only when version higher and show after login (#2217 )

* only when version higher and show after login * unused import
fix caching (#2216 )
2026-03-27 02:41:53 +00:00 · 2023-03-14 11:24:54 -06:00 · 2023-03-13 17:25:10 -06:00 · 2023-03-13 17:24:59 -06:00 · 2023-03-13 15:45:36 -06:00 · 2023-03-13 15:29:39 -06:00
650 changed files with 33629 additions and 13203 deletions
--- a/.github/workflows/backend.yaml
+++ b/.github/workflows/backend.yaml
@@ -5,7 +5,8 @@ on:
  workflow_dispatch:

 env:
-  RUST_VERSION: "1.62.1"
+  RUST_VERSION: "1.67.1"
+  ENVIRONMENT: "dev"

 jobs:
  build_libs:
@@ -31,17 +32,18 @@ jobs:
        submodules: recursive
        
    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
+      uses: docker/setup-qemu-action@v2
      if: ${{ matrix.target == 'aarch64' }}
      
    - name: Set up Docker Buildx        
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2
      if: ${{ matrix.target == 'aarch64' }}

-    - uses: actions-rs/toolchain@v1
-      with:
-        toolchain: ${{ env.RUST_VERSION }}
-        override: true
+    - name: "Install Rust"
+      run: |
+        rustup toolchain install ${{ env.RUST_VERSION }} --profile minimal --no-self-update
+        rustup default ${{ inputs.rust }}
+      shell: bash
      if: ${{ matrix.target == 'x86_64' }}
    
    - uses: actions/cache@v3
@@ -88,10 +90,11 @@ jobs:
        name: ${{ matrix.snapshot_download }}
        path: libs/js_engine/src/artifacts/
        
-    - uses: actions-rs/toolchain@v1
-      with:
-        toolchain: ${{ env.RUST_VERSION }}
-        override: true
+    - name: "Install Rust"
+      run: |
+        rustup toolchain install ${{ env.RUST_VERSION }} --profile minimal --no-self-update
+        rustup default ${{ inputs.rust }}
+      shell: bash
      if: ${{ matrix.target == 'x86_64' }}
    
    - uses: actions/cache@v3
@@ -105,7 +108,9 @@ jobs:
        key: ${{ runner.os }}-cargo-backend-${{ matrix.target }}-${{ hashFiles('backend/Cargo.lock') }}

    - name: Install dependencies
-      run: sudo apt-get install libavahi-client-dev
+      run: |
+        sudo apt-get update
+        sudo apt-get install libavahi-client-dev
      if: ${{ matrix.target == 'x86_64' }}

    - name: Check Git Hash
@@ -115,22 +120,7 @@ jobs:
      run: ./check-environment.sh

    - name: Build backend
-      run: cargo build --release --target x86_64-unknown-linux-gnu --locked
-      working-directory: backend
-      if: ${{ matrix.target == 'x86_64' }}
-
-    - name: Build backend
-      run: |
-        docker run --rm \
-        -v "/home/runner/.cargo/registry":/root/.cargo/registry \
-        -v "$(pwd)":/home/rust/src \
-        -P start9/rust-arm-cross:aarch64 \
-        sh -c 'cd /home/rust/src/backend &&
-          rustup install ${{ env.RUST_VERSION }} &&
-          rustup override set ${{ env.RUST_VERSION }} &&
-          rustup target add aarch64-unknown-linux-gnu &&
-          cargo build --release --target ${{ matrix.target }}-unknown-linux-gnu --locked'
-      if: ${{ matrix.target == 'aarch64' }}
+      run: make ARCH=${{ matrix.target }} backend

    - name: 'Tar files to preserve file permissions'
      run: make ARCH=${{ matrix.target }} backend-${{ matrix.target }}.tar
@@ -193,18 +183,20 @@ jobs:
        submodules: recursive

    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
+      uses: docker/setup-qemu-action@v2
      if: ${{ matrix.target == 'aarch64' }}

    - name: Set up Docker Buildx        
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2
      if: ${{ matrix.target == 'aarch64' }}

    - run: mkdir -p ~/.cargo/bin
      if: ${{ matrix.target == 'x86_64' }}

    - name: Install nextest
-      uses: taiki-e/install-action@nextest
+      uses: taiki-e/install-action@v2
+      with:
+        tool: nextest@0.9.47
      if: ${{ matrix.target == 'x86_64' }}

    - name: Download archive
@@ -213,7 +205,7 @@ jobs:
        name: nextest-archive-${{ matrix.target }}

    - name: Download nextest (aarch64)
-      run: wget -O nextest-aarch64.tar.gz https://get.nexte.st/latest/linux-arm
+      run: wget -O nextest-aarch64.tar.gz https://get.nexte.st/0.9.47/linux-arm
      if: ${{ matrix.target == 'aarch64' }}

    - name: Run tests
@@ -230,8 +222,9 @@ jobs:
        -e CARGO_TERM_COLOR=${{ env.CARGO_TERM_COLOR }} \
        -P ubuntu:20.04 \
        sh -c '
-          apt update &&
-          apt install -y ca-certificates &&
+          apt-get update &&
+          apt-get install -y ca-certificates &&
+          apt-get install -y rsync &&
          cd /home/rust/src &&
          mkdir -p ~/.cargo/bin &&
          tar -zxvf nextest-aarch64.tar.gz -C ${CARGO_HOME:-~/.cargo}/bin &&
--- a/.github/workflows/debian.yaml
+++ b/.github/workflows/debian.yaml
@@ -0,0 +1,63 @@
+name: Debian Package
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+env:
+  NODEJS_VERSION: '16.11.0'
+  ENVIRONMENT: "dev"
+
+jobs:
+  dpkg:
+    name: Build dpkg
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        repository: Start9Labs/embassy-os-deb
+
+    - uses: actions/checkout@v3
+      with:
+        submodules: recursive
+        path: embassyos-0.3.x
+    - run: |
+        cp -r debian embassyos-0.3.x/
+        VERSION=0.3.x ./control.sh
+        cp embassyos-0.3.x/backend/embassyd.service embassyos-0.3.x/debian/embassyos.embassyd.service
+        cp embassyos-0.3.x/backend/embassy-init.service embassyos-0.3.x/debian/embassyos.embassy-init.service
+    
+    - uses: actions/setup-node@v3
+      with:
+        node-version: ${{ env.NODEJS_VERSION }}
+    
+    - name: Get npm cache directory
+      id: npm-cache-dir
+      run: |
+        echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
+    - uses: actions/cache@v3
+      id: npm-cache
+      with:
+        path: ${{ steps.npm-cache-dir.outputs.dir }}
+        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install debmake debhelper-compat
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v2
+      
+    - name: Set up Docker Buildx        
+      uses: docker/setup-buildx-action@v2
+
+    - name: Run build
+      run: "make VERSION=0.3.x TAG=${{ github.ref_name }}"
+
+    - uses: actions/upload-artifact@v3
+      with:
+        name: deb
+        path: embassyos_0.3.x-1_amd64.deb
--- a/.github/workflows/frontend.yaml
+++ b/.github/workflows/frontend.yaml
@@ -5,7 +5,8 @@ on:
  workflow_dispatch:

 env:
-  NODEJS_VERSION: '16'
+  NODEJS_VERSION: '16.11.0'
+  ENVIRONMENT: "dev"

 jobs:
  frontend:
@@ -24,7 +25,7 @@ jobs:
    - name: Get npm cache directory
      id: npm-cache-dir
      run: |
-        echo "::set-output name=dir::$(npm config get cache)"
+        echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
    - uses: actions/cache@v3
      id: npm-cache
      with:
@@ -37,7 +38,7 @@ jobs:
      run: make frontends

    - name: 'Tar files to preserve file permissions'
-      run: tar -cvf frontend.tar ENVIRONMENT.txt GIT_HASH.txt frontend/dist frontend/config.json
+      run: tar -cvf frontend.tar ENVIRONMENT.txt GIT_HASH.txt VERSION.txt frontend/dist frontend/config.json

    - uses: actions/upload-artifact@v3
      with:
--- a/.github/workflows/product.yaml
+++ b/.github/workflows/product.yaml
@@ -11,34 +11,30 @@ on:
    - master
    - next

+env:
+  ENVIRONMENT: "dev"
+
 jobs:
  compat:
    uses: ./.github/workflows/reusable-workflow.yaml
    with:
-      build_command: make system-images/compat/compat.tar
+      build_command: make system-images/compat/docker-images/aarch64.tar
      artifact_name: compat.tar
-      artifact_path: system-images/compat/compat.tar
+      artifact_path: system-images/compat/docker-images/aarch64.tar

  utils:
    uses: ./.github/workflows/reusable-workflow.yaml
    with:
-      build_command: make system-images/utils/utils.tar
+      build_command: make system-images/utils/docker-images/aarch64.tar
      artifact_name: utils.tar
-      artifact_path: system-images/utils/utils.tar
+      artifact_path: system-images/utils/docker-images/aarch64.tar

  binfmt:
    uses: ./.github/workflows/reusable-workflow.yaml
    with:
-      build_command: make system-images/binfmt/binfmt.tar
+      build_command: make system-images/binfmt/docker-images/aarch64.tar
      artifact_name: binfmt.tar
-      artifact_path: system-images/binfmt/binfmt.tar
-
-  nc-broadcast:
-    uses: ./.github/workflows/reusable-workflow.yaml
-    with:
-      build_command: make cargo-deps/aarch64-unknown-linux-gnu/release/nc-broadcast
-      artifact_name: nc-broadcast.tar
-      artifact_path: cargo-deps/aarch64-unknown-linux-gnu/release/nc-broadcast
+      artifact_path: system-images/binfmt/docker-images/aarch64.tar

  backend:
    uses: ./.github/workflows/backend.yaml
@@ -50,7 +46,7 @@ jobs:
    name: Build image
    runs-on: ubuntu-latest
    timeout-minutes: 60
-    needs: [compat,utils,binfmt,nc-broadcast,backend,frontend]
+    needs: [compat,utils,binfmt,backend,frontend]
    steps:
    - uses: actions/checkout@v3
      with:
@@ -60,25 +56,19 @@ jobs:
      uses: actions/download-artifact@v3
      with:
        name: compat.tar
-        path: system-images/compat
-    
+        path: system-images/compat/docker-images/
+
    - name: Download utils.tar artifact
      uses: actions/download-artifact@v3
      with:
        name: utils.tar
-        path: system-images/utils
-
+        path: system-images/utils/docker-images/
+    
    - name: Download binfmt.tar artifact
      uses: actions/download-artifact@v3
      with:
        name: binfmt.tar
-        path: system-images/binfmt
-
-    - name: Download nc-broadcast.tar artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: nc-broadcast.tar
-        path: cargo-deps/aarch64-unknown-linux-gnu/release
+        path: system-images/binfmt/docker-images/

    - name: Download js_snapshot artifact
      uses: actions/download-artifact@v3
@@ -117,6 +107,10 @@ jobs:
      run: |
        tar -mxvf frontend.tar frontend/config.json
        tar -mxvf frontend.tar frontend/dist
+        tar -xvf frontend.tar GIT_HASH.txt
+        tar -xvf frontend.tar ENVIRONMENT.txt
+        tar -xvf frontend.tar VERSION.txt
+        rm frontend.tar

    - name: Cache raspiOS
      id: cache-raspios
@@ -126,12 +120,10 @@ jobs:
        key: cache-raspios
    
    - name: Build image
-      run: "make V=1 NO_KEY=1 eos.img --debug"
-      
-    - name: Compress image
-      run: "make gzip"
+      run: |
+        make V=1 eos_raspberrypi-uninit.img --debug
      
    - uses: actions/upload-artifact@v3
      with:
        name: image
-        path: eos.tar.gz
+        path: eos_raspberrypi-uninit.img
--- a/.github/workflows/pureos-iso.yaml
+++ b/.github/workflows/pureos-iso.yaml
@@ -0,0 +1,70 @@
+name: PureOS Based ISO
+
+on:
+  workflow_call:
+  workflow_dispatch:
+  push:
+    branches:
+    - master
+    - next
+  pull_request:
+    branches:
+    - master
+    - next
+
+env:
+  ENVIRONMENT: "dev"
+
+jobs:
+  dpkg:
+    uses: ./.github/workflows/debian.yaml
+
+  iso:
+    name: Build iso
+    runs-on: ubuntu-22.04
+    needs: [dpkg]
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        repository: Start9Labs/eos-image-recipes
+
+    - name: Install dependencies
+      run: |
+        sudo apt update
+        wget http://ftp.us.debian.org/debian/pool/main/d/debspawn/debspawn_0.6.1-1_all.deb
+        sha256sum ./debspawn_0.6.1-1_all.deb | grep fb8a3f588438ff9ef51e713ec1d83306db893f0aa97447565e28bbba9c6e90c6
+        sudo apt-get install -y ./debspawn_0.6.1-1_all.deb
+        wget https://repo.pureos.net/pureos/pool/main/d/debootstrap/debootstrap_1.0.125pureos1_all.deb
+        sudo apt-get install -y --allow-downgrades ./debootstrap_1.0.125pureos1_all.deb
+        wget https://repo.pureos.net/pureos/pool/main/p/pureos-archive-keyring/pureos-archive-keyring_2021.11.0_all.deb
+        sudo apt-get install -y ./pureos-archive-keyring_2021.11.0_all.deb
+
+    - name: Configure debspawn
+      run: |
+        sudo mkdir -p /etc/debspawn/
+        echo "AllowUnsafePermissions=true" | sudo tee /etc/debspawn/global.toml
+
+    - uses: actions/cache@v3
+      with:
+        path: /var/lib/debspawn
+        key: ${{ runner.os }}-debspawn-init-byzantium
+
+    - name: Make build container
+      run: "debspawn list | grep byzantium || debspawn create --with-init byzantium"
+
+    - run: "mkdir -p overlays/vendor/root"
+
+    - name: Download dpkg
+      uses: actions/download-artifact@v3
+      with:
+        name: deb
+        path: overlays/vendor/root
+
+    - name: Run build
+      run: |
+        ./run-local-build.sh --no-fakemachine byzantium none custom "" true
+
+    - uses: actions/upload-artifact@v3
+      with:
+        name: iso
+        path: results/*.iso
--- a/.github/workflows/reusable-workflow.yaml
+++ b/.github/workflows/reusable-workflow.yaml
@@ -13,6 +13,9 @@ on:
        required: true
        type: string

+env:
+  ENVIRONMENT: "dev"
+
 jobs:
  generic_build_job:
    runs-on: ubuntu-latest
@@ -23,7 +26,7 @@ jobs:
        submodules: recursive

    - name: Set up Docker Buildx        
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2

    - name: Build image
      run: ${{ inputs.build_command }}
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,8 @@
 .DS_Store
 .idea
+system-images/binfmt/binfmt.tar
+system-images/compat/compat.tar
+system-images/util/util.tar
 /*.img
 /*.img.gz
 /*.img.xz
@@ -15,4 +18,11 @@ secrets.db
 /cargo-deps/**/*
 /ENVIRONMENT.txt
 /GIT_HASH.txt
-/eos.tar.gz
+/VERSION.txt
+/embassyos-*.tar.gz
+/eos-*.tar.gz
+/*.deb
+/target
+/*.squashfs
+/debian
+/DEBIAN
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,429 @@
+# v0.3.3
+## Highlights
+    - x86_64 architecture compatibility
+    - Kiosk mode - use your Embassy with monitor, keyboard, and mouse (available on x86 builds only, disabled on Raspberry Pi)
+    - "Updates" tab - view all service updates from all registries in one place
+    - Various UI/UX improvements
+    - Various bugfixes and optimizations
+
+## What's Changed
+    - Minor typo fixes by @kn0wmad in #1887
+    - Update build pipeline by @moerketh in #1896
+    - Feature/setup migrate by @elvece in #1841
+    - Feat/patch migration by @Blu-J in #1890
+    - make js cancellable by @dr-bonez in #1901
+    - wip: Making Injectable exec by @Blu-J in #1897
+    - Fix/debug by @Blu-J in #1909
+    - chore: Fix on the rsync not having stdout. by @Blu-J in #1911
+    - install wizard project by @MattDHill in #1893
+    - chore: Remove the duplicate loggging information that is making usele… by @Blu-J in #1912
+    - Http proxy by @redragonx in #1772
+    - fix(marketplace): loosen type in categories component by @waterplea in #1918
+    - set custom meta title by @MattDHill in #1915
+    - Feature/git hash by @dr-bonez in #1919
+    - closes #1900 by @dr-bonez in #1920
+    - feature/marketplace icons by @dr-bonez in #1921
+    - Bugfix/0.3.3 migration by @dr-bonez in #1922
+    - feat: Exposing the rsync that we have to the js by @Blu-J in #1907
+    - Feature/install wizard disk info by @dr-bonez in #1923
+    - bump shared and marketplace npm versions by @dr-bonez in #1924
+    - fix error handling when store unreachable by @dr-bonez in #1925
+    - wait for network online before launching init by @dr-bonez in #1930
+    - silence service crash notifications by @dr-bonez in #1929
+    - disable efi by @dr-bonez in #1931
+    - Tor daemon fix by @redragonx in #1934
+    - wait for url to be available before launching kiosk by @dr-bonez in #1933
+    - fix migration to support portable fatties by @dr-bonez in #1935
+    - Add guid to partition type by @MattDHill in #1932
+    - add localhost support to the http server by @redragonx in #1939
+    - refactor setup wizard by @dr-bonez in #1937
+    - feat(shared): Ticker add new component and use it in marketplace by @waterplea in #1940
+    - feat: For ota update using rsyncd by @Blu-J in #1938
+    - Feat/update progress by @MattDHill in #1944
+    - Fix/app show hidden by @MattDHill in #1948
+    - create dpkg and iso workflows by @dr-bonez in #1941
+    - changing ip addr type by @redragonx in #1950
+    - Create mountpoints first by @k0gen in #1949
+    - Hard code registry icons by @MattDHill in #1951
+    - fix: Cleanup by sending a command and kill when dropped by @Blu-J in #1945
+    - Update setup wizard styling by @elvece in #1954
+    - Feature/homepage by @elvece in #1956
+    - Fix millis by @Blu-J in #1960
+    - fix accessing dev tools by @MattDHill in #1966
+    - Update/misc UI fixes by @elvece in #1961
+    - Embassy-init typo by @redragonx in #1959
+    - feature: 0.3.2 -> 0.3.3 upgrade by @dr-bonez in #1958
+    - Fix/migrate by @Blu-J in #1962
+    - chore: Make validation reject containers by @Blu-J in #1970
+    - get pubkey and encrypt password on login by @elvece in #1965
+    - Multiple bugs and styling by @MattDHill in #1975
+    - filter out usb stick during install by @dr-bonez in #1974
+    - fix http upgrades by @dr-bonez in #1980
+    - restore interfaces before creating manager by @dr-bonez in #1982
+    - fuckit: no patch db locks by @dr-bonez in #1969
+    - fix websocket hangup error by @dr-bonez in #1981
+    - revert app show to use header and fix back button by @MattDHill in #1984
+    - Update/marketplace info by @elvece in #1983
+    - force docker image removal by @dr-bonez in #1985
+    - do not error if cannot determine live usb device by @dr-bonez in #1986
+    - remove community registry from FE defaults by @MattDHill in #1988
+    - check environment by @dr-bonez in #1990
+    - fix marketplace search and better category disabling by @MattDHill in #1991
+    - better migration progress bar by @dr-bonez in #1993
+    - bump cargo version by @dr-bonez in #1995
+    - preload icons and pause on setup complete for kiosk mode by @MattDHill in #1997
+    - use squashfs for rpi updates by @dr-bonez in #1998
+    - do not start progress at 0 before diff complete by @dr-bonez in #1999
+    - user must click continue in kiosk on success page by @MattDHill in #2001
+    - fix regex in image rip script by @dr-bonez in #2002
+    - fix bug with showing embassy drives and center error text by @MattDHill in #2006
+    - fix partition type by @dr-bonez in #2007
+    - lowercase service for alphabetic sorting by @MattDHill in #2008
+    - dont add updates cat by @MattDHill in #2009
+    - make downloaded page a full html doc by @MattDHill in #2011
+    - wait for monitor to be attached before launching firefox by @chrisguida in #2005
+    - UI fixes by @elvece in #2014
+    - fix: Stop service before by @Blu-J in #2019
+    - shield links update by @k0gen in #2018
+    - fix: Undoing the breaking introduced by trying to stopp by @Blu-J in #2023
+    - update link rename from embassy -> system by @elvece in #2027
+    - initialize embassy before restoring packages by @dr-bonez in #2029
+    - make procfs an optional dependency so sdk can build on macos by @elvece in #2028
+    - take(1) for recover select by @MattDHill in #2030
+    - take one from server info to prevent multiple reqs to registries by @MattDHill in #2032
+    - remove write lock during backup by @MattDHill in #2033
+    - fix: Ensure that during migration we make the urls have a trailing slash by @Blu-J in #2036
+    - fix: Make the restores limited # restore at a time by @Blu-J in #2037
+    - fix error and display of unknown font weight on success page by @elvece in #2038
+
+## Checksums
+```
+8602e759d3ece7cf503b9ca43e8419109f14e424617c2703b3771c8801483d7e  embassyos_amd64.deb
+b5c0d8d1af760881a1b5cf32bd7c5b1d1cf6468f6da594a1b4895a866d03a58c  embassyos_amd64.iso
+fe518453a7e1a8d8c2be43223a1a12adff054468f8082df0560e1ec50df3dbfd  embassyos_raspberrypi.img
+7b1ff0ada27b6714062aa991ec31c2d95ac4edf254cd464a4fa251905aa47ebd  embassyos_raspberrypi.tar.gz
+```
+
+# v0.3.2.1
+## What's Changed
+    - Update index.html copy and styling by @elvece in #1855
+    - increase maximum avahi entry group size by @dr-bonez in #1869
+    - bump version by @dr-bonez in #1871
+
+### Linux and Mac
+
+Download the `eos.tar.gz` file, then extract and flash the resulting eos.img to your SD Card
+Windows
+
+Download the `eos.zip` file, then extract and flash the resulting eos.img to your SD Card
+
+## SHA-256 Checksums
+```
+c4b17658910dd10c37df134d5d5fdd6478f962ba1b803d24477d563d44430f96  eos.tar.gz
+3a8b29878fe222a9d7cbf645c975b12805704b0f39c7daa46033d22380f9828c eos.zip
+dedff3eb408ea411812b8f46e6c6ed32bfbd97f61ec2b85a6be40373c0528256  eos.img
+```
+
+# v0.3.2
+## Highlights
+    - Autoscrolling for logs
+    - Improved connectivity between browser and Embassy
+    - Switch to Postgres for EOS database for better performance
+    - Multiple bug fixes and under-the-hood improvements
+    - Various UI/UX enhancements
+    - Removal of product keys
+
+Update Hash (SHA256): `d8ce908b06baee6420b45be1119e5eb9341ba8df920d1e255f94d1ffb7cc4de9`
+
+Image Hash (SHA256): `e035cd764e5ad9eb1c60e2f7bc3b9bd7248f42a91c69015c8a978a0f94b90bbb`
+
+Note: This image was uploaded as a gzipped POSIX sparse TAR file. The recommended command for unpacking it on systems that support sparse files is `tar --format=posix --sparse -zxvf eos.tar.gz`
+
+## What's Changed
+    - formatting by @dr-bonez in #1698
+    - Update README.md by @kn0wmad in #1705
+    - Update README.md by @dr-bonez in #1703
+    - feat: migrate to Angular 14 and RxJS 7 by @waterplea in #1681
+    - 0312 multiple FE by @MattDHill in #1712
+    - Fix http requests by @MattDHill in #1717
+    - Add build-essential to README.md by @chrisguida in #1716
+    - write image to sparse-aware archive format by @dr-bonez in #1709
+    - fix: Add modification to the max_user_watches by @Blu-J in #1695
+    - [Feat] follow logs by @chrisguida in #1714
+    - Update README.md by @dr-bonez in #1728
+    - fix build for patch-db client for consistency by @elvece in #1722
+    - fix cli install by @chrisguida in #1720
+    - highlight instructions if not viewed by @MattDHill in #1731
+    - Feat: HttpReader by @redragonx in #1733
+    - Bugfix/dns by @dr-bonez in #1741
+    - add x86 build and run unittests to backend pipeline by @moerketh in #1682
+    - [Fix] websocket connecting and patchDB connection monitoring by @MattDHill in #1738
+    - Set pipeline job timeouts and add ca-certificates to test container by @moerketh in #1753
+    - Disable bluetooth properly #862 by @redragonx in #1745
+    - [feat]: resumable downloads by @dr-bonez in #1746
+    - Fix/empty properties by @elvece in #1764
+    - use hostname from patchDB as default server name by @MattDHill in #1758
+    - switch to postgresql by @dr-bonez in #1763
+    - remove product key from setup flow by @MattDHill in #1750
+    - pinning cargo dep versions for CLI by @redragonx in #1775
+    - fix: Js deep dir by @Blu-J in #1784
+    - 0.3.2 final cleanup by @dr-bonez in #1782
+    - expect ui marketplace to be undefined by @MattDHill in #1787
+    - fix init to exit on failure by @dr-bonez in #1788
+    - fix search to return more accurate results by @MattDHill in #1792
+    - update backend dependencies by @dr-bonez in #1796
+    - use base64 for HTTP headers by @dr-bonez in #1795
+    - fix: Bad cert of *.local.local is now fixed to correct. by @Blu-J in #1798
+    - fix duplicate patch updates, add scroll button to setup success by @MattDHill in #1800
+    - level_slider reclaiming that precious RAM memory by @k0gen in #1799
+    - stop leaking avahi clients by @dr-bonez in #1802
+    - fix: Deep is_parent was wrong and could be escapped by @Blu-J in #1801
+    - prevent cfg str generation from running forever by @dr-bonez in #1804
+    - better RPC error message by @MattDHill in #1803
+    - Bugfix/marketplace add by @elvece in #1805
+    - fix mrketplace swtiching by @MattDHill in #1810
+    - clean up code and logs by @MattDHill in #1809
+    - fix: Minor fix that matt wanted by @Blu-J in #1808
+    - onion replace instead of adding tor repository by @k0gen in #1813
+    - bank Start as embassy hostname from the begining by @k0gen in #1814
+    - add descriptions to marketplace list page by @elvece in #1812
+    - Fix/encryption by @elvece in #1811
+    - restructure initialization by @dr-bonez in #1816
+    - update license by @MattDHill in #1819
+    - perform system rebuild after updating by @dr-bonez in #1820
+    - ignore file not found error for delete by @dr-bonez in #1822
+    - Multiple by @MattDHill in #1823
+    - Bugfix/correctly package backend job by @moerketh in #1826
+    - update patch-db by @dr-bonez in #1831
+    - give name to logs file by @MattDHill in #1833
+    - play song during update by @dr-bonez in #1832
+    - Seed patchdb UI data by @elvece in #1835
+    - update patch db and enable logging by @dr-bonez in #1837
+    - reduce patch-db log level to warn by @dr-bonez in #1840
+    - update ts matches to fix properties ordering bug by @elvece in #1843
+    - handle multiple image tags having the same hash and increase timeout by @dr-bonez in #1844
+    - retry pgloader up to 5x by @dr-bonez in #1845
+    - show connection bar right away by @MattDHill in #1849
+    - dizzy Rebranding to embassyOS by @k0gen in #1851
+    - update patch db by @MattDHill in #1852
+    - camera_flash screenshots update by @k0gen in #1853
+    - disable concurrency and delete tmpdir before retry by @dr-bonez in #1846
+
+## New Contributors
+
+	- @redragonx made their first contribution in #1733
+
+
+# v0.3.1.1
+## What's Changed
+
+    - whale2 docker stats fix by @k0gen in #1630
+    - update backend dependencies by @dr-bonez in #1637
+    - Fix/receipts health by @Blu-J in #1616
+    - return correct error on failed os download by @dr-bonez in #1636
+    - fix build by @dr-bonez in #1639
+    - Update product.yaml by @dr-bonez in #1638
+    - handle case where selected union enum is invalid after migration by @MattDHill in #1658
+    - fix: Resolve fighting with NM by @Blu-J in #1660
+    - sdk: don't allow mounts in inject actions by @chrisguida in #1653
+    - feat: Variable args by @Blu-J in #1667
+    - add readme to system-images folder by @elvece in #1665
+    - Mask chars beyond 16 by @MattDHill in #1666
+    - chore: Update to have the new version 0.3.1.1 by @Blu-J in #1668
+    - feat: Make the rename effect by @Blu-J in #1669
+    - fix migration, add logging by @dr-bonez in #1674
+    - run build checks only when relevant FE changes by @elvece in #1664
+    - trust local ca by @dr-bonez in #1670
+    - lower log level for docker deser fallback message by @dr-bonez in #1672
+    - refactor build process by @dr-bonez in #1675
+    - chore: enable strict mode by @waterplea in #1569
+    - draft releases notes for 0311 by @MattDHill in #1677
+    - add standby mode by @dr-bonez in #1671
+    - feat: atomic writing by @Blu-J in #1673
+    - allow server.update to update to current version by @dr-bonez in #1679
+    - allow falsey rpc response by @dr-bonez in #1680
+    - issue notification when individual package restore fails by @dr-bonez in #1685
+    - replace bang with question mark in html by @MattDHill in #1683
+    - only validate mounts for inject if eos >=0.3.1.1 by @dr-bonez in #1686
+    - add marketplace_url to backup metadata for service by @dr-bonez in #1688
+    - marketplace published at for service by @MattDHill in #1689
+    - sync data to fs before shutdown by @dr-bonez in #1690
+    - messaging for restart, shutdown, rebuild by @MattDHill in #1691
+    - honor shutdown from diagnostic ui by @dr-bonez in #1692
+    - ask for sudo password immediately during make by @dr-bonez in #1693
+    - sync blockdev after update by @dr-bonez in #1694
+    - set Matt as default assignee by @MattDHill in #1697
+    - NO_KEY for CI images by @dr-bonez in #1700
+    - fix typo by @dr-bonez in #1702
+
+# v0.3.1
+## What's Changed
+    - Feat bulk locking by @Blu-J in #1422
+    - Switching SSH keys to start9 user by @k0gen in #1321
+    - chore: Convert from ajv to ts-matches by @Blu-J in #1415
+    - Fix/id params by @elvece in #1414
+    - make nicer update sound by @ProofOfKeags in #1438
+    - adds product key to error message in setup flow when there is mismatch by @dr-bonez in #1436
+    - Update README.md to include yq by @cryptodread in #1385
+    - yin_yang For the peace of mind yin_yang by @k0gen in #1444
+    - Feature/update sound by @ProofOfKeags in #1439
+    - Feature/script packing by @ProofOfKeags in #1435
+    - rename ActionImplementation to PackageProcedure by @dr-bonez in #1448
+    - Chore/warning cleanse by @ProofOfKeags in #1447
+    - refactor packing to async by @ProofOfKeags in #1453
+    - Add nginx config for proxy redirect by @yzernik in #1421
+    - Proxy local frontend to remote backend by @elvece in #1452
+    - Feat/js action by @Blu-J in #1437
+    - Fix/making js work by @Blu-J in #1456
+    - fix: Dependency vs dependents by @Blu-J in #1462
+    - refactor: isolate network toast and login redirect to separate services by @waterplea in #1412
+    - Fix links in CONTRIBUTING.md, update ToC by @BBlackwo in #1463
+    - Feature/require script consistency by @ProofOfKeags in #1451
+    - Chore/version 0 3 1 0 by @Blu-J in #1475
+    - remove interactive TTY requirement from scripts by @moerketh in #1469
+    - Disable view in marketplace button when side-loaded by @BBlackwo in #1471
+    - Link to tor address on LAN setup page (#1277) by @BBlackwo in #1466
+    - UI version updates and welcome message for 0.3.1 by @elvece in #1479
+    - Update contribution and frontend readme by @BBlackwo in #1467
+    - Clean up config by @MattDHill in #1484
+    - Enable Control Groups for Docker containers by @k0gen in #1468
+    - Fix/patch db unwrap remove by @Blu-J in #1481
+    - handles spaces in working dir in make-image.sh by @moerketh in #1487
+    - UI cosmetic improvements by @MattDHill in #1486
+    - chore: fix the master by @Blu-J in #1495
+    - generate unique ca names based off of server id by @ProofOfKeags in #1500
+    - allow embassy-cli not as root by @dr-bonez in #1501
+    - fix: potential fix for the docker leaking the errors and such by @Blu-J in #1496
+    - Fix/memory leak docker by @Blu-J in #1505
+    - fixes serialization of regex pattern + description by @ProofOfKeags in #1509
+    - allow interactive TTY if available by @dr-bonez in #1508
+    - fix "missing proxy" error in embassy-cli by @dr-bonez in #1516
+    - Feat/js known errors by @Blu-J in #1514
+    - fixes a bug where nginx will crash if eos goes into diagnostic mode a… by @dr-bonez in #1506
+    - fix: restart/ uninstall sometimes didn't work by @Blu-J in #1527
+    - add "error_for_status" to static file downloads by @dr-bonez in #1532
+    - fixes #1169 by @dr-bonez in #1533
+    - disable unnecessary services by @dr-bonez in #1535
+    - chore: Update types to match embassyd by @Blu-J in #1539
+    - fix: found a unsaturaded args fix by @Blu-J in #1540
+    - chore: Update the lite types to include the union and enum by @Blu-J in #1542
+    - Feat: Make the js check for health by @Blu-J in #1543
+    - fix incorrect error message for deserialization in ValueSpecString by @dr-bonez in #1547
+    - fix dependency/dependent id issue by @dr-bonez in #1546
+    - add textarea to ValueSpecString by @dr-bonez in #1534
+    - Feat/js metadata by @Blu-J in #1548
+    - feat: uid/gid/mode added to metadata by @Blu-J in #1551
+    - Strict null checks by @waterplea in #1464
+    - fix backend builds for safe git config by @elvece in #1549
+    - update should send version not version spec by @elvece in #1559
+    - chore: Add tracing for debuging the js procedure slowness by @Blu-J in #1552
+    - Reset password through setup wizard by @MattDHill in #1490
+    - feat: Make sdk by @Blu-J in #1564
+    - fix: Missing a feature flat cfg by @Blu-J in #1563
+    - fixed sentence that didn't make sense by @BitcoinMechanic in #1565
+    - refactor(patch-db): use PatchDB class declaratively by @waterplea in #1562
+    - fix bugs with config and clean up dev options by @MattDHill in #1558
+    - fix: Make it so we only need the password on the backup by @Blu-J in #1566
+    - kill all sessions and remove ripple effect by @MattDHill in #1567
+    - adjust service marketplace button for installation source relevance by @elvece in #1571
+    - fix connection failure display monitoring and other style changes by @MattDHill in #1573
+    - add dns server to embassy-os by @dr-bonez in #1572
+    - Fix/mask generic inputs by @elvece in #1570
+    - Fix/sideload icon type by @elvece in #1577
+    - add avahi conditional compilation flags to dns by @dr-bonez in #1579
+    - selective backups and better drive selection interface by @MattDHill in #1576
+    - Feat/use modern tor by @kn0wmad in #1575
+    - update welcome notes for 031 by @MattDHill in #1580
+    - fix: Properties had a null description by @Blu-J in #1581
+    - fix backup lock ordering by @dr-bonez in #1582
+    - Bugfix/backup lock order by @dr-bonez in #1583
+    - preload redacted and visibility hidden by @MattDHill in #1584
+    - turn chevron red in config if error by @MattDHill in #1586
+    - switch to utc by @dr-bonez in #1587
+    - update patchdb for array patch fix by @elvece in #1588
+    - filter package ids when backing up by @dr-bonez in #1589
+    - add select/deselect all to backups and enum lists by @elvece in #1590
+    - fix: Stop the buffer from dropped pre-maturly by @Blu-J in #1591
+    - chore: commit the snapshots by @Blu-J in #1592
+    - nest new entries and message updates better by @MattDHill in #1595
+    - fix html parsing in logs by @elvece in #1598
+    - don't crash service if io-format is set for main by @dr-bonez in #1599
+    - strip html from colors from logs by @elvece in #1604
+    - feat: fetch effect by @Blu-J in #1605
+    - Fix/UI misc by @elvece in #1606
+    - display bottom item in backup list and refactor for cleanliness by @MattDHill in #1609
+
+# v0.3.0.3
+## What's Changed
+	- refactor: decompose app component by @waterplea in #1359
+	- Update Makefile by @kn0wmad in #1400
+	- ⬐ smarter wget by @k0gen in #1401
+	- prevent the kernel from OOMKilling embassyd by @dr-bonez in #1402
+	- attempt to heal when health check passes by @dr-bonez in #1420
+	- Feat new locking by @Blu-J in #1384
+	- version bump by @dr-bonez in #1423
+	- Update server-show.page.ts by @chrisguida in #1424
+	- Bump async from 2.6.3 to 2.6.4 in /frontend by @dependabot in #1426
+	- Update index.html by @mirkoRainer in #1419
+
+## New Contributors
+    - @dependabot made their first contribution in #1426
+    - @mirkoRainer made their first contribution in #1419
+
+# v0.3.0.2
+- Minor compatibility fixes
+  - #1392
+  - #1390
+  - #1388
+
+# v0.3.0.1
+Minor bugfixes and performance improvements
+
+# v0.3.0
+- Websockets
+	- Real-time sync
+- Patch DB
+	- Closely mirror FE and BE state. Most operating systems are connected to their GUI. Here it is served over the web. Patch DB and websockets serve to close the perceptual gap of this inherent challenge.
+- Switch kernel from Raspbian to Ubuntu
+	- 64 bit
+	- Possibility for alternative hardware
+- Merging of lifeline, agent, and appmgr into embassyd
+	- Elimination of Haskell in favor of pure Rust
+	- Unified API for interacting with the OS
+	- Easier to build from source
+- OS (quarantined from OS and service data)
+	- Kernel/boot
+	- Persistent metadata (disk guid, product key)
+	- Rootfs (the os)
+	- Reserved (for updates) - swaps with rootfs
+- Revamped OS updates
+	- Progress indicators
+	- Non-blocking
+	- Simple swap on reboot
+- Revamped setup flow
+	- Elimination of Setup App (Apple/Google dependencies gone)
+	- Setup Wizard on http://embassy.local
+- Revamped service config
+	- Dynamic, validated forms
+- Diagnostic UI
+	- Missing disk, wrong disk, corrupt disk
+- Turing complete API for actions, backup/restore, config, properties, notifications, health checks, and dependency requirements
+- Optional, arbitrary inputs for actions
+- Install, update, recover progress for apps
+- Multiple interfaces
+	- E.g. rpc, p2p, ui
+- Health checks
+	- Developer defined
+	- Internal, dependencies, and/or external
+- Full Embassy backup (diff-based)
+- External drive support/requirement
+	- Single at first
+	- Groundwork for extension and mirror drives
+- Disk encryption
+	- Random key encrypted with static value
+	- Groundwork for swapping static value with chosen password
+- Session Management
+	- List all active sessions
+	- Option to kill
+- More robust and extensive logs
+- Donations
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,11 +1,20 @@
 <!-- omit in toc -->
+
 # Contributing to Embassy OS

 First off, thanks for taking the time to contribute! ❤️

-All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 🎉
+All types of contributions are encouraged and valued. See the
+[Table of Contents](#table-of-contents) for different ways to help and details
+about how this project handles them. Please make sure to read the relevant
+section before making your contribution. It will make it a lot easier for us
+maintainers and smooth out the experience for all involved. The community looks
+forward to your contributions. 🎉

-> And if you like the project, but just don't have time to contribute, that's fine. There are other easy ways to support the project and show your appreciation, which we would also be very happy about:
+> And if you like the project, but just don't have time to contribute, that's
+> fine. There are other easy ways to support the project and show your
+> appreciation, which we would also be very happy about:
+>
 > - Star the project
 > - Tweet about it
 > - Refer this project in your project's readme
@@ -13,6 +22,7 @@ All types of contributions are encouraged and valued. See the [Table of Contents
 > - Buy an [Embassy](https://start9labs.com)

 <!-- omit in toc -->
+
 ## Table of Contents

 - [I Have a Question](#i-have-a-question)
@@ -33,15 +43,19 @@ All types of contributions are encouraged and valued. See the [Table of Contents
 - [Join The Discussion](#join-the-discussion)
 - [Join The Project Team](#join-the-project-team)

-
-
 ## I Have a Question

-> If you want to ask a question, we assume that you have read the available [Documentation](https://docs.start9labs.com).
+> If you want to ask a question, we assume that you have read the available
+> [Documentation](https://docs.start9labs.com).

-Before you ask a question, it is best to search for existing [Issues](https://github.com/Start9Labs/embassy-os/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
+Before you ask a question, it is best to search for existing
+[Issues](https://github.com/Start9Labs/embassy-os/issues) that might help you.
+In case you have found a suitable issue and still need clarification, you can
+write your question in this issue. It is also advisable to search the internet
+for answers first.

-If you then still feel the need to ask a question and need clarification, we recommend the following:
+If you then still feel the need to ask a question and need clarification, we
+recommend the following:

 - Open an [Issue](https://github.com/Start9Labs/embassy-os/issues/new).
 - Provide as much context as you can about what you're running into.
@@ -67,100 +81,180 @@ Depending on how large the project is, you may want to outsource the questioning
 ## I Want To Contribute

 > ### Legal Notice <!-- omit in toc -->
-> When contributing to this project, you must agree that you have authored 100% of the content, that you have the necessary rights to the content and that the content you contribute may be provided under the project license.
+>
+> When contributing to this project, you must agree that you have authored 100%
+> of the content, that you have the necessary rights to the content and that the
+> content you contribute may be provided under the project license.

 ### Reporting Bugs

 <!-- omit in toc -->
+
 #### Before Submitting a Bug Report

-A good bug report shouldn't leave others needing to chase you up for more information. Therefore, we ask you to investigate carefully, collect information and describe the issue in detail in your report. Please complete the following steps in advance to help us fix any potential bug as fast as possible.
+A good bug report shouldn't leave others needing to chase you up for more
+information. Therefore, we ask you to investigate carefully, collect information
+and describe the issue in detail in your report. Please complete the following
+steps in advance to help us fix any potential bug as fast as possible.

 - Make sure that you are using the latest version.
- Determine if your bug is really a bug and not an error on your side e.g. using incompatible environment components/versions (Make sure that you have read the [documentation](https://start9.com/latest/user-manual). If you are looking for support, you might want to check [this section](#i-have-a-question)).
- To see if other users have experienced (and potentially already solved) the same issue you are having, check if there is not already a bug report existing for your bug or error in the [bug tracker](https://github.com/Start9Labs/embassy-os/issues?q=label%3Abug).
- Also make sure to search the internet (including Stack Overflow) to see if users outside of the GitHub community have discussed the issue.
+- Determine if your bug is really a bug and not an error on your side e.g. using
+  incompatible environment components/versions (Make sure that you have read the
+  [documentation](https://start9.com/latest/user-manual). If you are looking for
+  support, you might want to check [this section](#i-have-a-question)).
+- To see if other users have experienced (and potentially already solved) the
+  same issue you are having, check if there is not already a bug report existing
+  for your bug or error in the
+  [bug tracker](https://github.com/Start9Labs/embassy-os/issues?q=label%3Abug).
+- Also make sure to search the internet (including Stack Overflow) to see if
+  users outside of the GitHub community have discussed the issue.
 - Collect information about the bug:
  - Stack trace (Traceback)
-  - Client OS, Platform and Version (Windows/Linux/macOS/iOS/Android, Firefox/Tor Browser/Consulate)
-  - Version of the interpreter, compiler, SDK, runtime environment, package manager, depending on what seems relevant.
+  - Client OS, Platform and Version (Windows/Linux/macOS/iOS/Android,
+    Firefox/Tor Browser/Consulate)
+  - Version of the interpreter, compiler, SDK, runtime environment, package
+    manager, depending on what seems relevant.
  - Possibly your input and the output
-  - Can you reliably reproduce the issue? And can you also reproduce it with older versions?
+  - Can you reliably reproduce the issue? And can you also reproduce it with
+    older versions?

 <!-- omit in toc -->
+
 #### How Do I Submit a Good Bug Report?

-> You must never report security related issues, vulnerabilities or bugs to the issue tracker, or elsewhere in public. Instead sensitive bugs must be sent by email to <security@start9labs.com>.
+> You must never report security related issues, vulnerabilities or bugs to the
+> issue tracker, or elsewhere in public. Instead sensitive bugs must be sent by
+> email to <security@start9labs.com>.
+
 <!-- You may add a PGP key to allow the messages to be sent encrypted as well. -->

-We use GitHub issues to track bugs and errors. If you run into an issue with the project:
+We use GitHub issues to track bugs and errors. If you run into an issue with the
+project:

- Open an [Issue](https://github.com/Start9Labs/embassy-os/issues/new/choose) selecting the appropriate type.
+- Open an [Issue](https://github.com/Start9Labs/embassy-os/issues/new/choose)
+  selecting the appropriate type.
 - Explain the behavior you would expect and the actual behavior.
- Please provide as much context as possible and describe the *reproduction steps* that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case.
+- Please provide as much context as possible and describe the _reproduction
+  steps_ that someone else can follow to recreate the issue on their own. This
+  usually includes your code. For good bug reports you should isolate the
+  problem and create a reduced test case.
 - Provide the information you collected in the previous section.

 Once it's filed:

 - The project team will label the issue accordingly.
- A team member will try to reproduce the issue with your provided steps. If there are no reproduction steps or no obvious way to reproduce the issue, the team will ask you for those steps and mark the issue as `Question`. Bugs with the `Question` tag will not be addressed until they are answered.
- If the team is able to reproduce the issue, it will be marked a scoping level tag, as well as possibly other tags (such as `Security`), and the issue will be left to be [implemented by someone](#your-first-code-contribution).
+- A team member will try to reproduce the issue with your provided steps. If
+  there are no reproduction steps or no obvious way to reproduce the issue, the
+  team will ask you for those steps and mark the issue as `Question`. Bugs with
+  the `Question` tag will not be addressed until they are answered.
+- If the team is able to reproduce the issue, it will be marked a scoping level
+  tag, as well as possibly other tags (such as `Security`), and the issue will
+  be left to be [implemented by someone](#your-first-code-contribution).

 <!-- You might want to create an issue template for bugs and errors that can be used as a guide and that defines the structure of the information to be included. If you do so, reference it here in the description. -->

-
 ### Suggesting Enhancements

-This section guides you through submitting an enhancement suggestion for Embassy OS, **including completely new features and minor improvements to existing functionality**. Following these guidelines will help maintainers and the community to understand your suggestion and find related suggestions.
+This section guides you through submitting an enhancement suggestion for Embassy
+OS, **including completely new features and minor improvements to existing
+functionality**. Following these guidelines will help maintainers and the
+community to understand your suggestion and find related suggestions.

 <!-- omit in toc -->
+
 #### Before Submitting an Enhancement

 - Make sure that you are using the latest version.
- Read the [documentation](https://start9.com/latest/user-manual) carefully and find out if the functionality is already covered, maybe by an individual configuration.
- Perform a [search](https://github.com/Start9Labs/embassy-os/issues) to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one.
- Find out whether your idea fits with the scope and aims of the project. It's up to you to make a strong case to convince the project's developers of the merits of this feature. Keep in mind that we want features that will be useful to the majority of our users and not just a small subset. If you're just targeting a minority of users, consider writing an add-on/plugin library.
+- Read the [documentation](https://start9.com/latest/user-manual) carefully and
+  find out if the functionality is already covered, maybe by an individual
+  configuration.
+- Perform a [search](https://github.com/Start9Labs/embassy-os/issues) to see if
+  the enhancement has already been suggested. If it has, add a comment to the
+  existing issue instead of opening a new one.
+- Find out whether your idea fits with the scope and aims of the project. It's
+  up to you to make a strong case to convince the project's developers of the
+  merits of this feature. Keep in mind that we want features that will be useful
+  to the majority of our users and not just a small subset. If you're just
+  targeting a minority of users, consider writing an add-on/plugin library.

 <!-- omit in toc -->
+
 #### How Do I Submit a Good Enhancement Suggestion?

-Enhancement suggestions are tracked as [GitHub issues](https://github.com/Start9Labs/embassy-os/issues).
+Enhancement suggestions are tracked as
+[GitHub issues](https://github.com/Start9Labs/embassy-os/issues).

- Use a **clear and descriptive title** for the issue to identify the suggestion.
- Provide a **step-by-step description of the suggested enhancement** in as many details as possible.
- **Describe the current behavior** and **explain which behavior you expected to see instead** and why. At this point you can also tell which alternatives do not work for you.
- You may want to **include screenshots and animated GIFs** which help you demonstrate the steps or point out the part which the suggestion is related to. You can use [this tool](https://www.cockos.com/licecap/) to record GIFs on macOS and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux. <!-- this should only be included if the project has a GUI -->
- **Explain why this enhancement would be useful** to most Embassy OS users. You may also want to point out the other projects that solved it better and which could serve as inspiration.
+- Use a **clear and descriptive title** for the issue to identify the
+  suggestion.
+- Provide a **step-by-step description of the suggested enhancement** in as many
+  details as possible.
+- **Describe the current behavior** and **explain which behavior you expected to
+  see instead** and why. At this point you can also tell which alternatives do
+  not work for you.
+- You may want to **include screenshots and animated GIFs** which help you
+  demonstrate the steps or point out the part which the suggestion is related
+  to. You can use [this tool](https://www.cockos.com/licecap/) to record GIFs on
+  macOS and Windows, and [this tool](https://github.com/colinkeenan/silentcast)
+  or [this tool](https://github.com/GNOME/byzanz) on Linux.
+  <!-- this should only be included if the project has a GUI -->
+- **Explain why this enhancement would be useful** to most Embassy OS users. You
+  may also want to point out the other projects that solved it better and which
+  could serve as inspiration.

 <!-- You might want to create an issue template for enhancement suggestions that can be used as a guide and that defines the structure of the information to be included. If you do so, reference it here in the description. -->

 ### Project Structure

-embassyOS is composed of the following components. Please visit the README for each component to understand the dependency requirements and installation instructions.
- [`ui`](frontend/README.md) (Typescript Ionic Angular) is the code that is deployed to the browser to provide the user interface for embassyOS.
- [`backend`](backend/README.md) (Rust) is a command line utility, daemon, and software development kit that sets up and manages services and their environments, provides the interface for the ui, manages system state, and provides utilities for packaging services for embassyOS.
- `patch-db` - A diff based data store that is used to synchronize data between the front and backend.
-  - Notably, `patch-db` has a [client](https://github.com/Start9Labs/patch-db/tree/master/client) with its own dependency and installation requirements.
- `rpc-toolkit` - A library for generating an rpc server with cli bindings from Rust functions.
- `system-images` - (Docker, Rust) A suite of utility Docker images that are preloaded with embassyOS to assist with functions relating to services (eg. configuration, backups, health checks).
- [`setup-wizard`](frontend/README.md)- Code for the user interface that is displayed during the setup and recovery process for embassyOS.
- [`diagnostic-ui`](frontend/README.md) - Code for the user interface that is displayed when something has gone wrong with starting up embassyOS, which provides helpful debugging tools.
+embassyOS is composed of the following components. Please visit the README for
+each component to understand the dependency requirements and installation
+instructions.
+
+- [`backend`](backend/README.md) (Rust) is a command line utility, daemon, and
+  software development kit that sets up and manages services and their
+  environments, provides the interface for the ui, manages system state, and
+  provides utilities for packaging services for embassyOS.
+- [`build`](build/README.md) contains scripts and necessary for deploying
+  embassyOS to a debian/raspbian system.
+- [`frontend`](frontend/README.md) (Typescript Ionic Angular) is the code that
+  is deployed to the browser to provide the user interface for embassyOS.
+  - `projects/ui` - Code for the user interface that is displayed when embassyOS
+    is running normally.
+  - `projects/setup-wizard`(frontend/README.md) - Code for the user interface
+    that is displayed during the setup and recovery process for embassyOS.
+  - `projects/diagnostic-ui` - Code for the user interface that is displayed
+    when something has gone wrong with starting up embassyOS, which provides
+    helpful debugging tools.
+- `libs` (Rust) is a set of standalone crates that were separated out of
+  `backend` for the purpose of portability
+- `patch-db` - A diff based data store that is used to synchronize data between
+  the front and backend.
+  - Notably, `patch-db` has a
+    [client](https://github.com/Start9Labs/patch-db/tree/master/client) with its
+    own dependency and installation requirements.
+- `system-images` - (Docker, Rust) A suite of utility Docker images that are
+  preloaded with embassyOS to assist with functions relating to services (eg.
+  configuration, backups, health checks).

 ### Your First Code Contribution

 #### Setting Up Your Development Environment

-First, clone the embassyOS repository and from the project root, pull in the submodules for dependent libraries.
+First, clone the embassyOS repository and from the project root, pull in the
+submodules for dependent libraries.

 ```sh
 git clone https://github.com/Start9Labs/embassy-os.git
 git submodule update --init --recursive
 ```

-Depending on which component of the ecosystem you are interested in contributing to, follow the installation requirements listed in that component's README (linked [above](#project-structure))
+Depending on which component of the ecosystem you are interested in contributing
+to, follow the installation requirements listed in that component's README
+(linked [above](#project-structure))

-#### Building The Image
-This step is for setting up an environment in which to test your code changes if you do not yet have a embassyOS.
+#### Building The Raspberry Pi Image
+
+This step is for setting up an environment in which to test your code changes if
+you do not yet have a embassyOS.

 - Requirements
  - `ext4fs` (available if running on the Linux kernel)
@@ -168,41 +262,79 @@ This step is for setting up an environment in which to test your code changes if
  - GNU Make
 - Building
  - see setup instructions [here](build/README.md)
-  - run `make` from the project root
+  - run `make embassyos-raspi.img ARCH=aarch64` from the project root

 ### Improving The Documentation
-You can find the repository for Start9's documentation [here](https://github.com/Start9Labs/documentation). If there is something you would like to see added, let us know, or create an issue yourself. Welcome are contributions for lacking or incorrect information, broken links, requested additions, or general style improvements.

-Contributions in the form of setup guides for integrations with external applications are highly encouraged. If you struggled through a process and would like to share your steps with others, check out the docs for each [service](https://github.com/Start9Labs/documentation/blob/master/source/user-manuals/available-services/index.rst) we support. The wrapper repos contain sections for adding integration guides, such as this [one](https://github.com/Start9Labs/bitcoind-wrapper/tree/master/docs). These not only help out others in the community, but inform how we can create a more seamless and intuitive experience.
+You can find the repository for Start9's documentation
+[here](https://github.com/Start9Labs/documentation). If there is something you
+would like to see added, let us know, or create an issue yourself. Welcome are
+contributions for lacking or incorrect information, broken links, requested
+additions, or general style improvements.
+
+Contributions in the form of setup guides for integrations with external
+applications are highly encouraged. If you struggled through a process and would
+like to share your steps with others, check out the docs for each
+[service](https://github.com/Start9Labs/documentation/blob/master/source/user-manuals/available-services/index.rst)
+we support. The wrapper repos contain sections for adding integration guides,
+such as this
+[one](https://github.com/Start9Labs/bitcoind-wrapper/tree/master/docs). These
+not only help out others in the community, but inform how we can create a more
+seamless and intuitive experience.

 ## Styleguides
+
 ### Formatting
-Each component of embassyOS contains its own style guide. Code must be formatted with the formatter designated for each component. These are outlined within each component folder's README.
+
+Each component of embassyOS contains its own style guide. Code must be formatted
+with the formatter designated for each component. These are outlined within each
+component folder's README.

 ### Atomic Commits
-Commits [should be atomic](https://en.wikipedia.org/wiki/Atomic_commit#Atomic_commit_convention) and diffs should be easy to read.
-Do not mix any formatting fixes or code moves with actual code changes.
+
+Commits
+[should be atomic](https://en.wikipedia.org/wiki/Atomic_commit#Atomic_commit_convention)
+and diffs should be easy to read. Do not mix any formatting fixes or code moves
+with actual code changes.

 ### Commit Messages
-If a commit touches only 1 component, prefix the message with the affected component. i.e. `backend: update to tokio v0.3`.
+
+If a commit touches only 1 component, prefix the message with the affected
+component. i.e. `backend: update to tokio v0.3`.

 ### Pull Requests
-The body of a pull request should contain sufficient description of what the changes do, as well as a justification.
-You should include references to any relevant [issues](https://github.com/Start9Labs/embassy-os/issues).
+
+The body of a pull request should contain sufficient description of what the
+changes do, as well as a justification. You should include references to any
+relevant [issues](https://github.com/Start9Labs/embassy-os/issues).

 ### Rebasing Changes
-When a pull request conflicts with the target branch, you may be asked to rebase it on top of the current target branch. The `git rebase` command will take care of rebuilding your commits on top of the new base.

-This project aims to have a clean git history, where code changes are only made in non-merge commits. This simplifies auditability because merge commits can be assumed to not contain arbitrary code changes.
+When a pull request conflicts with the target branch, you may be asked to rebase
+it on top of the current target branch. The `git rebase` command will take care
+of rebuilding your commits on top of the new base.
+
+This project aims to have a clean git history, where code changes are only made
+in non-merge commits. This simplifies auditability because merge commits can be
+assumed to not contain arbitrary code changes.

 ## Join The Discussion
-Current or aspiring contributors? Join our community developer [Matrix channel](https://matrix.to/#/#community-dev:matrix.start9labs.com).

-Just interested in or using the project? Join our community [Telegram](https://t.me/start9_labs) or [Matrix](https://matrix.to/#/#community:matrix.start9labs.com).
+Current or aspiring contributors? Join our community developer
+[Matrix channel](https://matrix.to/#/#community-dev:matrix.start9labs.com).
+
+Just interested in or using the project? Join our community
+[Telegram](https://t.me/start9_labs) or
+[Matrix](https://matrix.to/#/#community:matrix.start9labs.com).

 ## Join The Project Team
-Interested in becoming a part of the Start9 Labs team? Send an email to <jobs@start9labs.com>
+
+Interested in becoming a part of the Start9 Labs team? Send an email to
+<jobs@start9labs.com>

 <!-- omit in toc -->
+
 ## Attribution
-This guide is based on the **contributing-gen**. [Make your own](https://github.com/bttger/contributing-gen)!
+
+This guide is based on the **contributing-gen**.
+[Make your own](https://github.com/bttger/contributing-gen)!
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/163
+++ b/163
@@ -1,62 +1,150 @@
-ARCH = aarch64
-ENVIRONMENT_FILE := $(shell ./check-environment.sh)
-GIT_HASH_FILE := $(shell ./check-git-hash.sh)
-EMBASSY_BINS := backend/target/$(ARCH)-unknown-linux-gnu/release/embassyd backend/target/$(ARCH)-unknown-linux-gnu/release/embassy-init backend/target/$(ARCH)-unknown-linux-gnu/release/embassy-cli backend/target/$(ARCH)-unknown-linux-gnu/release/embassy-sdk backend/target/$(ARCH)-unknown-linux-gnu/release/avahi-alias
-EMBASSY_UIS := frontend/dist/ui frontend/dist/setup-wizard frontend/dist/diagnostic-ui
-EMBASSY_SRC := raspios.img product_key.txt $(EMBASSY_BINS) backend/embassyd.service backend/embassy-init.service $(EMBASSY_UIS) $(shell find build)
-COMPAT_SRC := $(shell find system-images/compat/ -not -path 'system-images/compat/target/*' -and -not -name compat.tar -and -not -name target)
-UTILS_SRC := $(shell find system-images/utils/ -not -name utils.tar)
-BINFMT_SRC := $(shell find system-images/binfmt/ -not -name binfmt.tar)
-BACKEND_SRC := $(shell find backend/src) $(shell find backend/migrations) $(shell find patch-db/*/src) backend/Cargo.toml backend/Cargo.lock
-FRONTEND_SHARED_SRC := $(shell find frontend/projects/shared) $(shell find frontend/assets) $(shell ls -p frontend/ | grep -v / | sed 's/^/frontend\//g') frontend/node_modules frontend/config.json patch-db/client/dist frontend/patchdb-ui-seed.json
+RASPI_TARGETS := eos_raspberrypi-uninit.img eos_raspberrypi-uninit.tar.gz
+OS_ARCH := $(shell if echo $(RASPI_TARGETS) | grep -qw "$(MAKECMDGOALS)"; then echo raspberrypi; else uname -m; fi)
+ARCH := $(shell if [ "$(OS_ARCH)" = "raspberrypi" ]; then echo aarch64; else echo $(OS_ARCH); fi)
+ENVIRONMENT_FILE = $(shell ./check-environment.sh)
+GIT_HASH_FILE = $(shell ./check-git-hash.sh)
+VERSION_FILE = $(shell ./check-version.sh)
+EMBASSY_BINS := backend/target/$(ARCH)-unknown-linux-gnu/release/embassyd backend/target/$(ARCH)-unknown-linux-gnu/release/embassy-init backend/target/$(ARCH)-unknown-linux-gnu/release/embassy-cli backend/target/$(ARCH)-unknown-linux-gnu/release/embassy-sdk backend/target/$(ARCH)-unknown-linux-gnu/release/avahi-alias libs/target/aarch64-unknown-linux-musl/release/embassy_container_init libs/target/x86_64-unknown-linux-musl/release/embassy_container_init
+EMBASSY_UIS := frontend/dist/ui frontend/dist/setup-wizard frontend/dist/diagnostic-ui frontend/dist/install-wizard
+BUILD_SRC := $(shell find build)
+EMBASSY_SRC := backend/embassyd.service backend/embassy-init.service $(EMBASSY_UIS) $(BUILD_SRC)
+COMPAT_SRC := $(shell find system-images/compat/ -not -path 'system-images/compat/target/*' -and -not -name *.tar -and -not -name target)
+UTILS_SRC := $(shell find system-images/utils/ -not -name *.tar)
+BINFMT_SRC := $(shell find system-images/binfmt/ -not -name *.tar)
+BACKEND_SRC := $(shell find backend/src) $(shell find backend/migrations) $(shell find patch-db/*/src) $(shell find libs/*/src) libs/*/Cargo.toml backend/Cargo.toml backend/Cargo.lock
+FRONTEND_SHARED_SRC := $(shell find frontend/projects/shared) $(shell ls -p frontend/ | grep -v / | sed 's/^/frontend\//g') frontend/package.json frontend/node_modules frontend/config.json patch-db/client/dist frontend/patchdb-ui-seed.json
 FRONTEND_UI_SRC := $(shell find frontend/projects/ui)
 FRONTEND_SETUP_WIZARD_SRC := $(shell find frontend/projects/setup-wizard)
 FRONTEND_DIAGNOSTIC_UI_SRC := $(shell find frontend/projects/diagnostic-ui)
+FRONTEND_INSTALL_WIZARD_SRC := $(shell find frontend/projects/install-wizard)
 PATCH_DB_CLIENT_SRC := $(shell find patch-db/client -not -path patch-db/client/dist)
 GZIP_BIN := $(shell which pigz || which gzip)
-$(shell sudo true)
+ALL_TARGETS := $(EMBASSY_BINS) system-images/compat/docker-images/$(ARCH).tar system-images/utils/docker-images/$(ARCH).tar system-images/binfmt/docker-images/$(ARCH).tar $(EMBASSY_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_FILE)
+
+ifeq ($(REMOTE),)
+	mkdir = mkdir -p $1
+	rm = rm -rf $1
+	cp = cp -r $1 $2
+else
+	mkdir = ssh $(REMOTE) 'mkdir -p $1'
+	rm  = ssh $(REMOTE) 'sudo rm -rf $1'
+define cp
+	tar --transform "s|^$1|x|" -czv -f- $1 | ssh $(REMOTE) "sudo tar --transform 's|^x|$2|' -xzv -f- -C /"
+endef
+endif

 .DELETE_ON_ERROR:

-.PHONY: all gzip clean format sdk snapshots frontends ui backend
-all: eos.img
+.PHONY: all gzip install clean format sdk snapshots frontends ui backend reflash eos_raspberrypi.img sudo

-gzip: eos.tar.gz
+all: $(ALL_TARGETS)

-eos.tar.gz: eos.img
-	tar --format=posix -cS -f- eos.img | $(GZIP_BIN) > eos.tar.gz
+sudo:
+	sudo true

 clean:
-	rm -f eos.img
+	rm -f 2022-01-28-raspios-bullseye-arm64-lite.zip
+	rm -f raspios.img
+	rm -f eos_raspberrypi-uninit.img
+	rm -f eos_raspberrypi-uninit.tar.gz
 	rm -f ubuntu.img
 	rm -f product_key.txt
 	rm -f system-images/**/*.tar
-	sudo rm -f $(EMBASSY_BINS)
+	rm -rf system-images/compat/target
+	rm -rf backend/target
+	rm -rf frontend/.angular
 	rm -f frontend/config.json
 	rm -rf frontend/node_modules
 	rm -rf frontend/dist
+	rm -rf libs/target
 	rm -rf patch-db/client/node_modules
 	rm -rf patch-db/client/dist
-	sudo rm -rf cargo-deps
+	rm -rf patch-db/target
+	rm -rf cargo-deps
+	rm ENVIRONMENT.txt
+	rm GIT_HASH.txt
+	rm VERSION.txt

 format:
 	cd backend && cargo +nightly fmt
 	cd libs && cargo +nightly fmt

-sdk: 
+sdk:
 	cd backend/ && ./install-sdk.sh

-eos.img: $(EMBASSY_SRC) system-images/compat/compat.tar system-images/utils/utils.tar system-images/binfmt/binfmt.tar cargo-deps/aarch64-unknown-linux-gnu/release/nc-broadcast $(ENVIRONMENT_FILE) $(GIT_HASH_FILE)
-	! test -f eos.img || rm eos.img
-	if [ "$(NO_KEY)" = "1" ]; then NO_KEY=1 ./build/make-image.sh; else ./build/make-image.sh; fi
+eos_raspberrypi-uninit.img: $(ALL_TARGETS) raspios.img cargo-deps/aarch64-unknown-linux-gnu/release/nc-broadcast cargo-deps/aarch64-unknown-linux-gnu/release/pi-beep | sudo
+	! test -f eos_raspberrypi-uninit.img || rm eos_raspberrypi-uninit.img
+	./build/raspberry-pi/make-image.sh

-system-images/compat/compat.tar: $(COMPAT_SRC)
+lite-upgrade.img: raspios.img cargo-deps/aarch64-unknown-linux-gnu/release/nc-broadcast cargo-deps/aarch64-unknown-linux-gnu/release/pi-beep $(BUILD_SRC) eos.raspberrypi.squashfs
+	! test -f lite-upgrade.img || rm lite-upgrade.img
+	./build/raspberry-pi/make-upgrade-image.sh
+
+eos_raspberrypi.img: raspios.img $(BUILD_SRC) eos.raspberrypi.squashfs $(VERSION_FILE) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) | sudo
+	! test -f eos_raspberrypi.img || rm eos_raspberrypi.img
+	./build/raspberry-pi/make-initialized-image.sh
+
+# For creating os images. DO NOT USE
+install: $(ALL_TARGETS)
+	$(call mkdir,$(DESTDIR)/usr/bin)
+	$(call cp,backend/target/$(ARCH)-unknown-linux-gnu/release/embassy-init,$(DESTDIR)/usr/bin/embassy-init)
+	$(call cp,backend/target/$(ARCH)-unknown-linux-gnu/release/embassyd,$(DESTDIR)/usr/bin/embassyd)
+	$(call cp,backend/target/$(ARCH)-unknown-linux-gnu/release/embassy-cli,$(DESTDIR)/usr/bin/embassy-cli)
+	$(call cp,backend/target/$(ARCH)-unknown-linux-gnu/release/avahi-alias,$(DESTDIR)/usr/bin/avahi-alias)
+	
+	$(call mkdir,$(DESTDIR)/usr/lib)
+	$(call rm,$(DESTDIR)/usr/lib/embassy)
+	$(call cp,build/lib,$(DESTDIR)/usr/lib/embassy)
+
+	$(call cp,ENVIRONMENT.txt,$(DESTDIR)/usr/lib/embassy/ENVIRONMENT.txt)
+	$(call cp,GIT_HASH.txt,$(DESTDIR)/usr/lib/embassy/GIT_HASH.txt)
+	$(call cp,VERSION.txt,$(DESTDIR)/usr/lib/embassy/VERSION.txt)
+
+	$(call mkdir,$(DESTDIR)/usr/lib/embassy/container)
+	$(call cp,libs/target/aarch64-unknown-linux-musl/release/embassy_container_init,$(DESTDIR)/usr/lib/embassy/container/embassy_container_init.arm64)
+	$(call cp,libs/target/x86_64-unknown-linux-musl/release/embassy_container_init,$(DESTDIR)/usr/lib/embassy/container/embassy_container_init.amd64)
+
+	$(call mkdir,$(DESTDIR)/usr/lib/embassy/system-images)
+	$(call cp,system-images/compat/docker-images/$(ARCH).tar,$(DESTDIR)/usr/lib/embassy/system-images/compat.tar)
+	$(call cp,system-images/utils/docker-images/$(ARCH).tar,$(DESTDIR)/usr/lib/embassy/system-images/utils.tar)
+	$(call cp,system-images/binfmt/docker-images/$(ARCH).tar,$(DESTDIR)/usr/lib/embassy/system-images/binfmt.tar)
+
+	$(call mkdir,$(DESTDIR)/var/www/html)
+	$(call cp,frontend/dist/diagnostic-ui,$(DESTDIR)/var/www/html/diagnostic)
+	$(call cp,frontend/dist/setup-wizard,$(DESTDIR)/var/www/html/setup)
+	$(call cp,frontend/dist/install-wizard,$(DESTDIR)/var/www/html/install)
+	$(call cp,frontend/dist/ui,$(DESTDIR)/var/www/html/main)
+	$(call cp,index.html,$(DESTDIR)/var/www/html/index.html)
+
+update-overlay:
+	@echo "\033[33m!!! THIS WILL ONLY REFLASH YOUR DEVICE IN MEMORY !!!\033[0m"
+	@echo "\033[33mALL CHANGES WILL BE REVERTED IF YOU RESTART THE DEVICE\033[0m"
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	@if [ "`ssh $(REMOTE) 'cat /usr/lib/embassy/VERSION.txt'`" != "`cat ./VERSION.txt`" ]; then >&2 echo "Embassy requires migrations: update-overlay is unavailable." && false; fi
+	@if ssh $(REMOTE) "pidof embassy-init"; then >&2 echo "Embassy in INIT: update-overlay is unavailable." && false; fi
+	ssh $(REMOTE) "sudo systemctl stop embassyd"
+	$(MAKE) install REMOTE=$(REMOTE) OS_ARCH=$(OS_ARCH)
+	ssh $(REMOTE) "sudo systemctl start embassyd"
+
+update:
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	ssh $(REMOTE) "sudo rsync -a --delete --force --info=progress2 /media/embassy/embassyfs/current/ /media/embassy/next/"
+	$(MAKE) install REMOTE=$(REMOTE) DESTDIR=/media/embassy/next OS_ARCH=$(OS_ARCH)
+	ssh $(REMOTE) "sudo touch /media/embassy/config/upgrade && sudo sync && sudo reboot"
+
+emulate-reflash:
+	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
+	ssh $(REMOTE) "sudo rsync -a --delete --force --info=progress2 /media/embassy/embassyfs/current/ /media/embassy/next/"
+	$(MAKE) install REMOTE=$(REMOTE) DESTDIR=/media/embassy/next OS_ARCH=$(OS_ARCH)
+	ssh $(REMOTE) "sudo touch /media/embassy/config/upgrade && sudo rm -f /media/embassy/config/disk.guid && sudo sync && sudo reboot"
+
+system-images/compat/docker-images/aarch64.tar system-images/compat/docker-images/x86_64.tar: $(COMPAT_SRC)
 	cd system-images/compat && make

-system-images/utils/utils.tar: $(UTILS_SRC)
+system-images/utils/docker-images/aarch64.tar system-images/utils/docker-images/x86_64.tar: $(UTILS_SRC)
 	cd system-images/utils && make

-system-images/binfmt/binfmt.tar: $(BINFMT_SRC)
+system-images/binfmt/docker-images/aarch64.tar system-images/binfmt/docker-images/x86_64.tar: $(BINFMT_SRC)
 	cd system-images/binfmt && make

 raspios.img:
@@ -64,18 +152,12 @@ raspios.img:
 	unzip 2022-01-28-raspios-bullseye-arm64-lite.zip
 	mv 2022-01-28-raspios-bullseye-arm64-lite.img raspios.img

-product_key.txt:
-	$(shell which echo) -n "X" > product_key.txt
-	cat /dev/urandom | base32 | head -c11 | tr '[:upper:]' '[:lower:]' >> product_key.txt
-	if [ "$(KEY)" != "" ]; then $(shell which echo) -n "$(KEY)" > product_key.txt; fi
-	echo >> product_key.txt
-
-snapshots: libs/snapshot-creator/Cargo.toml
+snapshots: libs/snapshot_creator/Cargo.toml
 	cd libs/  && ./build-v8-snapshot.sh
 	cd libs/  && ./build-arm-v8-snapshot.sh

 $(EMBASSY_BINS): $(BACKEND_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) frontend/patchdb-ui-seed.json
-	cd backend && ./build-prod.sh
+	cd backend && ARCH=$(ARCH) ./build-prod.sh
 	touch $(EMBASSY_BINS)

 frontend/node_modules: frontend/package.json
@@ -90,8 +172,14 @@ frontend/dist/setup-wizard: $(FRONTEND_SETUP_WIZARD_SRC) $(FRONTEND_SHARED_SRC)
 frontend/dist/diagnostic-ui: $(FRONTEND_DIAGNOSTIC_UI_SRC) $(FRONTEND_SHARED_SRC) $(ENVIRONMENT_FILE)
 	npm --prefix frontend run build:dui

+frontend/dist/install-wizard: $(FRONTEND_INSTALL_WIZARD_SRC) $(FRONTEND_SHARED_SRC) $(ENVIRONMENT_FILE)
+	npm --prefix frontend run build:install-wiz
+
 frontend/config.json: $(GIT_HASH_FILE) frontend/config-sample.json
 	jq '.useMocks = false' frontend/config-sample.json > frontend/config.json
+	jq '.packageArch = "$(ARCH)"' frontend/config.json > frontend/config.json.tmp
+	jq '.osArch = "$(OS_ARCH)"' frontend/config.json.tmp > frontend/config.json
+	rm frontend/config.json.tmp
 	npm --prefix frontend run-script build-config

 frontend/patchdb-ui-seed.json: frontend/package.json
@@ -106,7 +194,7 @@ patch-db/client/dist: $(PATCH_DB_CLIENT_SRC) patch-db/client/node_modules
 	npm --prefix frontend run build:deps

 # used by github actions
-backend-$(ARCH).tar: $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(EMBASSY_BINS)
+backend-$(ARCH).tar: $(EMBASSY_BINS)
 	tar -cvf $@ $^

 # this is a convenience step to build all frontends - it is not referenced elsewhere in this file
@@ -120,3 +208,6 @@ backend: $(EMBASSY_BINS)

 cargo-deps/aarch64-unknown-linux-gnu/release/nc-broadcast:
 	./build-cargo-dep.sh nc-broadcast
+
+cargo-deps/aarch64-unknown-linux-gnu/release/pi-beep:
+	./build-cargo-dep.sh pi-beep
--- a/README.md
+++ b/README.md
@@ -3,9 +3,9 @@
 [![build](https://github.com/Start9Labs/embassy-os/actions/workflows/product.yaml/badge.svg)](https://github.com/Start9Labs/embassy-os/actions/workflows/product.yaml)
 [![community](https://img.shields.io/badge/community-matrix-yellow)](https://matrix.to/#/#community:matrix.start9labs.com)
 [![community](https://img.shields.io/badge/community-telegram-informational)](https://t.me/start9_labs)
-[![support](https://img.shields.io/badge/support-docs-important)](https://docs.start9labs.com)
+[![support](https://img.shields.io/badge/support-docs-important)](https://docs.start9.com)
 [![developer](https://img.shields.io/badge/developer-matrix-blueviolet)](https://matrix.to/#/#community-dev:matrix.start9labs.com)
-[![website](https://img.shields.io/website?down_color=lightgrey&down_message=offline&up_color=green&up_message=online&url=https%3A%2F%2Fstart9labs.com)](https://start9labs.com)
+[![website](https://img.shields.io/website?down_color=lightgrey&down_message=offline&up_color=green&up_message=online&url=https%3A%2F%2Fstart9.com)](https://start9.com)

 [![mastodon](https://img.shields.io/mastodon/follow/000000001?domain=https%3A%2F%2Fmastodon.start9labs.com&label=Follow&style=social)](http://mastodon.start9labs.com)
 [![twitter](https://img.shields.io/twitter/follow/start9labs?label=Follow)](https://twitter.com/start9labs)
@@ -22,12 +22,12 @@ This is the most convenient option. Simply [buy an Embassy](https://start9.com)

 ### :construction_worker: Build your own Embassy
 While not as convenient as buying an Embassy, this option is easier than you might imagine, and there are 4 reasons why you might prefer it:
-1. You already have a Raspberry Pi and would like to re-purpose it.
+1. You already have your own hardware.
 1. You want to save on shipping costs.
 1. You prefer not to divulge your physical address.
 1. You just like building things.

-To pursue this option, follow this [guide](https://start9.com/latest/diy).
+To pursue this option, follow one of our [DIY guides](https://start9.com/latest/diy).

 ### :hammer_and_wrench: Build embassyOS from Source

@@ -35,7 +35,7 @@ embassyOS can be built from source, for personal use, for free.
 A detailed guide for doing so can be found [here](https://github.com/Start9Labs/embassy-os/blob/master/build/README.md).

 ## :heart: Contributing
-There are multiple ways to contribute: work directly on embassyOS, package a service for the marketplace, or help with documentation and guides. To learn more about contributing, see [here](https://github.com/Start9Labs/embassy-os/blob/master/CONTRIBUTING.md).
+There are multiple ways to contribute: work directly on embassyOS, package a service for the marketplace, or help with documentation and guides. To learn more about contributing, see [here](https://docs.start9.com/latest/contribute/) or [here](https://github.com/Start9Labs/embassy-os/blob/master/CONTRIBUTING.md).

 ## UI Screenshots
 <p align="center">
--- a/backend/Cargo.lock
+++ b/backend/Cargo.lock
--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -2,7 +2,7 @@
 authors = ["Aiden McClelland <me@drbonez.dev>"]
 description = "The core of the Start9 Embassy Operating System"
 documentation = "https://docs.rs/embassy-os"
-edition = "2018"
+edition = "2021"
 keywords = [
  "self-hosted",
  "raspberry-pi",
@@ -14,7 +14,7 @@ keywords = [
 name = "embassy-os"
 readme = "README.md"
 repository = "https://github.com/Start9Labs/embassy-os"
-version = "0.3.2"
+version = "0.3.4"

 [lib]
 name = "embassy"
@@ -42,14 +42,17 @@ path = "src/bin/avahi-alias.rs"

 [features]
 avahi = ["avahi-sys"]
-default = ["avahi", "sound", "metal", "js_engine"]
+default = ["avahi", "js_engine"]
 dev = []
-metal = []
-sound = []
 unstable = ["patch-db/unstable"]

 [dependencies]
 aes = { version = "0.7.5", features = ["ctr"] }
+async-compression = { version = "0.3.15", features = [
+  "gzip",
+  "brotli",
+  "tokio",
+] }
 async-stream = "0.3.3"
 async-trait = "0.1.56"
 avahi-sys = { git = "https://github.com/Start9Labs/avahi-sys", version = "0.10.0", branch = "feature/dynamic-linking", features = [
@@ -60,28 +63,36 @@ base64 = "0.13.0"
 base64ct = "1.5.1"
 basic-cookies = "0.1.4"
 bollard = "0.13.0"
+bytes = "1"
 chrono = { version = "0.4.19", features = ["serde"] }
 clap = "3.2.8"
 color-eyre = "0.6.1"
-cookie_store = "0.16.1"
+cookie = "0.16.2"
+cookie_store = "0.19.0"
 current_platform = "0.2.0"
 digest = "0.10.3"
 digest-old = { package = "digest", version = "0.9.0" }
 divrem = "1.0.0"
 ed25519 = { version = "1.5.2", features = ["pkcs8", "pem", "alloc"] }
 ed25519-dalek = { version = "1.0.1", features = ["serde"] }
-emver = { version = "0.1.6", features = ["serde"] }
+emver = { version = "0.1.7", git = "https://github.com/Start9Labs/emver-rs.git", features = [
+  "serde",
+] }
 fd-lock-rs = "0.1.4"
 futures = "0.3.21"
 git-version = "0.3.5"
+gpt = "3.0.0"
 helpers = { path = "../libs/helpers" }
+embassy_container_init = { path = "../libs/embassy_container_init" }
 hex = "0.4.3"
 hmac = "0.12.1"
 http = "0.2.8"
-hyper = "0.14.20"
+hyper = { version = "0.14.20", features = ["full"] }
 hyper-ws-listener = "0.2.0"
 imbl = "2.0.0"
 indexmap = { version = "1.9.1", features = ["serde"] }
+ipnet = { version = "2.7.1", features = ["serde"] }
+iprange = { version = "0.6.7", features = ["serde"] }
 isocountry = "0.3.2"
 itertools = "0.10.3"
 josekit = "0.8.1"
@@ -90,6 +101,7 @@ jsonpath_lib = "0.3.0"
 lazy_static = "1.4.0"
 libc = "0.2.126"
 log = "0.4.17"
+mbrman = "0.5.0"
 models = { version = "*", path = "../libs/models" }
 nix = "0.25.0"
 nom = "7.1.1"
@@ -100,19 +112,20 @@ openssl = { version = "0.10.41", features = ["vendored"] }
 patch-db = { version = "*", path = "../patch-db/patch-db", features = [
  "trace",
 ] }
+p256 = { version = "0.12.0", features = ["pem"] }
 pbkdf2 = "0.11.0"
 pin-project = "1.0.11"
 pkcs8 = { version = "0.9.0", features = ["std"] }
-prettytable-rs = "0.9.0"
+prettytable-rs = "0.10.0"
 proptest = "1.0.0"
 proptest-derive = "0.3.0"
 rand = { version = "0.8.5", features = ["std"] }
 rand-old = { package = "rand", version = "0.7.3" }
 regex = "1.6.0"
 reqwest = { version = "0.11.11", features = ["stream", "json", "socks"] }
-reqwest_cookie_store = "0.4.0"
+reqwest_cookie_store = "0.5.0"
 rpassword = "7.0.0"
-rpc-toolkit = "0.2.1"
+rpc-toolkit = "0.2.2"
 rust-argon2 = "1.0.0"
 scopeguard = "1.1" # because avahi-sys fucks your shit up
 serde = { version = "1.0.139", features = ["derive", "rc"] }
@@ -130,13 +143,15 @@ sqlx = { version = "0.6.0", features = [
  "runtime-tokio-rustls",
  "postgres",
 ] }
+ssh-key = { version = "0.5.1", features = ["ed25519"] }
 stderrlog = "0.5.3"
 tar = "0.4.38"
 thiserror = "1.0.31"
-tokio = { version = "1.19.2", features = ["full"] }
-tokio-stream = { version = "0.1.9", features = ["io-util", "sync"] }
+tokio = { version = "1.23", features = ["full"] }
+tokio-stream = { version = "0.1.11", features = ["io-util", "sync", "net"] }
 tokio-tar = { git = "https://github.com/dr-bonez/tokio-tar.git" }
 tokio-tungstenite = { version = "0.17.1", features = ["native-tls"] }
+tokio-rustls = "0.23.4"
 tokio-util = { version = "0.7.3", features = ["io"] }
 torut = "0.2.1"
 tracing = "0.1.35"
@@ -147,6 +162,7 @@ trust-dns-server = "0.22.0"
 typed-builder = "0.10.0"
 url = { version = "2.2.2", features = ["serde"] }
 uuid = { version = "1.1.2", features = ["v4"] }
+zeroize = "1.5.7"

 [profile.test]
 opt-level = 3
--- a/backend/README.md
+++ b/backend/README.md
@@ -6,18 +6,22 @@
  - [Docker](https://docs.docker.com/get-docker/)
  - [Rust ARM64 Build Container](https://github.com/Start9Labs/rust-arm-builder)
 - Scripts (run withing the `./backend` directory)
-  - `build-prod.sh` - compiles a release build of the artifacts for running on ARM64
-  - `build-dev.sh` - compiles a development build of the artifacts for running on ARM64
+  - `build-prod.sh` - compiles a release build of the artifacts for running on
+    ARM64
 - A Linux computer or VM

 ## Structure

 The embassyOS backend is broken up into 4 different binaries:

- embassyd: This is the main workhorse of embassyOS - any new functionality you want will likely go here
- embassy-init: This is the component responsible for allowing you to set up your device, and handles system initialization on startup
- embassy-cli: This is a CLI tool that will allow you to issue commands to embassyd and control it similarly to the UI
- embassy-sdk: This is a CLI tool that aids in building and packaging services you wish to deploy to the Embassy
+- embassyd: This is the main workhorse of embassyOS - any new functionality you
+  want will likely go here
+- embassy-init: This is the component responsible for allowing you to set up
+  your device, and handles system initialization on startup
+- embassy-cli: This is a CLI tool that will allow you to issue commands to
+  embassyd and control it similarly to the UI
+- embassy-sdk: This is a CLI tool that aids in building and packaging services
+  you wish to deploy to the Embassy

 Finally there is a library `embassy` that supports all four of these tools.

@@ -25,11 +29,14 @@ See [here](/backend/Cargo.toml) for details.

 ## Building

-You can build the entire operating system image using `make` from the root of the embassyOS project. This will subsequently invoke the build scripts above to actually create the requisite binaries and put them onto the final operating system image.
+You can build the entire operating system image using `make` from the root of
+the embassyOS project. This will subsequently invoke the build scripts above to
+actually create the requisite binaries and put them onto the final operating
+system image.

 ## Questions

-If you have questions about how various pieces of the backend system work. Open an issue and tag the following people
+If you have questions about how various pieces of the backend system work. Open
+an issue and tag the following people

 - dr-bonez
- ProofOfKeags
--- a/backend/build-prod.sh
+++ b/backend/build-prod.sh
@@ -3,6 +3,10 @@
 set -e
 shopt -s expand_aliases

+if [ -z "$ARCH" ]; then
+	ARCH=$(uname -m)
+fi
+
 if [ "$0" != "./build-prod.sh" ]; then
 	>&2 echo "Must be run from backend directory"
 	exit 1
@@ -13,7 +17,8 @@ if tty -s; then
 	USE_TTY="-it"
 fi

-alias 'rust-arm64-builder'='docker run $USE_TTY --rm -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$(pwd)":/home/rust/src -P start9/rust-arm-cross:aarch64'
+alias 'rust-gnu-builder'='docker run $USE_TTY --rm -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$(pwd)":/home/rust/src -P start9/rust-arm-cross:aarch64'
+alias 'rust-musl-builder'='docker run $USE_TTY --rm -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$(pwd)":/home/rust/src -P messense/rust-musl-cross:$ARCH-musl'

 cd ..
 FLAGS=""
@@ -23,15 +28,44 @@ fi
 if [[ "$ENVIRONMENT" =~ (^|-)dev($|-) ]]; then
 	FLAGS="dev,$FLAGS"
 fi
+
+set +e
+fail=
 if [[ "$FLAGS" = "" ]]; then
-	rust-arm64-builder sh -c "(git config --global --add safe.directory '*'; cd backend && cargo build --release --locked)"
+	rust-gnu-builder sh -c "(git config --global --add safe.directory '*'; cd backend && cargo build --release --locked  --target=$ARCH-unknown-linux-gnu)"
+	if test $? -ne 0; then 
+		fail=true
+	fi
+	for ARCH in x86_64 aarch64
+	do
+		rust-musl-builder sh -c "(git config --global --add safe.directory '*'; cd libs && cargo build --release --locked --bin embassy_container_init )"
+		if test $? -ne 0; then 
+			fail=true
+		fi
+	done
 else
 	echo "FLAGS=$FLAGS"
-	rust-arm64-builder sh -c "(git config --global --add safe.directory '*'; cd backend && cargo build --release --features $FLAGS --locked)"
+	rust-gnu-builder sh -c "(git config --global --add safe.directory '*'; cd backend && cargo build --release --features $FLAGS --locked --target=$ARCH-unknown-linux-gnu)"
+	if test $? -ne 0; then 
+		fail=true
+	fi
+	for ARCH in x86_64 aarch64
+	do
+		rust-musl-builder sh -c "(git config --global --add safe.directory '*'; cd libs && cargo build --release --features $FLAGS --locked --bin embassy_container_init)"
+		if test $? -ne 0; then 
+			fail=true
+		fi
+	done
 fi
+set -e
 cd backend

 sudo chown -R $USER target
 sudo chown -R $USER ~/.cargo
+sudo chown -R $USER ../libs/target
+
+if [ -n "$fail" ]; then
+	exit 1
+fi

 #rust-arm64-builder aarch64-linux-gnu-strip target/aarch64-unknown-linux-gnu/release/embassyd
--- a/backend/embassy-init.service
+++ b/backend/embassy-init.service
@@ -1,13 +1,13 @@
 [Unit]
 Description=Embassy Init
-After=network.target
-Requires=network.target
-Wants=avahi-daemon.service nginx.service tor.service
+After=network-online.target
+Requires=network-online.target
+Wants=avahi-daemon.service

 [Service]
 Type=oneshot
 Environment=RUST_LOG=embassy_init=debug,embassy=debug,js_engine=debug,patch_db=warn
-ExecStart=/usr/local/bin/embassy-init
+ExecStart=/usr/bin/embassy-init
 RemainAfterExit=true
 StandardOutput=append:/var/log/embassy-init.log

--- a/backend/embassyd.service
+++ b/backend/embassyd.service
@@ -6,7 +6,7 @@ Requires=embassy-init.service
 [Service]
 Type=simple
 Environment=RUST_LOG=embassyd=debug,embassy=debug,js_engine=debug,patch_db=warn
-ExecStart=/usr/local/bin/embassyd
+ExecStart=/usr/bin/embassyd
 Restart=always
 RestartSec=3
 ManagedOOMPreference=avoid
--- a/backend/migrations/20230118185232_NetworkKeys.sql
+++ b/backend/migrations/20230118185232_NetworkKeys.sql
@@ -0,0 +1,62 @@
+-- Add migration script here
+CREATE EXTENSION pgcrypto;
+
+ALTER TABLE
+    account
+ADD
+    COLUMN server_id TEXT,
+ADD
+    COLUMN hostname TEXT,
+ADD
+    COLUMN network_key BYTEA CHECK (length(network_key) = 32),
+ADD
+    COLUMN root_ca_key_pem TEXT,
+ADD
+    COLUMN root_ca_cert_pem TEXT;
+
+UPDATE
+    account
+SET
+    network_key = gen_random_bytes(32),
+    root_ca_key_pem = (
+        SELECT
+            priv_key_pem
+        FROM
+            certificates
+        WHERE
+            id = 0
+    ),
+    root_ca_cert_pem = (
+        SELECT
+            certificate_pem
+        FROM
+            certificates
+        WHERE
+            id = 0
+    )
+WHERE
+    id = 0;
+
+ALTER TABLE
+    account
+ALTER COLUMN
+    tor_key DROP NOT NULL,
+ALTER COLUMN
+    network_key
+SET
+    NOT NULL,
+ALTER COLUMN
+    root_ca_key_pem
+SET
+    NOT NULL,
+ALTER COLUMN
+    root_ca_cert_pem
+SET
+    NOT NULL;
+
+CREATE TABLE IF NOT EXISTS network_keys (
+    package TEXT NOT NULL,
+    interface TEXT NOT NULL,
+    key BYTEA NOT NULL CHECK (length(key) = 32),
+    PRIMARY KEY (package, interface)
+);
--- a/backend/sqlx-data.json
+++ b/backend/sqlx-data.json
@@ -1,6 +1,6 @@
 {
  "db": "PostgreSQL",
-  "094882d4d46d52e814f9aaf5fae172a5dd745b06cbde347f47b18e6498167269": {
+  "1ce5254f27de971fd87f5ab66d300f2b22433c86617a0dbf796bf2170186dd2e": {
    "describe": {
      "columns": [],
      "nullable": [],
@@ -8,35 +8,11 @@
        "Left": [
          "Text",
          "Text",
-          "Text"
+          "Bytea"
        ]
      }
    },
-    "query": "UPDATE certificates SET priv_key_pem = $1, certificate_pem = $2, updated_at = now() WHERE lookup_string = $3"
-  },
-  "165daa7d6a60cb42122373b2c5ac7d39399bcc99992f0002ee7bfef50a8daceb": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Left": []
-      }
-    },
-    "query": "DELETE FROM certificates WHERE id = 0 OR id = 1;"
-  },
-  "1f7936d27d63f01118ecd6f824e8a79607ed2b6e6def23f3e2487466dd2ddfe1": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Left": [
-          "Text",
-          "Text",
-          "Text"
-        ]
-      }
-    },
-    "query": "INSERT INTO certificates (priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES ($1, $2, $3, now(), now())"
+    "query": "INSERT INTO network_keys (package, interface, key) VALUES ($1, $2, $3) ON CONFLICT (package, interface) DO NOTHING"
  },
  "21471490cdc3adb206274cc68e1ea745ffa5da4479478c1fd2158a45324b1930": {
    "describe": {
@@ -50,20 +26,6 @@
    },
    "query": "DELETE FROM ssh_keys WHERE fingerprint = $1"
  },
-  "22613628ff50341fdc35366e194fdcd850118824763cfe0dfff68dadc72167e9": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Left": [
-          "Text",
-          "Text",
-          "Bytea"
-        ]
-      }
-    },
-    "query": "INSERT INTO tor (package, interface, key) VALUES ($1, $2, $3) ON CONFLICT (package, interface) DO UPDATE SET key = $3"
-  },
  "28ea34bbde836e0618c5fc9bb7c36e463c20c841a7d6a0eb15be0f24f4a928ec": {
    "describe": {
      "columns": [
@@ -102,24 +64,6 @@
    },
    "query": "SELECT hostname, path, username, password FROM cifs_shares WHERE id = $1"
  },
-  "3502e58f2ab48fb4566d21c920c096f81acfa3ff0d02f970626a4dcd67bac71d": {
-    "describe": {
-      "columns": [
-        {
-          "name": "tor_key",
-          "ordinal": 0,
-          "type_info": "Bytea"
-        }
-      ],
-      "nullable": [
-        false
-      ],
-      "parameters": {
-        "Left": []
-      }
-    },
-    "query": "SELECT tor_key FROM account"
-  },
  "4099028a5c0de578255bf54a67cef6cb0f1e9a4e158260700f1639dd4b438997": {
    "describe": {
      "columns": [
@@ -152,32 +96,6 @@
    },
    "query": "SELECT * FROM ssh_keys WHERE fingerprint = $1"
  },
-  "46815a4ac2c43e1dfbab3c0017ed09d5c833062e523205db4245a5218b2562b8": {
-    "describe": {
-      "columns": [
-        {
-          "name": "priv_key_pem",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "certificate_pem",
-          "ordinal": 1,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false
-      ],
-      "parameters": {
-        "Left": [
-          "Text"
-        ]
-      }
-    },
-    "query": "SELECT priv_key_pem, certificate_pem FROM certificates WHERE lookup_string = $1"
-  },
  "4691e3a2ce80b59009ac17124f54f925f61dc5ea371903e62cdffa5d7b67ca96": {
    "describe": {
      "columns": [
@@ -238,24 +156,6 @@
    },
    "query": "UPDATE session SET logged_out = CURRENT_TIMESTAMP WHERE id = $1"
  },
-  "548448e8ed8bcdf9efdc813d65af2cc55064685293b936f0f09e07f91a328eb9": {
-    "describe": {
-      "columns": [
-        {
-          "name": "setval",
-          "ordinal": 0,
-          "type_info": "Int8"
-        }
-      ],
-      "nullable": [
-        null
-      ],
-      "parameters": {
-        "Left": []
-      }
-    },
-    "query": "SELECT setval('certificates_id_seq', GREATEST(MAX(id) + 1, nextval('certificates_id_seq') - 1)) FROM certificates"
-  },
  "629be61c3c341c131ddbbff0293a83dbc6afd07cae69d246987f62cf0cc35c2a": {
    "describe": {
      "columns": [
@@ -295,30 +195,6 @@
    },
    "query": "SELECT key FROM tor WHERE package = $1 AND interface = $2"
  },
-  "6c96d76bffcc5f03290d8d8544a58521345ed2a843a509b17bbcd6257bb81821": {
-    "describe": {
-      "columns": [
-        {
-          "name": "priv_key_pem",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "certificate_pem",
-          "ordinal": 1,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false
-      ],
-      "parameters": {
-        "Left": []
-      }
-    },
-    "query": "SELECT priv_key_pem, certificate_pem FROM certificates WHERE id = 1;"
-  },
  "6d35ccf780fb2bb62586dd1d3df9c1550a41ee580dad3f49d35cb843ebef10ca": {
    "describe": {
      "columns": [],
@@ -331,6 +207,28 @@
    },
    "query": "UPDATE session SET last_active = CURRENT_TIMESTAMP WHERE id = $1 AND logged_out IS NULL OR logged_out > CURRENT_TIMESTAMP"
  },
+  "770c1017734720453dc87b58c385b987c5af5807151ff71a59000014586752e0": {
+    "describe": {
+      "columns": [
+        {
+          "name": "key",
+          "ordinal": 0,
+          "type_info": "Bytea"
+        }
+      ],
+      "nullable": [
+        false
+      ],
+      "parameters": {
+        "Left": [
+          "Text",
+          "Text",
+          "Bytea"
+        ]
+      }
+    },
+    "query": "INSERT INTO network_keys (package, interface, key) VALUES ($1, $2, $3) ON CONFLICT (package, interface) DO UPDATE SET package = EXCLUDED.package RETURNING key"
+  },
  "7b64f032d507e8ffe37c41f4c7ad514a66c421a11ab04c26d89a7aa8f6b67210": {
    "describe": {
      "columns": [
@@ -394,6 +292,23 @@
    },
    "query": "SELECT id, package_id, created_at, code, level, title, message, data FROM notifications WHERE id < $1 ORDER BY id DESC LIMIT $2"
  },
+  "7c7a3549c997eb75bf964ea65fbb98a73045adf618696cd838d79203ef5383fb": {
+    "describe": {
+      "columns": [],
+      "nullable": [],
+      "parameters": {
+        "Left": [
+          "Text",
+          "Text",
+          "Text",
+          "Bytea",
+          "Text",
+          "Text"
+        ]
+      }
+    },
+    "query": "\n            INSERT INTO account (\n                id,\n                server_id,\n                hostname,\n                password,\n                network_key,\n                root_ca_key_pem,\n                root_ca_cert_pem\n            ) VALUES (\n                0, $1, $2, $3, $4, $5, $6\n            ) ON CONFLICT (id) DO UPDATE SET\n                server_id = EXCLUDED.server_id,\n                hostname = EXCLUDED.hostname,\n                password = EXCLUDED.password,\n                network_key = EXCLUDED.network_key,\n                root_ca_key_pem = EXCLUDED.root_ca_key_pem,\n                root_ca_cert_pem = EXCLUDED.root_ca_cert_pem\n            "
+  },
  "7e0649d839927e57fa03ee51a2c9f96a8bdb0fc97ee8a3c6df1069e1e2b98576": {
    "describe": {
      "columns": [],
@@ -536,33 +451,6 @@
    },
    "query": "DELETE FROM cifs_shares WHERE id = $1"
  },
-  "a645d636be810a4ba61dcadf22e90de6e9baf3614aa9e97f053ff480cb3118a2": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Left": [
-          "Text",
-          "Bytea"
-        ]
-      }
-    },
-    "query": "INSERT INTO tor (package, interface, key) VALUES ($1, 'main', $2) ON CONFLICT (package, interface) DO UPDATE SET key = $2"
-  },
-  "a6645d91f76b3d5fac2191ea3bec5dab7d7d124715fde02e6a816fa5dbc7acf2": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Left": [
-          "Int4",
-          "Text",
-          "Bytea"
-        ]
-      }
-    },
-    "query": "INSERT INTO account (id, password, tor_key) VALUES ($1, $2, $3) ON CONFLICT (id) DO UPDATE SET password = $2, tor_key = $3"
-  },
  "a6b0c8909a3a5d6d9156aebfb359424e6b5a1d1402e028219e21726f1ebd282e": {
    "describe": {
      "columns": [
@@ -609,19 +497,6 @@
    },
    "query": "UPDATE cifs_shares SET hostname = $1, path = $2, username = $3, password = $4 WHERE id = $5"
  },
-  "cec8112be0ebc02ef7e651631be09efe26d1677b5b8aa95ceb3a92aff1afdbcc": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Left": [
-          "Text",
-          "Text"
-        ]
-      }
-    },
-    "query": "INSERT INTO certificates (id, priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES (1, $1, $2, NULL, now(), now())"
-  },
  "d5117054072476377f3c4f040ea429d4c9b2cf534e76f35c80a2bf60e8599cca": {
    "describe": {
      "columns": [
@@ -657,19 +532,6 @@
    },
    "query": "INSERT INTO notifications (package_id, code, level, title, message, data) VALUES ($1, $2, $3, $4, $5, $6)"
  },
-  "df4428ccb891bd791824bcd7990550cc9651e1cfaab1db33833ff7959d113b2c": {
-    "describe": {
-      "columns": [],
-      "nullable": [],
-      "parameters": {
-        "Left": [
-          "Text",
-          "Text"
-        ]
-      }
-    },
-    "query": "INSERT INTO certificates (id, priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES (0, $1, $2, NULL, now(), now())"
-  },
  "e185203cf84e43b801dfb23b4159e34aeaef1154dcd3d6811ab504915497ccf7": {
    "describe": {
      "columns": [],
@@ -682,17 +544,23 @@
    },
    "query": "DELETE FROM notifications WHERE id = $1"
  },
-  "e25e53c45c5a494a45cdb4d145de507df6f322ac6706e71b86895f1c64195f41": {
+  "e545696735f202f9d13cf22a561f3ff3f9aed7f90027a9ba97634bcb47d772f0": {
    "describe": {
-      "columns": [],
-      "nullable": [],
+      "columns": [
+        {
+          "name": "tor_key",
+          "ordinal": 0,
+          "type_info": "Bytea"
+        }
+      ],
+      "nullable": [
+        true
+      ],
      "parameters": {
-        "Left": [
-          "Text"
-        ]
+        "Left": []
      }
    },
-    "query": "UPDATE account SET password = $1"
+    "query": "SELECT tor_key FROM account WHERE id = 0"
  },
  "e5843c5b0e7819b29aa1abf2266799bd4f82e761837b526a0972c3d4439a264d": {
    "describe": {
@@ -708,21 +576,33 @@
    },
    "query": "INSERT INTO session (id, user_agent, metadata) VALUES ($1, $2, $3)"
  },
-  "e85749336fce4afaf16627bee8cfcb70be6f189ea7d1f05f9a26bead4be11839": {
+  "e95322a8e2ae3b93f1e974b24c0b81803f1e9ec9e8ebbf15cafddfc1c5a028ed": {
    "describe": {
      "columns": [
        {
-          "name": "interface",
+          "name": "package",
          "ordinal": 0,
          "type_info": "Text"
        },
        {
-          "name": "key",
+          "name": "interface",
          "ordinal": 1,
+          "type_info": "Text"
+        },
+        {
+          "name": "key",
+          "ordinal": 2,
+          "type_info": "Bytea"
+        },
+        {
+          "name": "tor_key?",
+          "ordinal": 3,
          "type_info": "Bytea"
        }
      ],
      "nullable": [
+        false,
+        false,
        false,
        false
      ],
@@ -732,7 +612,7 @@
        ]
      }
    },
-    "query": "SELECT interface, key FROM tor WHERE package = $1"
+    "query": "\n                SELECT\n                    network_keys.package,\n                    network_keys.interface,\n                    network_keys.key,\n                    tor.key AS \"tor_key?\"\n                FROM\n                    network_keys\n                LEFT JOIN\n                    tor\n                ON\n                    network_keys.package = tor.package\n                AND\n                    network_keys.interface = tor.interface\n                WHERE\n                    network_keys.package = $1\n            "
  },
  "eb750adaa305bdbf3c5b70aaf59139c7b7569602adb58f2d6b3a94da4f167b0a": {
    "describe": {
@@ -769,30 +649,6 @@
    },
    "query": "INSERT INTO cifs_shares (hostname, path, username, password) VALUES ($1, $2, $3, $4) RETURNING id"
  },
-  "ed848affa5bf92997cd441e3a50b3616b6724df3884bd9d199b3225e0bea8a54": {
-    "describe": {
-      "columns": [
-        {
-          "name": "priv_key_pem",
-          "ordinal": 0,
-          "type_info": "Text"
-        },
-        {
-          "name": "certificate_pem",
-          "ordinal": 1,
-          "type_info": "Text"
-        }
-      ],
-      "nullable": [
-        false,
-        false
-      ],
-      "parameters": {
-        "Left": []
-      }
-    },
-    "query": "SELECT priv_key_pem, certificate_pem FROM certificates WHERE id = 0;"
-  },
  "f6d1c5ef0f9d9577bea8382318967b9deb46da75788c7fe6082b43821c22d556": {
    "describe": {
      "columns": [],
@@ -806,5 +662,83 @@
      }
    },
    "query": "INSERT INTO ssh_keys (fingerprint, openssh_pubkey, created_at) VALUES ($1, $2, $3)"
+  },
+  "f7d2dae84613bcef330f7403352cc96547f3f6dbec11bf2eadfaf53ad8ab51b5": {
+    "describe": {
+      "columns": [
+        {
+          "name": "network_key",
+          "ordinal": 0,
+          "type_info": "Bytea"
+        }
+      ],
+      "nullable": [
+        false
+      ],
+      "parameters": {
+        "Left": []
+      }
+    },
+    "query": "SELECT network_key FROM account WHERE id = 0"
+  },
+  "fe6e4f09f3028e5b6b6259e86cbad285680ce157aae9d7837ac020c8b2945e7f": {
+    "describe": {
+      "columns": [
+        {
+          "name": "id",
+          "ordinal": 0,
+          "type_info": "Int4"
+        },
+        {
+          "name": "password",
+          "ordinal": 1,
+          "type_info": "Text"
+        },
+        {
+          "name": "tor_key",
+          "ordinal": 2,
+          "type_info": "Bytea"
+        },
+        {
+          "name": "server_id",
+          "ordinal": 3,
+          "type_info": "Text"
+        },
+        {
+          "name": "hostname",
+          "ordinal": 4,
+          "type_info": "Text"
+        },
+        {
+          "name": "network_key",
+          "ordinal": 5,
+          "type_info": "Bytea"
+        },
+        {
+          "name": "root_ca_key_pem",
+          "ordinal": 6,
+          "type_info": "Text"
+        },
+        {
+          "name": "root_ca_cert_pem",
+          "ordinal": 7,
+          "type_info": "Text"
+        }
+      ],
+      "nullable": [
+        false,
+        false,
+        true,
+        true,
+        true,
+        false,
+        false,
+        false
+      ],
+      "parameters": {
+        "Left": []
+      }
+    },
+    "query": "SELECT * FROM account WHERE id = 0"
  }
 }
--- a/backend/src/account.rs
+++ b/backend/src/account.rs
@@ -0,0 +1,120 @@
+use ed25519_dalek::{ExpandedSecretKey, SecretKey};
+use models::ResultExt;
+use openssl::pkey::{PKey, Private};
+use openssl::x509::X509;
+use sqlx::PgExecutor;
+
+use crate::hostname::{generate_hostname, generate_id, Hostname};
+use crate::net::keys::Key;
+use crate::net::ssl::{generate_key, make_root_cert};
+use crate::Error;
+
+fn hash_password(password: &str) -> Result<String, Error> {
+    argon2::hash_encoded(
+        password.as_bytes(),
+        &rand::random::<[u8; 16]>()[..],
+        &argon2::Config::default(),
+    )
+    .with_kind(crate::ErrorKind::PasswordHashGeneration)
+}
+
+#[derive(Debug, Clone)]
+pub struct AccountInfo {
+    pub server_id: String,
+    pub hostname: Hostname,
+    pub password: String,
+    pub key: Key,
+    pub root_ca_key: PKey<Private>,
+    pub root_ca_cert: X509,
+}
+impl AccountInfo {
+    pub fn new(password: &str) -> Result<Self, Error> {
+        let server_id = generate_id();
+        let hostname = generate_hostname();
+        let root_ca_key = generate_key()?;
+        let root_ca_cert = make_root_cert(&root_ca_key, &hostname)?;
+        Ok(Self {
+            server_id,
+            hostname,
+            password: hash_password(password)?,
+            key: Key::new(None),
+            root_ca_key,
+            root_ca_cert,
+        })
+    }
+
+    pub async fn load(secrets: impl PgExecutor<'_>) -> Result<Self, Error> {
+        let r = sqlx::query!("SELECT * FROM account WHERE id = 0")
+            .fetch_one(secrets)
+            .await?;
+
+        let server_id = r.server_id.unwrap_or_else(generate_id);
+        let hostname = r.hostname.map(Hostname).unwrap_or_else(generate_hostname);
+        let password = r.password;
+        let network_key = SecretKey::from_bytes(&r.network_key)?;
+        let tor_key = if let Some(k) = &r.tor_key {
+            ExpandedSecretKey::from_bytes(k)?
+        } else {
+            ExpandedSecretKey::from(&network_key)
+        };
+        let key = Key::from_pair(None, network_key.to_bytes(), tor_key.to_bytes());
+        let root_ca_key = PKey::private_key_from_pem(r.root_ca_key_pem.as_bytes())?;
+        let root_ca_cert = X509::from_pem(r.root_ca_cert_pem.as_bytes())?;
+
+        Ok(Self {
+            server_id,
+            hostname,
+            password,
+            key,
+            root_ca_key,
+            root_ca_cert,
+        })
+    }
+
+    pub async fn save(&self, secrets: impl PgExecutor<'_>) -> Result<(), Error> {
+        let server_id = self.server_id.as_str();
+        let hostname = self.hostname.0.as_str();
+        let password = self.password.as_str();
+        let network_key = self.key.as_bytes();
+        let network_key = network_key.as_slice();
+        let root_ca_key = String::from_utf8(self.root_ca_key.private_key_to_pem_pkcs8()?)?;
+        let root_ca_cert = String::from_utf8(self.root_ca_cert.to_pem()?)?;
+
+        sqlx::query!(
+            r#"
+            INSERT INTO account (
+                id,
+                server_id,
+                hostname,
+                password,
+                network_key,
+                root_ca_key_pem,
+                root_ca_cert_pem
+            ) VALUES (
+                0, $1, $2, $3, $4, $5, $6
+            ) ON CONFLICT (id) DO UPDATE SET
+                server_id = EXCLUDED.server_id,
+                hostname = EXCLUDED.hostname,
+                password = EXCLUDED.password,
+                network_key = EXCLUDED.network_key,
+                root_ca_key_pem = EXCLUDED.root_ca_key_pem,
+                root_ca_cert_pem = EXCLUDED.root_ca_cert_pem
+            "#,
+            server_id,
+            hostname,
+            password,
+            network_key,
+            root_ca_key,
+            root_ca_cert,
+        )
+        .execute(secrets)
+        .await?;
+
+        Ok(())
+    }
+
+    pub fn set_password(&mut self, password: &str) -> Result<(), Error> {
+        self.password = hash_password(password)?;
+        Ok(())
+    }
+}
--- a/backend/src/action.rs
+++ b/backend/src/action.rs
@@ -4,13 +4,14 @@ use clap::ArgMatches;
 use color_eyre::eyre::eyre;
 use indexmap::IndexSet;
 pub use models::ActionId;
+use models::ImageId;
 use rpc_toolkit::command;
 use serde::{Deserialize, Serialize};
 use tracing::instrument;

 use crate::config::{Config, ConfigSpec};
 use crate::context::RpcContext;
-use crate::id::ImageId;
+use crate::procedure::docker::DockerContainers;
 use crate::procedure::{PackageProcedure, ProcedureName};
 use crate::s9pk::manifest::PackageId;
 use crate::util::serde::{display_serializable, parse_stdin_deserializable, IoFormat};
@@ -58,12 +59,13 @@ impl Action {
    #[instrument]
    pub fn validate(
        &self,
+        container: &Option<DockerContainers>,
        eos_version: &Version,
        volumes: &Volumes,
        image_ids: &BTreeSet<ImageId>,
    ) -> Result<(), Error> {
        self.implementation
-            .validate(eos_version, volumes, image_ids, true)
+            .validate(container, eos_version, volumes, image_ids, true)
            .with_ctx(|_| {
                (
                    crate::ErrorKind::ValidateS9pk,
@@ -95,7 +97,6 @@ impl Action {
                ProcedureName::Action(action_id.clone()),
                volumes,
                input,
-                true,
                None,
            )
            .await?
@@ -138,9 +139,10 @@ pub async fn action(
        .await
        .with_kind(crate::ErrorKind::NotFound)?
        .manifest()
-        .get(&mut db, true)
+        .get(&mut db)
        .await?
        .to_owned();
+
    if let Some(action) = manifest.actions.0.get(&action_id) {
        action
            .execute(
--- a/backend/src/auth.rs
+++ b/backend/src/auth.rs
@@ -4,6 +4,7 @@ use std::marker::PhantomData;
 use chrono::{DateTime, Utc};
 use clap::ArgMatches;
 use color_eyre::eyre::eyre;
+use josekit::jwk::Jwk;
 use patch_db::{DbHandle, LockReceipt};
 use rpc_toolkit::command;
 use rpc_toolkit::command_helpers::prelude::{RequestParts, ResponseParts};
@@ -15,11 +16,53 @@ use tracing::instrument;

 use crate::context::{CliContext, RpcContext};
 use crate::middleware::auth::{AsLogoutSessionId, HasLoggedOutSessions, HashSessionToken};
+use crate::middleware::encrypt::EncryptedWire;
 use crate::util::display_none;
 use crate::util::serde::{display_serializable, IoFormat};
 use crate::{ensure_code, Error, ResultExt};
+#[derive(Clone, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum PasswordType {
+    EncryptedWire(EncryptedWire),
+    String(String),
+}
+impl PasswordType {
+    pub fn decrypt(self, current_secret: impl AsRef<Jwk>) -> Result<String, Error> {
+        match self {
+            PasswordType::String(x) => Ok(x),
+            PasswordType::EncryptedWire(x) => x.decrypt(current_secret).ok_or_else(|| {
+                Error::new(
+                    color_eyre::eyre::eyre!("Couldn't decode password"),
+                    crate::ErrorKind::Unknown,
+                )
+            }),
+        }
+    }
+}
+impl Default for PasswordType {
+    fn default() -> Self {
+        PasswordType::String(String::default())
+    }
+}
+impl std::fmt::Debug for PasswordType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "<REDACTED_PASSWORD>")?;
+        Ok(())
+    }
+}

-#[command(subcommands(login, logout, session, reset_password))]
+impl std::str::FromStr for PasswordType {
+    type Err = String;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(match serde_json::from_str(s) {
+            Ok(a) => a,
+            Err(_) => PasswordType::String(s.to_string()),
+        })
+    }
+}
+
+#[command(subcommands(login, logout, session, reset_password, get_pubkey))]
 pub fn auth() -> Result<(), Error> {
    Ok(())
 }
@@ -50,11 +93,11 @@ fn gen_pwd() {
 #[instrument(skip(ctx, password))]
 async fn cli_login(
    ctx: CliContext,
-    password: Option<String>,
+    password: Option<PasswordType>,
    metadata: Value,
 ) -> Result<(), RpcError> {
    let password = if let Some(password) = password {
-        password
+        password.decrypt(&ctx)?
    } else {
        rpassword::prompt_password("Password: ")?
    };
@@ -107,7 +150,7 @@ pub async fn login(
    #[context] ctx: RpcContext,
    #[request] req: &RequestParts,
    #[response] res: &mut ResponseParts,
-    #[arg] password: Option<String>,
+    #[arg] password: Option<PasswordType>,
    #[arg(
        parse(parse_metadata),
        default = "cli_metadata",
@@ -115,7 +158,7 @@ pub async fn login(
    )]
    metadata: Value,
 ) -> Result<(), Error> {
-    let password = password.unwrap_or_default();
+    let password = password.unwrap_or_default().decrypt(&ctx)?;
    let mut handle = ctx.secret_store.acquire().await?;
    check_password_against_db(&mut handle, &password).await?;

@@ -265,17 +308,17 @@ pub async fn kill(
 #[instrument(skip(ctx, old_password, new_password))]
 async fn cli_reset_password(
    ctx: CliContext,
-    old_password: Option<String>,
-    new_password: Option<String>,
+    old_password: Option<PasswordType>,
+    new_password: Option<PasswordType>,
 ) -> Result<(), RpcError> {
    let old_password = if let Some(old_password) = old_password {
-        old_password
+        old_password.decrypt(&ctx)?
    } else {
        rpassword::prompt_password("Current Password: ")?
    };

    let new_password = if let Some(new_password) = new_password {
-        new_password
+        new_password.decrypt(&ctx)?
    } else {
        let new_password = rpassword::prompt_password("New Password: ")?;
        if new_password != rpassword::prompt_password("Confirm: ")? {
@@ -321,31 +364,6 @@ impl SetPasswordReceipt {
    }
 }

-pub async fn set_password<Db: DbHandle, Ex>(
-    db: &mut Db,
-    receipt: &SetPasswordReceipt,
-    secrets: &mut Ex,
-    password: &str,
-) -> Result<(), Error>
-where
-    for<'a> &'a mut Ex: Executor<'a, Database = Postgres>,
-{
-    let password = argon2::hash_encoded(
-        password.as_bytes(),
-        &rand::random::<[u8; 16]>()[..],
-        &argon2::Config::default(),
-    )
-    .with_kind(crate::ErrorKind::PasswordHashGeneration)?;
-
-    sqlx::query!("UPDATE account SET password = $1", password,)
-        .execute(secrets)
-        .await?;
-
-    receipt.0.set(db, password).await?;
-
-    Ok(())
-}
-
 #[command(
    rename = "reset-password",
    custom_cli(cli_reset_password(async, context(CliContext))),
@@ -354,20 +372,40 @@ where
 #[instrument(skip(ctx, old_password, new_password))]
 pub async fn reset_password(
    #[context] ctx: RpcContext,
-    #[arg(rename = "old-password")] old_password: Option<String>,
-    #[arg(rename = "new-password")] new_password: Option<String>,
+    #[arg(rename = "old-password")] old_password: Option<PasswordType>,
+    #[arg(rename = "new-password")] new_password: Option<PasswordType>,
 ) -> Result<(), Error> {
-    let old_password = old_password.unwrap_or_default();
-    let new_password = new_password.unwrap_or_default();
+    let old_password = old_password.unwrap_or_default().decrypt(&ctx)?;
+    let new_password = new_password.unwrap_or_default().decrypt(&ctx)?;

-    let mut secrets = ctx.secret_store.acquire().await?;
-    check_password_against_db(&mut secrets, &old_password).await?;
-
-    let mut db = ctx.db.handle();
-
-    let set_password_receipt = SetPasswordReceipt::new(&mut db).await?;
-
-    set_password(&mut db, &set_password_receipt, &mut secrets, &new_password).await?;
+    let mut account = ctx.account.write().await;
+    if !argon2::verify_encoded(&account.password, old_password.as_bytes())
+        .with_kind(crate::ErrorKind::IncorrectPassword)?
+    {
+        return Err(Error::new(
+            eyre!("Incorrect Password"),
+            crate::ErrorKind::IncorrectPassword,
+        ));
+    }
+    account.set_password(&new_password)?;
+    account.save(&ctx.secret_store).await?;
+    crate::db::DatabaseModel::new()
+        .server_info()
+        .password_hash()
+        .put(&mut ctx.db.handle(), &account.password)
+        .await?;

    Ok(())
 }
+
+#[command(
+    rename = "get-pubkey",
+    display(display_none),
+    metadata(authenticated = false)
+)]
+#[instrument(skip(ctx))]
+pub async fn get_pubkey(#[context] ctx: RpcContext) -> Result<Jwk, RpcError> {
+    let secret = ctx.as_ref().clone();
+    let pub_key = secret.to_public_key()?;
+    Ok(pub_key)
+}
--- a/backend/src/backup/backup_bulk.rs
+++ b/backend/src/backup/backup_bulk.rs
@@ -5,19 +5,15 @@ use chrono::Utc;
 use clap::ArgMatches;
 use color_eyre::eyre::eyre;
 use helpers::AtomicFile;
-use openssl::pkey::{PKey, Private};
-use openssl::x509::X509;
 use patch_db::{DbHandle, LockType, PatchDbHandle};
 use rpc_toolkit::command;
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
 use tokio::io::AsyncWriteExt;
-use torut::onion::TorSecretKeyV3;
 use tracing::instrument;

 use super::target::BackupTargetId;
 use super::PackageBackupReport;
 use crate::auth::check_password_against_db;
+use crate::backup::os::OsBackup;
 use crate::backup::{BackupReport, ServerBackupReport};
 use crate::context::RpcContext;
 use crate::db::model::BackupProgress;
@@ -32,88 +28,6 @@ use crate::util::serde::IoFormat;
 use crate::version::VersionT;
 use crate::{Error, ErrorKind, ResultExt};

-#[derive(Debug)]
-pub struct OsBackup {
-    pub tor_key: TorSecretKeyV3,
-    pub root_ca_key: PKey<Private>,
-    pub root_ca_cert: X509,
-    pub ui: Value,
-}
-impl<'de> Deserialize<'de> for OsBackup {
-    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
-    where
-        D: serde::Deserializer<'de>,
-    {
-        #[derive(Deserialize)]
-        #[serde(rename = "kebab-case")]
-        struct OsBackupDe {
-            tor_key: String,
-            root_ca_key: String,
-            root_ca_cert: String,
-            ui: Value,
-        }
-        let int = OsBackupDe::deserialize(deserializer)?;
-        let key_vec = base32::decode(base32::Alphabet::RFC4648 { padding: true }, &int.tor_key)
-            .ok_or_else(|| {
-                serde::de::Error::invalid_value(
-                    serde::de::Unexpected::Str(&int.tor_key),
-                    &"an RFC4648 encoded string",
-                )
-            })?;
-        if key_vec.len() != 64 {
-            return Err(serde::de::Error::invalid_value(
-                serde::de::Unexpected::Str(&int.tor_key),
-                &"a 64 byte value encoded as an RFC4648 string",
-            ));
-        }
-        let mut key_slice = [0; 64];
-        key_slice.clone_from_slice(&key_vec);
-        Ok(OsBackup {
-            tor_key: TorSecretKeyV3::from(key_slice),
-            root_ca_key: PKey::<Private>::private_key_from_pem(int.root_ca_key.as_bytes())
-                .map_err(serde::de::Error::custom)?,
-            root_ca_cert: X509::from_pem(int.root_ca_cert.as_bytes())
-                .map_err(serde::de::Error::custom)?,
-            ui: int.ui,
-        })
-    }
-}
-impl Serialize for OsBackup {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: serde::Serializer,
-    {
-        #[derive(Serialize)]
-        #[serde(rename = "kebab-case")]
-        struct OsBackupSer<'a> {
-            tor_key: String,
-            root_ca_key: String,
-            root_ca_cert: String,
-            ui: &'a Value,
-        }
-        OsBackupSer {
-            tor_key: base32::encode(
-                base32::Alphabet::RFC4648 { padding: true },
-                &self.tor_key.as_bytes(),
-            ),
-            root_ca_key: String::from_utf8(
-                self.root_ca_key
-                    .private_key_to_pem_pkcs8()
-                    .map_err(serde::ser::Error::custom)?,
-            )
-            .map_err(serde::ser::Error::custom)?,
-            root_ca_cert: String::from_utf8(
-                self.root_ca_cert
-                    .to_pem()
-                    .map_err(serde::ser::Error::custom)?,
-            )
-            .map_err(serde::ser::Error::custom)?,
-            ui: &self.ui,
-        }
-        .serialize(serializer)
-    }
-}
-
 fn parse_comma_separated(arg: &str, _: &ArgMatches) -> Result<BTreeSet<PackageId>, Error> {
    arg.split(',')
        .map(|s| s.trim().parse().map_err(Error::from))
@@ -125,28 +39,36 @@ fn parse_comma_separated(arg: &str, _: &ArgMatches) -> Result<BTreeSet<PackageId
 pub async fn backup_all(
    #[context] ctx: RpcContext,
    #[arg(rename = "target-id")] target_id: BackupTargetId,
-    #[arg(rename = "old-password", long = "old-password")] old_password: Option<String>,
+    #[arg(rename = "old-password", long = "old-password")] old_password: Option<
+        crate::auth::PasswordType,
+    >,
    #[arg(
        rename = "package-ids",
        long = "package-ids",
        parse(parse_comma_separated)
    )]
    package_ids: Option<BTreeSet<PackageId>>,
-    #[arg] password: String,
+    #[arg] password: crate::auth::PasswordType,
 ) -> Result<(), Error> {
    let mut db = ctx.db.handle();
+    let old_password_decrypted = old_password
+        .as_ref()
+        .unwrap_or(&password)
+        .clone()
+        .decrypt(&ctx)?;
+    let password = password.decrypt(&ctx)?;
    check_password_against_db(&mut ctx.secret_store.acquire().await?, &password).await?;
    let fs = target_id
        .load(&mut ctx.secret_store.acquire().await?)
        .await?;
    let mut backup_guard = BackupMountGuard::mount(
        TmpMountGuard::mount(&fs, ReadWrite).await?,
-        old_password.as_ref().unwrap_or(&password),
+        &old_password_decrypted,
    )
    .await?;
    let all_packages = crate::db::DatabaseModel::new()
        .package_data()
-        .get(&mut db, false)
+        .get(&mut db)
        .await?
        .0
        .keys()
@@ -286,10 +208,9 @@ async fn perform_backup<Db: DbHandle>(
    package_ids: &BTreeSet<PackageId>,
 ) -> Result<BTreeMap<PackageId, PackageBackupReport>, Error> {
    let mut backup_report = BTreeMap::new();
-
    for package_id in crate::db::DatabaseModel::new()
        .package_data()
-        .keys(&mut db, false)
+        .keys(&mut db)
        .await?
        .into_iter()
        .filter(|id| package_ids.contains(id))
@@ -309,7 +230,7 @@ async fn perform_backup<Db: DbHandle>(
        let main_status_model = installed_model.clone().status().main();

        main_status_model.lock(&mut tx, LockType::Write).await?;
-        let (started, health) = match main_status_model.get(&mut tx, true).await?.into_owned() {
+        let (started, health) = match main_status_model.get(&mut tx).await?.into_owned() {
            MainStatus::Starting { .. } => (Some(Utc::now()), Default::default()),
            MainStatus::Running { started, health } => (Some(started), health.clone()),
            MainStatus::Stopped | MainStatus::Stopping | MainStatus::Restarting => {
@@ -338,11 +259,7 @@ async fn perform_backup<Db: DbHandle>(
            .await?;
        tx.save().await?; // drop locks

-        let manifest = installed_model
-            .clone()
-            .manifest()
-            .get(&mut db, false)
-            .await?;
+        let manifest = installed_model.clone().manifest().get(&mut db).await?;

        ctx.managers
            .get(&(manifest.id.clone(), manifest.version.clone()))
@@ -418,11 +335,12 @@ async fn perform_backup<Db: DbHandle>(
        tx.save().await?;
    }

-    crate::db::DatabaseModel::new()
-        .lock(&mut db, LockType::Write)
-        .await?;
+    let ui = crate::db::DatabaseModel::new()
+        .ui()
+        .get(&mut db)
+        .await?
+        .into_owned();

-    let (root_ca_key, root_ca_cert) = ctx.net_controller.ssl.export_root_ca().await?;
    let mut os_backup_file = AtomicFile::new(
        backup_guard.as_ref().join("os-backup.cbor"),
        None::<PathBuf>,
@@ -430,18 +348,10 @@ async fn perform_backup<Db: DbHandle>(
    .await
    .with_kind(ErrorKind::Filesystem)?;
    os_backup_file
-        .write_all(
-            &IoFormat::Cbor.to_vec(&OsBackup {
-                tor_key: ctx.net_controller.tor.embassyd_tor_key().await,
-                root_ca_key,
-                root_ca_cert,
-                ui: crate::db::DatabaseModel::new()
-                    .ui()
-                    .get(&mut db, true)
-                    .await?
-                    .into_owned(),
-            })?,
-        )
+        .write_all(&IoFormat::Cbor.to_vec(&OsBackup {
+            account: ctx.account.read().await.clone(),
+            ui,
+        })?)
        .await?;
    os_backup_file
        .save()
--- a/backend/src/backup/mod.rs
+++ b/backend/src/backup/mod.rs
@@ -4,11 +4,11 @@ use std::path::{Path, PathBuf};
 use chrono::{DateTime, Utc};
 use color_eyre::eyre::eyre;
 use helpers::AtomicFile;
-use patch_db::{DbHandle, HasModel, LockType};
+use models::ImageId;
+use patch_db::{DbHandle, HasModel};
 use reqwest::Url;
 use rpc_toolkit::command;
 use serde::{Deserialize, Serialize};
-use sqlx::{Executor, Postgres};
 use tokio::fs::File;
 use tokio::io::AsyncWriteExt;
 use tracing::instrument;
@@ -16,18 +16,20 @@ use tracing::instrument;
 use self::target::PackageBackupInfo;
 use crate::context::RpcContext;
 use crate::dependencies::reconfigure_dependents_with_live_pointers;
-use crate::id::ImageId;
 use crate::install::PKG_ARCHIVE_DIR;
 use crate::net::interface::{InterfaceId, Interfaces};
+use crate::net::keys::Key;
+use crate::procedure::docker::DockerContainers;
 use crate::procedure::{NoOutput, PackageProcedure, ProcedureName};
 use crate::s9pk::manifest::PackageId;
-use crate::util::serde::IoFormat;
+use crate::util::serde::{Base32, Base64, IoFormat};
 use crate::util::Version;
 use crate::version::{Current, VersionT};
 use crate::volume::{backup_dir, Volume, VolumeId, Volumes, BACKUP_DIR};
 use crate::{Error, ErrorKind, ResultExt};

 pub mod backup_bulk;
+pub mod os;
 pub mod restore;
 pub mod target;

@@ -61,7 +63,10 @@ pub fn package_backup() -> Result<(), Error> {
 #[derive(Deserialize, Serialize)]
 struct BackupMetadata {
    pub timestamp: DateTime<Utc>,
-    pub tor_keys: BTreeMap<InterfaceId, String>,
+    #[serde(default)]
+    pub network_keys: BTreeMap<InterfaceId, Base64<[u8; 32]>>,
+    #[serde(default)]
+    pub tor_keys: BTreeMap<InterfaceId, Base32<[u8; 64]>>, // DEPRECATED
    pub marketplace_url: Option<Url>,
 }

@@ -73,15 +78,16 @@ pub struct BackupActions {
 impl BackupActions {
    pub fn validate(
        &self,
+        container: &Option<DockerContainers>,
        eos_version: &Version,
        volumes: &Volumes,
        image_ids: &BTreeSet<ImageId>,
    ) -> Result<(), Error> {
        self.create
-            .validate(eos_version, volumes, image_ids, false)
+            .validate(container, eos_version, volumes, image_ids, false)
            .with_ctx(|_| (crate::ErrorKind::ValidateS9pk, "Backup Create"))?;
        self.restore
-            .validate(eos_version, volumes, image_ids, false)
+            .validate(container, eos_version, volumes, image_ids, false)
            .with_ctx(|_| (crate::ErrorKind::ValidateS9pk, "Backup Restore"))?;
        Ok(())
    }
@@ -111,23 +117,22 @@ impl BackupActions {
                ProcedureName::CreateBackup,
                &volumes,
                None,
-                false,
                None,
            )
            .await?
            .map_err(|e| eyre!("{}", e.1))
            .with_kind(crate::ErrorKind::Backup)?;
-        let tor_keys = interfaces
-            .tor_keys(&mut ctx.secret_store.acquire().await?, pkg_id)
+        let (network_keys, tor_keys) = Key::for_package(&ctx.secret_store, pkg_id)
            .await?
            .into_iter()
-            .map(|(id, key)| {
-                (
-                    id,
-                    base32::encode(base32::Alphabet::RFC4648 { padding: true }, &key.as_bytes()),
-                )
+            .filter_map(|k| {
+                let interface = k.interface().map(|(_, i)| i)?;
+                Some((
+                    (interface.clone(), Base64(k.as_bytes())),
+                    (interface, Base32(k.tor_key().as_bytes())),
+                ))
            })
-            .collect();
+            .unzip();
        let marketplace_url = crate::db::DatabaseModel::new()
            .package_data()
            .idx_model(pkg_id)
@@ -137,7 +142,7 @@ impl BackupActions {
            .expect(db)
            .await?
            .marketplace_url()
-            .get(db, true)
+            .get(db)
            .await?
            .into_owned();
        let tmp_path = Path::new(BACKUP_DIR)
@@ -170,6 +175,7 @@ impl BackupActions {
        outfile
            .write_all(&IoFormat::Cbor.to_vec(&BackupMetadata {
                timestamp,
+                network_keys,
                tor_keys,
                marketplace_url,
            })?)
@@ -183,20 +189,16 @@ impl BackupActions {
        })
    }

-    #[instrument(skip(ctx, db, secrets))]
-    pub async fn restore<Ex, Db: DbHandle>(
+    #[instrument(skip(ctx, db))]
+    pub async fn restore<Db: DbHandle>(
        &self,
        ctx: &RpcContext,
        db: &mut Db,
-        secrets: &mut Ex,
        pkg_id: &PackageId,
        pkg_version: &Version,
        interfaces: &Interfaces,
        volumes: &Volumes,
-    ) -> Result<(), Error>
-    where
-        for<'a> &'a mut Ex: Executor<'a, Database = Postgres>,
-    {
+    ) -> Result<(), Error> {
        let mut volumes = volumes.clone();
        volumes.insert(VolumeId::Backup, Volume::Backup { readonly: true });
        self.restore
@@ -207,7 +209,6 @@ impl BackupActions {
                ProcedureName::RestoreBackup,
                &volumes,
                None,
-                false,
                None,
            )
            .await?
@@ -222,27 +223,6 @@ impl BackupActions {
                )
            })?,
        )?;
-        for (iface, key) in metadata.tor_keys {
-            let key_vec = base32::decode(base32::Alphabet::RFC4648 { padding: true }, &key)
-                .ok_or_else(|| {
-                    Error::new(
-                        eyre!("invalid base32 string"),
-                        crate::ErrorKind::Deserialization,
-                    )
-                })?;
-            sqlx::query!(
-                "INSERT INTO tor (package, interface, key) VALUES ($1, $2, $3) ON CONFLICT (package, interface) DO UPDATE SET key = $3",
-                **pkg_id,
-                *iface,
-                key_vec,
-            )
-            .execute(&mut *secrets)
-            .await?;
-        }
-        crate::db::DatabaseModel::new()
-            .package_data()
-            .lock(db, LockType::Write)
-            .await?;
        let pde = crate::db::DatabaseModel::new()
            .package_data()
            .idx_model(pkg_id)
@@ -251,10 +231,6 @@ impl BackupActions {
            .installed()
            .expect(db)
            .await?;
-        pde.clone()
-            .interface_addresses()
-            .put(db, &interfaces.install(&mut *secrets, pkg_id).await?)
-            .await?;
        pde.marketplace_url()
            .put(db, &metadata.marketplace_url)
            .await?;
@@ -267,7 +243,7 @@ impl BackupActions {
            .installed()
            .expect(db)
            .await?
-            .get(db, true)
+            .get(db)
            .await?;

        let receipts = crate::config::ConfigReceipts::new(db).await?;
--- a/backend/src/backup/os.rs
+++ b/backend/src/backup/os.rs
@@ -0,0 +1,121 @@
+use crate::account::AccountInfo;
+use crate::hostname::{generate_hostname, generate_id, Hostname};
+use crate::net::keys::Key;
+use crate::util::serde::Base64;
+use crate::Error;
+use openssl::pkey::PKey;
+use openssl::x509::X509;
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+
+pub struct OsBackup {
+    pub account: AccountInfo,
+    pub ui: Value,
+}
+impl<'de> Deserialize<'de> for OsBackup {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: serde::Deserializer<'de>,
+    {
+        let tagged = OsBackupSerDe::deserialize(deserializer)?;
+        match tagged.version {
+            0 => serde_json::from_value::<OsBackupV0>(tagged.rest)
+                .map_err(serde::de::Error::custom)?
+                .project()
+                .map_err(serde::de::Error::custom),
+            1 => serde_json::from_value::<OsBackupV1>(tagged.rest)
+                .map_err(serde::de::Error::custom)?
+                .project()
+                .map_err(serde::de::Error::custom),
+            v => Err(serde::de::Error::custom(&format!(
+                "Unknown backup version {v}"
+            ))),
+        }
+    }
+}
+impl Serialize for OsBackup {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        OsBackupSerDe {
+            version: 1,
+            rest: serde_json::to_value(
+                &OsBackupV1::unproject(self).map_err(serde::ser::Error::custom)?,
+            )
+            .map_err(serde::ser::Error::custom)?,
+        }
+        .serialize(serializer)
+    }
+}
+
+#[derive(Deserialize, Serialize)]
+struct OsBackupSerDe {
+    #[serde(default)]
+    version: usize,
+    #[serde(flatten)]
+    rest: Value,
+}
+
+/// V0
+#[derive(Deserialize)]
+#[serde(rename = "kebab-case")]
+struct OsBackupV0 {
+    // tor_key: Base32<[u8; 64]>,
+    root_ca_key: String,  // PEM Encoded OpenSSL Key
+    root_ca_cert: String, // PEM Encoded OpenSSL X509 Certificate
+    ui: Value,            // JSON Value
+}
+impl OsBackupV0 {
+    fn project(self) -> Result<OsBackup, Error> {
+        Ok(OsBackup {
+            account: AccountInfo {
+                server_id: generate_id(),
+                hostname: generate_hostname(),
+                password: Default::default(),
+                key: Key::new(None),
+                root_ca_key: PKey::private_key_from_pem(self.root_ca_key.as_bytes())?,
+                root_ca_cert: X509::from_pem(self.root_ca_cert.as_bytes())?,
+            },
+            ui: self.ui,
+        })
+    }
+}
+
+/// V1
+#[derive(Deserialize, Serialize)]
+#[serde(rename = "kebab-case")]
+struct OsBackupV1 {
+    server_id: String,         // uuidv4
+    hostname: String,          // embassy-<adjective>-<noun>
+    net_key: Base64<[u8; 32]>, // Ed25519 Secret Key
+    root_ca_key: String,       // PEM Encoded OpenSSL Key
+    root_ca_cert: String,      // PEM Encoded OpenSSL X509 Certificate
+    ui: Value,                 // JSON Value
+                               // TODO add more
+}
+impl OsBackupV1 {
+    fn project(self) -> Result<OsBackup, Error> {
+        Ok(OsBackup {
+            account: AccountInfo {
+                server_id: self.server_id,
+                hostname: Hostname(self.hostname),
+                password: Default::default(),
+                key: Key::from_bytes(None, self.net_key.0),
+                root_ca_key: PKey::private_key_from_pem(self.root_ca_key.as_bytes())?,
+                root_ca_cert: X509::from_pem(self.root_ca_cert.as_bytes())?,
+            },
+            ui: self.ui,
+        })
+    }
+    fn unproject(backup: &OsBackup) -> Result<Self, Error> {
+        Ok(Self {
+            server_id: backup.account.server_id.clone(),
+            hostname: backup.account.hostname.0.clone(),
+            net_key: Base64(backup.account.key.as_bytes()),
+            root_ca_key: String::from_utf8(backup.account.root_ca_key.private_key_to_pem_pkcs8()?)?,
+            root_ca_cert: String::from_utf8(backup.account.root_ca_cert.to_pem()?)?,
+            ui: backup.ui.clone(),
+        })
+    }
+}
--- a/backend/src/backup/restore.rs
+++ b/backend/src/backup/restore.rs
@@ -6,30 +6,33 @@ use std::time::Duration;

 use clap::ArgMatches;
 use color_eyre::eyre::eyre;
-use futures::future::BoxFuture;
-use futures::FutureExt;
+use futures::{future::BoxFuture, stream};
+use futures::{FutureExt, StreamExt};
 use openssl::x509::X509;
 use patch_db::{DbHandle, PatchDbHandle};
 use rpc_toolkit::command;
+use sqlx::Connection;
 use tokio::fs::File;
-use tokio::task::JoinHandle;
 use torut::onion::OnionAddressV3;
 use tracing::instrument;

 use super::target::BackupTargetId;
-use crate::backup::backup_bulk::OsBackup;
+use crate::backup::os::OsBackup;
+use crate::backup::BackupMetadata;
+use crate::context::rpc::RpcContextConfig;
 use crate::context::{RpcContext, SetupContext};
 use crate::db::model::{PackageDataEntry, StaticFiles};
 use crate::disk::mount::backup::{BackupMountGuard, PackageBackupMountGuard};
-use crate::disk::mount::filesystem::ReadOnly;
+use crate::disk::mount::filesystem::ReadWrite;
 use crate::disk::mount::guard::TmpMountGuard;
+use crate::hostname::Hostname;
+use crate::init::init;
 use crate::install::progress::InstallProgress;
 use crate::install::{download_install_s9pk, PKG_PUBLIC_DIR};
-use crate::net::ssl::SslManager;
 use crate::notifications::NotificationLevel;
 use crate::s9pk::manifest::{Manifest, PackageId};
 use crate::s9pk::reader::S9pkReader;
-use crate::setup::RecoveryStatus;
+use crate::setup::SetupStatus;
 use crate::util::display_none;
 use crate::util::io::dir_size;
 use crate::util::serde::IoFormat;
@@ -55,57 +58,39 @@ pub async fn restore_packages_rpc(
        .load(&mut ctx.secret_store.acquire().await?)
        .await?;
    let backup_guard =
-        BackupMountGuard::mount(TmpMountGuard::mount(&fs, ReadOnly).await?, &password).await?;
+        BackupMountGuard::mount(TmpMountGuard::mount(&fs, ReadWrite).await?, &password).await?;

    let (backup_guard, tasks, _) = restore_packages(&ctx, &mut db, backup_guard, ids).await?;

    tokio::spawn(async move {
-        let res = futures::future::join_all(tasks).await;
-        for res in res {
-            match res.with_kind(crate::ErrorKind::Unknown) {
-                Ok((Ok(_), _)) => (),
-                Ok((Err(err), package_id)) => {
-                    if let Err(err) = ctx
-                        .notification_manager
-                        .notify(
-                            &mut db,
-                            Some(package_id.clone()),
-                            NotificationLevel::Error,
-                            "Restoration Failure".to_string(),
-                            format!("Error restoring package {}: {}", package_id, err),
-                            (),
-                            None,
-                        )
-                        .await
-                    {
-                        tracing::error!("Failed to notify: {}", err);
-                        tracing::debug!("{:?}", err);
-                    };
-                    tracing::error!("Error restoring package {}: {}", package_id, err);
-                    tracing::debug!("{:?}", err);
-                }
-                Err(e) => {
-                    if let Err(err) = ctx
-                        .notification_manager
-                        .notify(
-                            &mut db,
-                            None,
-                            NotificationLevel::Error,
-                            "Restoration Failure".to_string(),
-                            format!("Error during restoration: {}", e),
-                            (),
-                            None,
-                        )
-                        .await
-                    {
-                        tracing::error!("Failed to notify: {}", err);
+        stream::iter(tasks.into_iter().map(|x| (x, ctx.clone())))
+            .for_each_concurrent(5, |(res, ctx)| async move {
+                let mut db = ctx.db.handle();
+                match res.await {
+                    (Ok(_), _) => (),
+                    (Err(err), package_id) => {
+                        if let Err(err) = ctx
+                            .notification_manager
+                            .notify(
+                                &mut db,
+                                Some(package_id.clone()),
+                                NotificationLevel::Error,
+                                "Restoration Failure".to_string(),
+                                format!("Error restoring package {}: {}", package_id, err),
+                                (),
+                                None,
+                            )
+                            .await
+                        {
+                            tracing::error!("Failed to notify: {}", err);
+                            tracing::debug!("{:?}", err);
+                        };
+                        tracing::error!("Error restoring package {}: {}", package_id, err);
                        tracing::debug!("{:?}", err);
                    }
-                    tracing::error!("Error restoring packages: {}", e);
-                    tracing::debug!("{:?}", e);
                }
-            }
-        }
+            })
+            .await;
        if let Err(e) = backup_guard.unmount().await {
            tracing::error!("Error unmounting backup drive: {}", e);
            tracing::debug!("{:?}", e);
@@ -140,7 +125,7 @@ async fn approximate_progress_loop(
            tracing::error!("Failed to approximate restore progress: {}", e);
            tracing::debug!("{:?}", e);
        } else {
-            *ctx.recovery_status.write().await = Some(Ok(starting_info.flatten()));
+            *ctx.setup_status.write().await = Some(Ok(starting_info.flatten()));
        }
        tokio::time::sleep(Duration::from_secs(1)).await;
    }
@@ -153,7 +138,7 @@ struct ProgressInfo {
    target_volume_size: BTreeMap<PackageId, u64>,
 }
 impl ProgressInfo {
-    fn flatten(&self) -> RecoveryStatus {
+    fn flatten(&self) -> SetupStatus {
        let mut total_bytes = 0;
        let mut bytes_transferred = 0;

@@ -176,8 +161,8 @@ impl ProgressInfo {
            bytes_transferred = total_bytes;
        }

-        RecoveryStatus {
-            total_bytes,
+        SetupStatus {
+            total_bytes: Some(total_bytes),
            bytes_transferred,
            complete: false,
        }
@@ -191,7 +176,7 @@ pub async fn recover_full_embassy(
    embassy_password: String,
    recovery_source: TmpMountGuard,
    recovery_password: Option<String>,
-) -> Result<(OnionAddressV3, X509, BoxFuture<'static, Result<(), Error>>), Error> {
+) -> Result<(Arc<String>, Hostname, OnionAddressV3, X509), Error> {
    let backup_guard = BackupMountGuard::mount(
        recovery_source,
        recovery_password.as_deref().unwrap_or_default(),
@@ -199,7 +184,7 @@ pub async fn recover_full_embassy(
    .await?;

    let os_backup_path = backup_guard.as_ref().join("os-backup.cbor");
-    let os_backup: OsBackup =
+    let mut os_backup: OsBackup =
        IoFormat::Cbor.from_slice(&tokio::fs::read(&os_backup_path).await.with_ctx(|_| {
            (
                crate::ErrorKind::Filesystem,
@@ -207,92 +192,72 @@ pub async fn recover_full_embassy(
            )
        })?)?;

-    let password = argon2::hash_encoded(
+    os_backup.account.password = argon2::hash_encoded(
        embassy_password.as_bytes(),
        &rand::random::<[u8; 16]>()[..],
        &argon2::Config::default(),
    )
    .with_kind(crate::ErrorKind::PasswordHashGeneration)?;
-    let key_vec = os_backup.tor_key.as_bytes().to_vec();
-    let secret_store = ctx.secret_store().await?;
-    sqlx::query!(
-        "INSERT INTO account (id, password, tor_key) VALUES ($1, $2, $3) ON CONFLICT (id) DO UPDATE SET password = $2, tor_key = $3",
-        0,
-        password,
-        key_vec,
-    )
-    .execute(&mut secret_store.acquire().await?)
-    .await?;

-    SslManager::import_root_ca(
-        secret_store.clone(),
-        os_backup.root_ca_key,
-        os_backup.root_ca_cert.clone(),
-    )
-    .await?;
+    let secret_store = ctx.secret_store().await?;
+
+    os_backup.account.save(&secret_store).await?;
+
    secret_store.close().await;

-    Ok((
-        os_backup.tor_key.public().get_onion_address(),
-        os_backup.root_ca_cert,
-        async move {
-            let rpc_ctx = RpcContext::init(ctx.config_path.as_ref(), disk_guid).await?;
-            let mut db = rpc_ctx.db.handle();
+    let cfg = RpcContextConfig::load(ctx.config_path.clone()).await?;

-            let ids = backup_guard
-            .metadata
-            .package_backups
-            .keys()
-            .cloned()
-            .collect();
-            let (backup_guard, tasks, progress_info) = restore_packages(
-                &rpc_ctx,
-                &mut db,
-                backup_guard,
-                ids,
-            )
-            .await?;
+    init(&cfg).await?;

-            tokio::select! {
-                res = futures::future::join_all(tasks) => {
-                    for res in res {
-                        match res.with_kind(crate::ErrorKind::Unknown) {
-                            Ok((Ok(_), _)) => (),
-                            Ok((Err(err), package_id)) => {
-                                if let Err(err) = rpc_ctx.notification_manager.notify(
-                                    &mut db,
-                                    Some(package_id.clone()),
-                                    NotificationLevel::Error,
-                                    "Restoration Failure".to_string(), format!("Error restoring package {}: {}", package_id,err), (), None).await{
-                                    tracing::error!("Failed to notify: {}", err);
-                                    tracing::debug!("{:?}", err);
-                                    };
-                                tracing::error!("Error restoring package {}: {}", package_id, err);
+    let rpc_ctx = RpcContext::init(ctx.config_path.clone(), disk_guid.clone()).await?;
+
+    let mut db = rpc_ctx.db.handle();
+
+    let ids = backup_guard
+        .metadata
+        .package_backups
+        .keys()
+        .cloned()
+        .collect();
+    let (backup_guard, tasks, progress_info) =
+        restore_packages(&rpc_ctx, &mut db, backup_guard, ids).await?;
+    let task_consumer_rpc_ctx = rpc_ctx.clone();
+    tokio::select! {
+        _ = async move {
+            stream::iter(tasks.into_iter().map(|x| (x,  task_consumer_rpc_ctx.clone())))
+                .for_each_concurrent(5, |(res, ctx)| async move {
+                    let mut db = ctx.db.handle();
+                    match res.await {
+                        (Ok(_), _) => (),
+                        (Err(err), package_id) => {
+                            if let Err(err) = ctx.notification_manager.notify(
+                                &mut db,
+                                Some(package_id.clone()),
+                                NotificationLevel::Error,
+                                "Restoration Failure".to_string(), format!("Error restoring package {}: {}", package_id,err), (), None).await{
+                                tracing::error!("Failed to notify: {}", err);
                                tracing::debug!("{:?}", err);
-                            },
-                            Err(e) => {
-                                if let Err(err) = rpc_ctx.notification_manager.notify(
-                                    &mut db,
-                                    None,
-                                    NotificationLevel::Error,
-                                    "Restoration Failure".to_string(), format!("Error during restoration: {}", e), (), None).await {
-
-                                    tracing::error!("Failed to notify: {}", err);
-                                    tracing::debug!("{:?}", err);
-                                }
-                                tracing::error!("Error restoring packages: {}", e);
-                                tracing::debug!("{:?}", e);
-                            },
-
-                        }
+                                };
+                            tracing::error!("Error restoring package {}: {}", package_id, err);
+                            tracing::debug!("{:?}", err);
+                        },
                    }
-                },
-                _ = approximate_progress_loop(&ctx, &rpc_ctx, progress_info) => unreachable!(concat!(module_path!(), "::approximate_progress_loop should not terminate")),
-            }
+                }).await;

-            backup_guard.unmount().await?;
-            rpc_ctx.shutdown().await
-        }.boxed()
+        } => {
+
+        },
+        _ = approximate_progress_loop(&ctx, &rpc_ctx, progress_info) => unreachable!(concat!(module_path!(), "::approximate_progress_loop should not terminate")),
+    }
+
+    backup_guard.unmount().await?;
+    rpc_ctx.shutdown().await?;
+
+    Ok((
+        disk_guid,
+        os_backup.account.hostname,
+        os_backup.account.key.tor_address(),
+        os_backup.account.root_ca_cert,
    ))
 }

@@ -304,7 +269,7 @@ async fn restore_packages(
 ) -> Result<
    (
        BackupMountGuard<TmpMountGuard>,
-        Vec<JoinHandle<(Result<(), Error>, PackageId)>>,
+        Vec<BoxFuture<'static, (Result<(), Error>, PackageId)>>,
        ProgressInfo,
    ),
    Error,
@@ -323,7 +288,7 @@ async fn restore_packages(
            .insert(id.clone(), dir_size(backup_dir(&id)).await?);
        progress_info.target_volume_size.insert(id.clone(), 0);
        let package_id = id.clone();
-        tasks.push(tokio::spawn(
+        tasks.push(
            async move {
                if let Err(e) = task.await {
                    tracing::error!("Error restoring package {}: {}", id, e);
@@ -333,8 +298,9 @@ async fn restore_packages(
                    Ok(())
                }
            }
-            .map(|x| (x, package_id)),
-        ));
+            .map(|x| (x, package_id))
+            .boxed(),
+        );
    }

    Ok((backup_guard, tasks, progress_info))
@@ -416,9 +382,46 @@ async fn restore_package<'a>(
    manifest: Manifest,
    guard: PackageBackupMountGuard,
 ) -> Result<(Arc<InstallProgress>, BoxFuture<'static, Result<(), Error>>), Error> {
+    let id = manifest.id.clone();
    let s9pk_path = Path::new(BACKUP_DIR)
        .join(&manifest.id)
-        .join(format!("{}.s9pk", manifest.id));
+        .join(format!("{}.s9pk", id));
+
+    let metadata_path = Path::new(BACKUP_DIR).join(&id).join("metadata.cbor");
+    let metadata: BackupMetadata =
+        IoFormat::Cbor.from_slice(&tokio::fs::read(&metadata_path).await.with_ctx(|_| {
+            (
+                crate::ErrorKind::Filesystem,
+                metadata_path.display().to_string(),
+            )
+        })?)?;
+
+    let mut secrets = ctx.secret_store.acquire().await?;
+    let mut secrets_tx = secrets.begin().await?;
+    for (iface, key) in metadata.network_keys {
+        let k = key.0.as_slice();
+        sqlx::query!(
+            "INSERT INTO network_keys (package, interface, key) VALUES ($1, $2, $3) ON CONFLICT (package, interface) DO NOTHING",
+            *id,
+            *iface,
+            k,
+        )
+        .execute(&mut secrets_tx).await?;
+    }
+    // DEPRECATED
+    for (iface, key) in metadata.tor_keys {
+        let k = key.0.as_slice();
+        sqlx::query!(
+            "INSERT INTO tor (package, interface, key) VALUES ($1, $2, $3) ON CONFLICT (package, interface) DO NOTHING",
+            *id,
+            *iface,
+            k,
+        )
+        .execute(&mut secrets_tx).await?;
+    }
+    secrets_tx.commit().await?;
+    drop(secrets);
+
    let len = tokio::fs::metadata(&s9pk_path)
        .await
        .with_ctx(|_| {
--- a/backend/src/backup/target/mod.rs
+++ b/backend/src/backup/target/mod.rs
@@ -18,7 +18,7 @@ use crate::context::RpcContext;
 use crate::disk::mount::backup::BackupMountGuard;
 use crate::disk::mount::filesystem::block_dev::BlockDev;
 use crate::disk::mount::filesystem::cifs::Cifs;
-use crate::disk::mount::filesystem::{FileSystem, MountType, ReadOnly};
+use crate::disk::mount::filesystem::{FileSystem, MountType, ReadWrite};
 use crate::disk::mount::guard::TmpMountGuard;
 use crate::disk::util::PartitionInfo;
 use crate::s9pk::manifest::PackageId;
@@ -139,8 +139,10 @@ pub async fn list(
    #[context] ctx: RpcContext,
 ) -> Result<BTreeMap<BackupTargetId, BackupTarget>, Error> {
    let mut sql_handle = ctx.secret_store.acquire().await?;
-    let (disks_res, cifs) =
-        tokio::try_join!(crate::disk::util::list(), cifs::list(&mut sql_handle),)?;
+    let (disks_res, cifs) = tokio::try_join!(
+        crate::disk::util::list(&ctx.os_partitions),
+        cifs::list(&mut sql_handle),
+    )?;
    Ok(disks_res
        .into_iter()
        .flat_map(|mut disk| {
@@ -232,7 +234,7 @@ pub async fn info(
            &target_id
                .load(&mut ctx.secret_store.acquire().await?)
                .await?,
-            ReadOnly,
+            ReadWrite,
        )
        .await?,
        &password,
--- a/backend/src/bin/embassy-init.rs
+++ b/backend/src/bin/embassy-init.rs
@@ -1,74 +1,73 @@
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use std::time::Duration;

 use embassy::context::rpc::RpcContextConfig;
-use embassy::context::{DiagnosticContext, SetupContext};
+use embassy::context::{DiagnosticContext, InstallContext, SetupContext};
 use embassy::disk::fsck::RepairStrategy;
 use embassy::disk::main::DEFAULT_PASSWORD;
 use embassy::disk::REPAIR_DISK_PATH;
 use embassy::init::STANDBY_MODE_PATH;
-use embassy::middleware::cors::cors;
-use embassy::middleware::diagnostic::diagnostic;
-#[cfg(feature = "avahi")]
-use embassy::net::mdns::MdnsController;
+use embassy::net::web_server::WebServer;
 use embassy::shutdown::Shutdown;
 use embassy::sound::CHIME;
 use embassy::util::logger::EmbassyLogger;
 use embassy::util::Invoke;
-use embassy::{Error, ErrorKind, ResultExt};
-use http::StatusCode;
-use rpc_toolkit::rpc_server;
+use embassy::{Error, ErrorKind, ResultExt, IS_RASPBERRY_PI};
 use tokio::process::Command;
 use tracing::instrument;

-fn status_fn(_: i32) -> StatusCode {
-    StatusCode::OK
-}
-
 #[instrument]
-async fn setup_or_init(cfg_path: Option<&str>) -> Result<(), Error> {
-    if tokio::fs::metadata("/embassy-os/disk.guid").await.is_err() {
-        #[cfg(feature = "avahi")]
-        let _mdns = MdnsController::init();
-        tokio::fs::write(
-            "/etc/nginx/sites-available/default",
-            include_str!("../nginx/setup-wizard.conf"),
-        )
-        .await
-        .with_ctx(|_| {
-            (
-                embassy::ErrorKind::Filesystem,
-                "/etc/nginx/sites-available/default",
-            )
-        })?;
-        Command::new("systemctl")
-            .arg("reload")
-            .arg("nginx")
-            .invoke(embassy::ErrorKind::Nginx)
-            .await?;
-        let ctx = SetupContext::init(cfg_path).await?;
+async fn setup_or_init(cfg_path: Option<PathBuf>) -> Result<(), Error> {
+    if tokio::fs::metadata("/cdrom").await.is_ok() {
+        let ctx = InstallContext::init(cfg_path).await?;
+
+        let server = WebServer::install(([0, 0, 0, 0], 80).into(), ctx.clone()).await?;
+
        tokio::time::sleep(Duration::from_secs(1)).await; // let the record state that I hate this
        CHIME.play().await?;
-        rpc_server!({
-            command: embassy::setup_api,
-            context: ctx.clone(),
-            status: status_fn,
-            middleware: [
-                cors,
-            ]
-        })
-        .with_graceful_shutdown({
-            let mut shutdown = ctx.shutdown.subscribe();
-            async move {
-                shutdown.recv().await.expect("context dropped");
-            }
-        })
+
+        ctx.shutdown
+            .subscribe()
+            .recv()
+            .await
+            .expect("context dropped");
+
+        server.shutdown().await;
+
+        Command::new("reboot")
+            .invoke(embassy::ErrorKind::Unknown)
+            .await?;
+    } else if tokio::fs::metadata("/media/embassy/config/disk.guid")
        .await
-        .with_kind(embassy::ErrorKind::Network)?;
+        .is_err()
+    {
+        let ctx = SetupContext::init(cfg_path).await?;
+
+        let server = WebServer::setup(([0, 0, 0, 0], 80).into(), ctx.clone()).await?;
+
+        tokio::time::sleep(Duration::from_secs(1)).await; // let the record state that I hate this
+        CHIME.play().await?;
+        ctx.shutdown
+            .subscribe()
+            .recv()
+            .await
+            .expect("context dropped");
+
+        server.shutdown().await;
+
+        tokio::task::yield_now().await;
+        if let Err(e) = Command::new("killall")
+            .arg("firefox-esr")
+            .invoke(ErrorKind::NotFound)
+            .await
+        {
+            tracing::error!("Failed to kill kiosk: {}", e);
+            tracing::debug!("{:?}", e);
+        }
    } else {
        let cfg = RpcContextConfig::load(cfg_path).await?;
-        let guid_string = tokio::fs::read_to_string("/embassy-os/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
+        let guid_string = tokio::fs::read_to_string("/media/embassy/config/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
            .await?;
        let guid = guid_string.trim();
        let requires_reboot = embassy::disk::main::import(
@@ -119,8 +118,8 @@ async fn run_script_if_exists<P: AsRef<Path>>(path: P) {
 }

 #[instrument]
-async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {
-    if tokio::fs::metadata(STANDBY_MODE_PATH).await.is_ok() {
+async fn inner_main(cfg_path: Option<PathBuf>) -> Result<Option<Shutdown>, Error> {
+    if *IS_RASPBERRY_PI && tokio::fs::metadata(STANDBY_MODE_PATH).await.is_ok() {
        tokio::fs::remove_file(STANDBY_MODE_PATH).await?;
        Command::new("sync").invoke(ErrorKind::Filesystem).await?;
        embassy::sound::SHUTDOWN.play().await?;
@@ -129,36 +128,22 @@ async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {

    embassy::sound::BEP.play().await?;

-    run_script_if_exists("/embassy-os/preinit.sh").await;
+    run_script_if_exists("/media/embassy/config/preinit.sh").await;

-    let res = if let Err(e) = setup_or_init(cfg_path).await {
-        async {
+    let res = if let Err(e) = setup_or_init(cfg_path.clone()).await {
+        async move {
            tracing::error!("{}", e.source);
            tracing::debug!("{}", e.source);
            embassy::sound::BEETHOVEN.play().await?;
-            #[cfg(feature = "avahi")]
-            let _mdns = MdnsController::init();
-            tokio::fs::write(
-                "/etc/nginx/sites-available/default",
-                include_str!("../nginx/diagnostic-ui.conf"),
-            )
-            .await
-            .with_ctx(|_| {
-                (
-                    embassy::ErrorKind::Filesystem,
-                    "/etc/nginx/sites-available/default",
-                )
-            })?;
-            Command::new("systemctl")
-                .arg("reload")
-                .arg("nginx")
-                .invoke(embassy::ErrorKind::Nginx)
-                .await?;
+
            let ctx = DiagnosticContext::init(
                cfg_path,
-                if tokio::fs::metadata("/embassy-os/disk.guid").await.is_ok() {
+                if tokio::fs::metadata("/media/embassy/config/disk.guid")
+                    .await
+                    .is_ok()
+                {
                    Some(Arc::new(
-                        tokio::fs::read_to_string("/embassy-os/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
+                        tokio::fs::read_to_string("/media/embassy/config/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
                            .await?
                            .trim()
                            .to_owned(),
@@ -169,44 +154,27 @@ async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {
                e,
            )
            .await?;
-            let mut shutdown_recv = ctx.shutdown.subscribe();
-            rpc_server!({
-                command: embassy::diagnostic_api,
-                context: ctx.clone(),
-                status: status_fn,
-                middleware: [
-                    cors,
-                    diagnostic,
-                ]
-            })
-            .with_graceful_shutdown({
-                let mut shutdown = ctx.shutdown.subscribe();
-                async move {
-                    shutdown.recv().await.expect("context dropped");
-                }
-            })
-            .await
-            .with_kind(embassy::ErrorKind::Network)?;

-            Ok::<_, Error>(
-                shutdown_recv
-                    .recv()
-                    .await
-                    .with_kind(embassy::ErrorKind::Network)?,
-            )
+            let server = WebServer::diagnostic(([0, 0, 0, 0], 80).into(), ctx.clone()).await?;
+
+            let shutdown = ctx.shutdown.subscribe().recv().await.unwrap();
+
+            server.shutdown().await;
+
+            Ok(shutdown)
        }
        .await
    } else {
        Ok(None)
    };

-    run_script_if_exists("/embassy-os/postinit.sh").await;
+    run_script_if_exists("/media/embassy/config/postinit.sh").await;

    res
 }

 fn main() {
-    let matches = clap::App::new("embassyd")
+    let matches = clap::App::new("embassy-init")
        .arg(
            clap::Arg::with_name("config")
                .short('c')
@@ -217,7 +185,7 @@ fn main() {

    EmbassyLogger::init();

-    let cfg_path = matches.value_of("config");
+    let cfg_path = matches.value_of("config").map(|p| Path::new(p).to_owned());
    let res = {
        let rt = tokio::runtime::Builder::new_multi_thread()
            .enable_all()
--- a/backend/src/bin/embassyd.rs
+++ b/backend/src/bin/embassyd.rs
@@ -1,56 +1,33 @@
+use std::path::{Path, PathBuf};
 use std::sync::Arc;
-use std::time::Duration;

 use color_eyre::eyre::eyre;
 use embassy::context::{DiagnosticContext, RpcContext};
-use embassy::core::rpc_continuations::RequestGuid;
-use embassy::db::subscribe;
-use embassy::middleware::auth::auth;
-use embassy::middleware::cors::cors;
-use embassy::middleware::db::db as db_middleware;
-use embassy::middleware::diagnostic::diagnostic;
-#[cfg(feature = "avahi")]
-use embassy::net::mdns::MdnsController;
-use embassy::net::tor::tor_health_check;
+use embassy::net::web_server::WebServer;
 use embassy::shutdown::Shutdown;
 use embassy::system::launch_metrics_task;
 use embassy::util::logger::EmbassyLogger;
-use embassy::util::{daemon, Invoke};
-use embassy::{static_server, Error, ErrorKind, ResultExt};
+use embassy::{Error, ErrorKind, ResultExt};
 use futures::{FutureExt, TryFutureExt};
-use reqwest::{Client, Proxy};
-use rpc_toolkit::hyper::{Body, Response, Server, StatusCode};
-use rpc_toolkit::rpc_server;
-use tokio::process::Command;
 use tokio::signal::unix::signal;
 use tracing::instrument;

-fn status_fn(_: i32) -> StatusCode {
-    StatusCode::OK
-}
-
-fn err_to_500(e: Error) -> Response<Body> {
-    tracing::error!("{}", e);
-    tracing::debug!("{:?}", e);
-    Response::builder()
-        .status(StatusCode::INTERNAL_SERVER_ERROR)
-        .body(Body::empty())
-        .unwrap()
-}
-
 #[instrument]
-async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {
-    let (rpc_ctx, shutdown) = {
+async fn inner_main(cfg_path: Option<PathBuf>) -> Result<Option<Shutdown>, Error> {
+    let (rpc_ctx, server, shutdown) = {
        let rpc_ctx = RpcContext::init(
            cfg_path,
            Arc::new(
-                tokio::fs::read_to_string("/embassy-os/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
+                tokio::fs::read_to_string("/media/embassy/config/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
                    .await?
                    .trim()
                    .to_owned(),
            ),
        )
        .await?;
+        embassy::hostname::sync_hostname(&*rpc_ctx.account.read().await).await?;
+        let server = WebServer::main(([0, 0, 0, 0], 80).into(), rpc_ctx.clone()).await?;
+
        let mut shutdown_recv = rpc_ctx.shutdown.subscribe();

        let sig_handler_ctx = rpc_ctx.clone();
@@ -66,7 +43,7 @@ async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {
                .map(|s| {
                    async move {
                        signal(*s)
-                            .expect(&format!("register {:?} handler", s))
+                            .unwrap_or_else(|_| panic!("register {:?} handler", s))
                            .recv()
                            .await
                    }
@@ -81,32 +58,6 @@ async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {
                .expect("send shutdown signal");
        });

-        let mut db = rpc_ctx.db.handle();
-        embassy::hostname::sync_hostname(&mut db).await?;
-        let receipts = embassy::context::rpc::RpcSetNginxReceipts::new(&mut db).await?;
-
-        rpc_ctx.set_nginx_conf(&mut db, receipts).await?;
-        drop(db);
-        let auth = auth(rpc_ctx.clone());
-        let db_middleware = db_middleware(rpc_ctx.clone());
-        let ctx = rpc_ctx.clone();
-        let server = rpc_server!({
-            command: embassy::main_api,
-            context: ctx,
-            status: status_fn,
-            middleware: [
-                cors,
-                auth,
-                db_middleware,
-            ]
-        })
-        .with_graceful_shutdown({
-            let mut shutdown = rpc_ctx.shutdown.subscribe();
-            async move {
-                shutdown.recv().await.expect("context dropped");
-            }
-        });
-
        let metrics_ctx = rpc_ctx.clone();
        let metrics_task = tokio::spawn(async move {
            launch_metrics_task(&metrics_ctx.metrics_cache, || {
@@ -115,168 +66,32 @@ async fn inner_main(cfg_path: Option<&str>) -> Result<Option<Shutdown>, Error> {
            .await
        });

-        let ws_ctx = rpc_ctx.clone();
-        let ws_server = {
-            let builder = Server::bind(&ws_ctx.bind_ws);
-
-            let make_svc = ::rpc_toolkit::hyper::service::make_service_fn(move |_| {
-                let ctx = ws_ctx.clone();
-                async move {
-                    Ok::<_, ::rpc_toolkit::hyper::Error>(::rpc_toolkit::hyper::service::service_fn(
-                        move |req| {
-                            let ctx = ctx.clone();
-                            async move {
-                                tracing::debug!("Request to {}", req.uri().path());
-                                match req.uri().path() {
-                                    "/ws/db" => {
-                                        Ok(subscribe(ctx, req).await.unwrap_or_else(err_to_500))
-                                    }
-                                    path if path.starts_with("/ws/rpc/") => {
-                                        match RequestGuid::from(
-                                            path.strip_prefix("/ws/rpc/").unwrap(),
-                                        ) {
-                                            None => {
-                                                tracing::debug!("No Guid Path");
-                                                Response::builder()
-                                                    .status(StatusCode::BAD_REQUEST)
-                                                    .body(Body::empty())
-                                            }
-                                            Some(guid) => {
-                                                match ctx.get_ws_continuation_handler(&guid).await {
-                                                    Some(cont) => match cont(req).await {
-                                                        Ok(r) => Ok(r),
-                                                        Err(e) => Response::builder()
-                                                            .status(
-                                                                StatusCode::INTERNAL_SERVER_ERROR,
-                                                            )
-                                                            .body(Body::from(format!("{}", e))),
-                                                    },
-                                                    _ => Response::builder()
-                                                        .status(StatusCode::NOT_FOUND)
-                                                        .body(Body::empty()),
-                                                }
-                                            }
-                                        }
-                                    }
-                                    path if path.starts_with("/rest/rpc/") => {
-                                        match RequestGuid::from(
-                                            path.strip_prefix("/rest/rpc/").unwrap(),
-                                        ) {
-                                            None => {
-                                                tracing::debug!("No Guid Path");
-                                                Response::builder()
-                                                    .status(StatusCode::BAD_REQUEST)
-                                                    .body(Body::empty())
-                                            }
-                                            Some(guid) => {
-                                                match ctx.get_rest_continuation_handler(&guid).await
-                                                {
-                                                    None => Response::builder()
-                                                        .status(StatusCode::NOT_FOUND)
-                                                        .body(Body::empty()),
-                                                    Some(cont) => match cont(req).await {
-                                                        Ok(r) => Ok(r),
-                                                        Err(e) => Response::builder()
-                                                            .status(
-                                                                StatusCode::INTERNAL_SERVER_ERROR,
-                                                            )
-                                                            .body(Body::from(format!("{}", e))),
-                                                    },
-                                                }
-                                            }
-                                        }
-                                    }
-                                    _ => Response::builder()
-                                        .status(StatusCode::NOT_FOUND)
-                                        .body(Body::empty()),
-                                }
-                            }
-                        },
-                    ))
-                }
-            });
-            builder.serve(make_svc)
-        }
-        .with_graceful_shutdown({
-            let mut shutdown = rpc_ctx.shutdown.subscribe();
-            async move {
-                shutdown.recv().await.expect("context dropped");
-            }
-        });
-
-        let file_server_ctx = rpc_ctx.clone();
-        let file_server = {
-            static_server::init(file_server_ctx, {
-                let mut shutdown = rpc_ctx.shutdown.subscribe();
-                async move {
-                    shutdown.recv().await.expect("context dropped");
-                }
-            })
-        };
-
-        let tor_health_ctx = rpc_ctx.clone();
-        let tor_client = Client::builder()
-            .proxy(
-                Proxy::http(format!(
-                    "socks5h://{}:{}",
-                    rpc_ctx.tor_socks.ip(),
-                    rpc_ctx.tor_socks.port()
-                ))
-                .with_kind(crate::ErrorKind::Network)?,
-            )
-            .build()
-            .with_kind(crate::ErrorKind::Network)?;
-        let tor_health_daemon = daemon(
-            move || {
-                let ctx = tor_health_ctx.clone();
-                let client = tor_client.clone();
-                async move { tor_health_check(&client, &ctx.net_controller.tor).await }
-            },
-            Duration::from_secs(300),
-            rpc_ctx.shutdown.subscribe(),
-        );
-
        embassy::sound::CHIME.play().await?;

-        futures::try_join!(
-            server
-                .map_err(|e| Error::new(e, ErrorKind::Network))
-                .map_ok(|_| tracing::debug!("RPC Server Shutdown")),
-            metrics_task
-                .map_err(|e| Error::new(
+        metrics_task
+            .map_err(|e| {
+                Error::new(
                    eyre!("{}", e).wrap_err("Metrics daemon panicked!"),
-                    ErrorKind::Unknown
-                ))
-                .map_ok(|_| tracing::debug!("Metrics daemon Shutdown")),
-            ws_server
-                .map_err(|e| Error::new(e, ErrorKind::Network))
-                .map_ok(|_| tracing::debug!("WebSocket Server Shutdown")),
-            file_server
-                .map_err(|e| Error::new(e, ErrorKind::Network))
-                .map_ok(|_| tracing::debug!("Static File Server Shutdown")),
-            tor_health_daemon
-                .map_err(|e| Error::new(
-                    e.wrap_err("Tor Health daemon panicked!"),
-                    ErrorKind::Unknown
-                ))
-                .map_ok(|_| tracing::debug!("Tor Health daemon Shutdown")),
-        )?;
+                    ErrorKind::Unknown,
+                )
+            })
+            .map_ok(|_| tracing::debug!("Metrics daemon Shutdown"))
+            .await?;

-        let mut shutdown = shutdown_recv
+        let shutdown = shutdown_recv
            .recv()
            .await
            .with_kind(crate::ErrorKind::Unknown)?;

        sig_handler.abort();

-        if let Some(shutdown) = &mut shutdown {
-            drop(shutdown.db_handle.take());
-        }
-
-        (rpc_ctx, shutdown)
+        (rpc_ctx, server, shutdown)
    };
+    server.shutdown().await;
    rpc_ctx.shutdown().await?;

+    tracing::info!("RPC Context is dropped");
+
    Ok(shutdown)
 }

@@ -292,7 +107,7 @@ fn main() {

    EmbassyLogger::init();

-    let cfg_path = matches.value_of("config");
+    let cfg_path = matches.value_of("config").map(|p| Path::new(p).to_owned());

    let res = {
        let rt = tokio::runtime::Builder::new_multi_thread()
@@ -300,36 +115,21 @@ fn main() {
            .build()
            .expect("failed to initialize runtime");
        rt.block_on(async {
-            match inner_main(cfg_path).await {
+            match inner_main(cfg_path.clone()).await {
                Ok(a) => Ok(a),
                Err(e) => {
-                    (|| async {
+                    async {
                        tracing::error!("{}", e.source);
                        tracing::debug!("{:?}", e.source);
                        embassy::sound::BEETHOVEN.play().await?;
-                        #[cfg(feature = "avahi")]
-                        let _mdns = MdnsController::init();
-                        tokio::fs::write(
-                            "/etc/nginx/sites-available/default",
-                            include_str!("../nginx/diagnostic-ui.conf"),
-                        )
-                        .await
-                        .with_ctx(|_| {
-                            (
-                                embassy::ErrorKind::Filesystem,
-                                "/etc/nginx/sites-available/default",
-                            )
-                        })?;
-                        Command::new("systemctl")
-                            .arg("reload")
-                            .arg("nginx")
-                            .invoke(embassy::ErrorKind::Nginx)
-                            .await?;
                        let ctx = DiagnosticContext::init(
                            cfg_path,
-                            if tokio::fs::metadata("/embassy-os/disk.guid").await.is_ok() {
+                            if tokio::fs::metadata("/media/embassy/config/disk.guid")
+                                .await
+                                .is_ok()
+                            {
                                Some(Arc::new(
-                                    tokio::fs::read_to_string("/embassy-os/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
+                                    tokio::fs::read_to_string("/media/embassy/config/disk.guid") // unique identifier for volume group - keeps track of the disk that goes with your embassy
                                        .await?
                                        .trim()
                                        .to_owned(),
@@ -340,26 +140,19 @@ fn main() {
                            e,
                        )
                        .await?;
+
+                        let server =
+                            WebServer::diagnostic(([0, 0, 0, 0], 80).into(), ctx.clone()).await?;
+
                        let mut shutdown = ctx.shutdown.subscribe();
-                        rpc_server!({
-                            command: embassy::diagnostic_api,
-                            context: ctx.clone(),
-                            status: status_fn,
-                            middleware: [
-                                cors,
-                                diagnostic,
-                            ]
-                        })
-                        .with_graceful_shutdown({
-                            let mut shutdown = ctx.shutdown.subscribe();
-                            async move {
-                                shutdown.recv().await.expect("context dropped");
-                            }
-                        })
-                        .await
-                        .with_kind(embassy::ErrorKind::Network)?;
-                        Ok::<_, Error>(shutdown.recv().await.with_kind(crate::ErrorKind::Unknown)?)
-                    })()
+
+                        let shutdown =
+                            shutdown.recv().await.with_kind(crate::ErrorKind::Unknown)?;
+
+                        server.shutdown().await;
+
+                        Ok::<_, Error>(shutdown)
+                    }
                    .await
                }
            }
--- a/backend/src/config/action.rs
+++ b/backend/src/config/action.rs
@@ -1,6 +1,7 @@
 use std::collections::{BTreeMap, BTreeSet};

 use color_eyre::eyre::eyre;
+use models::ImageId;
 use nix::sys::signal::Signal;
 use patch_db::HasModel;
 use serde::{Deserialize, Serialize};
@@ -9,7 +10,7 @@ use tracing::instrument;
 use super::{Config, ConfigSpec};
 use crate::context::RpcContext;
 use crate::dependencies::Dependencies;
-use crate::id::ImageId;
+use crate::procedure::docker::DockerContainers;
 use crate::procedure::{PackageProcedure, ProcedureName};
 use crate::s9pk::manifest::PackageId;
 use crate::status::health_check::HealthCheckId;
@@ -33,15 +34,16 @@ impl ConfigActions {
    #[instrument]
    pub fn validate(
        &self,
+        container: &Option<DockerContainers>,
        eos_version: &Version,
        volumes: &Volumes,
        image_ids: &BTreeSet<ImageId>,
    ) -> Result<(), Error> {
        self.get
-            .validate(eos_version, volumes, image_ids, true)
+            .validate(container, eos_version, volumes, image_ids, true)
            .with_ctx(|_| (crate::ErrorKind::ValidateS9pk, "Config Get"))?;
        self.set
-            .validate(eos_version, volumes, image_ids, true)
+            .validate(container, eos_version, volumes, image_ids, true)
            .with_ctx(|_| (crate::ErrorKind::ValidateS9pk, "Config Set"))?;
        Ok(())
    }
@@ -61,7 +63,6 @@ impl ConfigActions {
                ProcedureName::GetConfig,
                volumes,
                None::<()>,
-                false,
                None,
            )
            .await
@@ -89,7 +90,6 @@ impl ConfigActions {
                ProcedureName::SetConfig,
                volumes,
                Some(input),
-                false,
                None,
            )
            .await
--- a/backend/src/config/mod.rs
+++ b/backend/src/config/mod.rs
@@ -21,6 +21,7 @@ use crate::dependencies::{
    DependencyErrors, DependencyReceipt, TaggedDependencyError, TryHealReceipts,
 };
 use crate::install::cleanup::{remove_from_current_dependents_lists, UpdateDependencyReceipts};
+use crate::procedure::docker::DockerContainers;
 use crate::s9pk::manifest::{Manifest, PackageId};
 use crate::util::display_none;
 use crate::util::serde::{display_serializable, parse_stdin_deserializable, IoFormat};
@@ -274,6 +275,7 @@ pub struct ConfigReceipts {
    pub current_dependencies: LockReceipt<CurrentDependencies, String>,
    dependency_errors: LockReceipt<DependencyErrors, String>,
    manifest_dependencies_config: LockReceipt<DependencyConfig, (String, String)>,
+    docker_containers: LockReceipt<DockerContainers, String>,
 }

 impl ConfigReceipts {
@@ -378,6 +380,13 @@ impl ConfigReceipts {
            .and_then(|x| x.manifest().dependencies().star().config())
            .make_locker(LockType::Write)
            .add_to_keys(locks);
+        let docker_containers = crate::db::DatabaseModel::new()
+            .package_data()
+            .star()
+            .installed()
+            .and_then(|x| x.manifest().containers())
+            .make_locker(LockType::Write)
+            .add_to_keys(locks);

        move |skeleton_key| {
            Ok(Self {
@@ -397,6 +406,7 @@ impl ConfigReceipts {
                current_dependencies: current_dependencies.verify(skeleton_key)?,
                dependency_errors: dependency_errors.verify(skeleton_key)?,
                manifest_dependencies_config: manifest_dependencies_config.verify(skeleton_key)?,
+                docker_containers: docker_containers.verify(skeleton_key)?,
            })
        }
    }
@@ -671,6 +681,8 @@ pub fn configure_rec<'a, Db: DbHandle>(
            .unwrap_or_default();
        let next = Value::Object(config.clone());
        for (dependent, dep_info) in dependents.0.iter().filter(|(dep_id, _)| dep_id != &id) {
+            let dependent_container = receipts.docker_containers.get(db, &dependent).await?;
+            let dependent_container = &dependent_container;
            // check if config passes dependent check
            if let Some(cfg) = receipts
                .manifest_dependencies_config
@@ -685,6 +697,7 @@ pub fn configure_rec<'a, Db: DbHandle>(
                if let Err(error) = cfg
                    .check(
                        ctx,
+                        dependent_container,
                        dependent,
                        &manifest.version,
                        &manifest.volumes,
--- a/backend/src/config/spec.rs
+++ b/backend/src/config/spec.rs
@@ -25,6 +25,7 @@ use super::{Config, MatchError, NoMatchWithPath, TimeoutError, TypeOf};
 use crate::config::ConfigurationError;
 use crate::context::RpcContext;
 use crate::net::interface::InterfaceId;
+use crate::net::keys::Key;
 use crate::s9pk::manifest::{Manifest, PackageId};
 use crate::Error;

@@ -2059,22 +2060,19 @@ impl TorKeyPointer {
                ValueSpecPointer::Package(PackagePointerSpec::TorKey(self.clone())),
            ));
        }
-        let x = sqlx::query!(
-            "SELECT key FROM tor WHERE package = $1 AND interface = $2",
-            *self.package_id,
-            *self.interface
+        let key = Key::for_interface(
+            &mut secrets
+                .acquire()
+                .await
+                .map_err(|e| ConfigurationError::SystemError(e.into()))?,
+            Some((self.package_id.clone(), self.interface.clone())),
        )
-        .fetch_optional(secrets)
        .await
-        .map_err(|e| ConfigurationError::SystemError(e.into()))?;
-        if let Some(x) = x {
-            Ok(Value::String(base32::encode(
-                base32::Alphabet::RFC4648 { padding: false },
-                &x.key,
-            )))
-        } else {
-            Ok(Value::Null)
-        }
+        .map_err(ConfigurationError::SystemError)?;
+        Ok(Value::String(base32::encode(
+            base32::Alphabet::RFC4648 { padding: false },
+            &key.tor_key().as_bytes(),
+        )))
    }
 }
 impl fmt::Display for TorKeyPointer {
--- a/backend/src/context/cli.rs
+++ b/backend/src/context/cli.rs
@@ -1,12 +1,14 @@
 use std::fs::File;
 use std::io::BufReader;
-use std::net::{Ipv4Addr, SocketAddr};
+use std::net::Ipv4Addr;
 use std::path::{Path, PathBuf};
 use std::sync::Arc;

 use clap::ArgMatches;
 use color_eyre::eyre::eyre;
+use cookie::Cookie;
 use cookie_store::CookieStore;
+use josekit::jwk::Jwk;
 use reqwest::Proxy;
 use reqwest_cookie_store::CookieStoreMutex;
 use rpc_toolkit::reqwest::{Client, Url};
@@ -15,13 +17,15 @@ use rpc_toolkit::Context;
 use serde::Deserialize;
 use tracing::instrument;

+use crate::middleware::auth::LOCAL_AUTH_COOKIE_PATH;
 use crate::util::config::{load_config_from_paths, local_config_path};
 use crate::ResultExt;

+use super::setup::CURRENT_SECRET;
+
 #[derive(Debug, Default, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct CliContextConfig {
-    pub bind_rpc: Option<SocketAddr>,
    pub host: Option<Url>,
    #[serde(deserialize_with = "crate::util::serde::deserialize_from_str_opt")]
    #[serde(default)]
@@ -81,11 +85,7 @@ impl CliContext {
        } else if let Some(host) = base.host {
            host
        } else {
-            format!(
-                "http://{}",
-                base.bind_rpc.unwrap_or(([127, 0, 0, 1], 80).into())
-            )
-            .parse()?
+            "http://localhost".parse()?
        };
        let proxy = if let Some(proxy) = matches.value_of("proxy") {
            Some(proxy.parse()?)
@@ -102,9 +102,15 @@ impl CliContext {
                .join(".cookies.json")
        });
        let cookie_store = Arc::new(CookieStoreMutex::new(if cookie_path.exists() {
-            CookieStore::load_json(BufReader::new(File::open(&cookie_path)?))
+            let mut store = CookieStore::load_json(BufReader::new(File::open(&cookie_path)?))
                .map_err(|e| eyre!("{}", e))
-                .with_kind(crate::ErrorKind::Deserialization)?
+                .with_kind(crate::ErrorKind::Deserialization)?;
+            if let Ok(local) = std::fs::read_to_string(LOCAL_AUTH_COOKIE_PATH) {
+                store
+                    .insert_raw(&Cookie::new("local", local), &"http://localhost".parse()?)
+                    .with_kind(crate::ErrorKind::Network)?;
+            }
+            store
        } else {
            CookieStore::default()
        }));
@@ -131,6 +137,11 @@ impl CliContext {
        })))
    }
 }
+impl AsRef<Jwk> for CliContext {
+    fn as_ref(&self) -> &Jwk {
+        &*CURRENT_SECRET
+    }
+}
 impl std::ops::Deref for CliContext {
    type Target = CliContextSeed;
    fn deref(&self) -> &Self::Target {
--- a/backend/src/context/diagnostic.rs
+++ b/backend/src/context/diagnostic.rs
@@ -1,4 +1,3 @@
-use std::net::{IpAddr, SocketAddr};
 use std::ops::Deref;
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
@@ -6,38 +5,36 @@ use std::sync::Arc;
 use rpc_toolkit::yajrc::RpcError;
 use rpc_toolkit::Context;
 use serde::Deserialize;
-use tokio::fs::File;
 use tokio::sync::broadcast::Sender;
 use tracing::instrument;
-use url::Host;

 use crate::shutdown::Shutdown;
-use crate::util::io::from_toml_async_reader;
-use crate::util::AsyncFileExt;
-use crate::{Error, ResultExt};
+use crate::util::config::load_config_from_paths;
+use crate::Error;

 #[derive(Debug, Default, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct DiagnosticContextConfig {
-    pub bind_rpc: Option<SocketAddr>,
    pub datadir: Option<PathBuf>,
 }
 impl DiagnosticContextConfig {
    #[instrument(skip(path))]
-    pub async fn load<P: AsRef<Path>>(path: Option<P>) -> Result<Self, Error> {
-        let cfg_path = path
-            .as_ref()
-            .map(|p| p.as_ref())
-            .unwrap_or(Path::new(crate::util::config::CONFIG_PATH));
-        if let Some(f) = File::maybe_open(cfg_path)
-            .await
-            .with_ctx(|_| (crate::ErrorKind::Filesystem, cfg_path.display().to_string()))?
-        {
-            from_toml_async_reader(f).await
-        } else {
-            Ok(Self::default())
-        }
+    pub async fn load<P: AsRef<Path> + Send + 'static>(path: Option<P>) -> Result<Self, Error> {
+        tokio::task::spawn_blocking(move || {
+            load_config_from_paths(
+                path.as_ref()
+                    .into_iter()
+                    .map(|p| p.as_ref())
+                    .chain(std::iter::once(Path::new(
+                        crate::util::config::DEVICE_CONFIG_PATH,
+                    )))
+                    .chain(std::iter::once(Path::new(crate::util::config::CONFIG_PATH))),
+            )
+        })
+        .await
+        .unwrap()
    }
+
    pub fn datadir(&self) -> &Path {
        self.datadir
            .as_deref()
@@ -46,7 +43,6 @@ impl DiagnosticContextConfig {
 }

 pub struct DiagnosticContextSeed {
-    pub bind_rpc: SocketAddr,
    pub datadir: PathBuf,
    pub shutdown: Sender<Option<Shutdown>>,
    pub error: Arc<RpcError>,
@@ -57,17 +53,19 @@ pub struct DiagnosticContextSeed {
 pub struct DiagnosticContext(Arc<DiagnosticContextSeed>);
 impl DiagnosticContext {
    #[instrument(skip(path))]
-    pub async fn init<P: AsRef<Path>>(
+    pub async fn init<P: AsRef<Path> + Send + 'static>(
        path: Option<P>,
        disk_guid: Option<Arc<String>>,
        error: Error,
    ) -> Result<Self, Error> {
+        tracing::error!("Error: {}: Starting diagnostic UI", error);
+        tracing::debug!("{:?}", error);
+
        let cfg = DiagnosticContextConfig::load(path).await?;

        let (shutdown, _) = tokio::sync::broadcast::channel(1);

        Ok(Self(Arc::new(DiagnosticContextSeed {
-            bind_rpc: cfg.bind_rpc.unwrap_or(([127, 0, 0, 1], 5959).into()),
            datadir: cfg.datadir().to_owned(),
            shutdown,
            disk_guid,
@@ -76,17 +74,7 @@ impl DiagnosticContext {
    }
 }

-impl Context for DiagnosticContext {
-    fn host(&self) -> Host<&str> {
-        match self.0.bind_rpc.ip() {
-            IpAddr::V4(a) => Host::Ipv4(a),
-            IpAddr::V6(a) => Host::Ipv6(a),
-        }
-    }
-    fn port(&self) -> u16 {
-        self.0.bind_rpc.port()
-    }
-}
+impl Context for DiagnosticContext {}
 impl Deref for DiagnosticContext {
    type Target = DiagnosticContextSeed;
    fn deref(&self) -> &Self::Target {
--- a/backend/src/context/install.rs
+++ b/backend/src/context/install.rs
@@ -0,0 +1,58 @@
+use std::ops::Deref;
+use std::path::Path;
+use std::sync::Arc;
+
+use rpc_toolkit::Context;
+use serde::Deserialize;
+use tokio::sync::broadcast::Sender;
+use tracing::instrument;
+
+use crate::net::utils::find_eth_iface;
+use crate::util::config::load_config_from_paths;
+use crate::Error;
+
+#[derive(Debug, Default, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+pub struct InstallContextConfig {}
+impl InstallContextConfig {
+    #[instrument(skip(path))]
+    pub async fn load<P: AsRef<Path> + Send + 'static>(path: Option<P>) -> Result<Self, Error> {
+        tokio::task::spawn_blocking(move || {
+            load_config_from_paths(
+                path.as_ref()
+                    .into_iter()
+                    .map(|p| p.as_ref())
+                    .chain(std::iter::once(Path::new(crate::util::config::CONFIG_PATH))),
+            )
+        })
+        .await
+        .unwrap()
+    }
+}
+
+pub struct InstallContextSeed {
+    pub ethernet_interface: String,
+    pub shutdown: Sender<()>,
+}
+
+#[derive(Clone)]
+pub struct InstallContext(Arc<InstallContextSeed>);
+impl InstallContext {
+    #[instrument(skip(path))]
+    pub async fn init<P: AsRef<Path> + Send + 'static>(path: Option<P>) -> Result<Self, Error> {
+        let _cfg = InstallContextConfig::load(path.as_ref().map(|p| p.as_ref().to_owned())).await?;
+        let (shutdown, _) = tokio::sync::broadcast::channel(1);
+        Ok(Self(Arc::new(InstallContextSeed {
+            ethernet_interface: find_eth_iface().await?,
+            shutdown,
+        })))
+    }
+}
+
+impl Context for InstallContext {}
+impl Deref for InstallContext {
+    type Target = InstallContextSeed;
+    fn deref(&self) -> &Self::Target {
+        &*self.0
+    }
+}
--- a/backend/src/context/mod.rs
+++ b/backend/src/context/mod.rs
@@ -1,11 +1,13 @@
 pub mod cli;
 pub mod diagnostic;
+pub mod install;
 pub mod rpc;
 pub mod sdk;
 pub mod setup;

 pub use cli::CliContext;
 pub use diagnostic::DiagnosticContext;
+pub use install::InstallContext;
 pub use rpc::RpcContext;
 pub use sdk::SdkContext;
 pub use setup::SetupContext;
@@ -35,3 +37,8 @@ impl From<SetupContext> for () {
        ()
    }
 }
+impl From<InstallContext> for () {
+    fn from(_: InstallContext) -> Self {
+        ()
+    }
+}
--- a/backend/src/context/rpc.rs
+++ b/backend/src/context/rpc.rs
@@ -1,5 +1,5 @@
-use std::collections::{BTreeMap, VecDeque};
-use std::net::{IpAddr, Ipv4Addr, SocketAddr, SocketAddrV4};
+use std::collections::BTreeMap;
+use std::net::{Ipv4Addr, SocketAddr, SocketAddrV4};
 use std::ops::Deref;
 use std::path::{Path, PathBuf};
 use std::sync::atomic::{AtomicBool, Ordering};
@@ -8,44 +8,45 @@ use std::time::Duration;

 use bollard::Docker;
 use helpers::to_tmp_path;
+use josekit::jwk::Jwk;
 use patch_db::json_ptr::JsonPointer;
-use patch_db::{DbHandle, LockReceipt, LockType, PatchDb, Revision};
+use patch_db::{DbHandle, LockReceipt, LockType, PatchDb};
 use reqwest::Url;
-use rpc_toolkit::url::Host;
 use rpc_toolkit::Context;
 use serde::Deserialize;
 use sqlx::postgres::PgConnectOptions;
 use sqlx::PgPool;
-use tokio::fs::File;
-use tokio::process::Command;
 use tokio::sync::{broadcast, oneshot, Mutex, RwLock};
 use tracing::instrument;

+use crate::account::AccountInfo;
 use crate::core::rpc_continuations::{RequestGuid, RestHandler, RpcContinuation};
 use crate::db::model::{Database, InstalledPackageDataEntry, PackageDataEntry};
+use crate::disk::OsPartitionInfo;
 use crate::init::{init_postgres, pgloader};
 use crate::install::cleanup::{cleanup_failed, uninstall, CleanupFailedReceipts};
 use crate::manager::ManagerMap;
 use crate::middleware::auth::HashSessionToken;
-use crate::net::tor::os_key;
+use crate::net::net_controller::NetController;
+use crate::net::ssl::SslManager;
 use crate::net::wifi::WpaCli;
-use crate::net::NetController;
 use crate::notifications::NotificationManager;
-use crate::setup::password_hash;
 use crate::shutdown::Shutdown;
 use crate::status::{MainStatus, Status};
-use crate::util::io::from_yaml_async_reader;
-use crate::util::{AsyncFileExt, Invoke};
+use crate::util::config::load_config_from_paths;
 use crate::{Error, ErrorKind, ResultExt};

+use super::setup::CURRENT_SECRET;
+
 #[derive(Debug, Default, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct RpcContextConfig {
+    pub wifi_interface: Option<String>,
+    pub ethernet_interface: String,
+    pub os_partitions: OsPartitionInfo,
    pub migration_batch_rows: Option<usize>,
    pub migration_prefetch_rows: Option<usize>,
    pub bind_rpc: Option<SocketAddr>,
-    pub bind_ws: Option<SocketAddr>,
-    pub bind_static: Option<SocketAddr>,
    pub tor_control: Option<SocketAddr>,
    pub tor_socks: Option<SocketAddr>,
    pub dns_bind: Option<Vec<SocketAddr>>,
@@ -54,39 +55,34 @@ pub struct RpcContextConfig {
    pub log_server: Option<Url>,
 }
 impl RpcContextConfig {
-    pub async fn load<P: AsRef<Path>>(path: Option<P>) -> Result<Self, Error> {
-        let cfg_path = path
-            .as_ref()
-            .map(|p| p.as_ref())
-            .unwrap_or(Path::new(crate::util::config::CONFIG_PATH));
-        if let Some(f) = File::maybe_open(cfg_path)
-            .await
-            .with_ctx(|_| (crate::ErrorKind::Filesystem, cfg_path.display().to_string()))?
-        {
-            from_yaml_async_reader(f).await
-        } else {
-            Ok(Self::default())
-        }
+    pub async fn load<P: AsRef<Path> + Send + 'static>(path: Option<P>) -> Result<Self, Error> {
+        tokio::task::spawn_blocking(move || {
+            load_config_from_paths(
+                path.as_ref()
+                    .into_iter()
+                    .map(|p| p.as_ref())
+                    .chain(std::iter::once(Path::new(
+                        crate::util::config::DEVICE_CONFIG_PATH,
+                    )))
+                    .chain(std::iter::once(Path::new(crate::util::config::CONFIG_PATH))),
+            )
+        })
+        .await
+        .unwrap()
    }
    pub fn datadir(&self) -> &Path {
        self.datadir
            .as_deref()
            .unwrap_or_else(|| Path::new("/embassy-data"))
    }
-    pub async fn db(&self, secret_store: &PgPool) -> Result<PatchDb, Error> {
+    pub async fn db(&self, account: &AccountInfo) -> Result<PatchDb, Error> {
        let db_path = self.datadir().join("main").join("embassy.db");
        let db = PatchDb::open(&db_path)
            .await
            .with_ctx(|_| (crate::ErrorKind::Filesystem, db_path.display().to_string()))?;
        if !db.exists(&<JsonPointer>::default()).await {
-            db.put(
-                &<JsonPointer>::default(),
-                &Database::init(
-                    &os_key(&mut secret_store.acquire().await?).await?,
-                    password_hash(&mut secret_store.acquire().await?).await?,
-                ),
-            )
-            .await?;
+            db.put(&<JsonPointer>::default(), &Database::init(account))
+                .await?;
        }
        Ok(db)
    }
@@ -115,25 +111,25 @@ impl RpcContextConfig {

 pub struct RpcContextSeed {
    is_closed: AtomicBool,
-    pub bind_rpc: SocketAddr,
-    pub bind_ws: SocketAddr,
-    pub bind_static: SocketAddr,
+    pub os_partitions: OsPartitionInfo,
+    pub wifi_interface: Option<String>,
+    pub ethernet_interface: String,
    pub datadir: PathBuf,
    pub disk_guid: Arc<String>,
    pub db: PatchDb,
    pub secret_store: PgPool,
+    pub account: RwLock<AccountInfo>,
    pub docker: Docker,
-    pub net_controller: NetController,
+    pub net_controller: Arc<NetController>,
    pub managers: ManagerMap,
-    pub revision_cache_size: usize,
-    pub revision_cache: RwLock<VecDeque<Arc<Revision>>>,
    pub metrics_cache: RwLock<Option<crate::system::Metrics>>,
    pub shutdown: broadcast::Sender<Option<Shutdown>>,
    pub tor_socks: SocketAddr,
    pub notification_manager: NotificationManager,
    pub open_authed_websockets: Mutex<BTreeMap<HashSessionToken, Vec<oneshot::Sender<()>>>>,
    pub rpc_stream_continuations: Mutex<BTreeMap<RequestGuid, RpcContinuation>>,
-    pub wifi_manager: Arc<RwLock<WpaCli>>,
+    pub wifi_manager: Option<Arc<RwLock<WpaCli>>>,
+    pub current_secret: Arc<Jwk>,
 }

 pub struct RpcCleanReceipts {
@@ -174,38 +170,11 @@ impl RpcCleanReceipts {
    }
 }

-pub struct RpcSetNginxReceipts {
-    server_info: LockReceipt<crate::db::model::ServerInfo, ()>,
-}
-
-impl RpcSetNginxReceipts {
-    pub async fn new(db: &'_ mut impl DbHandle) -> Result<Self, Error> {
-        let mut locks = Vec::new();
-
-        let setup = Self::setup(&mut locks);
-        Ok(setup(&db.lock_all(locks).await?)?)
-    }
-
-    pub fn setup(
-        locks: &mut Vec<patch_db::LockTargetId>,
-    ) -> impl FnOnce(&patch_db::Verifier) -> Result<Self, Error> {
-        let server_info = crate::db::DatabaseModel::new()
-            .server_info()
-            .make_locker(LockType::Read)
-            .add_to_keys(locks);
-        move |skeleton_key| {
-            Ok(Self {
-                server_info: server_info.verify(skeleton_key)?,
-            })
-        }
-    }
-}
-
 #[derive(Clone)]
 pub struct RpcContext(Arc<RpcContextSeed>);
 impl RpcContext {
    #[instrument(skip(cfg_path))]
-    pub async fn init<P: AsRef<Path>>(
+    pub async fn init<P: AsRef<Path> + Send + 'static>(
        cfg_path: Option<P>,
        disk_guid: Arc<String>,
    ) -> Result<Self, Error> {
@@ -218,25 +187,26 @@ impl RpcContext {
        let (shutdown, _) = tokio::sync::broadcast::channel(1);
        let secret_store = base.secret_store().await?;
        tracing::info!("Opened Pg DB");
-        let db = base.db(&secret_store).await?;
+        let account = AccountInfo::load(&secret_store).await?;
+        let db = base.db(&account).await?;
        tracing::info!("Opened PatchDB");
        let mut docker = Docker::connect_with_unix_defaults()?;
        docker.set_timeout(Duration::from_secs(600));
        tracing::info!("Connected to Docker");
-        let net_controller = NetController::init(
-            ([127, 0, 0, 1], 80).into(),
-            crate::net::tor::os_key(&mut secret_store.acquire().await?).await?,
-            base.tor_control
-                .unwrap_or(SocketAddr::from(([127, 0, 0, 1], 9051))),
-            base.dns_bind
-                .as_ref()
-                .map(|v| v.as_slice())
-                .unwrap_or(&[SocketAddr::from(([127, 0, 0, 1], 53))]),
-            secret_store.clone(),
-            None,
-            &mut db.handle(),
-        )
-        .await?;
+        let net_controller = Arc::new(
+            NetController::init(
+                base.tor_control
+                    .unwrap_or(SocketAddr::from(([127, 0, 0, 1], 9051))),
+                base.dns_bind
+                    .as_ref()
+                    .map(|v| v.as_slice())
+                    .unwrap_or(&[SocketAddr::from(([127, 0, 0, 1], 53))]),
+                SslManager::new(&account)?,
+                &account.hostname,
+                &account.key,
+            )
+            .await?,
+        );
        tracing::info!("Initialized Net Controller");
        let managers = ManagerMap::default();
        let metrics_cache = RwLock::new(None);
@@ -244,25 +214,36 @@ impl RpcContext {
        tracing::info!("Initialized Notification Manager");
        let seed = Arc::new(RpcContextSeed {
            is_closed: AtomicBool::new(false),
-            bind_rpc: base.bind_rpc.unwrap_or(([127, 0, 0, 1], 5959).into()),
-            bind_ws: base.bind_ws.unwrap_or(([127, 0, 0, 1], 5960).into()),
-            bind_static: base.bind_static.unwrap_or(([127, 0, 0, 1], 5961).into()),
            datadir: base.datadir().to_path_buf(),
+            os_partitions: base.os_partitions,
+            wifi_interface: base.wifi_interface.clone(),
+            ethernet_interface: base.ethernet_interface,
            disk_guid,
            db,
            secret_store,
+            account: RwLock::new(account),
            docker,
            net_controller,
            managers,
-            revision_cache_size: base.revision_cache_size.unwrap_or(512),
-            revision_cache: RwLock::new(VecDeque::new()),
            metrics_cache,
            shutdown,
            tor_socks: tor_proxy,
            notification_manager,
            open_authed_websockets: Mutex::new(BTreeMap::new()),
            rpc_stream_continuations: Mutex::new(BTreeMap::new()),
-            wifi_manager: Arc::new(RwLock::new(WpaCli::init("wlan0".to_string()))),
+            wifi_manager: base
+                .wifi_interface
+                .map(|i| Arc::new(RwLock::new(WpaCli::init(i)))),
+            current_secret: Arc::new(
+                Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).map_err(|e| {
+                    tracing::debug!("{:?}", e);
+                    tracing::error!("Couldn't generate ec key");
+                    Error::new(
+                        color_eyre::eyre::eyre!("Couldn't generate ec key"),
+                        crate::ErrorKind::Unknown,
+                    )
+                })?,
+            ),
        });

        let res = Self(seed);
@@ -279,39 +260,13 @@ impl RpcContext {
        Ok(res)
    }

-    #[instrument(skip(self, db, receipts))]
-    pub async fn set_nginx_conf<Db: DbHandle>(
-        &self,
-        db: &mut Db,
-        receipts: RpcSetNginxReceipts,
-    ) -> Result<(), Error> {
-        tokio::fs::write("/etc/nginx/sites-available/default", {
-            let info = receipts.server_info.get(db).await?;
-            format!(
-                include_str!("../nginx/main-ui.conf.template"),
-                lan_hostname = info.lan_address.host_str().unwrap(),
-                tor_hostname = info.tor_address.host_str().unwrap(),
-            )
-        })
-        .await
-        .with_ctx(|_| {
-            (
-                crate::ErrorKind::Filesystem,
-                "/etc/nginx/sites-available/default",
-            )
-        })?;
-        Command::new("systemctl")
-            .arg("reload")
-            .arg("nginx")
-            .invoke(crate::ErrorKind::Nginx)
-            .await?;
-        Ok(())
-    }
    #[instrument(skip(self))]
    pub async fn shutdown(self) -> Result<(), Error> {
        self.managers.empty().await?;
        self.secret_store.close().await;
        self.is_closed.store(true, Ordering::SeqCst);
+        tracing::info!("RPC Context is shutdown");
+        // TODO: shutdown http servers
        Ok(())
    }

@@ -445,17 +400,12 @@ impl RpcContext {
        }
    }
 }
-impl Context for RpcContext {
-    fn host(&self) -> Host<&str> {
-        match self.0.bind_rpc.ip() {
-            IpAddr::V4(a) => Host::Ipv4(a),
-            IpAddr::V6(a) => Host::Ipv6(a),
-        }
-    }
-    fn port(&self) -> u16 {
-        self.0.bind_rpc.port()
+impl AsRef<Jwk> for RpcContext {
+    fn as_ref(&self) -> &Jwk {
+        &*CURRENT_SECRET
    }
 }
+impl Context for RpcContext {}
 impl Deref for RpcContext {
    type Target = RpcContextSeed;
    fn deref(&self) -> &Self::Target {
--- a/backend/src/context/setup.rs
+++ b/backend/src/context/setup.rs
@@ -1,4 +1,3 @@
-use std::net::{IpAddr, SocketAddr};
 use std::ops::Deref;
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
@@ -11,20 +10,26 @@ use rpc_toolkit::Context;
 use serde::{Deserialize, Serialize};
 use sqlx::postgres::PgConnectOptions;
 use sqlx::PgPool;
-use tokio::fs::File;
 use tokio::sync::broadcast::Sender;
 use tokio::sync::RwLock;
 use tracing::instrument;
-use url::Host;

+use crate::account::AccountInfo;
 use crate::db::model::Database;
+use crate::disk::OsPartitionInfo;
 use crate::init::{init_postgres, pgloader};
-use crate::net::tor::os_key;
-use crate::setup::{password_hash, RecoveryStatus};
-use crate::util::io::from_yaml_async_reader;
-use crate::util::AsyncFileExt;
+use crate::setup::SetupStatus;
+use crate::util::config::load_config_from_paths;
 use crate::{Error, ResultExt};

+lazy_static::lazy_static! {
+    pub static ref CURRENT_SECRET: Jwk = Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).unwrap_or_else(|e| {
+        tracing::debug!("{:?}", e);
+        tracing::error!("Couldn't generate ec key");
+        panic!("Couldn't generate ec key")
+    });
+}
+
 #[derive(Clone, Serialize, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct SetupResult {
@@ -36,26 +41,27 @@ pub struct SetupResult {
 #[derive(Debug, Default, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct SetupContextConfig {
+    pub os_partitions: OsPartitionInfo,
    pub migration_batch_rows: Option<usize>,
    pub migration_prefetch_rows: Option<usize>,
-    pub bind_rpc: Option<SocketAddr>,
    pub datadir: Option<PathBuf>,
 }
 impl SetupContextConfig {
    #[instrument(skip(path))]
-    pub async fn load<P: AsRef<Path>>(path: Option<P>) -> Result<Self, Error> {
-        let cfg_path = path
-            .as_ref()
-            .map(|p| p.as_ref())
-            .unwrap_or(Path::new(crate::util::config::CONFIG_PATH));
-        if let Some(f) = File::maybe_open(cfg_path)
-            .await
-            .with_ctx(|_| (crate::ErrorKind::Filesystem, cfg_path.display().to_string()))?
-        {
-            from_yaml_async_reader(f).await
-        } else {
-            Ok(Self::default())
-        }
+    pub async fn load<P: AsRef<Path> + Send + 'static>(path: Option<P>) -> Result<Self, Error> {
+        tokio::task::spawn_blocking(move || {
+            load_config_from_paths(
+                path.as_ref()
+                    .into_iter()
+                    .map(|p| p.as_ref())
+                    .chain(std::iter::once(Path::new(
+                        crate::util::config::DEVICE_CONFIG_PATH,
+                    )))
+                    .chain(std::iter::once(Path::new(crate::util::config::CONFIG_PATH))),
+            )
+        })
+        .await
+        .unwrap()
    }
    pub fn datadir(&self) -> &Path {
        self.datadir
@@ -65,24 +71,21 @@ impl SetupContextConfig {
 }

 pub struct SetupContextSeed {
+    pub os_partitions: OsPartitionInfo,
    pub config_path: Option<PathBuf>,
    pub migration_batch_rows: usize,
    pub migration_prefetch_rows: usize,
-    pub bind_rpc: SocketAddr,
    pub shutdown: Sender<()>,
    pub datadir: PathBuf,
-    /// Used to encrypt for hidding from snoopers for setups create password
-    /// Set via path
-    pub current_secret: Arc<Jwk>,
    pub selected_v2_drive: RwLock<Option<PathBuf>>,
    pub cached_product_key: RwLock<Option<Arc<String>>>,
-    pub recovery_status: RwLock<Option<Result<RecoveryStatus, RpcError>>>,
+    pub setup_status: RwLock<Option<Result<SetupStatus, RpcError>>>,
    pub setup_result: RwLock<Option<(Arc<String>, SetupResult)>>,
 }

 impl AsRef<Jwk> for SetupContextSeed {
    fn as_ref(&self) -> &Jwk {
-        &self.current_secret
+        &*CURRENT_SECRET
    }
 }

@@ -90,48 +93,32 @@ impl AsRef<Jwk> for SetupContextSeed {
 pub struct SetupContext(Arc<SetupContextSeed>);
 impl SetupContext {
    #[instrument(skip(path))]
-    pub async fn init<P: AsRef<Path>>(path: Option<P>) -> Result<Self, Error> {
-        let cfg = SetupContextConfig::load(path.as_ref()).await?;
+    pub async fn init<P: AsRef<Path> + Send + 'static>(path: Option<P>) -> Result<Self, Error> {
+        let cfg = SetupContextConfig::load(path.as_ref().map(|p| p.as_ref().to_owned())).await?;
        let (shutdown, _) = tokio::sync::broadcast::channel(1);
        let datadir = cfg.datadir().to_owned();
        Ok(Self(Arc::new(SetupContextSeed {
+            os_partitions: cfg.os_partitions,
            config_path: path.as_ref().map(|p| p.as_ref().to_owned()),
            migration_batch_rows: cfg.migration_batch_rows.unwrap_or(25000),
            migration_prefetch_rows: cfg.migration_prefetch_rows.unwrap_or(100_000),
-            bind_rpc: cfg.bind_rpc.unwrap_or(([127, 0, 0, 1], 5959).into()),
            shutdown,
            datadir,
-            current_secret: Arc::new(
-                Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).map_err(|e| {
-                    tracing::debug!("{:?}", e);
-                    tracing::error!("Couldn't generate ec key");
-                    Error::new(
-                        color_eyre::eyre::eyre!("Couldn't generate ec key"),
-                        crate::ErrorKind::Unknown,
-                    )
-                })?,
-            ),
            selected_v2_drive: RwLock::new(None),
            cached_product_key: RwLock::new(None),
-            recovery_status: RwLock::new(None),
+            setup_status: RwLock::new(None),
            setup_result: RwLock::new(None),
        })))
    }
    #[instrument(skip(self))]
-    pub async fn db(&self, secret_store: &PgPool) -> Result<PatchDb, Error> {
+    pub async fn db(&self, account: &AccountInfo) -> Result<PatchDb, Error> {
        let db_path = self.datadir.join("main").join("embassy.db");
        let db = PatchDb::open(&db_path)
            .await
            .with_ctx(|_| (crate::ErrorKind::Filesystem, db_path.display().to_string()))?;
        if !db.exists(&<JsonPointer>::default()).await {
-            db.put(
-                &<JsonPointer>::default(),
-                &Database::init(
-                    &os_key(&mut secret_store.acquire().await?).await?,
-                    password_hash(&mut secret_store.acquire().await?).await?,
-                ),
-            )
-            .await?;
+            db.put(&<JsonPointer>::default(), &Database::init(account))
+                .await?;
        }
        Ok(db)
    }
@@ -158,17 +145,7 @@ impl SetupContext {
    }
 }

-impl Context for SetupContext {
-    fn host(&self) -> Host<&str> {
-        match self.0.bind_rpc.ip() {
-            IpAddr::V4(a) => Host::Ipv4(a),
-            IpAddr::V6(a) => Host::Ipv6(a),
-        }
-    }
-    fn port(&self) -> u16 {
-        self.0.bind_rpc.port()
-    }
-}
+impl Context for SetupContext {}
 impl Deref for SetupContext {
    type Target = SetupContextSeed;
    fn deref(&self) -> &Self::Target {
--- a/backend/src/control.rs
+++ b/backend/src/control.rs
@@ -121,13 +121,14 @@ impl StopReceipts {
 }

 #[instrument(skip(db))]
-async fn stop_common<Db: DbHandle>(
+pub async fn stop_common<Db: DbHandle>(
    db: &mut Db,
    id: &PackageId,
    breakages: &mut BTreeMap<PackageId, TaggedDependencyError>,
-) -> Result<(), Error> {
+) -> Result<MainStatus, Error> {
    let mut tx = db.begin().await?;
    let receipts = StopReceipts::new(&mut tx, id).await?;
+    let last_status = receipts.status.get(&mut tx).await?;
    receipts.status.set(&mut tx, MainStatus::Stopping).await?;

    tx.save().await?;
@@ -140,7 +141,7 @@ async fn stop_common<Db: DbHandle>(
    )
    .await?;

-    Ok(())
+    Ok(last_status)
 }

 #[command(
@@ -170,15 +171,15 @@ pub async fn stop_dry(
 }

 #[instrument(skip(ctx))]
-pub async fn stop_impl(ctx: RpcContext, id: PackageId) -> Result<(), Error> {
+pub async fn stop_impl(ctx: RpcContext, id: PackageId) -> Result<MainStatus, Error> {
    let mut db = ctx.db.handle();
    let mut tx = db.begin().await?;

-    stop_common(&mut tx, &id, &mut BTreeMap::new()).await?;
+    let last_statuts = stop_common(&mut tx, &id, &mut BTreeMap::new()).await?;

    tx.commit().await?;

-    Ok(())
+    Ok(last_statuts)
 }

 #[command(display(display_none), metadata(sync_db = true))]
--- a/backend/src/db/mod.rs
+++ b/backend/src/db/mod.rs
@@ -132,7 +132,7 @@ pub async fn subscribe(ctx: RpcContext, req: Request<Body>) -> Result<Response<B
    let (parts, body) = req.into_parts();
    let session = match async {
        let token = HashSessionToken::from_request_parts(&parts)?;
-        let session = HasValidSession::from_session(&token, &ctx).await?;
+        let session = HasValidSession::from_request_parts(&parts, &ctx).await?;
        Ok::<_, Error>((session, token))
    }
    .await
--- a/backend/src/db/model.rs
+++ b/backend/src/db/model.rs
@@ -1,25 +1,31 @@
 use std::collections::{BTreeMap, BTreeSet};
+use std::net::{Ipv4Addr, Ipv6Addr};
 use std::sync::Arc;

 use chrono::{DateTime, Utc};
 use emver::VersionRange;
+use ipnet::{Ipv4Net, Ipv6Net};
 use isocountry::CountryCode;
+use itertools::Itertools;
+use openssl::hash::MessageDigest;
 use patch_db::json_ptr::JsonPointer;
 use patch_db::{HasModel, Map, MapModel, OptionModel};
 use reqwest::Url;
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
-use torut::onion::TorSecretKeyV3;
+use ssh_key::public::Ed25519PublicKey;

+use crate::account::AccountInfo;
 use crate::config::spec::{PackagePointerSpec, SystemPointerSpec};
-use crate::hostname::{generate_hostname, generate_id};
 use crate::install::progress::InstallProgress;
 use crate::net::interface::InterfaceId;
+use crate::net::utils::{get_iface_ipv4_addr, get_iface_ipv6_addr};
 use crate::s9pk::manifest::{Manifest, ManifestModel, PackageId};
 use crate::status::health_check::HealthCheckId;
 use crate::status::Status;
 use crate::util::Version;
 use crate::version::{Current, VersionT};
+use crate::Error;

 #[derive(Debug, Deserialize, Serialize, HasModel)]
 #[serde(rename_all = "kebab-case")]
@@ -28,28 +34,25 @@ pub struct Database {
    pub server_info: ServerInfo,
    #[model]
    pub package_data: AllPackageData,
-    #[model]
-    pub recovered_packages: BTreeMap<PackageId, RecoveredPackageInfo>,
    pub ui: Value,
 }
 impl Database {
-    pub fn init(tor_key: &TorSecretKeyV3, password_hash: String) -> Self {
-        let id = generate_id();
-        let my_hostname = generate_hostname();
-        let lan_address = my_hostname.lan_address().parse().unwrap();
+    pub fn init(account: &AccountInfo) -> Self {
+        let lan_address = account.hostname.lan_address().parse().unwrap();
        // TODO
        Database {
            server_info: ServerInfo {
-                id,
+                id: account.server_id.clone(),
                version: Current::new().semver().into(),
-                hostname: Some(my_hostname.0),
+                hostname: Some(account.hostname.no_dot_host_name()),
                last_backup: None,
                last_wifi_region: None,
                eos_version_compat: Current::new().compat().clone(),
                lan_address,
-                tor_address: format!("http://{}", tor_key.public().get_onion_address())
+                tor_address: format!("http://{}", account.key.tor_address())
                    .parse()
                    .unwrap(),
+                ip_info: BTreeMap::new(),
                status_info: ServerStatus {
                    backup_progress: None,
                    updated: false,
@@ -65,10 +68,20 @@ impl Database {
                    tor: Vec::new(),
                    clearnet: Vec::new(),
                },
-                password_hash,
+                password_hash: account.password.clone(),
+                pubkey: ssh_key::PublicKey::from(Ed25519PublicKey::from(&account.key.ssh_key()))
+                    .to_openssh()
+                    .unwrap(),
+                ca_fingerprint: account
+                    .root_ca_cert
+                    .digest(MessageDigest::sha256())
+                    .unwrap()
+                    .iter()
+                    .map(|x| format!("{x:X}"))
+                    .join(":"),
+                system_start_time: Utc::now().to_rfc3339(),
            },
            package_data: AllPackageData::default(),
-            recovered_packages: BTreeMap::new(),
            ui: serde_json::from_str(include_str!("../../../frontend/patchdb-ui-seed.json"))
                .unwrap(),
        }
@@ -93,12 +106,38 @@ pub struct ServerInfo {
    pub lan_address: Url,
    pub tor_address: Url,
    #[model]
+    pub ip_info: BTreeMap<String, IpInfo>,
+    #[model]
    #[serde(default)]
    pub status_info: ServerStatus,
    pub wifi: WifiInfo,
    pub unread_notification_count: u64,
    pub connection_addresses: ConnectionAddresses,
    pub password_hash: String,
+    pub pubkey: String,
+    pub ca_fingerprint: String,
+    pub system_start_time: String,
+}
+
+#[derive(Debug, Deserialize, Serialize, HasModel)]
+#[serde(rename_all = "kebab-case")]
+pub struct IpInfo {
+    pub ipv4_range: Option<Ipv4Net>,
+    pub ipv4: Option<Ipv4Addr>,
+    pub ipv6_range: Option<Ipv6Net>,
+    pub ipv6: Option<Ipv6Addr>,
+}
+impl IpInfo {
+    pub async fn for_interface(iface: &str) -> Result<Self, Error> {
+        let (ipv4, ipv4_range) = get_iface_ipv4_addr(iface).await?.unzip();
+        let (ipv6, ipv6_range) = get_iface_ipv6_addr(iface).await?.unzip();
+        Ok(Self {
+            ipv4_range,
+            ipv4,
+            ipv6_range,
+            ipv6,
+        })
+    }
 }

 #[derive(Debug, Default, Deserialize, Serialize, HasModel)]
@@ -240,6 +279,15 @@ impl PackageDataEntry {
            PackageDataEntry::Installed { manifest, .. } => manifest,
        }
    }
+    pub fn manifest_borrow(&self) -> &Manifest {
+        match self {
+            PackageDataEntry::Installing { manifest, .. } => manifest,
+            PackageDataEntry::Updating { manifest, .. } => manifest,
+            PackageDataEntry::Restoring { manifest, .. } => manifest,
+            PackageDataEntry::Removing { manifest, .. } => manifest,
+            PackageDataEntry::Installed { manifest, .. } => manifest,
+        }
+    }
 }
 impl PackageDataEntryModel {
    pub fn installed(self) -> OptionModel<InstalledPackageDataEntry> {
--- a/backend/src/dependencies.rs
+++ b/backend/src/dependencies.rs
@@ -19,6 +19,7 @@ use crate::config::spec::PackagePointerSpec;
 use crate::config::{not_found, Config, ConfigReceipts, ConfigSpec};
 use crate::context::RpcContext;
 use crate::db::model::{CurrentDependencies, CurrentDependents, InstalledPackageDataEntry};
+use crate::procedure::docker::DockerContainers;
 use crate::procedure::{NoOutput, PackageProcedure, ProcedureName};
 use crate::s9pk::manifest::{Manifest, PackageId};
 use crate::status::health_check::{HealthCheckId, HealthCheckResult};
@@ -63,6 +64,7 @@ pub struct TryHealReceipts {
    manifest_version: LockReceipt<Version, String>,
    current_dependencies: LockReceipt<CurrentDependencies, String>,
    dependency_errors: LockReceipt<DependencyErrors, String>,
+    docker_containers: LockReceipt<DockerContainers, String>,
 }

 impl TryHealReceipts {
@@ -110,6 +112,13 @@ impl TryHealReceipts {
            .map(|x| x.status().dependency_errors())
            .make_locker(LockType::Write)
            .add_to_keys(locks);
+        let docker_containers = crate::db::DatabaseModel::new()
+            .package_data()
+            .star()
+            .installed()
+            .and_then(|x| x.manifest().containers())
+            .make_locker(LockType::Write)
+            .add_to_keys(locks);
        move |skeleton_key| {
            Ok(Self {
                status: status.verify(skeleton_key)?,
@@ -117,6 +126,7 @@ impl TryHealReceipts {
                current_dependencies: current_dependencies.verify(skeleton_key)?,
                manifest: manifest.verify(skeleton_key)?,
                dependency_errors: dependency_errors.verify(skeleton_key)?,
+                docker_containers: docker_containers.verify(skeleton_key)?,
            })
        }
    }
@@ -193,6 +203,7 @@ impl DependencyError {
        receipts: &'a TryHealReceipts,
    ) -> BoxFuture<'a, Result<Option<Self>, Error>> {
        async move {
+            let container = receipts.docker_containers.get(db, id).await?;
            Ok(match self {
                DependencyError::NotInstalled => {
                    if receipts.status.get(db, dependency).await?.is_some() {
@@ -254,6 +265,7 @@ impl DependencyError {
                        if let Err(error) = cfg_req
                            .check(
                                ctx,
+                                &container,
                                id,
                                &dependent_manifest.version,
                                &dependent_manifest.volumes,
@@ -494,6 +506,7 @@ impl DependencyConfig {
    pub async fn check(
        &self,
        ctx: &RpcContext,
+        container: &Option<DockerContainers>,
        dependent_id: &PackageId,
        dependent_version: &Version,
        dependent_volumes: &Volumes,
@@ -503,6 +516,7 @@ impl DependencyConfig {
        Ok(self
            .check
            .sandboxed(
+                container,
                ctx,
                dependent_id,
                dependent_version,
@@ -517,6 +531,7 @@ impl DependencyConfig {
    pub async fn auto_configure(
        &self,
        ctx: &RpcContext,
+        container: &Option<DockerContainers>,
        dependent_id: &PackageId,
        dependent_version: &Version,
        dependent_volumes: &Volumes,
@@ -524,6 +539,7 @@ impl DependencyConfig {
    ) -> Result<Config, Error> {
        self.auto_configure
            .sandboxed(
+                container,
                ctx,
                dependent_id,
                dependent_version,
@@ -545,6 +561,7 @@ pub struct DependencyConfigReceipts {
    dependency_config_action: LockReceipt<ConfigActions, ()>,
    package_volumes: LockReceipt<Volumes, ()>,
    package_version: LockReceipt<Version, ()>,
+    docker_containers: LockReceipt<DockerContainers, String>,
 }

 impl DependencyConfigReceipts {
@@ -607,6 +624,13 @@ impl DependencyConfigReceipts {
            .map(|x| x.manifest().version())
            .make_locker(LockType::Write)
            .add_to_keys(locks);
+        let docker_containers = crate::db::DatabaseModel::new()
+            .package_data()
+            .star()
+            .installed()
+            .and_then(|x| x.manifest().containers())
+            .make_locker(LockType::Write)
+            .add_to_keys(locks);
        move |skeleton_key| {
            Ok(Self {
                config: config(skeleton_key)?,
@@ -616,6 +640,7 @@ impl DependencyConfigReceipts {
                dependency_config_action: dependency_config_action.verify(&skeleton_key)?,
                package_volumes: package_volumes.verify(&skeleton_key)?,
                package_version: package_version.verify(&skeleton_key)?,
+                docker_containers: docker_containers.verify(&skeleton_key)?,
            })
        }
    }
@@ -690,6 +715,7 @@ pub async fn configure_logic(
    let dependency_version = receipts.dependency_version.get(db).await?;
    let dependency_volumes = receipts.dependency_volumes.get(db).await?;
    let dependencies = receipts.dependencies.get(db).await?;
+    let pkg_docker_container = receipts.docker_containers.get(db, &*pkg_id).await?;

    let dependency = dependencies
        .0
@@ -740,6 +766,7 @@ pub async fn configure_logic(
    let new_config = dependency
        .auto_configure
        .sandboxed(
+            &pkg_docker_container,
            &ctx,
            &pkg_id,
            &pkg_version,
--- a/backend/src/diagnostic.rs
+++ b/backend/src/diagnostic.rs
@@ -6,6 +6,7 @@ use rpc_toolkit::yajrc::RpcError;

 use crate::context::DiagnosticContext;
 use crate::disk::repair;
+use crate::init::SYSTEM_REBUILD_PATH;
 use crate::logs::{fetch_logs, LogResponse, LogSource};
 use crate::shutdown::Shutdown;
 use crate::util::display_none;
@@ -13,7 +14,7 @@ use crate::Error;

 pub const SYSTEMD_UNIT: &'static str = "embassy-init";

-#[command(subcommands(error, logs, exit, restart, forget_disk, disk))]
+#[command(subcommands(error, logs, exit, restart, forget_disk, disk, rebuild))]
 pub fn diagnostic() -> Result<(), Error> {
    Ok(())
 }
@@ -44,13 +45,18 @@ pub fn restart(#[context] ctx: DiagnosticContext) -> Result<(), Error> {
        .send(Some(Shutdown {
            datadir: ctx.datadir.clone(),
            disk_guid: ctx.disk_guid.clone(),
-            db_handle: None,
            restart: true,
        }))
        .expect("receiver dropped");
    Ok(())
 }

+#[command(display(display_none))]
+pub async fn rebuild(#[context] ctx: DiagnosticContext) -> Result<(), Error> {
+    tokio::fs::write(SYSTEM_REBUILD_PATH, b"").await?;
+    restart(ctx)
+}
+
 #[command(subcommands(forget_disk, repair))]
 pub fn disk() -> Result<(), Error> {
    Ok(())
@@ -58,7 +64,7 @@ pub fn disk() -> Result<(), Error> {

 #[command(rename = "forget", display(display_none))]
 pub async fn forget_disk() -> Result<(), Error> {
-    let disk_guid = Path::new("/embassy-os/disk.guid");
+    let disk_guid = Path::new("/media/embassy/config/disk.guid");
    if tokio::fs::metadata(disk_guid).await.is_ok() {
        tokio::fs::remove_file(disk_guid).await?;
    }
--- a/backend/src/disk/fsck.rs
+++ b/backend/src/disk/fsck.rs
@@ -63,7 +63,7 @@ fn backup_existing_undo_file<'a>(path: &'a Path) -> BoxFuture<'a, Result<(), Err
 pub async fn e2fsck_aggressive(
    logicalname: impl AsRef<Path> + std::fmt::Debug,
 ) -> Result<RequiresReboot, Error> {
-    let undo_path = Path::new("/embassy-os")
+    let undo_path = Path::new("/media/embassy/config")
        .join(
            logicalname
                .as_ref()
--- a/backend/src/disk/mod.rs
+++ b/backend/src/disk/mod.rs
@@ -1,6 +1,10 @@
+use std::path::{Path, PathBuf};
+
 use clap::ArgMatches;
 use rpc_toolkit::command;
+use serde::{Deserialize, Serialize};

+use crate::context::RpcContext;
 use crate::disk::util::DiskInfo;
 use crate::util::display_none;
 use crate::util::serde::{display_serializable, IoFormat};
@@ -12,7 +16,25 @@ pub mod mount;
 pub mod util;

 pub const BOOT_RW_PATH: &str = "/media/boot-rw";
-pub const REPAIR_DISK_PATH: &str = "/embassy-os/repair-disk";
+pub const REPAIR_DISK_PATH: &str = "/media/embassy/config/repair-disk";
+
+#[derive(Clone, Debug, Default, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub struct OsPartitionInfo {
+    pub efi: Option<PathBuf>,
+    pub boot: PathBuf,
+    pub root: PathBuf,
+}
+impl OsPartitionInfo {
+    pub fn contains(&self, logicalname: impl AsRef<Path>) -> bool {
+        self.efi
+            .as_ref()
+            .map(|p| p == logicalname.as_ref())
+            .unwrap_or(false)
+            || &*self.boot == logicalname.as_ref()
+            || &*self.root == logicalname.as_ref()
+    }
+}

 #[command(subcommands(list, repair))]
 pub fn disk() -> Result<(), Error> {
@@ -75,11 +97,12 @@ fn display_disk_info(info: Vec<DiskInfo>, matches: &ArgMatches) {

 #[command(display(display_disk_info))]
 pub async fn list(
+    #[context] ctx: RpcContext,
    #[allow(unused_variables)]
    #[arg]
    format: Option<IoFormat>,
 ) -> Result<Vec<DiskInfo>, Error> {
-    crate::disk::util::list().await
+    crate::disk::util::list(&ctx.os_partitions).await
 }

 #[command(display(display_none))]
--- a/backend/src/disk/mount/filesystem/bind.rs
+++ b/backend/src/disk/mount/filesystem/bind.rs
@@ -0,0 +1,54 @@
+use std::os::unix::ffi::OsStrExt;
+use std::path::Path;
+
+use async_trait::async_trait;
+use digest::generic_array::GenericArray;
+use digest::{Digest, OutputSizeUser};
+use sha2::Sha256;
+
+use super::{FileSystem, MountType, ReadOnly};
+use crate::disk::mount::util::bind;
+use crate::{Error, ResultExt};
+
+pub struct Bind<SrcDir: AsRef<Path>> {
+    src_dir: SrcDir,
+}
+impl<SrcDir: AsRef<Path>> Bind<SrcDir> {
+    pub fn new(src_dir: SrcDir) -> Self {
+        Self { src_dir }
+    }
+}
+#[async_trait]
+impl<SrcDir: AsRef<Path> + Send + Sync> FileSystem for Bind<SrcDir> {
+    async fn mount<P: AsRef<Path> + Send + Sync>(
+        &self,
+        mountpoint: P,
+        mount_type: MountType,
+    ) -> Result<(), Error> {
+        bind(
+            self.src_dir.as_ref(),
+            mountpoint,
+            matches!(mount_type, ReadOnly),
+        )
+        .await
+    }
+    async fn source_hash(
+        &self,
+    ) -> Result<GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>, Error> {
+        let mut sha = Sha256::new();
+        sha.update("Bind");
+        sha.update(
+            tokio::fs::canonicalize(self.src_dir.as_ref())
+                .await
+                .with_ctx(|_| {
+                    (
+                        crate::ErrorKind::Filesystem,
+                        self.src_dir.as_ref().display().to_string(),
+                    )
+                })?
+                .as_os_str()
+                .as_bytes(),
+        );
+        Ok(sha.finalize())
+    }
+}
--- a/backend/src/disk/mount/filesystem/efivarfs.rs
+++ b/backend/src/disk/mount/filesystem/efivarfs.rs
@@ -0,0 +1,40 @@
+use std::os::unix::ffi::OsStrExt;
+use std::path::Path;
+
+use async_trait::async_trait;
+use digest::generic_array::GenericArray;
+use digest::{Digest, OutputSizeUser};
+use sha2::Sha256;
+
+use super::{FileSystem, MountType, ReadOnly};
+use crate::util::Invoke;
+use crate::{Error, ResultExt};
+
+pub struct EfiVarFs;
+#[async_trait]
+impl FileSystem for EfiVarFs {
+    async fn mount<P: AsRef<Path> + Send + Sync>(
+        &self,
+        mountpoint: P,
+        mount_type: MountType,
+    ) -> Result<(), Error> {
+        tokio::fs::create_dir_all(mountpoint.as_ref()).await?;
+        let mut cmd = tokio::process::Command::new("mount");
+        cmd.arg("-t")
+            .arg("efivarfs")
+            .arg("efivarfs")
+            .arg(mountpoint.as_ref());
+        if mount_type == ReadOnly {
+            cmd.arg("-o").arg("ro");
+        }
+        cmd.invoke(crate::ErrorKind::Filesystem).await?;
+        Ok(())
+    }
+    async fn source_hash(
+        &self,
+    ) -> Result<GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>, Error> {
+        let mut sha = Sha256::new();
+        sha.update("EfiVarFs");
+        Ok(sha.finalize())
+    }
+}
--- a/backend/src/disk/mount/filesystem/httpdirfs.rs
+++ b/backend/src/disk/mount/filesystem/httpdirfs.rs
@@ -0,0 +1,52 @@
+use std::path::Path;
+
+use async_trait::async_trait;
+use digest::generic_array::GenericArray;
+use digest::{Digest, OutputSizeUser};
+use reqwest::Url;
+use serde::{Deserialize, Serialize};
+use sha2::Sha256;
+
+use super::{FileSystem, MountType};
+use crate::util::Invoke;
+use crate::Error;
+
+pub async fn mount_httpdirfs(url: &Url, mountpoint: impl AsRef<Path>) -> Result<(), Error> {
+    tokio::fs::create_dir_all(mountpoint.as_ref()).await?;
+    let mut cmd = tokio::process::Command::new("httpdirfs");
+    cmd.arg("--cache")
+        .arg("--single-file-mode")
+        .arg(url.as_str())
+        .arg(mountpoint.as_ref());
+    cmd.invoke(crate::ErrorKind::Filesystem).await?;
+    Ok(())
+}
+
+#[derive(Debug, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub struct HttpDirFS {
+    url: Url,
+}
+impl HttpDirFS {
+    pub fn new(url: Url) -> Self {
+        HttpDirFS { url }
+    }
+}
+#[async_trait]
+impl FileSystem for HttpDirFS {
+    async fn mount<P: AsRef<Path> + Send + Sync>(
+        &self,
+        mountpoint: P,
+        _mount_type: MountType,
+    ) -> Result<(), Error> {
+        mount_httpdirfs(&self.url, mountpoint).await
+    }
+    async fn source_hash(
+        &self,
+    ) -> Result<GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>, Error> {
+        let mut sha = Sha256::new();
+        sha.update("HttpDirFS");
+        sha.update(self.url.as_str());
+        Ok(sha.finalize())
+    }
+}
--- a/backend/src/disk/mount/filesystem/mod.rs
+++ b/backend/src/disk/mount/filesystem/mod.rs
@@ -7,9 +7,12 @@ use sha2::Sha256;

 use crate::Error;

+pub mod bind;
 pub mod block_dev;
 pub mod cifs;
 pub mod ecryptfs;
+pub mod efivarfs;
+pub mod httpdirfs;
 pub mod label;

 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
--- a/backend/src/disk/mount/guard.rs
+++ b/backend/src/disk/mount/guard.rs
@@ -3,6 +3,7 @@ use std::path::{Path, PathBuf};
 use std::sync::{Arc, Weak};

 use lazy_static::lazy_static;
+use models::ResultExt;
 use tokio::sync::Mutex;
 use tracing::instrument;

@@ -11,7 +12,7 @@ use super::util::unmount;
 use crate::util::Invoke;
 use crate::Error;

-pub const TMP_MOUNTPOINT: &'static str = "/media/embassy-os/tmp";
+pub const TMP_MOUNTPOINT: &'static str = "/media/embassy/tmp";

 #[async_trait::async_trait]
 pub trait GenericMountGuard: AsRef<Path> + std::fmt::Debug + Send + Sync + 'static {
@@ -36,9 +37,21 @@ impl MountGuard {
            mounted: true,
        })
    }
-    pub async fn unmount(mut self) -> Result<(), Error> {
+    pub async fn unmount(mut self, delete_mountpoint: bool) -> Result<(), Error> {
        if self.mounted {
            unmount(&self.mountpoint).await?;
+            if delete_mountpoint {
+                match tokio::fs::remove_dir(&self.mountpoint).await {
+                    Err(e) if e.raw_os_error() == Some(39) => Ok(()), // directory not empty
+                    a => a,
+                }
+                .with_ctx(|_| {
+                    (
+                        crate::ErrorKind::Filesystem,
+                        format!("rm {}", self.mountpoint.display()),
+                    )
+                })?;
+            }
            self.mounted = false;
        }
        Ok(())
@@ -60,7 +73,7 @@ impl Drop for MountGuard {
 #[async_trait::async_trait]
 impl GenericMountGuard for MountGuard {
    async fn unmount(mut self) -> Result<(), Error> {
-        MountGuard::unmount(self).await
+        MountGuard::unmount(self, false).await
    }
 }

@@ -111,7 +124,7 @@ impl TmpMountGuard {
    }
    pub async fn unmount(self) -> Result<(), Error> {
        if let Ok(guard) = Arc::try_unwrap(self.guard) {
-            guard.unmount().await?;
+            guard.unmount(true).await?;
        }
        Ok(())
    }
--- a/backend/src/disk/mount/util.rs
+++ b/backend/src/disk/mount/util.rs
@@ -48,15 +48,5 @@ pub async fn unmount<P: AsRef<Path>>(mountpoint: P) -> Result<(), Error> {
        .arg(mountpoint.as_ref())
        .invoke(crate::ErrorKind::Filesystem)
        .await?;
-    match tokio::fs::remove_dir(mountpoint.as_ref()).await {
-        Err(e) if e.raw_os_error() == Some(39) => Ok(()), // directory not empty
-        a => a,
-    }
-    .with_ctx(|_| {
-        (
-            crate::ErrorKind::Filesystem,
-            format!("rm {}", mountpoint.as_ref().display()),
-        )
-    })?;
    Ok(())
 }
--- a/backend/src/disk/util.rs
+++ b/backend/src/disk/util.rs
@@ -12,22 +12,29 @@ use nom::sequence::{pair, preceded, terminated};
 use nom::IResult;
 use regex::Regex;
 use serde::{Deserialize, Serialize};
-use tokio::fs::File;
 use tokio::process::Command;
 use tracing::instrument;

 use super::mount::filesystem::block_dev::BlockDev;
 use super::mount::filesystem::ReadOnly;
 use super::mount::guard::TmpMountGuard;
-use crate::util::io::from_yaml_async_reader;
+use crate::disk::OsPartitionInfo;
 use crate::util::serde::IoFormat;
 use crate::util::{Invoke, Version};
 use crate::{Error, ResultExt as _};

+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub enum PartitionTable {
+    Mbr,
+    Gpt,
+}
+
 #[derive(Clone, Debug, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct DiskInfo {
    pub logicalname: PathBuf,
+    pub partition_table: Option<PartitionTable>,
    pub vendor: Option<String>,
    pub model: Option<String>,
    pub partitions: Vec<PartitionInfo>,
@@ -43,6 +50,7 @@ pub struct PartitionInfo {
    pub capacity: u64,
    pub used: Option<u64>,
    pub embassy_os: Option<EmbassyOsRecoveryInfo>,
+    pub guid: Option<String>,
 }

 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
@@ -61,6 +69,24 @@ lazy_static::lazy_static! {
    static ref PARTITION_REGEX: Regex = Regex::new("-part[0-9]+$").unwrap();
 }

+#[instrument(skip(path))]
+pub async fn get_partition_table<P: AsRef<Path>>(path: P) -> Result<Option<PartitionTable>, Error> {
+    Ok(String::from_utf8(
+        Command::new("fdisk")
+            .arg("-l")
+            .arg(path.as_ref())
+            .invoke(crate::ErrorKind::BlockDevice)
+            .await?,
+    )?
+    .lines()
+    .find_map(|l| l.strip_prefix("Disklabel type:"))
+    .and_then(|t| match t.trim() {
+        "dos" => Some(PartitionTable::Mbr),
+        "gpt" => Some(PartitionTable::Gpt),
+        _ => None,
+    }))
+}
+
 #[instrument(skip(path))]
 pub async fn get_vendor<P: AsRef<Path>>(path: P) -> Result<Option<String>, Error> {
    let vendor = tokio::fs::read_to_string(
@@ -218,21 +244,16 @@ pub async fn recovery_info(
            )?,
        ));
    }
-    let version_path = mountpoint.as_ref().join("root/appmgr/version");
-    if tokio::fs::metadata(&version_path).await.is_ok() {
-        return Ok(Some(EmbassyOsRecoveryInfo {
-            version: from_yaml_async_reader(File::open(&version_path).await?).await?,
-            full: true,
-            password_hash: None,
-            wrapped_key: None,
-        }));
-    }

    Ok(None)
 }

 #[instrument]
-pub async fn list() -> Result<Vec<DiskInfo>, Error> {
+pub async fn list(os: &OsPartitionInfo) -> Result<Vec<DiskInfo>, Error> {
+    struct DiskIndex {
+        parts: IndexSet<PathBuf>,
+        internal: bool,
+    }
    let disk_guids = pvscan().await?;
    let disks = tokio_stream::wrappers::ReadDirStream::new(
        tokio::fs::read_dir(DISK_PATH)
@@ -245,127 +266,173 @@ pub async fn list() -> Result<Vec<DiskInfo>, Error> {
            crate::ErrorKind::Filesystem,
        )
    })
-    .try_fold(BTreeMap::new(), |mut disks, dir_entry| async move {
-        if let Some(disk_path) = dir_entry.path().file_name().and_then(|s| s.to_str()) {
-            let (disk_path, part_path) = if let Some(end) = PARTITION_REGEX.find(disk_path) {
-                (
-                    disk_path.strip_suffix(end.as_str()).unwrap_or_default(),
-                    Some(disk_path),
-                )
-            } else {
-                (disk_path, None)
-            };
-            let disk_path = Path::new(DISK_PATH).join(disk_path);
-            let disk = tokio::fs::canonicalize(&disk_path).await.with_ctx(|_| {
-                (
-                    crate::ErrorKind::Filesystem,
-                    disk_path.display().to_string(),
-                )
-            })?;
-            if &*disk == Path::new("/dev/mmcblk0") {
-                return Ok(disks);
-            }
-            if !disks.contains_key(&disk) {
-                disks.insert(disk.clone(), IndexSet::new());
-            }
-            if let Some(part_path) = part_path {
-                let part_path = Path::new(DISK_PATH).join(part_path);
-                let part = tokio::fs::canonicalize(&part_path).await.with_ctx(|_| {
+    .try_fold(
+        BTreeMap::<PathBuf, DiskIndex>::new(),
+        |mut disks, dir_entry| async move {
+            if let Some(disk_path) = dir_entry.path().file_name().and_then(|s| s.to_str()) {
+                let (disk_path, part_path) = if let Some(end) = PARTITION_REGEX.find(disk_path) {
+                    (
+                        disk_path.strip_suffix(end.as_str()).unwrap_or_default(),
+                        Some(disk_path),
+                    )
+                } else {
+                    (disk_path, None)
+                };
+                let disk_path = Path::new(DISK_PATH).join(disk_path);
+                let disk = tokio::fs::canonicalize(&disk_path).await.with_ctx(|_| {
                    (
                        crate::ErrorKind::Filesystem,
-                        part_path.display().to_string(),
+                        disk_path.display().to_string(),
                    )
                })?;
-                disks.get_mut(&disk).unwrap().insert(part);
+                let part = if let Some(part_path) = part_path {
+                    let part_path = Path::new(DISK_PATH).join(part_path);
+                    let part = tokio::fs::canonicalize(&part_path).await.with_ctx(|_| {
+                        (
+                            crate::ErrorKind::Filesystem,
+                            part_path.display().to_string(),
+                        )
+                    })?;
+                    Some(part)
+                } else {
+                    None
+                };
+                if !disks.contains_key(&disk) {
+                    disks.insert(
+                        disk.clone(),
+                        DiskIndex {
+                            parts: IndexSet::new(),
+                            internal: false,
+                        },
+                    );
+                }
+                if let Some(part) = part {
+                    if os.contains(&part) {
+                        disks.get_mut(&disk).unwrap().internal = true;
+                    } else {
+                        disks.get_mut(&disk).unwrap().parts.insert(part);
+                    }
+                }
            }
-        }
-        Ok(disks)
-    })
+            Ok(disks)
+        },
+    )
    .await?;

    let mut res = Vec::with_capacity(disks.len());
-    for (disk, parts) in disks {
-        let mut guid: Option<String> = None;
-        let mut partitions = Vec::with_capacity(parts.len());
-        let vendor = get_vendor(&disk)
-            .await
-            .map_err(|e| tracing::warn!("Could not get vendor of {}: {}", disk.display(), e.source))
-            .unwrap_or_default();
-        let model = get_model(&disk)
-            .await
-            .map_err(|e| tracing::warn!("Could not get model of {}: {}", disk.display(), e.source))
-            .unwrap_or_default();
-        let capacity = get_capacity(&disk)
-            .await
-            .map_err(|e| {
-                tracing::warn!("Could not get capacity of {}: {}", disk.display(), e.source)
-            })
-            .unwrap_or_default();
-        if let Some(g) = disk_guids.get(&disk) {
-            guid = g.clone();
-        } else {
-            for part in parts {
-                let mut embassy_os = None;
-                let label = get_label(&part).await?;
-                let capacity = get_capacity(&part)
-                    .await
-                    .map_err(|e| {
-                        tracing::warn!("Could not get capacity of {}: {}", part.display(), e.source)
-                    })
-                    .unwrap_or_default();
-                let mut used = None;
-
-                match TmpMountGuard::mount(&BlockDev::new(&part), ReadOnly).await {
-                    Err(e) => tracing::warn!("Could not collect usage information: {}", e.source),
-                    Ok(mount_guard) => {
-                        used = get_used(&mount_guard)
-                            .await
-                            .map_err(|e| {
-                                tracing::warn!(
-                                    "Could not get usage of {}: {}",
-                                    part.display(),
-                                    e.source
-                                )
-                            })
-                            .ok();
-                        if let Some(recovery_info) = match recovery_info(&mount_guard).await {
-                            Ok(a) => a,
-                            Err(e) => {
-                                tracing::error!(
-                                    "Error fetching unencrypted backup metadata: {}",
-                                    e
-                                );
-                                None
-                            }
-                        } {
-                            embassy_os = Some(recovery_info)
-                        }
-                        mount_guard.unmount().await?;
-                    }
+    for (disk, index) in disks {
+        if index.internal {
+            for part in index.parts {
+                let mut disk_info = disk_info(disk.clone()).await;
+                disk_info.logicalname = part;
+                if let Some(g) = disk_guids.get(&disk_info.logicalname) {
+                    disk_info.guid = g.clone();
+                } else {
+                    disk_info.partitions = vec![part_info(disk_info.logicalname.clone()).await];
                }
-
-                partitions.push(PartitionInfo {
-                    logicalname: part,
-                    label,
-                    capacity,
-                    used,
-                    embassy_os,
-                });
+                res.push(disk_info);
            }
+        } else {
+            let mut disk_info = disk_info(disk).await;
+            disk_info.partitions = Vec::with_capacity(index.parts.len());
+            if let Some(g) = disk_guids.get(&disk_info.logicalname) {
+                disk_info.guid = g.clone();
+            } else {
+                for part in index.parts {
+                    let mut part_info = part_info(part).await;
+                    if let Some(g) = disk_guids.get(&part_info.logicalname) {
+                        part_info.guid = g.clone();
+                    }
+                    disk_info.partitions.push(part_info);
+                }
+            }
+            res.push(disk_info);
        }
-        res.push(DiskInfo {
-            logicalname: disk,
-            vendor,
-            model,
-            partitions,
-            capacity,
-            guid,
-        })
    }

    Ok(res)
 }

+async fn disk_info(disk: PathBuf) -> DiskInfo {
+    let partition_table = get_partition_table(&disk)
+        .await
+        .map_err(|e| {
+            tracing::warn!(
+                "Could not get partition table of {}: {}",
+                disk.display(),
+                e.source
+            )
+        })
+        .unwrap_or_default();
+    let vendor = get_vendor(&disk)
+        .await
+        .map_err(|e| tracing::warn!("Could not get vendor of {}: {}", disk.display(), e.source))
+        .unwrap_or_default();
+    let model = get_model(&disk)
+        .await
+        .map_err(|e| tracing::warn!("Could not get model of {}: {}", disk.display(), e.source))
+        .unwrap_or_default();
+    let capacity = get_capacity(&disk)
+        .await
+        .map_err(|e| tracing::warn!("Could not get capacity of {}: {}", disk.display(), e.source))
+        .unwrap_or_default();
+    DiskInfo {
+        logicalname: disk,
+        partition_table,
+        vendor,
+        model,
+        partitions: Vec::new(),
+        capacity,
+        guid: None,
+    }
+}
+
+async fn part_info(part: PathBuf) -> PartitionInfo {
+    let mut embassy_os = None;
+    let label = get_label(&part)
+        .await
+        .map_err(|e| tracing::warn!("Could not get label of {}: {}", part.display(), e.source))
+        .unwrap_or_default();
+    let capacity = get_capacity(&part)
+        .await
+        .map_err(|e| tracing::warn!("Could not get capacity of {}: {}", part.display(), e.source))
+        .unwrap_or_default();
+    let mut used = None;
+
+    match TmpMountGuard::mount(&BlockDev::new(&part), ReadOnly).await {
+        Err(e) => tracing::warn!("Could not collect usage information: {}", e.source),
+        Ok(mount_guard) => {
+            used = get_used(&mount_guard)
+                .await
+                .map_err(|e| {
+                    tracing::warn!("Could not get usage of {}: {}", part.display(), e.source)
+                })
+                .ok();
+            if let Some(recovery_info) = match recovery_info(&mount_guard).await {
+                Ok(a) => a,
+                Err(e) => {
+                    tracing::error!("Error fetching unencrypted backup metadata: {}", e);
+                    None
+                }
+            } {
+                embassy_os = Some(recovery_info)
+            }
+            if let Err(e) = mount_guard.unmount().await {
+                tracing::error!("Error unmounting partition {}: {}", part.display(), e);
+            }
+        }
+    }
+
+    PartitionInfo {
+        logicalname: part,
+        label,
+        capacity,
+        used,
+        embassy_os,
+        guid: None,
+    }
+}
+
 fn parse_pvscan_output(pvscan_output: &str) -> BTreeMap<PathBuf, Option<String>> {
    fn parse_line(line: &str) -> IResult<&str, (&str, Option<&str>)> {
        let pv_parse = preceded(
--- a/backend/src/error.rs
+++ b/backend/src/error.rs
@@ -1,274 +1,5 @@
-use std::fmt::Display;
-
 use color_eyre::eyre::eyre;
-use models::InvalidId;
-use patch_db::Revision;
-use rpc_toolkit::yajrc::RpcError;
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum ErrorKind {
-    Unknown = 1,
-    Filesystem = 2,
-    Docker = 3,
-    ConfigSpecViolation = 4,
-    ConfigRulesViolation = 5,
-    NotFound = 6,
-    IncorrectPassword = 7,
-    VersionIncompatible = 8,
-    Network = 9,
-    Registry = 10,
-    Serialization = 11,
-    Deserialization = 12,
-    Utf8 = 13,
-    ParseVersion = 14,
-    IncorrectDisk = 15,
-    Nginx = 16,
-    Dependency = 17,
-    ParseS9pk = 18,
-    ParseUrl = 19,
-    DiskNotAvailable = 20,
-    BlockDevice = 21,
-    InvalidOnionAddress = 22,
-    Pack = 23,
-    ValidateS9pk = 24,
-    DiskCorrupted = 25, // Remove
-    Tor = 26,
-    ConfigGen = 27,
-    ParseNumber = 28,
-    Database = 29,
-    InvalidPackageId = 30,
-    InvalidSignature = 31,
-    Backup = 32,
-    Restore = 33,
-    Authorization = 34,
-    AutoConfigure = 35,
-    Action = 36,
-    RateLimited = 37,
-    InvalidRequest = 38,
-    MigrationFailed = 39,
-    Uninitialized = 40,
-    ParseNetAddress = 41,
-    ParseSshKey = 42,
-    SoundError = 43,
-    ParseTimestamp = 44,
-    ParseSysInfo = 45,
-    Wifi = 46,
-    Journald = 47,
-    DiskManagement = 48,
-    OpenSsl = 49,
-    PasswordHashGeneration = 50,
-    DiagnosticMode = 51,
-    ParseDbField = 52,
-    Duplicate = 53,
-    MultipleErrors = 54,
-    Incoherent = 55,
-    InvalidBackupTargetId = 56,
-    ProductKeyMismatch = 57,
-    LanPortConflict = 58,
-    Javascript = 59,
-    Pem = 60,
-    TLSInit = 61,
-    HttpRange = 62,
-    ContentLength = 63,
-    BytesError = 64
-}
-impl ErrorKind {
-    pub fn as_str(&self) -> &'static str {
-        use ErrorKind::*;
-        match self {
-            Unknown => "Unknown Error",
-            Filesystem => "Filesystem I/O Error",
-            Docker => "Docker Error",
-            ConfigSpecViolation => "Config Spec Violation",
-            ConfigRulesViolation => "Config Rules Violation",
-            NotFound => "Not Found",
-            IncorrectPassword => "Incorrect Password",
-            VersionIncompatible => "Version Incompatible",
-            Network => "Network Error",
-            Registry => "Registry Error",
-            Serialization => "Serialization Error",
-            Deserialization => "Deserialization Error",
-            Utf8 => "UTF-8 Parse Error",
-            ParseVersion => "Version Parsing Error",
-            IncorrectDisk => "Incorrect Disk",
-            Nginx => "Nginx Error",
-            Dependency => "Dependency Error",
-            ParseS9pk => "S9PK Parsing Error",
-            ParseUrl => "URL Parsing Error",
-            DiskNotAvailable => "Disk Not Available",
-            BlockDevice => "Block Device Error",
-            InvalidOnionAddress => "Invalid Onion Address",
-            Pack => "Pack Error",
-            ValidateS9pk => "S9PK Validation Error",
-            DiskCorrupted => "Disk Corrupted", // Remove
-            Tor => "Tor Daemon Error",
-            ConfigGen => "Config Generation Error",
-            ParseNumber => "Number Parsing Error",
-            Database => "Database Error",
-            InvalidPackageId => "Invalid Package ID",
-            InvalidSignature => "Invalid Signature",
-            Backup => "Backup Error",
-            Restore => "Restore Error",
-            Authorization => "Unauthorized",
-            AutoConfigure => "Auto-Configure Error",
-            Action => "Action Failed",
-            RateLimited => "Rate Limited",
-            InvalidRequest => "Invalid Request",
-            MigrationFailed => "Migration Failed",
-            Uninitialized => "Uninitialized",
-            ParseNetAddress => "Net Address Parsing Error",
-            ParseSshKey => "SSH Key Parsing Error",
-            SoundError => "Sound Interface Error",
-            ParseTimestamp => "Timestamp Parsing Error",
-            ParseSysInfo => "System Info Parsing Error",
-            Wifi => "WiFi Internal Error",
-            Journald => "Journald Error",
-            DiskManagement => "Disk Management Error",
-            OpenSsl => "OpenSSL Internal Error",
-            PasswordHashGeneration => "Password Hash Generation Error",
-            DiagnosticMode => "Embassy is in Diagnostic Mode",
-            ParseDbField => "Database Field Parse Error",
-            Duplicate => "Duplication Error",
-            MultipleErrors => "Multiple Errors",
-            Incoherent => "Incoherent",
-            InvalidBackupTargetId => "Invalid Backup Target ID",
-            ProductKeyMismatch => "Incompatible Product Keys",
-            LanPortConflict => "Incompatible LAN Port Configuration",
-            Javascript => "Javascript Engine Error",
-            Pem => "PEM Encoding Error",
-            TLSInit => "TLS Backend Initialize Error",
-            HttpRange => "No Support for Web Server HTTP Ranges",
-            ContentLength => "Request has no content length header",
-            BytesError => "Could not get the bytes for this request"
-        }
-    }
-}
-impl Display for ErrorKind {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "{}", self.as_str())
-    }
-}
-
-#[derive(Debug)]
-pub struct Error {
-    pub source: color_eyre::eyre::Error,
-    pub kind: ErrorKind,
-    pub revision: Option<Revision>,
-}
-
-impl Display for Error {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "{}: {}", self.kind.as_str(), self.source)
-    }
-}
-impl Error {
-    pub fn new<E: Into<color_eyre::eyre::Error>>(source: E, kind: ErrorKind) -> Self {
-        Error {
-            source: source.into(),
-            kind,
-            revision: None,
-        }
-    }
-}
-impl From<InvalidId> for Error {
-    fn from(err: InvalidId) -> Self {
-        Error::new(err, crate::error::ErrorKind::InvalidPackageId)
-    }
-}
-impl From<std::io::Error> for Error {
-    fn from(e: std::io::Error) -> Self {
-        Error::new(e, ErrorKind::Filesystem)
-    }
-}
-impl From<std::str::Utf8Error> for Error {
-    fn from(e: std::str::Utf8Error) -> Self {
-        Error::new(e, ErrorKind::Utf8)
-    }
-}
-impl From<std::string::FromUtf8Error> for Error {
-    fn from(e: std::string::FromUtf8Error) -> Self {
-        Error::new(e, ErrorKind::Utf8)
-    }
-}
-impl From<emver::ParseError> for Error {
-    fn from(e: emver::ParseError) -> Self {
-        Error::new(e, ErrorKind::ParseVersion)
-    }
-}
-impl From<rpc_toolkit::url::ParseError> for Error {
-    fn from(e: rpc_toolkit::url::ParseError) -> Self {
-        Error::new(e, ErrorKind::ParseUrl)
-    }
-}
-impl From<std::num::ParseIntError> for Error {
-    fn from(e: std::num::ParseIntError) -> Self {
-        Error::new(e, ErrorKind::ParseNumber)
-    }
-}
-impl From<std::num::ParseFloatError> for Error {
-    fn from(e: std::num::ParseFloatError) -> Self {
-        Error::new(e, ErrorKind::ParseNumber)
-    }
-}
-impl From<patch_db::Error> for Error {
-    fn from(e: patch_db::Error) -> Self {
-        Error::new(e, ErrorKind::Database)
-    }
-}
-impl From<sqlx::Error> for Error {
-    fn from(e: sqlx::Error) -> Self {
-        Error::new(e, ErrorKind::Database)
-    }
-}
-impl From<ed25519_dalek::SignatureError> for Error {
-    fn from(e: ed25519_dalek::SignatureError) -> Self {
-        Error::new(e, ErrorKind::InvalidSignature)
-    }
-}
-impl From<bollard::errors::Error> for Error {
-    fn from(e: bollard::errors::Error) -> Self {
-        Error::new(e, ErrorKind::Docker)
-    }
-}
-impl From<torut::control::ConnError> for Error {
-    fn from(e: torut::control::ConnError) -> Self {
-        Error::new(eyre!("{:?}", e), ErrorKind::Tor)
-    }
-}
-impl From<std::net::AddrParseError> for Error {
-    fn from(e: std::net::AddrParseError) -> Self {
-        Error::new(e, ErrorKind::ParseNetAddress)
-    }
-}
-impl From<openssl::error::ErrorStack> for Error {
-    fn from(e: openssl::error::ErrorStack) -> Self {
-        Error::new(eyre!("OpenSSL ERROR:\n{}", e), ErrorKind::OpenSsl)
-    }
-
-
-}
-impl From<Error> for RpcError {
-    fn from(e: Error) -> Self {
-        let mut data_object = serde_json::Map::with_capacity(3);
-        data_object.insert("details".to_owned(), format!("{}", e.source).into());
-        data_object.insert("debug".to_owned(), format!("{:?}", e.source).into());
-        data_object.insert(
-            "revision".to_owned(),
-            match serde_json::to_value(&e.revision) {
-                Ok(a) => a,
-                Err(e) => {
-                    tracing::warn!("Error serializing revision for Error object: {}", e);
-                    serde_json::Value::Null
-                }
-            },
-        );
-        RpcError {
-            code: e.kind as i32,
-            message: e.kind.as_str().into(),
-            data: Some(data_object.into()),
-        }
-    }
-}
+pub use models::{Error, ErrorKind, ResultExt};

 #[derive(Debug, Default)]
 pub struct ErrorCollection(Vec<Error>);
@@ -319,46 +50,6 @@ impl std::fmt::Display for ErrorCollection {
    }
 }

-pub trait ResultExt<T, E>
-where
-    Self: Sized,
-{
-    fn with_kind(self, kind: ErrorKind) -> Result<T, Error>;
-    fn with_ctx<F: FnOnce(&E) -> (ErrorKind, D), D: Display + Send + Sync + 'static>(
-        self,
-        f: F,
-    ) -> Result<T, Error>;
-}
-impl<T, E> ResultExt<T, E> for Result<T, E>
-where
-    color_eyre::eyre::Error: From<E>,
-{
-    fn with_kind(self, kind: ErrorKind) -> Result<T, Error> {
-        self.map_err(|e| Error {
-            source: e.into(),
-            kind,
-            revision: None,
-        })
-    }
-
-    fn with_ctx<F: FnOnce(&E) -> (ErrorKind, D), D: Display + Send + Sync + 'static>(
-        self,
-        f: F,
-    ) -> Result<T, Error> {
-        self.map_err(|e| {
-            let (kind, ctx) = f(&e);
-            let source = color_eyre::eyre::Error::from(e);
-            let ctx = format!("{}: {}", ctx, source);
-            let source = source.wrap_err(ctx);
-            Error {
-                kind,
-                source: source.into(),
-                revision: None,
-            }
-        })
-    }
-}
-
 #[macro_export]
 macro_rules! ensure_code {
    ($x:expr, $c:expr, $fmt:expr $(, $arg:expr)*) => {
--- a/backend/src/hostname.rs
+++ b/backend/src/hostname.rs
@@ -3,6 +3,7 @@ use rand::{thread_rng, Rng};
 use tokio::process::Command;
 use tracing::instrument;

+use crate::account::AccountInfo;
 use crate::util::Invoke;
 use crate::{Error, ErrorKind};
 #[derive(Clone, serde::Deserialize, serde::Serialize, Debug)]
@@ -22,13 +23,20 @@ impl Hostname {
    pub fn lan_address(&self) -> String {
        format!("https://{}.local", self.0)
    }
+
+    pub fn local_domain_name(&self) -> String {
+        format!("{}.local", self.0)
+    }
+    pub fn no_dot_host_name(&self) -> String {
+        self.0.to_owned()
+    }
 }

 pub fn generate_hostname() -> Hostname {
    let mut rng = thread_rng();
    let adjective = &ADJECTIVES[rng.gen_range(0..ADJECTIVES.len())];
    let noun = &NOUNS[rng.gen_range(0..NOUNS.len())];
-    Hostname(format!("embassy-{adjective}-{noun}"))
+    Hostname(format!("{adjective}-{noun}"))
 }

 pub fn generate_id() -> String {
@@ -56,36 +64,9 @@ pub async fn set_hostname(hostname: &Hostname) -> Result<(), Error> {
    Ok(())
 }

-#[instrument(skip(handle))]
-pub async fn get_id<Db: DbHandle>(handle: &mut Db) -> Result<String, Error> {
-    let id = crate::db::DatabaseModel::new()
-        .server_info()
-        .id()
-        .get(handle, false)
-        .await?;
-    Ok(id.to_string())
-}
-
-pub async fn get_hostname<Db: DbHandle>(handle: &mut Db) -> Result<Hostname, Error> {
-    if let Ok(hostname) = crate::db::DatabaseModel::new()
-        .server_info()
-        .hostname()
-        .get(handle, false)
-        .await
-    {
-        if let Some(hostname) = hostname.to_owned() {
-            return Ok(Hostname(hostname));
-        }
-    }
-    let id = get_id(handle).await?;
-    if id.len() != 8 {
-        return Ok(generate_hostname());
-    }
-    return Ok(Hostname(format!("embassy-{}", id)));
-}
-#[instrument(skip(handle))]
-pub async fn sync_hostname<Db: DbHandle>(handle: &mut Db) -> Result<(), Error> {
-    set_hostname(&get_hostname(handle).await?).await?;
+#[instrument]
+pub async fn sync_hostname(account: &AccountInfo) -> Result<(), Error> {
+    set_hostname(&account.hostname).await?;
    Command::new("systemctl")
        .arg("restart")
        .arg("avahi-daemon")
--- a/backend/src/init.rs
+++ b/backend/src/init.rs
@@ -1,24 +1,30 @@
-use std::collections::HashMap;
+use std::collections::{BTreeMap, HashMap};
+use std::fs::Permissions;
+use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use std::process::Stdio;
 use std::time::Duration;

 use color_eyre::eyre::eyre;
 use helpers::NonDetachingJoinHandle;
+use models::ResultExt;
 use patch_db::{DbHandle, LockReceipt, LockType};
+use rand::random;
+use sqlx::{Pool, Postgres};
 use tokio::process::Command;

-use crate::config::util::MergeWith;
+use crate::account::AccountInfo;
 use crate::context::rpc::RpcContextConfig;
-use crate::db::model::ServerStatus;
-use crate::install::PKG_DOCKER_DIR;
-use crate::sound::CIRCLE_OF_5THS_SHORT;
+use crate::db::model::{IpInfo, ServerStatus};
+use crate::install::PKG_ARCHIVE_DIR;
+use crate::middleware::auth::LOCAL_AUTH_COOKIE_PATH;
+use crate::sound::BEP;
+use crate::system::time;
 use crate::util::Invoke;
-use crate::version::VersionT;
-use crate::Error;
+use crate::{Error, ARCH};

-pub const SYSTEM_REBUILD_PATH: &str = "/embassy-os/system-rebuild";
-pub const STANDBY_MODE_PATH: &str = "/embassy-os/standby";
+pub const SYSTEM_REBUILD_PATH: &str = "/media/embassy/config/system-rebuild";
+pub const STANDBY_MODE_PATH: &str = "/media/embassy/config/standby";

 pub async fn check_time_is_synchronized() -> Result<bool, Error> {
    Ok(String::from_utf8(
@@ -38,6 +44,8 @@ pub struct InitReceipts {
    pub version_range: LockReceipt<emver::VersionRange, ()>,
    pub last_wifi_region: LockReceipt<Option<isocountry::CountryCode>, ()>,
    pub status_info: LockReceipt<ServerStatus, ()>,
+    pub ip_info: LockReceipt<BTreeMap<String, IpInfo>, ()>,
+    pub system_start_time: LockReceipt<String, ()>,
 }
 impl InitReceipts {
    pub async fn new(db: &mut impl DbHandle) -> Result<Self, Error> {
@@ -58,19 +66,31 @@ impl InitReceipts {
            .last_wifi_region()
            .make_locker(LockType::Write)
            .add_to_keys(&mut locks);
+        let ip_info = crate::db::DatabaseModel::new()
+            .server_info()
+            .ip_info()
+            .make_locker(LockType::Write)
+            .add_to_keys(&mut locks);
        let status_info = crate::db::DatabaseModel::new()
            .server_info()
            .status_info()
            .into_model()
            .make_locker(LockType::Write)
            .add_to_keys(&mut locks);
+        let system_start_time = crate::db::DatabaseModel::new()
+            .server_info()
+            .system_start_time()
+            .make_locker(LockType::Write)
+            .add_to_keys(&mut locks);

        let skeleton_key = db.lock_all(locks).await?;
        Ok(Self {
            server_version: server_version.verify(&skeleton_key)?,
            version_range: version_range.verify(&skeleton_key)?,
+            ip_info: ip_info.verify(&skeleton_key)?,
            status_info: status_info.verify(&skeleton_key)?,
            last_wifi_region: last_wifi_region.verify(&skeleton_key)?,
+            system_start_time: system_start_time.verify(&skeleton_key)?,
        })
    }
 }
@@ -192,47 +212,82 @@ pub async fn init_postgres(datadir: impl AsRef<Path>) -> Result<(), Error> {
 }

 pub struct InitResult {
+    pub secret_store: Pool<Postgres>,
    pub db: patch_db::PatchDb,
 }

 pub async fn init(cfg: &RpcContextConfig) -> Result<InitResult, Error> {
+    tokio::fs::create_dir_all("/run/embassy")
+        .await
+        .with_ctx(|_| (crate::ErrorKind::Filesystem, "mkdir -p /run/embassy"))?;
+    if tokio::fs::metadata(LOCAL_AUTH_COOKIE_PATH).await.is_err() {
+        tokio::fs::write(
+            LOCAL_AUTH_COOKIE_PATH,
+            base64::encode(random::<[u8; 32]>()).as_bytes(),
+        )
+        .await
+        .with_ctx(|_| {
+            (
+                crate::ErrorKind::Filesystem,
+                format!("write {}", LOCAL_AUTH_COOKIE_PATH),
+            )
+        })?;
+        tokio::fs::set_permissions(LOCAL_AUTH_COOKIE_PATH, Permissions::from_mode(0o046)).await?;
+        Command::new("chown")
+            .arg("root:embassy")
+            .arg(LOCAL_AUTH_COOKIE_PATH)
+            .invoke(crate::ErrorKind::Filesystem)
+            .await?;
+    }
+
    let secret_store = cfg.secret_store().await?;
-    let db = cfg.db(&secret_store).await?;
+    tracing::info!("Opened Postgres");
+
+    crate::ssh::sync_keys_from_db(&secret_store, "/home/start9/.ssh/authorized_keys").await?;
+    tracing::info!("Synced SSH Keys");
+
+    let account = AccountInfo::load(&secret_store).await?;
+    let db = cfg.db(&account).await?;
+    tracing::info!("Opened PatchDB");
    let mut handle = db.handle();
    crate::db::DatabaseModel::new()
        .server_info()
        .lock(&mut handle, LockType::Write)
        .await?;
-
-    let defaults: serde_json::Value =
-        serde_json::from_str(include_str!("../../frontend/patchdb-ui-seed.json")).map_err(|x| {
-            Error::new(
-                eyre!("Deserialization error {:?}", x),
-                crate::ErrorKind::Deserialization,
-            )
-        })?;
-    let mut ui = crate::db::DatabaseModel::new()
-        .ui()
-        .get(&mut handle, false)
-        .await?
-        .clone();
-    ui.merge_with(&defaults);
-    crate::db::DatabaseModel::new()
-        .ui()
-        .put(&mut handle, &ui)
-        .await?;
-
    let receipts = InitReceipts::new(&mut handle).await?;

+    // write to ca cert store
+    tokio::fs::write(
+        "/usr/local/share/ca-certificates/embassy-root-ca.crt",
+        account.root_ca_cert.to_pem()?,
+    )
+    .await?;
+    Command::new("update-ca-certificates")
+        .invoke(crate::ErrorKind::OpenSsl)
+        .await?;
+
+    if let Some(wifi_interface) = &cfg.wifi_interface {
+        crate::net::wifi::synchronize_wpa_supplicant_conf(
+            &cfg.datadir().join("main"),
+            wifi_interface,
+            &receipts.last_wifi_region.get(&mut handle).await?,
+        )
+        .await?;
+        tracing::info!("Synchronized WiFi");
+    }
+
    let should_rebuild = tokio::fs::metadata(SYSTEM_REBUILD_PATH).await.is_ok()
-        || &*receipts.server_version.get(&mut handle).await?
-            < &crate::version::Current::new().semver();
+        || &*receipts.server_version.get(&mut handle).await? < &emver::Version::new(0, 3, 2, 0)
+        || (*ARCH == "x86_64"
+            && &*receipts.server_version.get(&mut handle).await?
+                < &emver::Version::new(0, 3, 4, 0));

    let song = if should_rebuild {
        Some(NonDetachingJoinHandle::from(tokio::spawn(async {
            loop {
-                CIRCLE_OF_5THS_SHORT.play().await.unwrap();
-                tokio::time::sleep(Duration::from_secs(10)).await;
+                BEP.play().await.unwrap();
+                BEP.play().await.unwrap();
+                tokio::time::sleep(Duration::from_secs(60)).await;
            }
        })))
    } else {
@@ -243,6 +298,13 @@ pub async fn init(cfg: &RpcContextConfig) -> Result<InitResult, Error> {
    if tokio::fs::metadata(&log_dir).await.is_err() {
        tokio::fs::create_dir_all(&log_dir).await?;
    }
+    let current_machine_id = tokio::fs::read_to_string("/etc/machine-id").await?;
+    let mut machine_ids = tokio::fs::read_dir(&log_dir).await?;
+    while let Some(machine_id) = machine_ids.next_entry().await? {
+        if machine_id.file_name().to_string_lossy().trim() != current_machine_id.trim() {
+            tokio::fs::remove_dir_all(machine_id.path()).await?;
+        }
+    }
    crate::disk::mount::util::bind(&log_dir, "/var/log/journal", false).await?;
    Command::new("systemctl")
        .arg("restart")
@@ -250,22 +312,15 @@ pub async fn init(cfg: &RpcContextConfig) -> Result<InitResult, Error> {
        .invoke(crate::ErrorKind::Journald)
        .await?;
    tracing::info!("Mounted Logs");
+
    let tmp_dir = cfg.datadir().join("package-data/tmp");
    if tokio::fs::metadata(&tmp_dir).await.is_err() {
        tokio::fs::create_dir_all(&tmp_dir).await?;
    }
    let tmp_docker = cfg.datadir().join("package-data/tmp/docker");
    let tmp_docker_exists = tokio::fs::metadata(&tmp_docker).await.is_ok();
-    if should_rebuild || !tmp_docker_exists {
-        if tmp_docker_exists {
-            tokio::fs::remove_dir_all(&tmp_docker).await?;
-        }
-        Command::new("cp")
-            .arg("-ra")
-            .arg("/var/lib/docker")
-            .arg(&tmp_docker)
-            .invoke(crate::ErrorKind::Filesystem)
-            .await?;
+    if should_rebuild && tmp_docker_exists {
+        tokio::fs::remove_dir_all(&tmp_docker).await?;
    }
    Command::new("systemctl")
        .arg("stop")
@@ -309,11 +364,11 @@ pub async fn init(cfg: &RpcContextConfig) -> Result<InitResult, Error> {
        tracing::info!("Created Docker Network");

        tracing::info!("Loading System Docker Images");
-        crate::install::load_images("/var/lib/embassy/system-images").await?;
+        crate::install::load_images("/usr/lib/embassy/system-images").await?;
        tracing::info!("Loaded System Docker Images");

        tracing::info!("Loading Package Docker Images");
-        crate::install::load_images(cfg.datadir().join(PKG_DOCKER_DIR)).await?;
+        crate::install::load_images(cfg.datadir().join(PKG_ARCHIVE_DIR)).await?;
        tracing::info!("Loaded Package Docker Images");
    }

@@ -329,27 +384,6 @@ pub async fn init(cfg: &RpcContextConfig) -> Result<InitResult, Error> {
        .await?;
    tracing::info!("Enabled Docker QEMU Emulation");

-    crate::ssh::sync_keys_from_db(&secret_store, "/home/start9/.ssh/authorized_keys").await?;
-    tracing::info!("Synced SSH Keys");
-
-    crate::net::wifi::synchronize_wpa_supplicant_conf(
-        &cfg.datadir().join("main"),
-        &receipts.last_wifi_region.get(&mut handle).await?,
-    )
-    .await?;
-    tracing::info!("Synchronized wpa_supplicant.conf");
-    receipts
-        .status_info
-        .set(
-            &mut handle,
-            ServerStatus {
-                updated: false,
-                update_progress: None,
-                backup_progress: None,
-            },
-        )
-        .await?;
-
    let mut warn_time_not_synced = true;
    for _ in 0..60 {
        if check_time_is_synchronized().await? {
@@ -364,7 +398,34 @@ pub async fn init(cfg: &RpcContextConfig) -> Result<InitResult, Error> {
        tracing::info!("Syncronized system clock");
    }

-    crate::version::init(&mut handle, &receipts).await?;
+    Command::new("systemctl")
+        .arg("start")
+        .arg("tor")
+        .invoke(crate::ErrorKind::Tor)
+        .await?;
+
+    receipts
+        .ip_info
+        .set(&mut handle, crate::net::dhcp::init_ips().await?)
+        .await?;
+    receipts
+        .status_info
+        .set(
+            &mut handle,
+            ServerStatus {
+                updated: false,
+                update_progress: None,
+                backup_progress: None,
+            },
+        )
+        .await?;
+
+    receipts
+        .system_start_time
+        .set(&mut handle, time().await?)
+        .await?;
+
+    crate::version::init(&mut handle, &secret_store, &receipts).await?;

    if should_rebuild {
        match tokio::fs::remove_file(SYSTEM_REBUILD_PATH).await {
@@ -378,5 +439,5 @@ pub async fn init(cfg: &RpcContextConfig) -> Result<InitResult, Error> {

    tracing::info!("System initialized.");

-    Ok(InitResult { db })
+    Ok(InitResult { secret_store, db })
 }
--- a/backend/src/install/cleanup.rs
+++ b/backend/src/install/cleanup.rs
@@ -1,11 +1,13 @@
 use std::collections::HashMap;
+use std::path::PathBuf;
+use std::sync::Arc;

-use bollard::image::ListImagesOptions;
+use bollard::image::{ListImagesOptions, RemoveImageOptions};
 use patch_db::{DbHandle, LockReceipt, LockTargetId, LockType, PatchDbHandle, Verifier};
 use sqlx::{Executor, Postgres};
 use tracing::instrument;

-use super::{PKG_ARCHIVE_DIR, PKG_DOCKER_DIR};
+use super::PKG_ARCHIVE_DIR;
 use crate::config::{not_found, ConfigReceipts};
 use crate::context::RpcContext;
 use crate::db::model::{
@@ -130,7 +132,16 @@ pub async fn cleanup(ctx: &RpcContext, id: &PackageId, version: &Version) -> Res
                })
                .map(|tag| async {
                    let tag = tag; // move into future
-                    ctx.docker.remove_image(&tag, None, None).await
+                    ctx.docker
+                        .remove_image(
+                            &tag,
+                            Some(RemoveImageOptions {
+                                force: true,
+                                noprune: false,
+                            }),
+                            None,
+                        )
+                        .await
                }),
        )
        .await,
@@ -145,16 +156,6 @@ pub async fn cleanup(ctx: &RpcContext, id: &PackageId, version: &Version) -> Res
            .await
            .apply(|res| errors.handle(res));
    }
-    let docker_path = ctx
-        .datadir
-        .join(PKG_DOCKER_DIR)
-        .join(id)
-        .join(version.as_str());
-    if tokio::fs::metadata(&docker_path).await.is_ok() {
-        tokio::fs::remove_dir_all(&docker_path)
-            .await
-            .apply(|res| errors.handle(res));
-    }
    let assets_path = asset_dir(&ctx.datadir, id, version);
    if tokio::fs::metadata(&assets_path).await.is_ok() {
        tokio::fs::remove_dir_all(&assets_path)
@@ -350,6 +351,11 @@ where
    for<'a> &'a mut Ex: Executor<'a, Database = Postgres>,
 {
    let mut tx = db.begin().await?;
+    crate::db::DatabaseModel::new()
+        .package_data()
+        .idx_model(&id)
+        .lock(&mut tx, LockType::Write)
+        .await?;
    let receipts = UninstallReceipts::new(&mut tx, id).await?;
    let entry = receipts.removing.get(&mut tx).await?;
    cleanup(ctx, &entry.manifest.id, &entry.manifest.version).await?;
@@ -359,6 +365,14 @@ where
        packages.0.remove(id);
        packages
    };
+    let dependents_paths: Vec<PathBuf> = entry
+        .current_dependents
+        .0
+        .keys()
+        .flat_map(|x| packages.0.get(x))
+        .flat_map(|x| x.manifest_borrow().volumes.values())
+        .flat_map(|x| x.pointer_path(&ctx.datadir))
+        .collect();
    receipts.packages.set(&mut tx, packages).await?;
    // once we have removed the package entry, we can change all the dependent pointers to null
    reconfigure_dependents_with_live_pointers(ctx, &mut tx, &receipts.config, &entry).await?;
@@ -382,11 +396,11 @@ where
        .datadir
        .join(crate::volume::PKG_VOLUME_DIR)
        .join(&entry.manifest.id);
-    if tokio::fs::metadata(&volumes).await.is_ok() {
-        tokio::fs::remove_dir_all(&volumes).await?;
-    }
-    tx.commit().await?;
+
+    tracing::debug!("Cleaning up {:?} at {:?}", volumes, dependents_paths);
+    cleanup_folder(volumes, Arc::new(dependents_paths)).await;
    remove_tor_keys(secrets, &entry.manifest.id).await?;
+    tx.commit().await?;
    Ok(())
 }

@@ -401,3 +415,42 @@ where
        .await?;
    Ok(())
 }
+
+/// Needed to remove, without removing the folders that are mounted in the other docker containers
+pub fn cleanup_folder(
+    path: PathBuf,
+    dependents_volumes: Arc<Vec<PathBuf>>,
+) -> futures::future::BoxFuture<'static, ()> {
+    Box::pin(async move {
+        let meta_data = match tokio::fs::metadata(&path).await {
+            Ok(a) => a,
+            Err(_e) => {
+                return;
+            }
+        };
+        if !meta_data.is_dir() {
+            tracing::error!("is_not dir, remove {:?}", path);
+            let _ = tokio::fs::remove_file(&path).await;
+            return;
+        }
+        if !dependents_volumes
+            .iter()
+            .any(|v| v.starts_with(&path) || v == &path)
+        {
+            tracing::error!("No parents, remove {:?}", path);
+            let _ = tokio::fs::remove_dir_all(&path).await;
+            return;
+        }
+        let mut read_dir = match tokio::fs::read_dir(&path).await {
+            Ok(a) => a,
+            Err(_e) => {
+                return;
+            }
+        };
+        tracing::error!("Parents, recurse {:?}", path);
+        while let Some(entry) = read_dir.next_entry().await.ok().flatten() {
+            let entry_path = entry.path();
+            cleanup_folder(entry_path, dependents_volumes.clone()).await;
+        }
+    })
+}
--- a/backend/src/install/mod.rs
+++ b/backend/src/install/mod.rs
@@ -14,7 +14,7 @@ use futures::{FutureExt, StreamExt, TryStreamExt};
 use http::header::CONTENT_LENGTH;
 use http::{Request, Response, StatusCode};
 use hyper::Body;
-use patch_db::{DbHandle, LockReceipt, LockType};
+use patch_db::{DbHandle, LockType};
 use reqwest::Url;
 use rpc_toolkit::command;
 use rpc_toolkit::yajrc::RpcError;
@@ -30,7 +30,7 @@ use crate::context::{CliContext, RpcContext};
 use crate::core::rpc_continuations::{RequestGuid, RpcContinuation};
 use crate::db::model::{
    CurrentDependencies, CurrentDependencyInfo, CurrentDependents, InstalledPackageDataEntry,
-    PackageDataEntry, RecoveredPackageInfo, StaticDependencyInfo, StaticFiles,
+    PackageDataEntry, StaticDependencyInfo, StaticFiles,
 };
 use crate::dependencies::{
    add_dependent_to_current_dependents_lists, break_all_dependents_transitive,
@@ -45,7 +45,7 @@ use crate::s9pk::reader::S9pkReader;
 use crate::status::{MainStatus, Status};
 use crate::util::io::{copy_and_shutdown, response_to_reader};
 use crate::util::serde::{display_serializable, Port};
-use crate::util::{display_none, AsyncFileExt, Version};
+use crate::util::{assure_send, display_none, AsyncFileExt, Version};
 use crate::version::{Current, VersionT};
 use crate::volume::{asset_dir, script_dir};
 use crate::{Error, ErrorKind, ResultExt};
@@ -56,7 +56,6 @@ pub mod update;

 pub const PKG_ARCHIVE_DIR: &str = "package-data/archive";
 pub const PKG_PUBLIC_DIR: &str = "package-data/public";
-pub const PKG_DOCKER_DIR: &str = "package-data/docker";
 pub const PKG_WASM_DIR: &str = "package-data/wasm";

 #[command(display(display_serializable))]
@@ -64,7 +63,7 @@ pub async fn list(#[context] ctx: RpcContext) -> Result<Vec<(PackageId, Version)
    let mut hdl = ctx.db.handle();
    let package_data = crate::db::DatabaseModel::new()
        .package_data()
-        .get(&mut hdl, true)
+        .get(&mut hdl)
        .await?;

    Ok(package_data
@@ -602,6 +601,11 @@ pub async fn uninstall_dry(
 pub async fn uninstall_impl(ctx: RpcContext, id: PackageId) -> Result<(), Error> {
    let mut handle = ctx.db.handle();
    let mut tx = handle.begin().await?;
+    crate::db::DatabaseModel::new()
+        .package_data()
+        .idx_model(&id)
+        .lock(&mut tx, LockType::Write)
+        .await?;

    let mut pde = crate::db::DatabaseModel::new()
        .package_data()
@@ -667,43 +671,6 @@ pub async fn uninstall_impl(ctx: RpcContext, id: PackageId) -> Result<(), Error>
    Ok(())
 }

-#[command(
-    rename = "delete-recovered",
-    display(display_none),
-    metadata(sync_db = true)
-)]
-pub async fn delete_recovered(
-    #[context] ctx: RpcContext,
-    #[arg] id: PackageId,
-) -> Result<(), Error> {
-    let mut handle = ctx.db.handle();
-    let mut tx = handle.begin().await?;
-    let mut sql_tx = ctx.secret_store.begin().await?;
-
-    let mut recovered_packages = crate::db::DatabaseModel::new()
-        .recovered_packages()
-        .get_mut(&mut tx)
-        .await?;
-    recovered_packages.remove(&id).ok_or_else(|| {
-        Error::new(
-            eyre!("{} not in recovered-packages", id),
-            crate::ErrorKind::NotFound,
-        )
-    })?;
-    recovered_packages.save(&mut tx).await?;
-
-    let volumes = ctx.datadir.join(crate::volume::PKG_VOLUME_DIR).join(&id);
-    if tokio::fs::metadata(&volumes).await.is_ok() {
-        tokio::fs::remove_dir_all(&volumes).await?;
-    }
-    cleanup::remove_tor_keys(&mut sql_tx, &id).await?;
-
-    tx.commit().await?;
-    sql_tx.commit().await?;
-
-    Ok(())
-}
-
 pub struct DownloadInstallReceipts {
    package_receipts: crate::db::package::PackageReceipts,
    manifest_receipts: crate::db::package::ManifestReceipts,
@@ -743,8 +710,21 @@ pub async fn download_install_s9pk(
 ) -> Result<(), Error> {
    let pkg_id = &temp_manifest.id;
    let version = &temp_manifest.version;
+    let mut previous_state: Option<MainStatus> = None;

    if let Err(e) = async {
+        if crate::db::DatabaseModel::new()
+            .package_data()
+            .idx_model(&pkg_id)
+            .and_then(|x| x.installed())
+            .exists(&mut ctx.db.handle())
+            .await
+            .unwrap_or(false)
+        {
+            previous_state = crate::control::stop_impl(ctx.clone(), pkg_id.clone())
+                .await
+                .ok();
+        }
        let mut db_handle = ctx.db.handle();
        let mut tx = db_handle.begin().await?;
        let receipts = DownloadInstallReceipts::new(&mut tx, &pkg_id).await?;
@@ -846,6 +826,10 @@ pub async fn download_install_s9pk(
    }
    .await
    {
+        if previous_state.map(|x| x.running()).unwrap_or(false) {
+            crate::control::start(ctx.clone(), pkg_id.clone()).await?;
+        }
+
        let mut handle = ctx.db.handle();
        let mut tx = handle.begin().await?;
        let receipts = cleanup::CleanupFailedReceipts::new(&mut tx).await?;
@@ -858,14 +842,15 @@ pub async fn download_install_s9pk(
        }
        Err(e)
    } else {
+        if previous_state.map(|x| x.running()).unwrap_or(false) {
+            crate::control::start(ctx.clone(), pkg_id.clone()).await?;
+        }
        Ok(())
    }
 }

 pub struct InstallS9Receipts {
    config: ConfigReceipts,
-
-    recovered_packages: LockReceipt<BTreeMap<PackageId, RecoveredPackageInfo>, ()>,
 }

 impl InstallS9Receipts {
@@ -880,23 +865,16 @@ impl InstallS9Receipts {
        locks: &mut Vec<patch_db::LockTargetId>,
    ) -> impl FnOnce(&patch_db::Verifier) -> Result<Self, Error> {
        let config = ConfigReceipts::setup(locks);
-
-        let recovered_packages = crate::db::DatabaseModel::new()
-            .recovered_packages()
-            .make_locker(LockType::Write)
-            .add_to_keys(locks);
-
        move |skeleton_key| {
            Ok(Self {
                config: config(skeleton_key)?,
-                recovered_packages: recovered_packages.verify(skeleton_key)?,
            })
        }
    }
 }

 #[instrument(skip(ctx, rdr))]
-pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
+pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin + Send + Sync>(
    ctx: &RpcContext,
    pkg_id: &PackageId,
    version: &Version,
@@ -926,7 +904,7 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
            .package_data()
            .idx_model(dep)
            .map::<_, Manifest>(|pde| pde.manifest())
-            .get(&mut ctx.db.handle(), false)
+            .get(&mut ctx.db.handle())
            .await?
            .into_owned()
        {
@@ -1060,44 +1038,11 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
    tracing::info!("Install {}@{}: Unpacking Docker Images", pkg_id, version);
    progress
        .track_read_during(progress_model.clone(), &ctx.db, || async {
-            let image_tar_dir = ctx
-                .datadir
-                .join(PKG_DOCKER_DIR)
-                .join(pkg_id)
-                .join(version.as_str());
-            if tokio::fs::metadata(&image_tar_dir).await.is_err() {
-                tokio::fs::create_dir_all(&image_tar_dir)
-                    .await
-                    .with_ctx(|_| {
-                        (
-                            crate::ErrorKind::Filesystem,
-                            image_tar_dir.display().to_string(),
-                        )
-                    })?;
-            }
-            let image_tar_path = image_tar_dir.join("image.tar");
-            let mut tee = Command::new("tee")
-                .arg(&image_tar_path)
-                .stdin(Stdio::piped())
-                .stdout(Stdio::piped())
-                .spawn()?;
            let mut load = Command::new("docker")
                .arg("load")
                .stdin(Stdio::piped())
                .stderr(Stdio::piped())
                .spawn()?;
-            let tee_in = tee.stdin.take().ok_or_else(|| {
-                Error::new(
-                    eyre!("Could not write to stdin of tee"),
-                    crate::ErrorKind::Docker,
-                )
-            })?;
-            let mut tee_out = tee.stdout.take().ok_or_else(|| {
-                Error::new(
-                    eyre!("Could not read from stdout of tee"),
-                    crate::ErrorKind::Docker,
-                )
-            })?;
            let load_in = load.stdin.take().ok_or_else(|| {
                Error::new(
                    eyre!("Could not write to stdin of docker load"),
@@ -1105,10 +1050,7 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
                )
            })?;
            let mut docker_rdr = rdr.docker_images().await?;
-            tokio::try_join!(
-                copy_and_shutdown(&mut docker_rdr, tee_in),
-                copy_and_shutdown(&mut tee_out, load_in),
-            )?;
+            copy_and_shutdown(&mut docker_rdr, load_in).await?;
            let res = load.wait_with_output().await?;
            if !res.status.success() {
                Err(Error::new(
@@ -1174,13 +1116,7 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
    tracing::info!("Install {}@{}: Installed interfaces", pkg_id, version);

    tracing::info!("Install {}@{}: Creating manager", pkg_id, version);
-    ctx.managers
-        .add(
-            ctx.clone(),
-            manifest.clone(),
-            manifest.interfaces.tor_keys(&mut sql_tx, pkg_id).await?,
-        )
-        .await?;
+    ctx.managers.add(ctx.clone(), manifest.clone()).await?;
    tracing::info!("Install {}@{}: Created manager", pkg_id, version);

    let static_files = StaticFiles::local(pkg_id, version, manifest.assets.icon_type());
@@ -1202,7 +1138,7 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
        let mut deps = BTreeMap::new();
        for package in crate::db::DatabaseModel::new()
            .package_data()
-            .keys(&mut tx, true)
+            .keys(&mut tx)
            .await?
        {
            // update dependency_info on dependents
@@ -1236,7 +1172,7 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
                .await?
                .installed()
                .and_then(|i| i.current_dependencies().idx_model(pkg_id))
-                .get(&mut tx, true)
+                .get(&mut tx)
                .await?
                .to_owned()
            {
@@ -1328,6 +1264,7 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
        let migration = manifest
            .migrations
            .from(
+                &manifest.containers,
                ctx,
                &prev.manifest.version,
                pkg_id,
@@ -1413,7 +1350,6 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
            .restore(
                ctx,
                &mut tx,
-                &mut sql_tx,
                pkg_id,
                version,
                &manifest.interfaces,
@@ -1435,38 +1371,6 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
            &receipts.config.update_dependency_receipts,
        )
        .await?;
-    } else if let Some(recovered) = {
-        receipts
-            .recovered_packages
-            .get(&mut tx)
-            .await?
-            .remove(pkg_id)
-    } {
-        handle_recovered_package(
-            recovered,
-            manifest,
-            ctx,
-            pkg_id,
-            version,
-            &mut tx,
-            &receipts.config,
-        )
-        .await?;
-        add_dependent_to_current_dependents_lists(
-            &mut tx,
-            pkg_id,
-            &current_dependencies,
-            &receipts.config.current_dependents,
-        )
-        .await?;
-        update_dependency_errors_of_dependents(
-            ctx,
-            &mut tx,
-            pkg_id,
-            &current_dependents,
-            &receipts.config.update_dependency_receipts,
-        )
-        .await?;
    } else {
        add_dependent_to_current_dependents_lists(
            &mut tx,
@@ -1485,16 +1389,6 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
        .await?;
    }

-    let recovered_packages = {
-        let mut r = receipts.recovered_packages.get(&mut tx).await?;
-        r.remove(pkg_id);
-        r
-    };
-    receipts
-        .recovered_packages
-        .set(&mut tx, recovered_packages)
-        .await?;
-
    if let Some(installed) = pde.installed() {
        reconfigure_dependents_with_live_pointers(ctx, &mut tx, &receipts.config, installed)
            .await?;
@@ -1508,43 +1402,6 @@ pub async fn install_s9pk<R: AsyncRead + AsyncSeek + Unpin>(
    Ok(())
 }

-#[instrument(skip(ctx, tx, receipts))]
-async fn handle_recovered_package(
-    recovered: RecoveredPackageInfo,
-    manifest: Manifest,
-    ctx: &RpcContext,
-    pkg_id: &PackageId,
-    version: &Version,
-    tx: &mut patch_db::Transaction<&mut patch_db::PatchDbHandle>,
-    receipts: &ConfigReceipts,
-) -> Result<(), Error> {
-    let configured = if let Some(migration) =
-        manifest
-            .migrations
-            .from(ctx, &recovered.version, pkg_id, version, &manifest.volumes)
-    {
-        migration.await?.configured
-    } else {
-        false
-    };
-    if configured && manifest.config.is_some() {
-        crate::config::configure(
-            ctx,
-            tx,
-            pkg_id,
-            None,
-            &None,
-            false,
-            &mut BTreeMap::new(),
-            &mut BTreeMap::new(),
-            &receipts,
-        )
-        .await?;
-    }
-
-    Ok(())
-}
-
 #[instrument(skip(datadir))]
 pub fn load_images<'a, P: AsRef<Path> + 'a + Send + Sync>(
    datadir: P,
@@ -1559,7 +1416,9 @@ pub fn load_images<'a, P: AsRef<Path> + 'a + Send + Sync>(
                .try_for_each(|entry| async move {
                    let m = entry.metadata().await?;
                    if m.is_file() {
-                        if entry.path().extension().and_then(|ext| ext.to_str()) == Some("tar") {
+                        let path = entry.path();
+                        let ext = path.extension().and_then(|ext| ext.to_str());
+                        if ext == Some("tar") || ext == Some("s9pk") {
                            let mut load = Command::new("docker")
                                .arg("load")
                                .stdin(Stdio::piped())
@@ -1571,8 +1430,24 @@ pub fn load_images<'a, P: AsRef<Path> + 'a + Send + Sync>(
                                    crate::ErrorKind::Docker,
                                )
                            })?;
-                            let mut docker_rdr = File::open(&entry.path()).await?;
-                            copy_and_shutdown(&mut docker_rdr, load_in).await?;
+                            match ext {
+                                Some("tar") => {
+                                    copy_and_shutdown(&mut File::open(&path).await?, load_in)
+                                        .await?
+                                }
+                                Some("s9pk") => {
+                                    copy_and_shutdown(
+                                        &mut S9pkReader::open(&path, false)
+                                            .await?
+                                            .docker_images()
+                                            .await?,
+                                        load_in,
+                                    )
+                                    .await?
+                                }
+                                _ => unreachable!(),
+                            };
+
                            let res = load.wait_with_output().await?;
                            if !res.status.success() {
                                Err(Error::new(
--- a/backend/src/install/progress.rs
+++ b/backend/src/install/progress.rs
@@ -113,6 +113,7 @@ impl InstallProgress {
 }

 #[pin_project::pin_project]
+#[derive(Debug)]
 pub struct InstallProgressTracker<RW> {
    #[pin]
    inner: RW,
--- a/backend/src/lib.rs
+++ b/backend/src/lib.rs
@@ -1,4 +1,7 @@
+#![recursion_limit = "256"]
+
 pub const DEFAULT_MARKETPLACE: &str = "https://registry.start9.com";
+// pub const COMMUNITY_MARKETPLACE: &str = "https://community-registry.start9.com";
 pub const BUFFER_SIZE: usize = 1024;
 pub const HOST_IP: [u8; 4] = [172, 18, 0, 1];
 pub const TARGET: &str = current_platform::CURRENT_PLATFORM;
@@ -7,8 +10,12 @@ lazy_static::lazy_static! {
        let (arch, _) = TARGET.split_once("-").unwrap();
        arch
    };
+    pub static ref IS_RASPBERRY_PI: bool = {
+        *ARCH == "aarch64"
+    };
 }

+pub mod account;
 pub mod action;
 pub mod auth;
 pub mod backup;
@@ -23,7 +30,6 @@ pub mod diagnostic;
 pub mod disk;
 pub mod error;
 pub mod hostname;
-pub mod id;
 pub mod init;
 pub mod inspect;
 pub mod install;
@@ -34,6 +40,7 @@ pub mod middleware;
 pub mod migration;
 pub mod net;
 pub mod notifications;
+pub mod os_install;
 pub mod procedure;
 pub mod properties;
 pub mod s9pk;
@@ -41,7 +48,6 @@ pub mod setup;
 pub mod shutdown;
 pub mod sound;
 pub mod ssh;
-pub mod static_server;
 pub mod status;
 pub mod system;
 pub mod update;
@@ -80,6 +86,7 @@ pub fn main_api() -> Result<(), RpcError> {
 }

 #[command(subcommands(
+    system::time,
    system::logs,
    system::kernel_logs,
    system::metrics,
@@ -97,7 +104,6 @@ pub fn server() -> Result<(), RpcError> {
    install::install,
    install::sideload,
    install::uninstall,
-    install::delete_recovered,
    install::list,
    install::update::update,
    config::config,
@@ -133,3 +139,8 @@ pub fn diagnostic_api() -> Result<(), RpcError> {
 pub fn setup_api() -> Result<(), RpcError> {
    Ok(())
 }
+
+#[command(subcommands(version::git_info, echo, os_install::install))]
+pub fn install_api() -> Result<(), RpcError> {
+    Ok(())
+}
--- a/backend/src/logs.rs
+++ b/backend/src/logs.rs
@@ -86,9 +86,10 @@ async fn ws_handler<
            .with_kind(ErrorKind::Network)?;
    }

+    let mut ws_closed = false;
    while let Some(entry) = tokio::select! {
        a = logs.try_next() => Some(a?),
-        a = stream.try_next() => { a.with_kind(crate::ErrorKind::Network)?; None }
+        a = stream.try_next() => { a.with_kind(crate::ErrorKind::Network)?; ws_closed = true; None }
    } {
        if let Some(entry) = entry {
            let (_, log_entry) = entry.log_entry()?;
@@ -101,13 +102,15 @@ async fn ws_handler<
        }
    }

-    stream
-        .close(Some(CloseFrame {
-            code: CloseCode::Normal,
-            reason: "Log Stream Finished".into(),
-        }))
-        .await
-        .with_kind(ErrorKind::Network)?;
+    if !ws_closed {
+        stream
+            .close(Some(CloseFrame {
+                code: CloseCode::Normal,
+                reason: "Log Stream Finished".into(),
+            }))
+            .await
+            .with_kind(ErrorKind::Network)?;
+    }

    Ok(())
 }
--- a/backend/src/manager/health.rs
+++ b/backend/src/manager/health.rs
@@ -113,7 +113,14 @@ pub async fn check<Db: DbHandle>(
    let health_results = if let Some(started) = started {
        manifest
            .health_checks
-            .check_all(ctx, started, id, &manifest.version, &manifest.volumes)
+            .check_all(
+                ctx,
+                &manifest.containers,
+                started,
+                id,
+                &manifest.version,
+                &manifest.volumes,
+            )
            .await?
    } else {
        return Ok(());
--- a/backend/src/manager/mod.rs
+++ b/backend/src/manager/mod.rs
--- a/backend/src/manager/sync.rs
+++ b/backend/src/manager/sync.rs
@@ -1,6 +1,4 @@
 use std::collections::BTreeMap;
-use std::convert::TryInto;
-use std::sync::atomic::Ordering;
 use std::time::Duration;

 use chrono::Utc;
@@ -11,10 +9,10 @@ use crate::Error;

 /// Allocates a db handle. DO NOT CALL with a db handle already in scope
 async fn synchronize_once(shared: &ManagerSharedState) -> Result<Status, Error> {
-    let mut db = shared.ctx.db.handle();
+    let mut db = shared.seed.ctx.db.handle();
    let mut status = crate::db::DatabaseModel::new()
        .package_data()
-        .idx_model(&shared.manifest.id)
+        .idx_model(&shared.seed.manifest.id)
        .expect(&mut db)
        .await?
        .installed()
@@ -24,7 +22,7 @@ async fn synchronize_once(shared: &ManagerSharedState) -> Result<Status, Error>
        .main()
        .get_mut(&mut db)
        .await?;
-    let manager_status = shared.status.load(Ordering::SeqCst).try_into().unwrap();
+    let manager_status = *shared.status.1.borrow();
    match manager_status {
        Status::Stopped => match &mut *status {
            MainStatus::Stopped => (),
@@ -83,17 +81,19 @@ async fn synchronize_once(shared: &ManagerSharedState) -> Result<Status, Error>
 }

 pub async fn synchronizer(shared: &ManagerSharedState) {
+    let mut status_recv = shared.status.0.subscribe();
    loop {
        tokio::select! {
            _ = tokio::time::sleep(Duration::from_secs(5)) => (),
            _ = shared.synchronize_now.notified() => (),
+            _ = status_recv.changed() => (),
        }
        let status = match synchronize_once(shared).await {
            Err(e) => {
                tracing::error!(
                    "Synchronizer for {}@{} failed: {}",
-                    shared.manifest.id,
-                    shared.manifest.version,
+                    shared.seed.manifest.id,
+                    shared.seed.manifest.version,
                    e
                );
                tracing::debug!("{:?}", e);
@@ -101,7 +101,7 @@ pub async fn synchronizer(shared: &ManagerSharedState) {
            }
            Ok(status) => status,
        };
-        tracing::trace!("{} status synchronized", shared.manifest.id);
+        tracing::trace!("{} status synchronized", shared.seed.manifest.id);
        shared.synchronized.notify_waiters();
        match status {
            Status::Shutdown => {
--- a/backend/src/middleware/auth.rs
+++ b/backend/src/middleware/auth.rs
@@ -23,6 +23,9 @@ use tokio::sync::Mutex;

 use crate::context::RpcContext;
 use crate::{Error, ResultExt};
+
+pub const LOCAL_AUTH_COOKIE_PATH: &str = "/run/embassy/rpc.authcookie";
+
 pub trait AsLogoutSessionId {
    fn as_logout_session_id(self) -> String;
 }
@@ -63,7 +66,29 @@ impl HasValidSession {
        request_parts: &RequestParts,
        ctx: &RpcContext,
    ) -> Result<Self, Error> {
-        Self::from_session(&HashSessionToken::from_request_parts(request_parts)?, ctx).await
+        if let Some(cookie_header) = request_parts.headers.get(COOKIE) {
+            let cookies = Cookie::parse(
+                cookie_header
+                    .to_str()
+                    .with_kind(crate::ErrorKind::Authorization)?,
+            )
+            .with_kind(crate::ErrorKind::Authorization)?;
+            if let Some(cookie) = cookies.iter().find(|c| c.get_name() == "local") {
+                if let Ok(s) = Self::from_local(cookie).await {
+                    return Ok(s);
+                }
+            }
+            if let Some(cookie) = cookies.iter().find(|c| c.get_name() == "session") {
+                if let Ok(s) = Self::from_session(&HashSessionToken::from_cookie(cookie), ctx).await
+                {
+                    return Ok(s);
+                }
+            }
+        }
+        Err(Error::new(
+            eyre!("UNAUTHORIZED"),
+            crate::ErrorKind::Authorization,
+        ))
    }

    pub async fn from_session(session: &HashSessionToken, ctx: &RpcContext) -> Result<Self, Error> {
@@ -79,6 +104,18 @@ impl HasValidSession {
        }
        Ok(Self(()))
    }
+
+    pub async fn from_local(local: &Cookie<'_>) -> Result<Self, Error> {
+        let token = tokio::fs::read_to_string(LOCAL_AUTH_COOKIE_PATH).await?;
+        if local.get_value() == &*token {
+            Ok(Self(()))
+        } else {
+            Err(Error::new(
+                eyre!("UNAUTHORIZED"),
+                crate::ErrorKind::Authorization,
+            ))
+        }
+    }
 }

 /// When we have a need to create a new session,
--- a/backend/src/middleware/db.rs
+++ b/backend/src/middleware/db.rs
@@ -59,12 +59,10 @@ pub fn db<M: Metadata>(ctx: RpcContext) -> DynMiddleware<M> {
                                            .append("X-Patch-Updates", HeaderValue::from_str(&a)?),
                                        Err(e) => res.headers.append(
                                            "X-Patch-Error",
-                                            HeaderValue::from_str(
-                                                &base64::encode_config(
-                                                    &e.to_string(),
-                                                    base64::URL_SAFE,
-                                                ),
-                                            )?,
+                                            HeaderValue::from_str(&base64::encode_config(
+                                                &e.to_string(),
+                                                base64::URL_SAFE,
+                                            ))?,
                                        ),
                                    };
                                }
--- a/backend/src/middleware/encrypt.rs
+++ b/backend/src/middleware/encrypt.rs
@@ -1,11 +1,7 @@
-use std::sync::Arc;
-
 use aes::cipher::{CipherKey, NewCipher, Nonce, StreamCipher};
 use aes::Aes256Ctr;
-use futures::Stream;
 use hmac::Hmac;
 use josekit::jwk::Jwk;
-use rpc_toolkit::hyper::{self, Body};
 use serde::{Deserialize, Serialize};
 use sha2::Sha256;
 use tracing::instrument;
@@ -113,6 +109,6 @@ fn test_gen_awk() {
      }"#).unwrap();
    assert_eq!(
        "testing12345",
-        &encrypted.decrypt(Arc::new(private_key)).unwrap()
+        &encrypted.decrypt(std::sync::Arc::new(private_key)).unwrap()
    );
 }
--- a/backend/src/migration.rs
+++ b/backend/src/migration.rs
@@ -4,12 +4,13 @@ use color_eyre::eyre::eyre;
 use emver::VersionRange;
 use futures::{Future, FutureExt};
 use indexmap::IndexMap;
+use models::ImageId;
 use patch_db::HasModel;
 use serde::{Deserialize, Serialize};
 use tracing::instrument;

 use crate::context::RpcContext;
-use crate::id::ImageId;
+use crate::procedure::docker::DockerContainers;
 use crate::procedure::{PackageProcedure, ProcedureName};
 use crate::s9pk::manifest::PackageId;
 use crate::util::Version;
@@ -26,13 +27,14 @@ impl Migrations {
    #[instrument]
    pub fn validate(
        &self,
+        container: &Option<DockerContainers>,
        eos_version: &Version,
        volumes: &Volumes,
        image_ids: &BTreeSet<ImageId>,
    ) -> Result<(), Error> {
        for (version, migration) in &self.from {
            migration
-                .validate(eos_version, volumes, image_ids, true)
+                .validate(container, eos_version, volumes, image_ids, true)
                .with_ctx(|_| {
                    (
                        crate::ErrorKind::ValidateS9pk,
@@ -42,7 +44,7 @@ impl Migrations {
        }
        for (version, migration) in &self.to {
            migration
-                .validate(eos_version, volumes, image_ids, true)
+                .validate(container, eos_version, volumes, image_ids, true)
                .with_ctx(|_| {
                    (
                        crate::ErrorKind::ValidateS9pk,
@@ -56,6 +58,7 @@ impl Migrations {
    #[instrument(skip(ctx))]
    pub fn from<'a>(
        &'a self,
+        container: &'a Option<DockerContainers>,
        ctx: &'a RpcContext,
        version: &'a Version,
        pkg_id: &'a PackageId,
@@ -67,7 +70,7 @@ impl Migrations {
            .iter()
            .find(|(range, _)| version.satisfies(*range))
        {
-            Some(
+            Some(async move {
                migration
                    .execute(
                        ctx,
@@ -76,7 +79,6 @@ impl Migrations {
                        ProcedureName::Migration, // Migrations cannot be executed concurrently
                        volumes,
                        Some(version),
-                        false,
                        None,
                    )
                    .map(|r| {
@@ -85,8 +87,9 @@ impl Migrations {
                                Error::new(eyre!("{}", e.1), crate::ErrorKind::MigrationFailed)
                            })
                        })
-                    }),
-            )
+                    })
+                    .await
+            })
        } else {
            None
        }
@@ -102,7 +105,7 @@ impl Migrations {
        volumes: &'a Volumes,
    ) -> Option<impl Future<Output = Result<MigrationRes, Error>> + 'a> {
        if let Some((_, migration)) = self.to.iter().find(|(range, _)| version.satisfies(*range)) {
-            Some(
+            Some(async move {
                migration
                    .execute(
                        ctx,
@@ -111,7 +114,6 @@ impl Migrations {
                        ProcedureName::Migration,
                        volumes,
                        Some(version),
-                        false,
                        None,
                    )
                    .map(|r| {
@@ -120,8 +122,9 @@ impl Migrations {
                                Error::new(eyre!("{}", e.1), crate::ErrorKind::MigrationFailed)
                            })
                        })
-                    }),
-            )
+                    })
+                    .await
+            })
        } else {
            None
        }
--- a/backend/src/net/dhcp.rs
+++ b/backend/src/net/dhcp.rs
@@ -0,0 +1,79 @@
+use std::collections::{BTreeMap, BTreeSet};
+use std::net::IpAddr;
+
+use futures::TryStreamExt;
+use rpc_toolkit::command;
+use tokio::sync::RwLock;
+
+use crate::context::RpcContext;
+use crate::db::model::IpInfo;
+use crate::net::utils::{iface_is_physical, list_interfaces};
+use crate::util::display_none;
+use crate::Error;
+
+lazy_static::lazy_static! {
+    static ref CACHED_IPS: RwLock<BTreeSet<IpAddr>> = RwLock::new(BTreeSet::new());
+}
+
+async fn _ips() -> Result<BTreeSet<IpAddr>, Error> {
+    Ok(init_ips()
+        .await?
+        .values()
+        .flat_map(|i| {
+            std::iter::empty()
+                .chain(i.ipv4.map(IpAddr::from))
+                .chain(i.ipv6.map(IpAddr::from))
+        })
+        .collect())
+}
+
+pub async fn ips() -> Result<BTreeSet<IpAddr>, Error> {
+    let ips = CACHED_IPS.read().await.clone();
+    if !ips.is_empty() {
+        return Ok(ips);
+    }
+    let ips = _ips().await?;
+    *CACHED_IPS.write().await = ips.clone();
+    Ok(ips)
+}
+
+pub async fn init_ips() -> Result<BTreeMap<String, IpInfo>, Error> {
+    let mut res = BTreeMap::new();
+    let mut ifaces = list_interfaces();
+    while let Some(iface) = ifaces.try_next().await? {
+        if iface_is_physical(&iface).await {
+            let ip_info = IpInfo::for_interface(&iface).await?;
+            res.insert(iface, ip_info);
+        }
+    }
+    Ok(res)
+}
+
+#[command(subcommands(update))]
+pub async fn dhcp() -> Result<(), Error> {
+    Ok(())
+}
+
+#[command(display(display_none))]
+pub async fn update(#[context] ctx: RpcContext, #[arg] interface: String) -> Result<(), Error> {
+    if iface_is_physical(&interface).await {
+        let ip_info = IpInfo::for_interface(&interface).await?;
+        crate::db::DatabaseModel::new()
+            .server_info()
+            .ip_info()
+            .idx_model(&interface)
+            .put(&mut ctx.db.handle(), &ip_info)
+            .await?;
+        let mut cached = CACHED_IPS.write().await;
+        if cached.is_empty() {
+            *cached = _ips().await?;
+        } else {
+            cached.extend(
+                std::iter::empty()
+                    .chain(ip_info.ipv4.map(IpAddr::from))
+                    .chain(ip_info.ipv6.map(IpAddr::from)),
+            );
+        }
+    }
+    Ok(())
+}
--- a/backend/src/net/dns.rs
+++ b/backend/src/net/dns.rs
@@ -1,9 +1,10 @@
 use std::borrow::Borrow;
-use std::collections::{BTreeMap, BTreeSet};
+use std::collections::BTreeMap;
 use std::net::{Ipv4Addr, SocketAddr};
-use std::sync::Arc;
+use std::sync::{Arc, Weak};
 use std::time::Duration;

+use color_eyre::eyre::eyre;
 use futures::TryFutureExt;
 use helpers::NonDetachingJoinHandle;
 use models::PackageId;
@@ -17,34 +18,48 @@ use trust_dns_server::server::{Request, RequestHandler, ResponseHandler, Respons
 use trust_dns_server::ServerFuture;

 use crate::util::Invoke;
-use crate::{Error, ErrorKind, ResultExt, HOST_IP};
+use crate::{Error, ErrorKind, ResultExt};

 pub struct DnsController {
-    services: Arc<RwLock<BTreeMap<PackageId, BTreeSet<Ipv4Addr>>>>,
+    services: Weak<RwLock<BTreeMap<Option<PackageId>, BTreeMap<Ipv4Addr, Weak<()>>>>>,
    #[allow(dead_code)]
    dns_server: NonDetachingJoinHandle<Result<(), Error>>,
 }

 struct Resolver {
-    services: Arc<RwLock<BTreeMap<PackageId, BTreeSet<Ipv4Addr>>>>,
+    services: Arc<RwLock<BTreeMap<Option<PackageId>, BTreeMap<Ipv4Addr, Weak<()>>>>>,
 }
 impl Resolver {
    async fn resolve(&self, name: &Name) -> Option<Vec<Ipv4Addr>> {
        match name.iter().next_back() {
            Some(b"embassy") => {
                if let Some(pkg) = name.iter().rev().skip(1).next() {
-                    if let Some(ip) = self
-                        .services
-                        .read()
-                        .await
-                        .get(std::str::from_utf8(pkg).unwrap_or_default())
-                    {
-                        Some(ip.iter().copied().collect())
+                    if let Some(ip) = self.services.read().await.get(&Some(
+                        std::str::from_utf8(pkg)
+                            .unwrap_or_default()
+                            .parse()
+                            .unwrap_or_default(),
+                    )) {
+                        Some(
+                            ip.iter()
+                                .filter(|(_, rc)| rc.strong_count() > 0)
+                                .map(|(ip, _)| *ip)
+                                .collect(),
+                        )
                    } else {
                        None
                    }
                } else {
-                    Some(vec![HOST_IP.into()])
+                    if let Some(ip) = self.services.read().await.get(&None) {
+                        Some(
+                            ip.iter()
+                                .filter(|(_, rc)| rc.strong_count() > 0)
+                                .map(|(ip, _)| *ip)
+                                .collect(),
+                        )
+                    } else {
+                        None
+                    }
                }
            }
            _ => None,
@@ -61,32 +76,51 @@ impl RequestHandler for Resolver {
    ) -> ResponseInfo {
        let query = request.request_info().query;
        if let Some(ip) = self.resolve(query.name().borrow()).await {
-            if query.query_type() != RecordType::A {
-                tracing::warn!(
-                    "Non A-Record requested for {}: {:?}",
-                    query.name(),
-                    query.query_type()
-                );
+            match query.query_type() {
+                RecordType::A => {
+                    response_handle
+                        .send_response(
+                            MessageResponseBuilder::from_message_request(&*request).build(
+                                Header::response_from_request(request.header()),
+                                &ip.into_iter()
+                                    .map(|ip| {
+                                        Record::from_rdata(
+                                            request.request_info().query.name().to_owned().into(),
+                                            0,
+                                            trust_dns_server::client::rr::RData::A(ip),
+                                        )
+                                    })
+                                    .collect::<Vec<_>>(),
+                                [],
+                                [],
+                                [],
+                            ),
+                        )
+                        .await
+                }
+                a => {
+                    if a != RecordType::AAAA {
+                        tracing::warn!(
+                            "Non A-Record requested for {}: {:?}",
+                            query.name(),
+                            query.query_type()
+                        );
+                    }
+                    let mut res = Header::response_from_request(request.header());
+                    res.set_response_code(ResponseCode::NXDomain);
+                    response_handle
+                        .send_response(
+                            MessageResponseBuilder::from_message_request(&*request).build(
+                                res.into(),
+                                [],
+                                [],
+                                [],
+                                [],
+                            ),
+                        )
+                        .await
+                }
            }
-            response_handle
-                .send_response(
-                    MessageResponseBuilder::from_message_request(&*request).build(
-                        Header::response_from_request(request.header()),
-                        &ip.into_iter()
-                            .map(|ip| {
-                                Record::from_rdata(
-                                    request.request_info().query.name().to_owned().into(),
-                                    0,
-                                    trust_dns_server::client::rr::RData::A(ip),
-                                )
-                            })
-                            .collect::<Vec<_>>(),
-                        [],
-                        [],
-                        [],
-                    ),
-                )
-                .await
        } else {
            let mut res = Header::response_from_request(request.header());
            res.set_response_code(ResponseCode::NXDomain);
@@ -142,24 +176,47 @@ impl DnsController {
        .into();

        Ok(Self {
-            services,
+            services: Arc::downgrade(&services),
            dns_server,
        })
    }

-    pub async fn add(&self, pkg_id: &PackageId, ip: Ipv4Addr) {
-        let mut writable = self.services.write().await;
-        let mut ips = writable.remove(pkg_id).unwrap_or_default();
-        ips.insert(ip);
-        writable.insert(pkg_id.clone(), ips);
+    pub async fn add(&self, pkg_id: Option<PackageId>, ip: Ipv4Addr) -> Result<Arc<()>, Error> {
+        if let Some(services) = Weak::upgrade(&self.services) {
+            let mut writable = services.write().await;
+            let mut ips = writable.remove(&pkg_id).unwrap_or_default();
+            let rc = if let Some(rc) = Weak::upgrade(&ips.remove(&ip).unwrap_or_default()) {
+                rc
+            } else {
+                Arc::new(())
+            };
+            ips.insert(ip, Arc::downgrade(&rc));
+            writable.insert(pkg_id, ips);
+            Ok(rc)
+        } else {
+            Err(Error::new(
+                eyre!("DNS Server Thread has exited"),
+                crate::ErrorKind::Network,
+            ))
+        }
    }

-    pub async fn remove(&self, pkg_id: &PackageId, ip: Ipv4Addr) {
-        let mut writable = self.services.write().await;
-        let mut ips = writable.remove(pkg_id).unwrap_or_default();
-        ips.remove(&ip);
-        if !ips.is_empty() {
-            writable.insert(pkg_id.clone(), ips);
+    pub async fn gc(&self, pkg_id: Option<PackageId>, ip: Ipv4Addr) -> Result<(), Error> {
+        if let Some(services) = Weak::upgrade(&self.services) {
+            let mut writable = services.write().await;
+            let mut ips = writable.remove(&pkg_id).unwrap_or_default();
+            if let Some(rc) = Weak::upgrade(&ips.remove(&ip).unwrap_or_default()) {
+                ips.insert(ip, Arc::downgrade(&rc));
+            }
+            if !ips.is_empty() {
+                writable.insert(pkg_id, ips);
+            }
+            Ok(())
+        } else {
+            Err(Error::new(
+                eyre!("DNS Server Thread has exited"),
+                crate::ErrorKind::Network,
+            ))
        }
    }
 }
--- a/backend/src/net/interface.rs
+++ b/backend/src/net/interface.rs
@@ -1,9 +1,6 @@
 use std::collections::BTreeMap;

-use color_eyre::eyre::eyre;
-use futures::TryStreamExt;
 use indexmap::IndexSet;
-use itertools::Either;
 pub use models::InterfaceId;
 use serde::{Deserialize, Deserializer, Serialize};
 use sqlx::{Executor, Postgres};
@@ -11,7 +8,6 @@ use torut::onion::TorSecretKeyV3;
 use tracing::instrument;

 use crate::db::model::{InterfaceAddressMap, InterfaceAddresses};
-use crate::id::Id;
 use crate::s9pk::manifest::PackageId;
 use crate::util::serde::Port;
 use crate::{Error, ResultExt};
@@ -81,36 +77,6 @@ impl Interfaces {
        }
        Ok(interface_addresses)
    }
-
-    #[instrument(skip(secrets))]
-    pub async fn tor_keys<Ex>(
-        &self,
-        secrets: &mut Ex,
-        package_id: &PackageId,
-    ) -> Result<BTreeMap<InterfaceId, TorSecretKeyV3>, Error>
-    where
-        for<'a> &'a mut Ex: Executor<'a, Database = Postgres>,
-    {
-        Ok(sqlx::query!(
-            "SELECT interface, key FROM tor WHERE package = $1",
-            **package_id
-        )
-        .fetch_many(secrets)
-        .map_err(Error::from)
-        .try_filter_map(|qr| async move {
-            Ok(if let Either::Right(r) = qr {
-                let mut buf = [0; 64];
-                buf.clone_from_slice(r.key.get(0..64).ok_or_else(|| {
-                    Error::new(eyre!("Invalid Tor Key Length"), crate::ErrorKind::Database)
-                })?);
-                Some((InterfaceId::from(Id::try_from(r.interface)?), buf.into()))
-            } else {
-                None
-            })
-        })
-        .try_collect()
-        .await?)
-    }
 }

 #[derive(Clone, Debug, Deserialize, Serialize)]
--- a/backend/src/net/keys.rs
+++ b/backend/src/net/keys.rs
@@ -0,0 +1,272 @@
+use color_eyre::eyre::eyre;
+use ed25519_dalek::{ExpandedSecretKey, SecretKey};
+use models::{Id, InterfaceId, PackageId};
+use openssl::pkey::{PKey, Private};
+use openssl::sha::Sha256;
+use openssl::x509::X509;
+use p256::elliptic_curve::pkcs8::EncodePrivateKey;
+use sqlx::PgExecutor;
+use ssh_key::private::Ed25519PrivateKey;
+use torut::onion::{OnionAddressV3, TorSecretKeyV3};
+use zeroize::Zeroize;
+
+use crate::net::ssl::CertPair;
+use crate::Error;
+
+// TODO: delete once we may change tor addresses
+async fn compat(
+    secrets: impl PgExecutor<'_>,
+    interface: &Option<(PackageId, InterfaceId)>,
+) -> Result<Option<ExpandedSecretKey>, Error> {
+    if let Some((package, interface)) = interface {
+        if let Some(r) = sqlx::query!(
+            "SELECT key FROM tor WHERE package = $1 AND interface = $2",
+            **package,
+            **interface
+        )
+        .fetch_optional(secrets)
+        .await?
+        {
+            Ok(Some(ExpandedSecretKey::from_bytes(&r.key)?))
+        } else {
+            Ok(None)
+        }
+    } else {
+        if let Some(key) = sqlx::query!("SELECT tor_key FROM account WHERE id = 0")
+            .fetch_one(secrets)
+            .await?
+            .tor_key
+        {
+            Ok(Some(ExpandedSecretKey::from_bytes(&key)?))
+        } else {
+            Ok(None)
+        }
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
+pub struct Key {
+    interface: Option<(PackageId, InterfaceId)>,
+    base: [u8; 32],
+    tor_key: [u8; 64], // Does NOT necessarily match base
+}
+impl Key {
+    pub fn interface(&self) -> Option<(PackageId, InterfaceId)> {
+        self.interface.clone()
+    }
+    pub fn as_bytes(&self) -> [u8; 32] {
+        self.base
+    }
+    pub fn internal_address(&self) -> String {
+        self.interface
+            .as_ref()
+            .map(|(pkg_id, _)| format!("{}.embassy", pkg_id))
+            .unwrap_or_else(|| "embassy".to_owned())
+    }
+    pub fn tor_key(&self) -> TorSecretKeyV3 {
+        ed25519_dalek::ExpandedSecretKey::from_bytes(&self.tor_key)
+            .unwrap()
+            .to_bytes()
+            .into()
+    }
+    pub fn tor_address(&self) -> OnionAddressV3 {
+        self.tor_key().public().get_onion_address()
+    }
+    pub fn base_address(&self) -> String {
+        self.tor_key()
+            .public()
+            .get_onion_address()
+            .get_address_without_dot_onion()
+    }
+    pub fn local_address(&self) -> String {
+        self.base_address() + ".local"
+    }
+    pub fn openssl_key_ed25519(&self) -> PKey<Private> {
+        PKey::private_key_from_raw_bytes(&self.base, openssl::pkey::Id::ED25519).unwrap()
+    }
+    pub fn openssl_key_nistp256(&self) -> PKey<Private> {
+        let mut buf = self.base;
+        loop {
+            if let Ok(k) = p256::SecretKey::from_be_bytes(&buf) {
+                return PKey::private_key_from_pkcs8(&*k.to_pkcs8_der().unwrap().as_bytes())
+                    .unwrap();
+            }
+            let mut sha = Sha256::new();
+            sha.update(&buf);
+            buf = sha.finish();
+        }
+    }
+    pub fn ssh_key(&self) -> Ed25519PrivateKey {
+        Ed25519PrivateKey::from_bytes(&self.base)
+    }
+    pub(crate) fn from_pair(
+        interface: Option<(PackageId, InterfaceId)>,
+        bytes: [u8; 32],
+        tor_key: [u8; 64],
+    ) -> Self {
+        Self {
+            interface,
+            tor_key,
+            base: bytes,
+        }
+    }
+    pub fn from_bytes(interface: Option<(PackageId, InterfaceId)>, bytes: [u8; 32]) -> Self {
+        Self::from_pair(
+            interface,
+            bytes,
+            ExpandedSecretKey::from(&SecretKey::from_bytes(&bytes).unwrap()).to_bytes(),
+        )
+    }
+    pub fn new(interface: Option<(PackageId, InterfaceId)>) -> Self {
+        Self::from_bytes(interface, rand::random())
+    }
+    pub(super) fn with_certs(self, certs: CertPair, int: X509, root: X509) -> KeyInfo {
+        KeyInfo {
+            key: self,
+            certs,
+            int,
+            root,
+        }
+    }
+    pub async fn for_package(
+        secrets: impl PgExecutor<'_>,
+        package: &PackageId,
+    ) -> Result<Vec<Self>, Error> {
+        sqlx::query!(
+            r#"
+                SELECT
+                    network_keys.package,
+                    network_keys.interface,
+                    network_keys.key,
+                    tor.key AS "tor_key?"
+                FROM
+                    network_keys
+                LEFT JOIN
+                    tor
+                ON
+                    network_keys.package = tor.package
+                AND
+                    network_keys.interface = tor.interface
+                WHERE
+                    network_keys.package = $1
+            "#,
+            **package
+        )
+        .fetch_all(secrets)
+        .await?
+        .into_iter()
+        .map(|row| {
+            let interface = Some((
+                package.clone(),
+                InterfaceId::from(Id::try_from(row.interface)?),
+            ));
+            let bytes = row.key.try_into().map_err(|e: Vec<u8>| {
+                Error::new(
+                    eyre!("Invalid length for network key {} expected 32", e.len()),
+                    crate::ErrorKind::Database,
+                )
+            })?;
+            Ok(match row.tor_key {
+                Some(tor_key) => Key::from_pair(
+                    interface,
+                    bytes,
+                    tor_key.try_into().map_err(|e: Vec<u8>| {
+                        Error::new(
+                            eyre!("Invalid length for tor key {} expected 64", e.len()),
+                            crate::ErrorKind::Database,
+                        )
+                    })?,
+                ),
+                None => Key::from_bytes(interface, bytes),
+            })
+        })
+        .collect()
+    }
+    pub async fn for_interface<Ex>(
+        secrets: &mut Ex,
+        interface: Option<(PackageId, InterfaceId)>,
+    ) -> Result<Self, Error>
+    where
+        for<'a> &'a mut Ex: PgExecutor<'a>,
+    {
+        let tentative = rand::random::<[u8; 32]>();
+        let actual = if let Some((pkg, iface)) = &interface {
+            let k = tentative.as_slice();
+            let actual = sqlx::query!(
+                "INSERT INTO network_keys (package, interface, key) VALUES ($1, $2, $3) ON CONFLICT (package, interface) DO UPDATE SET package = EXCLUDED.package RETURNING key",
+                **pkg,
+                **iface,
+                k,
+            )
+            .fetch_one(&mut *secrets)
+            .await?.key;
+            let mut bytes = tentative;
+            bytes.clone_from_slice(actual.get(0..32).ok_or_else(|| {
+                Error::new(
+                    eyre!("Invalid key size returned from DB"),
+                    crate::ErrorKind::Database,
+                )
+            })?);
+            bytes
+        } else {
+            let actual = sqlx::query!("SELECT network_key FROM account WHERE id = 0")
+                .fetch_one(&mut *secrets)
+                .await?
+                .network_key;
+            let mut bytes = tentative;
+            bytes.clone_from_slice(actual.get(0..32).ok_or_else(|| {
+                Error::new(
+                    eyre!("Invalid key size returned from DB"),
+                    crate::ErrorKind::Database,
+                )
+            })?);
+            bytes
+        };
+        let mut res = Self::from_bytes(interface, actual);
+        if let Some(tor_key) = compat(secrets, &res.interface).await? {
+            res.tor_key = tor_key.to_bytes();
+        }
+        Ok(res)
+    }
+}
+impl Drop for Key {
+    fn drop(&mut self) {
+        self.base.zeroize();
+        self.tor_key.zeroize();
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
+pub struct KeyInfo {
+    key: Key,
+    certs: CertPair,
+    int: X509,
+    root: X509,
+}
+impl KeyInfo {
+    pub fn key(&self) -> &Key {
+        &self.key
+    }
+    pub fn certs(&self) -> &CertPair {
+        &self.certs
+    }
+    pub fn int_ca(&self) -> &X509 {
+        &self.int
+    }
+    pub fn root_ca(&self) -> &X509 {
+        &self.root
+    }
+    pub fn fullchain_ed25519(&self) -> Vec<&X509> {
+        vec![&self.certs.ed25519, &self.int, &self.root]
+    }
+    pub fn fullchain_nistp256(&self) -> Vec<&X509> {
+        vec![&self.certs.nistp256, &self.int, &self.root]
+    }
+}
+
+#[test]
+pub fn test_keygen() {
+    let key = Key::new(None);
+    key.tor_key();
+    key.openssl_key_nistp256();
+}
--- a/backend/src/net/mdns.rs
+++ b/backend/src/net/mdns.rs
@@ -1,13 +1,11 @@
 use std::collections::BTreeMap;
 use std::net::Ipv4Addr;
+use std::sync::{Arc, Weak};

 use color_eyre::eyre::eyre;
 use tokio::process::{Child, Command};
 use tokio::sync::Mutex;
-use torut::onion::TorSecretKeyV3;

-use super::interface::InterfaceId;
-use crate::s9pk::manifest::PackageId;
 use crate::util::Invoke;
 use crate::{Error, ResultExt};

@@ -39,25 +37,17 @@ impl MdnsController {
            MdnsControllerInner::init().await?,
        )))
    }
-    pub async fn add<'a, I: IntoIterator<Item = (InterfaceId, TorSecretKeyV3)>>(
-        &self,
-        pkg_id: &PackageId,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        self.0.lock().await.add(pkg_id, interfaces).await
+    pub async fn add(&self, alias: String) -> Result<Arc<()>, Error> {
+        self.0.lock().await.add(alias).await
    }
-    pub async fn remove<I: IntoIterator<Item = InterfaceId>>(
-        &self,
-        pkg_id: &PackageId,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        self.0.lock().await.remove(pkg_id, interfaces).await
+    pub async fn gc(&self, alias: String) -> Result<(), Error> {
+        self.0.lock().await.gc(alias).await
    }
 }

 pub struct MdnsControllerInner {
    alias_cmd: Option<Child>,
-    services: BTreeMap<(PackageId, InterfaceId), TorSecretKeyV3>,
+    services: BTreeMap<String, Weak<()>>,
 }

 impl MdnsControllerInner {
@@ -76,35 +66,30 @@ impl MdnsControllerInner {
        self.alias_cmd = Some(
            Command::new("avahi-alias")
                .kill_on_drop(true)
-                .args(self.services.iter().map(|(_, key)| {
-                    key.public()
-                        .get_onion_address()
-                        .get_address_without_dot_onion()
-                }))
+                .args(
+                    self.services
+                        .iter()
+                        .filter(|(_, rc)| rc.strong_count() > 0)
+                        .map(|(s, _)| s),
+                )
                .spawn()?,
        );
        Ok(())
    }
-    async fn add<'a, I: IntoIterator<Item = (InterfaceId, TorSecretKeyV3)>>(
-        &mut self,
-        pkg_id: &PackageId,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        self.services.extend(
-            interfaces
-                .into_iter()
-                .map(|(interface_id, key)| ((pkg_id.clone(), interface_id), key)),
-        );
+    async fn add(&mut self, alias: String) -> Result<Arc<()>, Error> {
+        let rc = if let Some(rc) = Weak::upgrade(&self.services.remove(&alias).unwrap_or_default())
+        {
+            rc
+        } else {
+            Arc::new(())
+        };
+        self.services.insert(alias, Arc::downgrade(&rc));
        self.sync().await?;
-        Ok(())
+        Ok(rc)
    }
-    async fn remove<I: IntoIterator<Item = InterfaceId>>(
-        &mut self,
-        pkg_id: &PackageId,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        for interface_id in interfaces {
-            self.services.remove(&(pkg_id.clone(), interface_id));
+    async fn gc(&mut self, alias: String) -> Result<(), Error> {
+        if let Some(rc) = Weak::upgrade(&self.services.remove(&alias).unwrap_or_default()) {
+            self.services.insert(alias, Arc::downgrade(&rc));
        }
        self.sync().await?;
        Ok(())
--- a/backend/src/net/mod.rs
+++ b/backend/src/net/mod.rs
@@ -1,196 +1,33 @@
-use std::net::{Ipv4Addr, SocketAddr};
-use std::path::PathBuf;
+use std::sync::Arc;

-use openssl::pkey::{PKey, Private};
-use openssl::x509::X509;
-use patch_db::DbHandle;
+use futures::future::BoxFuture;
+use hyper::{Body, Error as HyperError, Request, Response};
 use rpc_toolkit::command;
-use sqlx::PgPool;
-use torut::onion::{OnionAddressV3, TorSecretKeyV3};
-use tracing::instrument;

-use self::interface::{Interface, InterfaceId};
-#[cfg(feature = "avahi")]
-use self::mdns::MdnsController;
-use self::nginx::NginxController;
-use self::ssl::SslManager;
-use self::tor::TorController;
-use crate::hostname::get_hostname;
-use crate::net::dns::DnsController;
-use crate::net::interface::TorConfig;
-use crate::net::nginx::InterfaceMetadata;
-use crate::s9pk::manifest::PackageId;
 use crate::Error;

+pub mod dhcp;
 pub mod dns;
 pub mod interface;
+pub mod keys;
 #[cfg(feature = "avahi")]
 pub mod mdns;
-pub mod nginx;
+pub mod net_controller;
 pub mod ssl;
+pub mod static_server;
 pub mod tor;
+pub mod utils;
+pub mod vhost;
+pub mod web_server;
 pub mod wifi;

-const PACKAGE_CERT_PATH: &str = "/var/lib/embassy/ssl";
+pub const PACKAGE_CERT_PATH: &str = "/var/lib/embassy/ssl";

-#[command(subcommands(tor::tor))]
+#[command(subcommands(tor::tor, dhcp::dhcp))]
 pub fn net() -> Result<(), Error> {
    Ok(())
 }

-/// Indicates that the net controller has created the
-/// SSL keys
-#[derive(Clone, Copy)]
-pub struct GeneratedCertificateMountPoint(());
-
-pub struct NetController {
-    pub tor: TorController,
-    #[cfg(feature = "avahi")]
-    pub mdns: MdnsController,
-    pub nginx: NginxController,
-    pub ssl: SslManager,
-    pub dns: DnsController,
-}
-impl NetController {
-    #[instrument(skip(db, handle))]
-    pub async fn init<Db: DbHandle>(
-        embassyd_addr: SocketAddr,
-        embassyd_tor_key: TorSecretKeyV3,
-        tor_control: SocketAddr,
-        dns_bind: &[SocketAddr],
-        db: PgPool,
-        import_root_ca: Option<(PKey<Private>, X509)>,
-        handle: &mut Db,
-    ) -> Result<Self, Error> {
-        let ssl = match import_root_ca {
-            None => SslManager::init(db, handle).await,
-            Some(a) => SslManager::import_root_ca(db, a.0, a.1).await,
-        }?;
-        let hostname = get_hostname(handle).await?;
-        Ok(Self {
-            tor: TorController::init(embassyd_addr, embassyd_tor_key, tor_control).await?,
-            #[cfg(feature = "avahi")]
-            mdns: MdnsController::init().await?,
-            nginx: NginxController::init(PathBuf::from("/etc/nginx"), &ssl, &hostname).await?,
-            ssl,
-            dns: DnsController::init(dns_bind).await?,
-        })
-    }
-
-    pub fn ssl_directory_for(pkg_id: &PackageId) -> PathBuf {
-        PathBuf::from(format!("{}/{}", PACKAGE_CERT_PATH, pkg_id))
-    }
-
-    #[instrument(skip(self, interfaces, _generated_certificate))]
-    pub async fn add<'a, I>(
-        &self,
-        pkg_id: &PackageId,
-        ip: Ipv4Addr,
-        interfaces: I,
-        _generated_certificate: GeneratedCertificateMountPoint,
-    ) -> Result<(), Error>
-    where
-        I: IntoIterator<Item = (InterfaceId, &'a Interface, TorSecretKeyV3)> + Clone,
-        for<'b> &'b I: IntoIterator<Item = &'b (InterfaceId, &'a Interface, TorSecretKeyV3)>,
-    {
-        let interfaces_tor = interfaces
-            .clone()
-            .into_iter()
-            .filter_map(|i| match i.1.tor_config.clone() {
-                None => None,
-                Some(cfg) => Some((i.0, cfg, i.2)),
-            })
-            .collect::<Vec<(InterfaceId, TorConfig, TorSecretKeyV3)>>();
-        let (tor_res, _, nginx_res, _) = tokio::join!(
-            self.tor.add(pkg_id, ip, interfaces_tor),
-            {
-                #[cfg(feature = "avahi")]
-                let mdns_fut = self.mdns.add(
-                    pkg_id,
-                    interfaces
-                        .clone()
-                        .into_iter()
-                        .map(|(interface_id, _, key)| (interface_id, key)),
-                );
-                #[cfg(not(feature = "avahi"))]
-                let mdns_fut = futures::future::ready(());
-                mdns_fut
-            },
-            {
-                let interfaces = interfaces
-                    .into_iter()
-                    .filter_map(|(id, interface, tor_key)| match &interface.lan_config {
-                        None => None,
-                        Some(cfg) => Some((
-                            id,
-                            InterfaceMetadata {
-                                dns_base: OnionAddressV3::from(&tor_key.public())
-                                    .get_address_without_dot_onion(),
-                                lan_config: cfg.clone(),
-                                protocols: interface.protocols.clone(),
-                            },
-                        )),
-                    });
-                self.nginx.add(&self.ssl, pkg_id.clone(), ip, interfaces)
-            },
-            self.dns.add(pkg_id, ip),
-        );
-        tor_res?;
-        nginx_res?;
-
-        Ok(())
-    }
-
-    #[instrument(skip(self, interfaces))]
-    pub async fn remove<I: IntoIterator<Item = InterfaceId> + Clone>(
-        &self,
-        pkg_id: &PackageId,
-        ip: Ipv4Addr,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        let (tor_res, _, nginx_res, _) = tokio::join!(
-            self.tor.remove(pkg_id, interfaces.clone()),
-            {
-                #[cfg(feature = "avahi")]
-                let mdns_fut = self.mdns.remove(pkg_id, interfaces);
-                #[cfg(not(feature = "avahi"))]
-                let mdns_fut = futures::future::ready(());
-                mdns_fut
-            },
-            self.nginx.remove(pkg_id),
-            self.dns.remove(pkg_id, ip),
-        );
-        tor_res?;
-        nginx_res?;
-        Ok(())
-    }
-
-    pub async fn generate_certificate_mountpoint<'a, I>(
-        &self,
-        pkg_id: &PackageId,
-        interfaces: &I,
-    ) -> Result<GeneratedCertificateMountPoint, Error>
-    where
-        I: IntoIterator<Item = (InterfaceId, &'a Interface, TorSecretKeyV3)> + Clone,
-        for<'b> &'b I: IntoIterator<Item = &'b (InterfaceId, &'a Interface, TorSecretKeyV3)>,
-    {
-        tracing::info!("Generating SSL Certificate mountpoints for {}", pkg_id);
-        let package_path = PathBuf::from(PACKAGE_CERT_PATH).join(pkg_id);
-        tokio::fs::create_dir_all(&package_path).await?;
-        for (id, _, key) in interfaces {
-            let dns_base = OnionAddressV3::from(&key.public()).get_address_without_dot_onion();
-            let ssl_path_key = package_path.join(format!("{}.key.pem", id));
-            let ssl_path_cert = package_path.join(format!("{}.cert.pem", id));
-            let (key, chain) = self.ssl.certificate_for(&dns_base, pkg_id).await?;
-            tokio::try_join!(
-                crate::net::ssl::export_key(&key, &ssl_path_key),
-                crate::net::ssl::export_cert(&chain, &ssl_path_cert)
-            )?;
-        }
-        Ok(GeneratedCertificateMountPoint(()))
-    }
-
-    pub async fn export_root_ca(&self) -> Result<(PKey<Private>, X509), Error> {
-        self.ssl.export_root_ca().await
-    }
-}
+pub type HttpHandler = Arc<
+    dyn Fn(Request<Body>) -> BoxFuture<'static, Result<Response<Body>, HyperError>> + Send + Sync,
+>;
--- a/backend/src/net/net_controller.rs
+++ b/backend/src/net/net_controller.rs
@@ -0,0 +1,361 @@
+use std::collections::BTreeMap;
+use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+use std::sync::{Arc, Weak};
+
+use color_eyre::eyre::eyre;
+use models::InterfaceId;
+use sqlx::PgExecutor;
+use tracing::instrument;
+
+use crate::error::ErrorCollection;
+use crate::hostname::Hostname;
+use crate::net::dns::DnsController;
+use crate::net::keys::Key;
+#[cfg(feature = "avahi")]
+use crate::net::mdns::MdnsController;
+use crate::net::ssl::{export_cert, export_key, SslManager};
+use crate::net::tor::TorController;
+use crate::net::vhost::VHostController;
+use crate::s9pk::manifest::PackageId;
+use crate::volume::cert_dir;
+use crate::{Error, HOST_IP};
+
+pub struct NetController {
+    pub(super) tor: TorController,
+    #[cfg(feature = "avahi")]
+    pub(super) mdns: MdnsController,
+    pub(super) vhost: VHostController,
+    pub(super) dns: DnsController,
+    pub(super) ssl: Arc<SslManager>,
+    pub(super) os_bindings: Vec<Arc<()>>,
+}
+
+impl NetController {
+    #[instrument]
+    pub async fn init(
+        tor_control: SocketAddr,
+        dns_bind: &[SocketAddr],
+        ssl: SslManager,
+        hostname: &Hostname,
+        os_key: &Key,
+    ) -> Result<Self, Error> {
+        let ssl = Arc::new(ssl);
+        let mut res = Self {
+            tor: TorController::init(tor_control).await?,
+            #[cfg(feature = "avahi")]
+            mdns: MdnsController::init().await?,
+            vhost: VHostController::new(ssl.clone()),
+            dns: DnsController::init(dns_bind).await?,
+            ssl,
+            os_bindings: Vec::new(),
+        };
+        res.add_os_bindings(hostname, os_key).await?;
+        Ok(res)
+    }
+
+    async fn add_os_bindings(&mut self, hostname: &Hostname, key: &Key) -> Result<(), Error> {
+        // Internal DNS
+        self.vhost
+            .add(
+                key.clone(),
+                Some("embassy".into()),
+                443,
+                ([127, 0, 0, 1], 80).into(),
+                false,
+            )
+            .await?;
+        self.os_bindings
+            .push(self.dns.add(None, HOST_IP.into()).await?);
+
+        // LAN IP
+        self.os_bindings.push(
+            self.vhost
+                .add(key.clone(), None, 443, ([127, 0, 0, 1], 80).into(), false)
+                .await?,
+        );
+
+        // localhost
+        self.os_bindings.push(
+            self.vhost
+                .add(
+                    key.clone(),
+                    Some("localhost".into()),
+                    443,
+                    ([127, 0, 0, 1], 80).into(),
+                    false,
+                )
+                .await?,
+        );
+        self.os_bindings.push(
+            self.vhost
+                .add(
+                    key.clone(),
+                    Some(hostname.no_dot_host_name()),
+                    443,
+                    ([127, 0, 0, 1], 80).into(),
+                    false,
+                )
+                .await?,
+        );
+
+        // LAN mDNS
+        self.os_bindings.push(
+            self.vhost
+                .add(
+                    key.clone(),
+                    Some(hostname.local_domain_name()),
+                    443,
+                    ([127, 0, 0, 1], 80).into(),
+                    false,
+                )
+                .await?,
+        );
+
+        // Tor (http)
+        self.os_bindings.push(
+            self.tor
+                .add(&key.tor_key(), 80, ([127, 0, 0, 1], 80).into())
+                .await?,
+        );
+
+        // Tor (https)
+        self.os_bindings.push(
+            self.vhost
+                .add(
+                    key.clone(),
+                    Some(key.tor_address().to_string()),
+                    443,
+                    ([127, 0, 0, 1], 80).into(),
+                    false,
+                )
+                .await?,
+        );
+        self.os_bindings.push(
+            self.tor
+                .add(&key.tor_key(), 443, ([127, 0, 0, 1], 443).into())
+                .await?,
+        );
+
+        Ok(())
+    }
+
+    #[instrument(skip(self))]
+    pub async fn create_service(
+        self: &Arc<Self>,
+        package: PackageId,
+        ip: Ipv4Addr,
+    ) -> Result<NetService, Error> {
+        let dns = self.dns.add(Some(package.clone()), ip).await?;
+
+        Ok(NetService {
+            id: package,
+            ip,
+            dns,
+            controller: Arc::downgrade(self),
+            tor: BTreeMap::new(),
+            lan: BTreeMap::new(),
+        })
+    }
+
+    async fn add_tor(
+        &self,
+        key: &Key,
+        external: u16,
+        target: SocketAddr,
+    ) -> Result<Vec<Arc<()>>, Error> {
+        let mut rcs = Vec::with_capacity(1);
+        rcs.push(self.tor.add(&key.tor_key(), external, target).await?);
+        Ok(rcs)
+    }
+
+    async fn remove_tor(&self, key: &Key, external: u16, rcs: Vec<Arc<()>>) -> Result<(), Error> {
+        drop(rcs);
+        self.tor.gc(&key.tor_key(), external).await
+    }
+
+    async fn add_lan(
+        &self,
+        key: Key,
+        external: u16,
+        target: SocketAddr,
+        connect_ssl: bool,
+    ) -> Result<Vec<Arc<()>>, Error> {
+        let mut rcs = Vec::with_capacity(2);
+        rcs.push(
+            self.vhost
+                .add(
+                    key.clone(),
+                    Some(key.local_address()),
+                    external,
+                    target.into(),
+                    connect_ssl,
+                )
+                .await?,
+        );
+        #[cfg(feature = "avahi")]
+        rcs.push(self.mdns.add(key.base_address()).await?);
+        Ok(rcs)
+    }
+
+    async fn remove_lan(&self, key: &Key, external: u16, rcs: Vec<Arc<()>>) -> Result<(), Error> {
+        drop(rcs);
+        #[cfg(feature = "avahi")]
+        self.mdns.gc(key.base_address()).await?;
+        self.vhost.gc(Some(key.local_address()), external).await
+    }
+}
+
+pub struct NetService {
+    id: PackageId,
+    ip: Ipv4Addr,
+    dns: Arc<()>,
+    controller: Weak<NetController>,
+    tor: BTreeMap<(InterfaceId, u16), (Key, Vec<Arc<()>>)>,
+    lan: BTreeMap<(InterfaceId, u16), (Key, Vec<Arc<()>>)>,
+}
+impl NetService {
+    fn net_controller(&self) -> Result<Arc<NetController>, Error> {
+        Weak::upgrade(&self.controller).ok_or_else(|| {
+            Error::new(
+                eyre!("NetController is shutdown"),
+                crate::ErrorKind::Network,
+            )
+        })
+    }
+    pub async fn add_tor<Ex>(
+        &mut self,
+        secrets: &mut Ex,
+        id: InterfaceId,
+        external: u16,
+        internal: u16,
+    ) -> Result<(), Error>
+    where
+        for<'a> &'a mut Ex: PgExecutor<'a>,
+    {
+        let key = Key::for_interface(secrets, Some((self.id.clone(), id.clone()))).await?;
+        let ctrl = self.net_controller()?;
+        let tor_idx = (id, external);
+        let mut tor = self
+            .tor
+            .remove(&tor_idx)
+            .unwrap_or_else(|| (key.clone(), Vec::new()));
+        tor.1.append(
+            &mut ctrl
+                .add_tor(&key, external, SocketAddr::new(self.ip.into(), internal))
+                .await?,
+        );
+        self.tor.insert(tor_idx, tor);
+        Ok(())
+    }
+    pub async fn remove_tor(&mut self, id: InterfaceId, external: u16) -> Result<(), Error> {
+        let ctrl = self.net_controller()?;
+        if let Some((key, rcs)) = self.tor.remove(&(id, external)) {
+            ctrl.remove_tor(&key, external, rcs).await?;
+        }
+        Ok(())
+    }
+    pub async fn add_lan<Ex>(
+        &mut self,
+        secrets: &mut Ex,
+        id: InterfaceId,
+        external: u16,
+        internal: u16,
+        connect_ssl: bool,
+    ) -> Result<(), Error>
+    where
+        for<'a> &'a mut Ex: PgExecutor<'a>,
+    {
+        let key = Key::for_interface(secrets, Some((self.id.clone(), id.clone()))).await?;
+        let ctrl = self.net_controller()?;
+        let lan_idx = (id, external);
+        let mut lan = self
+            .lan
+            .remove(&lan_idx)
+            .unwrap_or_else(|| (key.clone(), Vec::new()));
+        lan.1.append(
+            &mut ctrl
+                .add_lan(
+                    key,
+                    external,
+                    SocketAddr::new(self.ip.into(), internal),
+                    connect_ssl,
+                )
+                .await?,
+        );
+        self.lan.insert(lan_idx, lan);
+        Ok(())
+    }
+    pub async fn remove_lan(&mut self, id: InterfaceId, external: u16) -> Result<(), Error> {
+        let ctrl = self.net_controller()?;
+        if let Some((key, rcs)) = self.lan.remove(&(id, external)) {
+            ctrl.remove_lan(&key, external, rcs).await?;
+        }
+        Ok(())
+    }
+    pub async fn export_cert<Ex>(
+        &self,
+        secrets: &mut Ex,
+        id: &InterfaceId,
+        ip: IpAddr,
+    ) -> Result<(), Error>
+    where
+        for<'a> &'a mut Ex: PgExecutor<'a>,
+    {
+        let key = Key::for_interface(secrets, Some((self.id.clone(), id.clone()))).await?;
+        let ctrl = self.net_controller()?;
+        let cert = ctrl.ssl.with_certs(key, ip).await?;
+        let cert_dir = cert_dir(&self.id, id);
+        tokio::fs::create_dir_all(&cert_dir).await?;
+        export_key(
+            &cert.key().openssl_key_nistp256(),
+            &cert_dir.join(format!("{id}.key.pem")),
+        )
+        .await?;
+        export_cert(
+            &cert.fullchain_nistp256(),
+            &cert_dir.join(format!("{id}.cert.pem")),
+        )
+        .await?; // TODO: can upgrade to ed25519?
+        Ok(())
+    }
+    pub async fn remove_all(mut self) -> Result<(), Error> {
+        let mut errors = ErrorCollection::new();
+        if let Some(ctrl) = Weak::upgrade(&self.controller) {
+            for ((_, external), (key, rcs)) in std::mem::take(&mut self.lan) {
+                errors.handle(ctrl.remove_lan(&key, external, rcs).await);
+            }
+            for ((_, external), (key, rcs)) in std::mem::take(&mut self.tor) {
+                errors.handle(ctrl.remove_tor(&key, external, rcs).await);
+            }
+            std::mem::take(&mut self.dns);
+            errors.handle(ctrl.dns.gc(Some(self.id.clone()), self.ip).await);
+            self.ip = Ipv4Addr::new(0, 0, 0, 0);
+            errors.into_result()
+        } else {
+            Err(Error::new(
+                eyre!("NetController is shutdown"),
+                crate::ErrorKind::Network,
+            ))
+        }
+    }
+}
+
+impl Drop for NetService {
+    fn drop(&mut self) {
+        if self.ip != Ipv4Addr::new(0, 0, 0, 0) {
+            tracing::debug!("Dropping NetService for {}", self.id);
+            let svc = std::mem::replace(
+                self,
+                NetService {
+                    id: Default::default(),
+                    ip: Ipv4Addr::new(0, 0, 0, 0),
+                    dns: Default::default(),
+                    controller: Default::default(),
+                    tor: Default::default(),
+                    lan: Default::default(),
+                },
+            );
+            tokio::spawn(async move { svc.remove_all().await.unwrap() });
+        }
+    }
+}
--- a/backend/src/net/nginx.conf.template
+++ b/backend/src/net/nginx.conf.template
@@ -1,19 +0,0 @@
-server {{
-    listen {listen_args};
-    listen [::]:{listen_args_ipv6};
-    server_name .{hostname}.local;
-    {ssl_certificate_line}
-    {ssl_certificate_key_line}
-    location / {{
-        proxy_pass http://{app_ip}:{internal_port}/;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        client_max_body_size 0;
-        proxy_request_buffering off;
-        proxy_buffering off;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-        {proxy_redirect_directive}
-    }}
-}}
--- a/backend/src/net/nginx.rs
+++ b/backend/src/net/nginx.rs
@@ -1,254 +0,0 @@
-use std::collections::BTreeMap;
-use std::net::Ipv4Addr;
-use std::path::{Path, PathBuf};
-
-use futures::FutureExt;
-use indexmap::IndexSet;
-use tokio::sync::Mutex;
-use tracing::instrument;
-
-use super::interface::{InterfaceId, LanPortConfig};
-use super::ssl::SslManager;
-use crate::hostname::Hostname;
-use crate::s9pk::manifest::PackageId;
-use crate::util::serde::Port;
-use crate::util::Invoke;
-use crate::{Error, ErrorKind, ResultExt};
-
-pub struct NginxController {
-    pub nginx_root: PathBuf,
-    inner: Mutex<NginxControllerInner>,
-}
-impl NginxController {
-    pub async fn init(
-        nginx_root: PathBuf,
-        ssl_manager: &SslManager,
-        host_name: &Hostname,
-    ) -> Result<Self, Error> {
-        Ok(NginxController {
-            inner: Mutex::new(
-                NginxControllerInner::init(&nginx_root, ssl_manager, host_name).await?,
-            ),
-            nginx_root,
-        })
-    }
-    pub async fn add<I: IntoIterator<Item = (InterfaceId, InterfaceMetadata)>>(
-        &self,
-        ssl_manager: &SslManager,
-        package: PackageId,
-        ipv4: Ipv4Addr,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        self.inner
-            .lock()
-            .await
-            .add(&self.nginx_root, ssl_manager, package, ipv4, interfaces)
-            .await
-    }
-    pub async fn remove(&self, package: &PackageId) -> Result<(), Error> {
-        self.inner
-            .lock()
-            .await
-            .remove(&self.nginx_root, package)
-            .await
-    }
-}
-
-pub struct NginxControllerInner {
-    interfaces: BTreeMap<PackageId, PackageNetInfo>,
-}
-impl NginxControllerInner {
-    #[instrument]
-    async fn init(
-        nginx_root: &Path,
-        ssl_manager: &SslManager,
-        host_name: &Hostname,
-    ) -> Result<Self, Error> {
-        let inner = NginxControllerInner {
-            interfaces: BTreeMap::new(),
-        };
-        // write main ssl key/cert to fs location
-        let (key, cert) = ssl_manager
-            .certificate_for(host_name.as_ref(), &"embassy".parse().unwrap())
-            .await?;
-        let ssl_path_key = nginx_root.join(format!("ssl/embassy_main.key.pem"));
-        let ssl_path_cert = nginx_root.join(format!("ssl/embassy_main.cert.pem"));
-        tokio::try_join!(
-            crate::net::ssl::export_key(&key, &ssl_path_key),
-            crate::net::ssl::export_cert(&cert, &ssl_path_cert),
-        )?;
-        Ok(inner)
-    }
-    #[instrument(skip(self, interfaces))]
-    async fn add<I: IntoIterator<Item = (InterfaceId, InterfaceMetadata)>>(
-        &mut self,
-        nginx_root: &Path,
-        ssl_manager: &SslManager,
-        package: PackageId,
-        ipv4: Ipv4Addr,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        let interface_map = interfaces
-            .into_iter()
-            .filter(|(_, meta)| {
-                // don't add nginx stuff for anything we can't connect to over some flavor of http
-                (meta.protocols.contains("http") || meta.protocols.contains("https"))
-                // also don't add nginx unless it has at least one exposed port
-                        && meta.lan_config.len() > 0
-            })
-            .collect::<BTreeMap<InterfaceId, InterfaceMetadata>>();
-
-        for (id, meta) in interface_map.iter() {
-            for (port, lan_port_config) in meta.lan_config.iter() {
-                // get ssl certificate chain
-                let (
-                    listen_args,
-                    ssl_certificate_line,
-                    ssl_certificate_key_line,
-                    proxy_redirect_directive,
-                ) = if lan_port_config.ssl {
-                    // these have already been written by the net controller
-                    let package_path = nginx_root.join(format!("ssl/{}", package));
-                    if tokio::fs::metadata(&package_path).await.is_err() {
-                        tokio::fs::create_dir_all(&package_path)
-                            .await
-                            .with_ctx(|_| {
-                                (ErrorKind::Filesystem, package_path.display().to_string())
-                            })?;
-                    }
-                    let ssl_path_key = package_path.join(format!("{}.key.pem", id));
-                    let ssl_path_cert = package_path.join(format!("{}.cert.pem", id));
-                    let (key, chain) = ssl_manager
-                        .certificate_for(&meta.dns_base, &package)
-                        .await?;
-                    tokio::try_join!(
-                        crate::net::ssl::export_key(&key, &ssl_path_key),
-                        crate::net::ssl::export_cert(&chain, &ssl_path_cert)
-                    )?;
-                    (
-                        format!("{} ssl", port.0),
-                        format!("ssl_certificate {};", ssl_path_cert.to_str().unwrap()),
-                        format!("ssl_certificate_key {};", ssl_path_key.to_str().unwrap()),
-                        format!("proxy_redirect http://$host/ https://$host/;"),
-                    )
-                } else {
-                    (
-                        format!("{}", port.0),
-                        String::from(""),
-                        String::from(""),
-                        String::from(""),
-                    )
-                };
-                // write nginx configs
-                let nginx_conf_path = nginx_root.join(format!(
-                    "sites-available/{}_{}_{}.conf",
-                    package, id, port.0
-                ));
-                tokio::fs::write(
-                    &nginx_conf_path,
-                    format!(
-                        include_str!("nginx.conf.template"),
-                        listen_args = listen_args,
-                        listen_args_ipv6 = listen_args,
-                        hostname = meta.dns_base,
-                        ssl_certificate_line = ssl_certificate_line,
-                        ssl_certificate_key_line = ssl_certificate_key_line,
-                        app_ip = ipv4,
-                        internal_port = lan_port_config.internal,
-                        proxy_redirect_directive = proxy_redirect_directive,
-                    ),
-                )
-                .await
-                .with_ctx(|_| (ErrorKind::Filesystem, nginx_conf_path.display().to_string()))?;
-                let sites_enabled_link_path =
-                    nginx_root.join(format!("sites-enabled/{}_{}_{}.conf", package, id, port.0));
-                if tokio::fs::metadata(&sites_enabled_link_path).await.is_ok() {
-                    tokio::fs::remove_file(&sites_enabled_link_path).await?;
-                }
-                tokio::fs::symlink(&nginx_conf_path, &sites_enabled_link_path)
-                    .await
-                    .with_ctx(|_| (ErrorKind::Filesystem, nginx_conf_path.display().to_string()))?;
-            }
-        }
-        match self.interfaces.get_mut(&package) {
-            None => {
-                let info = PackageNetInfo {
-                    interfaces: interface_map,
-                };
-                self.interfaces.insert(package, info);
-            }
-            Some(p) => {
-                p.interfaces.extend(interface_map);
-            }
-        };
-
-        self.hup().await?;
-        Ok(())
-    }
-
-    #[instrument(skip(self))]
-    async fn remove(&mut self, nginx_root: &Path, package: &PackageId) -> Result<(), Error> {
-        let removed = self.interfaces.remove(package);
-        if let Some(net_info) = removed {
-            for (id, meta) in net_info.interfaces {
-                for (port, _lan_port_config) in meta.lan_config.iter() {
-                    // remove ssl certificates and nginx configs
-                    let package_path = nginx_root.join(format!("ssl/{}", package));
-                    let enabled_path = nginx_root
-                        .join(format!("sites-enabled/{}_{}_{}.conf", package, id, port.0));
-                    let available_path = nginx_root.join(format!(
-                        "sites-available/{}_{}_{}.conf",
-                        package, id, port.0
-                    ));
-                    let _ = tokio::try_join!(
-                        async {
-                            if tokio::fs::metadata(&package_path).await.is_ok() {
-                                tokio::fs::remove_dir_all(&package_path)
-                                    .map(|res| {
-                                        res.with_ctx(|_| {
-                                            (
-                                                ErrorKind::Filesystem,
-                                                package_path.display().to_string(),
-                                            )
-                                        })
-                                    })
-                                    .await?;
-                                Ok(())
-                            } else {
-                                Ok(())
-                            }
-                        },
-                        tokio::fs::remove_file(&enabled_path).map(|res| res.with_ctx(|_| (
-                            ErrorKind::Filesystem,
-                            enabled_path.display().to_string()
-                        ))),
-                        tokio::fs::remove_file(&available_path).map(|res| res.with_ctx(|_| (
-                            ErrorKind::Filesystem,
-                            available_path.display().to_string()
-                        ))),
-                    )?;
-                }
-            }
-        }
-        self.hup().await?;
-        Ok(())
-    }
-
-    #[instrument(skip(self))]
-    async fn hup(&self) -> Result<(), Error> {
-        let _ = tokio::process::Command::new("systemctl")
-            .arg("reload")
-            .arg("nginx")
-            .invoke(ErrorKind::Nginx)
-            .await?;
-        Ok(())
-    }
-}
-struct PackageNetInfo {
-    interfaces: BTreeMap<InterfaceId, InterfaceMetadata>,
-}
-pub struct InterfaceMetadata {
-    pub dns_base: String,
-    pub lan_config: BTreeMap<Port, LanPortConfig>,
-    pub protocols: IndexSet<String>,
-}
--- a/backend/src/net/ssl.rs
+++ b/backend/src/net/ssl.rs
@@ -1,7 +1,9 @@
 use std::cmp::Ordering;
+use std::collections::{BTreeMap, BTreeSet};
+use std::net::IpAddr;
 use std::path::Path;
+use std::time::{SystemTime, UNIX_EPOCH};

-use color_eyre::eyre::eyre;
 use futures::FutureExt;
 use openssl::asn1::{Asn1Integer, Asn1Time};
 use openssl::bn::{BigNum, MsbOption};
@@ -11,147 +13,109 @@ use openssl::nid::Nid;
 use openssl::pkey::{PKey, Private};
 use openssl::x509::{X509Builder, X509Extension, X509NameBuilder, X509};
 use openssl::*;
-use patch_db::DbHandle;
-use sqlx::PgPool;
-use tokio::process::Command;
-use tokio::sync::Mutex;
+use tokio::sync::{Mutex, RwLock};
 use tracing::instrument;

-use crate::s9pk::manifest::PackageId;
-use crate::util::Invoke;
+use crate::account::AccountInfo;
+use crate::hostname::Hostname;
+use crate::net::dhcp::ips;
+use crate::net::keys::{Key, KeyInfo};
 use crate::{Error, ErrorKind, ResultExt};

 static CERTIFICATE_VERSION: i32 = 2; // X509 version 3 is actually encoded as '2' in the cert because fuck you.
-pub const ROOT_CA_STATIC_PATH: &str = "/var/lib/embassy/ssl/root-ca.crt";
+
+#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
+pub struct CertPair {
+    pub ed25519: X509,
+    pub nistp256: X509,
+}
+impl CertPair {
+    fn updated(
+        pair: Option<&Self>,
+        hostname: &Hostname,
+        signer: (&PKey<Private>, &X509),
+        applicant: &Key,
+        ip: BTreeSet<IpAddr>,
+    ) -> Result<(Self, bool), Error> {
+        let mut updated = false;
+        let mut updated_cert = |cert: Option<&X509>, osk: PKey<Private>| -> Result<X509, Error> {
+            let mut ips = BTreeSet::new();
+            if let Some(cert) = cert {
+                ips.extend(
+                    cert.subject_alt_names()
+                        .iter()
+                        .flatten()
+                        .filter_map(|a| a.ipaddress())
+                        .filter_map(|a| match a.len() {
+                            4 => Some::<IpAddr>(<[u8; 4]>::try_from(a).unwrap().into()),
+                            16 => Some::<IpAddr>(<[u8; 16]>::try_from(a).unwrap().into()),
+                            _ => None,
+                        }),
+                );
+                if cert
+                    .not_after()
+                    .compare(Asn1Time::days_from_now(30)?.as_ref())?
+                    == Ordering::Greater
+                    && ips.is_superset(&ip)
+                {
+                    return Ok(cert.clone());
+                }
+            }
+            ips.extend(ip.iter().copied());
+            updated = true;
+            make_leaf_cert(signer, (&osk, &SANInfo::new(&applicant, hostname, ips)))
+        };
+        Ok((
+            Self {
+                ed25519: updated_cert(pair.map(|c| &c.ed25519), applicant.openssl_key_ed25519())?,
+                nistp256: updated_cert(
+                    pair.map(|c| &c.nistp256),
+                    applicant.openssl_key_nistp256(),
+                )?,
+            },
+            updated,
+        ))
+    }
+}

 #[derive(Debug)]
 pub struct SslManager {
-    store: SslStore,
+    hostname: Hostname,
    root_cert: X509,
    int_key: PKey<Private>,
    int_cert: X509,
+    cert_cache: RwLock<BTreeMap<Key, CertPair>>,
 }
+impl SslManager {
+    pub fn new(account: &AccountInfo) -> Result<Self, Error> {
+        let int_key = generate_key()?;
+        let int_cert = make_int_cert((&account.root_ca_key, &account.root_ca_cert), &int_key)?;
+        Ok(Self {
+            hostname: account.hostname.clone(),
+            root_cert: account.root_ca_cert.clone(),
+            int_key,
+            int_cert,
+            cert_cache: RwLock::new(BTreeMap::new()),
+        })
+    }
+    pub async fn with_certs(&self, key: Key, ip: IpAddr) -> Result<KeyInfo, Error> {
+        let mut ips = ips().await?;
+        ips.insert(ip);
+        let (pair, updated) = CertPair::updated(
+            self.cert_cache.read().await.get(&key),
+            &self.hostname,
+            (&self.int_key, &self.int_cert),
+            &key,
+            ips,
+        )?;
+        if updated {
+            self.cert_cache
+                .write()
+                .await
+                .insert(key.clone(), pair.clone());
+        }

-#[derive(Debug)]
-struct SslStore {
-    secret_store: PgPool,
-}
-impl SslStore {
-    fn new(db: PgPool) -> Result<Self, Error> {
-        Ok(SslStore { secret_store: db })
-    }
-    #[instrument(skip(self))]
-    async fn save_root_certificate(&self, key: &PKey<Private>, cert: &X509) -> Result<(), Error> {
-        let key_str = String::from_utf8(key.private_key_to_pem_pkcs8()?)?;
-        let cert_str = String::from_utf8(cert.to_pem()?)?;
-        let _n = sqlx::query!("INSERT INTO certificates (id, priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES (0, $1, $2, NULL, now(), now())", key_str, cert_str).execute(&self.secret_store).await?;
-        Ok(())
-    }
-    #[instrument(skip(self))]
-    async fn load_root_certificate(&self) -> Result<Option<(PKey<Private>, X509)>, Error> {
-        let m_row =
-            sqlx::query!("SELECT priv_key_pem, certificate_pem FROM certificates WHERE id = 0;")
-                .fetch_optional(&self.secret_store)
-                .await?;
-        match m_row {
-            None => Ok(None),
-            Some(row) => {
-                let priv_key = PKey::private_key_from_pem(&row.priv_key_pem.into_bytes())?;
-                let certificate = X509::from_pem(&row.certificate_pem.into_bytes())?;
-                Ok(Some((priv_key, certificate)))
-            }
-        }
-    }
-    #[instrument(skip(self))]
-    async fn save_intermediate_certificate(
-        &self,
-        key: &PKey<Private>,
-        cert: &X509,
-    ) -> Result<(), Error> {
-        let key_str = String::from_utf8(key.private_key_to_pem_pkcs8()?)?;
-        let cert_str = String::from_utf8(cert.to_pem()?)?;
-        let _n = sqlx::query!("INSERT INTO certificates (id, priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES (1, $1, $2, NULL, now(), now())", key_str, cert_str).execute(&self.secret_store).await?;
-        Ok(())
-    }
-    async fn load_intermediate_certificate(&self) -> Result<Option<(PKey<Private>, X509)>, Error> {
-        let m_row =
-            sqlx::query!("SELECT priv_key_pem, certificate_pem FROM certificates WHERE id = 1;")
-                .fetch_optional(&self.secret_store)
-                .await?;
-        match m_row {
-            None => Ok(None),
-            Some(row) => {
-                let priv_key = PKey::private_key_from_pem(&row.priv_key_pem.into_bytes())?;
-                let certificate = X509::from_pem(&row.certificate_pem.into_bytes())?;
-                Ok(Some((priv_key, certificate)))
-            }
-        }
-    }
-    #[instrument(skip(self))]
-    async fn import_root_certificate(
-        &self,
-        root_key: &PKey<Private>,
-        root_cert: &X509,
-    ) -> Result<(), Error> {
-        // remove records for both root and intermediate CA
-        sqlx::query!("DELETE FROM certificates WHERE id = 0 OR id = 1;")
-            .execute(&self.secret_store)
-            .await?;
-        self.save_root_certificate(root_key, root_cert).await?;
-        Ok(())
-    }
-    #[instrument(skip(self))]
-    async fn save_certificate(
-        &self,
-        key: &PKey<Private>,
-        cert: &X509,
-        lookup_string: &str,
-    ) -> Result<(), Error> {
-        let key_str = String::from_utf8(key.private_key_to_pem_pkcs8()?)?;
-        let cert_str = String::from_utf8(cert.to_pem()?)?;
-        let _n = sqlx::query!("INSERT INTO certificates (priv_key_pem, certificate_pem, lookup_string, created_at, updated_at) VALUES ($1, $2, $3, now(), now())", key_str, cert_str, lookup_string).execute(&self.secret_store).await?;
-        Ok(())
-    }
-    async fn load_certificate(
-        &self,
-        lookup_string: &str,
-    ) -> Result<Option<(PKey<Private>, X509)>, Error> {
-        let m_row = sqlx::query!(
-            "SELECT priv_key_pem, certificate_pem FROM certificates WHERE lookup_string = $1",
-            lookup_string
-        )
-        .fetch_optional(&self.secret_store)
-        .await?;
-        match m_row {
-            None => Ok(None),
-            Some(row) => {
-                let priv_key = PKey::private_key_from_pem(&row.priv_key_pem.into_bytes())?;
-                let certificate = X509::from_pem(&row.certificate_pem.into_bytes())?;
-                Ok(Some((priv_key, certificate)))
-            }
-        }
-    }
-    #[instrument(skip(self))]
-    async fn update_certificate(
-        &self,
-        key: &PKey<Private>,
-        cert: &X509,
-        lookup_string: &str,
-    ) -> Result<(), Error> {
-        let key_str = String::from_utf8(key.private_key_to_pem_pkcs8()?)?;
-        let cert_str = String::from_utf8(cert.to_pem()?)?;
-        let n = sqlx::query!("UPDATE certificates SET priv_key_pem = $1, certificate_pem = $2, updated_at = now() WHERE lookup_string = $3", key_str, cert_str, lookup_string)
-            .execute(&self.secret_store).await?;
-        if n.rows_affected() == 0 {
-            return Err(Error::new(
-                eyre!(
-                    "Attempted to update non-existent certificate: {}",
-                    lookup_string
-                ),
-                ErrorKind::OpenSsl,
-            ));
-        }
-        Ok(())
+        Ok(key.with_certs(pair, self.int_cert.clone(), self.root_cert.clone()))
    }
 }

@@ -161,149 +125,13 @@ lazy_static::lazy_static! {
    static ref SSL_MUTEX: Mutex<()> = Mutex::new(()); // TODO: make thread safe
 }

-impl SslManager {
-    #[instrument(skip(db, handle))]
-    pub async fn init<Db: DbHandle>(db: PgPool, handle: &mut Db) -> Result<Self, Error> {
-        let store = SslStore::new(db)?;
-        let id = crate::hostname::get_id(handle).await?;
-        let (root_key, root_cert) = match store.load_root_certificate().await? {
-            None => {
-                let root_key = generate_key()?;
-                let server_id = id;
-                let root_cert = make_root_cert(&root_key, &server_id)?;
-                store.save_root_certificate(&root_key, &root_cert).await?;
-                Ok::<_, Error>((root_key, root_cert))
-            }
-            Some((key, cert)) => Ok((key, cert)),
-        }?;
-        // generate static file for download, this will get blown up on embassy restart so it's good to write it on
-        // every ssl manager init
-        tokio::fs::create_dir_all(
-            Path::new(ROOT_CA_STATIC_PATH)
-                .parent()
-                .unwrap_or(Path::new("/")),
-        )
-        .await?;
-        tokio::fs::write(ROOT_CA_STATIC_PATH, root_cert.to_pem()?).await?;
-
-        // write to ca cert store
-        tokio::fs::write(
-            "/usr/local/share/ca-certificates/embassy-root-ca.crt",
-            root_cert.to_pem()?,
-        )
-        .await?;
-        Command::new("update-ca-certificates")
-            .invoke(crate::ErrorKind::OpenSsl)
-            .await?;
-
-        let (int_key, int_cert) = match store.load_intermediate_certificate().await? {
-            None => {
-                let int_key = generate_key()?;
-                let int_cert = make_int_cert((&root_key, &root_cert), &int_key)?;
-                store
-                    .save_intermediate_certificate(&int_key, &int_cert)
-                    .await?;
-                Ok::<_, Error>((int_key, int_cert))
-            }
-            Some((key, cert)) => Ok((key, cert)),
-        }?;
-
-        sqlx::query!("SELECT setval('certificates_id_seq', GREATEST(MAX(id) + 1, nextval('certificates_id_seq') - 1)) FROM certificates")
-            .fetch_one(&store.secret_store).await?;
-
-        Ok(SslManager {
-            store,
-            root_cert,
-            int_key,
-            int_cert,
-        })
-    }
-
-    // TODO: currently the burden of proof is on the caller to ensure that all of the arguments to this function are
-    // consistent. The following properties are assumed and not verified:
-    // 1. `root_cert` is self-signed and contains the public key that matches the private key `root_key`
-    // 2. certificate is not past its expiration date
-    // Warning: If this function ever fails, you must either call it again or regenerate your certificates from scratch
-    // since it is possible for it to fail after successfully saving the root certificate but before successfully saving
-    // the intermediate certificate
-    #[instrument(skip(db))]
-    pub async fn import_root_ca(
-        db: PgPool,
-        root_key: PKey<Private>,
-        root_cert: X509,
-    ) -> Result<Self, Error> {
-        let store = SslStore::new(db)?;
-        store.import_root_certificate(&root_key, &root_cert).await?;
-        let int_key = generate_key()?;
-        let int_cert = make_int_cert((&root_key, &root_cert), &int_key)?;
-        store
-            .save_intermediate_certificate(&int_key, &int_cert)
-            .await?;
-        Ok(SslManager {
-            store,
-            root_cert,
-            int_key,
-            int_cert,
-        })
-    }
-
-    #[instrument(skip(self))]
-    pub async fn export_root_ca(&self) -> Result<(PKey<Private>, X509), Error> {
-        match self.store.load_root_certificate().await? {
-            None => Err(Error::new(
-                eyre!("Failed to export root certificate: root certificate has not been generated"),
-                ErrorKind::OpenSsl,
-            )),
-            Some(a) => Ok(a),
-        }
-    }
-
-    #[instrument(skip(self))]
-    pub async fn certificate_for(
-        &self,
-        dns_base: &str,
-        package_id: &PackageId,
-    ) -> Result<(PKey<Private>, Vec<X509>), Error> {
-        let (key, cert) = match self.store.load_certificate(dns_base).await? {
-            None => {
-                let key = generate_key()?;
-                let cert = make_leaf_cert(
-                    (&self.int_key, &self.int_cert),
-                    (&key, dns_base, package_id),
-                )?;
-                self.store.save_certificate(&key, &cert, dns_base).await?;
-                Ok::<_, Error>((key, cert))
-            }
-            Some((key, cert)) => {
-                let window_end = Asn1Time::days_from_now(30)?;
-                let expiration = cert.not_after();
-                if expiration.compare(&window_end)? == Ordering::Less {
-                    let key = generate_key()?;
-                    let cert = make_leaf_cert(
-                        (&self.int_key, &self.int_cert),
-                        (&key, dns_base, package_id),
-                    )?;
-                    self.store.update_certificate(&key, &cert, dns_base).await?;
-                    Ok((key, cert))
-                } else {
-                    Ok((key, cert))
-                }
-            }
-        }?;
-        Ok((
-            key,
-            vec![cert, self.int_cert.clone(), self.root_cert.clone()],
-        ))
-    }
-}
-
 pub async fn export_key(key: &PKey<Private>, target: &Path) -> Result<(), Error> {
    tokio::fs::write(target, key.private_key_to_pem_pkcs8()?)
        .map(|res| res.with_ctx(|_| (ErrorKind::Filesystem, target.display().to_string())))
        .await?;
    Ok(())
 }
-pub async fn export_cert(chain: &Vec<X509>, target: &Path) -> Result<(), Error> {
+pub async fn export_cert(chain: &[&X509], target: &Path) -> Result<(), Error> {
    tokio::fs::write(
        target,
        chain
@@ -314,6 +142,7 @@ pub async fn export_cert(chain: &Vec<X509>, target: &Path) -> Result<(), Error>
    .await?;
    Ok(())
 }
+
 #[instrument]
 fn rand_serial() -> Result<Asn1Integer, Error> {
    let mut bn = BigNum::new()?;
@@ -322,13 +151,14 @@ fn rand_serial() -> Result<Asn1Integer, Error> {
    Ok(asn1)
 }
 #[instrument]
-fn generate_key() -> Result<PKey<Private>, Error> {
+pub fn generate_key() -> Result<PKey<Private>, Error> {
    let new_key = EcKey::generate(EC_GROUP.as_ref())?;
    let key = PKey::from_ec_key(new_key)?;
    Ok(key)
 }
+
 #[instrument]
-fn make_root_cert(root_key: &PKey<Private>, server_id: &str) -> Result<X509, Error> {
+pub fn make_root_cert(root_key: &PKey<Private>, hostname: &Hostname) -> Result<X509, Error> {
    let mut builder = X509Builder::new()?;
    builder.set_version(CERTIFICATE_VERSION)?;

@@ -341,8 +171,7 @@ fn make_root_cert(root_key: &PKey<Private>, server_id: &str) -> Result<X509, Err
    builder.set_serial_number(&*rand_serial()?)?;

    let mut subject_name_builder = X509NameBuilder::new()?;
-    subject_name_builder
-        .append_entry_by_text("CN", &format!("Embassy Local Root CA ({})", server_id))?;
+    subject_name_builder.append_entry_by_text("CN", &format!("{} Local Root CA", &*hostname.0))?;
    subject_name_builder.append_entry_by_text("O", "Start9")?;
    subject_name_builder.append_entry_by_text("OU", "Embassy")?;
    let subject_name = subject_name_builder.build();
@@ -380,7 +209,7 @@ fn make_root_cert(root_key: &PKey<Private>, server_id: &str) -> Result<X509, Err
    Ok(cert)
 }
 #[instrument]
-fn make_int_cert(
+pub fn make_int_cert(
    signer: (&PKey<Private>, &X509),
    applicant: &PKey<Private>,
 ) -> Result<X509, Error> {
@@ -441,15 +270,86 @@ fn make_int_cert(
    Ok(cert)
 }

+#[derive(Debug, PartialEq, Eq, PartialOrd, Ord)]
+pub enum MaybeWildcard {
+    WithWildcard(String),
+    WithoutWildcard(String),
+}
+impl MaybeWildcard {
+    pub fn as_str(&self) -> &str {
+        match self {
+            MaybeWildcard::WithWildcard(s) => s.as_str(),
+            MaybeWildcard::WithoutWildcard(s) => s.as_str(),
+        }
+    }
+}
+impl std::fmt::Display for MaybeWildcard {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            MaybeWildcard::WithWildcard(dns) => write!(f, "DNS:{dns},DNS:*.{dns}"),
+            MaybeWildcard::WithoutWildcard(dns) => write!(f, "DNS:{dns}"),
+        }
+    }
+}
+
+#[derive(Debug)]
+pub struct SANInfo {
+    pub dns: BTreeSet<MaybeWildcard>,
+    pub ips: BTreeSet<IpAddr>,
+}
+impl SANInfo {
+    pub fn new(key: &Key, hostname: &Hostname, ips: BTreeSet<IpAddr>) -> Self {
+        let mut dns = BTreeSet::new();
+        if let Some((id, _)) = key.interface() {
+            dns.insert(MaybeWildcard::WithWildcard(format!("{id}.embassy")));
+            dns.insert(MaybeWildcard::WithWildcard(key.local_address().to_string()));
+        } else {
+            dns.insert(MaybeWildcard::WithoutWildcard("embassy".to_owned()));
+            dns.insert(MaybeWildcard::WithWildcard(hostname.local_domain_name()));
+            dns.insert(MaybeWildcard::WithoutWildcard(hostname.no_dot_host_name()));
+            dns.insert(MaybeWildcard::WithoutWildcard("localhost".to_owned()));
+        }
+        dns.insert(MaybeWildcard::WithWildcard(key.tor_address().to_string()));
+        Self { dns, ips }
+    }
+}
+impl std::fmt::Display for SANInfo {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut written = false;
+        for dns in &self.dns {
+            if written {
+                write!(f, ",")?;
+            }
+            written = true;
+            write!(f, "{dns}")?;
+        }
+        for ip in &self.ips {
+            if written {
+                write!(f, ",")?;
+            }
+            written = true;
+            write!(f, "IP:{ip}")?;
+        }
+        Ok(())
+    }
+}
+
 #[instrument]
-fn make_leaf_cert(
+pub fn make_leaf_cert(
    signer: (&PKey<Private>, &X509),
-    applicant: (&PKey<Private>, &str, &PackageId),
+    applicant: (&PKey<Private>, &SANInfo),
 ) -> Result<X509, Error> {
    let mut builder = X509Builder::new()?;
    builder.set_version(CERTIFICATE_VERSION)?;

-    let embargo = Asn1Time::days_from_now(0)?;
+    let embargo = Asn1Time::from_unix(
+        SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .map(|d| d.as_secs() as i64)
+            .or_else(|_| UNIX_EPOCH.elapsed().map(|d| -(d.as_secs() as i64)))
+            .unwrap_or_default()
+            - 86400,
+    )?;
    builder.set_not_before(&embargo)?;

    // Google Apple and Mozilla reject certificate horizons longer than 397 days
@@ -460,7 +360,15 @@ fn make_leaf_cert(
    builder.set_serial_number(&*rand_serial()?)?;

    let mut subject_name_builder = X509NameBuilder::new()?;
-    subject_name_builder.append_entry_by_text("CN", &format!("{}.local", &applicant.1))?;
+    subject_name_builder.append_entry_by_text(
+        "CN",
+        applicant
+            .1
+            .dns
+            .first()
+            .map(MaybeWildcard::as_str)
+            .unwrap_or("localhost"),
+    )?;
    subject_name_builder.append_entry_by_text("O", "Start9")?;
    subject_name_builder.append_entry_by_text("OU", "Embassy")?;
    let subject_name = subject_name_builder.build();
@@ -492,15 +400,9 @@ fn make_leaf_cert(
        "critical,digitalSignature,keyEncipherment",
    )?;

-    let subject_alt_name = X509Extension::new_nid(
-        Some(&cfg),
-        Some(&ctx),
-        Nid::SUBJECT_ALT_NAME,
-        &format!(
-            "DNS:{}.local,DNS:*.{}.local,DNS:{}.onion,DNS:*.{}.onion,DNS:{}.embassy,DNS:*.{}.embassy",
-            &applicant.1, &applicant.1, &applicant.1, &applicant.1, &applicant.2, &applicant.2,
-        ),
-    )?;
+    let san_string = applicant.1.to_string();
+    let subject_alt_name =
+        X509Extension::new_nid(Some(&cfg), Some(&ctx), Nid::SUBJECT_ALT_NAME, &san_string)?;
    builder.append_extension(subject_key_identifier)?;
    builder.append_extension(authority_key_identifier)?;
    builder.append_extension(subject_alt_name)?;
@@ -512,57 +414,3 @@ fn make_leaf_cert(
    let cert = builder.build();
    Ok(cert)
 }
-
-// #[tokio::test]
-// async fn ca_details_persist() -> Result<(), Error> {
-//     let pool = sqlx::Pool::<sqlx::Postgres>::connect("postgres::memory:").await?;
-//     sqlx::migrate!()
-//         .run(&pool)
-//         .await
-//         .with_kind(crate::ErrorKind::Database)?;
-//     let mgr = SslManager::init(pool.clone()).await?;
-//     let root_cert0 = mgr.root_cert;
-//     let int_key0 = mgr.int_key;
-//     let int_cert0 = mgr.int_cert;
-//     let mgr = SslManager::init(pool).await?;
-//     let root_cert1 = mgr.root_cert;
-//     let int_key1 = mgr.int_key;
-//     let int_cert1 = mgr.int_cert;
-// 
-//     assert_eq!(root_cert0.to_pem()?, root_cert1.to_pem()?);
-//     assert_eq!(
-//         int_key0.private_key_to_pem_pkcs8()?,
-//         int_key1.private_key_to_pem_pkcs8()?
-//     );
-//     assert_eq!(int_cert0.to_pem()?, int_cert1.to_pem()?);
-//     Ok(())
-// }
-// 
-// #[tokio::test]
-// async fn certificate_details_persist() -> Result<(), Error> {
-//     let pool = sqlx::Pool::<sqlx::Postgres>::connect("postgres::memory:").await?;
-//     sqlx::migrate!()
-//         .run(&pool)
-//         .await
-//         .with_kind(crate::ErrorKind::Database)?;
-//     let mgr = SslManager::init(pool.clone()).await?;
-//     let package_id = "bitcoind".parse().unwrap();
-//     let (key0, cert_chain0) = mgr.certificate_for("start9", &package_id).await?;
-//     let (key1, cert_chain1) = mgr.certificate_for("start9", &package_id).await?;
-// 
-//     assert_eq!(
-//         key0.private_key_to_pem_pkcs8()?,
-//         key1.private_key_to_pem_pkcs8()?
-//     );
-//     assert_eq!(
-//         cert_chain0
-//             .iter()
-//             .map(|cert| cert.to_pem().unwrap())
-//             .collect::<Vec<Vec<u8>>>(),
-//         cert_chain1
-//             .iter()
-//             .map(|cert| cert.to_pem().unwrap())
-//             .collect::<Vec<Vec<u8>>>()
-//     );
-//     Ok(())
-// }
--- a/backend/src/net/static_server.rs
+++ b/backend/src/net/static_server.rs
@@ -0,0 +1,526 @@
+use std::fs::Metadata;
+use std::path::Path;
+use std::sync::Arc;
+use std::time::UNIX_EPOCH;
+
+use async_compression::tokio::bufread::BrotliEncoder;
+use async_compression::tokio::bufread::GzipEncoder;
+use color_eyre::eyre::eyre;
+use digest::Digest;
+use futures::FutureExt;
+use http::header::ACCEPT_ENCODING;
+use http::header::CONTENT_ENCODING;
+use http::request::Parts as RequestParts;
+use http::response::Builder;
+use hyper::{Body, Method, Request, Response, StatusCode};
+use openssl::hash::MessageDigest;
+use openssl::x509::X509;
+use rpc_toolkit::rpc_handler;
+use tokio::fs::File;
+use tokio::io::BufReader;
+use tokio_util::io::ReaderStream;
+
+use crate::context::{DiagnosticContext, InstallContext, RpcContext, SetupContext};
+use crate::core::rpc_continuations::RequestGuid;
+use crate::db::subscribe;
+use crate::install::PKG_PUBLIC_DIR;
+use crate::middleware::auth::{auth as auth_middleware, HasValidSession};
+use crate::middleware::cors::cors;
+use crate::middleware::db::db as db_middleware;
+use crate::middleware::diagnostic::diagnostic as diagnostic_middleware;
+use crate::net::HttpHandler;
+use crate::{diagnostic_api, install_api, main_api, setup_api, Error, ErrorKind, ResultExt};
+
+static NOT_FOUND: &[u8] = b"Not Found";
+static METHOD_NOT_ALLOWED: &[u8] = b"Method Not Allowed";
+static NOT_AUTHORIZED: &[u8] = b"Not Authorized";
+
+pub const MAIN_UI_WWW_DIR: &str = "/var/www/html/main";
+pub const SETUP_UI_WWW_DIR: &str = "/var/www/html/setup";
+pub const DIAG_UI_WWW_DIR: &str = "/var/www/html/diagnostic";
+pub const INSTALL_UI_WWW_DIR: &str = "/var/www/html/install";
+
+fn status_fn(_: i32) -> StatusCode {
+    StatusCode::OK
+}
+
+#[derive(Clone)]
+pub enum UiMode {
+    Setup,
+    Diag,
+    Install,
+    Main,
+}
+
+pub async fn setup_ui_file_router(ctx: SetupContext) -> Result<HttpHandler, Error> {
+    let handler: HttpHandler = Arc::new(move |req| {
+        let ctx = ctx.clone();
+
+        let ui_mode = UiMode::Setup;
+        async move {
+            let res = match req.uri().path() {
+                path if path.starts_with("/rpc/") => {
+                    let rpc_handler = rpc_handler!({
+                        command: setup_api,
+                        context: ctx,
+                        status: status_fn,
+                        middleware: [
+                            cors,
+                        ]
+                    });
+
+                    rpc_handler(req)
+                        .await
+                        .map_err(|err| Error::new(eyre!("{}", err), crate::ErrorKind::Network))
+                }
+                _ => alt_ui(req, ui_mode).await,
+            };
+
+            match res {
+                Ok(data) => Ok(data),
+                Err(err) => Ok(server_error(err)),
+            }
+        }
+        .boxed()
+    });
+
+    Ok(handler)
+}
+
+pub async fn diag_ui_file_router(ctx: DiagnosticContext) -> Result<HttpHandler, Error> {
+    let handler: HttpHandler = Arc::new(move |req| {
+        let ctx = ctx.clone();
+        let ui_mode = UiMode::Diag;
+        async move {
+            let res = match req.uri().path() {
+                path if path.starts_with("/rpc/") => {
+                    let rpc_handler = rpc_handler!({
+                        command: diagnostic_api,
+                        context: ctx,
+                        status: status_fn,
+                        middleware: [
+                            cors,
+                            diagnostic_middleware,
+                        ]
+                    });
+
+                    rpc_handler(req)
+                        .await
+                        .map_err(|err| Error::new(eyre!("{}", err), crate::ErrorKind::Network))
+                }
+                _ => alt_ui(req, ui_mode).await,
+            };
+
+            match res {
+                Ok(data) => Ok(data),
+                Err(err) => Ok(server_error(err)),
+            }
+        }
+        .boxed()
+    });
+
+    Ok(handler)
+}
+
+pub async fn install_ui_file_router(ctx: InstallContext) -> Result<HttpHandler, Error> {
+    let handler: HttpHandler = Arc::new(move |req| {
+        let ctx = ctx.clone();
+        let ui_mode = UiMode::Install;
+        async move {
+            let res = match req.uri().path() {
+                path if path.starts_with("/rpc/") => {
+                    let rpc_handler = rpc_handler!({
+                        command: install_api,
+                        context: ctx,
+                        status: status_fn,
+                        middleware: [
+                            cors,
+                        ]
+                    });
+
+                    rpc_handler(req)
+                        .await
+                        .map_err(|err| Error::new(eyre!("{}", err), crate::ErrorKind::Network))
+                }
+                _ => alt_ui(req, ui_mode).await,
+            };
+
+            match res {
+                Ok(data) => Ok(data),
+                Err(err) => Ok(server_error(err)),
+            }
+        }
+        .boxed()
+    });
+
+    Ok(handler)
+}
+
+pub async fn main_ui_server_router(ctx: RpcContext) -> Result<HttpHandler, Error> {
+    let handler: HttpHandler = Arc::new(move |req| {
+        let ctx = ctx.clone();
+
+        async move {
+            let res = match req.uri().path() {
+                path if path.starts_with("/rpc/") => {
+                    let auth_middleware = auth_middleware(ctx.clone());
+                    let db_middleware = db_middleware(ctx.clone());
+                    let rpc_handler = rpc_handler!({
+                        command: main_api,
+                        context: ctx,
+                        status: status_fn,
+                        middleware: [
+                            cors,
+                            auth_middleware,
+                            db_middleware,
+                        ]
+                    });
+
+                    rpc_handler(req)
+                        .await
+                        .map_err(|err| Error::new(eyre!("{}", err), crate::ErrorKind::Network))
+                }
+                "/ws/db" => subscribe(ctx, req).await,
+                path if path.starts_with("/ws/rpc/") => {
+                    match RequestGuid::from(path.strip_prefix("/ws/rpc/").unwrap()) {
+                        None => {
+                            tracing::debug!("No Guid Path");
+                            Ok::<_, Error>(bad_request())
+                        }
+                        Some(guid) => match ctx.get_ws_continuation_handler(&guid).await {
+                            Some(cont) => match cont(req).await {
+                                Ok::<_, Error>(r) => Ok::<_, Error>(r),
+                                Err(err) => Ok::<_, Error>(server_error(err)),
+                            },
+                            _ => Ok::<_, Error>(not_found()),
+                        },
+                    }
+                }
+                path if path.starts_with("/rest/rpc/") => {
+                    match RequestGuid::from(path.strip_prefix("/rest/rpc/").unwrap()) {
+                        None => {
+                            tracing::debug!("No Guid Path");
+                            Ok::<_, Error>(bad_request())
+                        }
+                        Some(guid) => match ctx.get_rest_continuation_handler(&guid).await {
+                            None => Ok::<_, Error>(not_found()),
+                            Some(cont) => match cont(req).await {
+                                Ok::<_, Error>(r) => Ok::<_, Error>(r),
+                                Err(e) => Ok::<_, Error>(server_error(e)),
+                            },
+                        },
+                    }
+                }
+                _ => main_embassy_ui(req, ctx).await,
+            };
+
+            match res {
+                Ok(data) => Ok(data),
+                Err(err) => Ok(server_error(err)),
+            }
+        }
+        .boxed()
+    });
+
+    Ok(handler)
+}
+
+async fn alt_ui(req: Request<Body>, ui_mode: UiMode) -> Result<Response<Body>, Error> {
+    let selected_root_dir = match ui_mode {
+        UiMode::Setup => SETUP_UI_WWW_DIR,
+        UiMode::Diag => DIAG_UI_WWW_DIR,
+        UiMode::Install => INSTALL_UI_WWW_DIR,
+        UiMode::Main => MAIN_UI_WWW_DIR,
+    };
+
+    let (request_parts, _body) = req.into_parts();
+    let accept_encoding = request_parts
+        .headers
+        .get_all(ACCEPT_ENCODING)
+        .into_iter()
+        .filter_map(|h| h.to_str().ok())
+        .flat_map(|s| s.split(","))
+        .filter_map(|s| s.split(";").next())
+        .map(|s| s.trim())
+        .collect::<Vec<_>>();
+    match &request_parts.method {
+        &Method::GET => {
+            let uri_path = request_parts
+                .uri
+                .path()
+                .strip_prefix('/')
+                .unwrap_or(request_parts.uri.path());
+
+            let full_path = Path::new(selected_root_dir).join(uri_path);
+            file_send(
+                &request_parts,
+                if tokio::fs::metadata(&full_path)
+                    .await
+                    .ok()
+                    .map(|f| f.is_file())
+                    .unwrap_or(false)
+                {
+                    full_path
+                } else {
+                    Path::new(selected_root_dir).join("index.html")
+                },
+                &accept_encoding,
+            )
+            .await
+        }
+        _ => Ok(method_not_allowed()),
+    }
+}
+
+async fn main_embassy_ui(req: Request<Body>, ctx: RpcContext) -> Result<Response<Body>, Error> {
+    let selected_root_dir = MAIN_UI_WWW_DIR;
+
+    let (request_parts, _body) = req.into_parts();
+    let accept_encoding = request_parts
+        .headers
+        .get_all(ACCEPT_ENCODING)
+        .into_iter()
+        .filter_map(|h| h.to_str().ok())
+        .flat_map(|s| s.split(","))
+        .filter_map(|s| s.split(";").next())
+        .map(|s| s.trim())
+        .collect::<Vec<_>>();
+    match (
+        &request_parts.method,
+        request_parts
+            .uri
+            .path()
+            .strip_prefix('/')
+            .unwrap_or(request_parts.uri.path())
+            .split_once('/'),
+    ) {
+        (&Method::GET, Some(("public", path))) => {
+            match HasValidSession::from_request_parts(&request_parts, &ctx).await {
+                Ok(_) => {
+                    let sub_path = Path::new(path);
+                    if let Ok(rest) = sub_path.strip_prefix("package-data") {
+                        file_send(
+                            &request_parts,
+                            ctx.datadir.join(PKG_PUBLIC_DIR).join(rest),
+                            &accept_encoding,
+                        )
+                        .await
+                    } else if let Ok(rest) = sub_path.strip_prefix("eos") {
+                        match rest.to_str() {
+                            Some("local.crt") => cert_send(&ctx.account.read().await.root_ca_cert),
+                            None => Ok(bad_request()),
+                            _ => Ok(not_found()),
+                        }
+                    } else {
+                        Ok(not_found())
+                    }
+                }
+                Err(e) => un_authorized(e, &format!("public/{path}")),
+            }
+        }
+        (&Method::GET, Some(("eos", "local.crt"))) => {
+            match HasValidSession::from_request_parts(&request_parts, &ctx).await {
+                Ok(_) => cert_send(&ctx.account.read().await.root_ca_cert),
+                Err(e) => un_authorized(e, "eos/local.crt"),
+            }
+        }
+        (&Method::GET, _) => {
+            let uri_path = request_parts
+                .uri
+                .path()
+                .strip_prefix('/')
+                .unwrap_or(request_parts.uri.path());
+
+            let full_path = Path::new(selected_root_dir).join(uri_path);
+            file_send(
+                &request_parts,
+                if tokio::fs::metadata(&full_path)
+                    .await
+                    .ok()
+                    .map(|f| f.is_file())
+                    .unwrap_or(false)
+                {
+                    full_path
+                } else {
+                    Path::new(selected_root_dir).join("index.html")
+                },
+                &accept_encoding,
+            )
+            .await
+        }
+        _ => Ok(method_not_allowed()),
+    }
+}
+
+fn un_authorized(err: Error, path: &str) -> Result<Response<Body>, Error> {
+    tracing::warn!("unauthorized for {} @{:?}", err, path);
+    tracing::debug!("{:?}", err);
+    Ok(Response::builder()
+        .status(StatusCode::UNAUTHORIZED)
+        .body(NOT_AUTHORIZED.into())
+        .unwrap())
+}
+
+/// HTTP status code 404
+fn not_found() -> Response<Body> {
+    Response::builder()
+        .status(StatusCode::NOT_FOUND)
+        .body(NOT_FOUND.into())
+        .unwrap()
+}
+
+/// HTTP status code 405
+fn method_not_allowed() -> Response<Body> {
+    Response::builder()
+        .status(StatusCode::METHOD_NOT_ALLOWED)
+        .body(METHOD_NOT_ALLOWED.into())
+        .unwrap()
+}
+
+fn server_error(err: Error) -> Response<Body> {
+    Response::builder()
+        .status(StatusCode::INTERNAL_SERVER_ERROR)
+        .body(err.to_string().into())
+        .unwrap()
+}
+
+fn bad_request() -> Response<Body> {
+    Response::builder()
+        .status(StatusCode::BAD_REQUEST)
+        .body(Body::empty())
+        .unwrap()
+}
+
+fn cert_send(cert: &X509) -> Result<Response<Body>, Error> {
+    let pem = cert.to_pem()?;
+    Response::builder()
+        .status(StatusCode::OK)
+        .header(
+            http::header::ETAG,
+            base32::encode(
+                base32::Alphabet::RFC4648 { padding: false },
+                &*cert.digest(MessageDigest::sha256())?,
+            )
+            .to_lowercase(),
+        )
+        .header(http::header::CONTENT_TYPE, "application/x-pem-file")
+        .header(http::header::CONTENT_LENGTH, pem.len())
+        .body(Body::from(pem))
+        .with_kind(ErrorKind::Network)
+}
+
+async fn file_send(
+    req: &RequestParts,
+    path: impl AsRef<Path>,
+    accept_encoding: &[&str],
+) -> Result<Response<Body>, Error> {
+    // Serve a file by asynchronously reading it by chunks using tokio-util crate.
+
+    let path = path.as_ref();
+
+    let file = File::open(path)
+        .await
+        .with_ctx(|_| (ErrorKind::Filesystem, path.display().to_string()))?;
+    let metadata = file
+        .metadata()
+        .await
+        .with_ctx(|_| (ErrorKind::Filesystem, path.display().to_string()))?;
+
+    let e_tag = e_tag(path, &metadata)?;
+
+    let mut builder = Response::builder();
+    builder = with_content_type(path, builder);
+    builder = builder.header(http::header::ETAG, &e_tag);
+    builder = builder.header(
+        http::header::CACHE_CONTROL,
+        "public, max-age=21000000, immutable",
+    );
+
+    if req
+        .headers
+        .get_all(http::header::CONNECTION)
+        .iter()
+        .flat_map(|s| s.to_str().ok())
+        .flat_map(|s| s.split(","))
+        .any(|s| s.trim() == "keep-alive")
+    {
+        builder = builder.header(http::header::CONNECTION, "keep-alive");
+    }
+
+    if req
+        .headers
+        .get("if-none-match")
+        .and_then(|h| h.to_str().ok())
+        == Some(e_tag.as_str())
+    {
+        builder = builder.status(StatusCode::NOT_MODIFIED);
+        builder.body(Body::empty())
+    } else {
+        let body = if false && accept_encoding.contains(&"br") && metadata.len() > u16::MAX as u64 {
+            builder = builder.header(CONTENT_ENCODING, "br");
+            Body::wrap_stream(ReaderStream::new(BrotliEncoder::new(BufReader::new(file))))
+        } else if accept_encoding.contains(&"gzip") && metadata.len() > u16::MAX as u64 {
+            builder = builder.header(CONTENT_ENCODING, "gzip");
+            Body::wrap_stream(ReaderStream::new(GzipEncoder::new(BufReader::new(file))))
+        } else {
+            builder = with_content_length(&metadata, builder);
+            Body::wrap_stream(ReaderStream::new(file))
+        };
+        builder.body(body)
+    }
+    .with_kind(ErrorKind::Network)
+}
+
+fn e_tag(path: &Path, metadata: &Metadata) -> Result<String, Error> {
+    let modified = metadata.modified().with_kind(ErrorKind::Filesystem)?;
+    let mut hasher = sha2::Sha256::new();
+    hasher.update(format!("{:?}", path).as_bytes());
+    hasher.update(
+        format!(
+            "{}",
+            modified
+                .duration_since(UNIX_EPOCH)
+                .unwrap_or_default()
+                .as_secs()
+        )
+        .as_bytes(),
+    );
+    let res = hasher.finalize();
+    Ok(format!(
+        "\"{}\"",
+        base32::encode(base32::Alphabet::RFC4648 { padding: false }, res.as_slice()).to_lowercase()
+    ))
+}
+
+///https://en.wikipedia.org/wiki/Media_type
+fn with_content_type(path: &Path, builder: Builder) -> Builder {
+    let content_type = match path.extension() {
+        Some(os_str) => match os_str.to_str() {
+            Some("apng") => "image/apng",
+            Some("avif") => "image/avif",
+            Some("flif") => "image/flif",
+            Some("gif") => "image/gif",
+            Some("jpg") | Some("jpeg") | Some("jfif") | Some("pjpeg") | Some("pjp") => "image/jpeg",
+            Some("jxl") => "image/jxl",
+            Some("png") => "image/png",
+            Some("svg") => "image/svg+xml",
+            Some("webp") => "image/webp",
+            Some("mng") | Some("x-mng") => "image/x-mng",
+            Some("css") => "text/css",
+            Some("csv") => "text/csv",
+            Some("html") => "text/html",
+            Some("php") => "text/php",
+            Some("plain") | Some("md") | Some("txt") => "text/plain",
+            Some("xml") => "text/xml",
+            Some("js") => "text/javascript",
+            Some("wasm") => "application/wasm",
+            None | Some(_) => "text/plain",
+        },
+        None => "text/plain",
+    };
+    builder.header(http::header::CONTENT_TYPE, content_type)
+}
+
+fn with_content_length(metadata: &Metadata, builder: Builder) -> Builder {
+    builder.header(http::header::CONTENT_LENGTH, metadata.len())
+}
--- a/backend/src/net/tor.rs
+++ b/backend/src/net/tor.rs
@@ -1,30 +1,25 @@
 use std::collections::BTreeMap;
-use std::net::{Ipv4Addr, SocketAddr};
-use std::time::Duration;
+use std::net::SocketAddr;
+use std::sync::{Arc, Weak};

 use clap::ArgMatches;
 use color_eyre::eyre::eyre;
 use futures::future::BoxFuture;
 use futures::FutureExt;
-use reqwest::Client;
 use rpc_toolkit::command;
-use serde_json::json;
-use sqlx::{Executor, Postgres};
 use tokio::net::TcpStream;
 use tokio::sync::Mutex;
 use torut::control::{AsyncEvent, AuthenticatedConn, ConnError};
 use torut::onion::{OnionAddressV3, TorSecretKeyV3};
 use tracing::instrument;

-use super::interface::{InterfaceId, TorConfig};
 use crate::context::RpcContext;
-use crate::s9pk::manifest::PackageId;
 use crate::util::serde::{display_serializable, IoFormat};
 use crate::{Error, ErrorKind, ResultExt as _};

 #[test]
 fn random_key() {
-    println!("x'{}'", hex::encode(TorSecretKeyV3::generate().as_bytes()));
+    println!("x'{}'", hex::encode(rand::random::<[u8; 32]>()));
 }

 #[command(subcommands(list_services))]
@@ -57,68 +52,29 @@ pub async fn list_services(
    ctx.net_controller.tor.list_services().await
 }

-#[instrument(skip(secrets))]
-pub async fn os_key<Ex>(secrets: &mut Ex) -> Result<TorSecretKeyV3, Error>
-where
-    for<'a> &'a mut Ex: Executor<'a, Database = Postgres>,
-{
-    let key = sqlx::query!("SELECT tor_key FROM account")
-        .fetch_one(secrets)
-        .await?
-        .tor_key;
-
-    let mut buf = [0; 64];
-    buf.clone_from_slice(
-        key.get(0..64).ok_or_else(|| {
-            Error::new(eyre!("Invalid Tor Key Length"), crate::ErrorKind::Database)
-        })?,
-    );
-    Ok(buf.into())
-}
-
 fn event_handler(_event: AsyncEvent<'static>) -> BoxFuture<'static, Result<(), ConnError>> {
    async move { Ok(()) }.boxed()
 }

 pub struct TorController(Mutex<TorControllerInner>);
 impl TorController {
-    pub async fn init(
-        embassyd_addr: SocketAddr,
-        embassyd_tor_key: TorSecretKeyV3,
-        tor_control: SocketAddr,
-    ) -> Result<Self, Error> {
+    pub async fn init(tor_control: SocketAddr) -> Result<Self, Error> {
        Ok(TorController(Mutex::new(
-            TorControllerInner::init(embassyd_addr, embassyd_tor_key, tor_control).await?,
+            TorControllerInner::init(tor_control).await?,
        )))
    }

-    pub async fn add<I: IntoIterator<Item = (InterfaceId, TorConfig, TorSecretKeyV3)> + Clone>(
+    pub async fn add(
        &self,
-        pkg_id: &PackageId,
-        ip: Ipv4Addr,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        self.0.lock().await.add(pkg_id, ip, interfaces).await
+        key: &TorSecretKeyV3,
+        external: u16,
+        target: SocketAddr,
+    ) -> Result<Arc<()>, Error> {
+        self.0.lock().await.add(key, external, target).await
    }

-    pub async fn remove<I: IntoIterator<Item = InterfaceId> + Clone>(
-        &self,
-        pkg_id: &PackageId,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        self.0.lock().await.remove(pkg_id, interfaces).await
-    }
-
-    pub async fn replace(&self) -> Result<bool, Error> {
-        self.0.lock().await.replace().await
-    }
-
-    pub async fn embassyd_tor_key(&self) -> TorSecretKeyV3 {
-        self.0.lock().await.embassyd_tor_key.clone()
-    }
-
-    pub async fn embassyd_onion(&self) -> OnionAddressV3 {
-        self.0.lock().await.embassyd_onion()
+    pub async fn gc(&self, key: &TorSecretKeyV3, external: u16) -> Result<(), Error> {
+        self.0.lock().await.gc(key, external).await
    }

    pub async fn list_services(&self) -> Result<Vec<OnionAddressV3>, Error> {
@@ -131,92 +87,95 @@ type AuthenticatedConnection = AuthenticatedConn<
    fn(AsyncEvent<'static>) -> BoxFuture<'static, Result<(), ConnError>>,
 >;

-#[derive(Clone, Debug, PartialEq, Eq)]
-struct HiddenServiceConfig {
-    ip: Ipv4Addr,
-    cfg: TorConfig,
-}
-
 pub struct TorControllerInner {
-    embassyd_addr: SocketAddr,
-    embassyd_tor_key: TorSecretKeyV3,
    control_addr: SocketAddr,
-    connection: Option<AuthenticatedConnection>,
-    services: BTreeMap<(PackageId, InterfaceId), (TorSecretKeyV3, TorConfig, Ipv4Addr)>,
+    connection: AuthenticatedConnection,
+    services: BTreeMap<String, BTreeMap<u16, BTreeMap<SocketAddr, Weak<()>>>>,
 }
 impl TorControllerInner {
-    #[instrument(skip(self, interfaces))]
-    async fn add<'a, I: IntoIterator<Item = (InterfaceId, TorConfig, TorSecretKeyV3)>>(
+    #[instrument(skip(self))]
+    async fn add(
        &mut self,
-        pkg_id: &PackageId,
-        ip: Ipv4Addr,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        for (interface_id, tor_cfg, key) in interfaces {
-            let id = (pkg_id.clone(), interface_id);
-            match self.services.get(&id) {
-                Some(k) if k.0 != key => {
-                    self.remove(pkg_id, std::iter::once(id.1.clone())).await?;
-                }
-                Some(_) => continue,
-                None => (),
-            }
-            self.connection
-                .as_mut()
-                .ok_or_else(|| {
-                    Error::new(eyre!("Missing Tor Control Connection"), ErrorKind::Unknown)
-                })?
-                .add_onion_v3(
-                    &key,
-                    false,
-                    false,
-                    false,
-                    None,
-                    &mut tor_cfg
-                        .port_mapping
-                        .iter()
-                        .map(|(external, internal)| {
-                            (external.0, SocketAddr::from((ip, internal.0)))
-                        })
-                        .collect::<Vec<_>>()
-                        .iter(),
-                )
-                .await?;
-            self.services.insert(id, (key, tor_cfg, ip));
-        }
-        Ok(())
+        key: &TorSecretKeyV3,
+        external: u16,
+        target: SocketAddr,
+    ) -> Result<Arc<()>, Error> {
+        let mut rm_res = Ok(());
+        let onion_base = key
+            .public()
+            .get_onion_address()
+            .get_address_without_dot_onion();
+        let mut service = if let Some(service) = self.services.remove(&onion_base) {
+            rm_res = self.connection.del_onion(&onion_base).await;
+            service
+        } else {
+            BTreeMap::new()
+        };
+        let mut binding = service.remove(&external).unwrap_or_default();
+        let rc = if let Some(rc) = Weak::upgrade(&binding.remove(&target).unwrap_or_default()) {
+            rc
+        } else {
+            Arc::new(())
+        };
+        binding.insert(target, Arc::downgrade(&rc));
+        service.insert(external, binding);
+        let bindings = service
+            .iter()
+            .flat_map(|(ext, int)| {
+                int.iter()
+                    .find(|(_, rc)| rc.strong_count() > 0)
+                    .map(|(addr, _)| (*ext, SocketAddr::from(*addr)))
+            })
+            .collect::<Vec<_>>();
+        self.services.insert(onion_base, service);
+        rm_res?;
+        self.connection
+            .add_onion_v3(key, false, false, false, None, &mut bindings.iter())
+            .await?;
+        Ok(rc)
    }

-    #[instrument(skip(self, interfaces))]
-    async fn remove<I: IntoIterator<Item = InterfaceId>>(
-        &mut self,
-        pkg_id: &PackageId,
-        interfaces: I,
-    ) -> Result<(), Error> {
-        for interface_id in interfaces {
-            if let Some((key, _cfg, _ip)) = self.services.remove(&(pkg_id.clone(), interface_id)) {
+    #[instrument(skip(self))]
+    async fn gc(&mut self, key: &TorSecretKeyV3, external: u16) -> Result<(), Error> {
+        let onion_base = key
+            .public()
+            .get_onion_address()
+            .get_address_without_dot_onion();
+        if let Some(mut service) = self.services.remove(&onion_base) {
+            if let Some(mut binding) = service.remove(&external) {
+                binding = binding
+                    .into_iter()
+                    .filter(|(_, rc)| rc.strong_count() > 0)
+                    .collect();
+                if !binding.is_empty() {
+                    service.insert(external, binding);
+                }
+            }
+            let rm_res = self.connection.del_onion(&onion_base).await;
+            if !service.is_empty() {
+                let bindings = service
+                    .iter()
+                    .flat_map(|(ext, int)| {
+                        int.iter()
+                            .find(|(_, rc)| rc.strong_count() > 0)
+                            .map(|(addr, _)| (*ext, SocketAddr::from(*addr)))
+                    })
+                    .collect::<Vec<_>>();
+                self.services.insert(onion_base, service);
+                rm_res?;
                self.connection
-                    .as_mut()
-                    .ok_or_else(|| {
-                        Error::new(eyre!("Missing Tor Control Connection"), ErrorKind::Tor)
-                    })?
-                    .del_onion(
-                        &key.public()
-                            .get_onion_address()
-                            .get_address_without_dot_onion(),
-                    )
+                    .add_onion_v3(&key, false, false, false, None, &mut bindings.iter())
                    .await?;
+            } else {
+                rm_res?;
            }
        }
+
        Ok(())
    }

    #[instrument]
-    async fn init(
-        embassyd_addr: SocketAddr,
-        embassyd_tor_key: TorSecretKeyV3,
-        tor_control: SocketAddr,
-    ) -> Result<Self, Error> {
+    async fn init(tor_control: SocketAddr) -> Result<Self, Error> {
        let mut conn = torut::control::UnauthenticatedConn::new(
            TcpStream::connect(tor_control).await?, // TODO
        );
@@ -230,124 +189,16 @@ impl TorControllerInner {
        let mut connection: AuthenticatedConnection = conn.into_authenticated().await;
        connection.set_async_event_handler(Some(event_handler));

-        let mut controller = TorControllerInner {
-            embassyd_addr,
-            embassyd_tor_key,
+        Ok(Self {
            control_addr: tor_control,
-            connection: Some(connection),
+            connection,
            services: BTreeMap::new(),
-        };
-        controller.add_embassyd_onion().await?;
-        Ok(controller)
-    }
-
-    #[instrument(skip(self))]
-    async fn add_embassyd_onion(&mut self) -> Result<(), Error> {
-        tracing::info!(
-            "Registering Main Tor Service: {}",
-            self.embassyd_tor_key.public().get_onion_address()
-        );
-        self.connection
-            .as_mut()
-            .ok_or_else(|| Error::new(eyre!("Missing Tor Control Connection"), ErrorKind::Tor))?
-            .add_onion_v3(
-                &self.embassyd_tor_key,
-                false,
-                false,
-                false,
-                None,
-                &mut std::iter::once(&(self.embassyd_addr.port(), self.embassyd_addr)),
-            )
-            .await?;
-        tracing::info!(
-            "Registered Main Tor Service: {}",
-            self.embassyd_tor_key.public().get_onion_address()
-        );
-        Ok(())
-    }
-
-    #[instrument(skip(self))]
-    async fn replace(&mut self) -> Result<bool, Error> {
-        let connection = self.connection.take();
-        let uptime = if let Some(mut c) = connection {
-            // this should be unreachable because the only time when this should be none is for the duration of tor's
-            // restart lower down in this method, which is held behind a Mutex
-            let uptime = c.get_info("uptime").await?.parse::<u64>()?;
-            // we never want to restart the tor daemon if it hasn't been up for at least a half hour
-            if uptime < 1800 {
-                self.connection = Some(c); // put it back
-                return Ok(false);
-            }
-            // when connection closes below, tor daemon is restarted
-            c.take_ownership().await?;
-            // this should close the connection
-            drop(c);
-            Some(uptime)
-        } else {
-            None
-        };
-
-        // attempt to reconnect to the control socket, not clear how long this should take
-        let mut new_connection: AuthenticatedConnection;
-        loop {
-            match TcpStream::connect(self.control_addr).await {
-                Ok(stream) => {
-                    let mut new_conn = torut::control::UnauthenticatedConn::new(stream);
-                    let auth = new_conn
-                        .load_protocol_info()
-                        .await?
-                        .make_auth_data()?
-                        .ok_or_else(|| eyre!("Cookie Auth Not Available"))
-                        .with_kind(crate::ErrorKind::Tor)?;
-                    new_conn.authenticate(&auth).await?;
-                    new_connection = new_conn.into_authenticated().await;
-                    let uptime_new = new_connection.get_info("uptime").await?.parse::<u64>()?;
-                    // if the new uptime exceeds the one we got at the beginning, it's the same tor daemon, do not proceed
-                    match uptime {
-                        Some(uptime) if uptime_new > uptime => (),
-                        _ => {
-                            new_connection.set_async_event_handler(Some(event_handler));
-                            break;
-                        }
-                    }
-                }
-                Err(e) => {
-                    tracing::info!("Failed to reconnect to tor control socket: {}", e);
-                }
-            }
-            tokio::time::sleep(Duration::from_secs(1)).await;
-        }
-        // replace the connection object here on the new copy of the tor daemon
-        self.connection.replace(new_connection);
-
-        // swap empty map for owned old service map
-        let old_services = std::mem::replace(&mut self.services, BTreeMap::new());
-
-        // re add all of the services on the new control socket
-        for ((package_id, interface_id), (tor_key, tor_cfg, ipv4)) in old_services {
-            self.add(
-                &package_id,
-                ipv4,
-                std::iter::once((interface_id, tor_cfg, tor_key)),
-            )
-            .await?;
-        }
-
-        // add embassyd hidden service again
-        self.add_embassyd_onion().await?;
-
-        Ok(true)
-    }
-
-    fn embassyd_onion(&self) -> OnionAddressV3 {
-        self.embassyd_tor_key.public().get_onion_address()
+        })
    }

    #[instrument(skip(self))]
    async fn list_services(&mut self) -> Result<Vec<OnionAddressV3>, Error> {
        self.connection
-            .as_mut()
-            .ok_or_else(|| Error::new(eyre!("Missing Tor Control Connection"), ErrorKind::Tor))?
            .get_info("onions/current")
            .await?
            .lines()
@@ -358,51 +209,6 @@ impl TorControllerInner {
    }
 }

-pub async fn tor_health_check(client: &Client, tor_controller: &TorController) {
-    tracing::debug!("Attempting to self-check tor address");
-    let onion = tor_controller.embassyd_onion().await;
-    let result = client
-        .post(format!("http://{}/rpc/v1", onion))
-        .body(
-            json!({
-                "jsonrpc": "2.0",
-                "method": "echo",
-                "params": { "message": "Follow the orange rabbit" },
-            })
-            .to_string()
-            .into_bytes(),
-        )
-        .send()
-        .await;
-    match result {
-        // if success, do nothing
-        Ok(_) => {
-            tracing::debug!(
-                "Successfully verified main tor address liveness at {}",
-                onion
-            )
-        }
-        // if failure, disconnect tor control port, and restart tor controller
-        Err(e) => {
-            tracing::error!("Unable to reach self over tor: {}", e);
-            loop {
-                match tor_controller.replace().await {
-                    Ok(restarted) => {
-                        if restarted {
-                            tracing::error!("Tor has been recently restarted, refusing to restart");
-                        }
-                        break;
-                    }
-                    Err(e) => {
-                        tracing::error!("Unable to restart tor: {}", e);
-                        tracing::debug!("{:?}", e);
-                    }
-                }
-            }
-        }
-    }
-}
-
 #[tokio::test]
 async fn test() {
    let mut conn = torut::control::UnauthenticatedConn::new(
@@ -425,7 +231,7 @@ async fn test() {
        fn(AsyncEvent<'static>) -> BoxFuture<'static, Result<(), ConnError>>,
    > = conn.into_authenticated().await;
    let tor_key = torut::onion::TorSecretKeyV3::generate();
-    dbg!(connection.get_conf("SocksPort").await.unwrap());
+    connection.get_conf("SocksPort").await.unwrap();
    connection
        .add_onion_v3(
            &tor_key,
@@ -437,6 +243,15 @@ async fn test() {
        )
        .await
        .unwrap();
+    connection
+        .del_onion(
+            &tor_key
+                .public()
+                .get_onion_address()
+                .get_address_without_dot_onion(),
+        )
+        .await
+        .unwrap();
    connection
        .add_onion_v3(
            &tor_key,
--- a/backend/src/net/utils.rs
+++ b/backend/src/net/utils.rs
@@ -0,0 +1,123 @@
+use std::convert::Infallible;
+use std::net::{Ipv4Addr, Ipv6Addr};
+use std::path::Path;
+
+use async_stream::try_stream;
+use color_eyre::eyre::eyre;
+use futures::stream::BoxStream;
+use futures::{StreamExt, TryStreamExt};
+use ipnet::{Ipv4Net, Ipv6Net};
+use tokio::process::Command;
+
+use crate::util::Invoke;
+use crate::Error;
+
+fn parse_iface_ip(output: &str) -> Result<Option<&str>, Error> {
+    let output = output.trim();
+    if output.is_empty() {
+        return Ok(None);
+    }
+    if let Some(ip) = output.split_ascii_whitespace().nth(3) {
+        Ok(Some(ip))
+    } else {
+        Err(Error::new(
+            eyre!("malformed output from `ip`"),
+            crate::ErrorKind::Network,
+        ))
+    }
+}
+
+pub async fn get_iface_ipv4_addr(iface: &str) -> Result<Option<(Ipv4Addr, Ipv4Net)>, Error> {
+    Ok(parse_iface_ip(&String::from_utf8(
+        Command::new("ip")
+            .arg("-4")
+            .arg("-o")
+            .arg("addr")
+            .arg("show")
+            .arg(iface)
+            .invoke(crate::ErrorKind::Network)
+            .await?,
+    )?)?
+    .map(|s| Ok::<_, Error>((s.split("/").next().unwrap().parse()?, s.parse()?)))
+    .transpose()?)
+}
+
+pub async fn get_iface_ipv6_addr(iface: &str) -> Result<Option<(Ipv6Addr, Ipv6Net)>, Error> {
+    Ok(parse_iface_ip(&String::from_utf8(
+        Command::new("ip")
+            .arg("-6")
+            .arg("-o")
+            .arg("addr")
+            .arg("show")
+            .arg(iface)
+            .invoke(crate::ErrorKind::Network)
+            .await?,
+    )?)?
+    .map(|s| Ok::<_, Error>((s.split("/").next().unwrap().parse()?, s.parse()?)))
+    .transpose()?)
+}
+
+pub async fn iface_is_physical(iface: &str) -> bool {
+    tokio::fs::metadata(Path::new("/sys/class/net").join(iface).join("device"))
+        .await
+        .is_ok()
+}
+
+pub async fn iface_is_wireless(iface: &str) -> bool {
+    tokio::fs::metadata(Path::new("/sys/class/net").join(iface).join("wireless"))
+        .await
+        .is_ok()
+}
+
+pub fn list_interfaces() -> BoxStream<'static, Result<String, Error>> {
+    try_stream! {
+        let mut ifaces = tokio::fs::read_dir("/sys/class/net").await?;
+        while let Some(iface) = ifaces.next_entry().await? {
+            if let Some(iface) = iface.file_name().into_string().ok() {
+                yield iface;
+            }
+        }
+    }
+    .boxed()
+}
+
+pub async fn find_wifi_iface() -> Result<Option<String>, Error> {
+    let mut ifaces = list_interfaces();
+    while let Some(iface) = ifaces.try_next().await? {
+        if iface_is_wireless(&iface).await {
+            return Ok(Some(iface));
+        }
+    }
+    Ok(None)
+}
+
+pub async fn find_eth_iface() -> Result<String, Error> {
+    let mut ifaces = list_interfaces();
+    while let Some(iface) = ifaces.try_next().await? {
+        if iface_is_physical(&iface).await && !iface_is_wireless(&iface).await {
+            return Ok(iface);
+        }
+    }
+    Err(Error::new(
+        eyre!("Could not detect ethernet interface"),
+        crate::ErrorKind::Network,
+    ))
+}
+
+#[pin_project::pin_project]
+pub struct SingleAccept<T>(Option<T>);
+impl<T> SingleAccept<T> {
+    pub fn new(conn: T) -> Self {
+        Self(Some(conn))
+    }
+}
+impl<T> hyper::server::accept::Accept for SingleAccept<T> {
+    type Conn = T;
+    type Error = Infallible;
+    fn poll_accept(
+        self: std::pin::Pin<&mut Self>,
+        _cx: &mut std::task::Context<'_>,
+    ) -> std::task::Poll<Option<Result<Self::Conn, Self::Error>>> {
+        std::task::Poll::Ready(self.project().0.take().map(Ok))
+    }
+}
--- a/backend/src/net/vhost.rs
+++ b/backend/src/net/vhost.rs
@@ -0,0 +1,329 @@
+use std::collections::BTreeMap;
+use std::convert::Infallible;
+use std::net::{IpAddr, SocketAddr};
+use std::str::FromStr;
+use std::sync::{Arc, Weak};
+
+use color_eyre::eyre::eyre;
+use helpers::NonDetachingJoinHandle;
+use http::{Response, Uri};
+use hyper::service::{make_service_fn, service_fn};
+use hyper::Body;
+use models::ResultExt;
+use tokio::net::{TcpListener, TcpStream};
+use tokio::sync::{Mutex, RwLock};
+use tokio_rustls::rustls::server::Acceptor;
+use tokio_rustls::rustls::{RootCertStore, ServerConfig};
+use tokio_rustls::{LazyConfigAcceptor, TlsConnector};
+
+use crate::net::keys::Key;
+use crate::net::ssl::SslManager;
+use crate::net::utils::SingleAccept;
+use crate::util::io::BackTrackingReader;
+use crate::Error;
+
+// not allowed: <=1024, >=32768, 5355, 5432, 9050, 6010, 9051, 5353
+
+pub struct VHostController {
+    ssl: Arc<SslManager>,
+    servers: Mutex<BTreeMap<u16, VHostServer>>,
+}
+impl VHostController {
+    pub fn new(ssl: Arc<SslManager>) -> Self {
+        Self {
+            ssl,
+            servers: Mutex::new(BTreeMap::new()),
+        }
+    }
+    pub async fn add(
+        &self,
+        key: Key,
+        hostname: Option<String>,
+        external: u16,
+        target: SocketAddr,
+        connect_ssl: bool,
+    ) -> Result<Arc<()>, Error> {
+        let mut writable = self.servers.lock().await;
+        let server = if let Some(server) = writable.remove(&external) {
+            server
+        } else {
+            VHostServer::new(external, self.ssl.clone()).await?
+        };
+        let rc = server
+            .add(
+                hostname,
+                TargetInfo {
+                    addr: target,
+                    connect_ssl,
+                    key,
+                },
+            )
+            .await;
+        writable.insert(external, server);
+        Ok(rc?)
+    }
+    pub async fn gc(&self, hostname: Option<String>, external: u16) -> Result<(), Error> {
+        let mut writable = self.servers.lock().await;
+        if let Some(server) = writable.remove(&external) {
+            server.gc(hostname).await?;
+            if !server.is_empty().await? {
+                writable.insert(external, server);
+            }
+        }
+        Ok(())
+    }
+}
+
+#[derive(Clone, PartialEq, Eq, PartialOrd, Ord)]
+struct TargetInfo {
+    addr: SocketAddr,
+    connect_ssl: bool,
+    key: Key,
+}
+
+struct VHostServer {
+    mapping: Weak<RwLock<BTreeMap<Option<String>, BTreeMap<TargetInfo, Weak<()>>>>>,
+    _thread: NonDetachingJoinHandle<()>,
+}
+impl VHostServer {
+    async fn new(port: u16, ssl: Arc<SslManager>) -> Result<Self, Error> {
+        // check if port allowed
+        let listener = TcpListener::bind(SocketAddr::new([0, 0, 0, 0].into(), port))
+            .await
+            .with_kind(crate::ErrorKind::Network)?;
+        let mapping = Arc::new(RwLock::new(BTreeMap::new()));
+        Ok(Self {
+            mapping: Arc::downgrade(&mapping),
+            _thread: tokio::spawn(async move {
+                loop {
+                    match listener.accept().await {
+                        Ok((stream, _)) => {
+                            let mut stream = BackTrackingReader::new(stream);
+                            stream.start_buffering();
+                            let mapping = mapping.clone();
+                            let ssl = ssl.clone();
+                            tokio::spawn(async move {
+                                if let Err(e) = async {
+                                    let mid = match LazyConfigAcceptor::new(
+                                        Acceptor::default(),
+                                        &mut stream,
+                                    )
+                                    .await
+                                    {
+                                        Ok(a) => a,
+                                        Err(_) => {
+                                            stream.rewind();
+                                            return hyper::server::Server::builder(
+                                                SingleAccept::new(stream),
+                                            )
+                                            .serve(make_service_fn(|_| async {
+                                                Ok::<_, Infallible>(service_fn(|req| async move {
+                                                    let host = req
+                                                        .headers()
+                                                        .get(http::header::HOST)
+                                                        .and_then(|host| host.to_str().ok());
+                                                    let uri = Uri::from_parts({
+                                                        let mut parts =
+                                                            req.uri().to_owned().into_parts();
+                                                        parts.authority = host
+                                                            .map(FromStr::from_str)
+                                                            .transpose()?;
+                                                        parts
+                                                    })?;
+                                                    Response::builder()
+                                                        .status(
+                                                            http::StatusCode::TEMPORARY_REDIRECT,
+                                                        )
+                                                        .header(
+                                                            http::header::LOCATION,
+                                                            uri.to_string(),
+                                                        )
+                                                        .body(Body::default())
+                                                }))
+                                            }))
+                                            .await
+                                            .with_kind(crate::ErrorKind::Network);
+                                        }
+                                    };
+                                    let target_name =
+                                        mid.client_hello().server_name().map(|s| s.to_owned());
+                                    let target = {
+                                        let mapping = mapping.read().await;
+                                        mapping
+                                            .get(&target_name)
+                                            .into_iter()
+                                            .flatten()
+                                            .find(|(_, rc)| rc.strong_count() > 0)
+                                            .or_else(|| {
+                                                if target_name
+                                                    .map(|s| s.parse::<IpAddr>().is_ok())
+                                                    .unwrap_or(true)
+                                                {
+                                                    mapping
+                                                        .get(&None)
+                                                        .into_iter()
+                                                        .flatten()
+                                                        .find(|(_, rc)| rc.strong_count() > 0)
+                                                } else {
+                                                    None
+                                                }
+                                            })
+                                            .map(|(target, _)| target.clone())
+                                    };
+                                    if let Some(target) = target {
+                                        let mut tcp_stream =
+                                            TcpStream::connect(target.addr).await?;
+                                        let key =
+                                            ssl.with_certs(target.key, target.addr.ip()).await?;
+                                        let cfg = ServerConfig::builder()
+                                            .with_safe_defaults()
+                                            .with_no_client_auth();
+                                        let cfg =
+                                            if mid.client_hello().signature_schemes().contains(
+                                                &tokio_rustls::rustls::SignatureScheme::ED25519,
+                                            ) {
+                                                cfg.with_single_cert(
+                                                    key.fullchain_ed25519()
+                                                        .into_iter()
+                                                        .map(|c| {
+                                                            Ok(tokio_rustls::rustls::Certificate(
+                                                                c.to_der()?,
+                                                            ))
+                                                        })
+                                                        .collect::<Result<_, Error>>()?,
+                                                    tokio_rustls::rustls::PrivateKey(
+                                                        key.key()
+                                                            .openssl_key_ed25519()
+                                                            .private_key_to_der()?,
+                                                    ),
+                                                )
+                                            } else {
+                                                cfg.with_single_cert(
+                                                    key.fullchain_nistp256()
+                                                        .into_iter()
+                                                        .map(|c| {
+                                                            Ok(tokio_rustls::rustls::Certificate(
+                                                                c.to_der()?,
+                                                            ))
+                                                        })
+                                                        .collect::<Result<_, Error>>()?,
+                                                    tokio_rustls::rustls::PrivateKey(
+                                                        key.key()
+                                                            .openssl_key_nistp256()
+                                                            .private_key_to_der()?,
+                                                    ),
+                                                )
+                                            };
+                                        let mut tls_stream = mid
+                                            .into_stream(Arc::new(
+                                                cfg.with_kind(crate::ErrorKind::OpenSsl)?,
+                                            ))
+                                            .await?;
+                                        tls_stream.get_mut().0.stop_buffering();
+                                        if target.connect_ssl {
+                                            tokio::io::copy_bidirectional(
+                                                &mut tls_stream,
+                                                &mut TlsConnector::from(Arc::new(
+                                                    tokio_rustls::rustls::ClientConfig::builder()
+                                                        .with_safe_defaults()
+                                                        .with_root_certificates({
+                                                            let mut store = RootCertStore::empty();
+                                                            store.add(
+                                                                &tokio_rustls::rustls::Certificate(
+                                                                    key.root_ca().to_der()?,
+                                                                ),
+                                                            ).with_kind(crate::ErrorKind::OpenSsl)?;
+                                                            store
+                                                        })
+                                                        .with_no_client_auth(),
+                                                ))
+                                                .connect(
+                                                    key.key()
+                                                        .internal_address()
+                                                        .as_str()
+                                                        .try_into()
+                                                        .with_kind(crate::ErrorKind::OpenSsl)?,
+                                                    tcp_stream,
+                                                )
+                                                .await
+                                                .with_kind(crate::ErrorKind::OpenSsl)?,
+                                            )
+                                            .await?;
+                                        } else {
+                                            tokio::io::copy_bidirectional(
+                                                &mut tls_stream,
+                                                &mut tcp_stream,
+                                            )
+                                            .await?;
+                                        }
+                                    } else {
+                                        // 503
+                                    }
+                                    Ok::<_, Error>(())
+                                }
+                                .await
+                                {
+                                    tracing::error!("Error in VHostController on port {port}: {e}");
+                                    tracing::debug!("{e:?}")
+                                }
+                            });
+                        }
+                        Err(e) => {
+                            tracing::error!("Error in VHostController on port {port}: {e}");
+                            tracing::debug!("{e:?}");
+                        }
+                    }
+                }
+            })
+            .into(),
+        })
+    }
+    async fn add(&self, hostname: Option<String>, target: TargetInfo) -> Result<Arc<()>, Error> {
+        if let Some(mapping) = Weak::upgrade(&self.mapping) {
+            let mut writable = mapping.write().await;
+            let mut targets = writable.remove(&hostname).unwrap_or_default();
+            let rc = if let Some(rc) = Weak::upgrade(&targets.remove(&target).unwrap_or_default()) {
+                rc
+            } else {
+                Arc::new(())
+            };
+            targets.insert(target, Arc::downgrade(&rc));
+            writable.insert(hostname, targets);
+            Ok(rc)
+        } else {
+            Err(Error::new(
+                eyre!("VHost Service Thread has exited"),
+                crate::ErrorKind::Network,
+            ))
+        }
+    }
+    async fn gc(&self, hostname: Option<String>) -> Result<(), Error> {
+        if let Some(mapping) = Weak::upgrade(&self.mapping) {
+            let mut writable = mapping.write().await;
+            let mut targets = writable.remove(&hostname).unwrap_or_default();
+            targets = targets
+                .into_iter()
+                .filter(|(_, rc)| rc.strong_count() > 0)
+                .collect();
+            if !targets.is_empty() {
+                writable.insert(hostname, targets);
+            }
+            Ok(())
+        } else {
+            Err(Error::new(
+                eyre!("VHost Service Thread has exited"),
+                crate::ErrorKind::Network,
+            ))
+        }
+    }
+    async fn is_empty(&self) -> Result<bool, Error> {
+        if let Some(mapping) = Weak::upgrade(&self.mapping) {
+            Ok(mapping.read().await.is_empty())
+        } else {
+            Err(Error::new(
+                eyre!("VHost Service Thread has exited"),
+                crate::ErrorKind::Network,
+            ))
+        }
+    }
+}
--- a/backend/src/net/web_server.rs
+++ b/backend/src/net/web_server.rs
@@ -0,0 +1,61 @@
+use std::convert::Infallible;
+use std::net::SocketAddr;
+
+use futures::future::ready;
+use futures::FutureExt;
+use helpers::NonDetachingJoinHandle;
+use hyper::service::{make_service_fn, service_fn};
+use hyper::Server;
+use tokio::sync::oneshot;
+
+use crate::context::{DiagnosticContext, InstallContext, RpcContext, SetupContext};
+use crate::net::static_server::{
+    diag_ui_file_router, install_ui_file_router, main_ui_server_router, setup_ui_file_router,
+};
+use crate::net::HttpHandler;
+use crate::Error;
+
+pub struct WebServer {
+    shutdown: oneshot::Sender<()>,
+    thread: NonDetachingJoinHandle<()>,
+}
+impl WebServer {
+    pub fn new(bind: SocketAddr, router: HttpHandler) -> Self {
+        let (shutdown, shutdown_recv) = oneshot::channel();
+        let thread = NonDetachingJoinHandle::from(tokio::spawn(async move {
+            let server = Server::bind(&bind)
+                .http1_preserve_header_case(true)
+                .http1_title_case_headers(true)
+                .serve(make_service_fn(move |_| {
+                    let router = router.clone();
+                    ready(Ok::<_, Infallible>(service_fn(move |req| router(req))))
+                }))
+                .with_graceful_shutdown(shutdown_recv.map(|_| ()));
+            if let Err(e) = server.await {
+                tracing::error!("Spawning hyper server error: {}", e);
+            }
+        }));
+        Self { shutdown, thread }
+    }
+
+    pub async fn shutdown(self) {
+        self.shutdown.send(()).unwrap_or_default();
+        self.thread.await.unwrap()
+    }
+
+    pub async fn main(bind: SocketAddr, ctx: RpcContext) -> Result<Self, Error> {
+        Ok(Self::new(bind, main_ui_server_router(ctx).await?))
+    }
+
+    pub async fn setup(bind: SocketAddr, ctx: SetupContext) -> Result<Self, Error> {
+        Ok(Self::new(bind, setup_ui_file_router(ctx).await?))
+    }
+
+    pub async fn diagnostic(bind: SocketAddr, ctx: DiagnosticContext) -> Result<Self, Error> {
+        Ok(Self::new(bind, diag_ui_file_router(ctx).await?))
+    }
+
+    pub async fn install(bind: SocketAddr, ctx: InstallContext) -> Result<Self, Error> {
+        Ok(Self::new(bind, install_ui_file_router(ctx).await?))
+    }
+}
--- a/backend/src/net/wifi.rs
+++ b/backend/src/net/wifi.rs
@@ -18,6 +18,19 @@ use crate::util::serde::{display_serializable, IoFormat};
 use crate::util::{display_none, Invoke};
 use crate::{Error, ErrorKind};

+type WifiManager = Arc<RwLock<WpaCli>>;
+
+pub fn wifi_manager(ctx: &RpcContext) -> Result<&WifiManager, Error> {
+    if let Some(wifi_manager) = ctx.wifi_manager.as_ref() {
+        Ok(wifi_manager)
+    } else {
+        Err(Error::new(
+            color_eyre::eyre::eyre!("No WiFi interface available"),
+            ErrorKind::Wifi,
+        ))
+    }
+}
+
 #[command(subcommands(add, connect, delete, get, country, available))]
 pub async fn wifi() -> Result<(), Error> {
    Ok(())
@@ -42,6 +55,7 @@ pub async fn add(
    #[arg] priority: isize,
    #[arg] connect: bool,
 ) -> Result<(), Error> {
+    let wifi_manager = wifi_manager(&ctx)?;
    if !ssid.is_ascii() {
        return Err(Error::new(
            color_eyre::eyre::eyre!("SSID may not have special characters"),
@@ -56,7 +70,7 @@ pub async fn add(
    }
    async fn add_procedure(
        db: impl DbHandle,
-        wifi_manager: Arc<RwLock<WpaCli>>,
+        wifi_manager: WifiManager,
        ssid: &Ssid,
        password: &Psk,
        priority: isize,
@@ -71,7 +85,7 @@ pub async fn add(
    }
    if let Err(err) = add_procedure(
        &mut ctx.db.handle(),
-        ctx.wifi_manager.clone(),
+        wifi_manager.clone(),
        &Ssid(ssid.clone()),
        &Psk(password.clone()),
        priority,
@@ -91,6 +105,7 @@ pub async fn add(
 #[command(display(display_none))]
 #[instrument(skip(ctx))]
 pub async fn connect(#[context] ctx: RpcContext, #[arg] ssid: String) -> Result<(), Error> {
+    let wifi_manager = wifi_manager(&ctx)?;
    if !ssid.is_ascii() {
        return Err(Error::new(
            color_eyre::eyre::eyre!("SSID may not have special characters"),
@@ -99,7 +114,7 @@ pub async fn connect(#[context] ctx: RpcContext, #[arg] ssid: String) -> Result<
    }
    async fn connect_procedure(
        mut db: impl DbHandle,
-        wifi_manager: Arc<RwLock<WpaCli>>,
+        wifi_manager: WifiManager,
        ssid: &Ssid,
    ) -> Result<(), Error> {
        let wpa_supplicant = wifi_manager.read().await;
@@ -125,7 +140,7 @@ pub async fn connect(#[context] ctx: RpcContext, #[arg] ssid: String) -> Result<

    if let Err(err) = connect_procedure(
        &mut ctx.db.handle(),
-        ctx.wifi_manager.clone(),
+        wifi_manager.clone(),
        &Ssid(ssid.clone()),
    )
    .await
@@ -142,20 +157,21 @@ pub async fn connect(#[context] ctx: RpcContext, #[arg] ssid: String) -> Result<
 #[command(display(display_none))]
 #[instrument(skip(ctx))]
 pub async fn delete(#[context] ctx: RpcContext, #[arg] ssid: String) -> Result<(), Error> {
+    let wifi_manager = wifi_manager(&ctx)?;
    if !ssid.is_ascii() {
        return Err(Error::new(
            color_eyre::eyre::eyre!("SSID may not have special characters"),
            ErrorKind::Wifi,
        ));
    }
-    let wpa_supplicant = ctx.wifi_manager.read().await;
+    let wpa_supplicant = wifi_manager.read().await;
    let current = wpa_supplicant.get_current_network().await?;
    drop(wpa_supplicant);
-    let mut wpa_supplicant = ctx.wifi_manager.write().await;
+    let mut wpa_supplicant = wifi_manager.write().await;
    let ssid = Ssid(ssid);
    let is_current_being_removed = matches!(current, Some(current) if current == ssid);
    let is_current_removed_and_no_hardwire =
-        is_current_being_removed && !interface_connected("eth0").await?;
+        is_current_being_removed && !interface_connected(&ctx.ethernet_interface).await?;
    if is_current_removed_and_no_hardwire {
        return Err(Error::new(color_eyre::eyre::eyre!("Forbidden: Deleting this Network would make your Embassy Unreachable. Either connect to ethernet or connect to a different WiFi network to remedy this."), ErrorKind::Wifi));
    }
@@ -284,12 +300,13 @@ pub async fn get(
    #[arg(long = "format")]
    format: Option<IoFormat>,
 ) -> Result<WiFiInfo, Error> {
-    let wpa_supplicant = ctx.wifi_manager.read().await;
+    let wifi_manager = wifi_manager(&ctx)?;
+    let wpa_supplicant = wifi_manager.read().await;
    let (list_networks, current_res, country_res, ethernet_res, signal_strengths) = tokio::join!(
        wpa_supplicant.list_networks_low(),
        wpa_supplicant.get_current_network(),
        wpa_supplicant.get_country_low(),
-        interface_connected("eth0"), // TODO: pull from config
+        interface_connected(&ctx.ethernet_interface),
        wpa_supplicant.list_wifi_low()
    );
    let signal_strengths = signal_strengths?;
@@ -337,7 +354,8 @@ pub async fn get_available(
    #[arg(long = "format")]
    format: Option<IoFormat>,
 ) -> Result<Vec<WifiListOut>, Error> {
-    let wpa_supplicant = ctx.wifi_manager.read().await;
+    let wifi_manager = wifi_manager(&ctx)?;
+    let wpa_supplicant = wifi_manager.read().await;
    let (wifi_list, network_list) = tokio::join!(
        wpa_supplicant.list_wifi_low(),
        wpa_supplicant.list_networks_low()
@@ -365,13 +383,14 @@ pub async fn set_country(
    #[context] ctx: RpcContext,
    #[arg(parse(country_code_parse))] country: CountryCode,
 ) -> Result<(), Error> {
-    if !interface_connected("eth0").await? {
+    let wifi_manager = wifi_manager(&ctx)?;
+    if !interface_connected(&ctx.ethernet_interface).await? {
        return Err(Error::new(
            color_eyre::eyre::eyre!("Won't change country without hardwire connection"),
            crate::ErrorKind::Wifi,
        ));
    }
-    let mut wpa_supplicant = ctx.wifi_manager.write().await;
+    let mut wpa_supplicant = wifi_manager.write().await;
    wpa_supplicant.set_country_low(country.alpha2()).await?;
    for (network_id, _wifi_info) in wpa_supplicant.list_networks_low().await? {
        wpa_supplicant.remove_network_low(network_id).await?;
@@ -776,6 +795,7 @@ pub fn country_code_parse(code: &str, _matches: &ArgMatches) -> Result<CountryCo
 #[instrument(skip(main_datadir))]
 pub async fn synchronize_wpa_supplicant_conf<P: AsRef<Path>>(
    main_datadir: P,
+    wifi_iface: &str,
    last_country_code: &Option<CountryCode>,
 ) -> Result<(), Error> {
    let persistent = main_datadir.as_ref().join("system-connections");
@@ -797,7 +817,7 @@ pub async fn synchronize_wpa_supplicant_conf<P: AsRef<Path>>(
        .invoke(ErrorKind::Wifi)
        .await?;
    Command::new("ifconfig")
-        .arg("wlan0")
+        .arg(wifi_iface)
        .arg("up")
        .invoke(ErrorKind::Wifi)
        .await?;
--- a/backend/src/net/ws_server.rs
+++ b/backend/src/net/ws_server.rs
@@ -0,0 +1,94 @@
+use crate::context::RpcContext;
+
+pub async fn ws_server_handle(rpc_ctx: RpcContext) {
+
+    let ws_ctx = rpc_ctx.clone();
+    let ws_server_handle = {
+        let builder = Server::bind(&ws_ctx.bind_ws);
+
+        let make_svc = ::rpc_toolkit::hyper::service::make_service_fn(move |_| {
+            let ctx = ws_ctx.clone();
+            async move {
+                Ok::<_, ::rpc_toolkit::hyper::Error>(::rpc_toolkit::hyper::service::service_fn(
+                    move |req| {
+                        let ctx = ctx.clone();
+                        async move {
+                            tracing::debug!("Request to {}", req.uri().path());
+                            match req.uri().path() {
+                                "/ws/db" => {
+                                    Ok(subscribe(ctx, req).await.unwrap_or_else(err_to_500))
+                                }
+                                path if path.starts_with("/ws/rpc/") => {
+                                     match RequestGuid::from(
+                                        path.strip_prefix("/ws/rpc/").unwrap(),
+                                    ) {
+                                        None => {
+                                            tracing::debug!("No Guid Path");
+                                            Response::builder()
+                                                .status(StatusCode::BAD_REQUEST)
+                                                .body(Body::empty())
+                                        }
+                                        Some(guid) => {
+                                            match ctx.get_ws_continuation_handler(&guid).await {
+                                                Some(cont) => match cont(req).await {
+                                                    Ok(r) => Ok(r),
+                                                    Err(e) => Response::builder()
+                                                        .status(
+                                                            StatusCode::INTERNAL_SERVER_ERROR,
+                                                        )
+                                                        .body(Body::from(format!("{}", e))),
+                                                },
+                                                _ => Response::builder()
+                                                    .status(StatusCode::NOT_FOUND)
+                                                    .body(Body::empty()),
+                                            }
+                                        }
+                                    }
+                                }
+                                path if path.starts_with("/rest/rpc/") => {
+                                    match RequestGuid::from(
+                                        path.strip_prefix("/rest/rpc/").unwrap(),
+                                    ) {
+                                        None => {
+                                            tracing::debug!("No Guid Path");
+                                            Response::builder()
+                                                .status(StatusCode::BAD_REQUEST)
+                                                .body(Body::empty())
+                                        }
+                                        Some(guid) => {
+                                            match ctx.get_rest_continuation_handler(&guid).await
+                                            {
+                                                None => Response::builder()
+                                                    .status(StatusCode::NOT_FOUND)
+                                                    .body(Body::empty()),
+                                                Some(cont) => match cont(req).await {
+                                                    Ok(r) => Ok(r),
+                                                    Err(e) => Response::builder()
+                                                        .status(
+                                                            StatusCode::INTERNAL_SERVER_ERROR,
+                                                        )
+                                                        .body(Body::from(format!("{}", e))),
+                                                },
+                                            }
+                                        }
+                                    }
+                                }
+                                _ => Response::builder()
+                                    .status(StatusCode::NOT_FOUND)
+                                    .body(Body::empty()),
+                            }
+                        }
+                    },
+                ))
+            }
+        });
+        builder.serve(make_svc)
+    }
+    .with_graceful_shutdown({
+        let mut shutdown = rpc_ctx.shutdown.subscribe();
+        async move {
+            shutdown.recv().await.expect("context dropped");
+        }
+    });
+
+}
--- a/backend/src/nginx/diagnostic-ui.conf
+++ b/backend/src/nginx/diagnostic-ui.conf
@@ -1,35 +0,0 @@
-
-map $http_upgrade $connection_upgrade {
-        default upgrade;
-        '' $http_connection;
-}
-
-server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
-
-        root /var/www/html/diagnostic;
-
-        index index.html index.htm index.nginx-debian.html;
-
-        server_name _;
-
-        proxy_buffering off;
-        proxy_request_buffering off;
-        proxy_socket_keepalive on;
-        proxy_http_version 1.1;
-        proxy_read_timeout 1800;
-
-        gzip on;
-        gzip_vary on;
-        gzip_min_length 1024;
-        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
-
-        location /rpc/ {
-                proxy_pass http://127.0.0.1:5959/;
-        }
-
-        location / {
-                try_files $uri $uri/ =404;
-        }
-}
--- a/backend/src/nginx/main-ui.conf.template
+++ b/backend/src/nginx/main-ui.conf.template
@@ -1,119 +0,0 @@
-
-map $http_upgrade $connection_upgrade {{
-        default upgrade;
-        '' $http_connection;
-}}
-
-server {{
-        listen 443 ssl default_server;
-        listen [::]:443 ssl default_server;
-        ssl_certificate /etc/nginx/ssl/embassy_main.cert.pem;
-        ssl_certificate_key /etc/nginx/ssl/embassy_main.key.pem;
-
-        root /var/www/html/main;
-
-        index index.html index.htm index.nginx-debian.html;
-
-        server_name .{lan_hostname};
-
-        proxy_buffers 4 512k;
-        proxy_buffer_size 512k;
-        proxy_buffering off;
-        proxy_request_buffering off;
-        proxy_socket_keepalive on;
-        proxy_http_version 1.1;
-        proxy_read_timeout 1800;
-
-        gzip on;
-        gzip_vary on;
-        gzip_min_length 1024;
-        gzip_types text/plain text/css text/xml text/javascript application/javascript image/svg+xml font/tts font/otf font/eot font/openttype application/x-javascript application/xml;
-
-
-        location /rpc/ {{
-                proxy_pass http://127.0.0.1:5959/;
-        }}
-
-        location /ws/ {{
-                proxy_pass http://127.0.0.1:5960$request_uri;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "Upgrade";
-        }}
-
-        location /rest/ {{
-                proxy_pass http://127.0.0.1:5960$request_uri;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "Upgrade";
-                client_max_body_size 0;
-        }}
-
-        location /public/ {{
-                proxy_pass http://127.0.0.1:5961/;
-        }}
-
-        location / {{
-                try_files $uri $uri/ =404;
-        }}
-}}
-server {{
-    listen 80;
-    listen [::]:80;
-    server_name .{lan_hostname};
-    return 301 https://$host$request_uri;
-}}
-server {{
-        listen 80 default_server;
-        listen [::]:80 default_server;
-        ssl_certificate /etc/nginx/ssl/embassy_main.cert.pem;
-        ssl_certificate_key /etc/nginx/ssl/embassy_main.key.pem;
-
-        root /var/www/html/main;
-
-        index index.html index.htm index.nginx-debian.html;
-
-        server_name .{tor_hostname};
-
-        proxy_buffers 4 512k;
-        proxy_buffer_size 512k;
-        proxy_buffering off;
-        proxy_request_buffering off;
-        proxy_socket_keepalive on;
-        proxy_http_version 1.1;
-        proxy_read_timeout 1800;
-
-        gzip on;
-        gzip_vary on;
-        gzip_min_length 1024;
-        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
-
-        location /rpc/ {{
-                proxy_pass http://127.0.0.1:5959/;
-        }}
-
-        location /ws/ {{
-                proxy_pass http://127.0.0.1:5960$request_uri;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "Upgrade";
-        }}
-
-        location /rest/ {{
-                proxy_pass http://127.0.0.1:5960$request_uri;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "Upgrade";
-                client_max_body_size 0;
-        }}
-
-        location /public/ {{
-                proxy_pass http://127.0.0.1:5961/;
-        }}
-
-        location / {{
-                try_files $uri $uri/ =404;
-        }}
-}}
-server {{
-    listen 443 ssl;
-    listen [::]:443;
-    server_name .{tor_hostname};
-    return 301 http://$host$request_uri;
-}}
--- a/backend/src/nginx/setup-wizard.conf
+++ b/backend/src/nginx/setup-wizard.conf
@@ -1,29 +0,0 @@
-server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
-
-        root /var/www/html/setup;
-
-        index index.html index.htm index.nginx-debian.html;
-
-        server_name _;
-
-        proxy_buffering off;
-        proxy_request_buffering off;
-        proxy_socket_keepalive on;
-        proxy_http_version 1.1;
-        proxy_read_timeout 1800;
-
-        gzip on;
-        gzip_vary on;
-        gzip_min_length 1024;
-        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
-
-        location /rpc/ {
-                proxy_pass http://127.0.0.1:5959/;
-        }
-
-        location / {
-                try_files $uri $uri/ =404;
-        }
-}
--- a/backend/src/notifications.rs
+++ b/backend/src/notifications.rs
@@ -254,7 +254,7 @@ impl NotificationManager {
            .unread_notification_count()
            .get_mut(db)
            .await?;
-        let sql_package_id = package_id.map::<String, _>(|p| p.into());
+        let sql_package_id = package_id.as_ref().map(|p| &**p);
        let sql_code = T::CODE;
        let sql_level = format!("{}", level);
        let sql_data =
--- a/backend/src/os_install/fstab.template
+++ b/backend/src/os_install/fstab.template
@@ -0,0 +1,3 @@
+{boot}  /boot       vfat    umask=0077  0   2
+{efi}   /boot/efi   vfat    umask=0077  0   1
+{root}  /           ext4    defaults    0   1
--- a/backend/src/os_install/gpt.rs
+++ b/backend/src/os_install/gpt.rs
@@ -0,0 +1,122 @@
+use color_eyre::eyre::eyre;
+use gpt::disk::LogicalBlockSize;
+use gpt::GptConfig;
+
+use crate::disk::util::DiskInfo;
+use crate::disk::OsPartitionInfo;
+use crate::os_install::partition_for;
+use crate::Error;
+
+pub async fn partition(disk: &DiskInfo, overwrite: bool) -> Result<OsPartitionInfo, Error> {
+    {
+        let disk = disk.clone();
+        tokio::task::spawn_blocking(move || {
+            let mut device = Box::new(
+                std::fs::File::options()
+                    .read(true)
+                    .write(true)
+                    .open(&disk.logicalname)?,
+            );
+            let (mut gpt, guid_part) = if overwrite {
+                let mbr = gpt::mbr::ProtectiveMBR::with_lb_size(
+                    u32::try_from((disk.capacity / 512) - 1).unwrap_or(0xFF_FF_FF_FF),
+                );
+                mbr.overwrite_lba0(&mut device)?;
+                (
+                    GptConfig::new()
+                        .writable(true)
+                        .initialized(false)
+                        .logical_block_size(LogicalBlockSize::Lb512)
+                        .create_from_device(device, None)?,
+                    None,
+                )
+            } else {
+                let gpt = GptConfig::new()
+                    .writable(true)
+                    .initialized(true)
+                    .logical_block_size(LogicalBlockSize::Lb512)
+                    .open_from_device(device)?;
+                let mut guid_part = None;
+                for (idx, part_info) in disk
+                    .partitions
+                    .iter()
+                    .enumerate()
+                    .map(|(idx, x)| (idx + 1, x))
+                {
+                    if let Some(entry) = gpt.partitions().get(&(idx as u32)) {
+                        if entry.first_lba >= 33556480 {
+                            if idx < 3 {
+                                guid_part = Some(entry.clone())
+                            }
+                            break;
+                        }
+                        if part_info.guid.is_some() {
+                            return Err(Error::new(
+                                eyre!("Not enough space before embassy data"),
+                                crate::ErrorKind::InvalidRequest,
+                            ));
+                        }
+                    }
+                }
+                (gpt, guid_part)
+            };
+
+            gpt.update_partitions(Default::default())?;
+
+            gpt.add_partition("efi", 100 * 1024 * 1024, gpt::partition_types::EFI, 0, None)?;
+            gpt.add_partition(
+                "boot",
+                1024 * 1024 * 1024,
+                gpt::partition_types::LINUX_FS,
+                0,
+                None,
+            )?;
+            gpt.add_partition(
+                "root",
+                15 * 1024 * 1024 * 1024,
+                match *crate::ARCH {
+                    "x86_64" => gpt::partition_types::LINUX_ROOT_X64,
+                    "aarch64" => gpt::partition_types::LINUX_ROOT_ARM_64,
+                    _ => gpt::partition_types::LINUX_FS,
+                },
+                0,
+                None,
+            )?;
+
+            if overwrite {
+                gpt.add_partition(
+                    "data",
+                    gpt.find_free_sectors()
+                        .iter()
+                        .map(|(_, size)| *size * u64::from(*gpt.logical_block_size()))
+                        .max()
+                        .ok_or_else(|| {
+                            Error::new(
+                                eyre!("No free space left on device"),
+                                crate::ErrorKind::BlockDevice,
+                            )
+                        })?,
+                    gpt::partition_types::LINUX_LVM,
+                    0,
+                    None,
+                )?;
+            } else if let Some(guid_part) = guid_part {
+                let mut parts = gpt.partitions().clone();
+                parts.insert(gpt.find_next_partition_id(), guid_part);
+                gpt.update_partitions(parts)?;
+            }
+
+            gpt.write()?;
+
+            Ok(())
+        })
+        .await
+        .unwrap()?;
+    }
+
+    Ok(OsPartitionInfo {
+        efi: Some(partition_for(&disk.logicalname, 1)),
+        boot: partition_for(&disk.logicalname, 2),
+        root: partition_for(&disk.logicalname, 3),
+    })
+}
--- a/backend/src/os_install/mbr.rs
+++ b/backend/src/os_install/mbr.rs
@@ -0,0 +1,91 @@
+use color_eyre::eyre::eyre;
+use mbrman::{MBRPartitionEntry, CHS, MBR};
+
+use crate::disk::util::DiskInfo;
+use crate::disk::OsPartitionInfo;
+use crate::os_install::partition_for;
+use crate::Error;
+
+pub async fn partition(disk: &DiskInfo, overwrite: bool) -> Result<OsPartitionInfo, Error> {
+    {
+        let sectors = (disk.capacity / 512) as u32;
+        let disk = disk.clone();
+        tokio::task::spawn_blocking(move || {
+            let mut file = std::fs::File::options()
+                .read(true)
+                .write(true)
+                .open(&disk.logicalname)?;
+            let (mut mbr, guid_part) = if overwrite {
+                (MBR::new_from(&mut file, 512, rand::random())?, None)
+            } else {
+                let mut mbr = MBR::read_from(&mut file, 512)?;
+                let mut guid_part = None;
+                for (idx, part_info) in disk
+                    .partitions
+                    .iter()
+                    .enumerate()
+                    .map(|(idx, x)| (idx + 1, x))
+                {
+                    if let Some(entry) = mbr.get_mut(idx) {
+                        if entry.starting_lba >= 33556480 {
+                            if idx < 3 {
+                                guid_part =
+                                    Some(std::mem::replace(entry, MBRPartitionEntry::empty()))
+                            }
+                            break;
+                        }
+                        if part_info.guid.is_some() {
+                            return Err(Error::new(
+                                eyre!("Not enough space before embassy data"),
+                                crate::ErrorKind::InvalidRequest,
+                            ));
+                        }
+                        *entry = MBRPartitionEntry::empty();
+                    }
+                }
+                (mbr, guid_part)
+            };
+
+            mbr[1] = MBRPartitionEntry {
+                boot: 0x80,
+                first_chs: CHS::empty(),
+                sys: 0x0b,
+                last_chs: CHS::empty(),
+                starting_lba: 2048,
+                sectors: 2099200 - 2048,
+            };
+            mbr[2] = MBRPartitionEntry {
+                boot: 0,
+                first_chs: CHS::empty(),
+                sys: 0x83,
+                last_chs: CHS::empty(),
+                starting_lba: 2099200,
+                sectors: 33556480 - 2099200,
+            };
+
+            if overwrite {
+                mbr[3] = MBRPartitionEntry {
+                    boot: 0,
+                    first_chs: CHS::empty(),
+                    sys: 0x8e,
+                    last_chs: CHS::empty(),
+                    starting_lba: 33556480,
+                    sectors: sectors - 33556480,
+                }
+            } else if let Some(guid_part) = guid_part {
+                mbr[3] = guid_part;
+            }
+            mbr.write_into(&mut file)?;
+
+            Ok(())
+        })
+        .await
+        .unwrap()?;
+    }
+
+    Ok(OsPartitionInfo {
+        efi: None,
+        boot: partition_for(&disk.logicalname, 1),
+        root: partition_for(&disk.logicalname, 2),
+    })
+}
--- a/backend/src/os_install/mod.rs
+++ b/backend/src/os_install/mod.rs
@@ -0,0 +1,292 @@
+use std::path::{Path, PathBuf};
+
+use color_eyre::eyre::eyre;
+use models::Error;
+use rpc_toolkit::command;
+use serde::{Deserialize, Serialize};
+use tokio::process::Command;
+
+use crate::context::InstallContext;
+use crate::disk::mount::filesystem::bind::Bind;
+use crate::disk::mount::filesystem::block_dev::BlockDev;
+use crate::disk::mount::filesystem::efivarfs::EfiVarFs;
+use crate::disk::mount::filesystem::ReadWrite;
+use crate::disk::mount::guard::{MountGuard, TmpMountGuard};
+use crate::disk::util::{DiskInfo, PartitionTable};
+use crate::disk::OsPartitionInfo;
+use crate::net::utils::{find_eth_iface, find_wifi_iface};
+use crate::util::serde::IoFormat;
+use crate::util::{display_none, Invoke};
+use crate::ARCH;
+
+mod gpt;
+mod mbr;
+
+#[derive(Debug, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub struct PostInstallConfig {
+    os_partitions: OsPartitionInfo,
+    ethernet_interface: String,
+    wifi_interface: Option<String>,
+}
+
+#[command(subcommands(disk, execute, reboot))]
+pub fn install() -> Result<(), Error> {
+    Ok(())
+}
+
+#[command(subcommands(list))]
+pub fn disk() -> Result<(), Error> {
+    Ok(())
+}
+
+#[command(display(display_none))]
+pub async fn list() -> Result<Vec<DiskInfo>, Error> {
+    let skip = match async {
+        Ok::<_, Error>(
+            Path::new(
+                &String::from_utf8(
+                    Command::new("grub-probe-default")
+                        .arg("-t")
+                        .arg("disk")
+                        .arg("/cdrom")
+                        .invoke(crate::ErrorKind::Grub)
+                        .await?,
+                )?
+                .trim(),
+            )
+            .to_owned(),
+        )
+    }
+    .await
+    {
+        Ok(a) => Some(a),
+        Err(e) => {
+            tracing::error!("Could not determine live usb device: {}", e);
+            tracing::debug!("{:?}", e);
+            None
+        }
+    };
+    Ok(crate::disk::util::list(&Default::default())
+        .await?
+        .into_iter()
+        .filter(|i| Some(&*i.logicalname) != skip.as_deref())
+        .collect())
+}
+
+pub fn partition_for(disk: impl AsRef<Path>, idx: usize) -> PathBuf {
+    let disk_path = disk.as_ref();
+    let (root, leaf) = if let (Some(root), Some(leaf)) = (
+        disk_path.parent(),
+        disk_path.file_name().and_then(|s| s.to_str()),
+    ) {
+        (root, leaf)
+    } else {
+        return Default::default();
+    };
+    if leaf.ends_with(|c: char| c.is_ascii_digit()) {
+        root.join(format!("{}p{}", leaf, idx))
+    } else {
+        root.join(format!("{}{}", leaf, idx))
+    }
+}
+
+async fn partition(disk: &mut DiskInfo, overwrite: bool) -> Result<OsPartitionInfo, Error> {
+    let partition_type = match (overwrite, disk.partition_table) {
+        (true, _) | (_, None) => {
+            if tokio::fs::metadata("/sys/firmware/efi").await.is_ok() {
+                PartitionTable::Gpt
+            } else {
+                PartitionTable::Mbr
+            }
+        }
+        (_, Some(t)) => t,
+    };
+    disk.partition_table = Some(partition_type);
+    match partition_type {
+        PartitionTable::Gpt => gpt::partition(disk, overwrite).await,
+        PartitionTable::Mbr => mbr::partition(disk, overwrite).await,
+    }
+}
+
+#[command(display(display_none))]
+pub async fn execute(
+    #[arg] logicalname: PathBuf,
+    #[arg(short = 'o')] mut overwrite: bool,
+) -> Result<(), Error> {
+    let mut disk = crate::disk::util::list(&Default::default())
+        .await?
+        .into_iter()
+        .find(|d| &d.logicalname == &logicalname)
+        .ok_or_else(|| {
+            Error::new(
+                eyre!("Unknown disk {}", logicalname.display()),
+                crate::ErrorKind::DiskManagement,
+            )
+        })?;
+    let eth_iface = find_eth_iface().await?;
+    let wifi_iface = find_wifi_iface().await?;
+
+    overwrite |= disk.guid.is_none() && disk.partitions.iter().all(|p| p.guid.is_none());
+
+    let part_info = partition(&mut disk, overwrite).await?;
+
+    if let Some(efi) = &part_info.efi {
+        Command::new("mkfs.vfat")
+            .arg(efi)
+            .invoke(crate::ErrorKind::DiskManagement)
+            .await?;
+        Command::new("fatlabel")
+            .arg(efi)
+            .arg("efi")
+            .invoke(crate::ErrorKind::DiskManagement)
+            .await?;
+    }
+
+    Command::new("mkfs.vfat")
+        .arg(&part_info.boot)
+        .invoke(crate::ErrorKind::DiskManagement)
+        .await?;
+    Command::new("fatlabel")
+        .arg(&part_info.boot)
+        .arg("boot")
+        .invoke(crate::ErrorKind::DiskManagement)
+        .await?;
+
+    Command::new("mkfs.ext4")
+        .arg(&part_info.root)
+        .invoke(crate::ErrorKind::DiskManagement)
+        .await?;
+    Command::new("e2label")
+        .arg(&part_info.root)
+        .arg("rootfs")
+        .invoke(crate::ErrorKind::DiskManagement)
+        .await?;
+
+    let rootfs = TmpMountGuard::mount(&BlockDev::new(&part_info.root), ReadWrite).await?;
+    tokio::fs::create_dir(rootfs.as_ref().join("config")).await?;
+    tokio::fs::create_dir(rootfs.as_ref().join("next")).await?;
+    let current = rootfs.as_ref().join("current");
+    tokio::fs::create_dir(&current).await?;
+
+    tokio::fs::create_dir(current.join("boot")).await?;
+    let boot = MountGuard::mount(
+        &BlockDev::new(&part_info.boot),
+        current.join("boot"),
+        ReadWrite,
+    )
+    .await?;
+
+    let efi = if let Some(efi) = &part_info.efi {
+        Some(MountGuard::mount(&BlockDev::new(efi), current.join("boot/efi"), ReadWrite).await?)
+    } else {
+        None
+    };
+
+    Command::new("unsquashfs")
+        .arg("-n")
+        .arg("-f")
+        .arg("-d")
+        .arg(&current)
+        .arg("/cdrom/casper/filesystem.squashfs")
+        .invoke(crate::ErrorKind::Filesystem)
+        .await?;
+
+    tokio::fs::write(
+        rootfs.as_ref().join("config/config.yaml"),
+        IoFormat::Yaml.to_vec(&PostInstallConfig {
+            os_partitions: part_info.clone(),
+            ethernet_interface: eth_iface,
+            wifi_interface: wifi_iface,
+        })?,
+    )
+    .await?;
+
+    tokio::fs::write(
+        current.join("etc/fstab"),
+        format!(
+            include_str!("fstab.template"),
+            boot = part_info.boot.display(),
+            efi = part_info
+                .efi
+                .as_ref()
+                .map(|p| p.display().to_string())
+                .unwrap_or_else(|| "# N/A".to_owned()),
+            root = part_info.root.display(),
+        ),
+    )
+    .await?;
+
+    Command::new("chroot")
+        .arg(&current)
+        .arg("systemd-machine-id-setup")
+        .invoke(crate::ErrorKind::Systemd)
+        .await?;
+
+    Command::new("chroot")
+        .arg(&current)
+        .arg("ssh-keygen")
+        .arg("-A")
+        .invoke(crate::ErrorKind::OpenSsh)
+        .await?;
+
+    let dev = MountGuard::mount(&Bind::new("/dev"), current.join("dev"), ReadWrite).await?;
+    let proc = MountGuard::mount(&Bind::new("/proc"), current.join("proc"), ReadWrite).await?;
+    let sys = MountGuard::mount(&Bind::new("/sys"), current.join("sys"), ReadWrite).await?;
+    let efivarfs = if let Some(efi) = &part_info.efi {
+        Some(
+            MountGuard::mount(
+                &EfiVarFs,
+                current.join("sys/firmware/efi/efivars"),
+                ReadWrite,
+            )
+            .await?,
+        )
+    } else {
+        None
+    };
+
+    Command::new("chroot")
+        .arg(&current)
+        .arg("update-grub")
+        .invoke(crate::ErrorKind::Grub)
+        .await?;
+    let mut install = Command::new("chroot");
+    install.arg(&current).arg("grub-install");
+    if part_info.efi.is_none() {
+        install.arg("--target=i386-pc");
+    } else {
+        match *ARCH {
+            "x86_64" => install.arg("--target=x86_64-efi"),
+            "aarch64" => install.arg("--target=arm64-efi"),
+            _ => &mut install,
+        };
+    }
+    install
+        .arg(&disk.logicalname)
+        .invoke(crate::ErrorKind::Grub)
+        .await?;
+
+    dev.unmount(false).await?;
+    if let Some(efivarfs) = efivarfs {
+        efivarfs.unmount(false).await?;
+    }
+    sys.unmount(false).await?;
+    proc.unmount(false).await?;
+    if let Some(efi) = efi {
+        efi.unmount(false).await?;
+    }
+    boot.unmount(false).await?;
+    rootfs.unmount().await?;
+
+    Ok(())
+}
+
+#[command(display(display_none))]
+pub async fn reboot(#[context] ctx: InstallContext) -> Result<(), Error> {
+    Command::new("sync")
+        .invoke(crate::ErrorKind::Filesystem)
+        .await?;
+    ctx.shutdown.send(()).unwrap();
+    Ok(())
+}
--- a/backend/src/procedure/docker.rs
+++ b/backend/src/procedure/docker.rs
@@ -2,7 +2,7 @@ use std::borrow::Cow;
 use std::collections::{BTreeMap, BTreeSet, VecDeque};
 use std::ffi::{OsStr, OsString};
 use std::net::Ipv4Addr;
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::time::Duration;

 use async_stream::stream;
@@ -11,17 +11,21 @@ use color_eyre::eyre::eyre;
 use color_eyre::Report;
 use futures::future::Either as EitherFuture;
 use futures::TryStreamExt;
-use helpers::NonDetachingJoinHandle;
+use helpers::{NonDetachingJoinHandle, UnixRpcClient};
+use models::{Id, ImageId};
 use nix::sys::signal;
 use nix::unistd::Pid;
+use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
-use tokio::io::{AsyncBufRead, AsyncBufReadExt, BufReader};
+use tokio::{
+    io::{AsyncBufRead, AsyncBufReadExt, BufReader},
+    time::timeout,
+};
 use tracing::instrument;

 use super::ProcedureName;
 use crate::context::RpcContext;
-use crate::id::{Id, ImageId};
 use crate::s9pk::manifest::{PackageId, SYSTEM_PACKAGE_ID};
 use crate::util::serde::{Duration as SerdeDuration, IoFormat};
 use crate::util::Version;
@@ -41,6 +45,96 @@ lazy_static::lazy_static! {
    };
 }

+#[derive(Clone, Debug, Deserialize, Serialize, patch_db::HasModel)]
+#[serde(rename_all = "kebab-case")]
+pub struct DockerContainers {
+    pub main: DockerContainer,
+    // #[serde(default)]
+    // pub aux: BTreeMap<String, DockerContainer>,
+}
+
+/// This is like the docker procedures of the past designs,
+/// but this time all the entrypoints and args are not
+/// part of this struct by choice. Used for the times that we are creating our own entry points
+#[derive(Clone, Debug, Deserialize, Serialize, patch_db::HasModel)]
+#[serde(rename_all = "kebab-case")]
+pub struct DockerContainer {
+    pub image: ImageId,
+    #[serde(default)]
+    pub mounts: BTreeMap<VolumeId, PathBuf>,
+    #[serde(default)]
+    pub shm_size_mb: Option<usize>, // TODO: use postfix sizing? like 1k vs 1m vs 1g
+    #[serde(default)]
+    pub sigterm_timeout: Option<SerdeDuration>,
+    #[serde(default)]
+    pub system: bool,
+}
+
+impl DockerContainer {
+    /// We created a new exec runner, where we are going to be passing the commands for it to run.
+    /// Idea is that we are going to send it command and get the inputs be filtered back from the manager.
+    /// Then we could in theory run commands without the cost of running the docker exec which is known to have
+    /// a dely of > 200ms which is not acceptable.
+    #[instrument(skip(ctx))]
+    pub async fn long_running_execute(
+        &self,
+        ctx: &RpcContext,
+        pkg_id: &PackageId,
+        pkg_version: &Version,
+        volumes: &Volumes,
+    ) -> Result<(LongRunning, UnixRpcClient), Error> {
+        let container_name = DockerProcedure::container_name(pkg_id, None);
+
+        let socket_path =
+            Path::new("/tmp/embassy/containers").join(format!("{pkg_id}_{pkg_version}"));
+        if tokio::fs::metadata(&socket_path).await.is_ok() {
+            tokio::fs::remove_dir_all(&socket_path).await?;
+        }
+        tokio::fs::create_dir_all(&socket_path).await?;
+
+        let mut cmd = LongRunning::setup_long_running_docker_cmd(
+            self,
+            ctx,
+            &container_name,
+            volumes,
+            pkg_id,
+            pkg_version,
+            &socket_path,
+        )
+        .await?;
+
+        let mut handle = cmd.spawn().with_kind(crate::ErrorKind::Docker)?;
+
+        let client = UnixRpcClient::new(socket_path.join("rpc.sock"));
+
+        let running_output = NonDetachingJoinHandle::from(tokio::spawn(async move {
+            if let Err(err) = handle
+                .wait()
+                .await
+                .map_err(|e| eyre!("Runtime error: {e:?}"))
+            {
+                tracing::error!("{}", err);
+                tracing::debug!("{:?}", err);
+            }
+        }));
+
+        {
+            let socket = socket_path.join("rpc.sock");
+            if let Err(_err) = timeout(Duration::from_secs(1), async move {
+                while tokio::fs::metadata(&socket).await.is_err() {
+                    tokio::time::sleep(Duration::from_millis(10)).await;
+                }
+            })
+            .await
+            {
+                tracing::error!("Timed out waiting for init to create socket");
+            }
+        }
+
+        Ok((LongRunning { running_output }, client))
+    }
+}
+
 #[derive(Clone, Debug, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct DockerProcedure {
@@ -51,20 +145,51 @@ pub struct DockerProcedure {
    #[serde(default)]
    pub args: Vec<String>,
    #[serde(default)]
+    pub inject: bool,
+    #[serde(default)]
    pub mounts: BTreeMap<VolumeId, PathBuf>,
    #[serde(default)]
    pub io_format: Option<IoFormat>,
    #[serde(default)]
-    pub inject: bool,
+    pub sigterm_timeout: Option<SerdeDuration>,
    #[serde(default)]
    pub shm_size_mb: Option<usize>, // TODO: use postfix sizing? like 1k vs 1m vs 1g
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize, Default)]
+#[serde(rename_all = "kebab-case")]
+pub struct DockerInject {
+    #[serde(default)]
+    pub system: bool,
+    pub entrypoint: String,
+    #[serde(default)]
+    pub args: Vec<String>,
+    #[serde(default)]
+    pub io_format: Option<IoFormat>,
    #[serde(default)]
    pub sigterm_timeout: Option<SerdeDuration>,
 }
 impl DockerProcedure {
+    pub fn main_docker_procedure(
+        container: &DockerContainer,
+        injectable: &DockerInject,
+    ) -> DockerProcedure {
+        DockerProcedure {
+            image: container.image.clone(),
+            system: injectable.system,
+            entrypoint: injectable.entrypoint.clone(),
+            args: injectable.args.clone(),
+            inject: false,
+            mounts: container.mounts.clone(),
+            io_format: injectable.io_format,
+            sigterm_timeout: injectable.sigterm_timeout,
+            shm_size_mb: container.shm_size_mb,
+        }
+    }
+
    pub fn validate(
        &self,
-        eos_version: &Version,
+        _eos_version: &Version,
        volumes: &Volumes,
        image_ids: &BTreeSet<ImageId>,
        expected_io: bool,
@@ -78,25 +203,17 @@ impl DockerProcedure {
            if !SYSTEM_IMAGES.contains(&self.image) {
                color_eyre::eyre::bail!("unknown system image: {}", self.image);
            }
-        } else {
-            if !image_ids.contains(&self.image) {
-                color_eyre::eyre::bail!("image for {} not contained in package", self.image);
-            }
+        } else if !image_ids.contains(&self.image) {
+            color_eyre::eyre::bail!("image for {} not contained in package", self.image);
        }
        if expected_io && self.io_format.is_none() {
            color_eyre::eyre::bail!("expected io-format");
        }
-        if &**eos_version >= &emver::Version::new(0, 3, 1, 1)
-            && self.inject
-            && !self.mounts.is_empty()
-        {
-            color_eyre::eyre::bail!("mounts not allowed in inject actions");
-        }
        Ok(())
    }

    #[instrument(skip(ctx, input))]
-    pub async fn execute<I: Serialize, O: for<'de> Deserialize<'de>>(
+    pub async fn execute<I: Serialize, O: DeserializeOwned>(
        &self,
        ctx: &RpcContext,
        pkg_id: &PackageId,
@@ -104,48 +221,42 @@ impl DockerProcedure {
        name: ProcedureName,
        volumes: &Volumes,
        input: Option<I>,
-        allow_inject: bool,
        timeout: Option<Duration>,
    ) -> Result<Result<O, (i32, String)>, Error> {
        let name = name.docker_name();
        let name: Option<&str> = name.as_ref().map(|x| &**x);
        let mut cmd = tokio::process::Command::new("docker");
-        if self.inject && allow_inject {
-            cmd.arg("exec");
-        } else {
-            let container_name = Self::container_name(pkg_id, name);
-            cmd.arg("run")
-                .arg("--rm")
-                .arg("--network=start9")
-                .arg(format!("--add-host=embassy:{}", Ipv4Addr::from(HOST_IP)))
-                .arg("--name")
-                .arg(&container_name)
-                .arg(format!("--hostname={}", &container_name))
-                .arg("--no-healthcheck");
-            match ctx
-                .docker
-                .remove_container(
-                    &container_name,
-                    Some(RemoveContainerOptions {
-                        v: false,
-                        force: true,
-                        link: false,
-                    }),
-                )
-                .await
-            {
-                Ok(())
-                | Err(bollard::errors::Error::DockerResponseServerError {
-                    status_code: 404, // NOT FOUND
-                    ..
-                }) => Ok(()),
-                Err(e) => Err(e),
-            }?;
-        }
-        cmd.args(
-            self.docker_args(ctx, pkg_id, pkg_version, volumes, allow_inject)
-                .await,
-        );
+        tracing::debug!("{:?} is run", name);
+        let container_name = Self::container_name(pkg_id, name);
+        cmd.arg("run")
+            .arg("--rm")
+            .arg("--network=start9")
+            .arg(format!("--add-host=embassy:{}", Ipv4Addr::from(HOST_IP)))
+            .arg("--name")
+            .arg(&container_name)
+            .arg(format!("--hostname={}", &container_name))
+            .arg("--no-healthcheck")
+            .kill_on_drop(true);
+        match ctx
+            .docker
+            .remove_container(
+                &container_name,
+                Some(RemoveContainerOptions {
+                    v: false,
+                    force: true,
+                    link: false,
+                }),
+            )
+            .await
+        {
+            Ok(())
+            | Err(bollard::errors::Error::DockerResponseServerError {
+                status_code: 404, // NOT FOUND
+                ..
+            }) => Ok(()),
+            Err(e) => Err(e),
+        }?;
+        cmd.args(self.docker_args(ctx, pkg_id, pkg_version, volumes).await?);
        let input_buf = if let (Some(input), Some(format)) = (&input, &self.io_format) {
            cmd.stdin(std::process::Stdio::piped());
            Some(format.to_vec(input)?)
@@ -192,7 +303,162 @@ impl DockerProcedure {
            handle
                .stdout
                .take()
-                .ok_or_else(|| eyre!("Can't takeout stout"))
+                .ok_or_else(|| eyre!("Can't takeout stdout in execute"))
+                .with_kind(crate::ErrorKind::Docker)?,
+        );
+        let output = NonDetachingJoinHandle::from(tokio::spawn(async move {
+            match async {
+                if let Some(format) = io_format {
+                    return match max_by_lines(&mut output, None).await {
+                        MaxByLines::Done(buffer) => {
+                            Ok::<Value, Error>(
+                                match format.from_slice(buffer.as_bytes()) {
+                                    Ok(a) => a,
+                                    Err(e) => {
+                                        tracing::trace!(
+                                        "Failed to deserialize stdout from {}: {}, falling back to UTF-8 string.",
+                                        format,
+                                        e
+                                    );
+                                        Value::String(buffer)
+                                    }
+                                },
+                            )
+                        },
+                        MaxByLines::Error(e) => Err(e),
+                        MaxByLines::Overflow(buffer) => Ok(Value::String(buffer))
+                    }
+                }
+
+                let lines = buf_reader_to_lines(&mut output, 1000).await?;
+                if lines.is_empty() {
+                    return Ok(Value::Null);
+                }
+
+                let joined_output = lines.join("\n");
+                Ok(Value::String(joined_output))
+            }.await {
+                Ok(a) => Ok((a, output)),
+                Err(e) => Err((e, output))
+            }
+        }));
+        let err_output = BufReader::new(
+            handle
+                .stderr
+                .take()
+                .ok_or_else(|| eyre!("Can't takeout std err"))
+                .with_kind(crate::ErrorKind::Docker)?,
+        );
+
+        let err_output = NonDetachingJoinHandle::from(tokio::spawn(async move {
+            let lines = buf_reader_to_lines(err_output, 1000).await?;
+            let joined_output = lines.join("\n");
+            Ok::<_, Error>(joined_output)
+        }));
+
+        let res = tokio::select! {
+            res = handle.wait() => Race::Done(res.with_kind(crate::ErrorKind::Docker)?),
+            res = timeout_fut => {
+                res?;
+                Race::TimedOut
+            },
+        };
+        let exit_status = match res {
+            Race::Done(x) => x,
+            Race::TimedOut => {
+                if let Some(id) = id {
+                    signal::kill(Pid::from_raw(id as i32), signal::SIGKILL)
+                        .with_kind(crate::ErrorKind::Docker)?;
+                }
+                return Ok(Err((143, "Timed out. Retrying soon...".to_owned())));
+            }
+        };
+        Ok(
+            if exit_status.success() || exit_status.code() == Some(143) {
+                Ok(serde_json::from_value(
+                    output
+                        .await
+                        .with_kind(crate::ErrorKind::Unknown)?
+                        .map(|(v, _)| v)
+                        .map_err(|(e, _)| tracing::warn!("{}", e))
+                        .unwrap_or_default(),
+                )
+                .with_kind(crate::ErrorKind::Deserialization)?)
+            } else {
+                Err((
+                    exit_status.code().unwrap_or_default(),
+                    err_output.await.with_kind(crate::ErrorKind::Unknown)??,
+                ))
+            },
+        )
+    }
+
+    #[instrument(skip(_ctx, input))]
+    pub async fn inject<I: Serialize, O: DeserializeOwned>(
+        &self,
+        _ctx: &RpcContext,
+        pkg_id: &PackageId,
+        pkg_version: &Version,
+        name: ProcedureName,
+        volumes: &Volumes,
+        input: Option<I>,
+        timeout: Option<Duration>,
+    ) -> Result<Result<O, (i32, String)>, Error> {
+        let name = name.docker_name();
+        let name: Option<&str> = name.as_deref();
+        let mut cmd = tokio::process::Command::new("docker");
+
+        tracing::debug!("{:?} is exec", name);
+        cmd.arg("exec");
+
+        cmd.args(self.docker_args_inject(pkg_id).await?);
+        let input_buf = if let (Some(input), Some(format)) = (&input, &self.io_format) {
+            cmd.stdin(std::process::Stdio::piped());
+            Some(format.to_vec(input)?)
+        } else {
+            None
+        };
+        cmd.stdout(std::process::Stdio::piped());
+        cmd.stderr(std::process::Stdio::piped());
+        tracing::trace!(
+            "{}",
+            format!("{:?}", cmd)
+                .split(r#"" ""#)
+                .collect::<Vec<&str>>()
+                .join(" ")
+        );
+        let mut handle = cmd.spawn().with_kind(crate::ErrorKind::Docker)?;
+        let id = handle.id();
+        let timeout_fut = if let Some(timeout) = timeout {
+            EitherFuture::Right(async move {
+                tokio::time::sleep(timeout).await;
+
+                Ok(())
+            })
+        } else {
+            EitherFuture::Left(futures::future::pending::<Result<_, Error>>())
+        };
+        if let (Some(input), Some(mut stdin)) = (&input_buf, handle.stdin.take()) {
+            use tokio::io::AsyncWriteExt;
+            stdin
+                .write_all(input)
+                .await
+                .with_kind(crate::ErrorKind::Docker)?;
+            stdin.flush().await?;
+            stdin.shutdown().await?;
+            drop(stdin);
+        }
+        enum Race<T> {
+            Done(T),
+            TimedOut,
+        }
+
+        let io_format = self.io_format;
+        let mut output = BufReader::new(
+            handle
+                .stdout
+                .take()
+                .ok_or_else(|| eyre!("Can't takeout stdout in inject"))
                .with_kind(crate::ErrorKind::Docker)?,
        );
        let output = NonDetachingJoinHandle::from(tokio::spawn(async move {
@@ -283,7 +549,7 @@ impl DockerProcedure {
    }

    #[instrument(skip(ctx, input))]
-    pub async fn sandboxed<I: Serialize, O: for<'de> Deserialize<'de>>(
+    pub async fn sandboxed<I: Serialize, O: DeserializeOwned>(
        &self,
        ctx: &RpcContext,
        pkg_id: &PackageId,
@@ -295,8 +561,8 @@ impl DockerProcedure {
        let mut cmd = tokio::process::Command::new("docker");
        cmd.arg("run").arg("--rm").arg("--network=none");
        cmd.args(
-            self.docker_args(ctx, pkg_id, pkg_version, &volumes.to_readonly(), false)
-                .await,
+            self.docker_args(ctx, pkg_id, pkg_version, &volumes.to_readonly())
+                .await?,
        );
        let input_buf = if let (Some(input), Some(format)) = (&input, &self.io_format) {
            cmd.stdin(std::process::Stdio::piped());
@@ -333,7 +599,7 @@ impl DockerProcedure {
            handle
                .stdout
                .take()
-                .ok_or_else(|| eyre!("Can't takeout stout"))
+                .ok_or_else(|| eyre!("Can't takeout stdout in sandboxed"))
                .with_kind(crate::ErrorKind::Docker)?,
        );
        let output = NonDetachingJoinHandle::from(tokio::spawn(async move {
@@ -402,7 +668,7 @@ impl DockerProcedure {
        }
    }

-    pub fn uncontainer_name(name: &str) -> Option<(PackageId<&str>, Option<&str>)> {
+    pub fn uncontainer_name(name: &str) -> Option<(PackageId, Option<&str>)> {
        let (pre_tld, _) = name.split_once('.')?;
        if pre_tld.contains('_') {
            let (pkg, name) = name.split_once('_')?;
@@ -418,14 +684,8 @@ impl DockerProcedure {
        pkg_id: &PackageId,
        pkg_version: &Version,
        volumes: &Volumes,
-        allow_inject: bool,
-    ) -> Vec<Cow<'_, OsStr>> {
-        let mut res = Vec::with_capacity(
-            (2 * self.mounts.len()) // --mount <MOUNT_ARG>
-                + (2 * self.shm_size_mb.is_some() as usize) // --shm-size <SHM_SIZE>
-                + 5 // --interactive --log-driver=journald --entrypoint <ENTRYPOINT> <IMAGE>
-                + self.args.len(), // [ARG...]
-        );
+    ) -> Result<Vec<Cow<'_, OsStr>>, Error> {
+        let mut res = self.new_docker_args();
        for (volume_id, dst) in &self.mounts {
            let volume = if let Some(v) = volumes.get(volume_id) {
                v
@@ -433,9 +693,8 @@ impl DockerProcedure {
                continue;
            };
            let src = volume.path_for(&ctx.datadir, pkg_id, pkg_version, volume_id);
-            if let Err(e) = tokio::fs::metadata(&src).await {
-                tracing::warn!("{} not mounted to container: {}", src.display(), e);
-                continue;
+            if let Err(_e) = tokio::fs::metadata(&src).await {
+                tokio::fs::create_dir_all(&src).await?;
            }
            res.push(OsStr::new("--mount").into());
            res.push(
@@ -453,22 +712,42 @@ impl DockerProcedure {
            res.push(OsString::from(format!("{}m", shm_size_mb)).into());
        }
        res.push(OsStr::new("--interactive").into());
-        if self.inject && allow_inject {
-            res.push(OsString::from(Self::container_name(pkg_id, None)).into());
-            res.push(OsStr::new(&self.entrypoint).into());
+        res.push(OsStr::new("--log-driver=journald").into());
+        res.push(OsStr::new("--entrypoint").into());
+        res.push(OsStr::new(&self.entrypoint).into());
+        if self.system {
+            res.push(OsString::from(self.image.for_package(&*SYSTEM_PACKAGE_ID, None)).into());
        } else {
-            res.push(OsStr::new("--log-driver=journald").into());
-            res.push(OsStr::new("--entrypoint").into());
-            res.push(OsStr::new(&self.entrypoint).into());
-            if self.system {
-                res.push(OsString::from(self.image.for_package(SYSTEM_PACKAGE_ID, None)).into());
-            } else {
-                res.push(OsString::from(self.image.for_package(pkg_id, Some(pkg_version))).into());
-            }
+            res.push(OsString::from(self.image.for_package(pkg_id, Some(pkg_version))).into());
        }
+
        res.extend(self.args.iter().map(|s| OsStr::new(s).into()));

-        res
+        Ok(res)
+    }
+
+    fn new_docker_args(&self) -> Vec<Cow<OsStr>> {
+        Vec::with_capacity(
+            (2 * self.mounts.len()) // --mount <MOUNT_ARG>
+                + (2 * self.shm_size_mb.is_some() as usize) // --shm-size <SHM_SIZE>
+                + 5 // --interactive --log-driver=journald --entrypoint <ENTRYPOINT> <IMAGE>
+                + self.args.len(), // [ARG...]
+        )
+    }
+    async fn docker_args_inject(&self, pkg_id: &PackageId) -> Result<Vec<Cow<'_, OsStr>>, Error> {
+        let mut res = self.new_docker_args();
+        if let Some(shm_size_mb) = self.shm_size_mb {
+            res.push(OsStr::new("--shm-size").into());
+            res.push(OsString::from(format!("{}m", shm_size_mb)).into());
+        }
+        res.push(OsStr::new("--interactive").into());
+
+        res.push(OsString::from(Self::container_name(pkg_id, None)).into());
+        res.push(OsStr::new(&self.entrypoint).into());
+
+        res.extend(self.args.iter().map(|s| OsStr::new(s).into()));
+
+        Ok(res)
    }
 }

@@ -494,6 +773,124 @@ impl<T> RingVec<T> {
    }
 }

+/// This is created when we wanted a long running docker executor that we could send commands to and get the responses back.
+/// We wanted a long running since we want to be able to have the equivelent to the docker execute without the heavy costs of 400 + ms time lag.
+/// Also the long running let's us have the ability to start/ end the services quicker.
+pub struct LongRunning {
+    pub running_output: NonDetachingJoinHandle<()>,
+}
+
+impl LongRunning {
+    async fn setup_long_running_docker_cmd(
+        docker: &DockerContainer,
+        ctx: &RpcContext,
+        container_name: &str,
+        volumes: &Volumes,
+        pkg_id: &PackageId,
+        pkg_version: &Version,
+        socket_path: &Path,
+    ) -> Result<tokio::process::Command, Error> {
+        const INIT_EXEC: &str = "/start9/bin/embassy_container_init";
+        const BIND_LOCATION: &str = "/usr/lib/embassy/container/";
+        tracing::trace!("setup_long_running_docker_cmd");
+
+        LongRunning::cleanup_previous_container(ctx, container_name).await?;
+
+        let image_architecture = {
+            let mut cmd = tokio::process::Command::new("docker");
+            cmd.arg("image")
+                .arg("inspect")
+                .arg("--format")
+                .arg("'{{.Architecture}}'");
+
+            if docker.system {
+                cmd.arg(docker.image.for_package(&*SYSTEM_PACKAGE_ID, None));
+            } else {
+                cmd.arg(docker.image.for_package(pkg_id, Some(pkg_version)));
+            }
+            let arch = String::from_utf8(cmd.output().await?.stdout)?;
+            arch.replace('\'', "").trim().to_string()
+        };
+
+        let mut cmd = tokio::process::Command::new("docker");
+        cmd.arg("run")
+            .arg("--network=start9")
+            .arg(format!("--add-host=embassy:{}", Ipv4Addr::from(HOST_IP)))
+            .arg("--mount")
+            .arg(format!(
+                "type=bind,src={BIND_LOCATION},dst=/start9/bin/,readonly"
+            ))
+            .arg("--mount")
+            .arg(format!(
+                "type=bind,src={input},dst=/start9/sockets/",
+                input = socket_path.display()
+            ))
+            .arg("--name")
+            .arg(&container_name)
+            .arg(format!("--hostname={}", &container_name))
+            .arg("--entrypoint")
+            .arg(format!("{INIT_EXEC}.{image_architecture}"))
+            .arg("-i")
+            .arg("--rm")
+            .kill_on_drop(true);
+
+        for (volume_id, dst) in &docker.mounts {
+            let volume = if let Some(v) = volumes.get(volume_id) {
+                v
+            } else {
+                continue;
+            };
+            let src = volume.path_for(&ctx.datadir, pkg_id, pkg_version, volume_id);
+            if let Err(_e) = tokio::fs::metadata(&src).await {
+                tokio::fs::create_dir_all(&src).await?;
+            }
+            cmd.arg("--mount").arg(format!(
+                "type=bind,src={},dst={}{}",
+                src.display(),
+                dst.display(),
+                if volume.readonly() { ",readonly" } else { "" }
+            ));
+        }
+        if let Some(shm_size_mb) = docker.shm_size_mb {
+            cmd.arg("--shm-size").arg(format!("{}m", shm_size_mb));
+        }
+        cmd.arg("--log-driver=journald");
+        if docker.system {
+            cmd.arg(docker.image.for_package(&*SYSTEM_PACKAGE_ID, None));
+        } else {
+            cmd.arg(docker.image.for_package(pkg_id, Some(pkg_version)));
+        }
+        cmd.stdout(std::process::Stdio::piped());
+        cmd.stderr(std::process::Stdio::inherit());
+        cmd.stdin(std::process::Stdio::piped());
+        Ok(cmd)
+    }
+
+    async fn cleanup_previous_container(
+        ctx: &RpcContext,
+        container_name: &str,
+    ) -> Result<(), Error> {
+        match ctx
+            .docker
+            .remove_container(
+                container_name,
+                Some(RemoveContainerOptions {
+                    v: false,
+                    force: true,
+                    link: false,
+                }),
+            )
+            .await
+        {
+            Ok(())
+            | Err(bollard::errors::Error::DockerResponseServerError {
+                status_code: 404, // NOT FOUND
+                ..
+            }) => Ok(()),
+            Err(e) => Err(e)?,
+        }
+    }
+}
 async fn buf_reader_to_lines(
    reader: impl AsyncBufRead + Unpin,
    limit: impl Into<Option<usize>>,
@@ -557,6 +954,7 @@ async fn max_by_lines(
    }
    MaxByLines::Done(answer)
 }
+
 #[cfg(test)]
 mod tests {
    use super::*;
--- a/backend/src/procedure/js_scripts.rs
+++ b/backend/src/procedure/js_scripts.rs
@@ -1,16 +1,21 @@
 use std::path::{Path, PathBuf};
+use std::sync::Arc;
 use std::time::Duration;

+use color_eyre::eyre::eyre;
+use embassy_container_init::{ProcessGroupId, SignalGroup, SignalGroupParams};
+use helpers::UnixRpcClient;
 pub use js_engine::JsError;
 use js_engine::{JsExecutionEnvironment, PathForVolumeId};
-use models::VolumeId;
+use models::{ErrorKind, VolumeId};
+use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
 use tracing::instrument;

 use super::ProcedureName;
 use crate::context::RpcContext;
 use crate::s9pk::manifest::PackageId;
-use crate::util::Version;
+use crate::util::{GeneralGuard, Version};
 use crate::volume::Volumes;
 use crate::Error;

@@ -40,7 +45,7 @@ impl PathForVolumeId for Volumes {
    }
 }

-#[derive(Clone, Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Default, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct JsProcedure {
    #[serde(default)]
@@ -52,8 +57,8 @@ impl JsProcedure {
        Ok(())
    }

-    #[instrument(skip(directory, input))]
-    pub async fn execute<I: Serialize, O: for<'de> Deserialize<'de>>(
+    #[instrument(skip(directory, input, rpc_client))]
+    pub async fn execute<I: Serialize, O: DeserializeOwned>(
        &self,
        directory: &PathBuf,
        pkg_id: &PackageId,
@@ -62,17 +67,36 @@ impl JsProcedure {
        volumes: &Volumes,
        input: Option<I>,
        timeout: Option<Duration>,
+        gid: ProcessGroupId,
+        rpc_client: Option<Arc<UnixRpcClient>>,
    ) -> Result<Result<O, (i32, String)>, Error> {
-        Ok(async move {
+        let cleaner_client = rpc_client.clone();
+        let cleaner = GeneralGuard::new(move || {
+            tokio::spawn(async move {
+                if let Some(client) = cleaner_client {
+                    client
+                        .request(SignalGroup, SignalGroupParams { gid, signal: 9 })
+                        .await
+                        .map_err(|e| {
+                            Error::new(eyre!("{}: {:?}", e.message, e.data), ErrorKind::Docker)
+                        })
+                } else {
+                    Ok(())
+                }
+            })
+        });
+        let res = async move {
            let running_action = JsExecutionEnvironment::load_from_package(
                directory,
                pkg_id,
                pkg_version,
                Box::new(volumes.clone()),
+                gid,
+                rpc_client,
            )
            .await?
            .run_action(name, input, self.args.clone());
-            let output: ErrorValue = match timeout {
+            let output: Option<ErrorValue> = match timeout {
                Some(timeout_duration) => tokio::time::timeout(timeout_duration, running_action)
                    .await
                    .map_err(|_| (JsError::Timeout, "Timed out. Retrying soon...".to_owned()))??,
@@ -82,11 +106,13 @@ impl JsProcedure {
            Ok(output)
        }
        .await
-        .map_err(|(error, message)| (error.as_code_num(), message)))
+        .map_err(|(error, message)| (error.as_code_num(), message));
+        cleaner.drop().await.unwrap()?;
+        Ok(res)
    }

    #[instrument(skip(ctx, input))]
-    pub async fn sandboxed<I: Serialize, O: for<'de> Deserialize<'de>>(
+    pub async fn sandboxed<I: Serialize, O: DeserializeOwned>(
        &self,
        ctx: &RpcContext,
        pkg_id: &PackageId,
@@ -102,11 +128,13 @@ impl JsProcedure {
                pkg_id,
                pkg_version,
                Box::new(volumes.clone()),
+                ProcessGroupId(0),
+                None,
            )
            .await?
            .read_only_effects()
            .run_action(name, input, self.args.clone());
-            let output: ErrorValue = match timeout {
+            let output: Option<ErrorValue> = match timeout {
                Some(timeout_duration) => tokio::time::timeout(timeout_duration, running_action)
                    .await
                    .map_err(|_| (JsError::Timeout, "Timed out. Retrying soon...".to_owned()))??,
@@ -120,9 +148,10 @@ impl JsProcedure {
    }
 }

-fn unwrap_known_error<O: for<'de> Deserialize<'de>>(
-    error_value: ErrorValue,
+fn unwrap_known_error<O: DeserializeOwned>(
+    error_value: Option<ErrorValue>,
 ) -> Result<O, (JsError, String)> {
+    let error_value = error_value.unwrap_or_else(|| ErrorValue::Result(serde_json::Value::Null));
    match error_value {
        ErrorValue::Error(error) => Err((JsError::Javascript, error)),
        ErrorValue::ErrorCode((code, message)) => Err((JsError::Code(code), message)),
@@ -181,6 +210,8 @@ async fn js_action_execute() {
            &volumes,
            input,
            timeout,
+            ProcessGroupId(0),
+            None,
        )
        .await
        .unwrap()
@@ -236,6 +267,8 @@ async fn js_action_execute_error() {
            &volumes,
            input,
            timeout,
+            ProcessGroupId(0),
+            None,
        )
        .await
        .unwrap();
@@ -280,11 +313,63 @@ async fn js_action_fetch() {
            &volumes,
            input,
            timeout,
+            ProcessGroupId(0),
+            None,
        )
        .await
        .unwrap()
        .unwrap();
 }
+
+#[tokio::test]
+async fn js_test_slow() {
+    let js_action = JsProcedure { args: vec![] };
+    let path: PathBuf = "test/js_action_execute/"
+        .parse::<PathBuf>()
+        .unwrap()
+        .canonicalize()
+        .unwrap();
+    let package_id = "test-package".parse().unwrap();
+    let package_version: Version = "0.3.0.3".parse().unwrap();
+    let name = ProcedureName::Action("slow".parse().unwrap());
+    let volumes: Volumes = serde_json::from_value(serde_json::json!({
+        "main": {
+            "type": "data"
+        },
+        "compat": {
+            "type": "assets"
+        },
+        "filebrowser" :{
+            "package-id": "filebrowser",
+            "path": "data",
+            "readonly": true,
+            "type": "pointer",
+            "volume-id": "main",
+        }
+    }))
+    .unwrap();
+    let input: Option<serde_json::Value> = None;
+    let timeout = Some(Duration::from_secs(10));
+    tracing::debug!("testing start");
+    tokio::select! {
+        a = js_action
+            .execute::<serde_json::Value, serde_json::Value>(
+                &path,
+                &package_id,
+                &package_version,
+                name,
+                &volumes,
+                input,
+                timeout,
+                ProcessGroupId(0),
+                None,
+            ) => { a.unwrap().unwrap(); },
+        _ = tokio::time::sleep(Duration::from_secs(1)) => ()
+    }
+    tracing::debug!("testing end should");
+    tokio::time::sleep(Duration::from_secs(2)).await;
+    tracing::debug!("Done");
+}
 #[tokio::test]
 async fn js_action_var_arg() {
    let js_action = JsProcedure {
@@ -325,6 +410,8 @@ async fn js_action_var_arg() {
            &volumes,
            input,
            timeout,
+            ProcessGroupId(0),
+            None,
        )
        .await
        .unwrap()
@@ -369,6 +456,8 @@ async fn js_action_test_rename() {
            &volumes,
            input,
            timeout,
+            ProcessGroupId(0),
+            None,
        )
        .await
        .unwrap()
@@ -413,6 +502,8 @@ async fn js_action_test_deep_dir() {
            &volumes,
            input,
            timeout,
+            ProcessGroupId(0),
+            None,
        )
        .await
        .unwrap()
@@ -456,6 +547,144 @@ async fn js_action_test_deep_dir_escape() {
            &volumes,
            input,
            timeout,
+            ProcessGroupId(0),
+            None,
+        )
+        .await
+        .unwrap()
+        .unwrap();
+}
+#[tokio::test]
+async fn js_action_test_zero_dir() {
+    let js_action = JsProcedure { args: vec![] };
+    let path: PathBuf = "test/js_action_execute/"
+        .parse::<PathBuf>()
+        .unwrap()
+        .canonicalize()
+        .unwrap();
+    let package_id = "test-package".parse().unwrap();
+    let package_version: Version = "0.3.0.3".parse().unwrap();
+    let name = ProcedureName::Action("test-zero-dir".parse().unwrap());
+    let volumes: Volumes = serde_json::from_value(serde_json::json!({
+        "main": {
+            "type": "data"
+        },
+        "compat": {
+            "type": "assets"
+        },
+        "filebrowser" :{
+            "package-id": "filebrowser",
+            "path": "data",
+            "readonly": true,
+            "type": "pointer",
+            "volume-id": "main",
+        }
+    }))
+    .unwrap();
+    let input: Option<serde_json::Value> = None;
+    let timeout = Some(Duration::from_secs(10));
+    js_action
+        .execute::<serde_json::Value, serde_json::Value>(
+            &path,
+            &package_id,
+            &package_version,
+            name,
+            &volumes,
+            input,
+            timeout,
+            ProcessGroupId(0),
+            None,
+        )
+        .await
+        .unwrap()
+        .unwrap();
+}
+#[tokio::test]
+async fn js_action_test_read_dir() {
+    let js_action = JsProcedure { args: vec![] };
+    let path: PathBuf = "test/js_action_execute/"
+        .parse::<PathBuf>()
+        .unwrap()
+        .canonicalize()
+        .unwrap();
+    let package_id = "test-package".parse().unwrap();
+    let package_version: Version = "0.3.0.3".parse().unwrap();
+    let name = ProcedureName::Action("test-read-dir".parse().unwrap());
+    let volumes: Volumes = serde_json::from_value(serde_json::json!({
+        "main": {
+            "type": "data"
+        },
+        "compat": {
+            "type": "assets"
+        },
+        "filebrowser" :{
+            "package-id": "filebrowser",
+            "path": "data",
+            "readonly": true,
+            "type": "pointer",
+            "volume-id": "main",
+        }
+    }))
+    .unwrap();
+    let input: Option<serde_json::Value> = None;
+    let timeout = Some(Duration::from_secs(10));
+    js_action
+        .execute::<serde_json::Value, serde_json::Value>(
+            &path,
+            &package_id,
+            &package_version,
+            name,
+            &volumes,
+            input,
+            timeout,
+            ProcessGroupId(0),
+            None,
+        )
+        .await
+        .unwrap()
+        .unwrap();
+}
+
+#[tokio::test]
+async fn js_rsync() {
+    let js_action = JsProcedure { args: vec![] };
+    let path: PathBuf = "test/js_action_execute/"
+        .parse::<PathBuf>()
+        .unwrap()
+        .canonicalize()
+        .unwrap();
+    let package_id = "test-package".parse().unwrap();
+    let package_version: Version = "0.3.0.3".parse().unwrap();
+    let name = ProcedureName::Action("test-rsync".parse().unwrap());
+    let volumes: Volumes = serde_json::from_value(serde_json::json!({
+        "main": {
+            "type": "data"
+        },
+        "compat": {
+            "type": "assets"
+        },
+        "filebrowser" :{
+            "package-id": "filebrowser",
+            "path": "data",
+            "readonly": true,
+            "type": "pointer",
+            "volume-id": "main",
+        }
+    }))
+    .unwrap();
+    let input: Option<serde_json::Value> = None;
+    let timeout = Some(Duration::from_secs(10));
+    js_action
+        .execute::<serde_json::Value, serde_json::Value>(
+            &path,
+            &package_id,
+            &package_version,
+            name,
+            &volumes,
+            input,
+            timeout,
+            ProcessGroupId(0),
+            None,
        )
        .await
        .unwrap()
--- a/backend/src/procedure/mod.rs
+++ b/backend/src/procedure/mod.rs
@@ -1,17 +1,19 @@
 use std::collections::BTreeSet;
 use std::time::Duration;

+use color_eyre::eyre::eyre;
+use models::ImageId;
 use patch_db::HasModel;
+use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
 use tracing::instrument;

-use self::docker::DockerProcedure;
+use self::docker::{DockerContainers, DockerProcedure};
 use crate::context::RpcContext;
-use crate::id::ImageId;
 use crate::s9pk::manifest::PackageId;
 use crate::util::Version;
 use crate::volume::Volumes;
-use crate::Error;
+use crate::{Error, ErrorKind};

 pub mod docker;
 #[cfg(feature = "js_engine")]
@@ -29,6 +31,7 @@ pub enum PackageProcedure {
    #[cfg(feature = "js_engine")]
    Script(js_scripts::JsProcedure),
 }
+
 impl PackageProcedure {
    pub fn is_script(&self) -> bool {
        match self {
@@ -40,6 +43,7 @@ impl PackageProcedure {
    #[instrument]
    pub fn validate(
        &self,
+        container: &Option<DockerContainers>,
        eos_version: &Version,
        volumes: &Volumes,
        image_ids: &BTreeSet<ImageId>,
@@ -49,14 +53,13 @@ impl PackageProcedure {
            PackageProcedure::Docker(action) => {
                action.validate(eos_version, volumes, image_ids, expected_io)
            }
-
            #[cfg(feature = "js_engine")]
            PackageProcedure::Script(action) => action.validate(volumes),
        }
    }

    #[instrument(skip(ctx, input))]
-    pub async fn execute<I: Serialize, O: for<'de> Deserialize<'de>>(
+    pub async fn execute<I: Serialize, O: DeserializeOwned + 'static>(
        &self,
        ctx: &RpcContext,
        pkg_id: &PackageId,
@@ -64,27 +67,43 @@ impl PackageProcedure {
        name: ProcedureName,
        volumes: &Volumes,
        input: Option<I>,
-        allow_inject: bool,
        timeout: Option<Duration>,
    ) -> Result<Result<O, (i32, String)>, Error> {
        tracing::trace!("Procedure execute {} {} - {:?}", self, pkg_id, name);
        match self {
+            PackageProcedure::Docker(procedure) if procedure.inject == true => {
+                procedure
+                    .inject(ctx, pkg_id, pkg_version, name, volumes, input, timeout)
+                    .await
+            }
            PackageProcedure::Docker(procedure) => {
                procedure
-                    .execute(
-                        ctx,
-                        pkg_id,
-                        pkg_version,
-                        name,
-                        volumes,
-                        input,
-                        allow_inject,
-                        timeout,
-                    )
+                    .execute(ctx, pkg_id, pkg_version, name, volumes, input, timeout)
                    .await
            }
            #[cfg(feature = "js_engine")]
            PackageProcedure::Script(procedure) => {
+                let (gid, rpc_client) = match ctx
+                    .managers
+                    .get(&(pkg_id.clone(), pkg_version.clone()))
+                    .await
+                {
+                    None => {
+                        return Err(Error::new(
+                            eyre!("No manager found for {}", pkg_id),
+                            ErrorKind::NotFound,
+                        ))
+                    }
+                    Some(man) => (
+                        if matches!(name, ProcedureName::Main) {
+                            man.new_main_gid()
+                        } else {
+                            man.new_gid()
+                        },
+                        man.rpc_client(),
+                    ),
+                };
+
                procedure
                    .execute(
                        &ctx.datadir,
@@ -94,14 +113,18 @@ impl PackageProcedure {
                        volumes,
                        input,
                        timeout,
+                        gid,
+                        rpc_client,
                    )
                    .await
            }
        }
    }
+
    #[instrument(skip(ctx, input))]
-    pub async fn sandboxed<I: Serialize, O: for<'de> Deserialize<'de>>(
+    pub async fn sandboxed<I: Serialize, O: DeserializeOwned>(
        &self,
+        container: &Option<DockerContainers>,
        ctx: &RpcContext,
        pkg_id: &PackageId,
        pkg_version: &Version,
@@ -137,6 +160,7 @@ impl std::fmt::Display for PackageProcedure {
        Ok(())
    }
 }
+
 #[derive(Debug)]
 pub struct NoOutput;
 impl<'de> Deserialize<'de> for NoOutput {
--- a/backend/src/properties.rs
+++ b/backend/src/properties.rs
@@ -21,12 +21,13 @@ pub async fn properties(#[context] ctx: RpcContext, #[arg] id: PackageId) -> Res
 #[instrument(skip(ctx))]
 pub async fn fetch_properties(ctx: RpcContext, id: PackageId) -> Result<Value, Error> {
    let mut db = ctx.db.handle();
+
    let manifest: Manifest = crate::db::DatabaseModel::new()
        .package_data()
        .idx_model(&id)
        .and_then(|p| p.installed())
        .map(|m| m.manifest())
-        .get(&mut db, true)
+        .get(&mut db)
        .await?
        .to_owned()
        .ok_or_else(|| Error::new(eyre!("{} is not installed", id), ErrorKind::NotFound))?;
@@ -39,7 +40,6 @@ pub async fn fetch_properties(ctx: RpcContext, id: PackageId) -> Result<Value, E
                ProcedureName::Properties,
                &manifest.volumes,
                None,
-                false,
                None,
            )
            .await?
--- a/backend/src/s9pk/docker.rs
+++ b/backend/src/s9pk/docker.rs
@@ -0,0 +1,95 @@
+use std::borrow::Cow;
+use std::collections::BTreeSet;
+use std::io::SeekFrom;
+use std::path::Path;
+
+use color_eyre::eyre::eyre;
+use futures::{FutureExt, TryStreamExt};
+use serde::{Deserialize, Serialize};
+use tokio::io::{AsyncRead, AsyncSeek, AsyncSeekExt};
+use tokio_tar::{Archive, Entry};
+
+use crate::util::io::from_cbor_async_reader;
+use crate::{Error, ErrorKind, ARCH};
+
+#[derive(Default, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub struct DockerMultiArch {
+    pub default: String,
+    pub available: BTreeSet<String>,
+}
+
+#[pin_project::pin_project(project = DockerReaderProject)]
+#[derive(Debug)]
+pub enum DockerReader<R: AsyncRead + Unpin> {
+    SingleArch(#[pin] R),
+    MultiArch(#[pin] Entry<Archive<R>>),
+}
+impl<R: AsyncRead + AsyncSeek + Unpin + Send + Sync> DockerReader<R> {
+    pub async fn new(mut rdr: R) -> Result<Self, Error> {
+        let arch = if let Some(multiarch) = tokio_tar::Archive::new(&mut rdr)
+            .entries()?
+            .try_filter_map(|e| {
+                async move {
+                    Ok(if &*e.path()? == Path::new("multiarch.cbor") {
+                        Some(e)
+                    } else {
+                        None
+                    })
+                }
+                .boxed()
+            })
+            .try_next()
+            .await?
+        {
+            let multiarch: DockerMultiArch = from_cbor_async_reader(multiarch).await?;
+            Some(if multiarch.available.contains(&**ARCH) {
+                Cow::Borrowed(&**ARCH)
+            } else {
+                Cow::Owned(multiarch.default)
+            })
+        } else {
+            None
+        };
+        rdr.seek(SeekFrom::Start(0)).await?;
+        if let Some(arch) = arch {
+            if let Some(image) = tokio_tar::Archive::new(rdr)
+                .entries()?
+                .try_filter_map(|e| {
+                    let arch = arch.clone();
+                    async move {
+                        Ok(if &*e.path()? == Path::new(&format!("{}.tar", arch)) {
+                            Some(e)
+                        } else {
+                            None
+                        })
+                    }
+                    .boxed()
+                })
+                .try_next()
+                .await?
+            {
+                Ok(Self::MultiArch(image))
+            } else {
+                Err(Error::new(
+                    eyre!("Docker image section does not contain tarball for architecture"),
+                    ErrorKind::ParseS9pk,
+                ))
+            }
+        } else {
+            Ok(Self::SingleArch(rdr))
+        }
+    }
+}
+impl<R: AsyncRead + Unpin + Send + Sync> AsyncRead for DockerReader<R> {
+    fn poll_read(
+        self: std::pin::Pin<&mut Self>,
+        cx: &mut std::task::Context<'_>,
+        buf: &mut tokio::io::ReadBuf<'_>,
+    ) -> std::task::Poll<std::io::Result<()>> {
+        match self.project() {
+            DockerReaderProject::SingleArch(r) => r.poll_read(cx, buf),
+            DockerReaderProject::MultiArch(r) => r.poll_read(cx, buf),
+        }
+    }
+}
--- a/backend/src/s9pk/git_hash.rs
+++ b/backend/src/s9pk/git_hash.rs
@@ -0,0 +1,41 @@
+use std::path::Path;
+
+use crate::Error;
+
+#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+pub struct GitHash(String);
+
+impl GitHash {
+    pub async fn from_path(path: impl AsRef<Path>) -> Result<GitHash, Error> {
+        let hash = tokio::process::Command::new("git")
+            .args(["describe", "--always", "--abbrev=40", "--dirty=-modified"])
+            .current_dir(path)
+            .output()
+            .await?;
+        if !hash.status.success() {
+            return Err(Error::new(
+                color_eyre::eyre::eyre!("Could not get hash: {}", String::from_utf8(hash.stderr)?),
+                crate::ErrorKind::Filesystem,
+            ));
+        }
+        Ok(GitHash(String::from_utf8(hash.stdout)?))
+    }
+}
+
+impl AsRef<str> for GitHash {
+    fn as_ref(&self) -> &str {
+        &self.0
+    }
+}
+
+// #[tokio::test]
+// async fn test_githash_for_current() {
+//     let answer: GitHash = GitHash::from_path(std::env::current_dir().unwrap())
+//         .await
+//         .unwrap();
+//     let answer_str: &str = answer.as_ref();
+//     assert!(
+//         !answer_str.is_empty(),
+//         "Should have a hash for this current working"
+//     );
+// }
--- a/backend/src/s9pk/manifest.rs
+++ b/backend/src/s9pk/manifest.rs
@@ -6,12 +6,14 @@ use patch_db::HasModel;
 use serde::{Deserialize, Serialize};
 use url::Url;

+use super::git_hash::GitHash;
 use crate::action::Actions;
 use crate::backup::BackupActions;
 use crate::config::action::ConfigActions;
 use crate::dependencies::Dependencies;
 use crate::migration::Migrations;
 use crate::net::interface::Interfaces;
+use crate::procedure::docker::DockerContainers;
 use crate::procedure::PackageProcedure;
 use crate::status::health_check::HealthChecks;
 use crate::util::Version;
@@ -29,6 +31,8 @@ pub struct Manifest {
    #[serde(default = "current_version")]
    pub eos_version: Version,
    pub id: PackageId,
+    #[serde(default)]
+    pub git_hash: Option<GitHash>,
    pub title: String,
    #[model]
    pub version: Version,
@@ -70,6 +74,11 @@ pub struct Manifest {
    #[serde(default)]
    #[model]
    pub dependencies: Dependencies,
+    #[model]
+    pub containers: Option<DockerContainers>,
+
+    #[serde(default)]
+    pub replaces: Vec<String>,
 }

 impl Manifest {
@@ -93,6 +102,11 @@ impl Manifest {
            .chain(migrations)
            .chain(actions)
    }
+
+    pub fn with_git_hash(mut self, git_hash: GitHash) -> Self {
+        self.git_hash = Some(git_hash);
+        self
+    }
 }

 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
@@ -141,7 +155,7 @@ impl Assets {
        self.docker_images
            .as_ref()
            .map(|a| a.as_path())
-            .unwrap_or(Path::new("image.tar"))
+            .unwrap_or(Path::new("docker-images"))
    }
    pub fn assets_path(&self) -> &Path {
        self.assets
--- a/Show More
+++ b/Show More