diff --git a/source/resources/apps/sharkfork-bootstrap/forksand-sf-redis-bootstrap b/source/resources/apps/sharkfork-bootstrap/forksand-sf-redis-bootstrap
new file mode 100755
index 0000000..acd7d55
--- /dev/null
+++ b/source/resources/apps/sharkfork-bootstrap/forksand-sf-redis-bootstrap
@@ -0,0 +1,289 @@
+#!/bin/bash
+# forksand-sf-redis-bootstrap
+# GPLv3+
+# This script does some initial setup and config
+
+# Log script
+exec > >(tee /root/bootstrap-sf-redis.log) 2>/root/bootstrap-sf-redis.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Use apt-cache
+echo 'Acquire::http::Proxy "http://10.22.22.112:3142";' > /etc/apt/apt.conf
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore <<EOF
+prelink.cache
+*.swp
+ld.so.cache
+adjtime
+blkid.tab
+blkid.tab.old
+mtab
+resolv.conf
+asound.state
+mtab.fuselock
+aliases.db
+EOF
+
+git config --global user.name "jebba"
+git config --global user.email moe@forksand.com
+cd /etc ; git add . ; git commit -m 'Add apt cache' /etc/apt/apt.conf
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian stretch server.'
+
+# Firewall
+# Create iptables startup script (is this still needed? From squeeze era)
+cat > /etc/network/if-pre-up.d/iptables <<EOF
+#!/bin/bash
+# iptables
+/sbin/iptables-restore < /etc/iptables.up.rules
+EOF
+
+cat > /etc/iptables.test.rules <<EOF
+# iptables.test.rules
+*filter
+
+# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+
+# Accepts all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allows all outbound traffic
+# You could modify this to only allow certain traffic
+-A OUTPUT -j ACCEPT
+
+# SSH Access Port
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 22202 -j ACCEPT
+
+# Allow web port 80 for Letsencrypt
+#-A INPUT -p tcp --dport  80 -j ACCEPT
+
+# Redis Access Ports
+-A INPUT -p tcp --dport  6379 -j ACCEPT
+-A INPUT -p tcp --dport 16379 -j ACCEPT
+
+# Allow ping
+#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+# log iptables denied calls (access via 'dmesg' command)
+
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+# Reject all other inbound - default deny unless explicitly allowed policy:
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+COMMIT
+EOF
+
+touch /etc/iptables.up.rules
+chmod 600 /etc/iptables.up.rules
+chmod 755 /etc/network/if-pre-up.d/iptables
+chmod 600 /etc/iptables.test.rules
+iptables-restore < /etc/iptables.test.rules
+iptables -L -n
+iptables-save > /etc/iptables.up.rules
+
+cd /etc ; git add . ; git commit -a -m 'Set up firewall.'
+
+# scriptlet for root to reload firewall rules
+cat > /root/iptables-reload <<EOF
+iptables-restore < /etc/iptables.test.rules
+iptables-save > /etc/iptables.up.rules
+EOF
+chmod 700 /root/iptables-reload
+
+
+# SET UP APT
+#
+cat > /etc/apt/sources.list <<EOF
+deb http://mirrors.kernel.org/debian/ stretch-backports main
+deb http://mirrors.kernel.org/debian/ stretch main
+deb http://mirrors.kernel.org/debian/ stretch-updates main
+deb http://security.debian.org/ stretch/updates main
+EOF
+
+# Make apt use IPv4:
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+git add /etc/apt/apt.conf.d/99force-ipv4
+git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
+
+cd /etc ; git add . ; git commit -a -m 'Set up apt.'
+
+# UPGRADE SERVER
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+cd /etc ; git add . ; git commit -a -m 'Update base install'
+
+apt-get -y --download-only install					\
+	--no-install-recommends						\
+	apt-transport-https						\
+	bzip2								\
+	ca-certificates							\
+	colordiff							\
+	curl								\
+	debian-archive-keyring						\
+	exuberant-ctags							\
+	git								\
+	host								\
+	less								\
+	locales								\
+	lsb-release							\
+	man-db								\
+	manpages							\
+	molly-guard							\
+	net-tools							\
+	ntp								\
+	openssh-server							\
+	python3								\
+	qemu-guest-agent						\
+	rsync								\
+	telnet								\
+	traceroute							\
+	vim								\
+	vim-scripts
+
+DEBIAN_FRONTEND=noninteractive apt-get -y 				\
+	-o Dpkg::Options::="--force-confdef"				\
+	-o Dpkg::Options::="--force-confnew"				\
+	install								\
+	--no-install-recommends						\
+	apt-transport-https						\
+	bzip2								\
+	ca-certificates							\
+	colordiff							\
+	curl								\
+	debian-archive-keyring						\
+	exuberant-ctags							\
+	git								\
+	host								\
+	less								\
+	locales								\
+	lsb-release							\
+	man-db								\
+	manpages							\
+	molly-guard							\
+	net-tools							\
+	ntp								\
+	openssh-server							\
+	python3								\
+	qemu-guest-agent						\
+	rsync								\
+	telnet								\
+	traceroute							\
+	vim								\
+	vim-scripts
+
+cd /etc ; git add . ; git commit -a -m 'Install base packages'
+
+# NTP SharkTech. They firewall outside ntp.
+sed -i                                                                                   \
+ -e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g'                \
+ -e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g'                \
+ -e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g'                \
+ -e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g'              \
+ /etc/ntp.conf
+
+cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
+/etc/init.d/ntp restart
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i  \
+ -e 's/PermitRootLogin yes/PermitRootLogin no/g' \
+ -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
+ -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+ -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+ /etc/ssh/sshd_config
+
+echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i 
+  /usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Don't load IPv6 kernel modules.
+echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
+echo alias net-pf-10 off >>  /etc/modprobe.d/aliases.conf
+echo alias ivp6 off  >>  /etc/modprobe.d/aliases.conf
+# Disable IPv6 with sysctl.
+cat >> /etc/sysctl.conf <<EOF
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+#net.ipv6.conf.ens3.disable_ipv6 = 1
+EOF
+
+sysctl -p
+cd /etc ; git add . ; git commit -a -m 'Disable IPv6'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+cd /etc ; git add . ; git commit -a -m 'autoremove'
+
+apt clean
+
+exit 0
+
+# Reboot
+
+# Set up Redis
+apt-get install -t stretch-backports redis redis-sentinel