diff --git a/.gitignore b/.gitignore
index d5dca0c..af55184 100644
--- a/.gitignore
+++ b/.gitignore
@@ -412,3 +412,7 @@ FodyWeavers.xsd
 # Built Visual Studio Code Extensions
 *.vsix
+
+# do not include built images in git
+images
+
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..3848346
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "mocha-php"]
+ path = mocha-php
+ url = git@gitea.azcona-becker.net:mochapowered/mocha-php
+[submodule "mocha-common"]
+ path = mocha-common
+ url = git@gitea.azcona-becker.net:mochapowered/mocha-common
diff --git a/carafe b/carafe
new file mode 100755
index 0000000..64b4567
--- /dev/null
+++ b/carafe
@@ -0,0 +1,184 @@
+#!/bin/bash
+
+# usage: ./mocha-carafe new BASE
+if [ "$1" == "new" ]; then
+
+ if [ "$USER" != "root" ]; then
+ echo "must be run as root"
+ exit 2
+ fi
+
+ BASE=$2
+ BASEPATH=images/$BASE/$BASE
+ FLAVOR=noble
+
+ if [ ! -d "images" ]; then
+ mkdir "images"
+ fi
+ if [ ! -d "images/$BASE" ]; then
+ mkdir "images/$BASE"
+ fi
+
+ if [ ! -d "$BASEPATH" ]; then
+
+ debootstrap $FLAVOR "$BASEPATH"
+
+ fi
+
+ if [ ! -d "$BASEPATH" ]; then
+ echo "base path not found: $BASEPATH"
+ exit 2
+ fi
+
+ echo "deb http://archive.ubuntu.com/ubuntu noble main universe
+deb http://archive.ubuntu.com/ubuntu noble-updates main universe
+deb http://archive.ubuntu.com/ubuntu noble-backports main universe
+deb http://archive.ubuntu.com/ubuntu noble-security main universe" > $BASEPATH/etc/apt/sources.list
+
+ if [ ! -d "$BASEPATH/usr/lib/mocha/carafe" ]; then
+ mkdir -p "$BASEPATH/usr/lib/mocha/carafe"
+ fi
+
+ if [ ! -d "$BASEPATH/usr/share/mocha/system" ]; then
+ mkdir -p "$BASEPATH/usr/share/mocha/system"
+ fi
+
+ cp -r libexec/mocha/carafe $BASEPATH/usr/lib/mocha
+ cp -r fs/* $BASEPATH/
+
+ if [ ! -d "$BASEPATH/usr/lib/mocha/oms" ]; then
+ mkdir -p $BASEPATH/usr/lib/mocha/oms
+ fi
+
+ ./copy-oms $BASEPATH/usr/lib/mocha/oms
+ cp ./mocha-common/mocha-common/output/*.mcl $BASEPATH/usr/share/mocha/system
+
+ if [ ! -d "$BASEPATH/var/mocha/uploads" ]; then
+ mkdir -p "$BASEPATH/var/mocha/uploads"
+ fi
+ cp ./mocha-php/mocha-php/src/mocha-php/images/logo.svg $BASEPATH/var/mocha/uploads/c4f31b1aaede4e919fa0511537f098a5.svg
+
+ chroot $BASEPATH /usr/lib/mocha/carafe/preinstall.sh
+
+ if [ $? -ne 0 ]; then
+ echo "preinstall failed, try running 'chroot \$BASEPATH /usr/lib/mocha/carafe/preinstall.sh' again"
+ exit 2
+ fi
+
+ echo "Listen 443" > $BASEPATH/etc/apache2/ports.conf
+ cp site.conf $BASEPATH/etc/apache2/sites-available/000-default.conf
+ cp certs/localhost.crt certs/localhost.key $BASEPATH/etc/ssl/certs
+
+ cp -r mocha-php/mocha-php/src/mocha-php/* $BASEPATH/var/www/html
+ cp mocha-php/mocha-php/src/mocha-php/.htaccess $BASEPATH/var/www/html
+
+ rm -rf $BASEPATH/var/www/html/lib/phast
+ cp -r mocha-php/phast/lib/phast/server $BASEPATH/var/www/html/lib/phast
+
+ # mocha etc
+ if [ ! -d $BASEPATH/etc/mocha/include ]; then
+ mkdir -p $BASEPATH/etc/mocha/include
+ fi
+ cp mocha-php/mocha-php/src/mocha-php/include/Configuration.inc.php.template $BASEPATH/etc/mocha/include/Configuration.inc.php.template
+
+ # mocha libexec
+ if [ ! -d $BASEPATH/usr/lib/mocha ]; then
+ mkdir -p $BASEPATH/usr/lib/mocha
+ fi
+ cp libexec/mocha/mocha-* $BASEPATH/usr/lib/mocha
+ cp libexec/mocha/mocha $BASEPATH/usr/bin
+ chmod a+x $BASEPATH/usr/lib/mocha/*
+ chmod a+x $BASEPATH/usr/bin/mocha
+
+ if [ -d $BASEPATH/var/www/html/index.html ]; then
+ rm $BASEPATH/var/www/html/index.html
+ fi
+
+ # ! FIXME: we don't want to run this in chroot, we need to run it in lxc!
+ chroot $BASEPATH /usr/lib/mocha/carafe/postinstall.sh
+
+ echo "architecture: \"x86_64\"
+creation_date: $(date +%s) # To get current date in Unix time, use \`date +%s\` command
+properties:
+architecture: \"x86_64\"
+description: \"Ubuntu Noble with Apache2 and PHP (20171227)\"
+os: \"ubuntu\"
+release: \"noble\"" > images/$BASE/metadata.yaml
+
+ tar -cvzf images/$BASE/metadata.tar.gz -C images/$BASE metadata.yaml
+ rm images/$BASE/metadata.yaml
+
+ if [ ! -f images/$BASE/$BASE.tar.gz ]; then
+
+ tar -cvzf images/$BASE/$BASE.tar.gz -C $BASEPATH .
+ # rm -rf $BASEPATH
+ else
+
+ echo "$BASE.tar.gz already exists; not overwriting"
+ fi
+
+ EXISTS=$(lxc image list | grep $BASE )
+ if [ "$EXISTS" == "" ]; then
+
+ lxc image import images/$BASE/metadata.tar.gz images/$BASE/$BASE.tar.gz --alias $BASE
+
+ else
+
+ echo "not importing image; already exists as $BASE"
+
+ fi
+
+ SUV_ID=$(hexdump -vn8 -e'2/4 "%08x" 1 "\n"' /dev/urandom)
+ CONTAINER_NAME=i-0$SUV_ID
+ lxc init $BASE $CONTAINER_NAME
+
+ echo "Instance name is: $CONTAINER_NAME"
+
+ lxc start $CONTAINER_NAME
+ lxc shell $CONTAINER_NAME -- bash -c "echo \"$CONTAINER_NAME\" > /etc/mocha/container"
+ sleep 5
+
+ CONTAINER_IP=$(lxc exec $CONTAINER_NAME ip addr | grep 'scope global' | sed -e 's/ inet6 //' -e 's/\/64 scope global dynamic mngtmpaddr//')
+ lxc shell $CONTAINER_NAME mocha up
+
+ SUV_DOMAINNAME=".privatesuv.com"
+ echo "enter sudo password to add entry to /etc/hosts if desired"
+ echo "$CONTAINER_IP $CONTAINER_NAME$SUV_DOMAINNAME" | sudo tee -a /etc/hosts
+
+elif [ "$1" == "list" ]; then
+
+ lxc list
+
+elif [ "$1" == "up" ]; then
+
+ lxc start "$2"
+
+elif [ "$1" == "shell" ]; then
+
+ lxc shell "$2"
+
+elif [ "$1" == "reset" ]; then
+
+ BASE="$2"
+
+ echo "deleting compiled files..."
+ rm images/$BASE/*.gz
+
+ echo "removing the image..."
+ lxc image delete $BASE
+
+elif [ "$1" == "destroy" ]; then
+
+ ./carafe reset $2
+ rm -rf images/$2
+
+# elif [ "$1" == "build" ]; then
+#
+#
+
+else
+
+ echo "usage: mocha carafe new BASE"
+
+fi
+
diff --git a/certs/localhost.crt b/certs/localhost.crt
new file mode 100644
index 0000000..d2035bd
--- /dev/null
+++ b/certs/localhost.crt
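Review bot: `BASE` comes straight from `$2` with no check and is expanded unquoted into paths that are created, archived and deleted, mostly as root; with the argument missing, `./carafe destroy` ends in `rm -rf images/` and `./carafe new` bootstraps into `images//`. Reject an empty or path-like name before the first use, e.g. `case "$2" in ''|*/*|.*) echo "usage: carafe new BASE" >&2; exit 2 ;; esac`, and quote the deletions as `rm -rf -- "images/${BASE:?}"`. The `lxc image list | grep $BASE` test has the same looseness: any image whose listing contains the name as a substring counts as already imported. Separately, the `index.html` cleanup tests `[ -d … ]` on a regular file, so it never runs; `-f` looks intended.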
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE7zCCA9egAwIBAgIURvpBSseeEDIKEO0c1VBMWkLexMQwDQYJKoZIhvcNAQEL +BQAwgZkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJGTDEQMA4GA1UEBwwHT3JsYW5k +bzEfMB0GA1UECgwWTUJTIEJ1c2luZXNzIFNvbHV0aW9uczEkMCIGA1UEAwwbTUJT +IEludGVybmFsIERldmVsb3BtZW50IENBMSQwIgYJKoZIhvcNAQkBFhVzdXBwb3J0 +QHRldHJvbmljYS5jb20wHhcNMjMxMTA3MTI0MjMyWhcNMjUxMTA2MTI0MjMyWjBo +MQswCQYDVQQGEwJVUzELMAkGA1UECAwCRkwxEDAOBgNVBAcMB09ybGFuZG8xHzAd +BgNVBAoMFk1CUyBCdXNpbmVzcyBTb2x1dGlvbnMxGTAXBgNVBAMMECoucHJpdmF0 +ZXN1di5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCB79lGqz1t +wC5KDJ6TMsJk6/BK7vQiyT3umuut2RPhwkMHfihz+zfxaYo4C7KHkSoCPT4v3u1y +MONJfiev8E+/ZzHlPNYhxs/Su1iSavJQHPvKzKMSkvjbMQFX/Cqzp/A2NL5EkmYv +HrFd9WiV2azp5knQ8hLWdvWR8gUHJZK0FocKA6qbQNQ3G/McOsEsaUZtjCcb1oJw +fKt4G8i2Iv0aMMTOJfCQYhrpuGuX8qkcD1gR9imb8qhthiLw54LwcrtQcIVEwFAG +YyDPVRsw6xvLYHchRkx+DvRdgy/UKMha9tq/3lzF9Fm1/3cnelEsKe7W51ZGkU+3 +apVqNovaYZ+ty1rRxMe/tj4XtHaOLTioG/UMT7AL0LK3darEAS29n8UdT+xORBsU +7iENL112ZcY4yrzCDzUz1Ys0NJAl9a4p6kW33lu0idRTq75xwOYoKhX69Kff0bF8 +dAAebxZSYcIF9/uKHpKW31zK8ac9d1bHYnkL8Ej2yA6Ps98tYLDUecC3dbYk+k2I +igz2BN2UhyEonb5DUz6dSlR+RR3kB884ycMrBi9FNEhjBhm5+iOHs1nAh1Hzm/IJ +Koiw49XyWZIxNYWkcqq9h4wQEQIiZ/3S1FeJWxj+vt+tZKAhDc71V5kSHHJXCh3X +EIqXLZYKXPAG0uST+H8VY5bXahKW/A60UQIDAQABo18wXTAbBgNVHREEFDASghAq +LnByaXZhdGVzdXYuY29tMB0GA1UdDgQWBBSCn5UhCbR7QG5M5RgZXI4y4LoFSDAf +BgNVHSMEGDAWgBSkDws8lTr7dn6nUzawl/gS5J2i3DANBgkqhkiG9w0BAQsFAAOC +AQEAPozqKZadO7QR4HxdU2KNuBlfbvZ62KS2UoiISnUS/cHEejkSdU6RaWN1wVv4 +rimBhhVX+vkIBcd4OiaRTxFBQpgkyTxI7L+B/fKTmwUP3KEl2GSiWFwmAcRQjn4u +tNuABnn7d7UTl9NCR/n3981A1gl6cIAjv6XBEuDWCCTSCVWgWDBlpG2OA0Fp5+GL +J4Jl7xfjpiFAdOllVi/Cd63DiQmv6Fxuc2wBeugatLYCM8Mu6WOJ8+SvbJ57zYec +1oWftLmRr5WxpgGrbDMcAwwD74OXlTOuNX/Jx7uX2Y4Qlqysl7gHJtztlTQCO+23 +RRiyHDf6iKxeh2S16xnVi2vtWw== +-----END CERTIFICATE----- diff --git a/certs/localhost.key b/certs/localhost.key new file mode 100644 index 0000000..428ed2b --- /dev/null +++ b/certs/localhost.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQAIBADANBgkqhkiG9w0BAQEFAASCCSowggkmAgEAAoICAQCB79lGqz1twC5K +DJ6TMsJk6/BK7vQiyT3umuut2RPhwkMHfihz+zfxaYo4C7KHkSoCPT4v3u1yMONJ +fiev8E+/ZzHlPNYhxs/Su1iSavJQHPvKzKMSkvjbMQFX/Cqzp/A2NL5EkmYvHrFd +9WiV2azp5knQ8hLWdvWR8gUHJZK0FocKA6qbQNQ3G/McOsEsaUZtjCcb1oJwfKt4 +G8i2Iv0aMMTOJfCQYhrpuGuX8qkcD1gR9imb8qhthiLw54LwcrtQcIVEwFAGYyDP +VRsw6xvLYHchRkx+DvRdgy/UKMha9tq/3lzF9Fm1/3cnelEsKe7W51ZGkU+3apVq +NovaYZ+ty1rRxMe/tj4XtHaOLTioG/UMT7AL0LK3darEAS29n8UdT+xORBsU7iEN +L112ZcY4yrzCDzUz1Ys0NJAl9a4p6kW33lu0idRTq75xwOYoKhX69Kff0bF8dAAe +bxZSYcIF9/uKHpKW31zK8ac9d1bHYnkL8Ej2yA6Ps98tYLDUecC3dbYk+k2Iigz2 +BN2UhyEonb5DUz6dSlR+RR3kB884ycMrBi9FNEhjBhm5+iOHs1nAh1Hzm/IJKoiw +49XyWZIxNYWkcqq9h4wQEQIiZ/3S1FeJWxj+vt+tZKAhDc71V5kSHHJXCh3XEIqX +LZYKXPAG0uST+H8VY5bXahKW/A60UQIDAQABAoIB/3zxpdHOgm3b3qcAe3tlKTLi +WAMLbgwFIbMkRSa7wTfVFPSfhfFWIEqDXJAyr06sx+MKAO0HRaFdtoYfnl9lNUoC +cSLS3RVIQjmLl3Uzts2nu8xxT7MMoJTPtVBlqqoWqBAiUiid808GtIck9EHOjqGw ++kob0awTDRAfKQvg6rCWTkPS7WVcxrOMrLj4cR3DcsrkJLcgDfhx6RrAR2rcj4TK +YHSFBvh6CGcLGcAtbBpkpstJablgx5SJkg+/OVRSVCGFZqDgTBMtlDR0zIYS4yct +cLW5DiopNya0fx6uGKVfufkbA8VWBu3QOUOSMCZyLA16EKbKvrIgSzdW5s7su3LZ +f+wNcsaYuUx7iWSyHVRz9zKkfnikphuPjIbF+gLmQYsLp+5jAt/NVnS045cilNbD +QQGoGQaArz7xYoCO2slT5ppAkFq7+z1heBFKJ2BbA3uZTE4EhEZipqDTn+Rk08O3 +jm+KwUcl69odk8XoL6EKIfFeu/F8qRNnsTzlEhXCi6jsyfbMSUckvrZMfQQmDDHG +WzqbkCv7MJ1gtZpo8eME87lhSYQrXKeXHlnNpFg/eZxkLgm60+zZiJ48rvrJ/Ga5 +mzL2NxgT4qZGljQMuloP93vsfd67A9Z3ELaTYUcqP+Le8sdbZs84rgMl0XYQZtRp +JlGkYn3UR0Rkm/xeR18CggEBALdrLz9KkaqNvi5sdcjh4Iwb4dsZx7o84nMhzN90 +9MdVaQUKQ9JT3hek8l+CSMlXFGK2eQ96ZUXbFdqnZFvD73inHUX/dx+cnwuvIzjs +IhZK6XYIqZ3oI5xQSNiFk6C/J4r+ZWrUtwdZZKCASRInDlvg4kMJxFDtRoR9wb1H +sdcIjyM3PNArVGaNkBETBekdmsOMV5jo5D4l3GiXVCWB9HKAokxvo1v0T7h7P1S8 +guyY3W/wLwERW7hjJ8JMT0UsWq9QjTdNTiMnS9B/qlalnO3S0WxvRTxtQnqNd6Cj +YM+Y37DBVLrERYehGUz0/2fUVdzoJYtEC+ow4iCAmDyncM8CggEBALVa0DmIzD55 +KwgHzDvyOYn+ntEdr+0VjLBjyITcMX0pva9gl3xpLKHroXBXqa+q91SwYgz3oLMA 
+SFYiLwdCF5bc5lojGvW9tlQZljEVlTvFsKmpMQVZE0SclMnHonugbeRsFd4CATkK +gX2YxXDXdpTLfC0mQlrFL3cIAoNfGn4DHfQWVZ17CkRnzY4DxfBGyzhuO9dSqLV9 +kX+iI/PB88hC+WM/euRqGOY0/F+7yyyCSlu3SlT+gF7G7xxe8n2kNc55zl1s+eub +pcCygGsys5r25BIL3gXyQozs3XNQIWWnZtALgITkkyPgD/72uZ4Rk1gb6S73/q3O +5HhSrzcRkN8CggEASvMFj3tNIsBg4l93keqa8yXBmOJj9vpCHoHFUdpc28dO7rxP +Encq3caNM/HtBDkNH3ko5uZA09a+i2azX7wk8sx27c+CQeyiIQgkAHKdSza5R34q +sVfWlV1JJxEOTjVOV0G0936Me/hPYjaJpV1IRMsUKginq9oJYsJwlIPja9cXhnBf +7UCHcJCQOinn1GZAg3+pm9YuziZydlrAC8Oau99Mcqd7vWuL1/qk2l9dsIiWk9M1 +od4R+Lqr2H2ONtn1BIaJ7fss3riEBmLknBt4kMYAxaqCRDrxW1rLc1zPhoUVgwi9 +MsRZFR8DU6sZYrgljetezBW2OLBY9qcVjlNtiQKCAQB4p+y0+pB4WAELHLUChQtH +BgH/urKbF6U8jYaQ7jZ2wViT372pZgftymjj507bsvFOhPMXEYD21o9JzwBe4dfz +5Q/UlFqReCBgH43PJj7dP49jsU8N8c9h7JMJFCrD+V5jhI2f4NGTc6vnNcbWZmNc +Z208VKH85gfIN6oEYTes8sHw7RMU7RFNpYoam+QLEe6Oorhpb3MTHHG66tLkj/tz +Fyv4nflTEktyjXoC71wjRqPWFUH8/j3F0LCwvXKzqJarwlpLyf8Ug79pTtkleNwJ +k4z1fLPAXQdt3wEOgRdXHGLIs35T7AcA7Ud3KAsiYSsYialAOHpWhLl4W/p6ttMd +AoIBAETFQ17eYJxPZH+Ai80+7RqBXJrb+fYgvTnvXmBoQRDcn4H89hcbw6e8I6on +/HZwB2YEw/sSoQhqC8mezGzHpqAAMJfmyhbjW/hHzErx5LlLayS8PhyDHA79RBRA +aCtPBgSyy3dp2cVfyslcBtV4qzjwSlp+SdUcUvvjNHP0SL6sKG4XHyzaoqsV7mI8 +zEKPgsrP8SC5ezdrGtDXts6T2s2DCudJXb1FgiiyHofrAjhrRsHcbtn/cudHc+hK +fEf3oaNeOO/XfKZ3xkbHsbSlc+JsHEYVLkikm9Zu3ELJbxNw/Uq8H1sdFbT8Zkg+ +Hn/DMWon80lSV4Ds8yHgx6W7Y/c= +-----END PRIVATE KEY----- diff --git a/copy-oms b/copy-oms new file mode 100755 index 0000000..fd59980 --- /dev/null +++ b/copy-oms @@ -0,0 +1,2 @@ +cp -r ../mocha-dotnet/mocha-dotnet/src/app/Mocha.Oms.Server/bin/Debug/net8.0/* $1 + diff --git a/fs/usr/lib/systemd/system/firstrun.service b/fs/usr/lib/systemd/system/firstrun.service new file mode 100644 index 0000000..def890e --- /dev/null +++ b/fs/usr/lib/systemd/system/firstrun.service 
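Review bot: `certs/localhost.key` is an unencrypted private key committed to the repository, and `carafe` copies it into every image it builds, so every instance and everyone with read access to the repo holds the same key. The certificate added beside it appears to be issued for `*.privatesuv.com` (the name is visible in its base64 and matches `SUV_DOMAINNAME` in `carafe`), which means possession of this file is enough to impersonate any instance to a client that trusts the issuing CA. Treat the key as disclosed: replace the certificate, keep key material out of git (`certs/*.key` in `.gitignore`; deleting the file later does not remove it from history), and generate a key per instance at first boot or inject it at deploy time.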
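Review bot: `copy-oms` has no shebang and expands `$1` unquoted, so when it is called without a destination `cp` takes the last matched build artefact as the target instead of failing with a clear message. Start the file with `#!/bin/bash` and pass the destination as `"${1:?destination directory required}"`. The source is a `Debug` build output from a sibling checkout (`../mocha-dotnet`) that is not one of the submodules added in this commit; confirm that shipping a Debug build from an unpinned tree into the image is intended.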
@@ -0,0 +1,11 @@
+[Unit]
+Description=First Run
+After=network.target remote-fs.target nss-lookup.target
+Documentation=https://support.mochapowered.com/oms-dotnet/1.3/
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/firstrun
+
+[Install]
+WantedBy=multi-user.target
diff --git a/fs/usr/lib/systemd/system/mocha-oms.service b/fs/usr/lib/systemd/system/mocha-oms.service
new file mode 100644
index 0000000..f37af80
--- /dev/null
+++ b/fs/usr/lib/systemd/system/mocha-oms.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=The Mocha OMS Server
+After=network.target remote-fs.target nss-lookup.target
+Documentation=https://support.mochapowered.com/oms-dotnet/1.3/
+
+[Service]
+Type=forking
+Environment=MOCHAOMS_STARTED_BY_SYSTEMD=true
+ExecStart=/usr/sbin/mochactl start-oms
+ExecStop=/usr/sbin/mochactl stop-oms
+ExecReload=/usr/sbin/mochactl reload-oms
+KillMode=mixed
+PrivateTmp=true
+Restart=on-abort
+OOMPolicy=continue
+
+[Install]
+WantedBy=multi-user.target
diff --git a/fs/usr/sbin/firstrun b/fs/usr/sbin/firstrun
new file mode 100755
index 0000000..c9b283b
--- /dev/null
+++ b/fs/usr/sbin/firstrun
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+/usr/lib/mocha/carafe/firstrun.sh
+systemctl disable firstrun
+
+
diff --git a/fs/usr/sbin/mochactl b/fs/usr/sbin/mochactl
new file mode 100755
index 0000000..e03677d
--- /dev/null
+++ b/fs/usr/sbin/mochactl
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+EXECPATH="/usr/lib/mocha/oms"
+EXECFILE="Mocha.Oms.Server"
+
+case "$1" in
+ "start-oms")
+ exec $EXECPATH/$EXECFILE &
+esac
+
diff --git a/libexec/mocha/carafe/firstrun.sh b/libexec/mocha/carafe/firstrun.sh
new file mode 100755
index 0000000..aa63b50
--- /dev/null
+++ b/libexec/mocha/carafe/firstrun.sh
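Review bot: The `mocha-oms.service` unit sets no `User=`, so `Mocha.Oms.Server` runs as root, while `firstrun.sh` in this commit gives `zqadmin` recursive ownership of `/usr/lib/mocha`, the tree that holds the binary `mochactl` executes (`/usr/lib/mocha/oms`). An unprivileged account that can rewrite what a root service executes is effectively root. Either run the service under a dedicated account (`User=` and `Group=` in `[Service]`) or leave `/usr/lib/mocha` owned by root and give `zqadmin` only the data directories it needs to write.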
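Review bot: `mochactl` implements only `start-oms`, but `mocha-oms.service` also calls `mochactl stop-oms` and `mochactl reload-oms`; both fall through the `case` and exit 0, so a stop or reload request reports success without the script doing anything. Add the missing arms, or at least a default arm such as `*) echo "usage: mochactl start-oms|stop-oms|reload-oms" >&2; exit 2 ;;`, and terminate the `start-oms` arm with `;;`. `exec … &` also only backgrounds the server and writes no PID file, which leaves a `Type=forking` unit guessing the main process; running it in the foreground under `Type=simple` would be simpler if the server supports that.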
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+rm /var/www/html/index.html
+
+# set up mocha user accounts
+addgroup webmasters
+
+PASS1=$(pwgen 16 1)
+useradd -p $(openssl passwd -6 $PASS1) webmaster
+
+PASS2=$(pwgen 16 1)
+useradd -p $(openssl passwd -6 $PASS2) zqadmin
+
+echo "webmaster: $PASS1
+zqadmin: $PASS2" > /etc/mocha/passwd
+
+chown --recursive zqadmin /etc/mocha /usr/lib/mocha /usr/share/mocha /var/mocha
+chgrp --recursive zqadmin /etc/mocha /usr/lib/mocha /usr/share/mocha /var/mocha
+
+chown --recursive webmaster /var/www /var/mocha/uploads
+chgrp --recursive webmasters /var/www /var/mocha/uploads
diff --git a/libexec/mocha/carafe/postinstall.sh b/libexec/mocha/carafe/postinstall.sh
new file mode 100644
index 0000000..c83da3d
--- /dev/null
+++ b/libexec/mocha/carafe/postinstall.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+systemctl enable firstrun
+
diff --git a/libexec/mocha/carafe/preinstall.sh b/libexec/mocha/carafe/preinstall.sh
new file mode 100755
index 0000000..9f7d33a
--- /dev/null
+++ b/libexec/mocha/carafe/preinstall.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+PACKAGE_LIST="apache2 php pwgen php-xml php-mbstring php-curl php-mysql mariadb-server dotnet-sdk-8.0"
+
+ENABLE_NANO=1
+if [ $ENABLE_NANO -eq 1 ]; then
+ PACKAGE_LIST+=" nano"
+fi
+
+ENABLE_SSH=1
+if [ $ENABLE_SSH -eq 1 ]; then
+ PACKAGE_LIST+=" openssh-server"
+fi
+
+apt update
+apt install -y $PACKAGE_LIST
+
+# enable apache modules
+a2enmod rewrite ssl
+
+# link service
+ln -s /usr/lib/systemd/system/mocha-oms.service /etc/systemd/system/multi-user.target.wants/mocha-oms.service
+systemctl enable mocha-oms
+
diff --git a/libexec/mocha/mocha b/libexec/mocha/mocha
new file mode 100644
index 0000000..17a9945
--- /dev/null
+++ b/libexec/mocha/mocha
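Review bot: The two generated passwords in `firstrun.sh` are exposed on the way to disk: `openssl passwd -6 $PASS1` puts the cleartext on a command line, visible in the process list while it runs, and `/etc/mocha/passwd` is created under the default umask, so it is normally world-readable (the later `chown` changes the owner, not the mode). Set the password through stdin, e.g. `useradd webmaster` followed by `printf 'webmaster:%s\n' "$PASS1" | chpasswd`, and put `umask 077` before the `echo … > /etc/mocha/passwd`. The script has no error handling, and the `firstrun` wrapper disables the unit whether or not it succeeded, so a partial run is never retried.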
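Review bot: `carafe` judges `preinstall.sh` by its exit status, but without `set -e` that status is only the result of the final `systemctl enable mocha-oms`; a failed `apt update` or `apt install` goes unreported and the image is built with packages missing. Add `set -e` after the shebang, or `|| exit 1` on the two apt lines. `ENABLE_SSH=1` also puts openssh-server into every image by default, next to the password-based accounts created at first run; defaulting it to 0 would keep the listening surface to what the image needs.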
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ $# -gt 0 ]; then
+
+ if [ -f "/usr/lib/mocha/mocha-$1" ]; then
+
+ MOCHA_COMMAND=$1
+ shift
+ exec "/usr/lib/mocha/mocha-$MOCHA_COMMAND" ${1+"$@"}
+
+ else
+
+ echo "mocha: '$1' is not a mocha command. See 'mocha --help'."
+
+ fi
+
+else
+
+ echo "usage: mocha $(echo /usr/lib/mocha/mocha-* | sed -e 's/\/usr\/lib\/mocha\/mocha\-//g' -e 's/ /|/g')"
+
+fi
diff --git a/libexec/mocha/mocha-clean b/libexec/mocha/mocha-clean
new file mode 100644
index 0000000..fa13f26
--- /dev/null
+++ b/libexec/mocha/mocha-clean
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ "$1" != "-y" ]; then
+
+ echo "ARE YOU SURE you wish to CLEAN this SUV?"
+ echo "This will DESTROY all data and rebuild from a clean master image."
+ echo ""
+ echo -n "Type YES to confirm: > "
+ read CONFIRMYES
+ if [ "$CONFIRMYES" != "YES" ]; then
+ echo ""
+ echo "OK, not doing anything"
+ exit 1
+ fi
+
+fi
+
+rm /etc/mocha/*
+mocha up
diff --git a/libexec/mocha/mocha-up b/libexec/mocha/mocha-up
new file mode 100755
index 0000000..96ccc89
--- /dev/null
+++ b/libexec/mocha/mocha-up
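Review bot: In the `mocha` dispatcher an unknown subcommand is reported on stdout and the script still exits 0, so a caller such as `lxc shell … mocha up` in `carafe` cannot tell that nothing ran; write the message with `>&2` and follow it with `exit 1`. The message points to `mocha --help`, which would itself be rejected as an unknown command because the dispatcher only looks for a `/usr/lib/mocha/mocha-$1` file. `${1+"$@"}` is a workaround for very old shells; under `#!/bin/bash` plain `"$@"` is equivalent.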
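Review bot: `rm /etc/mocha/*` in `mocha-clean` deletes more than the credentials `mocha up` regenerates: it also removes `/etc/mocha/container`, written once by `carafe` when the instance is created, and `/etc/mocha/passwd`, written once by `firstrun.sh`, and neither is recreated, so after a clean the banner shows an empty container name and the `webmaster`/`zqadmin` passwords are gone. It also reports an error on the `include` directory because there is no `-r`. Name the files instead, e.g. `rm -f /etc/mocha/username /etc/mocha/userpass /etc/mocha/dbname /etc/mocha/dbuser /etc/mocha/dbpass /etc/mocha/suvstart`, and use `read -r` for the confirmation.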
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+FIRSTRUN=0
+
+if [ -f "/etc/mocha/container" ]; then
+ MOCHA_CONTAINER=$(cat /etc/mocha/container)
+else
+ MOCHA_CONTAINER=""
+fi
+
+if [ -f "/etc/mocha/username" ]; then
+ MOCHA_USERNAME=$(cat /etc/mocha/username)
+ MOCHA_PASSWORD=$(cat /etc/mocha/userpass)
+else
+ # we are running for the first time (or we are transient)
+ HTML_HOME=/var/www/html
+
+ # reset the configuration file
+ cp /etc/mocha/include/Configuration.inc.php.template $HTML_HOME/include/Configuration.inc.php
+
+ # generate a not-very-secure but easily-rememberable password for zq-developer
+ MOCHA_USERNAME="zq-developer"
+ MOCHA_PASSWORD=$(pwgen -N 1)
+
+ if [ ! $? -eq 0 ]; then
+ echo ""
+ echo "could not generate a secure password, you may need to (re-)install pwgen"
+ echo ""
+ exit 3
+ fi
+
+ echo $MOCHA_USERNAME > /etc/mocha/username
+ echo $MOCHA_PASSWORD > /etc/mocha/userpass
+
+ MOCHA_DB_DATABASENAME="mocha_suv"
+ MOCHA_DB_USERNAME="mocha_suv"
+
+ # also generate a slightly more secure machine password for the mariadb database...
+ MOCHA_DB_PASSWORD=$(pwgen -s 32 -N 1)
+ # ... and add it to the configuration file
+ sed -i -e "s/@@MOCHA_DB_DATABASENAME@@/$MOCHA_DB_DATABASENAME/" -e "s/@@MOCHA_DB_USERNAME@@/$MOCHA_DB_USERNAME/" -e "s/@@MOCHA_DB_PASSWORD@@/$MOCHA_DB_PASSWORD/" $HTML_HOME/include/Configuration.inc.php
+
+ # ... and also add it to our local configuration
+ echo $MOCHA_DB_DATABASENAME > /etc/mocha/dbname
+ echo $MOCHA_DB_USERNAME > /etc/mocha/dbuser
+ echo $MOCHA_DB_PASSWORD > /etc/mocha/dbpass
+
+ # don't forget to make a backup
+ cp $HTML_HOME/include/Configuration.inc.php $HTML_HOME/include/Configuration.inc.php.bak
+
+ # create the MySQL database and user with the previously generated password
+ mysql -e "DROP DATABASE IF EXISTS $MOCHA_DB_DATABASENAME; DROP USER IF EXISTS $MOCHA_DB_USERNAME;"
+ mysql -e "CREATE DATABASE $MOCHA_DB_DATABASENAME; CREATE USER $MOCHA_DB_USERNAME IDENTIFIED BY '$MOCHA_DB_PASSWORD'; GRANT ALL ON $MOCHA_DB_DATABASENAME.* TO '$MOCHA_DB_USERNAME'@'%';"
+
+ # install mocha using the `mocha oms` command
+ mocha oms install
+ mocha oms install library /usr/share/mocha/libraries
+
+ mocha oms tenant select super
+
+ # set the new user name and password for the initial mocha user
+ mocha oms user set-password "$MOCHA_USERNAME" "$MOCHA_PASSWORD"
+
+ mocha oms tenant release
+
+ # record the initial start time for the SUV
+ echo $(date "+%Y-%m-%dT%H:%M:%S") > /etc/mocha/suvstart
+ chmod a+r /etc/mocha/suvstart
+
+ FIRSTRUN=1
+fi
+
+echo ""
+echo "******************************************"
+echo ""
+echo "Thank you for provisioning your Mocha SUV!"
+echo "You can log in with the following details:"
+echo ""
+if [ "$MOCHA_CONTAINER" != "" ]; then
+ echo "Container: $MOCHA_CONTAINER"
+fi
+echo "User name: $MOCHA_USERNAME"
+echo "Password: $MOCHA_PASSWORD"
+echo ""
+echo "Your domain and IP address information is:"
+echo ""
+echo " $MOCHA_CONTAINER.privatesuv.com"
+# ip addr show dev enp0s8 | grep inet
+ip addr | grep 'scope global'
+echo ""
+
+SHOW_ADDITIONAL_LOGINS=0
+if [ $SHOW_ADDITIONAL_LOGINS -eq 1 ]; then
+ if [ -f /etc/mocha/passwd ]; then
+
+ echo "Additional login information is as follows:"
+ echo ""
+ cat /etc/mocha/passwd
+ echo ""
+
+ fi
+fi
+
+echo "******************************************"
+echo ""
+
+if [ $FIRSTRUN -eq 1 ]; then
+ # register the SUV for automatic shutdown in 10 hours
+ /usr/lib/mocha/spot_register_for_shutdown 600
+fi
diff --git a/libexec/mocha/spot_register_for_shutdown b/libexec/mocha/spot_register_for_shutdown
new file mode 100644
index 0000000..accc70e
--- /dev/null
+++ b/libexec/mocha/spot_register_for_shutdown
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "!!! This Spot Instance will automatically terminate in $1 minutes !!!"
+shutdown -P +$1
diff --git a/mocha-common b/mocha-common
new file mode 160000
index 0000000..65c6b69
--- /dev/null
+++ b/mocha-common
@@ -0,0 +1 @@
+Subproject commit 65c6b698a3dd1215ccd51de45ea3349f231bbf70
diff --git a/mocha-php b/mocha-php
new file mode 160000
index 0000000..368d3e5
--- /dev/null
+++ b/mocha-php
@@ -0,0 +1 @@
+Subproject commit 368d3e576f6be77aa17571da90f056fa2f5e9354
diff --git a/site.conf b/site.conf
new file mode 100644
index 0000000..4047ffd
--- /dev/null
+++ b/site.conf
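Review bot: The backup step in `mocha-up` copies the populated configuration, including the database password, to `$HTML_HOME/include/Configuration.inc.php.bak` inside the Apache document root; a `.bak` file is not executed as PHP, so unless the `.htaccess` (not shown in this diff) denies it, a request for that path would return the file as text. Keep the backup outside the web root, e.g. `cp "$HTML_HOME/include/Configuration.inc.php" /etc/mocha/include/Configuration.inc.php.bak`. `/etc/mocha/userpass` and `/etc/mocha/dbpass` are written under the default umask, so add `umask 077` before the first `echo … > /etc/mocha/…`. The database account is created for any host (`'%'`); if only processes inside the container connect, `'$MOCHA_DB_USERNAME'@'localhost'` in both `CREATE USER` and `GRANT` narrows it.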
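Review bot: Nothing in this commit installs `spot_register_for_shutdown` into the image: `carafe` copies `libexec/mocha/mocha-*`, `libexec/mocha/mocha` and the `carafe` directory, and this file name matches none of them, so the call `/usr/lib/mocha/spot_register_for_shutdown 600` at the end of `mocha-up` would fail and the automatic shutdown would never be scheduled, unless something outside this diff installs it. Add an explicit `cp libexec/mocha/spot_register_for_shutdown $BASEPATH/usr/lib/mocha` to `carafe`. The script should also check its argument before use, e.g. `: "${1:?minutes required}"`.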
@@ -0,0 +1,37 @@
+
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+
+ AllowOverride All
+
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/localhost.crt
+ SSLCertificateKeyFile /etc/ssl/certs/localhost.key
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+
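Review bot: `SSLCertificateKeyFile /etc/ssl/certs/localhost.key` keeps the private key in `/etc/ssl/certs`, a directory that is world-readable on Ubuntu, and `carafe` places it there with a plain `cp` of a file committed with mode 644. Install the key under `/etc/ssl/private` with mode 0600 and root ownership, and point the directive there: `SSLCertificateKeyFile /etc/ssl/private/localhost.key`. `AllowOverride All` lets any `.htaccess` under the document root change server behaviour, and `firstrun.sh` makes that tree owned by `webmaster`; narrow it to the override classes the application needs if that is feasible.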