diff --git a/source/resources/apps/sharkfork-bootstrap/TUNING-NOTES b/source/resources/apps/sharkfork-bootstrap/TUNING-NOTES
index 8384eeb..4ab407c 100644
--- a/source/resources/apps/sharkfork-bootstrap/TUNING-NOTES
+++ b/source/resources/apps/sharkfork-bootstrap/TUNING-NOTES
@@ -107,3 +107,12 @@ ceph osd crush rule create-replicated fast default host nvme
 # Then do this to have pool use new rule:
 ceph osd pool set nvmepool crush_rule fast
 # nope
+
+
+##############################
+# Change disk encryption password, check disk with crypto, then:
+#cryptsetup -y luksAddKey /dev/sdb1
+#cryptsetup luksRemoveKey /dev/sdb1
+
+#cryptsetup -y luksAddKey /dev/sda2
+#cryptsetup luksRemoveKey /dev/sda2
diff --git a/source/resources/apps/sharkfork-bootstrap/forksand-sf-005-bootstrap b/source/resources/apps/sharkfork-bootstrap/forksand-sf-005-bootstrap
new file mode 100755
index 0000000..2805cb5
--- /dev/null
+++ b/source/resources/apps/sharkfork-bootstrap/forksand-sf-005-bootstrap
@@ -0,0 +1,239 @@ +#!/bin/bash +# forksand-bootstrap-sf-005 +# GPLv3+ +# This script does some initial setup and config +# Sets up Proxmox. + +# Log script +exec > >(tee /root/bootstrap-sf-005.log) 2>/root/bootstrap-sf-005.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba root" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' + +# GRUB +sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub +sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub + +update-grub + +cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' + +# Fix network to come up on boot +sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces +cd /etc ; git add . ; git commit -a -m 'Auto start network' + +# XXX not sure why this is getting installed: +apt-get -y autoremove + +apt-get -y remove os-prober + +# Proxmox +#cat > /etc/apt/sources.list.d/pve-enterprise.list< /etc/apt/sources.list.d/pve-no-subscription.list< /etc/apt/auth.conf<