diff --git a/deploy/approve-certs.sh b/deploy/approve-certs.sh
new file mode 100755
index 0000000000000000000000000000000000000000..5c5af8be615b14c1444e7a8e09a93d723bbc323b
--- /dev/null
+++ b/deploy/approve-certs.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+for i in `deploy/list-sites.sh $1`; do
+ echo "Approving combined cert for $i";
+ cp ../orchestration/TLS/combined/$i.pem ../orchestration/TLS/approved-certs/$i.pem;
+ scp ../orchestration/TLS/approved-certs/$i.pem root@$1:/data/server-wide/haproxy/approved-certs/
+done
diff --git a/deploy/check-cert.sh b/deploy/check-cert.sh
new file mode 100755
index 0000000000000000000000000000000000000000..2f9b38e637e470bdbbda26fd2cd0f4ab16c1e72c
--- /dev/null
+++ b/deploy/check-cert.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+if [ $# -eq 2 ]; then
+ CA=$2
+else
+ CA="startssl"
+fi
+echo "CA is $CA"
+
+echo Some information about cert ../orchestration/TLS/cert/$1.cert:
+openssl x509 -text -in ../orchestration/TLS/cert/$1.cert | head -50 | grep -v ^\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
+
+#echo Some information about chain cert ../orchestration/TLS/chain/$2.pem:
+#openssl x509 -text -in ../orchestration/TLS/chain/$2.pem
+
+#echo Some information about key ../orchestration/TLS/key/$1.key:
+#openssl rsa -text -in ../orchestration/TLS/key/$1.key
+
+cat ../orchestration/TLS/cert/$1.cert ../orchestration/TLS/chain/$CA.pem ../orchestration/TLS/key/$1.key > ../orchestration/TLS/combined/$1.pem
+
+echo Running a test server on port 4433 on this server now \(please use your browser to check\):
+openssl s_server -cert ../orchestration/TLS/combined/$1.pem -www
diff --git a/deploy/default-ca b/deploy/default-ca
new file mode 100644
index 0000000000000000000000000000000000000000..5651ffe43c422e04839ffc5d1eef980af7318768
--- /dev/null
+++ b/deploy/default-ca
@@ -0,0 +1 @@
+startssl
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
new file mode 100755
index 0000000000000000000000000000000000000000..085d7fd7c8901f832ae9e18b4c073d9d58a49921
--- /dev/null
+++ b/deploy/deploy.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+if [ $# -ge 1 ]; then
+ SERVER=$1
+else
+ echo "Usage: sh ./deploy/deploy.sh server [branch [user]]"
+ exit 1
+fi
+if [ $# -ge 2 ]; then
+ BRANCH=$2
+else
+ BRANCH="master"
+fi
+if [ $# -ge 3 ]; then
+ USER=$3
+else
+ USER="core"
+fi
+if [ -e ../orchestration/per-server/$SERVER/default-site ]; then
+ DEFAULTSITE=`cat ../orchestration/per-server/$SERVER/default-site`
+else
+ DEFAULTSITE=$SERVER
+fi
+echo "Infrastructure branch is $BRANCH"
+echo "Remote user is $USER"
+echo "Default site is $DEFAULTSITE"
+
+chmod -R go-w ../orchestration/deploy-keys
+if [ -f ../orchestration/deploy-keys/authorized_keys ]; then
+ scp -r ../orchestration/deploy-keys $USER@$SERVER:.ssh
+fi
+scp ./deploy/onServer.sh $USER@$SERVER:
+ssh $USER@$SERVER sudo mkdir -p /var/lib/coreos-install/
+scp ../infrastructure/cloud-config $USER@$SERVER:/var/lib/coreos-install/user_data
+ssh $USER@$SERVER sudo sh ./onServer.sh $BRANCH $DEFAULTSITE
+cd ../orchestration/per-server/$SERVER/sites/
+for i in * ; do
+ echo "setting up site $i as `cat $i` on $SERVER";
+ ssh $USER@$SERVER sudo mkdir -p /data/per-user/$i/
+ scp ../../../TLS/approved-certs/$i.pem $USER@$SERVER:/data/server-wide/haproxy/approved-certs/$i.pem
+ rsync -r ../../../../user-data/live/$SERVER/$i/ $USER@$SERVER:/data/per-user/$i/
+ ssh $USER@$SERVER sudo sh /data/infrastructure/scripts/activate-user.sh $i `cat $i`
+done
+
+# Restart the default site now that its data has been rsync'ed in place:
+ssh $USER@$SERVER sudo systemctl restart nginx\@$DEFAULTSITE
diff --git a/deploy/forget-server-fingerprint.sh b/deploy/forget-server-fingerprint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..c1e000c38318db0528f7eb22fda96c3629abdaf3
--- /dev/null
+++ b/deploy/forget-server-fingerprint.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+ssh-keygen -R $1
diff --git a/deploy/list-sites.sh b/deploy/list-sites.sh
new file mode 100755
index 0000000000000000000000000000000000000000..82875b950c5ec3a5c212e5b387c14e3dad04fec9
--- /dev/null
+++ b/deploy/list-sites.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+cd ../orchestration/per-server/$1/sites
+for i in *; do
+ echo $i
+done
diff --git a/deploy/onServer.sh b/deploy/onServer.sh
new file mode 100755
index 0000000000000000000000000000000000000000..94f9fc3eef08f164b6f9da3315b93bf7dcb15e2a
--- /dev/null
+++ b/deploy/onServer.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+echo Starting etcd:
+/usr/bin/coreos-cloudinit --from-file=/var/lib/coreos-install/user_data
+
+echo Cloning the infrastructure repo into /data/infrastructure:
+mkdir /data
+cd /data
+git clone https://github.com/indiehosters/infrastructure.git
+cd infrastructure
+
+echo Checking out $1 branch of the IndieHosters infrastructure:
+git checkout $1
+git pull
+
+echo Running the server setup script:
+sh scripts/setup.sh $2
diff --git a/doc/deploying-a-server.md b/doc/deploying-a-server.md
new file mode 100644
index 0000000000000000000000000000000000000000..763f1cf60e6c612ee67a927d3d1677c5abce4ba5
--- /dev/null
+++ b/doc/deploying-a-server.md
@@ -0,0 +1,60 @@
+# Deploying a server
+
+## Before you start
+Make sure you read [getting started](getting-started-as-a-hoster.md) first and created your `indiehosters` folder structure somewhere
+on your laptop.
+
+### Prepare your orchestration data
+* Get a CoreOS server, for instance from [RackSpace](rackspace.com) or [Vultr](vultr.com).
+* If you didn't add your public ssh key during the order process (e.g. through your IaaS control panel or a cloud-config file), and unless it's already there from a previous server deploy job, copy your laptop's public ssh key (probably in `~/.ssh/id_rsa.pub`) to `indiehosters/orchestration/deploy-keys/authorized_keys`
+* Give the new server a name (in this example, we call the server 'k3')
+* Create an empty folder `indiehosters/orchestration/per-server/k3/sites` (replace 'k3' with your server's domain name)
+* Add k3 to your /etc/hosts with the right IP address
+* If you have used this name before, run `./deploy/forget-server-fingerprint.sh k3`
+* From the `indiehosters/dev-scripts` folder, run `sh ./deploy/deploy.sh k3`
+* This will ask for the ssh password once; the rest should be automatic!
+
+### Adding a website to your server
+* For each site you want to deploy on the server, e.g. example.com, do the following:
+ * Does example.com already exist as a domain name?
+ * If yes, then find out to what extent it's currently in use (and needs to be migrated with care). There are a few options:
+ * Transfer the domain into your DNR account.
+ * Set up DNS hosting for it and ask the owner to set authoritative DNS to the DNS servers you control
+ * Ask the user to keep DNR and DNS control where it is currently, but to switch DNS when it's ready at the new server
+ * In any case, you will probably need access to the hostmaster@example.com email address, for the StartSSL process *before*
+ the final DNS switch. You could also ask them to tell you the verification code that arrives there, but that has to be done
+ in real time, immediately when you click 'verify' in the StartSSL UI. If they forward the email the next day, then the token
+ will already have expired.
+ * If no, register it (at Namecheap or elsewhere).
+ * Decide which image to run as the user's main website software (check out `../dockerfiles/sites/` to see which ones can be used for this)
+ * Say you picked nginx, then create a text file containing just the word 'nginx' at
+ `indiehosters/orchestration/per-server/k3/sites/example.com`
+ * If you already have some content that should go on there, and which is compatible with the image you chose,
+ put it in `indiehosters/user-data/example.com/nginx/` (replace 'nginx' with the actual image name you're using;
+ note that for wordpress it's currently a bit more complicated, as this relies on more than one image, so you
+ would then probably have to import both the user's wordpress folder and their mysql folder).
+ * Unless there is already a TLS certificate at `indiehosters/user-data/example.com/tls.pem` get one
+ (from StartSSL or elswhere) for example.com and concatenate the certificate
+ and its unencrypted private key into `indiehosters/user-data/example.com/tls.pem`
+ * Make sure the TLS certificate is valid (use `indiehosters/infrastructure/scripts/check-cert.sh` for this), and if it is,
+ copy it from
+ `indiehosters/user-data/example.com/tls.pem`
+ to `indiehosters/orchestration/TLS/approved-certs/example.com.pem`.
+ * Now run `deploy/deploy.sh k3` again. It will make sure the server is in the correct state, and scp the user data and the
+ approved cert into place, start a container running the image requested, update haproxy config, and restart the haproxy container.
+ * Test the site using your /etc/hosts. If you did not import data, there should be some default message there. For wordpress, be aware
+ that the site is installed in a state where any visitor can take control over it.
+ * Switch DNS and note down the current DNS situation in `indiehosters/orchestration/DNS/example.com` (or if you're hosting
+ a subdomain of another domain, update whichever is the zone file you edited).
+
+## Deploying a mailserver
+
+Right now, this is still a bit separate from the rest of the infrastructure - just get a server with Docker (doesn't have to be coreos), and run:
+
+```bash
+docker run -d -p 25:25 -p 443:443 indiehosters/yunohost /sbin/init
+```
+
+Then set up the mail domains and forwards through the web interface (with self-signed cert) on https://server.com/.
+Use Chrome for this, because Firefox will refuse to let you view the admin interface because of the invalid TLS cert.
+The initial admin password is 'changeme' - change it on https://server.com/yunohost/admin/#/tools/adminpw
diff --git a/doc/developing-dockerfiles-and-infrastructure.md b/doc/developing-dockerfiles-and-infrastructure.md
new file mode 100644
index 0000000000000000000000000000000000000000..029246aa8dc80fdf3468dc6314d746864bc2b0ad
--- /dev/null
+++ b/doc/developing-dockerfiles-and-infrastructure.md
@@ -0,0 +1,28 @@
+# Developing Dockerfiles and infrastructure
+
+## Developing Dockerfiles
+
+To develop Dockerfiles, you can use a server that's not serving any live domains, use `docker` locally on your laptop, or use the `vagrant up` instructions to run the infrastructure inside vagrant.
+
+## Developing infrastructure
+
+To develop the infrastructure, create a branch on the infrastructure repo and specify that branch at the end of the deploy command, for instance:
+
+```bash
+sh ./deploy/deploy.sh k4 dev
+```
+
+Will deploy a server at whatever IP address "k4" points to in your /etc/hosts, using the "dev" branch of https://github.com/indiehosters/infrastructure.
+
+## Testing new Dockerfiles in the infrastructure
+
+To test the infrastructure with a changed Dockerfile, you need to take several steps:
+
+* Develop the new Dockerfiles as described above at "Developing Dockerfiles"
+* When you're happy with the result, publish this new Dockerfile onto the docker hub registry under your own username (e.g. michielbdejong/haproxy-with-http-2.0)
+* Now create a branch on the infrastructure repo (e.g. "dev-http-2.0")
+* In this branch, grep for the Dockerfile you are updating, and replace its name with the experimental one everywhere:
+ * the `docker pull` statement in scripts/setup.sh
+ * the `docker run` statement in the appropriate systemd service file inside unit-files/
+* Push the branch to the https://github.com/indiehosters/infrastructure repo
+* Now deploy a server from your experimental infrastructure branch (which references your experimental Docker image), as described above at "Developing infrastructure"
diff --git a/doc/getting-started-as-a-hoster.md b/doc/getting-started-as-a-hoster.md
new file mode 100644
index 0000000000000000000000000000000000000000..6272ebed5425a3cb9d748004b1e9a66fc3692a13
--- /dev/null
+++ b/doc/getting-started-as-a-hoster.md
@@ -0,0 +1,123 @@
+Getting started as an IndieHosters hoster
+===========
+
+# Prerequisites
+
+Each IndieHoster is an entirely autonomous operator, without any infrastructural ties to other IndieHosters.
+These scripts and docs will help you run and manage servers and services as an IndieHoster, whether you're
+a certified as a branch of the IndieHosters franchise or not. To get started, on your laptop machine,
+create a folder structure as follows:
+
+```
+ indiehosters --- billing
+ |
+ -- dev-scripts
+ |
+ -- dockerfiles
+ |
+ -- infrastructure
+ |
+ -- orchestration --- deploy-keys
+ | |
+ | -- DNR
+ | |
+ | -- DNS
+ | |
+ | -- MON
+ | |
+ | -- per-server
+ | |
+ | -- TLS --- approved-certs
+ | |
+ -- user-data --- backup -- cert
+ | |
+ -- live -- chain
+ |
+ -- combined
+ |
+ -- key
+```
+The `infrastructure`, `dockerfiles`, and `dev-scripts` folders are the corresponding repos under https://github.com/indiehosters.
+
+# Hoster data
+
+The `orchestration` folder will contain your orchestration data (what *should* be happening on each server, at each domain name
+registrar, and at each TLS certificate authority), and `billing` will contain
+your billing data (data about your human customers, including contact info,
+who is in control of which product, which products were/should be added/removed on which dates, and history of all tech support
+issues of this customer, and if for paying customers also the billing and payment history).
+
+If you're used to working with git as a versioning tool, then it's a good idea to make `indiehosters/orchestration` and
+`indiehosters/billing` into (private!) git repos, so
+that you can track changes over time, and search the history to resolve mysteries when they occur. You may also use a different
+versioning system, or just take weekly and daily backups (but then it's probably a good idea to retain the weeklies for a couple
+of years, and even then it will not be as complete as a history in a versioning system).
+
+The per-server orchestration data is about what a specific one of your servers *should* be doing at this moment.
+This is fed into CoreOS (systemd -> etcd -> confd -> docker) to make sure the server actually starts and keeps doing these things,
+and also into monitoring, to make sure you get alerted when a server misbehaves.
+
+The DNR, TLS, MON, and DNS folders under orchestration are for you to keep track of Domain Name Registration, Transport
+Layer Security, MONitoring, and Domain Name System services which you are probably getting from
+third-party service providers, alongside the services which
+you run on your own servers.
+Note that although it's probably inevitable that you resell DNR and TLS services from some third party, and your monitoring would ideally
+also run on a system that's decoupled from your actual servers, you may not be reselling DNS
+hosting. If you host DNS for your customer on server-wide bind services that directly read data from files on the per-user data folders,
+then you don't need this folder, and instead DNS data will be under `indiehosters/user-data`.
+
+The deploy-keys folder contains the authorized_keys file which is the first thing you scp to each server you add to your fleet.
+
+# User data
+Everything under `indiehosters/user-data` is data owned by one of your users. Which human owns which site is something you can administer
+by hand somehow in the `indiehosters/billing` folder.
+All user data is *untrusted* from your point of view, it is not owned by you as a hoster,
+and users may change it at any time (and then probably contact you for a backup whenever they mess up!). It makes sense to give users
+only read-only access to this data by default, and have a big "Are you sure? Warranty will be void!" warning before they can activate
+write-access to their own data (and then probably trigger an extra backup run just before allowing them to edit their own raw data).
+This is how some operating systems on user devices also deal with this.
+But in the end, the user, and not you, owns this data, and they can do with it what they want, at their own risk.
+
+Just like a mailman is not supposed to open and read letters, you also should treat each user's data as a closed envelope
+which you never open up, unless in the following cases:
+
+* There may things you need to import from specific files on there (like a user-supplied TLS certificate or DNS zone)
+* When running backups, you sometimes can't avoid seeing some of the modified filenames flying by (depending on the backup software)
+* After explicit permission of the user, when this is useful for tech support (e.g. fix a corrupt mysql database for them)
+
+# Backups
+This folder structure contains all the critical data of your operations as an IndieHoster, from start to finish, so make sure you don't
+ever lose it, no matter what calamity may strike. Once a month, put a copy of it on a USB stick, and put that in a physically safe place.
+
+You may give a trusted person an emergency key to your infrastructure, in case you walk under a bus. Think about the risk of data loss and
+establish an emergency recovery plan for when, for instance, the hard disk of your laptop or of one of your servers die.
+
+Make sure you often rsync the live data from each of your servers to indiehosters/user-data/live/{servername}/{domain} and store snapshots
+regularly (for instance to indiehosters/user-data/backup). Users *will* contact you sooner or later asking for "the backup from last Tuesday"
+and they will expect you to have one.
+
+# Basic digital hygiene
+At the same time, be careful who may obtain access to your critical data. Is your laptop really safe? Does the NSA have access to the servers you run?
+
+Someone may plant a Trojan on a computer in an internet cafe from where you access your Facebook account, access your gmail account
+for which you use the same password, reset your RackSpace password and restore a backup from your Cloud Files to somewhere else.
+
+Make a diagram of how your laptop talks to your USB sticks and your servers. Then make a diagram of the services you use and to which
+email addresses they send password reset emails. Draw a perimeter of trust in both diagrams, and start taking some basic measures to
+keep your laptop secure.
+
+Don't mix accounts and email addresses which you may
+use from other computers, and keep your IndieHosters passwords and accounts separate from your other passwords and accounts, and reset
+them every few months. It might even
+make sense to dual-boot your laptop or boot from a live disk which resets on boot to make sure everything you do with IndieHosters data
+is done in a sterile environment.
+
+Also: lock your screen when walking away from your laptop, and think about what someone could do with it if they were to steal your bag,
+or your smartphone.
+
+# Do I have to use this?
+You can of course use any folder structure and scripts you want, as long as it doesn't change the format of each user-data folder, so that
+your customers can still migrate at will between you and other IndieHosters. However, you might find some of the scripts in this repo
+helpful at some point, and they (will) rely on
+`../infrastructure`, `../dockerfiles`, and `../orchestration/per-server` to be where they are in the diagram above.
+That's why it makes sense to create this folder structure now, and then continue to [deploying a server](deploying-a-server.md)! :)