors: LockReceipt<DependencyErrors, String>,
-    manifest_dependencies_config: LockReceipt<DependencyConfig, (String, String)>,
-}
-
-impl ConfigReceipts {
-    pub async fn new<'a>(db: &'a mut impl DbHandle) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(locks: &mut Vec<LockTargetId>) -> impl FnOnce(&Verifier) -> Result<Self, Error> {
-        let dependency_receipt = DependencyReceipt::setup(locks);
-        let config_receipts = ConfigPointerReceipts::setup(locks);
-        let update_dependency_receipts = UpdateDependencyReceipts::setup(locks);
-        let break_transitive_receipts = BreakTransitiveReceipts::setup(locks);
-        let try_heal_receipts = TryHealReceipts::setup(locks);
-
-        let configured: LockTarget<bool, String> = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.status().configured())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-
-        let config_actions = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .and_then(|x| x.manifest().config())
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-
-        let dependencies = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.manifest().dependencies())
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-
-        let volumes = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.manifest().volumes())
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-
-        let version = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.manifest().version())
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-
-        let manifest = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.manifest())
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-
-        let system_pointers = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.system_pointers())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-
-        let current_dependents = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.current_dependents())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-
-        let current_dependencies = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.current_dependencies())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-
-        let dependency_errors = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .map(|x| x.status().dependency_errors())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-
-        let manifest_dependencies_config = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .installed()
-            .and_then(|x| x.manifest().dependencies().star().config())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-
-        move |skeleton_key| {
-            Ok(Self {
-                dependency_receipt: dependency_receipt(skeleton_key)?,
-                config_receipts: config_receipts(skeleton_key)?,
-                try_heal_receipts: try_heal_receipts(skeleton_key)?,
-                break_transitive_receipts: break_transitive_receipts(skeleton_key)?,
-                update_dependency_receipts: update_dependency_receipts(skeleton_key)?,
-                configured: configured.verify(skeleton_key)?,
-                config_actions: config_actions.verify(skeleton_key)?,
-                dependencies: dependencies.verify(skeleton_key)?,
-                volumes: volumes.verify(skeleton_key)?,
-                version: version.verify(skeleton_key)?,
-                manifest: manifest.verify(skeleton_key)?,
-                system_pointers: system_pointers.verify(skeleton_key)?,
-                current_dependents: current_dependents.verify(skeleton_key)?,
-                current_dependencies: current_dependencies.verify(skeleton_key)?,
-                dependency_errors: dependency_errors.verify(skeleton_key)?,
-                manifest_dependencies_config: manifest_dependencies_config.verify(skeleton_key)?,
-            })
-        }
-    }
-}
-
-#[command(rename = "dry", display(display_serializable))]
-#[instrument(skip(ctx))]
-pub async fn set_dry(
-    #[context] ctx: RpcContext,
-    #[parent_data] (id, config, timeout, _): (
-        PackageId,
-        Option<Config>,
-        Option<Duration>,
-        Option<String>,
-    ),
-) -> Result<BreakageRes, Error> {
-    let mut db = ctx.db.handle();
-    let mut tx = db.begin().await?;
-    let mut breakages = BTreeMap::new();
-    let locks = ConfigReceipts::new(&mut tx).await?;
-    configure(
-        &ctx,
-        &mut tx,
-        &id,
-        config,
-        &timeout,
-        true,
-        &mut BTreeMap::new(),
-        &mut breakages,
-        &locks,
-    )
-    .await?;
-
-    locks.configured.set(&mut tx, true, &id).await?;
-    tx.abort().await?;
-    Ok(BreakageRes(breakages))
-}
-
-#[instrument(skip(ctx))]
-pub async fn set_impl(
-    ctx: RpcContext,
-    (id, config, timeout, expire_id): (PackageId, Option<Config>, Option<Duration>, Option<String>),
-) -> Result<WithRevision<()>, Error> {
-    let mut db = ctx.db.handle();
-    let mut tx = db.begin().await?;
-    let mut breakages = BTreeMap::new();
-    let locks = ConfigReceipts::new(&mut tx).await?;
-    configure(
-        &ctx,
-        &mut tx,
-        &id,
-        config,
-        &timeout,
-        false,
-        &mut BTreeMap::new(),
-        &mut breakages,
-        &locks,
-    )
-    .await?;
-    Ok(WithRevision {
-        response: (),
-        revision: tx.commit(expire_id).await?,
-    })
-}
-
-#[instrument(skip(ctx, db, receipts))]
-pub async fn configure<'a, Db: DbHandle>(
-    ctx: &RpcContext,
-    db: &'a mut Db,
-    id: &PackageId,
-    config: Option<Config>,
-    timeout: &Option<Duration>,
-    dry_run: bool,
-    overrides: &mut BTreeMap<PackageId, Config>,
-    breakages: &mut BTreeMap<PackageId, TaggedDependencyError>,
-    receipts: &ConfigReceipts,
-) -> Result<(), Error> {
-    configure_rec(
-        ctx, db, id, config, timeout, dry_run, overrides, breakages, receipts,
-    )
-    .await?;
-    receipts.configured.set(db, true, &id).await?;
-    Ok(())
-}
-
-#[instrument(skip(ctx, db, receipts))]
-pub fn configure_rec<'a, Db: DbHandle>(
-    ctx: &'a RpcContext,
-    db: &'a mut Db,
-    id: &'a PackageId,
-    config: Option<Config>,
-    timeout: &'a Option<Duration>,
-    dry_run: bool,
-    overrides: &'a mut BTreeMap<PackageId, Config>,
-    breakages: &'a mut BTreeMap<PackageId, TaggedDependencyError>,
-    receipts: &'a ConfigReceipts,
-) -> BoxFuture<'a, Result<(), Error>> {
-    async move {
-        // fetch data from db
-        let action = receipts
-            .config_actions
-            .get(db, id)
-            .await?
-            .ok_or_else(not_found)?;
-        let dependencies = receipts
-            .dependencies
-            .get(db, id)
-            .await?
-            .ok_or_else(not_found)?;
-        let volumes = receipts.volumes.get(db, id).await?.ok_or_else(not_found)?;
-        let is_needs_config = !receipts
-            .configured
-            .get(db, id)
-            .await?
-            .ok_or_else(not_found)?;
-        let version = receipts.version.get(db, id).await?.ok_or_else(not_found)?;
-
-        // get current config and current spec
-        let ConfigRes {
-            config: old_config,
-            spec,
-        } = action.get(ctx, id, &version, &volumes).await?;
-
-        // determine new config to use
-        let mut config = if let Some(config) = config.or_else(|| old_config.clone()) {
-            config
-        } else {
-            spec.gen(&mut rand::rngs::StdRng::from_entropy(), timeout)?
-        };
-
-        let manifest = receipts.manifest.get(db, id).await?.ok_or_else(not_found)?;
-
-        spec.validate(&manifest)?;
-        spec.matches(&config)?; // check that new config matches spec
-        spec.update(
-            ctx,
-            db,
-            &manifest,
-            &*overrides,
-            &mut config,
-            &receipts.config_receipts,
-        )
-        .await?; // dereference pointers in the new config
-
-        // create backreferences to pointers
-        let mut sys = receipts
-            .system_pointers
-            .get(db, &id)
-            .await?
-            .ok_or_else(not_found)?;
-        sys.truncate(0);
-        let mut current_dependencies: CurrentDependencies = CurrentDependencies(
-            dependencies
-                .0
-                .iter()
-                .filter_map(|(id, info)| {
-                    if info.requirement.required() {
-                        Some((id.clone(), CurrentDependencyInfo::default()))
-                    } else {
-                        None
-                    }
-                })
-                .collect(),
-        );
-        for ptr in spec.pointers(&config)? {
-            match ptr {
-                ValueSpecPointer::Package(pkg_ptr) => {
-                    if let Some(current_dependency) =
-                        current_dependencies.0.get_mut(pkg_ptr.package_id())
-                    {
-                        current_dependency.pointers.push(pkg_ptr);
-                    } else {
-                        current_dependencies.0.insert(
-                            pkg_ptr.package_id().to_owned(),
-                            CurrentDependencyInfo {
-                                pointers: vec![pkg_ptr],
-                                health_checks: BTreeSet::new(),
-                            },
-                        );
-                    }
-                }
-                ValueSpecPointer::System(s) => sys.push(s),
-            }
-        }
-        receipts.system_pointers.set(db, sys, &id).await?;
-
-        let signal = if !dry_run {
-            // run config action
-            let res = action
-                .set(ctx, id, &version, &dependencies, &volumes, &config)
-                .await?;
-
-            // track dependencies with no pointers
-            for (package_id, health_checks) in res.depends_on.into_iter() {
-                if let Some(current_dependency) = current_dependencies.0.get_mut(&package_id) {
-                    current_dependency.health_checks.extend(health_checks);
-                } else {
-                    current_dependencies.0.insert(
-                        package_id,
-                        CurrentDependencyInfo {
-                            pointers: Vec::new(),
-                            health_checks,
-                        },
-                    );
-                }
-            }
-
-            // track dependency health checks
-            current_dependencies = current_dependencies.map(|x| {
-                x.into_iter()
-                    .filter(|(dep_id, _)| {
-                        if dep_id != id && !manifest.dependencies.0.contains_key(dep_id) {
-                            tracing::warn!("Illegal dependency specified: {}", dep_id);
-                            false
-                        } else {
-                            true
-                        }
-                    })
-                    .collect()
-            });
-            res.signal
-        } else {
-            None
-        };
-
-        // update dependencies
-        let prev_current_dependencies = receipts
-            .current_dependencies
-            .get(db, &id)
-            .await?
-            .unwrap_or_default();
-        remove_from_current_dependents_lists(
-            db,
-            id,
-            &prev_current_dependencies,
-            &receipts.current_dependents,
-        )
-        .await?; // remove previous
-        add_dependent_to_current_dependents_lists(
-            db,
-            id,
-            &current_dependencies,
-            &receipts.current_dependents,
-        )
-        .await?; // add new
-        current_dependencies.0.remove(id);
-        receipts
-            .current_dependencies
-            .set(db, current_dependencies.clone(), &id)
-            .await?;
-
-        let errs = receipts
-            .dependency_errors
-            .get(db, &id)
-            .await?
-            .ok_or_else(not_found)?;
-        tracing::warn!("Dependency Errors: {:?}", errs);
-        let errs = DependencyErrors::init(
-            ctx,
-            db,
-            &manifest,
-            &current_dependencies,
-            &receipts.dependency_receipt.try_heal,
-        )
-        .await?;
-        receipts.dependency_errors.set(db, errs, &id).await?;
-
-        // cache current config for dependents
-        overrides.insert(id.clone(), config.clone());
-
-        // handle dependents
-        let dependents = receipts
-            .current_dependents
-            .get(db, id)
-            .await?
-            .ok_or_else(not_found)?;
-        let prev = if is_needs_config { None } else { old_config }
-            .map(Value::Object)
-            .unwrap_or_default();
-        let next = Value::Object(config.clone());
-        for (dependent, dep_info) in dependents.0.iter().filter(|(dep_id, _)| dep_id != &id) {
-            // check if config passes dependent check
-            if let Some(cfg) = receipts
-                .manifest_dependencies_config
-                .get(db, (&dependent, &id))
-                .await?
-            {
-                let manifest = receipts
-                    .manifest
-                    .get(db, &dependent)
-                    .await?
-                    .ok_or_else(not_found)?;
-                if let Err(error) = cfg
-                    .check(
-                        ctx,
-                        dependent,
-                        &manifest.version,
-                        &manifest.volumes,
-                        id,
-                        &config,
-                    )
-                    .await?
-                {
-                    let dep_err = DependencyError::ConfigUnsatisfied { error };
-                    break_transitive(
-                        db,
-                        dependent,
-                        id,
-                        dep_err,
-                        breakages,
-                        &receipts.break_transitive_receipts,
-                    )
-                    .await?;
-                }
-
-                // handle backreferences
-                for ptr in &dep_info.pointers {
-                    if let PackagePointerSpec::Config(cfg_ptr) = ptr {
-                        if cfg_ptr.select(&next) != cfg_ptr.select(&prev) {
-                            if let Err(e) = configure_rec(
-                                ctx, db, dependent, None, timeout, dry_run, overrides, breakages,
-                                receipts,
-                            )
-                            .await
-                            {
-                                if e.kind == crate::ErrorKind::ConfigRulesViolation {
-                                    break_transitive(
-                                        db,
-                                        dependent,
-                                        id,
-                                        DependencyError::ConfigUnsatisfied {
-                                            error: format!("{}", e),
-                                        },
-                                        breakages,
-                                        &receipts.break_transitive_receipts,
-                                    )
-                                    .await?;
-                                } else {
-                                    return Err(e);
-                                }
-                            }
-                        }
-                    }
-                }
-                heal_all_dependents_transitive(ctx, db, id, &receipts.dependency_receipt).await?;
-            }
-        }
-
-        if let Some(signal) = signal {
-            match ctx.managers.get(&(id.clone(), version.clone())).await {
-                None => {
-                    // in theory this should never happen, which indicates this function should be moved behind the
-                    // Manager interface
-                    return Err(Error::new(
-                        eyre!("Manager Not Found for package being configured"),
-                        crate::ErrorKind::Incoherent,
-                    ));
-                }
-                Some(m) => {
-                    m.signal(&signal).await?;
-                }
-            }
-        }
-
-        Ok(())
-    }
-    .boxed()
-}
-#[instrument]
-pub fn not_found() -> Error {
-    Error::new(eyre!("Could not find"), crate::ErrorKind::Incoherent)
-}
-
-/// We want to have a double check that the paths are what we expect them to be.
-/// Found that earlier the paths where not what we expected them to be.
-#[tokio::test]
-async fn ensure_creation_of_config_paths_makes_sense() {
-    let mut fake = patch_db::test_utils::NoOpDb();
-    let config_locks = ConfigReceipts::new(&mut fake).await.unwrap();
-    assert_eq!(
-        &format!("{}", config_locks.configured.lock.glob),
-        "/package-data/*/installed/status/configured"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.config_actions.lock.glob),
-        "/package-data/*/installed/manifest/config"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.dependencies.lock.glob),
-        "/package-data/*/installed/manifest/dependencies"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.volumes.lock.glob),
-        "/package-data/*/installed/manifest/volumes"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.version.lock.glob),
-        "/package-data/*/installed/manifest/version"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.volumes.lock.glob),
-        "/package-data/*/installed/manifest/volumes"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.manifest.lock.glob),
-        "/package-data/*/installed/manifest"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.manifest.lock.glob),
-        "/package-data/*/installed/manifest"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.system_pointers.lock.glob),
-        "/package-data/*/installed/system-pointers"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.current_dependents.lock.glob),
-        "/package-data/*/installed/current-dependents"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.dependency_errors.lock.glob),
-        "/package-data/*/installed/status/dependency-errors"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.manifest_dependencies_config.lock.glob),
-        "/package-data/*/installed/manifest/dependencies/*/config"
-    );
-    assert_eq!(
-        &format!("{}", config_locks.system_pointers.lock.glob),
-        "/package-data/*/installed/system-pointers"
-    );
-}
--- a/backend/src/config/spec.rs
+++ b/backend/src/config/spec.rs
--- a/backend/src/config/util.rs
+++ b/backend/src/config/util.rs
@@ -1,368 +0,0 @@
-use std::borrow::Cow;
-use std::ops::{Bound, RangeBounds, RangeInclusive};
-
-use rand::distributions::Distribution;
-use rand::Rng;
-use serde_json::Value;
-
-use super::Config;
-
-pub const STATIC_NULL: Value = Value::Null;
-
-#[derive(Clone, Debug)]
-pub struct CharSet(pub Vec<(RangeInclusive<char>, usize)>, usize);
-impl CharSet {
-    pub fn contains(&self, c: &char) -> bool {
-        self.0.iter().any(|r| r.0.contains(c))
-    }
-    pub fn gen<R: Rng>(&self, rng: &mut R) -> char {
-        let mut idx = rng.gen_range(0, self.1);
-        for r in &self.0 {
-            if idx < r.1 {
-                return std::convert::TryFrom::try_from(
-                    rand::distributions::Uniform::new_inclusive(
-                        u32::from(*r.0.start()),
-                        u32::from(*r.0.end()),
-                    )
-                    .sample(rng),
-                )
-                .unwrap();
-            } else {
-                idx -= r.1;
-            }
-        }
-        unreachable!()
-    }
-}
-impl Default for CharSet {
-    fn default() -> Self {
-        CharSet(vec![('!'..='~', 94)], 94)
-    }
-}
-impl<'de> serde::de::Deserialize<'de> for CharSet {
-    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
-    where
-        D: serde::de::Deserializer<'de>,
-    {
-        let s = String::deserialize(deserializer)?;
-        let mut res = Vec::new();
-        let mut len = 0;
-        let mut a: Option<char> = None;
-        let mut b: Option<char> = None;
-        let mut in_range = false;
-        for c in s.chars() {
-            match c {
-                ',' => match (a, b, in_range) {
-                    (Some(start), Some(end), _) => {
-                        if !end.is_ascii() {
-                            return Err(serde::de::Error::custom("Invalid Character"));
-                        }
-                        if start >= end {
-                            return Err(serde::de::Error::custom("Invalid Bounds"));
-                        }
-                        let l = u32::from(end) - u32::from(start) + 1;
-                        res.push((start..=end, l as usize));
-                        len += l as usize;
-                        a = None;
-                        b = None;
-                        in_range = false;
-                    }
-                    (Some(start), None, false) => {
-                        len += 1;
-                        res.push((start..=start, 1));
-                        a = None;
-                    }
-                    (Some(_), None, true) => {
-                        b = Some(',');
-                    }
-                    (None, None, false) => {
-                        a = Some(',');
-                    }
-                    _ => {
-                        return Err(serde::de::Error::custom("Syntax Error"));
-                    }
-                },
-                '-' => {
-                    if a.is_none() {
-                        a = Some('-');
-                    } else if !in_range {
-                        in_range = true;
-                    } else if b.is_none() {
-                        b = Some('-')
-                    } else {
-                        return Err(serde::de::Error::custom("Syntax Error"));
-                    }
-                }
-                _ => {
-                    if a.is_none() {
-                        a = Some(c);
-                    } else if in_range && b.is_none() {
-                        b = Some(c);
-                    } else {
-                        return Err(serde::de::Error::custom("Syntax Error"));
-                    }
-                }
-            }
-        }
-        match (a, b) {
-            (Some(start), Some(end)) => {
-                if !end.is_ascii() {
-                    return Err(serde::de::Error::custom("Invalid Character"));
-                }
-                if start >= end {
-                    return Err(serde::de::Error::custom("Invalid Bounds"));
-                }
-                let l = u32::from(end) - u32::from(start) + 1;
-                res.push((start..=end, l as usize));
-                len += l as usize;
-            }
-            (Some(c), None) => {
-                len += 1;
-                res.push((c..=c, 1));
-            }
-            _ => (),
-        }
-
-        Ok(CharSet(res, len))
-    }
-}
-impl serde::ser::Serialize for CharSet {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: serde::ser::Serializer,
-    {
-        <&str>::serialize(
-            &self
-                .0
-                .iter()
-                .map(|r| match r.1 {
-                    1 => format!("{}", r.0.start()),
-                    _ => format!("{}-{}", r.0.start(), r.0.end()),
-                })
-                .collect::<Vec<_>>()
-                .join(",")
-                .as_str(),
-            serializer,
-        )
-    }
-}
-
-pub mod serde_regex {
-    use regex::Regex;
-    use serde::*;
-
-    pub fn serialize<S>(regex: &Regex, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: Serializer,
-    {
-        <&str>::serialize(&regex.as_str(), serializer)
-    }
-
-    pub fn deserialize<'de, D>(deserializer: D) -> Result<Regex, D::Error>
-    where
-        D: Deserializer<'de>,
-    {
-        let s = String::deserialize(deserializer)?;
-        Regex::new(&s).map_err(|e| de::Error::custom(e))
-    }
-}
-
-#[derive(Clone, Debug)]
-pub struct NumRange<T: std::str::FromStr + std::fmt::Display + std::cmp::PartialOrd>(
-    pub (Bound<T>, Bound<T>),
-);
-impl<T> std::ops::Deref for NumRange<T>
-where
-    T: std::str::FromStr + std::fmt::Display + std::cmp::PartialOrd,
-{
-    type Target = (Bound<T>, Bound<T>);
-
-    fn deref(&self) -> &Self::Target {
-        &self.0
-    }
-}
-impl<'de, T> serde::de::Deserialize<'de> for NumRange<T>
-where
-    T: std::str::FromStr + std::fmt::Display + std::cmp::PartialOrd,
-    <T as std::str::FromStr>::Err: std::fmt::Display,
-{
-    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
-    where
-        D: serde::de::Deserializer<'de>,
-    {
-        let s = String::deserialize(deserializer)?;
-        let mut split = s.split(",");
-        let start = split
-            .next()
-            .map(|s| match s.get(..1) {
-                Some("(") => match s.get(1..2) {
-                    Some("*") => Ok(Bound::Unbounded),
-                    _ => s[1..]
-                        .trim()
-                        .parse()
-                        .map(Bound::Excluded)
-                        .map_err(|e| serde::de::Error::custom(e)),
-                },
-                Some("[") => s[1..]
-                    .trim()
-                    .parse()
-                    .map(Bound::Included)
-                    .map_err(|e| serde::de::Error::custom(e)),
-                _ => Err(serde::de::Error::custom(format!(
-                    "Could not parse left bound: {}",
-                    s
-                ))),
-            })
-            .transpose()?
-            .unwrap();
-        let end = split
-            .next()
-            .map(|s| match s.get(s.len() - 1..) {
-                Some(")") => match s.get(s.len() - 2..s.len() - 1) {
-                    Some("*") => Ok(Bound::Unbounded),
-                    _ => s[..s.len() - 1]
-                        .trim()
-                        .parse()
-                        .map(Bound::Excluded)
-                        .map_err(|e| serde::de::Error::custom(e)),
-                },
-                Some("]") => s[..s.len() - 1]
-                    .trim()
-                    .parse()
-                    .map(Bound::Included)
-                    .map_err(|e| serde::de::Error::custom(e)),
-                _ => Err(serde::de::Error::custom(format!(
-                    "Could not parse right bound: {}",
-                    s
-                ))),
-            })
-            .transpose()?
-            .unwrap_or(Bound::Unbounded);
-
-        Ok(NumRange((start, end)))
-    }
-}
-impl<T> std::fmt::Display for NumRange<T>
-where
-    T: std::str::FromStr + std::fmt::Display + std::cmp::PartialOrd,
-{
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self.start_bound() {
-            Bound::Excluded(n) => write!(f, "({},", n)?,
-            Bound::Included(n) => write!(f, "[{},", n)?,
-            Bound::Unbounded => write!(f, "(*,")?,
-        };
-        match self.end_bound() {
-            Bound::Excluded(n) => write!(f, "{})", n),
-            Bound::Included(n) => write!(f, "{}]", n),
-            Bound::Unbounded => write!(f, "*)"),
-        }
-    }
-}
-impl<T> serde::ser::Serialize for NumRange<T>
-where
-    T: std::str::FromStr + std::fmt::Display + std::cmp::PartialOrd,
-{
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: serde::ser::Serializer,
-    {
-        <&str>::serialize(&format!("{}", self).as_str(), serializer)
-    }
-}
-
-#[derive(Clone, Debug)]
-pub enum UniqueBy {
-    Any(Vec<UniqueBy>),
-    All(Vec<UniqueBy>),
-    Exactly(String),
-    NotUnique,
-}
-impl UniqueBy {
-    pub fn eq(&self, lhs: &Config, rhs: &Config) -> bool {
-        match self {
-            UniqueBy::Any(any) => any.iter().any(|u| u.eq(lhs, rhs)),
-            UniqueBy::All(all) => all.iter().all(|u| u.eq(lhs, rhs)),
-            UniqueBy::Exactly(key) => lhs.get(key) == rhs.get(key),
-            UniqueBy::NotUnique => false,
-        }
-    }
-}
-impl Default for UniqueBy {
-    fn default() -> Self {
-        UniqueBy::NotUnique
-    }
-}
-impl<'de> serde::de::Deserialize<'de> for UniqueBy {
-    fn deserialize<D: serde::de::Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error> {
-        struct Visitor;
-        impl<'de> serde::de::Visitor<'de> for Visitor {
-            type Value = UniqueBy;
-            fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {
-                write!(formatter, "a key, an \"any\" object, or an \"all\" object")
-            }
-            fn visit_str<E: serde::de::Error>(self, v: &str) -> Result<Self::Value, E> {
-                Ok(UniqueBy::Exactly(v.to_owned()))
-            }
-            fn visit_string<E: serde::de::Error>(self, v: String) -> Result<Self::Value, E> {
-                Ok(UniqueBy::Exactly(v))
-            }
-            fn visit_map<A: serde::de::MapAccess<'de>>(
-                self,
-                mut map: A,
-            ) -> Result<Self::Value, A::Error> {
-                let mut variant = None;
-                while let Some(key) = map.next_key::<Cow<str>>()? {
-                    match key.as_ref() {
-                        "any" => {
-                            return Ok(UniqueBy::Any(map.next_value()?));
-                        }
-                        "all" => {
-                            return Ok(UniqueBy::All(map.next_value()?));
-                        }
-                        _ => {
-                            variant = Some(key);
-                        }
-                    }
-                }
-                Err(serde::de::Error::unknown_variant(
-                    variant.unwrap_or_default().as_ref(),
-                    &["any", "all"],
-                ))
-            }
-            fn visit_unit<E: serde::de::Error>(self) -> Result<Self::Value, E> {
-                Ok(UniqueBy::NotUnique)
-            }
-            fn visit_none<E: serde::de::Error>(self) -> Result<Self::Value, E> {
-                Ok(UniqueBy::NotUnique)
-            }
-        }
-        deserializer.deserialize_any(Visitor)
-    }
-}
-
-impl serde::ser::Serialize for UniqueBy {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: serde::ser::Serializer,
-    {
-        use serde::ser::SerializeMap;
-
-        match self {
-            UniqueBy::Any(any) => {
-                let mut map = serializer.serialize_map(Some(1))?;
-                map.serialize_key("any")?;
-                map.serialize_value(any)?;
-                map.end()
-            }
-            UniqueBy::All(all) => {
-                let mut map = serializer.serialize_map(Some(1))?;
-                map.serialize_key("all")?;
-                map.serialize_value(all)?;
-                map.end()
-            }
-            UniqueBy::Exactly(key) => serializer.serialize_str(key),
-            UniqueBy::NotUnique => serializer.serialize_unit(),
-        }
-    }
-}
--- a/backend/src/context/cli.rs
+++ b/backend/src/context/cli.rs
@@ -1,169 +0,0 @@
-use std::fs::File;
-use std::io::BufReader;
-use std::net::{Ipv4Addr, SocketAddr};
-use std::path::{Path, PathBuf};
-use std::sync::Arc;
-
-use clap::ArgMatches;
-use color_eyre::eyre::eyre;
-use cookie_store::CookieStore;
-use reqwest::Proxy;
-use reqwest_cookie_store::CookieStoreMutex;
-use rpc_toolkit::reqwest::{Client, Url};
-use rpc_toolkit::url::Host;
-use rpc_toolkit::Context;
-use serde::Deserialize;
-use tracing::instrument;
-
-use crate::util::config::{load_config_from_paths, local_config_path};
-use crate::ResultExt;
-
-#[derive(Debug, Default, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct CliContextConfig {
-    pub bind_rpc: Option<SocketAddr>,
-    pub host: Option<Url>,
-    #[serde(deserialize_with = "crate::util::serde::deserialize_from_str_opt")]
-    #[serde(default)]
-    pub proxy: Option<Url>,
-    pub cookie_path: Option<PathBuf>,
-}
-
-#[derive(Debug)]
-pub struct CliContextSeed {
-    pub base_url: Url,
-    pub rpc_url: Url,
-    pub client: Client,
-    pub cookie_store: Arc<CookieStoreMutex>,
-    pub cookie_path: PathBuf,
-}
-impl Drop for CliContextSeed {
-    fn drop(&mut self) {
-        let tmp = format!("{}.tmp", self.cookie_path.display());
-        let parent_dir = self.cookie_path.parent().unwrap_or(Path::new("/"));
-        if !parent_dir.exists() {
-            std::fs::create_dir_all(&parent_dir).unwrap();
-        }
-        let mut writer = fd_lock_rs::FdLock::lock(
-            File::create(&tmp).unwrap(),
-            fd_lock_rs::LockType::Exclusive,
-            true,
-        )
-        .unwrap();
-        let store = self.cookie_store.lock().unwrap();
-        store.save_json(&mut *writer).unwrap();
-        writer.sync_all().unwrap();
-        std::fs::rename(tmp, &self.cookie_path).unwrap();
-    }
-}
-
-const DEFAULT_HOST: Host<&'static str> = Host::Ipv4(Ipv4Addr::new(127, 0, 0, 1));
-const DEFAULT_PORT: u16 = 5959;
-
-#[derive(Debug, Clone)]
-pub struct CliContext(Arc<CliContextSeed>);
-impl CliContext {
-    /// BLOCKING
-    #[instrument(skip(matches))]
-    pub fn init(matches: &ArgMatches) -> Result<Self, crate::Error> {
-        let local_config_path = local_config_path();
-        let base: CliContextConfig = load_config_from_paths(
-            matches
-                .values_of("config")
-                .into_iter()
-                .flatten()
-                .map(|p| Path::new(p))
-                .chain(local_config_path.as_deref().into_iter())
-                .chain(std::iter::once(Path::new(crate::util::config::CONFIG_PATH))),
-        )?;
-        let mut url = if let Some(host) = matches.value_of("host") {
-            host.parse()?
-        } else if let Some(host) = base.host {
-            host
-        } else {
-            format!(
-                "http://{}",
-                base.bind_rpc.unwrap_or(([127, 0, 0, 1], 80).into())
-            )
-            .parse()?
-        };
-        let proxy = if let Some(proxy) = matches.value_of("proxy") {
-            Some(proxy.parse()?)
-        } else {
-            base.proxy
-        };
-
-        let cookie_path = base.cookie_path.unwrap_or_else(|| {
-            local_config_path
-                .as_deref()
-                .unwrap_or_else(|| Path::new(crate::util::config::CONFIG_PATH))
-                .parent()
-                .unwrap_or(Path::new("/"))
-                .join(".cookies.json")
-        });
-        let cookie_store = Arc::new(CookieStoreMutex::new(if cookie_path.exists() {
-            CookieStore::load_json(BufReader::new(File::open(&cookie_path)?))
-                .map_err(|e| eyre!("{}", e))
-                .with_kind(crate::ErrorKind::Deserialization)?
-        } else {
-            CookieStore::default()
-        }));
-        Ok(CliContext(Arc::new(CliContextSeed {
-            base_url: url.clone(),
-            rpc_url: {
-                url.path_segments_mut()
-                    .map_err(|_| eyre!("Url cannot be base"))
-                    .with_kind(crate::ErrorKind::ParseUrl)?
-                    .push("rpc")
-                    .push("v1");
-                url
-            },
-            client: {
-                let mut builder = Client::builder().cookie_provider(cookie_store.clone());
-                if let Some(proxy) = proxy {
-                    builder =
-                        builder.proxy(Proxy::all(proxy).with_kind(crate::ErrorKind::ParseUrl)?)
-                }
-                builder.build().expect("cannot fail")
-            },
-            cookie_store,
-            cookie_path,
-        })))
-    }
-}
-impl std::ops::Deref for CliContext {
-    type Target = CliContextSeed;
-    fn deref(&self) -> &Self::Target {
-        &*self.0
-    }
-}
-impl Context for CliContext {
-    fn protocol(&self) -> &str {
-        self.0.base_url.scheme()
-    }
-    fn host(&self) -> Host<&str> {
-        self.0.base_url.host().unwrap_or(DEFAULT_HOST)
-    }
-    fn port(&self) -> u16 {
-        self.0.base_url.port().unwrap_or(DEFAULT_PORT)
-    }
-    fn path(&self) -> &str {
-        self.0.rpc_url.path()
-    }
-    fn url(&self) -> Url {
-        self.0.rpc_url.clone()
-    }
-    fn client(&self) -> &Client {
-        &self.0.client
-    }
-}
-/// When we had an empty proxy the system wasn't working like it used to, which allowed empty proxy
-#[test]
-fn test_cli_proxy_empty() {
-    serde_yaml::from_str::<CliContextConfig>(
-        "
-        bind_rpc:
-    ",
-    )
-    .unwrap();
-}
--- a/backend/src/context/diagnostic.rs
+++ b/backend/src/context/diagnostic.rs
@@ -1,95 +0,0 @@
-use std::net::{IpAddr, SocketAddr};
-use std::ops::Deref;
-use std::path::{Path, PathBuf};
-use std::sync::Arc;
-
-use rpc_toolkit::yajrc::RpcError;
-use rpc_toolkit::Context;
-use serde::Deserialize;
-use tokio::fs::File;
-use tokio::sync::broadcast::Sender;
-use tracing::instrument;
-use url::Host;
-
-use crate::shutdown::Shutdown;
-use crate::util::io::from_toml_async_reader;
-use crate::util::AsyncFileExt;
-use crate::{Error, ResultExt};
-
-#[derive(Debug, Default, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct DiagnosticContextConfig {
-    pub bind_rpc: Option<SocketAddr>,
-    pub datadir: Option<PathBuf>,
-}
-impl DiagnosticContextConfig {
-    #[instrument(skip(path))]
-    pub async fn load<P: AsRef<Path>>(path: Option<P>) -> Result<Self, Error> {
-        let cfg_path = path
-            .as_ref()
-            .map(|p| p.as_ref())
-            .unwrap_or(Path::new(crate::util::config::CONFIG_PATH));
-        if let Some(f) = File::maybe_open(cfg_path)
-            .await
-            .with_ctx(|_| (crate::ErrorKind::Filesystem, cfg_path.display().to_string()))?
-        {
-            from_toml_async_reader(f).await
-        } else {
-            Ok(Self::default())
-        }
-    }
-    pub fn datadir(&self) -> &Path {
-        self.datadir
-            .as_deref()
-            .unwrap_or_else(|| Path::new("/embassy-data"))
-    }
-}
-
-pub struct DiagnosticContextSeed {
-    pub bind_rpc: SocketAddr,
-    pub datadir: PathBuf,
-    pub shutdown: Sender<Option<Shutdown>>,
-    pub error: Arc<RpcError>,
-    pub disk_guid: Option<Arc<String>>,
-}
-
-#[derive(Clone)]
-pub struct DiagnosticContext(Arc<DiagnosticContextSeed>);
-impl DiagnosticContext {
-    #[instrument(skip(path))]
-    pub async fn init<P: AsRef<Path>>(
-        path: Option<P>,
-        disk_guid: Option<Arc<String>>,
-        error: Error,
-    ) -> Result<Self, Error> {
-        let cfg = DiagnosticContextConfig::load(path).await?;
-
-        let (shutdown, _) = tokio::sync::broadcast::channel(1);
-
-        Ok(Self(Arc::new(DiagnosticContextSeed {
-            bind_rpc: cfg.bind_rpc.unwrap_or(([127, 0, 0, 1], 5959).into()),
-            datadir: cfg.datadir().to_owned(),
-            shutdown,
-            disk_guid,
-            error: Arc::new(error.into()),
-        })))
-    }
-}
-
-impl Context for DiagnosticContext {
-    fn host(&self) -> Host<&str> {
-        match self.0.bind_rpc.ip() {
-            IpAddr::V4(a) => Host::Ipv4(a),
-            IpAddr::V6(a) => Host::Ipv6(a),
-        }
-    }
-    fn port(&self) -> u16 {
-        self.0.bind_rpc.port()
-    }
-}
-impl Deref for DiagnosticContext {
-    type Target = DiagnosticContextSeed;
-    fn deref(&self) -> &Self::Target {
-        &*self.0
-    }
-}
--- a/backend/src/context/mod.rs
+++ b/backend/src/context/mod.rs
@@ -1,37 +0,0 @@
-pub mod cli;
-pub mod diagnostic;
-pub mod rpc;
-pub mod sdk;
-pub mod setup;
-
-pub use cli::CliContext;
-pub use diagnostic::DiagnosticContext;
-pub use rpc::RpcContext;
-pub use sdk::SdkContext;
-pub use setup::SetupContext;
-
-impl From<CliContext> for () {
-    fn from(_: CliContext) -> Self {
-        ()
-    }
-}
-impl From<DiagnosticContext> for () {
-    fn from(_: DiagnosticContext) -> Self {
-        ()
-    }
-}
-impl From<RpcContext> for () {
-    fn from(_: RpcContext) -> Self {
-        ()
-    }
-}
-impl From<SdkContext> for () {
-    fn from(_: SdkContext) -> Self {
-        ()
-    }
-}
-impl From<SetupContext> for () {
-    fn from(_: SetupContext) -> Self {
-        ()
-    }
-}
--- a/backend/src/context/rpc.rs
+++ b/backend/src/context/rpc.rs
@@ -1,412 +0,0 @@
-use std::collections::{BTreeMap, VecDeque};
-use std::net::{IpAddr, Ipv4Addr, SocketAddr, SocketAddrV4};
-use std::ops::Deref;
-use std::path::{Path, PathBuf};
-use std::sync::atomic::{AtomicBool, Ordering};
-use std::sync::Arc;
-use std::time::Duration;
-
-use bollard::Docker;
-use patch_db::json_ptr::JsonPointer;
-use patch_db::{DbHandle, LockReceipt, LockType, PatchDb, Revision};
-use reqwest::Url;
-use rpc_toolkit::url::Host;
-use rpc_toolkit::Context;
-use serde::Deserialize;
-use sqlx::sqlite::SqliteConnectOptions;
-use sqlx::SqlitePool;
-use tokio::fs::File;
-use tokio::process::Command;
-use tokio::sync::{broadcast, oneshot, Mutex, RwLock};
-use tracing::instrument;
-
-use crate::core::rpc_continuations::{RequestGuid, RpcContinuation};
-use crate::db::model::{Database, InstalledPackageDataEntry, PackageDataEntry};
-use crate::hostname::{derive_hostname, derive_id, get_product_key};
-use crate::install::cleanup::{cleanup_failed, uninstall, CleanupFailedReceipts};
-use crate::manager::ManagerMap;
-use crate::middleware::auth::HashSessionToken;
-use crate::net::tor::os_key;
-use crate::net::wifi::WpaCli;
-use crate::net::NetController;
-use crate::notifications::NotificationManager;
-use crate::setup::password_hash;
-use crate::shutdown::Shutdown;
-use crate::status::{MainStatus, Status};
-use crate::util::io::from_yaml_async_reader;
-use crate::util::{AsyncFileExt, Invoke};
-use crate::{Error, ResultExt};
-
-#[derive(Debug, Default, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct RpcContextConfig {
-    pub bind_rpc: Option<SocketAddr>,
-    pub bind_ws: Option<SocketAddr>,
-    pub bind_static: Option<SocketAddr>,
-    pub tor_control: Option<SocketAddr>,
-    pub tor_socks: Option<SocketAddr>,
-    pub dns_bind: Option<Vec<SocketAddr>>,
-    pub revision_cache_size: Option<usize>,
-    pub datadir: Option<PathBuf>,
-    pub log_server: Option<Url>,
-}
-impl RpcContextConfig {
-    pub async fn load<P: AsRef<Path>>(path: Option<P>) -> Result<Self, Error> {
-        let cfg_path = path
-            .as_ref()
-            .map(|p| p.as_ref())
-            .unwrap_or(Path::new(crate::util::config::CONFIG_PATH));
-        if let Some(f) = File::maybe_open(cfg_path)
-            .await
-            .with_ctx(|_| (crate::ErrorKind::Filesystem, cfg_path.display().to_string()))?
-        {
-            from_yaml_async_reader(f).await
-        } else {
-            Ok(Self::default())
-        }
-    }
-    pub fn datadir(&self) -> &Path {
-        self.datadir
-            .as_deref()
-            .unwrap_or_else(|| Path::new("/embassy-data"))
-    }
-    pub async fn db(&self, secret_store: &SqlitePool, product_key: &str) -> Result<PatchDb, Error> {
-        let sid = derive_id(product_key);
-        let hostname = derive_hostname(&sid);
-        let db_path = self.datadir().join("main").join("embassy.db");
-        let db = PatchDb::open(&db_path)
-            .await
-            .with_ctx(|_| (crate::ErrorKind::Filesystem, db_path.display().to_string()))?;
-        if !db.exists(&<JsonPointer>::default()).await? {
-            db.put(
-                &<JsonPointer>::default(),
-                &Database::init(
-                    sid,
-                    &hostname,
-                    &os_key(&mut secret_store.acquire().await?).await?,
-                    password_hash(&mut secret_store.acquire().await?).await?,
-                ),
-                None,
-            )
-            .await?;
-        }
-        Ok(db)
-    }
-    #[instrument]
-    pub async fn secret_store(&self) -> Result<SqlitePool, Error> {
-        let secret_store = SqlitePool::connect_with(
-            SqliteConnectOptions::new()
-                .filename(self.datadir().join("main").join("secrets.db"))
-                .create_if_missing(true)
-                .busy_timeout(Duration::from_secs(30)),
-        )
-        .await?;
-        sqlx::migrate!()
-            .run(&secret_store)
-            .await
-            .with_kind(crate::ErrorKind::Database)?;
-        Ok(secret_store)
-    }
-}
-
-pub struct RpcContextSeed {
-    is_closed: AtomicBool,
-    pub bind_rpc: SocketAddr,
-    pub bind_ws: SocketAddr,
-    pub bind_static: SocketAddr,
-    pub datadir: PathBuf,
-    pub disk_guid: Arc<String>,
-    pub db: PatchDb,
-    pub secret_store: SqlitePool,
-    pub docker: Docker,
-    pub net_controller: NetController,
-    pub managers: ManagerMap,
-    pub revision_cache_size: usize,
-    pub revision_cache: RwLock<VecDeque<Arc<Revision>>>,
-    pub metrics_cache: RwLock<Option<crate::system::Metrics>>,
-    pub shutdown: broadcast::Sender<Option<Shutdown>>,
-    pub tor_socks: SocketAddr,
-    pub notification_manager: NotificationManager,
-    pub open_authed_websockets: Mutex<BTreeMap<HashSessionToken, Vec<oneshot::Sender<()>>>>,
-    pub rpc_stream_continuations: Mutex<BTreeMap<RequestGuid, RpcContinuation>>,
-    pub wifi_manager: Arc<RwLock<WpaCli>>,
-}
-
-pub struct RpcCleanReceipts {
-    cleanup_receipts: CleanupFailedReceipts,
-    packages: LockReceipt<crate::db::model::AllPackageData, ()>,
-    package: LockReceipt<crate::db::model::PackageDataEntry, String>,
-}
-
-impl RpcCleanReceipts {
-    pub async fn new<'a>(db: &'a mut impl DbHandle) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(
-        locks: &mut Vec<patch_db::LockTargetId>,
-    ) -> impl FnOnce(&patch_db::Verifier) -> Result<Self, Error> {
-        let cleanup_receipts = CleanupFailedReceipts::setup(locks);
-
-        let packages = crate::db::DatabaseModel::new()
-            .package_data()
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-        let package = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-        move |skeleton_key| {
-            Ok(Self {
-                cleanup_receipts: cleanup_receipts(skeleton_key)?,
-                packages: packages.verify(skeleton_key)?,
-                package: package.verify(skeleton_key)?,
-            })
-        }
-    }
-}
-
-pub struct RpcSetNginxReceipts {
-    server_info: LockReceipt<crate::db::model::ServerInfo, ()>,
-}
-
-impl RpcSetNginxReceipts {
-    pub async fn new(db: &'_ mut impl DbHandle) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(
-        locks: &mut Vec<patch_db::LockTargetId>,
-    ) -> impl FnOnce(&patch_db::Verifier) -> Result<Self, Error> {
-        let server_info = crate::db::DatabaseModel::new()
-            .server_info()
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-        move |skeleton_key| {
-            Ok(Self {
-                server_info: server_info.verify(skeleton_key)?,
-            })
-        }
-    }
-}
-
-#[derive(Clone)]
-pub struct RpcContext(Arc<RpcContextSeed>);
-impl RpcContext {
-    #[instrument(skip(cfg_path))]
-    pub async fn init<P: AsRef<Path>>(
-        cfg_path: Option<P>,
-        disk_guid: Arc<String>,
-    ) -> Result<Self, Error> {
-        let base = RpcContextConfig::load(cfg_path).await?;
-        tracing::info!("Loaded Config");
-        let tor_proxy = base.tor_socks.unwrap_or(SocketAddr::V4(SocketAddrV4::new(
-            Ipv4Addr::new(127, 0, 0, 1),
-            9050,
-        )));
-        let (shutdown, _) = tokio::sync::broadcast::channel(1);
-        let secret_store = base.secret_store().await?;
-        tracing::info!("Opened Sqlite DB");
-        let db = base.db(&secret_store, &get_product_key().await?).await?;
-        tracing::info!("Opened PatchDB");
-        let docker = Docker::connect_with_unix_defaults()?;
-        tracing::info!("Connected to Docker");
-        let net_controller = NetController::init(
-            ([127, 0, 0, 1], 80).into(),
-            crate::net::tor::os_key(&mut secret_store.acquire().await?).await?,
-            base.tor_control
-                .unwrap_or(SocketAddr::from(([127, 0, 0, 1], 9051))),
-            base.dns_bind
-                .as_ref()
-                .map(|v| v.as_slice())
-                .unwrap_or(&[SocketAddr::from(([127, 0, 0, 1], 53))]),
-            secret_store.clone(),
-            None,
-        )
-        .await?;
-        tracing::info!("Initialized Net Controller");
-        let managers = ManagerMap::default();
-        let metrics_cache = RwLock::new(None);
-        let notification_manager = NotificationManager::new(secret_store.clone());
-        tracing::info!("Initialized Notification Manager");
-        let seed = Arc::new(RpcContextSeed {
-            is_closed: AtomicBool::new(false),
-            bind_rpc: base.bind_rpc.unwrap_or(([127, 0, 0, 1], 5959).into()),
-            bind_ws: base.bind_ws.unwrap_or(([127, 0, 0, 1], 5960).into()),
-            bind_static: base.bind_static.unwrap_or(([127, 0, 0, 1], 5961).into()),
-            datadir: base.datadir().to_path_buf(),
-            disk_guid,
-            db,
-            secret_store,
-            docker,
-            net_controller,
-            managers,
-            revision_cache_size: base.revision_cache_size.unwrap_or(512),
-            revision_cache: RwLock::new(VecDeque::new()),
-            metrics_cache,
-            shutdown,
-            tor_socks: tor_proxy,
-            notification_manager,
-            open_authed_websockets: Mutex::new(BTreeMap::new()),
-            rpc_stream_continuations: Mutex::new(BTreeMap::new()),
-            wifi_manager: Arc::new(RwLock::new(WpaCli::init("wlan0".to_string()))),
-        });
-
-        let res = Self(seed);
-        res.cleanup().await?;
-        tracing::info!("Cleaned up transient states");
-        res.managers
-            .init(
-                &res,
-                &mut res.db.handle(),
-                &mut res.secret_store.acquire().await?,
-            )
-            .await?;
-        tracing::info!("Initialized Package Managers");
-        Ok(res)
-    }
-
-    #[instrument(skip(self, db, receipts))]
-    pub async fn set_nginx_conf<Db: DbHandle>(
-        &self,
-        db: &mut Db,
-        receipts: RpcSetNginxReceipts,
-    ) -> Result<(), Error> {
-        tokio::fs::write("/etc/nginx/sites-available/default", {
-            let info = receipts.server_info.get(db).await?;
-            format!(
-                include_str!("../nginx/main-ui.conf.template"),
-                lan_hostname = info.lan_address.host_str().unwrap(),
-                tor_hostname = info.tor_address.host_str().unwrap(),
-            )
-        })
-        .await
-        .with_ctx(|_| {
-            (
-                crate::ErrorKind::Filesystem,
-                "/etc/nginx/sites-available/default",
-            )
-        })?;
-        Command::new("systemctl")
-            .arg("reload")
-            .arg("nginx")
-            .invoke(crate::ErrorKind::Nginx)
-            .await?;
-        Ok(())
-    }
-    #[instrument(skip(self))]
-    pub async fn shutdown(self) -> Result<(), Error> {
-        self.managers.empty().await?;
-        self.secret_store.close().await;
-        self.is_closed.store(true, Ordering::SeqCst);
-        Ok(())
-    }
-
-    #[instrument(skip(self))]
-    pub async fn cleanup(&self) -> Result<(), Error> {
-        let mut db = self.db.handle();
-        let receipts = RpcCleanReceipts::new(&mut db).await?;
-        for (package_id, package) in receipts.packages.get(&mut db).await?.0 {
-            if let Err(e) = async {
-                match package {
-                    PackageDataEntry::Installing { .. }
-                    | PackageDataEntry::Restoring { .. }
-                    | PackageDataEntry::Updating { .. } => {
-                        cleanup_failed(self, &mut db, &package_id, &receipts.cleanup_receipts)
-                            .await?;
-                    }
-                    PackageDataEntry::Removing { .. } => {
-                        uninstall(
-                            self,
-                            &mut db,
-                            &mut self.secret_store.acquire().await?,
-                            &package_id,
-                        )
-                        .await?;
-                    }
-                    PackageDataEntry::Installed {
-                        installed,
-                        static_files,
-                        manifest,
-                    } => {
-                        let status = installed.status;
-                        let main = match status.main {
-                            MainStatus::BackingUp { started, .. } => {
-                                if let Some(_) = started {
-                                    MainStatus::Starting { restarting: false }
-                                } else {
-                                    MainStatus::Stopped
-                                }
-                            }
-                            MainStatus::Running { .. } => {
-                                MainStatus::Starting { restarting: false }
-                            }
-                            a => a.clone(),
-                        };
-                        let new_package = PackageDataEntry::Installed {
-                            installed: InstalledPackageDataEntry {
-                                status: Status { main, ..status },
-                                ..installed
-                            },
-                            static_files,
-                            manifest,
-                        };
-                        receipts
-                            .package
-                            .set(&mut db, new_package, &package_id)
-                            .await?;
-                    }
-                }
-                Ok::<_, Error>(())
-            }
-            .await
-            {
-                tracing::error!("Failed to clean up package {}: {}", package_id, e);
-                tracing::debug!("{:?}", e);
-            }
-        }
-        Ok(())
-    }
-}
-impl Context for RpcContext {
-    fn host(&self) -> Host<&str> {
-        match self.0.bind_rpc.ip() {
-            IpAddr::V4(a) => Host::Ipv4(a),
-            IpAddr::V6(a) => Host::Ipv6(a),
-        }
-    }
-    fn port(&self) -> u16 {
-        self.0.bind_rpc.port()
-    }
-}
-impl Deref for RpcContext {
-    type Target = RpcContextSeed;
-    fn deref(&self) -> &Self::Target {
-        #[cfg(feature = "unstable")]
-        if self.0.is_closed.load(Ordering::SeqCst) {
-            panic!(
-                "RpcContext used after shutdown! {}",
-                tracing_error::SpanTrace::capture()
-            );
-        }
-        &*self.0
-    }
-}
-impl Drop for RpcContext {
-    fn drop(&mut self) {
-        #[cfg(feature = "unstable")]
-        if self.0.is_closed.load(Ordering::SeqCst) {
-            tracing::info!(
-                "RpcContext dropped. {} left.",
-                Arc::strong_count(&self.0) - 1
-            );
-        }
-    }
-}
--- a/backend/src/context/sdk.rs
+++ b/backend/src/context/sdk.rs
@@ -1,76 +0,0 @@
-use std::path::{Path, PathBuf};
-use std::sync::Arc;
-
-use clap::ArgMatches;
-use color_eyre::eyre::eyre;
-use rpc_toolkit::Context;
-use serde::Deserialize;
-use tracing::instrument;
-
-use crate::util::config::{load_config_from_paths, local_config_path};
-use crate::{Error, ResultExt};
-
-#[derive(Debug, Default, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct SdkContextConfig {
-    pub developer_key_path: Option<PathBuf>,
-}
-
-#[derive(Debug)]
-pub struct SdkContextSeed {
-    pub developer_key_path: PathBuf,
-}
-
-#[derive(Debug, Clone)]
-pub struct SdkContext(Arc<SdkContextSeed>);
-impl SdkContext {
-    /// BLOCKING
-    #[instrument(skip(matches))]
-    pub fn init(matches: &ArgMatches) -> Result<Self, crate::Error> {
-        let local_config_path = local_config_path();
-        let base: SdkContextConfig = load_config_from_paths(
-            matches
-                .values_of("config")
-                .into_iter()
-                .flatten()
-                .map(|p| Path::new(p))
-                .chain(local_config_path.as_deref().into_iter())
-                .chain(std::iter::once(Path::new(crate::util::config::CONFIG_PATH))),
-        )?;
-        Ok(SdkContext(Arc::new(SdkContextSeed {
-            developer_key_path: base.developer_key_path.unwrap_or_else(|| {
-                local_config_path
-                    .as_deref()
-                    .unwrap_or_else(|| Path::new(crate::util::config::CONFIG_PATH))
-                    .parent()
-                    .unwrap_or(Path::new("/"))
-                    .join("developer.key.pem")
-            }),
-        })))
-    }
-    /// BLOCKING
-    #[instrument]
-    pub fn developer_key(&self) -> Result<ed25519_dalek::Keypair, Error> {
-        if !self.developer_key_path.exists() {
-            return Err(Error::new(eyre!("Developer Key does not exist! Please run `embassy-sdk init` before running this command."), crate::ErrorKind::Uninitialized));
-        }
-        let pair = <ed25519::KeypairBytes as ed25519::pkcs8::DecodePrivateKey>::from_pkcs8_pem(
-            &std::fs::read_to_string(&self.developer_key_path)?,
-        )
-        .with_kind(crate::ErrorKind::Pem)?;
-        let secret = ed25519_dalek::SecretKey::from_bytes(&pair.secret_key[..])?;
-        let public = if let Some(public) = pair.public_key {
-            ed25519_dalek::PublicKey::from_bytes(&public[..])?
-        } else {
-            (&secret).into()
-        };
-        Ok(ed25519_dalek::Keypair { secret, public })
-    }
-}
-impl std::ops::Deref for SdkContext {
-    type Target = SdkContextSeed;
-    fn deref(&self) -> &Self::Target {
-        &*self.0
-    }
-}
-impl Context for SdkContext {}
--- a/backend/src/context/setup.rs
+++ b/backend/src/context/setup.rs
@@ -1,169 +0,0 @@
-use std::net::{IpAddr, SocketAddr};
-use std::ops::Deref;
-use std::path::{Path, PathBuf};
-use std::sync::Arc;
-use std::time::Duration;
-
-use patch_db::json_ptr::JsonPointer;
-use patch_db::PatchDb;
-use rpc_toolkit::yajrc::RpcError;
-use rpc_toolkit::Context;
-use serde::{Deserialize, Serialize};
-use sqlx::sqlite::SqliteConnectOptions;
-use sqlx::SqlitePool;
-use tokio::fs::File;
-use tokio::sync::broadcast::Sender;
-use tokio::sync::RwLock;
-use tracing::instrument;
-use url::Host;
-
-use crate::db::model::Database;
-use crate::hostname::{derive_hostname, derive_id, get_product_key};
-use crate::net::tor::os_key;
-use crate::setup::{password_hash, RecoveryStatus};
-use crate::util::io::from_yaml_async_reader;
-use crate::util::AsyncFileExt;
-use crate::{Error, ResultExt};
-
-#[derive(Clone, Serialize, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct SetupResult {
-    pub tor_address: String,
-    pub lan_address: String,
-    pub root_ca: String,
-}
-
-#[derive(Debug, Default, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct SetupContextConfig {
-    pub bind_rpc: Option<SocketAddr>,
-    pub datadir: Option<PathBuf>,
-}
-impl SetupContextConfig {
-    #[instrument(skip(path))]
-    pub async fn load<P: AsRef<Path>>(path: Option<P>) -> Result<Self, Error> {
-        let cfg_path = path
-            .as_ref()
-            .map(|p| p.as_ref())
-            .unwrap_or(Path::new(crate::util::config::CONFIG_PATH));
-        if let Some(f) = File::maybe_open(cfg_path)
-            .await
-            .with_ctx(|_| (crate::ErrorKind::Filesystem, cfg_path.display().to_string()))?
-        {
-            from_yaml_async_reader(f).await
-        } else {
-            Ok(Self::default())
-        }
-    }
-    pub fn datadir(&self) -> &Path {
-        self.datadir
-            .as_deref()
-            .unwrap_or_else(|| Path::new("/embassy-data"))
-    }
-}
-
-pub struct SetupContextSeed {
-    pub config_path: Option<PathBuf>,
-    pub bind_rpc: SocketAddr,
-    pub shutdown: Sender<()>,
-    pub datadir: PathBuf,
-    pub selected_v2_drive: RwLock<Option<PathBuf>>,
-    pub cached_product_key: RwLock<Option<Arc<String>>>,
-    pub recovery_status: RwLock<Option<Result<RecoveryStatus, RpcError>>>,
-    pub setup_result: RwLock<Option<(Arc<String>, SetupResult)>>,
-}
-
-#[derive(Clone)]
-pub struct SetupContext(Arc<SetupContextSeed>);
-impl SetupContext {
-    #[instrument(skip(path))]
-    pub async fn init<P: AsRef<Path>>(path: Option<P>) -> Result<Self, Error> {
-        let cfg = SetupContextConfig::load(path.as_ref()).await?;
-        let (shutdown, _) = tokio::sync::broadcast::channel(1);
-        let datadir = cfg.datadir().to_owned();
-        Ok(Self(Arc::new(SetupContextSeed {
-            config_path: path.as_ref().map(|p| p.as_ref().to_owned()),
-            bind_rpc: cfg.bind_rpc.unwrap_or(([127, 0, 0, 1], 5959).into()),
-            shutdown,
-            datadir,
-            selected_v2_drive: RwLock::new(None),
-            cached_product_key: RwLock::new(None),
-            recovery_status: RwLock::new(None),
-            setup_result: RwLock::new(None),
-        })))
-    }
-    #[instrument(skip(self))]
-    pub async fn db(&self, secret_store: &SqlitePool) -> Result<PatchDb, Error> {
-        let db_path = self.datadir.join("main").join("embassy.db");
-        let db = PatchDb::open(&db_path)
-            .await
-            .with_ctx(|_| (crate::ErrorKind::Filesystem, db_path.display().to_string()))?;
-        if !db.exists(&<JsonPointer>::default()).await? {
-            let pkey = self.product_key().await?;
-            let sid = derive_id(&*pkey);
-            let hostname = derive_hostname(&sid);
-            db.put(
-                &<JsonPointer>::default(),
-                &Database::init(
-                    sid,
-                    &hostname,
-                    &os_key(&mut secret_store.acquire().await?).await?,
-                    password_hash(&mut secret_store.acquire().await?).await?,
-                ),
-                None,
-            )
-            .await?;
-        }
-        Ok(db)
-    }
-    #[instrument(skip(self))]
-    pub async fn secret_store(&self) -> Result<SqlitePool, Error> {
-        let secret_store = SqlitePool::connect_with(
-            SqliteConnectOptions::new()
-                .filename(self.datadir.join("main").join("secrets.db"))
-                .create_if_missing(true)
-                .busy_timeout(Duration::from_secs(30)),
-        )
-        .await?;
-        sqlx::migrate!()
-            .run(&secret_store)
-            .await
-            .with_kind(crate::ErrorKind::Database)?;
-        Ok(secret_store)
-    }
-    #[instrument(skip(self))]
-    pub async fn product_key(&self) -> Result<Arc<String>, Error> {
-        Ok(
-            if let Some(k) = {
-                let guard = self.cached_product_key.read().await;
-                let res = guard.clone();
-                drop(guard);
-                res
-            } {
-                k
-            } else {
-                let k = Arc::new(get_product_key().await?);
-                *self.cached_product_key.write().await = Some(k.clone());
-                k
-            },
-        )
-    }
-}
-
-impl Context for SetupContext {
-    fn host(&self) -> Host<&str> {
-        match self.0.bind_rpc.ip() {
-            IpAddr::V4(a) => Host::Ipv4(a),
-            IpAddr::V6(a) => Host::Ipv6(a),
-        }
-    }
-    fn port(&self) -> u16 {
-        self.0.bind_rpc.port()
-    }
-}
-impl Deref for SetupContext {
-    type Target = SetupContextSeed;
-    fn deref(&self) -> &Self::Target {
-        &*self.0
-    }
-}
--- a/backend/src/control.rs
+++ b/backend/src/control.rs
@@ -1,216 +0,0 @@
-use std::collections::BTreeMap;
-
-use color_eyre::eyre::eyre;
-use patch_db::{DbHandle, LockReceipt, LockType};
-use rpc_toolkit::command;
-use tracing::instrument;
-
-use crate::context::RpcContext;
-use crate::db::util::WithRevision;
-use crate::dependencies::{
-    break_all_dependents_transitive, heal_all_dependents_transitive, BreakageRes, DependencyError,
-    DependencyReceipt, TaggedDependencyError,
-};
-use crate::s9pk::manifest::PackageId;
-use crate::status::MainStatus;
-use crate::util::display_none;
-use crate::util::serde::display_serializable;
-use crate::Error;
-
-#[derive(Clone)]
-pub struct StartReceipts {
-    dependency_receipt: DependencyReceipt,
-    status: LockReceipt<MainStatus, ()>,
-    version: LockReceipt<crate::util::Version, ()>,
-}
-
-impl StartReceipts {
-    pub async fn new(db: &mut impl DbHandle, id: &PackageId) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks, id);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(
-        locks: &mut Vec<patch_db::LockTargetId>,
-        id: &PackageId,
-    ) -> impl FnOnce(&patch_db::Verifier) -> Result<Self, Error> {
-        let dependency_receipt = DependencyReceipt::setup(locks);
-        let status = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(id)
-            .and_then(|x| x.installed())
-            .map(|x| x.status().main())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-        let version = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(id)
-            .and_then(|x| x.installed())
-            .map(|x| x.manifest().version())
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-        move |skeleton_key| {
-            Ok(Self {
-                dependency_receipt: dependency_receipt(skeleton_key)?,
-                status: status.verify(skeleton_key)?,
-                version: version.verify(skeleton_key)?,
-            })
-        }
-    }
-}
-
-#[command(display(display_none))]
-#[instrument(skip(ctx))]
-pub async fn start(
-    #[context] ctx: RpcContext,
-    #[arg] id: PackageId,
-) -> Result<WithRevision<()>, Error> {
-    let mut db = ctx.db.handle();
-    let mut tx = db.begin().await?;
-    let receipts = StartReceipts::new(&mut tx, &id).await?;
-    let version = receipts.version.get(&mut tx).await?;
-    receipts
-        .status
-        .set(&mut tx, MainStatus::Starting { restarting: false })
-        .await?;
-    heal_all_dependents_transitive(&ctx, &mut tx, &id, &receipts.dependency_receipt).await?;
-
-    let revision = tx.commit(None).await?;
-    drop(receipts);
-
-    ctx.managers
-        .get(&(id, version))
-        .await
-        .ok_or_else(|| Error::new(eyre!("Manager not found"), crate::ErrorKind::InvalidRequest))?
-        .synchronize()
-        .await;
-
-    Ok(WithRevision {
-        revision,
-        response: (),
-    })
-}
-#[derive(Clone)]
-pub struct StopReceipts {
-    breaks: crate::dependencies::BreakTransitiveReceipts,
-    status: LockReceipt<MainStatus, ()>,
-}
-
-impl StopReceipts {
-    pub async fn new<'a>(db: &'a mut impl DbHandle, id: &PackageId) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks, id);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(
-        locks: &mut Vec<patch_db::LockTargetId>,
-        id: &PackageId,
-    ) -> impl FnOnce(&patch_db::Verifier) -> Result<Self, Error> {
-        let breaks = crate::dependencies::BreakTransitiveReceipts::setup(locks);
-        let status = crate::db::DatabaseModel::new()
-            .package_data()
-            .idx_model(id)
-            .and_then(|x| x.installed())
-            .map(|x| x.status().main())
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-        move |skeleton_key| {
-            Ok(Self {
-                breaks: breaks(skeleton_key)?,
-                status: status.verify(skeleton_key)?,
-            })
-        }
-    }
-}
-
-#[instrument(skip(db))]
-async fn stop_common<Db: DbHandle>(
-    db: &mut Db,
-    id: &PackageId,
-    breakages: &mut BTreeMap<PackageId, TaggedDependencyError>,
-) -> Result<(), Error> {
-    let mut tx = db.begin().await?;
-    let receipts = StopReceipts::new(&mut tx, id).await?;
-    receipts.status.set(&mut tx, MainStatus::Stopping).await?;
-
-    tx.save().await?;
-    break_all_dependents_transitive(
-        db,
-        id,
-        DependencyError::NotRunning,
-        breakages,
-        &receipts.breaks,
-    )
-    .await?;
-
-    Ok(())
-}
-
-#[command(subcommands(self(stop_impl(async)), stop_dry), display(display_none))]
-pub fn stop(#[arg] id: PackageId) -> Result<PackageId, Error> {
-    Ok(id)
-}
-
-#[command(rename = "dry", display(display_serializable))]
-#[instrument(skip(ctx))]
-pub async fn stop_dry(
-    #[context] ctx: RpcContext,
-    #[parent_data] id: PackageId,
-) -> Result<BreakageRes, Error> {
-    let mut db = ctx.db.handle();
-    let mut tx = db.begin().await?;
-
-    let mut breakages = BTreeMap::new();
-    stop_common(&mut tx, &id, &mut breakages).await?;
-
-    tx.abort().await?;
-
-    Ok(BreakageRes(breakages))
-}
-
-#[instrument(skip(ctx))]
-pub async fn stop_impl(ctx: RpcContext, id: PackageId) -> Result<WithRevision<()>, Error> {
-    let mut db = ctx.db.handle();
-    let mut tx = db.begin().await?;
-
-    stop_common(&mut tx, &id, &mut BTreeMap::new()).await?;
-
-    Ok(WithRevision {
-        revision: tx.commit(None).await?,
-        response: (),
-    })
-}
-
-#[command(display(display_none))]
-pub async fn restart(
-    #[context] ctx: RpcContext,
-    #[arg] id: PackageId,
-) -> Result<WithRevision<()>, Error> {
-    let mut db = ctx.db.handle();
-    let mut tx = db.begin().await?;
-
-    let mut status = crate::db::DatabaseModel::new()
-        .package_data()
-        .idx_model(&id)
-        .and_then(|pde| pde.installed())
-        .map(|i| i.status().main())
-        .get_mut(&mut tx)
-        .await?;
-    if !matches!(&*status, Some(MainStatus::Running { .. })) {
-        return Err(Error::new(
-            eyre!("{} is not running", id),
-            crate::ErrorKind::InvalidRequest,
-        ));
-    }
-    *status = Some(MainStatus::Restarting);
-    status.save(&mut tx).await?;
-
-    Ok(WithRevision {
-        revision: tx.commit(None).await?,
-        response: (),
-    })
-}
--- a/backend/src/core/mod.rs
+++ b/backend/src/core/mod.rs
@@ -1 +0,0 @@
-pub mod rpc_continuations;
--- a/backend/src/core/rpc_continuations.rs
+++ b/backend/src/core/rpc_continuations.rs
@@ -1,53 +0,0 @@
-use std::time::Instant;
-
-use futures::future::BoxFuture;
-use http::{Request, Response};
-use hyper::Body;
-use rand::RngCore;
-
-#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, serde::Serialize, serde::Deserialize)]
-pub struct RequestGuid<T: AsRef<str> = String>(T);
-impl RequestGuid {
-    pub fn new() -> Self {
-        let mut buf = [0; 40];
-        rand::thread_rng().fill_bytes(&mut buf);
-        RequestGuid(base32::encode(
-            base32::Alphabet::RFC4648 { padding: false },
-            &buf,
-        ))
-    }
-
-    pub fn from(r: &str) -> Option<RequestGuid> {
-        if r.len() != 64 {
-            return None;
-        }
-        for c in r.chars() {
-            if !(c >= 'A' && c <= 'Z' || c >= '2' && c <= '7') {
-                return None;
-            }
-        }
-        Some(RequestGuid(r.to_owned()))
-    }
-}
-#[test]
-fn parse_guid() {
-    println!(
-        "{:?}",
-        RequestGuid::from(&format!("{}", RequestGuid::new()))
-    )
-}
-
-impl<T: AsRef<str>> std::fmt::Display for RequestGuid<T> {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        self.0.as_ref().fmt(f)
-    }
-}
-
-pub struct RpcContinuation {
-    pub created_at: Instant,
-    pub handler: Box<
-        dyn FnOnce(Request<Body>) -> BoxFuture<'static, Result<Response<Body>, crate::Error>>
-            + Send
-            + Sync,
-    >,
-}
--- a/backend/src/db/mod.rs
+++ b/backend/src/db/mod.rs
@@ -1,279 +0,0 @@
-pub mod model;
-pub mod package;
-pub mod util;
-
-use std::borrow::Cow;
-use std::future::Future;
-use std::sync::Arc;
-use std::time::Duration;
-
-use color_eyre::eyre::eyre;
-use futures::{FutureExt, SinkExt, StreamExt};
-use patch_db::json_ptr::JsonPointer;
-use patch_db::{Dump, Revision};
-use rpc_toolkit::command;
-use rpc_toolkit::hyper::upgrade::Upgraded;
-use rpc_toolkit::hyper::{Body, Error as HyperError, Request, Response};
-use rpc_toolkit::yajrc::{GenericRpcMethod, RpcError, RpcResponse};
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
-use tokio::sync::{broadcast, oneshot};
-use tokio::task::JoinError;
-use tokio_tungstenite::tungstenite::Message;
-use tokio_tungstenite::WebSocketStream;
-use tracing::instrument;
-
-pub use self::model::DatabaseModel;
-use self::util::WithRevision;
-use crate::context::RpcContext;
-use crate::middleware::auth::{HasValidSession, HashSessionToken};
-use crate::util::serde::{display_serializable, IoFormat};
-use crate::{Error, ResultExt};
-
-#[instrument(skip(ctx, ws_fut))]
-async fn ws_handler<
-    WSFut: Future<Output = Result<Result<WebSocketStream<Upgraded>, HyperError>, JoinError>>,
->(
-    ctx: RpcContext,
-    ws_fut: WSFut,
-) -> Result<(), Error> {
-    let (dump, sub) = ctx.db.dump_and_sub().await;
-    let mut stream = ws_fut
-        .await
-        .with_kind(crate::ErrorKind::Network)?
-        .with_kind(crate::ErrorKind::Unknown)?;
-
-    let (has_valid_session, token) = loop {
-        if let Some(Message::Text(cookie)) = stream
-            .next()
-            .await
-            .transpose()
-            .with_kind(crate::ErrorKind::Network)?
-        {
-            let cookie_str = serde_json::from_str::<Cow<str>>(&cookie)
-                .with_kind(crate::ErrorKind::Deserialization)?;
-
-            let id = basic_cookies::Cookie::parse(&cookie_str)
-                .with_kind(crate::ErrorKind::Authorization)?
-                .into_iter()
-                .find(|c| c.get_name() == "session")
-                .ok_or_else(|| {
-                    Error::new(eyre!("UNAUTHORIZED"), crate::ErrorKind::Authorization)
-                })?;
-            let authenticated_session = HashSessionToken::from_cookie(&id);
-            match HasValidSession::from_session(&authenticated_session, &ctx).await {
-                Err(e) => {
-                    stream
-                        .send(Message::Text(
-                            serde_json::to_string(
-                                &RpcResponse::<GenericRpcMethod<String>>::from_result(Err::<
-                                    _,
-                                    RpcError,
-                                >(
-                                    e.into()
-                                )),
-                            )
-                            .with_kind(crate::ErrorKind::Serialization)?,
-                        ))
-                        .await
-                        .with_kind(crate::ErrorKind::Network)?;
-                    return Ok(());
-                }
-                Ok(has_validation) => break (has_validation, authenticated_session),
-            }
-        }
-    };
-    let kill = subscribe_to_session_kill(&ctx, token).await;
-    send_dump(has_valid_session, &mut stream, dump).await?;
-
-    deal_with_messages(has_valid_session, kill, sub, stream).await?;
-    Ok(())
-}
-
-async fn subscribe_to_session_kill(
-    ctx: &RpcContext,
-    token: HashSessionToken,
-) -> oneshot::Receiver<()> {
-    let (send, recv) = oneshot::channel();
-    let mut guard = ctx.open_authed_websockets.lock().await;
-    if !guard.contains_key(&token) {
-        guard.insert(token, vec![send]);
-    } else {
-        guard.get_mut(&token).unwrap().push(send);
-    }
-    recv
-}
-
-#[instrument(skip(_has_valid_authentication, kill, sub, stream))]
-async fn deal_with_messages(
-    _has_valid_authentication: HasValidSession,
-    mut kill: oneshot::Receiver<()>,
-    mut sub: broadcast::Receiver<Arc<Revision>>,
-    mut stream: WebSocketStream<Upgraded>,
-) -> Result<(), Error> {
-    loop {
-        futures::select! {
-            _ = (&mut kill).fuse() => {
-                tracing::info!("Closing WebSocket: Reason: Session Terminated");
-                return Ok(())
-            }
-            new_rev = sub.recv().fuse() => {
-                let rev = new_rev.with_kind(crate::ErrorKind::Database)?;
-                stream
-                    .send(Message::Text(
-                        serde_json::to_string(
-                            &RpcResponse::<GenericRpcMethod<String>>::from_result(Ok::<_, RpcError>(
-                                serde_json::to_value(&rev).with_kind(crate::ErrorKind::Serialization)?,
-                            )),
-                        )
-                        .with_kind(crate::ErrorKind::Serialization)?,
-                    ))
-                    .await
-                    .with_kind(crate::ErrorKind::Network)?;
-            }
-            message = stream.next().fuse() => {
-                let message = message.transpose().with_kind(crate::ErrorKind::Network)?;
-                match message {
-                    Some(Message::Ping(a)) => {
-                        stream
-                            .send(Message::Pong(a))
-                            .await
-                            .with_kind(crate::ErrorKind::Network)?;
-                    }
-                    Some(Message::Close(frame)) => {
-                        if let Some(reason) = frame.as_ref() {
-                            tracing::info!("Closing WebSocket: Reason: {} {}", reason.code, reason.reason);
-                        } else {
-                            tracing::info!("Closing WebSocket: Reason: Unknown");
-                        }
-                        return Ok(())
-                    }
-                    None => {
-                        tracing::info!("Closing WebSocket: Stream Finished");
-                        return Ok(())
-                    }
-                    _ => (),
-                }
-            }
-            _ = tokio::time::sleep(Duration::from_secs(10)).fuse() => {
-                stream
-                    .send(Message::Ping(Vec::new()))
-                    .await
-                    .with_kind(crate::ErrorKind::Network)?;
-            }
-        }
-    }
-}
-
-async fn send_dump(
-    _has_valid_authentication: HasValidSession,
-    stream: &mut WebSocketStream<Upgraded>,
-    dump: Dump,
-) -> Result<(), Error> {
-    stream
-        .send(Message::Text(
-            serde_json::to_string(&RpcResponse::<GenericRpcMethod<String>>::from_result(Ok::<
-                _,
-                RpcError,
-            >(
-                serde_json::to_value(&dump).with_kind(crate::ErrorKind::Serialization)?,
-            )))
-            .with_kind(crate::ErrorKind::Serialization)?,
-        ))
-        .await
-        .with_kind(crate::ErrorKind::Network)?;
-    Ok(())
-}
-
-pub async fn subscribe(ctx: RpcContext, req: Request<Body>) -> Result<Response<Body>, Error> {
-    let (parts, body) = req.into_parts();
-    let req = Request::from_parts(parts, body);
-    let (res, ws_fut) = hyper_ws_listener::create_ws(req).with_kind(crate::ErrorKind::Network)?;
-    if let Some(ws_fut) = ws_fut {
-        tokio::task::spawn(async move {
-            match ws_handler(ctx, ws_fut).await {
-                Ok(()) => (),
-                Err(e) => {
-                    tracing::error!("WebSocket Closed: {}", e);
-                    tracing::debug!("{:?}", e);
-                }
-            }
-        });
-    }
-
-    Ok(res)
-}
-
-#[command(subcommands(revisions, dump, put))]
-pub fn db() -> Result<(), RpcError> {
-    Ok(())
-}
-
-#[derive(Deserialize, Serialize)]
-#[serde(untagged)]
-pub enum RevisionsRes {
-    Revisions(Vec<Arc<Revision>>),
-    Dump(Dump),
-}
-
-#[command(display(display_serializable))]
-pub async fn revisions(
-    #[context] ctx: RpcContext,
-    #[arg] since: u64,
-    #[allow(unused_variables)]
-    #[arg(long = "format")]
-    format: Option<IoFormat>,
-) -> Result<RevisionsRes, RpcError> {
-    let cache = ctx.revision_cache.read().await;
-    if cache
-        .front()
-        .map(|rev| rev.id <= since + 1)
-        .unwrap_or(false)
-    {
-        Ok(RevisionsRes::Revisions(
-            cache
-                .iter()
-                .skip_while(|rev| rev.id < since + 1)
-                .cloned()
-                .collect(),
-        ))
-    } else {
-        drop(cache);
-        Ok(RevisionsRes::Dump(ctx.db.dump().await))
-    }
-}
-
-#[command(display(display_serializable))]
-pub async fn dump(
-    #[context] ctx: RpcContext,
-    #[allow(unused_variables)]
-    #[arg(long = "format")]
-    format: Option<IoFormat>,
-) -> Result<Dump, RpcError> {
-    Ok(ctx.db.dump().await)
-}
-
-#[command(subcommands(ui))]
-pub fn put() -> Result<(), RpcError> {
-    Ok(())
-}
-
-#[command(display(display_serializable))]
-#[instrument(skip(ctx))]
-pub async fn ui(
-    #[context] ctx: RpcContext,
-    #[arg] pointer: JsonPointer,
-    #[arg] value: Value,
-    #[allow(unused_variables)]
-    #[arg(long = "format")]
-    format: Option<IoFormat>,
-) -> Result<WithRevision<()>, Error> {
-    let ptr = "/ui"
-        .parse::<JsonPointer>()
-        .with_kind(crate::ErrorKind::Database)?
-        + &pointer;
-    Ok(WithRevision {
-        response: (),
-        revision: ctx.db.put(&ptr, &value, None).await?,
-    })
-}
--- a/backend/src/db/model.rs
+++ b/backend/src/db/model.rs
@@ -1,371 +0,0 @@
-use std::collections::{BTreeMap, BTreeSet};
-use std::sync::Arc;
-
-use chrono::{DateTime, Utc};
-use emver::VersionRange;
-use isocountry::CountryCode;
-use patch_db::json_ptr::JsonPointer;
-use patch_db::{HasModel, Map, MapModel, OptionModel};
-use reqwest::Url;
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
-use torut::onion::TorSecretKeyV3;
-
-use crate::config::spec::{PackagePointerSpec, SystemPointerSpec};
-use crate::install::progress::InstallProgress;
-use crate::net::interface::InterfaceId;
-use crate::s9pk::manifest::{Manifest, ManifestModel, PackageId};
-use crate::status::health_check::HealthCheckId;
-use crate::status::Status;
-use crate::util::Version;
-use crate::version::{Current, VersionT};
-
-#[derive(Debug, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct Database {
-    #[model]
-    pub server_info: ServerInfo,
-    #[model]
-    pub package_data: AllPackageData,
-    #[model]
-    pub recovered_packages: BTreeMap<PackageId, RecoveredPackageInfo>,
-    pub ui: Value,
-}
-impl Database {
-    pub fn init(
-        id: String,
-        hostname: &str,
-        tor_key: &TorSecretKeyV3,
-        password_hash: String,
-    ) -> Self {
-        // TODO
-        Database {
-            server_info: ServerInfo {
-                id,
-                version: Current::new().semver().into(),
-                last_backup: None,
-                last_wifi_region: None,
-                eos_version_compat: Current::new().compat().clone(),
-                lan_address: format!("https://{}.local", hostname).parse().unwrap(),
-                tor_address: format!("http://{}", tor_key.public().get_onion_address())
-                    .parse()
-                    .unwrap(),
-                status_info: ServerStatus {
-                    backup_progress: None,
-                    updated: false,
-                    update_progress: None,
-                },
-                wifi: WifiInfo {
-                    ssids: Vec::new(),
-                    connected: None,
-                    selected: None,
-                },
-                unread_notification_count: 0,
-                connection_addresses: ConnectionAddresses {
-                    tor: Vec::new(),
-                    clearnet: Vec::new(),
-                },
-                password_hash,
-            },
-            package_data: AllPackageData::default(),
-            recovered_packages: BTreeMap::new(),
-            ui: Value::Object(Default::default()),
-        }
-    }
-}
-impl DatabaseModel {
-    pub fn new() -> Self {
-        Self::from(JsonPointer::default())
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct ServerInfo {
-    pub id: String,
-    pub version: Version,
-    pub last_backup: Option<DateTime<Utc>>,
-    /// Used in the wifi to determine the region to set the system to
-    pub last_wifi_region: Option<CountryCode>,
-    pub eos_version_compat: VersionRange,
-    pub lan_address: Url,
-    pub tor_address: Url,
-    #[model]
-    #[serde(default)]
-    pub status_info: ServerStatus,
-    pub wifi: WifiInfo,
-    pub unread_notification_count: u64,
-    pub connection_addresses: ConnectionAddresses,
-    pub password_hash: String,
-}
-
-#[derive(Debug, Default, Deserialize, Serialize, HasModel)]
-pub struct BackupProgress {
-    pub complete: bool,
-}
-
-#[derive(Debug, Default, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct ServerStatus {
-    #[model]
-    pub backup_progress: Option<BTreeMap<PackageId, BackupProgress>>,
-    pub updated: bool,
-    #[model]
-    pub update_progress: Option<UpdateProgress>,
-}
-
-#[derive(Debug, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct UpdateProgress {
-    pub size: Option<u64>,
-    pub downloaded: u64,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct WifiInfo {
-    pub ssids: Vec<String>,
-    pub selected: Option<String>,
-    pub connected: Option<String>,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct ServerSpecs {
-    pub cpu: String,
-    pub disk: String,
-    pub memory: String,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct ConnectionAddresses {
-    pub tor: Vec<String>,
-    pub clearnet: Vec<String>,
-}
-
-#[derive(Debug, Default, Deserialize, Serialize)]
-pub struct AllPackageData(pub BTreeMap<PackageId, PackageDataEntry>);
-impl Map for AllPackageData {
-    type Key = PackageId;
-    type Value = PackageDataEntry;
-    fn get(&self, key: &Self::Key) -> Option<&Self::Value> {
-        self.0.get(key)
-    }
-}
-impl HasModel for AllPackageData {
-    type Model = MapModel<Self>;
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct StaticFiles {
-    license: String,
-    instructions: String,
-    icon: String,
-}
-impl StaticFiles {
-    pub fn local(id: &PackageId, version: &Version, icon_type: &str) -> Self {
-        StaticFiles {
-            license: format!("/public/package-data/{}/{}/LICENSE.md", id, version),
-            instructions: format!("/public/package-data/{}/{}/INSTRUCTIONS.md", id, version),
-            icon: format!("/public/package-data/{}/{}/icon.{}", id, version, icon_type),
-        }
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize, HasModel)]
-#[serde(tag = "state")]
-#[serde(rename_all = "kebab-case")]
-pub enum PackageDataEntry {
-    #[serde(rename_all = "kebab-case")]
-    Installing {
-        static_files: StaticFiles,
-        manifest: Manifest,
-        install_progress: Arc<InstallProgress>,
-    },
-    #[serde(rename_all = "kebab-case")]
-    Updating {
-        static_files: StaticFiles,
-        manifest: Manifest,
-        installed: InstalledPackageDataEntry,
-        install_progress: Arc<InstallProgress>,
-    },
-    #[serde(rename_all = "kebab-case")]
-    Restoring {
-        static_files: StaticFiles,
-        manifest: Manifest,
-        install_progress: Arc<InstallProgress>,
-    },
-    #[serde(rename_all = "kebab-case")]
-    Removing {
-        static_files: StaticFiles,
-        manifest: Manifest,
-        removing: InstalledPackageDataEntry,
-    },
-    #[serde(rename_all = "kebab-case")]
-    Installed {
-        static_files: StaticFiles,
-        manifest: Manifest,
-        installed: InstalledPackageDataEntry,
-    },
-}
-impl PackageDataEntry {
-    pub fn installed(&self) -> Option<&InstalledPackageDataEntry> {
-        match self {
-            Self::Installing { .. } | Self::Restoring { .. } | Self::Removing { .. } => None,
-            Self::Updating { installed, .. } | Self::Installed { installed, .. } => Some(installed),
-        }
-    }
-    pub fn installed_mut(&mut self) -> Option<&mut InstalledPackageDataEntry> {
-        match self {
-            Self::Installing { .. } | Self::Restoring { .. } | Self::Removing { .. } => None,
-            Self::Updating { installed, .. } | Self::Installed { installed, .. } => Some(installed),
-        }
-    }
-    pub fn into_installed(self) -> Option<InstalledPackageDataEntry> {
-        match self {
-            Self::Installing { .. } | Self::Restoring { .. } | Self::Removing { .. } => None,
-            Self::Updating { installed, .. } | Self::Installed { installed, .. } => Some(installed),
-        }
-    }
-    pub fn manifest(self) -> Manifest {
-        match self {
-            PackageDataEntry::Installing { manifest, .. } => manifest,
-            PackageDataEntry::Updating { manifest, .. } => manifest,
-            PackageDataEntry::Restoring { manifest, .. } => manifest,
-            PackageDataEntry::Removing { manifest, .. } => manifest,
-            PackageDataEntry::Installed { manifest, .. } => manifest,
-        }
-    }
-}
-impl PackageDataEntryModel {
-    pub fn installed(self) -> OptionModel<InstalledPackageDataEntry> {
-        self.0.child("installed").into()
-    }
-    pub fn removing(self) -> OptionModel<InstalledPackageDataEntry> {
-        self.0.child("removing").into()
-    }
-    pub fn install_progress(self) -> OptionModel<InstallProgress> {
-        self.0.child("install-progress").into()
-    }
-    pub fn manifest(self) -> ManifestModel {
-        self.0.child("manifest").into()
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct InstalledPackageDataEntry {
-    #[model]
-    pub status: Status,
-    pub marketplace_url: Option<Url>,
-    #[serde(default)]
-    #[serde(with = "crate::util::serde::ed25519_pubkey")]
-    pub developer_key: ed25519_dalek::PublicKey,
-    #[model]
-    pub manifest: Manifest,
-    pub last_backup: Option<DateTime<Utc>>,
-    #[model]
-    pub system_pointers: Vec<SystemPointerSpec>,
-    #[model]
-    pub dependency_info: BTreeMap<PackageId, StaticDependencyInfo>,
-    #[model]
-    pub current_dependents: CurrentDependents,
-    #[model]
-    pub current_dependencies: CurrentDependencies,
-    #[model]
-    pub interface_addresses: InterfaceAddressMap,
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-pub struct CurrentDependents(pub BTreeMap<PackageId, CurrentDependencyInfo>);
-impl CurrentDependents {
-    pub fn map(
-        mut self,
-        transform: impl Fn(
-            BTreeMap<PackageId, CurrentDependencyInfo>,
-        ) -> BTreeMap<PackageId, CurrentDependencyInfo>,
-    ) -> Self {
-        self.0 = transform(self.0);
-        self
-    }
-}
-impl Map for CurrentDependents {
-    type Key = PackageId;
-    type Value = CurrentDependencyInfo;
-    fn get(&self, key: &Self::Key) -> Option<&Self::Value> {
-        self.0.get(key)
-    }
-}
-impl HasModel for CurrentDependents {
-    type Model = MapModel<Self>;
-}
-
-#[derive(Debug, Clone, Default, Deserialize, Serialize)]
-pub struct CurrentDependencies(pub BTreeMap<PackageId, CurrentDependencyInfo>);
-impl CurrentDependencies {
-    pub fn map(
-        mut self,
-        transform: impl Fn(
-            BTreeMap<PackageId, CurrentDependencyInfo>,
-        ) -> BTreeMap<PackageId, CurrentDependencyInfo>,
-    ) -> Self {
-        self.0 = transform(self.0);
-        self
-    }
-}
-impl Map for CurrentDependencies {
-    type Key = PackageId;
-    type Value = CurrentDependencyInfo;
-    fn get(&self, key: &Self::Key) -> Option<&Self::Value> {
-        self.0.get(key)
-    }
-}
-impl HasModel for CurrentDependencies {
-    type Model = MapModel<Self>;
-}
-
-#[derive(Clone, Debug, Default, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct StaticDependencyInfo {
-    pub manifest: Option<Manifest>,
-    pub icon: String,
-}
-
-#[derive(Clone, Debug, Default, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct CurrentDependencyInfo {
-    pub pointers: Vec<PackagePointerSpec>,
-    pub health_checks: BTreeSet<HealthCheckId>,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct InterfaceAddressMap(pub BTreeMap<InterfaceId, InterfaceAddresses>);
-impl Map for InterfaceAddressMap {
-    type Key = InterfaceId;
-    type Value = InterfaceAddresses;
-    fn get(&self, key: &Self::Key) -> Option<&Self::Value> {
-        self.0.get(key)
-    }
-}
-impl HasModel for InterfaceAddressMap {
-    type Model = MapModel<Self>;
-}
-
-#[derive(Debug, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct InterfaceAddresses {
-    #[model]
-    pub tor_address: Option<String>,
-    #[model]
-    pub lan_address: Option<String>,
-}
-
-#[derive(Debug, Deserialize, Serialize, HasModel)]
-#[serde(rename_all = "kebab-case")]
-pub struct RecoveredPackageInfo {
-    pub title: String,
-    pub icon: String,
-    pub version: Version,
-}
--- a/backend/src/db/package.rs
+++ b/backend/src/db/package.rs
@@ -1,75 +0,0 @@
-use patch_db::{DbHandle, LockReceipt, LockTargetId, LockType, Verifier};
-
-use crate::s9pk::manifest::{Manifest, PackageId};
-use crate::Error;
-
-pub struct PackageReceipts {
-    package_data: LockReceipt<super::model::AllPackageData, ()>,
-}
-
-impl PackageReceipts {
-    pub async fn new<'a>(db: &'a mut impl DbHandle) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(locks: &mut Vec<LockTargetId>) -> impl FnOnce(&Verifier) -> Result<Self, Error> {
-        let package_data = crate::db::DatabaseModel::new()
-            .package_data()
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-        move |skeleton_key| {
-            Ok(Self {
-                package_data: package_data.verify(&skeleton_key)?,
-            })
-        }
-    }
-}
-
-pub async fn get_packages<Db: DbHandle>(
-    db: &mut Db,
-    receipts: &PackageReceipts,
-) -> Result<Vec<PackageId>, Error> {
-    let packages = receipts.package_data.get(db).await?;
-    Ok(packages.0.keys().cloned().collect())
-}
-
-pub struct ManifestReceipts {
-    manifest: LockReceipt<Manifest, String>,
-}
-
-impl ManifestReceipts {
-    pub async fn new<'a>(db: &'a mut impl DbHandle, id: &PackageId) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks, id);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(
-        locks: &mut Vec<LockTargetId>,
-        _id: &PackageId,
-    ) -> impl FnOnce(&Verifier) -> Result<Self, Error> {
-        let manifest = crate::db::DatabaseModel::new()
-            .package_data()
-            .star()
-            .manifest()
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-        move |skeleton_key| {
-            Ok(Self {
-                manifest: manifest.verify(&skeleton_key)?,
-            })
-        }
-    }
-}
-
-pub async fn get_manifest<Db: DbHandle>(
-    db: &mut Db,
-    pkg: &PackageId,
-    receipts: &ManifestReceipts,
-) -> Result<Option<Manifest>, Error> {
-    Ok(receipts.manifest.get(db, pkg).await?)
-}
--- a/backend/src/db/util.rs
+++ b/backend/src/db/util.rs
@@ -1,10 +0,0 @@
-use std::sync::Arc;
-
-use patch_db::Revision;
-use serde::{Deserialize, Serialize};
-
-#[derive(Clone, Debug, Deserialize, Serialize)]
-pub struct WithRevision<T> {
-    pub response: T,
-    pub revision: Option<Arc<Revision>>,
-}
--- a/backend/src/dependencies.rs
+++ b/backend/src/dependencies.rs
--- a/backend/src/developer/mod.rs
+++ b/backend/src/developer/mod.rs
@@ -1,45 +0,0 @@
-use std::fs::File;
-use std::io::Write;
-use std::path::Path;
-
-use ed25519::pkcs8::EncodePrivateKey;
-use ed25519_dalek::Keypair;
-use rpc_toolkit::command;
-use tracing::instrument;
-
-use crate::context::SdkContext;
-use crate::util::display_none;
-use crate::{Error, ResultExt};
-
-#[command(cli_only, blocking, display(display_none))]
-#[instrument(skip(ctx))]
-pub fn init(#[context] ctx: SdkContext) -> Result<(), Error> {
-    if !ctx.developer_key_path.exists() {
-        let parent = ctx.developer_key_path.parent().unwrap_or(Path::new("/"));
-        if !parent.exists() {
-            std::fs::create_dir_all(parent)
-                .with_ctx(|_| (crate::ErrorKind::Filesystem, parent.display().to_string()))?;
-        }
-        tracing::info!("Generating new developer key...");
-        let keypair = Keypair::generate(&mut rand::thread_rng());
-        tracing::info!("Writing key to {}", ctx.developer_key_path.display());
-        let keypair_bytes = ed25519::KeypairBytes {
-            secret_key: keypair.secret.to_bytes(),
-            public_key: Some(keypair.public.to_bytes()),
-        };
-        let mut dev_key_file = File::create(&ctx.developer_key_path)?;
-        dev_key_file.write_all(
-            keypair_bytes
-                .to_pkcs8_pem(base64ct::LineEnding::default())
-                .with_kind(crate::ErrorKind::Pem)?
-                .as_bytes(),
-        )?;
-        dev_key_file.sync_all()?;
-    }
-    Ok(())
-}
-
-#[command(subcommands(crate::s9pk::verify, crate::config::verify_spec))]
-pub fn verify() -> Result<(), Error> {
-    Ok(())
-}
--- a/backend/src/diagnostic.rs
+++ b/backend/src/diagnostic.rs
@@ -1,72 +0,0 @@
-use std::path::Path;
-use std::sync::Arc;
-
-use rpc_toolkit::command;
-use rpc_toolkit::yajrc::RpcError;
-
-use crate::context::DiagnosticContext;
-use crate::disk::repair;
-use crate::logs::{display_logs, fetch_logs, LogResponse, LogSource};
-use crate::shutdown::Shutdown;
-use crate::util::display_none;
-use crate::Error;
-
-pub const SYSTEMD_UNIT: &'static str = "embassy-init";
-
-#[command(subcommands(error, logs, exit, restart, forget_disk, disk))]
-pub fn diagnostic() -> Result<(), Error> {
-    Ok(())
-}
-
-#[command]
-pub fn error(#[context] ctx: DiagnosticContext) -> Result<Arc<RpcError>, Error> {
-    Ok(ctx.error.clone())
-}
-
-#[command(display(display_logs))]
-pub async fn logs(
-    #[arg] limit: Option<usize>,
-    #[arg] cursor: Option<String>,
-    #[arg] before_flag: Option<bool>,
-) -> Result<LogResponse, Error> {
-    Ok(fetch_logs(
-        LogSource::Service(SYSTEMD_UNIT),
-        limit,
-        cursor,
-        before_flag.unwrap_or(false),
-    )
-    .await?)
-}
-
-#[command(display(display_none))]
-pub fn exit(#[context] ctx: DiagnosticContext) -> Result<(), Error> {
-    ctx.shutdown.send(None).expect("receiver dropped");
-    Ok(())
-}
-
-#[command(display(display_none))]
-pub fn restart(#[context] ctx: DiagnosticContext) -> Result<(), Error> {
-    ctx.shutdown
-        .send(Some(Shutdown {
-            datadir: ctx.datadir.clone(),
-            disk_guid: ctx.disk_guid.clone(),
-            db_handle: None,
-            restart: true,
-        }))
-        .expect("receiver dropped");
-    Ok(())
-}
-
-#[command(subcommands(forget_disk, repair))]
-pub fn disk() -> Result<(), Error> {
-    Ok(())
-}
-
-#[command(rename = "forget", display(display_none))]
-pub async fn forget_disk() -> Result<(), Error> {
-    let disk_guid = Path::new("/embassy-os/disk.guid");
-    if tokio::fs::metadata(disk_guid).await.is_ok() {
-        tokio::fs::remove_file(disk_guid).await?;
-    }
-    Ok(())
-}
--- a/backend/src/disk/fsck.rs
+++ b/backend/src/disk/fsck.rs
@@ -1,120 +0,0 @@
-use std::ffi::OsStr;
-use std::path::Path;
-
-use color_eyre::eyre::eyre;
-use futures::future::BoxFuture;
-use futures::FutureExt;
-use tokio::process::Command;
-use tracing::instrument;
-
-use crate::Error;
-
-#[derive(Debug, Clone, Copy)]
-#[must_use]
-pub struct RequiresReboot(pub bool);
-impl std::ops::BitOrAssign for RequiresReboot {
-    fn bitor_assign(&mut self, rhs: Self) {
-        self.0 |= rhs.0
-    }
-}
-
-#[derive(Debug, Clone, Copy)]
-pub enum RepairStrategy {
-    Preen,
-    Aggressive,
-}
-impl RepairStrategy {
-    pub async fn e2fsck(
-        &self,
-        logicalname: impl AsRef<Path> + std::fmt::Debug,
-    ) -> Result<RequiresReboot, Error> {
-        match self {
-            RepairStrategy::Preen => e2fsck_preen(logicalname).await,
-            RepairStrategy::Aggressive => e2fsck_aggressive(logicalname).await,
-        }
-    }
-}
-
-#[instrument]
-pub async fn e2fsck_preen(
-    logicalname: impl AsRef<Path> + std::fmt::Debug,
-) -> Result<RequiresReboot, Error> {
-    e2fsck_runner(Command::new("e2fsck").arg("-p"), logicalname).await
-}
-
-fn backup_existing_undo_file<'a>(path: &'a Path) -> BoxFuture<'a, Result<(), Error>> {
-    async move {
-        if tokio::fs::metadata(path).await.is_ok() {
-            let bak = path.with_extension(format!(
-                "{}.bak",
-                path.extension()
-                    .and_then(|s| s.to_str())
-                    .unwrap_or_default()
-            ));
-            backup_existing_undo_file(&bak).await?;
-            tokio::fs::rename(path, &bak).await?;
-        }
-        Ok(())
-    }
-    .boxed()
-}
-
-#[instrument]
-pub async fn e2fsck_aggressive(
-    logicalname: impl AsRef<Path> + std::fmt::Debug,
-) -> Result<RequiresReboot, Error> {
-    let undo_path = Path::new("/embassy-os")
-        .join(
-            logicalname
-                .as_ref()
-                .file_name()
-                .unwrap_or(OsStr::new("unknown")),
-        )
-        .with_extension("e2undo");
-    backup_existing_undo_file(&undo_path).await?;
-    e2fsck_runner(
-        Command::new("e2fsck").arg("-y").arg("-z").arg(undo_path),
-        logicalname,
-    )
-    .await
-}
-
-async fn e2fsck_runner(
-    e2fsck_cmd: &mut Command,
-    logicalname: impl AsRef<Path> + std::fmt::Debug,
-) -> Result<RequiresReboot, Error> {
-    let e2fsck_out = e2fsck_cmd.arg(logicalname.as_ref()).output().await?;
-    let e2fsck_stderr = String::from_utf8(e2fsck_out.stderr)?;
-    let code = e2fsck_out.status.code().ok_or_else(|| {
-        Error::new(
-            eyre!("e2fsck: process terminated by signal"),
-            crate::ErrorKind::DiskManagement,
-        )
-    })?;
-    if code & 4 != 0 {
-        tracing::error!(
-            "some filesystem errors NOT corrected on {}:\n{}",
-            logicalname.as_ref().display(),
-            e2fsck_stderr,
-        );
-    } else if code & 1 != 0 {
-        tracing::warn!(
-            "filesystem errors corrected on {}:\n{}",
-            logicalname.as_ref().display(),
-            e2fsck_stderr,
-        );
-    }
-    if code < 8 {
-        if code & 2 != 0 {
-            tracing::warn!("reboot required");
-            Ok(RequiresReboot(true))
-        } else {
-            Ok(RequiresReboot(false))
-        }
-    } else {
-        Err(Error::new(
-            eyre!("e2fsck: {}", e2fsck_stderr),
-            crate::ErrorKind::DiskManagement,
-        ))
-    }
-}
--- a/backend/src/disk/main.rs
+++ b/backend/src/disk/main.rs
@@ -1,298 +0,0 @@
-use std::collections::BTreeMap;
-use std::path::{Path, PathBuf};
-
-use color_eyre::eyre::eyre;
-use tokio::process::Command;
-use tracing::instrument;
-
-use super::fsck::{RepairStrategy, RequiresReboot};
-use super::util::pvscan;
-use crate::disk::mount::filesystem::block_dev::mount;
-use crate::disk::mount::filesystem::ReadWrite;
-use crate::disk::mount::util::unmount;
-use crate::util::Invoke;
-use crate::{Error, ResultExt};
-
-pub const PASSWORD_PATH: &'static str = "/etc/embassy/password";
-pub const DEFAULT_PASSWORD: &'static str = "password";
-pub const MAIN_FS_SIZE: FsSize = FsSize::Gigabytes(8);
-
-#[instrument(skip(disks, datadir, password))]
-pub async fn create<I, P>(
-    disks: &I,
-    pvscan: &BTreeMap<PathBuf, Option<String>>,
-    datadir: impl AsRef<Path>,
-    password: &str,
-) -> Result<String, Error>
-where
-    for<'a> &'a I: IntoIterator<Item = &'a P>,
-    P: AsRef<Path>,
-{
-    let guid = create_pool(disks, pvscan).await?;
-    create_all_fs(&guid, &datadir, password).await?;
-    export(&guid, datadir).await?;
-    Ok(guid)
-}
-
-#[instrument(skip(disks))]
-pub async fn create_pool<I, P>(
-    disks: &I,
-    pvscan: &BTreeMap<PathBuf, Option<String>>,
-) -> Result<String, Error>
-where
-    for<'a> &'a I: IntoIterator<Item = &'a P>,
-    P: AsRef<Path>,
-{
-    Command::new("dmsetup")
-        .arg("remove_all") // TODO: find a higher finesse way to do this for portability reasons
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    for disk in disks {
-        if pvscan.contains_key(disk.as_ref()) {
-            Command::new("pvremove")
-                .arg("-yff")
-                .arg(disk.as_ref())
-                .invoke(crate::ErrorKind::DiskManagement)
-                .await?;
-        }
-        tokio::fs::write(disk.as_ref(), &[0; 2048]).await?; // wipe partition table
-        Command::new("pvcreate")
-            .arg("-yff")
-            .arg(disk.as_ref())
-            .invoke(crate::ErrorKind::DiskManagement)
-            .await?;
-    }
-    let guid = format!(
-        "EMBASSY_{}",
-        base32::encode(
-            base32::Alphabet::RFC4648 { padding: false },
-            &rand::random::<[u8; 32]>(),
-        )
-    );
-    let mut cmd = Command::new("vgcreate");
-    cmd.arg("-y").arg(&guid);
-    for disk in disks {
-        cmd.arg(disk.as_ref());
-    }
-    cmd.invoke(crate::ErrorKind::DiskManagement).await?;
-    Ok(guid)
-}
-
-#[derive(Debug, Clone, Copy)]
-pub enum FsSize {
-    Gigabytes(usize),
-    FreePercentage(usize),
-}
-
-#[instrument(skip(datadir, password))]
-pub async fn create_fs<P: AsRef<Path>>(
-    guid: &str,
-    datadir: P,
-    name: &str,
-    size: FsSize,
-    password: &str,
-) -> Result<(), Error> {
-    tokio::fs::write(PASSWORD_PATH, password)
-        .await
-        .with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
-    let mut cmd = Command::new("lvcreate");
-    match size {
-        FsSize::Gigabytes(a) => cmd.arg("-L").arg(format!("{}G", a)),
-        FsSize::FreePercentage(a) => cmd.arg("-l").arg(format!("{}%FREE", a)),
-    };
-    cmd.arg("-y")
-        .arg("-n")
-        .arg(name)
-        .arg(guid)
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    Command::new("cryptsetup")
-        .arg("-q")
-        .arg("luksFormat")
-        .arg(format!("--key-file={}", PASSWORD_PATH))
-        .arg(format!("--keyfile-size={}", password.len()))
-        .arg(Path::new("/dev").join(guid).join(name))
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    Command::new("cryptsetup")
-        .arg("-q")
-        .arg("luksOpen")
-        .arg(format!("--key-file={}", PASSWORD_PATH))
-        .arg(format!("--keyfile-size={}", password.len()))
-        .arg(Path::new("/dev").join(guid).join(name))
-        .arg(format!("{}_{}", guid, name))
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    Command::new("mkfs.ext4")
-        .arg(Path::new("/dev/mapper").join(format!("{}_{}", guid, name)))
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    mount(
-        Path::new("/dev/mapper").join(format!("{}_{}", guid, name)),
-        datadir.as_ref().join(name),
-        ReadWrite,
-    )
-    .await?;
-    tokio::fs::remove_file(PASSWORD_PATH)
-        .await
-        .with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
-    Ok(())
-}
-
-#[instrument(skip(datadir, password))]
-pub async fn create_all_fs<P: AsRef<Path>>(
-    guid: &str,
-    datadir: P,
-    password: &str,
-) -> Result<(), Error> {
-    create_fs(guid, &datadir, "main", MAIN_FS_SIZE, password).await?;
-    create_fs(
-        guid,
-        &datadir,
-        "package-data",
-        FsSize::FreePercentage(100),
-        password,
-    )
-    .await?;
-    Ok(())
-}
-
-#[instrument(skip(datadir))]
-pub async fn unmount_fs<P: AsRef<Path>>(guid: &str, datadir: P, name: &str) -> Result<(), Error> {
-    unmount(datadir.as_ref().join(name)).await?;
-    Command::new("cryptsetup")
-        .arg("-q")
-        .arg("luksClose")
-        .arg(format!("{}_{}", guid, name))
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-
-    Ok(())
-}
-
-#[instrument(skip(datadir))]
-pub async fn unmount_all_fs<P: AsRef<Path>>(guid: &str, datadir: P) -> Result<(), Error> {
-    unmount_fs(guid, &datadir, "main").await?;
-    unmount_fs(guid, &datadir, "package-data").await?;
-    Command::new("dmsetup")
-        .arg("remove_all") // TODO: find a higher finesse way to do this for portability reasons
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    Ok(())
-}
-
-#[instrument(skip(datadir))]
-pub async fn export<P: AsRef<Path>>(guid: &str, datadir: P) -> Result<(), Error> {
-    unmount_all_fs(guid, datadir).await?;
-    Command::new("vgchange")
-        .arg("-an")
-        .arg(guid)
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    Command::new("vgexport")
-        .arg(guid)
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    Ok(())
-}
-
-#[instrument(skip(datadir, password))]
-pub async fn import<P: AsRef<Path>>(
-    guid: &str,
-    datadir: P,
-    repair: RepairStrategy,
-    password: &str,
-) -> Result<RequiresReboot, Error> {
-    let scan = pvscan().await?;
-    if scan
-        .values()
-        .filter_map(|a| a.as_ref())
-        .filter(|a| a.starts_with("EMBASSY_"))
-        .next()
-        .is_none()
-    {
-        return Err(Error::new(
-            eyre!("Embassy disk not found."),
-            crate::ErrorKind::DiskNotAvailable,
-        ));
-    }
-    if !scan
-        .values()
-        .filter_map(|a| a.as_ref())
-        .any(|id| id == guid)
-    {
-        return Err(Error::new(
-            eyre!("An Embassy disk was found, but it is not the correct disk for this device."),
-            crate::ErrorKind::IncorrectDisk,
-        ));
-    }
-    Command::new("dmsetup")
-        .arg("remove_all") // TODO: find a higher finesse way to do this for portability reasons
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    match Command::new("vgimport")
-        .arg(guid)
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await
-    {
-        Ok(_) => Ok(()),
-        Err(e)
-            if format!("{}", e.source)
-                .lines()
-                .any(|l| l.trim() == format!("Volume group \"{}\" is not exported", guid)) =>
-        {
-            Ok(())
-        }
-        Err(e) => Err(e),
-    }?;
-    Command::new("vgchange")
-        .arg("-ay")
-        .arg(guid)
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    mount_all_fs(guid, datadir, repair, password).await
-}
-
-#[instrument(skip(datadir, password))]
-pub async fn mount_fs<P: AsRef<Path>>(
-    guid: &str,
-    datadir: P,
-    name: &str,
-    repair: RepairStrategy,
-    password: &str,
-) -> Result<RequiresReboot, Error> {
-    tokio::fs::write(PASSWORD_PATH, password)
-        .await
-        .with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
-    Command::new("cryptsetup")
-        .arg("-q")
-        .arg("luksOpen")
-        .arg(format!("--key-file={}", PASSWORD_PATH))
-        .arg(format!("--keyfile-size={}", password.len()))
-        .arg(Path::new("/dev").join(guid).join(name))
-        .arg(format!("{}_{}", guid, name))
-        .invoke(crate::ErrorKind::DiskManagement)
-        .await?;
-    let mapper_path = Path::new("/dev/mapper").join(format!("{}_{}", guid, name));
-    let reboot = repair.e2fsck(&mapper_path).await?;
-    mount(&mapper_path, datadir.as_ref().join(name), ReadWrite).await?;
-
-    tokio::fs::remove_file(PASSWORD_PATH)
-        .await
-        .with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
-
-    Ok(reboot)
-}
-
-#[instrument(skip(datadir, password))]
-pub async fn mount_all_fs<P: AsRef<Path>>(
-    guid: &str,
-    datadir: P,
-    repair: RepairStrategy,
-    password: &str,
-) -> Result<RequiresReboot, Error> {
-    let mut reboot = RequiresReboot(false);
-    reboot |= mount_fs(guid, &datadir, "main", repair, password).await?;
-    reboot |= mount_fs(guid, &datadir, "package-data", repair, password).await?;
-    Ok(reboot)
-}
--- a/backend/src/disk/mod.rs
+++ b/backend/src/disk/mod.rs
@@ -1,90 +0,0 @@
-use clap::ArgMatches;
-use rpc_toolkit::command;
-
-use self::util::DiskListResponse;
-use crate::util::display_none;
-use crate::util::serde::{display_serializable, IoFormat};
-use crate::Error;
-
-pub mod fsck;
-pub mod main;
-pub mod mount;
-pub mod quirks;
-pub mod util;
-
-pub const BOOT_RW_PATH: &str = "/media/boot-rw";
-pub const REPAIR_DISK_PATH: &str = "/embassy-os/repair-disk";
-
-#[command(subcommands(list, repair))]
-pub fn disk() -> Result<(), Error> {
-    Ok(())
-}
-
-fn display_disk_info(info: DiskListResponse, matches: &ArgMatches<'_>) {
-    use prettytable::*;
-
-    if matches.is_present("format") {
-        return display_serializable(info, matches);
-    }
-
-    let mut table = Table::new();
-    table.add_row(row![bc =>
-        "LOGICALNAME",
-        "LABEL",
-        "CAPACITY",
-        "USED",
-        "EMBASSY OS VERSION"
-    ]);
-    for disk in info.disks {
-        let row = row![
-            disk.logicalname.display(),
-            "N/A",
-            &format!("{:.2} GiB", disk.capacity as f64 / 1024.0 / 1024.0 / 1024.0),
-            "N/A",
-            "N/A",
-        ];
-        table.add_row(row);
-        for part in disk.partitions {
-            let row = row![
-                part.logicalname.display(),
-                if let Some(label) = part.label.as_ref() {
-                    label
-                } else {
-                    "N/A"
-                },
-                part.capacity,
-                if let Some(used) = part
-                    .used
-                    .map(|u| format!("{:.2} GiB", u as f64 / 1024.0 / 1024.0 / 1024.0))
-                    .as_ref()
-                {
-                    used
-                } else {
-                    "N/A"
-                },
-                if let Some(eos) = part.embassy_os.as_ref() {
-                    eos.version.as_str()
-                } else {
-                    "N/A"
-                },
-            ];
-            table.add_row(row);
-        }
-    }
-    table.print_tty(false);
-}
-
-#[command(display(display_disk_info))]
-pub async fn list(
-    #[allow(unused_variables)]
-    #[arg]
-    format: Option<IoFormat>,
-) -> Result<DiskListResponse, Error> {
-    crate::disk::util::list().await
-}
-
-#[command(display(display_none))]
-pub async fn repair() -> Result<(), Error> {
-    tokio::fs::write(REPAIR_DISK_PATH, b"").await?;
-    Ok(())
-}
--- a/backend/src/disk/mount/backup.rs
+++ b/backend/src/disk/mount/backup.rs
@@ -1,257 +0,0 @@
-use std::path::{Path, PathBuf};
-
-use color_eyre::eyre::eyre;
-use tokio::io::AsyncWriteExt;
-use tracing::instrument;
-
-use super::filesystem::ecryptfs::EcryptFS;
-use super::guard::{GenericMountGuard, TmpMountGuard};
-use super::util::{bind, unmount};
-use crate::auth::check_password;
-use crate::backup::target::BackupInfo;
-use crate::disk::mount::filesystem::ReadWrite;
-use crate::disk::util::EmbassyOsRecoveryInfo;
-use crate::middleware::encrypt::{decrypt_slice, encrypt_slice};
-use crate::s9pk::manifest::PackageId;
-use crate::util::serde::IoFormat;
-use crate::util::{AtomicFile, FileLock};
-use crate::volume::BACKUP_DIR;
-use crate::{Error, ResultExt};
-
-pub struct BackupMountGuard<G: GenericMountGuard> {
-    backup_disk_mount_guard: Option<G>,
-    encrypted_guard: Option<TmpMountGuard>,
-    enc_key: String,
-    pub unencrypted_metadata: EmbassyOsRecoveryInfo,
-    pub metadata: BackupInfo,
-}
-impl<G: GenericMountGuard> BackupMountGuard<G> {
-    fn backup_disk_path(&self) -> &Path {
-        if let Some(guard) = &self.backup_disk_mount_guard {
-            guard.as_ref()
-        } else {
-            unreachable!()
-        }
-    }
-
-    #[instrument(skip(password))]
-    pub async fn mount(backup_disk_mount_guard: G, password: &str) -> Result<Self, Error> {
-        let backup_disk_path = backup_disk_mount_guard.as_ref();
-        let unencrypted_metadata_path =
-            backup_disk_path.join("EmbassyBackups/unencrypted-metadata.cbor");
-        let mut unencrypted_metadata: EmbassyOsRecoveryInfo =
-            if tokio::fs::metadata(&unencrypted_metadata_path)
-                .await
-                .is_ok()
-            {
-                IoFormat::Cbor.from_slice(
-                    &tokio::fs::read(&unencrypted_metadata_path)
-                        .await
-                        .with_ctx(|_| {
-                            (
-                                crate::ErrorKind::Filesystem,
-                                unencrypted_metadata_path.display().to_string(),
-                            )
-                        })?,
-                )?
-            } else {
-                Default::default()
-            };
-        let enc_key = if let (Some(hash), Some(wrapped_key)) = (
-            unencrypted_metadata.password_hash.as_ref(),
-            unencrypted_metadata.wrapped_key.as_ref(),
-        ) {
-            let wrapped_key =
-                base32::decode(base32::Alphabet::RFC4648 { padding: true }, wrapped_key)
-                    .ok_or_else(|| {
-                        Error::new(
-                            eyre!("failed to decode wrapped key"),
-                            crate::ErrorKind::Backup,
-                        )
-                    })?;
-            check_password(hash, password)?;
-            String::from_utf8(decrypt_slice(wrapped_key, password))?
-        } else {
-            base32::encode(
-                base32::Alphabet::RFC4648 { padding: false },
-                &rand::random::<[u8; 32]>()[..],
-            )
-        };
-
-        if unencrypted_metadata.password_hash.is_none() {
-            unencrypted_metadata.password_hash = Some(
-                argon2::hash_encoded(
-                    password.as_bytes(),
-                    &rand::random::<[u8; 16]>()[..],
-                    &argon2::Config::default(),
-                )
-                .with_kind(crate::ErrorKind::PasswordHashGeneration)?,
-            );
-        }
-        if unencrypted_metadata.wrapped_key.is_none() {
-            unencrypted_metadata.wrapped_key = Some(base32::encode(
-                base32::Alphabet::RFC4648 { padding: true },
-                &encrypt_slice(&enc_key, password),
-            ));
-        }
-
-        let crypt_path = backup_disk_path.join("EmbassyBackups/crypt");
-        if tokio::fs::metadata(&crypt_path).await.is_err() {
-            tokio::fs::create_dir_all(&crypt_path).await.with_ctx(|_| {
-                (
-                    crate::ErrorKind::Filesystem,
-                    crypt_path.display().to_string(),
-                )
-            })?;
-        }
-        let encrypted_guard =
-            TmpMountGuard::mount(&EcryptFS::new(&crypt_path, &enc_key), ReadWrite).await?;
-
-        let metadata_path = encrypted_guard.as_ref().join("metadata.cbor");
-        let metadata: BackupInfo = if tokio::fs::metadata(&metadata_path).await.is_ok() {
-            IoFormat::Cbor.from_slice(&tokio::fs::read(&metadata_path).await.with_ctx(|_| {
-                (
-                    crate::ErrorKind::Filesystem,
-                    metadata_path.display().to_string(),
-                )
-            })?)?
-        } else {
-            Default::default()
-        };
-
-        Ok(Self {
-            backup_disk_mount_guard: Some(backup_disk_mount_guard),
-            encrypted_guard: Some(encrypted_guard),
-            enc_key,
-            unencrypted_metadata,
-            metadata,
-        })
-    }
-
-    pub fn change_password(&mut self, new_password: &str) -> Result<(), Error> {
-        self.unencrypted_metadata.password_hash = Some(
-            argon2::hash_encoded(
-                new_password.as_bytes(),
-                &rand::random::<[u8; 16]>()[..],
-                &argon2::Config::default(),
-            )
-            .with_kind(crate::ErrorKind::PasswordHashGeneration)?,
-        );
-        self.unencrypted_metadata.wrapped_key = Some(base32::encode(
-            base32::Alphabet::RFC4648 { padding: false },
-            &encrypt_slice(&self.enc_key, new_password),
-        ));
-        Ok(())
-    }
-
-    #[instrument(skip(self))]
-    pub async fn mount_package_backup(
-        &self,
-        id: &PackageId,
-    ) -> Result<PackageBackupMountGuard, Error> {
-        let lock = FileLock::new(Path::new(BACKUP_DIR).join(format!("{}.lock", id)), false).await?;
-        let mountpoint = Path::new(BACKUP_DIR).join(id);
-        bind(self.as_ref().join(id), &mountpoint, false).await?;
-        Ok(PackageBackupMountGuard {
-            mountpoint: Some(mountpoint),
-            lock: Some(lock),
-        })
-    }
-
-    #[instrument(skip(self))]
-    pub async fn save(&self) -> Result<(), Error> {
-        let metadata_path = self.as_ref().join("metadata.cbor");
-        let backup_disk_path = self.backup_disk_path();
-        let mut file = AtomicFile::new(&metadata_path).await?;
-        file.write_all(&IoFormat::Cbor.to_vec(&self.metadata)?)
-            .await?;
-        file.save().await?;
-        let unencrypted_metadata_path =
-            backup_disk_path.join("EmbassyBackups/unencrypted-metadata.cbor");
-        let mut file = AtomicFile::new(&unencrypted_metadata_path).await?;
-        file.write_all(&IoFormat::Cbor.to_vec(&self.unencrypted_metadata)?)
-            .await?;
-        file.save().await?;
-        Ok(())
-    }
-
-    #[instrument(skip(self))]
-    pub async fn unmount(mut self) -> Result<(), Error> {
-        if let Some(guard) = self.encrypted_guard.take() {
-            guard.unmount().await?;
-        }
-        if let Some(guard) = self.backup_disk_mount_guard.take() {
-            guard.unmount().await?;
-        }
-        Ok(())
-    }
-
-    #[instrument(skip(self))]
-    pub async fn save_and_unmount(self) -> Result<(), Error> {
-        self.save().await?;
-        self.unmount().await?;
-        Ok(())
-    }
-}
-impl<G: GenericMountGuard> AsRef<Path> for BackupMountGuard<G> {
-    fn as_ref(&self) -> &Path {
-        if let Some(guard) = &self.encrypted_guard {
-            guard.as_ref()
-        } else {
-            unreachable!()
-        }
-    }
-}
-impl<G: GenericMountGuard> Drop for BackupMountGuard<G> {
-    fn drop(&mut self) {
-        let first = self.encrypted_guard.take();
-        let second = self.backup_disk_mount_guard.take();
-        tokio::spawn(async move {
-            if let Some(guard) = first {
-                guard.unmount().await.unwrap();
-            }
-            if let Some(guard) = second {
-                guard.unmount().await.unwrap();
-            }
-        });
-    }
-}
-
-pub struct PackageBackupMountGuard {
-    mountpoint: Option<PathBuf>,
-    lock: Option<FileLock>,
-}
-impl PackageBackupMountGuard {
-    pub async fn unmount(mut self) -> Result<(), Error> {
-        if let Some(mountpoint) = self.mountpoint.take() {
-            unmount(&mountpoint).await?;
-        }
-        if let Some(lock) = self.lock.take() {
-            lock.unlock().await?;
-        }
-        Ok(())
-    }
-}
-impl AsRef<Path> for PackageBackupMountGuard {
-    fn as_ref(&self) -> &Path {
-        if let Some(mountpoint) = &self.mountpoint {
-            mountpoint
-        } else {
-            unreachable!()
-        }
-    }
-}
-impl Drop for PackageBackupMountGuard {
-    fn drop(&mut self) {
-        let mountpoint = self.mountpoint.take();
-        let lock = self.lock.take();
-        tokio::spawn(async move {
-            if let Some(mountpoint) = mountpoint {
-                unmount(&mountpoint).await.unwrap();
-            }
-            if let Some(lock) = lock {
-                lock.unlock().await.unwrap();
-            }
-        });
-    }
-}
--- a/backend/src/disk/mount/filesystem/block_dev.rs
+++ b/backend/src/disk/mount/filesystem/block_dev.rs
@@ -1,67 +0,0 @@
-use std::os::unix::ffi::OsStrExt;
-use std::path::Path;
-
-use async_trait::async_trait;
-use digest::generic_array::GenericArray;
-use digest::{Digest, OutputSizeUser};
-use serde::{Deserialize, Serialize};
-use sha2::Sha256;
-
-use super::{FileSystem, MountType, ReadOnly};
-use crate::util::Invoke;
-use crate::{Error, ResultExt};
-
-pub async fn mount(
-    logicalname: impl AsRef<Path>,
-    mountpoint: impl AsRef<Path>,
-    mount_type: MountType,
-) -> Result<(), Error> {
-    tokio::fs::create_dir_all(mountpoint.as_ref()).await?;
-    let mut cmd = tokio::process::Command::new("mount");
-    cmd.arg(logicalname.as_ref()).arg(mountpoint.as_ref());
-    if mount_type == ReadOnly {
-        cmd.arg("-o").arg("ro");
-    }
-    cmd.invoke(crate::ErrorKind::Filesystem).await?;
-    Ok(())
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct BlockDev<LogicalName: AsRef<Path>> {
-    logicalname: LogicalName,
-}
-impl<LogicalName: AsRef<Path>> BlockDev<LogicalName> {
-    pub fn new(logicalname: LogicalName) -> Self {
-        BlockDev { logicalname }
-    }
-}
-#[async_trait]
-impl<LogicalName: AsRef<Path> + Send + Sync> FileSystem for BlockDev<LogicalName> {
-    async fn mount<P: AsRef<Path> + Send + Sync>(
-        &self,
-        mountpoint: P,
-        mount_type: MountType,
-    ) -> Result<(), Error> {
-        mount(self.logicalname.as_ref(), mountpoint, mount_type).await
-    }
-    async fn source_hash(
-        &self,
-    ) -> Result<GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>, Error> {
-        let mut sha = Sha256::new();
-        sha.update("BlockDev");
-        sha.update(
-            tokio::fs::canonicalize(self.logicalname.as_ref())
-                .await
-                .with_ctx(|_| {
-                    (
-                        crate::ErrorKind::Filesystem,
-                        self.logicalname.as_ref().display().to_string(),
-                    )
-                })?
-                .as_os_str()
-                .as_bytes(),
-        );
-        Ok(sha.finalize())
-    }
-}
--- a/backend/src/disk/mount/filesystem/cifs.rs
+++ b/backend/src/disk/mount/filesystem/cifs.rs
@@ -1,105 +0,0 @@
-use std::net::IpAddr;
-use std::os::unix::ffi::OsStrExt;
-use std::path::{Path, PathBuf};
-
-use async_trait::async_trait;
-use digest::generic_array::GenericArray;
-use digest::{Digest, OutputSizeUser};
-use serde::{Deserialize, Serialize};
-use sha2::Sha256;
-use tokio::process::Command;
-use tracing::instrument;
-
-use super::{FileSystem, MountType, ReadOnly};
-use crate::disk::mount::guard::TmpMountGuard;
-use crate::util::Invoke;
-use crate::Error;
-
-async fn resolve_hostname(hostname: &str) -> Result<IpAddr, Error> {
-    #[cfg(feature = "avahi")]
-    if hostname.ends_with(".local") {
-        return Ok(IpAddr::V4(crate::net::mdns::resolve_mdns(hostname).await?));
-    }
-    Ok(String::from_utf8(
-        Command::new("nmblookup")
-            .arg(hostname)
-            .invoke(crate::ErrorKind::Network)
-            .await?,
-    )?
-    .split(" ")
-    .next()
-    .unwrap()
-    .trim()
-    .parse()?)
-}
-
-#[instrument(skip(path, password, mountpoint))]
-pub async fn mount_cifs(
-    hostname: &str,
-    path: impl AsRef<Path>,
-    username: &str,
-    password: Option<&str>,
-    mountpoint: impl AsRef<Path>,
-    mount_type: MountType,
-) -> Result<(), Error> {
-    tokio::fs::create_dir_all(mountpoint.as_ref()).await?;
-    let ip: IpAddr = resolve_hostname(hostname).await?;
-    let absolute_path = Path::new("/").join(path.as_ref());
-    let mut cmd = Command::new("mount");
-    cmd.arg("-t")
-        .arg("cifs")
-        .env("USER", username)
-        .env("PASSWD", password.unwrap_or_default())
-        .arg(format!("//{}{}", ip, absolute_path.display()))
-        .arg(mountpoint.as_ref());
-    if mount_type == ReadOnly {
-        cmd.arg("-o").arg("ro,noserverino");
-    } else {
-        cmd.arg("-o").arg("noserverino");
-    }
-    cmd.invoke(crate::ErrorKind::Filesystem).await?;
-    Ok(())
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct Cifs {
-    pub hostname: String,
-    pub path: PathBuf,
-    pub username: String,
-    pub password: Option<String>,
-}
-impl Cifs {
-    pub async fn mountable(&self) -> Result<(), Error> {
-        let guard = TmpMountGuard::mount(self, ReadOnly).await?;
-        guard.unmount().await?;
-        Ok(())
-    }
-}
-#[async_trait]
-impl FileSystem for Cifs {
-    async fn mount<P: AsRef<std::path::Path> + Send + Sync>(
-        &self,
-        mountpoint: P,
-        mount_type: MountType,
-    ) -> Result<(), Error> {
-        mount_cifs(
-            &self.hostname,
-            &self.path,
-            &self.username,
-            self.password.as_ref().map(|p| p.as_str()),
-            mountpoint,
-            mount_type,
-        )
-        .await
-    }
-    async fn source_hash(
-        &self,
-    ) -> Result<GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>, Error> {
-        let mut sha = Sha256::new();
-        sha.update("Cifs");
-        sha.update(self.hostname.as_bytes());
-        sha.update(self.path.as_os_str().as_bytes());
-        Ok(sha.finalize())
-    }
-}
--- a/backend/src/disk/mount/filesystem/ecryptfs.rs
+++ b/backend/src/disk/mount/filesystem/ecryptfs.rs
@@ -1,85 +0,0 @@
-use std::os::unix::ffi::OsStrExt;
-use std::path::Path;
-
-use async_trait::async_trait;
-use color_eyre::eyre::eyre;
-use digest::generic_array::GenericArray;
-use digest::{Digest, OutputSizeUser};
-use sha2::Sha256;
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-
-use super::{FileSystem, MountType};
-use crate::{Error, ResultExt};
-
-pub async fn mount_ecryptfs<P0: AsRef<Path>, P1: AsRef<Path>>(
-    src: P0,
-    dst: P1,
-    key: &str,
-) -> Result<(), Error> {
-    tokio::fs::create_dir_all(dst.as_ref()).await?;
-    let mut ecryptfs = tokio::process::Command::new("mount")
-        .arg("-t")
-        .arg("ecryptfs")
-        .arg(src.as_ref())
-        .arg(dst.as_ref())
-        .arg("-o")
-        // for more information `man ecryptfs` 
-        .arg(format!("key=passphrase:passphrase_passwd={},ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache", key))
-        .stdin(std::process::Stdio::piped())
-        .stderr(std::process::Stdio::piped())
-        .spawn()?;
-    let mut stdin = ecryptfs.stdin.take().unwrap();
-    let mut stderr = ecryptfs.stderr.take().unwrap();
-    stdin.write_all(b"\n").await?;
-    stdin.flush().await?;
-    stdin.shutdown().await?;
-    drop(stdin);
-    let mut err = String::new();
-    stderr.read_to_string(&mut err).await?;
-    if !ecryptfs.wait().await?.success() {
-        Err(Error::new(eyre!("{}", err), crate::ErrorKind::Filesystem))
-    } else {
-        Ok(())
-    }
-}
-
-pub struct EcryptFS<EncryptedDir: AsRef<Path>, Key: AsRef<str>> {
-    encrypted_dir: EncryptedDir,
-    key: Key,
-}
-impl<EncryptedDir: AsRef<Path>, Key: AsRef<str>> EcryptFS<EncryptedDir, Key> {
-    pub fn new(encrypted_dir: EncryptedDir, key: Key) -> Self {
-        EcryptFS { encrypted_dir, key }
-    }
-}
-#[async_trait]
-impl<EncryptedDir: AsRef<Path> + Send + Sync, Key: AsRef<str> + Send + Sync> FileSystem
-    for EcryptFS<EncryptedDir, Key>
-{
-    async fn mount<P: AsRef<Path> + Send + Sync>(
-        &self,
-        mountpoint: P,
-        _mount_type: MountType, // ignored - inherited from parent fs
-    ) -> Result<(), Error> {
-        mount_ecryptfs(self.encrypted_dir.as_ref(), mountpoint, self.key.as_ref()).await
-    }
-    async fn source_hash(
-        &self,
-    ) -> Result<GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>, Error> {
-        let mut sha = Sha256::new();
-        sha.update("EcryptFS");
-        sha.update(
-            tokio::fs::canonicalize(self.encrypted_dir.as_ref())
-                .await
-                .with_ctx(|_| {
-                    (
-                        crate::ErrorKind::Filesystem,
-                        self.encrypted_dir.as_ref().display().to_string(),
-                    )
-                })?
-                .as_os_str()
-                .as_bytes(),
-        );
-        Ok(sha.finalize())
-    }
-}
--- a/backend/src/disk/mount/filesystem/label.rs
+++ b/backend/src/disk/mount/filesystem/label.rs
@@ -1,52 +0,0 @@
-use std::path::Path;
-
-use async_trait::async_trait;
-use digest::generic_array::GenericArray;
-use digest::{Digest, OutputSizeUser};
-use sha2::Sha256;
-
-use super::{FileSystem, MountType, ReadOnly};
-use crate::util::Invoke;
-use crate::Error;
-
-pub async fn mount_label(
-    label: &str,
-    mountpoint: impl AsRef<Path>,
-    mount_type: MountType,
-) -> Result<(), Error> {
-    tokio::fs::create_dir_all(mountpoint.as_ref()).await?;
-    let mut cmd = tokio::process::Command::new("mount");
-    cmd.arg("-L").arg(label).arg(mountpoint.as_ref());
-    if mount_type == ReadOnly {
-        cmd.arg("-o").arg("ro");
-    }
-    cmd.invoke(crate::ErrorKind::Filesystem).await?;
-    Ok(())
-}
-
-pub struct Label<S: AsRef<str>> {
-    label: S,
-}
-impl<S: AsRef<str>> Label<S> {
-    pub fn new(label: S) -> Self {
-        Label { label }
-    }
-}
-#[async_trait]
-impl<S: AsRef<str> + Send + Sync> FileSystem for Label<S> {
-    async fn mount<P: AsRef<Path> + Send + Sync>(
-        &self,
-        mountpoint: P,
-        mount_type: MountType,
-    ) -> Result<(), Error> {
-        mount_label(self.label.as_ref(), mountpoint, mount_type).await
-    }
-    async fn source_hash(
-        &self,
-    ) -> Result<GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>, Error> {
-        let mut sha = Sha256::new();
-        sha.update("Label");
-        sha.update(self.label.as_ref().as_bytes());
-        Ok(sha.finalize())
-    }
-}
--- a/Show More
+++ b/Show More