From 2a3c1bb429efafae145da020b759d7526723d912 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@robotics.uk.to>
Date: Tue, 12 Jul 2016 08:27:11 +0100
Subject: [PATCH] Begin combining mesh install functions

---
 src/freedombone-app-batman      |  42 +++
 src/freedombone-app-syncthing   |  41 +++
 src/freedombone-app-tox         | 240 +++++++++++++
 src/freedombone-app-zeronet     | 165 ++++++++-
 src/freedombone-image-customise | 587 +-------------------------------
 src/freedombone-utils-avahi     |  40 +++
 src/freedombone-utils-firewall  | 427 +++++++++++++----------
 src/freedombone-utils-web       |  14 +
 src/freedombone-vars            |   3 +
 9 files changed, 790 insertions(+), 769 deletions(-)

diff --git a/src/freedombone-app-batman b/src/freedombone-app-batman
index cfa334d15..2d1da224a 100755
--- a/src/freedombone-app-batman
+++ b/src/freedombone-app-batman
@@ -84,7 +84,49 @@ function remove_batman {
 	sed -i '/configure_firewall_for_batman/d' $COMPLETION_FILE
 }
 
+function mesh_install_batman {
+	chroot "$rootdir" apt-get -y install iproute bridge-utils libnetfilter-conntrack3 batctl
+	chroot "$rootdir" apt-get -y install python-dev libevent-dev ebtables python-pip git
+	chroot "$rootdir" apt-get -y install wireless-tools rfkill
+
+	if ! grep -q "batman_adv" $rootdir/etc/modules; then
+		echo 'batman_adv' >> $rootdir/etc/modules
+	fi
+
+	BATMAN_SCRIPT=$rootdir/var/lib/batman
+
+	if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then
+		cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
+	else
+		cp /usr/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
+	fi
+
+	BATMAN_DAEMON=$rootdir/etc/systemd/system/batman.service
+	echo '[Unit]' > $BATMAN_DAEMON
+	echo 'Description=B.A.T.M.A.N. Advanced' >> $BATMAN_DAEMON
+	echo 'After=network.target' >> $BATMAN_DAEMON
+	echo '' >> $BATMAN_DAEMON
+	echo '[Service]' >> $BATMAN_DAEMON
+	echo 'RemainAfterExit=yes' >> $BATMAN_DAEMON
+	echo "ExecStart=/var/lib/batman start" >> $BATMAN_DAEMON
+	echo "ExecStop=/var/lib/batman stop" >> $BATMAN_DAEMON
+	echo 'Restart=on-failure' >> $BATMAN_DAEMON
+	echo 'SuccessExitStatus=3 4' >> $BATMAN_DAEMON
+	echo 'RestartForceExitStatus=3 4' >> $BATMAN_DAEMON
+	echo '' >> $BATMAN_DAEMON
+	echo '# Allow time for the server to start/stop' >> $BATMAN_DAEMON
+	echo 'TimeoutSec=300' >> $BATMAN_DAEMON
+	echo '' >> $BATMAN_DAEMON
+	echo '[Install]' >> $BATMAN_DAEMON
+	echo 'WantedBy=multi-user.target' >> $BATMAN_DAEMON
+	chroot "$rootdir" systemctl enable batman
+}
+
 function install_batman {
+	if [ $INSTALLING_MESH ]; then
+		mesh_install_batman
+		return
+	fi
 	if grep -Fxq "install_batman" $COMPLETION_FILE; then
 		return
 	fi
diff --git a/src/freedombone-app-syncthing b/src/freedombone-app-syncthing
index a36577339..ac806e829 100755
--- a/src/freedombone-app-syncthing
+++ b/src/freedombone-app-syncthing
@@ -255,7 +255,48 @@ function configure_firewall_for_syncthing {
 	echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
 }
 
+function mesh_install_syncthing {
+	chroot "$rootdir" wget -q https://syncthing.net/release-key.txt -O- | apt-key add -
+
+	echo "deb http://apt.syncthing.net/ syncthing release" | tee $rootdir/etc/apt/sources.list.d/syncthing.list
+	chroot "$rootdir" apt-get update
+	chroot "$rootdir" apt-get -y --force-yes install syncthing
+
+	# This probably does need to run as root so that it can access the Sync directories
+	# in each user's home directory
+	chroot "$rootdir" echo '[Unit]' > /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'Description=Syncthing - Open Source Continuous File Synchronization' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'Documentation=man:syncthing(1)' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'After=network.target' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'Wants=syncthing-inotify@.service' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo '' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo '[Service]' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'User=root' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo "Environment='all_proxy=socks5://localhost:9050'" >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'Restart=on-failure' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'SuccessExitStatus=3 4' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'RestartForceExitStatus=3 4' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo '' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo '[Install]' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" echo 'WantedBy=multi-user.target' >> /etc/systemd/system/syncthing.service
+	chroot "$rootdir" systemctl enable syncthing
+	chroot "$rootdir" systemctl daemon-reload
+
+	if ! grep -q "syncthing" $rootdir/etc/crontab; then
+		chroot "$rootdir" echo "*/1            * *   *   *   root /usr/local/bin/${PROJECT_NAME}-syncthing > /dev/null" >> /etc/crontab
+		chroot "$rootdir" systemctl restart cron
+	fi
+
+	echo 'mesh_install_syncthing'
+}
+
 function install_syncthing {
+	if [ $INSTALLING_MESH ]; then
+		mesh_install_syncthing
+		return
+	fi
+
 	if grep -Fxq "install_syncthing" $COMPLETION_FILE; then
 		return
 	fi
diff --git a/src/freedombone-app-tox b/src/freedombone-app-tox
index ffb6a8d86..7cc9b3d86 100755
--- a/src/freedombone-app-tox
+++ b/src/freedombone-app-tox
@@ -246,6 +246,11 @@ function tox_avahi {
 }
 
 function install_tox_node {
+	if [ $INSTALLING_MESH ]; then
+		mesh_tox_node
+		return
+	fi
+
 	if grep -Fxq "install_tox_node" $COMPLETION_FILE; then
 		return
 	fi
@@ -327,4 +332,239 @@ function install_tox {
 	echo 'install_tox' >> $COMPLETION_FILE
 }
 
+function mesh_tox_node {
+	# obtain commits from the main file
+	TOXCORE_COMMIT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXCORE_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
+	if [ ${#TOXCORE_COMMIT_MAIN} -gt 10 ]; then
+		TOXCORE_COMMIT=$TOXCORE_COMMIT_MAIN
+	fi
+	if [ ! $TOXCORE_COMMIT ]; then
+		echo $'No Tox commit was specified'
+		exit 76325
+	fi
+
+	TOX_PORT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOX_PORT=" | head -n 1 | awk -F '=' '{print $2}')
+	if [ ${#TOX_PORT_MAIN} -gt 2 ]; then
+		TOX_PORT=$TOX_PORT_MAIN
+	fi
+	if [ ! $TOX_PORT ]; then
+		echo $'No Tox port was specified'
+		exit 32856
+	fi
+
+	TOXCORE_REPO_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXCORE_REPO=" | head -n 1 | awk -F '"' '{print $2}')
+	if [ ${#TOXCORE_REPO_MAIN} -gt 10 ]; then
+		TOXCORE_REPO=$TOXCORE_REPO_MAIN
+	fi
+	if [ ! $TOXCORE_REPO ]; then
+		echo $'No Tox repo was specified'
+		exit 16865
+	fi
+
+	chroot "$rootdir" apt-get -y install build-essential libtool autotools-dev
+	chroot "$rootdir" apt-get -y install automake checkinstall check git yasm
+	chroot "$rootdir" apt-get -y install libsodium13 libsodium-dev libcap2-bin
+	chroot "$rootdir" apt-get -y install libconfig9 libconfig-dev
+
+
+	TEMP_SCRIPT_NAME=fbtmp37272.sh
+	TEMP_SCRIPT=/tmp/$TEMP_SCRIPT_NAME
+	echo '#!/bin/bash' > $TEMP_SCRIPT
+	echo "mkdir -p $INSTALL_DIR" >> $TEMP_SCRIPT
+	echo "git clone $TOXCORE_REPO $INSTALL_DIR/toxcore" >> $TEMP_SCRIPT
+	echo "cd $INSTALL_DIR/toxcore" >> $TEMP_SCRIPT
+	echo "git checkout $TOXCORE_COMMIT -b $TOXCORE_COMMIT" >> $TEMP_SCRIPT
+	echo 'autoreconf -i' >> $TEMP_SCRIPT
+	echo './configure --enable-daemon --disable-av' >> $TEMP_SCRIPT
+	echo 'make' >> $TEMP_SCRIPT
+	echo 'if [ ! "$?" = "0" ]; then' >> $TEMP_SCRIPT
+	echo '    exit 1' >> $TEMP_SCRIPT
+	echo 'fi' >> $TEMP_SCRIPT
+	echo 'make install' >> $TEMP_SCRIPT
+	echo 'cp /usr/local/lib/libtoxcore* /usr/lib/' >> $TEMP_SCRIPT
+	echo "cp $INSTALL_DIR/toxcore/other/bootstrap_daemon/tox-bootstrapd.service /etc/systemd/system/" >> $TEMP_SCRIPT
+	echo "sed -i 's|ExecStart=.*|ExecStart=/usr/local/bin/tox-bootstrapd --config /etc/tox-bootstrapd.conf|g' /etc/systemd/system/tox-bootstrapd.service" >> $TEMP_SCRIPT
+	echo 'systemctl enable tox-bootstrapd.service' >> $TEMP_SCRIPT
+	echo 'exit 0' >> $TEMP_SCRIPT
+	chmod +x $TEMP_SCRIPT
+	cp $TEMP_SCRIPT $rootdir/root/
+
+	SECONDS=0
+	chroot "$rootdir" /root/$TEMP_SCRIPT_NAME
+	if [ ! "$?" = "0" ]; then
+		duration=$SECONDS
+		echo $"Toxcore compile failed at $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
+		echo $'Unable to make toxcore'
+		rm $TEMP_SCRIPT
+		exit 73835
+	fi
+	duration=$SECONDS
+	echo $"Toxcore compile $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
+	rm $TEMP_SCRIPT
+
+	if [ ! -f $rootdir/usr/local/bin/tox-bootstrapd ]; then
+		echo $"File not found /usr/local/bin/tox-bootstrapd"
+		exit 37825
+	fi
+
+	chroot "$rootdir" useradd --home-dir /var/lib/tox-bootstrapd --create-home --system --shell /sbin/nologin --comment $"Account to run Tox's DHT bootstrap daemon" --user-group tox-bootstrapd
+	chroot "$rootdir" chmod 700 /var/lib/tox-bootstrapd
+
+	# remove Maildir
+	if [ -d $rootdir/var/lib/tox-bootstrapd/Maildir ]; then
+		rm -rf $rootdir/var/lib/tox-bootstrapd/Maildir
+	fi
+
+	# create configuration file
+	TOX_BOOTSTRAP_CONFIG=$rootdir/etc/tox-bootstrapd.conf
+	echo "port = $TOX_PORT" > $TOX_BOOTSTRAP_CONFIG
+	echo 'keys_file_path = "/var/lib/tox-bootstrapd/keys"' >> $TOX_BOOTSTRAP_CONFIG
+	echo 'pid_file_path = "/var/run/tox-bootstrapd/tox-bootstrapd.pid"' >> $TOX_BOOTSTRAP_CONFIG
+	echo 'enable_ipv6 = true' >> $TOX_BOOTSTRAP_CONFIG
+	echo 'enable_ipv4_fallback = true' >> $TOX_BOOTSTRAP_CONFIG
+	echo 'enable_lan_discovery = true' >> $TOX_BOOTSTRAP_CONFIG
+	echo 'enable_tcp_relay = true' >> $TOX_BOOTSTRAP_CONFIG
+	echo "tcp_relay_ports = [443, 3389, $TOX_PORT]" >> $TOX_BOOTSTRAP_CONFIG
+	echo 'enable_motd = true' >> $TOX_BOOTSTRAP_CONFIG
+	echo 'motd = "tox-bootstrapd"' >> $TOX_BOOTSTRAP_CONFIG
+
+	if [ $TOX_NODES ]; then
+		echo 'bootstrap_nodes = (' >> $TOX_BOOTSTRAP_CONFIG
+		toxcount=0
+		while [ "x${TOX_NODES[toxcount]}" != "x" ]
+		do
+			toxval_ipv4=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $1}')
+			toxval_ipv6=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $2}')
+			toxval_port=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $3}')
+			toxval_pubkey=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $4}')
+			toxval_maintainer=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $5}')
+			echo "{ // $toxval_maintainer" >> $TOX_BOOTSTRAP_CONFIG
+			if [[ $toxval_ipv6 != 'NONE' ]]; then
+				echo "  address = \"$toxval_ipv6\"" >> $TOX_BOOTSTRAP_CONFIG
+			else
+				echo "  address = \"$toxval_ipv4\"" >> $TOX_BOOTSTRAP_CONFIG
+			fi
+			echo "  port = $toxval_port" >> $TOX_BOOTSTRAP_CONFIG
+			echo "  public_key = \"$toxval_pubkey\"" >> $TOX_BOOTSTRAP_CONFIG
+			toxcount=$(( $toxcount + 1 ))
+			if [ "x${TOX_NODES[toxcount]}" != "x" ]; then
+				echo "}," >> $TOX_BOOTSTRAP_CONFIG
+			else
+				echo "}" >> $TOX_BOOTSTRAP_CONFIG
+			fi
+		done
+		echo ')' >> $TOX_BOOTSTRAP_CONFIG
+	fi
+}
+
+function mesh_tox_avahi {
+	if [ ! -d $rootdir/etc/avahi ]; then
+		echo $'tox_avahi: avahi is not installed'
+		exit 87359
+	fi
+
+	TOXID_REPO_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXID_REPO=" | head -n 1 | awk -F '"' '{print $2}')
+	if [ ${#TOXID_REPO_MAIN} -gt 5 ]; then
+		TOXID_REPO=$TOXID_REPO_MAIN
+	fi
+	if [ ! $TOXID_REPO ]; then
+		echo $'No ToxID repo was specified'
+		exit 78252
+	fi
+
+	TEMP_SCRIPT_NAME=fbtmp5328252.sh
+	TEMP_SCRIPT=/tmp/$TEMP_SCRIPT_NAME
+	echo '#!/bin/bash' > $TEMP_SCRIPT
+	echo "mkdir -p $INSTALL_DIR" >> $TEMP_SCRIPT
+	echo "git clone $TOXID_REPO $INSTALL_DIR/toxid" >> $TEMP_SCRIPT
+	echo "if [ ! -d $INSTALL_DIR/toxid ]; then" >> $TEMP_SCRIPT
+	echo '    exit 1' >> $TEMP_SCRIPT
+	echo 'fi' >> $TEMP_SCRIPT
+	echo "cd $INSTALL_DIR/toxid" >> $TEMP_SCRIPT
+	echo "make" >> $TEMP_SCRIPT
+	echo 'if [ ! "$?" = "0" ]; then' >> $TEMP_SCRIPT
+	echo '    exit 2' >> $TEMP_SCRIPT
+	echo 'fi' >> $TEMP_SCRIPT
+	echo 'make install' >> $TEMP_SCRIPT
+	echo 'if [ ! -f /usr/local/bin/toxavahi ]; then' >> $TEMP_SCRIPT
+	echo '  exit 3' >> $TEMP_SCRIPT
+	echo 'fi' >> $TEMP_SCRIPT
+	echo 'toxavahi' >> $TEMP_SCRIPT
+	echo 'echo "* *     * * *   root    /usr/local/bin/toxavahi > /dev/null" >> /etc/crontab' >> $TEMP_SCRIPT
+	echo 'systemctl restart avahi-daemon' >> $TEMP_SCRIPT
+	echo 'exit 0' >> $TEMP_SCRIPT
+	chmod +x $TEMP_SCRIPT
+	cp $TEMP_SCRIPT $rootdir/root/
+
+	chroot "$rootdir" /root/$TEMP_SCRIPT_NAME
+	if [ ! "$?" = "0" ]; then
+		echo $"Unable to install toxid, returned $?"
+		rm $TEMP_SCRIPT
+		exit 62835
+	fi
+	rm $TEMP_SCRIPT
+}
+
+function mesh_tox_client {
+	TOXIC_FILE=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXIC_FILE=" | head -n 1 | awk -F '=' '{print $2}')
+
+	# obtain commits from the main file
+	TOXIC_COMMIT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXIC_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
+	if [ ${#TOXIC_COMMIT_MAIN} -gt 10 ]; then
+		TOXIC_COMMIT=$TOXIC_COMMIT_MAIN
+	fi
+
+	TOXIC_REPO_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXIC_REPO=" | head -n 1 | awk -F '"' '{print $2}')
+	if [ ${#TOXIC_REPO_MAIN} -gt 5 ]; then
+		TOXIC_REPO=$TOXIC_REPO_MAIN
+	fi
+
+	chroot "$rootdir" apt-get -y install libncursesw5-dev libconfig-dev libqrencode-dev
+	chroot "$rootdir" apt-get -y install libcurl4-openssl-dev libvpx-dev libopenal-dev
+
+	TEMP_SCRIPT_NAME=fbtmp728353.sh
+	TEMP_SCRIPT=/tmp/$TEMP_SCRIPT_NAME
+	echo '#!/bin/bash' > $TEMP_SCRIPT
+	echo "mkdir -p $INSTALL_DIR" >> $TEMP_SCRIPT
+	echo "git clone $TOXIC_REPO $INSTALL_DIR/toxic" >> $TEMP_SCRIPT
+	echo "cd $INSTALL_DIR/toxic" >> $TEMP_SCRIPT
+	echo "git checkout $TOXIC_COMMIT -b $TOXIC_COMMIT" >> $TEMP_SCRIPT
+	echo 'make' >> $TEMP_SCRIPT
+	echo 'if [ ! "$?" = "0" ]; then' >> $TEMP_SCRIPT
+	echo '    exit 1' >> $TEMP_SCRIPT
+	echo 'fi' >> $TEMP_SCRIPT
+	echo 'make install' >> $TEMP_SCRIPT
+	echo 'exit 0' >> $TEMP_SCRIPT
+	chmod +x $TEMP_SCRIPT
+	cp $TEMP_SCRIPT $rootdir/root/
+
+	TOXIC_FILE=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXIC_FILE=" | head -n 1 | awk -F '=' '{print $2}')
+
+	SECONDS=0
+	chroot "$rootdir" /root/$TEMP_SCRIPT_NAME
+	if [ ! "$?" = "0" ]; then
+		duration=$SECONDS
+		echo $"Toxic client compile failed at $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
+		echo $'Unable to make tox client'
+		rm $TEMP_SCRIPT
+		exit 74872
+	fi
+	rm $TEMP_SCRIPT
+	if [ ! -f $rootdir$TOXIC_FILE ]; then
+		echo $"Tox client was not installed to $TOXIC_FILE"
+		exit 63278
+	fi
+	duration=$SECONDS
+	echo $"Toxic client compile $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
+}
+
+function enable_tox_repo {
+	echo 'deb http://download.opensuse.org/repositories/home:/antonbatenev:/tox/Debian_8.0/ /' > $rootdir/etc/apt/sources.list.d/tox.list
+
+
+	chroot "$rootdir" wget -q http://download.opensuse.org/repositories/home:antonbatenev:tox/Debian_8.0/Release.key -O- | apt-key add -
+	chroot "$rootdir" apt-get update
+	echo "Tox Repository Installed."
+}
+
 # NOTE: deliberately no exit 0
diff --git a/src/freedombone-app-zeronet b/src/freedombone-app-zeronet
index 5ad3c8285..f729d549b 100755
--- a/src/freedombone-app-zeronet
+++ b/src/freedombone-app-zeronet
@@ -48,7 +48,7 @@ ZERONET_ID_REPO="https://github.com/HelloZeroNet/ZeroID"
 ZERONET_ID_COMMIT='ccf14fdc96fa9cdb2ddd8a7ab283a8e17a4f234b'
 
 function reconfigure_zeronet {
-    echo -n ''
+	echo -n ''
 }
 
 function upgrade_zeronet {
@@ -454,7 +454,170 @@ function install_zeronet_main {
 	echo 'install_zeronet_main' >> $COMPLETION_FILE
 }
 
+function mesh_zeronet {
+	# obtain commits from the main file
+	ZERONET_COMMIT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
+	if [ ${#ZERONET_COMMIT_MAIN} -gt 10 ]; then
+		ZERONET_COMMIT=$ZERONET_COMMIT_MAIN
+	fi
+	if [ ! $ZERONET_COMMIT ]; then
+		echo $'No Tox commit was specified'
+		exit 37046
+	fi
+
+	ZERONET_REPO_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_REPO=" | head -n 1 | awk -F '"' '{print $2}')
+	if [ ${#ZERONET_REPO_MAIN} -gt 5 ]; then
+		ZERONET_REPO=$ZERONET_REPO_MAIN
+	fi
+	if [ ! $ZERONET_REPO ]; then
+		echo $'No Tox commit was specified'
+		exit 37046
+	fi
+
+	ZERONET_PORT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_PORT=" | head -n 1 | awk -F '=' '{print $2}')
+	if [ ${#ZERONET_PORT_MAIN} -gt 1 ]; then
+		ZERONET_PORT=$ZERONET_PORT_MAIN
+	fi
+	if [ ! $ZERONET_PORT ]; then
+		echo $'No zeronet port was specified'
+		exit 67433
+	fi
+
+	chroot "$rootdir" apt-get -y install python python-msgpack python-gevent
+	chroot "$rootdir" apt-get -y install python-pip bittornado
+	chroot "$rootdir" pip install msgpack-python --upgrade
+
+	chroot "$rootdir" useradd -d $MESH_INSTALL_DIR/zeronet/ -s /bin/false zeronet
+	git clone $ZERONET_REPO $rootdir$MESH_INSTALL_DIR/zeronet
+	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet ]; then
+		echo 'WARNING: Unable to clone zeronet'
+		return
+	fi
+	cd $rootdir$MESH_INSTALL_DIR/zeronet
+	git checkout $ZERONET_COMMIT -b $ZERONET_COMMIT
+	if ! grep -q "ZeroNet commit" $COMPLETION_FILE; then
+		echo "ZeroNet commit:$ZERONET_COMMIT" >> $rootdir$COMPLETION_FILE
+	else
+		sed -i "s/ZeroNet commit.*/ZeroNet commit:$ZERONET_COMMIT/g" $COMPLETION_FILE
+	fi
+	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
+
+	# Hack to ensure that the file access port is opened
+	# This is because zeronet normally relies on an internet site
+	# to do this, but on a purely local mesh the internet isn't available
+	sed -i 's|fileserver_port = 0|fileserver_port = config.fileserver_port\n            sys.modules["main"].file_server.port_opened = True|g' $rootdir$MESH_INSTALL_DIR/zeronet/src/Site/Site.py
+
+	ZERONET_DAEMON=$rootdir/etc/systemd/system/zeronet.service
+	echo '[Unit]' > $ZERONET_DAEMON
+	echo 'Description=Zeronet Server' >> $ZERONET_DAEMON
+	echo 'After=syslog.target' >> $ZERONET_DAEMON
+	echo 'After=network.target' >> $ZERONET_DAEMON
+	echo '[Service]' >> $ZERONET_DAEMON
+	echo 'Type=simple' >> $ZERONET_DAEMON
+	echo 'User=zeronet' >> $ZERONET_DAEMON
+	echo 'Group=zeronet' >> $ZERONET_DAEMON
+	echo "WorkingDirectory=$MESH_INSTALL_DIR/zeronet" >> $ZERONET_DAEMON
+	echo "ExecStart=/usr/bin/python zeronet.py --ip_external replace.local --trackers_file $MESH_INSTALL_DIR/zeronet/bootstrap" >> $ZERONET_DAEMON
+	echo '' >> $ZERONET_DAEMON
+	echo 'TimeoutSec=300' >> $ZERONET_DAEMON
+	echo '' >> $ZERONET_DAEMON
+	echo '[Install]' >> $ZERONET_DAEMON
+	echo 'WantedBy=multi-user.target' >> $ZERONET_DAEMON
+
+	TRACKER_DAEMON=$rootdir/etc/systemd/system/tracker.service
+	echo '[Unit]' > $TRACKER_DAEMON
+	echo 'Description=Torrent Tracker' >> $TRACKER_DAEMON
+	echo 'After=syslog.target' >> $TRACKER_DAEMON
+	echo 'After=network.target' >> $TRACKER_DAEMON
+	echo '[Service]' >> $TRACKER_DAEMON
+	echo 'Type=simple' >> $TRACKER_DAEMON
+	echo 'User=tracker' >> $TRACKER_DAEMON
+	echo 'Group=tracker' >> $TRACKER_DAEMON
+	echo "WorkingDirectory=$MESH_INSTALL_DIR/tracker" >> $TRACKER_DAEMON
+	echo "ExecStart=/usr/bin/bttrack --port $TRACKER_PORT --dfile $MESH_INSTALL_DIR/tracker/dstate --logfile $MESH_INSTALL_DIR/tracker/tracker.log --nat_check 0 --scrape_allowed full --ipv6_enabled 0" >> $TRACKER_DAEMON
+	echo '' >> $TRACKER_DAEMON
+	echo 'TimeoutSec=300' >> $TRACKER_DAEMON
+	echo '' >> $TRACKER_DAEMON
+	echo '[Install]' >> $TRACKER_DAEMON
+	echo 'WantedBy=multi-user.target' >> $TRACKER_DAEMON
+
+	chroot "$rootdir" useradd -d $MESH_INSTALL_DIR/tracker/ -s /bin/false tracker
+	if [ ! -d $rootdir$MESH_INSTALL_DIR/tracker ]; then
+		mkdir $rootdir$MESH_INSTALL_DIR/tracker
+	fi
+	chroot "$rootdir" chown -R tracker:tracker $MESH_INSTALL_DIR/tracker
+
+	# publish regularly
+	echo "* *     * * *   root    zeronetavahi > /dev/null" >> $rootdir/etc/crontab
+
+	chroot "$rootdir" systemctl enable tracker.service
+	chroot "$rootdir" systemctl enable zeronet.service
+}
+
+function mesh_zeronet_blog {
+	ZERONET_BLOG_REPO=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_BLOG_REPO=" | head -n 1 | awk -F '"' '{print $2}')
+	ZERONET_BLOG_COMMIT=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_BLOG_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
+
+	git clone $ZERONET_BLOG_REPO $rootdir$MESH_INSTALL_DIR/zeronet/ZeroBlog
+	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet/ZeroBlog ]; then
+		echo $'ZeroBlog repo could not be cloned'
+		exit 6739
+	fi
+	cd $rootdir$MESH_INSTALL_DIR/zeronet/ZeroBlog
+	git checkout $ZERONET_BLOG_COMMIT -b $ZERONET_BLOG_COMMIT
+	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
+}
+
+function mesh_zeronet_mail {
+	ZERONET_MAIL_REPO=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_MAIL_REPO=" | head -n 1 | awk -F '"' '{print $2}')
+	ZERONET_MAIL_COMMIT=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_MAIL_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
+
+	git clone $ZERONET_MAIL_REPO $rootdir$MESH_INSTALL_DIR/zeronet/ZeroMail
+	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet/ZeroMail ]; then
+		echo $'ZeroMail repo could not be cloned'
+		exit 78493
+	fi
+	cd $rootdir$MESH_INSTALL_DIR/zeronet/ZeroMail
+	git checkout $ZERONET_MAIL_COMMIT -b $ZERONET_MAIL_COMMIT
+	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
+}
+
+function mesh_zeronet_forum {
+	ZERONET_FORUM_REPO=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_FORUM_REPO=" | head -n 1 | awk -F '"' '{print $2}')
+	ZERONET_FORUM_COMMIT=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_FORUM_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
+
+	git clone $ZERONET_FORUM_REPO $rootdir$MESH_INSTALL_DIR/zeronet/ZeroTalk
+	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet/ZeroTalk ]; then
+		echo $'ZeroTalk repo could not be cloned'
+		exit 78252
+	fi
+	cd $rootdir$MESH_INSTALL_DIR/zeronet/ZeroTalk
+	git checkout $ZERONET_FORUM_COMMIT -b $ZERONET_FORUM_COMMIT
+	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
+}
+
+function mesh_zeronet_id {
+	ZERONET_ID_REPO=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_ID_REPO=" | head -n 1 | awk -F '"' '{print $2}')
+	ZERONET_ID_COMMIT=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_ID_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
+
+	git clone $ZERONET_ID_REPO $rootdir$MESH_INSTALL_DIR/zeronet/ZeroID
+	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet/ZeroID ]; then
+		echo $'ZeroID repo could not be cloned'
+		exit 37936
+	fi
+	cd $rootdir$MESH_INSTALL_DIR/zeronet/ZeroID
+	git checkout $ZERONET_ID_COMMIT -b $ZERONET_ID_COMMIT
+	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
+}
+
 function install_zeronet {
+	if [ $INSTALLING_MESH ]; then
+		mesh_zeronet
+		mesh_zeronet_blog
+		mesh_zeronet_mail
+		mesh_zeronet_forum
+		return
+	fi
 	if grep -Fxq "install_zeronet" $COMPLETION_FILE; then
 		return
 	fi
diff --git a/src/freedombone-image-customise b/src/freedombone-image-customise
index 3bfc5ce6f..b6d8a6f56 100755
--- a/src/freedombone-image-customise
+++ b/src/freedombone-image-customise
@@ -491,534 +491,7 @@ ZERONET_ID_COMMIT=
 # Directory where source code is downloaded and compiled
 INSTALL_DIR=$HOME/build
 
-function mesh_avahi {
-	chroot "$rootdir" apt-get -y install avahi-utils avahi-autoipd avahi-dnsconfd
-
-	decarray=( 1 2 3 4 5 6 7 8 9 0 )
-	PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
-	sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" $rootdir/etc/avahi/avahi-daemon.conf
-
-	if [ ! -d $rootdir/etc/avahi/services ]; then
-		mkdir -p $rootdir/etc/avahi/services
-	fi
-
-	# remove an avahi service which isn't used
-	if [ -f $rootdir/etc/avahi/services/udisks.service ]; then
-		rm $rootdir/etc/avahi/services/udisks.service
-	fi
-
-	# Add an ssh service
-	echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > $rootdir/etc/avahi/services/ssh.service
-	echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> $rootdir/etc/avahi/services/ssh.service
-	echo '<service-group>' >> $rootdir/etc/avahi/services/ssh.service
-	echo '  <name replace-wildcards="yes">%h SSH</name>' >> $rootdir/etc/avahi/services/ssh.service
-	echo '  <service>' >> $rootdir/etc/avahi/services/ssh.service
-	echo '    <type>_ssh._tcp</type>' >> $rootdir/etc/avahi/services/ssh.service
-	echo "    <port>$SSH_PORT</port>" >> $rootdir/etc/avahi/services/ssh.service
-	echo '  </service>' >> $rootdir/etc/avahi/services/ssh.service
-	echo '</service-group>' >> $rootdir/etc/avahi/services/ssh.service
-
-	# keep the daemon running
-	WATCHDOG_SCRIPT_NAME="keepon"
-	echo '' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	echo '# keep avahi daemon running' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	echo 'AVAHI_RUNNING=$(pgrep avahi-daemon > /dev/null && echo Running)' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	echo 'if [ ! $AVAHI_RUNNING ]; then' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	echo '  systemctl start avahi-daemon' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	echo '  echo -n $CURRENT_DATE >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	echo '  echo " Avahi daemon restarted" >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	echo 'fi' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	chmod +x $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-}
-
-function install_batman {
-	chroot "$rootdir" apt-get -y install iproute bridge-utils libnetfilter-conntrack3 batctl
-	chroot "$rootdir" apt-get -y install python-dev libevent-dev ebtables python-pip git
-	chroot "$rootdir" apt-get -y install wireless-tools rfkill
-
-	if ! grep -q "batman_adv" $rootdir/etc/modules; then
-		echo 'batman_adv' >> $rootdir/etc/modules
-	fi
-
-	BATMAN_SCRIPT=$rootdir/var/lib/batman
-
-	if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then
-		cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
-	else
-		cp /usr/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
-	fi
-
-	BATMAN_DAEMON=$rootdir/etc/systemd/system/batman.service
-	echo '[Unit]' > $BATMAN_DAEMON
-	echo 'Description=B.A.T.M.A.N. Advanced' >> $BATMAN_DAEMON
-	echo 'After=network.target' >> $BATMAN_DAEMON
-	echo '' >> $BATMAN_DAEMON
-	echo '[Service]' >> $BATMAN_DAEMON
-	echo 'RemainAfterExit=yes' >> $BATMAN_DAEMON
-	echo "ExecStart=/var/lib/batman start" >> $BATMAN_DAEMON
-	echo "ExecStop=/var/lib/batman stop" >> $BATMAN_DAEMON
-	echo 'Restart=on-failure' >> $BATMAN_DAEMON
-	echo 'SuccessExitStatus=3 4' >> $BATMAN_DAEMON
-	echo 'RestartForceExitStatus=3 4' >> $BATMAN_DAEMON
-	echo '' >> $BATMAN_DAEMON
-	echo '# Allow time for the server to start/stop' >> $BATMAN_DAEMON
-	echo 'TimeoutSec=300' >> $BATMAN_DAEMON
-	echo '' >> $BATMAN_DAEMON
-	echo '[Install]' >> $BATMAN_DAEMON
-	echo 'WantedBy=multi-user.target' >> $BATMAN_DAEMON
-	chroot "$rootdir" systemctl enable batman
-}
-
-function mesh_firewall {
-	FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service
-	MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
-
-	echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT
-	echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
-	echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT
-	echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT
-	echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT
-	echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
-	echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
-	echo '' >> $MESH_FIREWALL_SCRIPT
-	echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
-	echo '' >> $MESH_FIREWALL_SCRIPT
-	echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
-	echo '' >> $MESH_FIREWALL_SCRIPT
-	echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
-	echo '' >> $MESH_FIREWALL_SCRIPT
-	echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
-	echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
-	echo '' >> $MESH_FIREWALL_SCRIPT
-	echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-	echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-	echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-	echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-	echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-	echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-	chmod +x $MESH_FIREWALL_SCRIPT
-
-	echo '[Unit]' > $FIREWALL_FILENAME
-	echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
-	echo '' >> $FIREWALL_FILENAME
-	echo '[Service]' >> $FIREWALL_FILENAME
-	echo 'Type=oneshot' >> $FIREWALL_FILENAME
-	echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME
-	echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
-	echo '' >> $FIREWALL_FILENAME
-	echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
-	echo '' >> $FIREWALL_FILENAME
-	echo '[Install]' >> $FIREWALL_FILENAME
-	echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
-	chroot "$rootdir" systemctl enable meshfirewall
-}
-
-function mesh_tox_node {
-	# obtain commits from the main file
-	TOXCORE_COMMIT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXCORE_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
-	if [ ${#TOXCORE_COMMIT_MAIN} -gt 10 ]; then
-		TOXCORE_COMMIT=$TOXCORE_COMMIT_MAIN
-	fi
-	if [ ! $TOXCORE_COMMIT ]; then
-		echo $'No Tox commit was specified'
-		exit 76325
-	fi
-
-	TOX_PORT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOX_PORT=" | head -n 1 | awk -F '=' '{print $2}')
-	if [ ${#TOX_PORT_MAIN} -gt 2 ]; then
-		TOX_PORT=$TOX_PORT_MAIN
-	fi
-	if [ ! $TOX_PORT ]; then
-		echo $'No Tox port was specified'
-		exit 32856
-	fi
-
-	TOXCORE_REPO_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXCORE_REPO=" | head -n 1 | awk -F '"' '{print $2}')
-	if [ ${#TOXCORE_REPO_MAIN} -gt 10 ]; then
-		TOXCORE_REPO=$TOXCORE_REPO_MAIN
-	fi
-	if [ ! $TOXCORE_REPO ]; then
-		echo $'No Tox repo was specified'
-		exit 16865
-	fi
-
-	chroot "$rootdir" apt-get -y install build-essential libtool autotools-dev
-	chroot "$rootdir" apt-get -y install automake checkinstall check git yasm
-	chroot "$rootdir" apt-get -y install libsodium13 libsodium-dev libcap2-bin
-	chroot "$rootdir" apt-get -y install libconfig9 libconfig-dev
-
-
-	TEMP_SCRIPT_NAME=fbtmp37272.sh
-	TEMP_SCRIPT=/tmp/$TEMP_SCRIPT_NAME
-	echo '#!/bin/bash' > $TEMP_SCRIPT
-	echo "mkdir -p $INSTALL_DIR" >> $TEMP_SCRIPT
-	echo "git clone $TOXCORE_REPO $INSTALL_DIR/toxcore" >> $TEMP_SCRIPT
-	echo "cd $INSTALL_DIR/toxcore" >> $TEMP_SCRIPT
-	echo "git checkout $TOXCORE_COMMIT -b $TOXCORE_COMMIT" >> $TEMP_SCRIPT
-	echo 'autoreconf -i' >> $TEMP_SCRIPT
-	echo './configure --enable-daemon --disable-av' >> $TEMP_SCRIPT
-	echo 'make' >> $TEMP_SCRIPT
-	echo 'if [ ! "$?" = "0" ]; then' >> $TEMP_SCRIPT
-	echo '    exit 1' >> $TEMP_SCRIPT
-	echo 'fi' >> $TEMP_SCRIPT
-	echo 'make install' >> $TEMP_SCRIPT
-	echo 'cp /usr/local/lib/libtoxcore* /usr/lib/' >> $TEMP_SCRIPT
-	echo "cp $INSTALL_DIR/toxcore/other/bootstrap_daemon/tox-bootstrapd.service /etc/systemd/system/" >> $TEMP_SCRIPT
-	echo "sed -i 's|ExecStart=.*|ExecStart=/usr/local/bin/tox-bootstrapd --config /etc/tox-bootstrapd.conf|g' /etc/systemd/system/tox-bootstrapd.service" >> $TEMP_SCRIPT
-	echo 'systemctl enable tox-bootstrapd.service' >> $TEMP_SCRIPT
-	echo 'exit 0' >> $TEMP_SCRIPT
-	chmod +x $TEMP_SCRIPT
-	cp $TEMP_SCRIPT $rootdir/root/
-
-	SECONDS=0
-	chroot "$rootdir" /root/$TEMP_SCRIPT_NAME
-	if [ ! "$?" = "0" ]; then
-		duration=$SECONDS
-		echo $"Toxcore compile failed at $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
-		echo $'Unable to make toxcore'
-		rm $TEMP_SCRIPT
-		exit 73835
-	fi
-	duration=$SECONDS
-	echo $"Toxcore compile $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
-	rm $TEMP_SCRIPT
-
-	if [ ! -f $rootdir/usr/local/bin/tox-bootstrapd ]; then
-		echo $"File not found /usr/local/bin/tox-bootstrapd"
-		exit 37825
-	fi
-
-	chroot "$rootdir" useradd --home-dir /var/lib/tox-bootstrapd --create-home --system --shell /sbin/nologin --comment $"Account to run Tox's DHT bootstrap daemon" --user-group tox-bootstrapd
-	chroot "$rootdir" chmod 700 /var/lib/tox-bootstrapd
-
-	# remove Maildir
-	if [ -d $rootdir/var/lib/tox-bootstrapd/Maildir ]; then
-		rm -rf $rootdir/var/lib/tox-bootstrapd/Maildir
-	fi
-
-	# create configuration file
-	TOX_BOOTSTRAP_CONFIG=$rootdir/etc/tox-bootstrapd.conf
-	echo "port = $TOX_PORT" > $TOX_BOOTSTRAP_CONFIG
-	echo 'keys_file_path = "/var/lib/tox-bootstrapd/keys"' >> $TOX_BOOTSTRAP_CONFIG
-	echo 'pid_file_path = "/var/run/tox-bootstrapd/tox-bootstrapd.pid"' >> $TOX_BOOTSTRAP_CONFIG
-	echo 'enable_ipv6 = true' >> $TOX_BOOTSTRAP_CONFIG
-	echo 'enable_ipv4_fallback = true' >> $TOX_BOOTSTRAP_CONFIG
-	echo 'enable_lan_discovery = true' >> $TOX_BOOTSTRAP_CONFIG
-	echo 'enable_tcp_relay = true' >> $TOX_BOOTSTRAP_CONFIG
-	echo "tcp_relay_ports = [443, 3389, $TOX_PORT]" >> $TOX_BOOTSTRAP_CONFIG
-	echo 'enable_motd = true' >> $TOX_BOOTSTRAP_CONFIG
-	echo 'motd = "tox-bootstrapd"' >> $TOX_BOOTSTRAP_CONFIG
-
-	if [ $TOX_NODES ]; then
-		echo 'bootstrap_nodes = (' >> $TOX_BOOTSTRAP_CONFIG
-		toxcount=0
-		while [ "x${TOX_NODES[toxcount]}" != "x" ]
-		do
-			toxval_ipv4=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $1}')
-			toxval_ipv6=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $2}')
-			toxval_port=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $3}')
-			toxval_pubkey=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $4}')
-			toxval_maintainer=$(echo $TOX_NODES[toxcount] | awk -F ',' '{print $5}')
-			echo "{ // $toxval_maintainer" >> $TOX_BOOTSTRAP_CONFIG
-			if [[ $toxval_ipv6 != 'NONE' ]]; then
-				echo "  address = \"$toxval_ipv6\"" >> $TOX_BOOTSTRAP_CONFIG
-			else
-				echo "  address = \"$toxval_ipv4\"" >> $TOX_BOOTSTRAP_CONFIG
-			fi
-			echo "  port = $toxval_port" >> $TOX_BOOTSTRAP_CONFIG
-			echo "  public_key = \"$toxval_pubkey\"" >> $TOX_BOOTSTRAP_CONFIG
-			toxcount=$(( $toxcount + 1 ))
-			if [ "x${TOX_NODES[toxcount]}" != "x" ]; then
-				echo "}," >> $TOX_BOOTSTRAP_CONFIG
-			else
-				echo "}" >> $TOX_BOOTSTRAP_CONFIG
-			fi
-		done
-		echo ')' >> $TOX_BOOTSTRAP_CONFIG
-	fi
-}
-
-function mesh_tox_avahi {
-	if [ ! -d $rootdir/etc/avahi ]; then
-		echo $'tox_avahi: avahi is not installed'
-		exit 87359
-	fi
-
-	TOXID_REPO_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXID_REPO=" | head -n 1 | awk -F '"' '{print $2}')
-	if [ ${#TOXID_REPO_MAIN} -gt 5 ]; then
-		TOXID_REPO=$TOXID_REPO_MAIN
-	fi
-	if [ ! $TOXID_REPO ]; then
-		echo $'No ToxID repo was specified'
-		exit 78252
-	fi
-
-	TEMP_SCRIPT_NAME=fbtmp5328252.sh
-	TEMP_SCRIPT=/tmp/$TEMP_SCRIPT_NAME
-	echo '#!/bin/bash' > $TEMP_SCRIPT
-	echo "mkdir -p $INSTALL_DIR" >> $TEMP_SCRIPT
-	echo "git clone $TOXID_REPO $INSTALL_DIR/toxid" >> $TEMP_SCRIPT
-	echo "if [ ! -d $INSTALL_DIR/toxid ]; then" >> $TEMP_SCRIPT
-	echo '    exit 1' >> $TEMP_SCRIPT
-	echo 'fi' >> $TEMP_SCRIPT
-	echo "cd $INSTALL_DIR/toxid" >> $TEMP_SCRIPT
-	echo "make" >> $TEMP_SCRIPT
-	echo 'if [ ! "$?" = "0" ]; then' >> $TEMP_SCRIPT
-	echo '    exit 2' >> $TEMP_SCRIPT
-	echo 'fi' >> $TEMP_SCRIPT
-	echo 'make install' >> $TEMP_SCRIPT
-	echo 'if [ ! -f /usr/local/bin/toxavahi ]; then' >> $TEMP_SCRIPT
-	echo '  exit 3' >> $TEMP_SCRIPT
-	echo 'fi' >> $TEMP_SCRIPT
-	echo 'toxavahi' >> $TEMP_SCRIPT
-	echo 'echo "* *     * * *   root    /usr/local/bin/toxavahi > /dev/null" >> /etc/crontab' >> $TEMP_SCRIPT
-	echo 'systemctl restart avahi-daemon' >> $TEMP_SCRIPT
-	echo 'exit 0' >> $TEMP_SCRIPT
-	chmod +x $TEMP_SCRIPT
-	cp $TEMP_SCRIPT $rootdir/root/
-
-	chroot "$rootdir" /root/$TEMP_SCRIPT_NAME
-	if [ ! "$?" = "0" ]; then
-		echo $"Unable to install toxid, returned $?"
-		rm $TEMP_SCRIPT
-		exit 62835
-	fi
-	rm $TEMP_SCRIPT
-}
-
-function mesh_tox_client {
-	TOXIC_FILE=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXIC_FILE=" | head -n 1 | awk -F '=' '{print $2}')
-
-	# obtain commits from the main file
-	TOXIC_COMMIT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXIC_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
-	if [ ${#TOXIC_COMMIT_MAIN} -gt 10 ]; then
-		TOXIC_COMMIT=$TOXIC_COMMIT_MAIN
-	fi
-
-	TOXIC_REPO_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXIC_REPO=" | head -n 1 | awk -F '"' '{print $2}')
-	if [ ${#TOXIC_REPO_MAIN} -gt 5 ]; then
-		TOXIC_REPO=$TOXIC_REPO_MAIN
-	fi
-
-	chroot "$rootdir" apt-get -y install libncursesw5-dev libconfig-dev libqrencode-dev
-	chroot "$rootdir" apt-get -y install libcurl4-openssl-dev libvpx-dev libopenal-dev
-
-	TEMP_SCRIPT_NAME=fbtmp728353.sh
-	TEMP_SCRIPT=/tmp/$TEMP_SCRIPT_NAME
-	echo '#!/bin/bash' > $TEMP_SCRIPT
-	echo "mkdir -p $INSTALL_DIR" >> $TEMP_SCRIPT
-	echo "git clone $TOXIC_REPO $INSTALL_DIR/toxic" >> $TEMP_SCRIPT
-	echo "cd $INSTALL_DIR/toxic" >> $TEMP_SCRIPT
-	echo "git checkout $TOXIC_COMMIT -b $TOXIC_COMMIT" >> $TEMP_SCRIPT
-	echo 'make' >> $TEMP_SCRIPT
-	echo 'if [ ! "$?" = "0" ]; then' >> $TEMP_SCRIPT
-	echo '    exit 1' >> $TEMP_SCRIPT
-	echo 'fi' >> $TEMP_SCRIPT
-	echo 'make install' >> $TEMP_SCRIPT
-	echo 'exit 0' >> $TEMP_SCRIPT
-	chmod +x $TEMP_SCRIPT
-	cp $TEMP_SCRIPT $rootdir/root/
-
-	TOXIC_FILE=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-tox | grep "TOXIC_FILE=" | head -n 1 | awk -F '=' '{print $2}')
-
-	SECONDS=0
-	chroot "$rootdir" /root/$TEMP_SCRIPT_NAME
-	if [ ! "$?" = "0" ]; then
-		duration=$SECONDS
-		echo $"Toxic client compile failed at $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
-		echo $'Unable to make tox client'
-		rm $TEMP_SCRIPT
-		exit 74872
-	fi
-	rm $TEMP_SCRIPT
-	if [ ! -f $rootdir$TOXIC_FILE ]; then
-		echo $"Tox client was not installed to $TOXIC_FILE"
-		exit 63278
-	fi
-	duration=$SECONDS
-	echo $"Toxic client compile $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
-}
-
-function mesh_zeronet {
-	# obtain commits from the main file
-	ZERONET_COMMIT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
-	if [ ${#ZERONET_COMMIT_MAIN} -gt 10 ]; then
-		ZERONET_COMMIT=$ZERONET_COMMIT_MAIN
-	fi
-	if [ ! $ZERONET_COMMIT ]; then
-		echo $'No Tox commit was specified'
-		exit 37046
-	fi
-	
-	ZERONET_REPO_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_REPO=" | head -n 1 | awk -F '"' '{print $2}')
-	if [ ${#ZERONET_REPO_MAIN} -gt 5 ]; then
-		ZERONET_REPO=$ZERONET_REPO_MAIN
-	fi
-	if [ ! $ZERONET_REPO ]; then
-		echo $'No Tox commit was specified'
-		exit 37046
-	fi
-
-	ZERONET_PORT_MAIN=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_PORT=" | head -n 1 | awk -F '=' '{print $2}')
-	if [ ${#ZERONET_PORT_MAIN} -gt 1 ]; then
-		ZERONET_PORT=$ZERONET_PORT_MAIN
-	fi
-	if [ ! $ZERONET_PORT ]; then
-		echo $'No zeronet port was specified'
-		exit 67433
-	fi
-
-	chroot "$rootdir" apt-get -y install python python-msgpack python-gevent
-	chroot "$rootdir" apt-get -y install python-pip bittornado
-	chroot "$rootdir" pip install msgpack-python --upgrade
-
-	chroot "$rootdir" useradd -d $MESH_INSTALL_DIR/zeronet/ -s /bin/false zeronet
-	git clone $ZERONET_REPO $rootdir$MESH_INSTALL_DIR/zeronet
-	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet ]; then
-		echo 'WARNING: Unable to clone zeronet'
-		return
-	fi
-	cd $rootdir$MESH_INSTALL_DIR/zeronet
-	git checkout $ZERONET_COMMIT -b $ZERONET_COMMIT
-	if ! grep -q "ZeroNet commit" $COMPLETION_FILE; then
-		echo "ZeroNet commit:$ZERONET_COMMIT" >> $rootdir$COMPLETION_FILE
-	else
-		sed -i "s/ZeroNet commit.*/ZeroNet commit:$ZERONET_COMMIT/g" $COMPLETION_FILE
-	fi
-	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
-
-	# Hack to ensure that the file access port is opened
-	# This is because zeronet normally relies on an internet site
-	# to do this, but on a purely local mesh the internet isn't available
-	sed -i 's|fileserver_port = 0|fileserver_port = config.fileserver_port\n            sys.modules["main"].file_server.port_opened = True|g' $rootdir$MESH_INSTALL_DIR/zeronet/src/Site/Site.py
-
-	ZERONET_DAEMON=$rootdir/etc/systemd/system/zeronet.service
-	echo '[Unit]' > $ZERONET_DAEMON
-	echo 'Description=Zeronet Server' >> $ZERONET_DAEMON
-	echo 'After=syslog.target' >> $ZERONET_DAEMON
-	echo 'After=network.target' >> $ZERONET_DAEMON
-	echo '[Service]' >> $ZERONET_DAEMON
-	echo 'Type=simple' >> $ZERONET_DAEMON
-	echo 'User=zeronet' >> $ZERONET_DAEMON
-	echo 'Group=zeronet' >> $ZERONET_DAEMON
-	echo "WorkingDirectory=$MESH_INSTALL_DIR/zeronet" >> $ZERONET_DAEMON
-	echo "ExecStart=/usr/bin/python zeronet.py --ip_external replace.local --trackers_file $MESH_INSTALL_DIR/zeronet/bootstrap" >> $ZERONET_DAEMON
-	echo '' >> $ZERONET_DAEMON
-	echo 'TimeoutSec=300' >> $ZERONET_DAEMON
-	echo '' >> $ZERONET_DAEMON
-	echo '[Install]' >> $ZERONET_DAEMON
-	echo 'WantedBy=multi-user.target' >> $ZERONET_DAEMON
-
-	TRACKER_DAEMON=$rootdir/etc/systemd/system/tracker.service
-	echo '[Unit]' > $TRACKER_DAEMON
-	echo 'Description=Torrent Tracker' >> $TRACKER_DAEMON
-	echo 'After=syslog.target' >> $TRACKER_DAEMON
-	echo 'After=network.target' >> $TRACKER_DAEMON
-	echo '[Service]' >> $TRACKER_DAEMON
-	echo 'Type=simple' >> $TRACKER_DAEMON
-	echo 'User=tracker' >> $TRACKER_DAEMON
-	echo 'Group=tracker' >> $TRACKER_DAEMON
-	echo "WorkingDirectory=$MESH_INSTALL_DIR/tracker" >> $TRACKER_DAEMON
-	echo "ExecStart=/usr/bin/bttrack --port $TRACKER_PORT --dfile $MESH_INSTALL_DIR/tracker/dstate --logfile $MESH_INSTALL_DIR/tracker/tracker.log --nat_check 0 --scrape_allowed full --ipv6_enabled 0" >> $TRACKER_DAEMON
-	echo '' >> $TRACKER_DAEMON
-	echo 'TimeoutSec=300' >> $TRACKER_DAEMON
-	echo '' >> $TRACKER_DAEMON
-	echo '[Install]' >> $TRACKER_DAEMON
-	echo 'WantedBy=multi-user.target' >> $TRACKER_DAEMON
-
-	chroot "$rootdir" useradd -d $MESH_INSTALL_DIR/tracker/ -s /bin/false tracker
-	if [ ! -d $rootdir$MESH_INSTALL_DIR/tracker ]; then
-		mkdir $rootdir$MESH_INSTALL_DIR/tracker
-	fi
-	chroot "$rootdir" chown -R tracker:tracker $MESH_INSTALL_DIR/tracker
-
-	# publish regularly
-	echo "* *     * * *   root    zeronetavahi > /dev/null" >> $rootdir/etc/crontab
-
-	chroot "$rootdir" systemctl enable tracker.service
-	chroot "$rootdir" systemctl enable zeronet.service
-}
-
-function mesh_zeronet_blog {
-	ZERONET_BLOG_REPO=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_BLOG_REPO=" | head -n 1 | awk -F '"' '{print $2}')
-	ZERONET_BLOG_COMMIT=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_BLOG_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
-
-	git clone $ZERONET_BLOG_REPO $rootdir$MESH_INSTALL_DIR/zeronet/ZeroBlog
-	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet/ZeroBlog ]; then
-		echo $'ZeroBlog repo could not be cloned'
-		exit 6739
-	fi
-	cd $rootdir$MESH_INSTALL_DIR/zeronet/ZeroBlog
-	git checkout $ZERONET_BLOG_COMMIT -b $ZERONET_BLOG_COMMIT
-	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
-}
-
-function mesh_zeronet_mail {
-	ZERONET_MAIL_REPO=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_MAIL_REPO=" | head -n 1 | awk -F '"' '{print $2}')
-	ZERONET_MAIL_COMMIT=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_MAIL_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
-
-	git clone $ZERONET_MAIL_REPO $rootdir$MESH_INSTALL_DIR/zeronet/ZeroMail
-	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet/ZeroMail ]; then
-		echo $'ZeroMail repo could not be cloned'
-		exit 78493
-	fi
-	cd $rootdir$MESH_INSTALL_DIR/zeronet/ZeroMail
-	git checkout $ZERONET_MAIL_COMMIT -b $ZERONET_MAIL_COMMIT
-	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
-}
-
-function mesh_zeronet_forum {
-	ZERONET_FORUM_REPO=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_FORUM_REPO=" | head -n 1 | awk -F '"' '{print $2}')
-	ZERONET_FORUM_COMMIT=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_FORUM_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
-
-	git clone $ZERONET_FORUM_REPO $rootdir$MESH_INSTALL_DIR/zeronet/ZeroTalk
-	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet/ZeroTalk ]; then
-		echo $'ZeroTalk repo could not be cloned'
-		exit 78252
-	fi
-	cd $rootdir$MESH_INSTALL_DIR/zeronet/ZeroTalk
-	git checkout $ZERONET_FORUM_COMMIT -b $ZERONET_FORUM_COMMIT
-	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
-}
-
-function mesh_zeronet_id {
-	ZERONET_ID_REPO=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_ID_REPO=" | head -n 1 | awk -F '"' '{print $2}')
-	ZERONET_ID_COMMIT=$(cat /usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-zeronet | grep "ZERONET_ID_COMMIT=" | head -n 1 | awk -F "'" '{print $2}')
-
-	git clone $ZERONET_ID_REPO $rootdir$MESH_INSTALL_DIR/zeronet/ZeroID
-	if [ ! -d $rootdir$MESH_INSTALL_DIR/zeronet/ZeroID ]; then
-		echo $'ZeroID repo could not be cloned'
-		exit 37936
-	fi
-	cd $rootdir$MESH_INSTALL_DIR/zeronet/ZeroID
-	git checkout $ZERONET_ID_COMMIT -b $ZERONET_ID_COMMIT
-	chroot "$rootdir" chown -R zeronet:zeronet $MESH_INSTALL_DIR/zeronet
-}
-
-function mesh_web_server {
-	if [ -d /etc/apache2 ]; then
-		chroot "$rootdir" apt-get -y remove --purge apache2
-		chroot "$rootdir" rm -rf /etc/apache2
-	fi
-
-	chroot "$rootdir" apt-get -y install nginx
-
-	if [ ! -d $rootdir/etc/nginx ]; then
-		echo $'Unable to install web server'
-		exit 346825
-	fi
-}
+INSTALLING_MESH=
 
 initialise_mesh() {
 	if [[ $VARIANT != "mesh" && $VARIANT != "meshclient" && $VARIANT != "meshusb" ]]; then
@@ -1045,17 +518,16 @@ initialise_mesh() {
 		chroot "$rootdir" apt-get -y install firmware-iwlwifi
 	fi
 
+	INSTALLING_MESH=1
+
 	mesh_firewall
 	mesh_avahi
 	install_batman
-	mesh_tox_node
+	install_tox_node
 	mesh_tox_avahi
 	mesh_tox_client
 	mesh_web_server
-	mesh_zeronet
-	mesh_zeronet_blog
-	mesh_zeronet_mail
-	mesh_zeronet_forum
+	install_zeronet
 
 	MESH_SERVICE='mesh-setup.service'
 	MESH_SETUP_DAEMON=$rootdir/etc/systemd/system/$MESH_SERVICE
@@ -1080,55 +552,6 @@ initialise_mesh() {
 
 # User interface for USB drive installs ######################################
 
-function enable_tox_repo {
-	echo 'deb http://download.opensuse.org/repositories/home:/antonbatenev:/tox/Debian_8.0/ /' > $rootdir/etc/apt/sources.list.d/tox.list
-
-
-	chroot "$rootdir" wget -q http://download.opensuse.org/repositories/home:antonbatenev:tox/Debian_8.0/Release.key -O- | apt-key add -
-	chroot "$rootdir" apt-get update
-	echo "Tox Repository Installed."
-}
-
-function install_syncthing {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
-		return
-	fi
-
-	chroot "$rootdir" wget -q https://syncthing.net/release-key.txt -O- | apt-key add -
-
-	echo "deb http://apt.syncthing.net/ syncthing release" | tee $rootdir/etc/apt/sources.list.d/syncthing.list
-	chroot "$rootdir" apt-get update
-	chroot "$rootdir" apt-get -y --force-yes install syncthing
-
-	# This probably does need to run as root so that it can access the Sync directories
-	# in each user's home directory
-	chroot "$rootdir" echo '[Unit]' > /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'Description=Syncthing - Open Source Continuous File Synchronization' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'Documentation=man:syncthing(1)' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'After=network.target' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'Wants=syncthing-inotify@.service' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo '' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo '[Service]' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'User=root' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo "Environment='all_proxy=socks5://localhost:9050'" >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'Restart=on-failure' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'SuccessExitStatus=3 4' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'RestartForceExitStatus=3 4' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo '' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo '[Install]' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" echo 'WantedBy=multi-user.target' >> /etc/systemd/system/syncthing.service
-	chroot "$rootdir" systemctl enable syncthing
-	chroot "$rootdir" systemctl daemon-reload
-
-	if ! grep -q "syncthing" $rootdir/etc/crontab; then
-		chroot "$rootdir" echo "*/1            * *   *   *   root /usr/local/bin/${PROJECT_NAME}-syncthing > /dev/null" >> /etc/crontab
-		chroot "$rootdir" systemctl restart cron
-	fi
-
-	echo 'install_syncthing'
-}
-
 function mesh_client_startup_applications {
 	if [ ! -d $rootdir/home/$MY_USERNAME/Desktop ]; then
 		mkdir -p $rootdir/home/$MY_USERNAME/Desktop
diff --git a/src/freedombone-utils-avahi b/src/freedombone-utils-avahi
index 422b129fd..95ced47ab 100755
--- a/src/freedombone-utils-avahi
+++ b/src/freedombone-utils-avahi
@@ -54,6 +54,46 @@ function create_avahi_service {
 	echo '</service-group>' >> /etc/avahi/services/${service_name}.service
 }
 
+function mesh_avahi {
+	chroot "$rootdir" apt-get -y install avahi-utils avahi-autoipd avahi-dnsconfd
+
+	decarray=( 1 2 3 4 5 6 7 8 9 0 )
+	PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
+	sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" $rootdir/etc/avahi/avahi-daemon.conf
+
+	if [ ! -d $rootdir/etc/avahi/services ]; then
+		mkdir -p $rootdir/etc/avahi/services
+	fi
+
+	# remove an avahi service which isn't used
+	if [ -f $rootdir/etc/avahi/services/udisks.service ]; then
+		rm $rootdir/etc/avahi/services/udisks.service
+	fi
+
+	# Add an ssh service
+	echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > $rootdir/etc/avahi/services/ssh.service
+	echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> $rootdir/etc/avahi/services/ssh.service
+	echo '<service-group>' >> $rootdir/etc/avahi/services/ssh.service
+	echo '  <name replace-wildcards="yes">%h SSH</name>' >> $rootdir/etc/avahi/services/ssh.service
+	echo '  <service>' >> $rootdir/etc/avahi/services/ssh.service
+	echo '    <type>_ssh._tcp</type>' >> $rootdir/etc/avahi/services/ssh.service
+	echo "    <port>$SSH_PORT</port>" >> $rootdir/etc/avahi/services/ssh.service
+	echo '  </service>' >> $rootdir/etc/avahi/services/ssh.service
+	echo '</service-group>' >> $rootdir/etc/avahi/services/ssh.service
+
+	# keep the daemon running
+	WATCHDOG_SCRIPT_NAME="keepon"
+	echo '' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo '# keep avahi daemon running' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo 'AVAHI_RUNNING=$(pgrep avahi-daemon > /dev/null && echo Running)' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo 'if [ ! $AVAHI_RUNNING ]; then' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo '  systemctl start avahi-daemon' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo '  echo -n $CURRENT_DATE >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo '  echo " Avahi daemon restarted" >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+	echo 'fi' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+	chmod +x $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+}
+
 function configure_avahi {
 	if grep -Fxq "configure_avahi" $COMPLETION_FILE; then
 		return
diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index d232989d8..f7857378c 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -29,220 +29,275 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 function save_firewall_settings {
-	iptables-save > /etc/firewall.conf
-	ip6tables-save > /etc/firewall6.conf
-	printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
-	printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
-	printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
-	chmod +x /etc/network/if-up.d/iptables
+    iptables-save > /etc/firewall.conf
+    ip6tables-save > /etc/firewall6.conf
+    printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
+    printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
+    printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
+    chmod +x /etc/network/if-up.d/iptables
 }
 
 function enable_ipv6 {
-	# endure that ipv6 is enabled and can route
-	sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
-	#sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
-	#sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
-	sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+    # endure that ipv6 is enabled and can route
+    sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
+    #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
+    #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
+    sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 }
 
 function configure_firewall {
-	if grep -q "RELATED" /etc/firewall.conf; then
-		# recreate the firewall to remove RELATED
-		sed -i "/firewall/d" $COMPLETION_FILE
-	fi
-	if grep -Fxq "configure_firewall" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	iptables -P INPUT ACCEPT
-	ip6tables -P INPUT ACCEPT
-	iptables -F
-	ip6tables -F
-	iptables -t nat -F
-	ip6tables -t nat -F
-	iptables -X
-	ip6tables -X
-	iptables -P INPUT DROP
-	ip6tables -P INPUT DROP
-	iptables -A INPUT -i lo -j ACCEPT
-	iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-
-	# Make sure incoming tcp connections are SYN packets
-	iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-
-	# Drop packets with incoming fragments
-	iptables -A INPUT -f -j DROP
-
-	# Drop bogons
-	iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-	iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-	iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-
-	# Incoming malformed NULL packets:
-	iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-
-	echo 'configure_firewall' >> $COMPLETION_FILE
+    if grep -q "RELATED" /etc/firewall.conf; then
+        # recreate the firewall to remove RELATED
+        sed -i "/firewall/d" $COMPLETION_FILE
+    fi
+    if grep -Fxq "configure_firewall" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+        # docker does its own firewalling
+        return
+    fi
+    iptables -P INPUT ACCEPT
+    ip6tables -P INPUT ACCEPT
+    iptables -F
+    ip6tables -F
+    iptables -t nat -F
+    ip6tables -t nat -F
+    iptables -X
+    ip6tables -X
+    iptables -P INPUT DROP
+    ip6tables -P INPUT DROP
+    iptables -A INPUT -i lo -j ACCEPT
+    iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+    # Make sure incoming tcp connections are SYN packets
+    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+    # Drop packets with incoming fragments
+    iptables -A INPUT -f -j DROP
+
+    # Drop bogons
+    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+    iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+    # Incoming malformed NULL packets:
+    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+    echo 'configure_firewall' >> $COMPLETION_FILE
 }
 
 function configure_firewall_ping {
-	if grep -Fxq "configure_firewall_ping" $COMPLETION_FILE; then
-		return
-	fi
-	# Only allow ping for mesh installs
-	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
-		return
-	fi
-	iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-	iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-	echo 'configure_firewall_ping' >> $COMPLETION_FILE
+    if grep -Fxq "configure_firewall_ping" $COMPLETION_FILE; then
+        return
+    fi
+    # Only allow ping for mesh installs
+    if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+        return
+    fi
+    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+    echo 'configure_firewall_ping' >> $COMPLETION_FILE
 }
 
 function configure_firewall_for_avahi {
-	if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 548 -j ACCEPT
-	iptables -A INPUT -p udp --dport 548 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
-	iptables -A INPUT -p udp --dport 5353 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
-	iptables -A INPUT -p udp --dport 5354 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-	echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE
+    if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then
+        return
+    fi
+    iptables -A INPUT -p tcp --dport 548 -j ACCEPT
+    iptables -A INPUT -p udp --dport 548 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
+    iptables -A INPUT -p udp --dport 5353 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
+    iptables -A INPUT -p udp --dport 5354 -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+    echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE
 }
 
 function configure_firewall_for_dns {
-	if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-	echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
+    if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+        # docker does its own firewalling
+        return
+    fi
+    iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+    echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
 }
 
 function configure_firewall_for_web_access {
-	if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE
+    if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+        # docker does its own firewalling
+        return
+    fi
+    if [[ $ONION_ONLY != "no" ]]; then
+        return
+    fi
+    iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+
+    echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE
 }
 
 function configure_firewall_for_web_server {
-	if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 443 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=('HTTP     80')
-	OPEN_PORTS+=('HTTPS    443')
-	echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
+    if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+        # docker does its own firewalling
+        return
+    fi
+    if [[ $ONION_ONLY != "no" ]]; then
+        return
+    fi
+    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+
+    OPEN_PORTS+=('HTTP     80')
+    OPEN_PORTS+=('HTTPS    443')
+    echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
 }
 
 function configure_firewall_for_ssh {
-	if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-	iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("SSH      $SSH_PORT")
-	echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE
+    if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+        # docker does its own firewalling
+        return
+    fi
+    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+    iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+
+    OPEN_PORTS+=("SSH      $SSH_PORT")
+    echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE
 }
 
 function configure_firewall_for_git {
-	if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 9418 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Git      9418")
-	echo 'configure_firewall_for_git' >> $COMPLETION_FILE
+    if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+        # docker does its own firewalling
+        return
+    fi
+    if [[ $ONION_ONLY != "no" ]]; then
+        return
+    fi
+    iptables -A INPUT -p tcp --dport 9418 -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+
+    OPEN_PORTS+=("Git      9418")
+    echo 'configure_firewall_for_git' >> $COMPLETION_FILE
 }
 
 function configure_internet_protocol {
-	if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
-		return
-	fi
-	sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
-	sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
-	if ! grep -q "ignore pings" /etc/sysctl.conf; then
-		echo '# ignore pings' >> /etc/sysctl.conf
-		echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
-		echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
-	fi
-	if ! grep -q "disable ipv6" /etc/sysctl.conf; then
-		echo '# disable ipv6' >> /etc/sysctl.conf
-		echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
-	fi
-	if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
-		echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
-		echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
-	fi
-	if ! grep -q "keepalive" /etc/sysctl.conf; then
-		echo '# keepalive' >> /etc/sysctl.conf
-		echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
-		echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
-		echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
-	fi
-	echo 'configure_internet_protocol' >> $COMPLETION_FILE
+    if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
+        return
+    fi
+    sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
+    sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
+    if ! grep -q "ignore pings" /etc/sysctl.conf; then
+        echo '# ignore pings' >> /etc/sysctl.conf
+        echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
+        echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
+    fi
+    if ! grep -q "disable ipv6" /etc/sysctl.conf; then
+        echo '# disable ipv6' >> /etc/sysctl.conf
+        echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
+    fi
+    if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
+        echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
+        echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
+    fi
+    if ! grep -q "keepalive" /etc/sysctl.conf; then
+        echo '# keepalive' >> /etc/sysctl.conf
+        echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
+        echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
+        echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
+    fi
+    echo 'configure_internet_protocol' >> $COMPLETION_FILE
+}
+
+function mesh_firewall {
+    FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service
+    MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
+
+    echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT
+    echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
+    echo '' >> $MESH_FIREWALL_SCRIPT
+    echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo '' >> $MESH_FIREWALL_SCRIPT
+    echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo '' >> $MESH_FIREWALL_SCRIPT
+    echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo '' >> $MESH_FIREWALL_SCRIPT
+    echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo '' >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    chmod +x $MESH_FIREWALL_SCRIPT
+
+    echo '[Unit]' > $FIREWALL_FILENAME
+    echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
+    echo '' >> $FIREWALL_FILENAME
+    echo '[Service]' >> $FIREWALL_FILENAME
+    echo 'Type=oneshot' >> $FIREWALL_FILENAME
+    echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME
+    echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
+    echo '' >> $FIREWALL_FILENAME
+    echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
+    echo '' >> $FIREWALL_FILENAME
+    echo '[Install]' >> $FIREWALL_FILENAME
+    echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
+    chroot "$rootdir" systemctl enable meshfirewall
 }
diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index 213eadf0b..98de56b64 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
@@ -548,4 +548,18 @@ function install_command_line_browser {
 	echo 'install_command_line_browser' >> $COMPLETION_FILE
 }
 
+function mesh_web_server {
+	if [ -d /etc/apache2 ]; then
+		chroot "$rootdir" apt-get -y remove --purge apache2
+		chroot "$rootdir" rm -rf /etc/apache2
+	fi
+
+	chroot "$rootdir" apt-get -y install nginx
+
+	if [ ! -d $rootdir/etc/nginx ]; then
+		echo $'Unable to install web server'
+		exit 346825
+	fi
+}
+
 # NOTE: deliberately no exit 0
diff --git a/src/freedombone-vars b/src/freedombone-vars
index 99b9ca38b..53b3fab51 100755
--- a/src/freedombone-vars
+++ b/src/freedombone-vars
@@ -97,4 +97,7 @@ done
 # optionally specify your name to appear on the blog
 MY_NAME=$DEFAULT_DOMAIN_NAME
 
+# used to select mesh install functions when creating a mesh image
+INSTALLING_MESH=
+
 # NOTE: deliberately there is no "exit 0"
-- 
GitLab