diff --git a/.gitignore b/.gitignore
index 431e81e7..716dd1e3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ dist/
 scale_build.egg-info/
 scale_build/__pycache__/
 venv-*
+conf/tn/root/*
diff --git a/change_branches.sh b/change_branches.sh
new file mode 100755
index 00000000..9101c742
--- /dev/null
+++ b/change_branches.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+
+branch="master"
+cd /mnt/evo/build
+
+for i in "truenas" "truenas_files" "middlewared"; do
+	echo "\nupdating $i"
+	git -C sources/"$i" fetch origin
+	git -C sources/"$i" checkout "$branch"
+	git -C sources/"$i" reset --hard origin/"$branch"
+done
diff --git a/chroot.sh b/chroot.sh
new file mode 100755
index 00000000..6a0e0891
--- /dev/null
+++ b/chroot.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+umount -f ./tmp/b/proc
+umount -f ./tmp/b/sys
+umount -f ./tmp/b/packages
+rm -rf ./tmp/b
+mkdir ./tmp/b
+unsquashfs -f -d ./tmp/b ./tmp/cache/basechroot-package.squashfs
+mkdir -p ./tmp/b/proc ./tmp/b/sys ./tmp/b/packages
+mount proc ./tmp/b/proc -t proc
+mount sysfs ./tmp/b/sys -t sysfs
+mount --bind ./tmp/pkgdir ./tmp/b/packages
+
+echo "Setup basechroot directory for chroot successfully"
+
+chroot ./tmp/b bash
+
+echo "Cleaning up mounts"
+umount -f ./tmp/b/proc
+umount -f ./tmp/b/sys
+umount -f ./tmp/b/packages
diff --git a/conf/build.manifest b/conf/build.manifest
index c0e78590..1e951901 100644
--- a/conf/build.manifest
+++ b/conf/build.manifest
@@ -90,6 +90,10 @@ base-packages:
   install_recommends: false
 - name: ifstat
   install_recommends: true
+- name: nslcd
+  install_recommends: true
+- name: apt-cacher-ng
+  install_recommends: true
 - name: openzfs
   install_recommends: true
 - name: open-vm-tools
@@ -126,6 +130,18 @@ base-packages:
   install_recommends: true
 - name: openzfs-zfs-initramfs
   install_recommends: true
+- name: build-essential
+  install_recommends: true
+- name: locales
+  install_recommends: true
+- name: debootstrap
+  install_recommends: true
+- name: xorriso
+  install_recommends: true
+- name: squashfs-tools
+  install_recommends: true
+- name: unzip
+  install_recommends: true
 - name: nvme-cli
   install_recommends: true
 - name: convmv
diff --git a/conf/reference-files/etc/group b/conf/reference-files/etc/group
index 8a357738..7d54d5e0 100644
--- a/conf/reference-files/etc/group
+++ b/conf/reference-files/etc/group
@@ -79,6 +79,7 @@ libvirt-qemu:x:64055:libvirt-qemu
 haproxy:x:130:
 uuidd:x:131:
 i2c:x:132:
+apt-cacher-ng:x:180:
 sgx:x:133:
 _ssh:x:134:
 ntpsec:x:135:
diff --git a/conf/reference-files/etc/passwd b/conf/reference-files/etc/passwd
index c10e65e6..ff8104ee 100644
--- a/conf/reference-files/etc/passwd
+++ b/conf/reference-files/etc/passwd
@@ -45,6 +45,7 @@ webdav:x:666:666:WebDAV Anonymous User:/var/empty:/usr/sbin/nologin
 libvirt-qemu:x:64055:106:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
 haproxy:x:126:130::/var/lib/haproxy:/usr/sbin/nologin
 uuidd:x:127:131::/run/uuidd:/usr/sbin/nologin
+apt-cacher-ng:x:180:180::/var/cache/apt-cacher-ng:/usr/sbin/nologin
 ntpsec:x:128:135::/nonexistent:/usr/sbin/nologin
 tss:x:129:136:TPM software stack,,,:/var/lib/tpm:/bin/false
 iperf3:x:130:137::/nonexistent:/usr/sbin/nologin
diff --git a/conf/tn/etc/apt-cacher-ng/acng.conf b/conf/tn/etc/apt-cacher-ng/acng.conf
new file mode 100644
index 00000000..1933331b
--- /dev/null
+++ b/conf/tn/etc/apt-cacher-ng/acng.conf
@@ -0,0 +1,563 @@
+#
+# IMPORTANT NOTE:
+#
+# THIS FILE IS MAYBE JUST ONE OF MANY CONFIGURATION FILES IN THIS DIRECTORY.
+# SETTINGS MADE IN OTHER FILES CAN OVERRIDE VALUES THAT YOU CHANGE HERE. GO
+# LOOK FOR OTHER CONFIGURATION FILES! CHECK THE MANUAL AND INSTALLATION NOTES
+# (like README.Debian) FOR MORE DETAILS!
+#
+
+# This is a configuration file for apt-cacher-ng, a smart caching proxy for
+# software package downloads. It's supposed to be in a directory specified by
+# the -c option of apt-cacher-ng, see apt-cacher-ng(8) for details.
+# RULES:
+# - letter case in variable names does not matter
+# - names and values are separated by colon or equals sign
+# - for boolean variables, zero means false, non-zero means true
+# - "default value" means built-in (!) defaults, i.e. something which the
+#   program uses if the option is not set here or in other config files.
+#   That value might be explicitly mentioned in the description. Where it is
+#   not, there is no reason to assume any of the examples to be the default
+#   value! In doubt, use acngtool to query the value of the particular variable.
+
+# Storage directory for downloaded data and related maintenance activity.
+#
+# Note: When the value for CacheDir is changed, change the file
+# /lib/systemd/system/apt-cacher-ng.service too
+#
+# CacheDir: /var/cache/apt-cacher-ng
+CacheDir: /mnt/evo/apt-cacher-ng
+
+# Log file directory, can be set empty to disable logging
+#
+LogDir: /var/log/apt-cacher-ng
+
+# A place to look for additional configuration and resource files if they are not
+# found in the configuration directory
+#
+SupportDir: /usr/lib/apt-cacher-ng
+
+# TCP server port for incoming http (or HTTP proxy) connections.
+# Can be set to 9999 to emulate apt-proxy. Value of 0 turns off TCP server
+# (SocketPath must be set in this case).
+#
+# Port:3142
+
+# Addresses or hostnames to listen on. Multiple addresses must be separated by
+# spaces. Each entry must be an exact local address which is associated with a
+# local interface. DNS resolution is performed using getaddrinfo(3) for all
+# available protocols (IPv4, IPv6, ...). Using a protocol specific format will
+# create binding(s) only on protocol specific socket(s), e.g. 0.0.0.0 will
+# listen only to IPv4.
+#
+# Default: listens on all interfaces and protocols
+#
+# BindAddress: localhost 192.168.7.254 publicNameOnMainInterface
+
+# The specification of another HTTP proxy which shall be used for downloads.
+# It can include user name and password but see the manual for limitations.
+#
+# Default: uses direct connection
+#
+# Proxy: http://www-proxy.example.net:3128
+# Proxy: https://username:proxypassword@proxy.example.net:3129
+
+# Repository remapping. See manual for details.
+# In this example, some backends files might be generated during package
+# installation using information collected on the system.
+# Examples:
+Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
+Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
+Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here
+Remap-sfnet:  file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
+Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
+Remap-fedora: file:fedora_mirrors # Fedora Linux
+Remap-epel:   file:epel_mirrors # Fedora EPEL
+Remap-slrep:  file:sl_mirrors # Scientific Linux
+Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
+Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-security
+
+# Virtual page accessible in a web browser to see statistics and status
+# information, i.e. under http://localhost:3142/acng-report.html
+# NOTE: This option must be configured to run maintenance jobs (even when used
+# via acngtool in cron scripts). The AdminAuth option can be used to restrict
+# access to sensitive areas on that page.
+#
+# Default: not set, should be set by the system administrator
+#
+ReportPage: acng-report.html
+
+# Socket file for accessing through local UNIX socket instead of TCP/IP. Can be
+# used with inetd (via bridge tool in.acng from apt-cacher-ng package), is also
+# used internally for administrative purposes.
+#
+# Default: /run/apt-cacher-ng/socket
+#
+# SocketPath: /var/run/apt-cacher-ng/socket
+
+# If set to 1, makes log files be written to disk on every new line. Default
+# is 0, buffers are flushed after the client disconnects. Technically,
+# it's a convenience alias for the Debug option, see below for details.
+#
+# UnbufferLogs: 0
+
+# Enables extended client information in log entries. When set to 0, only
+# activity type, time and transfer sizes are logged.
+#
+# VerboseLog: 1
+
+# Don't detach from the starting console.
+#
+# ForeGround: 0
+
+# Store the pid of the daemon process in the specified text file.
+# Default: disabled
+#
+# PidFile: /var/run/apt-cacher-ng/pid
+
+# Forbid outgoing connections and work without an internet connection or
+# respond with 503 error where it's not possible.
+#
+# Offlinemode: 0
+
+# Forbid downloads from locations that are directly specified in the user
+# request, i.e. all downloads must be processed by the preconfigured remapping
+# backends (see above).
+#
+# ForceManaged: 0
+
+# Days before considering an unreferenced file expired (to be deleted).
+# WARNING: if the value is set too low and particular index files are not
+# available for some days (mirror downtime) then there is a risk of removal of
+# still useful package files.
+#
+ExThreshold: 4
+
+# If the expiration is run daily, it sometimes does not make much sense to do
+# it because the expected changes (i.e. removal of expired files) don't justify
+# the extra processing time or additional downloads for expiration operation
+# itself. This discrepancy might be especially worse if the local client
+# installations are small or are rarely updated but the daily changes of
+# the remote archive metadata are heavy.
+#
+# The following option enables a possible trade-off: the expiration run is
+# suppressed until a certain amount of data has been downloaded through
+# apt-cacher-ng since the last expiration execution (which might indicate that
+# packages were replaced with newer versions).
+#
+# The number can have a suffix (k,K,m,M for Kb,KiB,Mb,MiB)
+#
+# ExStartTradeOff: 500m
+
+# Stop expiration when a critical problem appears, issue like a failed update
+# of an index file in the preparation step.
+#
+# WARNING: don't set this option to zero or empty without considering possible
+# consequences like a sudden and complete cache data loss.
+#
+# ExAbortOnProblems: 1
+
+# Number of failed nightly expiration runs which are considered acceptable and
+# do not trigger an error notification to the admin (e.g. via daily cron job)
+# before the (day) count is reached. Might be useful with whacky internet
+# connections.
+#
+# Default: a guessed value, 1 if ExThreshold is 5 or more, 0 otherwise.
+#
+# ExSuppressAdminNotification: 1
+
+# Modify file names to work around limitations of some file systems.
+# WARNING: experimental feature, subject to change
+#
+# StupidFs: 0
+
+# Experimental feature for apt-listbugs: pass-through SOAP requests and
+# responses to/from bugs.debian.org.
+# Default: guessed value, true unless ForceManaged is enabled
+#
+# ForwardBtsSoap: 1
+
+# There is a small in-memory cache for DNS resolution data, expired by
+# this timeout (in seconds). Internal caching is disabled if set to a value
+# less than zero.
+#
+# DnsCacheSeconds: 1800
+
+###############################################################################
+#
+# WARNING: don't modify thread and file matching parameters without a clear
+# idea of what is happening behind the scene!
+#
+# Max. count of connection threads kept ready (for faster response in the
+# future). Should be a sane value between 0 and average number of connections,
+# and depend on the amount of spare RAM.
+# MaxStandbyConThreads: 8
+#
+# Hard limit of active thread count for incoming connections, i.e. operation
+# is refused when this value is reached (below zero = unlimited).
+# MaxConThreads: -1
+#
+# Timeout for a forced disconnect in cases where a client connection is about
+# to be closed but remote refuses to confirm the disconnect request. Setting
+# this to a lower value mitigates the effects of resource starvation in case of
+# a DOS attack but increases the risk of failing to flush the remaining portion
+# of data.
+# DisconnectTimeout: 15
+
+# By default, if a remote suddenly reconnects, ACNG tries at least two times to
+# redownload from the same or different location (if known).
+# DlMaxRetries: 2
+
+# Pigeonholing files (like static vs. volatile contents) is done by (extended)
+# regular expressions.
+#
+# The following patterns are available for the purposes detailed, where
+# the latter takes precedence over the former:
+# - «PFilePattern» for static data that doesn't change silently on the server.
+# - «VFilePattern» for volatile data that may change like every hour. Files
+#   that match both PFilePattern and VfilePattern will be treated as volatile.
+# - Static data with file names that match VFilePattern may be overriden being
+#   treated as volatile by making it match the special static data pattern,
+#   «SPfilePattern».
+# - «SVfilePattern» or the "special volatile data" pattern is for the
+#   convenience of specifying any exceptions to matches with SPfilePattern,
+#   for cases where data must still be treated as volatile.
+# - «WfilePattern» specifies a "whitelist pattern" for the regular expiration
+#   job, telling it to keep the files even if they are not referenced by
+#   others, like crypto signatures with which clients begin their downloads.
+#
+# There are two versions. The pattern variables mentioned above should not be
+# set without good reason, because they would override the built-in defaults
+# (that might impact updates to future versions of apt-cacher-ng). There are
+# also versions of those patterns ending with Ex, which may be modified by the
+# local administrator. They are evaluated in addition to the regular patterns
+# at runtime.
+#
+# To see examples of the expected syntax, run: apt-cacher-ng -p debug=1
+#
+# PfilePatternEx:
+# VfilePatternEx:
+# SPfilePatternEx:
+# SVfilePatternEx:
+# WfilePatternEx:
+#
+###############################################################################
+
+# A bitmask type value declaring the loging verbosity and behavior of the error
+# log writing. Non-zero value triggers at least faster log file flushing.
+#
+# Some higher bits only working with a special debug build of apt-cacher-ng,
+# see the manual for details.
+#
+# WARNING: this can write significant amount of data into apt-cacher.err logfile.
+#
+# Default: 0
+#
+# Debug:3
+
+# Usually, general purpose proxies like Squid expose the IP address of the
+# client user to the remote server using the X-Forwarded-For HTTP header. This
+# behaviour can be optionally turned on with the Expose-Origin option.
+#
+# ExposeOrigin: 0
+
+# When logging the originating IP address, trust the information supplied by
+# the client in the X-Forwarded-For header.
+#
+# LogSubmittedOrigin: 0
+
+# The version string reported to the peer, to be displayed as HTTP client (and
+# version) in the logs of the mirror.
+#
+# WARNING: Expect side effects! Some archives use this header to guess
+# capabilities of the client (i.e. allow redirection and/or https links) and
+# change their behaviour accordingly but ACNG might not support the expected
+# features.
+#
+# Default:
+#
+# UserAgent: Yet Another HTTP Client/1.2.3p4
+
+# In some cases the Import and Expiration tasks might create fresh volatile
+# data for internal use by reconstructing them using patch files. This
+# by-product might be recompressed with bzip2 and with some luck the resulting
+# file becomes identical to the *.bz2 file on the server which can be used by
+# APT when requesting a complete version of this file.
+# The downside of this feature is higher CPU load on the server during
+# the maintenance tasks, and the outcome might have not much value in a LAN
+# where all clients update their data often and regularly and therefore usually
+# don't need the full version of the index file.
+#
+# RecompBz2: 0
+
+# Network timeout for outgoing connections, in seconds.
+#
+# NetworkTimeout: 40
+
+# Fast fallback timeout, in seconds. This is the time to wait before
+# alternative target addresses for a client connection are tried, which can be
+# usefull for quick fallback to IPv4 in case of whacky IPv6 configuration.
+#
+# FastTimeout = 4
+
+# Sometimes it makes sense to not store the data in cache and just return the
+# package data to client while it comes in. The following DontCache* parameters
+# can enable this behaviour for certain URL types. The tokens are extended
+# regular expressions which the URLs are evaluated against.
+#
+# DontCacheRequested is applied to the URL as it comes in from the client.
+# Example: exclude packages built with kernel-package for x86
+# DontCacheRequested: linux-.*_10\...\.Custo._i386
+# Example usecase: exclude popular private IP ranges from caching
+# DontCacheRequested: 192.168.0 ^10\..* 172.30
+#
+# DontCacheResolved is applied to URLs after mapping to the target server. If
+# multiple backend servers are specified then it's only matched against the
+# download link for the FIRST possible source (due to implementation limits).
+#
+# Example usecase: all Ubuntu stuff comes from a local mirror (specified as
+# backend), don't cache it again:
+# DontCacheResolved: ubuntumirror.local.net
+#
+# DontCache directive sets (overrides) both, DontCacheResolved and
+# DontCacheRequested.  Provided for convenience, see those directives for
+# details.
+#
+# Example:
+# DontCache: .*.local.university.int
+
+# Default permission set of freshly created files and directories, as octal
+# numbers (see chmod(1) for details).
+# Can by limited by the umask value (see umask(2) for details) if it's set in
+# the environment of the starting shell, e.g. in apt-cacher-ng init script or
+# in its configuration file.
+#
+# DirPerms: 00755
+# FilePerms: 00664
+
+# It's possible to use use apt-cacher-ng as a regular web server with a limited
+# feature set, i.e. directory browsing, downloads of any files, Content-Type
+# based on /etc/mime.types, but without sorting, CGI execution, index page
+# redirection and other funny things.
+# To get this behavior, mappings between virtual directories and real
+# directories on the server must be defined with the LocalDirs directive.
+# Virtual and real directories are separated by spaces, multiple pairs are
+# separated by semi-colons. Real directories must be absolute paths.
+# NOTE: Since the names of that key directories share the same namespace as
+# repository names (see Remap-...) it is administrator's job to avoid conflicts
+# between them or explicitly create them.
+#
+# LocalDirs: woo /data/debarchive/woody ; hamm /data/debarchive/hamm
+LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
+
+# Precache a set of files referenced by specified index files. This can be used
+# to create a partial mirror usable for offline work. There are certain limits
+# and restrictions on the path specification, see manual and the cache control
+# web site for details. A list of (maybe) relevant index files could be
+# retrieved via "apt-get --print-uris update" on a client machine.
+#
+# Example:
+# PrecacheFor: debrep/dists/unstable/*/source/Sources* debrep/dists/unstable/*/binary-amd64/Packages*
+
+# Arbitrary set of data to append to request headers sent over the wire. Should
+# be a well formated HTTP headers part including newlines (DOS style) which
+# can be entered as escape sequences (\r\n).
+#
+# RequestAppendix: X-Tracking-Choice: do-not-track\r\n
+
+# Specifies the IP protocol families to use for remote connections. Order does
+# matter, first specified are considered first. Possible combinations:
+# v6 v4
+# v4 v6
+# v6
+# v4
+# Default: use native order of the system's TCP/IP stack, influenced by the
+# BindAddress value.
+#
+# ConnectProto: v6 v4
+
+# Regular expiration algorithm finds package files which are no longer listed
+# in any index file and removes them of them after a safety period.
+# This option allows to keep more versions of a package in the cache after
+# the safety period is over.
+#
+# KeepExtraVersions: 0
+
+# Optionally uses TCP access control provided by libwrap, see hosts_access(5)
+# for details. Daemon name is apt-cacher-ng.
+#
+# Default: guessed on startup by looking for explicit mention of apt-cacher-ng
+# in /etc/hosts.allow or /etc/hosts.deny files.
+#
+# UseWrap: 0
+
+# If many machines from the same local network attempt to update index files
+# (apt-get update) at nearly the same time, the known state of these index file
+# is temporarily frozen and multiple requests receive the cached response
+# without contacting the remote server again. This parameter (in seconds)
+# specifies the length of this period before these (volatile) files are
+# considered outdated.
+# Setting this value too low transfers more data and increases remote server
+# load, setting this too high (more than a couple of minutes) increases the
+# risk of delivering inconsistent responses to the clients.
+#
+# FreshIndexMaxAge: 27
+
+# Usually the users are not allowed to specify custom TCP ports of remote
+# mirrors in the requests, only the default HTTP port can be used (as
+# workaround, proxy administrator can create Remap- rules with custom ports).
+# This restriction can be disabled by specifying a list of allowed ports or 0
+# for any port.
+#
+# AllowUserPorts: 80
+
+# Normally the HTTP redirection responses are forwarded to the original caller
+# (i.e. APT) which starts a new download attempt from the new URL. This
+# solution is ok for client configurations with proxy mode but doesn't work
+# well with configurations using URL prefixes in sources.list. To work around
+# this the server can restart its own download with a redirection URL,
+# configured with the following option. The downside is that this might be used
+# to circumvent download source policies by malicious users.
+# The RedirMax option specifies how many such redirects the server is allowed
+# to follow per request, 0 disables the internal redirection.
+# Default: guessed on startup, 0 if ForceManaged is used and 5 otherwise.
+#
+# RedirMax: 5
+
+# There some broken HTTP servers and proxy servers in the wild which don't
+# support the If-Range header correctly and return incorrect data when the
+# contents of a (volatile) file changed. Setting VfileUseRangeOps to zero
+# disables Range-based requests while retrieving volatile files, using
+# If-Modified-Since and requesting the complete file instead. Setting it to
+# a negative value removes even If-Modified-Since headers.
+#
+# VfileUseRangeOps: 1
+
+# Allow data pass-through mode for certain hosts when requested by the client
+# using a CONNECT request. This is particularly useful to allow access to SSL
+# sites (https proxying). The string is a regular expression which should cover
+# the server name with port and must be correctly formated and terminated.
+# Examples:
+# PassThroughPattern: private-ppa\.launchpad\.net:443$
+# PassThroughPattern: .* # this would allow CONNECT to everything
+#
+# Default: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
+# PassThroughPattern: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
+
+# It's possible that an evil client requests a volatile file but does not
+# retrieve the response and keeps the connection effectively stuck over
+# many hours, blocking the particular file for other download attempts (which
+# leads to not reporting file changes on server side to other users). The work
+# around is the use of alternative file descriptors inside of apt-cacher-ng,
+# however this might cost some extra download traffic due to worse cache usage.
+# The ResponseFreezeDetectTime value specifies when a file descriptor in the
+# mentioned state is to be considered defect and will require special handling.
+# Default time is 500 seconds.
+#
+# ResponseFreezeDetectTime: 500
+
+# Keep outgoing connections alive and reuse them for later downloads from
+# the same server as long as possible.
+#
+# ReuseConnections: 1
+
+# Maximum number of requests sent in a batch to remote servers before the first
+# response is expected. Using higher values can greatly improve average
+# throughput depending on network latency and the implementation of remote
+# servers. Makes most sense when also enabled on the client side, see apt.conf
+# documentation for details.
+#
+# Default: 10 if ReuseConnections is set, 1 otherwise
+#
+# PipelineDepth: 10
+
+# Path to the system directory containing trusted CA certificates used for
+# outgoing connections, see OpenSSL documentation for details.
+#
+# CApath: /etc/ssl/certs
+#
+# Path to a single trusted trusted CA certificate used for outgoing
+# connections, see OpenSSL documentation for details.
+#
+# CAfile:
+
+# There are different ways to detect that an upstream proxy is broken and turn
+# off its use and connect directly. The first is through a custom command -
+# when it returns successfully, the proxy is used, otherwise not and the
+# command will be rerun only after a specified period.
+# Another way is to try to connect to the proxy first and detect a connection
+# timeout. The connection will then be made without HTTP proxy for the life
+# time of the particular download stream and it may also affect other other
+# parallel downloads.
+# NOTE: this operation modes are still experimental and are subject to change!
+# Unwanted side effects may occur with multiple simultaneous user connections
+# or with specific per-repository proxy settings.
+#
+# Shell command, default: not set. Executed with the default shell and
+# permissions of the apt-cacher-ng's process user. Examples:
+# /bin/ip route | grep -q 192.168.117
+# /usr/sbin/arp | grep -q 00:22:1f:51:8e:c1
+#
+# OptProxyCheckCommand: ...
+#
+# Check intervall, in seconds.
+#
+# OptProxyCheckInterval: 99
+#
+# Conection timeout in seconds, default: negative, means disabled.
+#
+# OptProxyTimeout: -1
+
+# It's possible to limit the processing speed of download agents to set an
+# overall download speed limit. Unit: KiB/s, Default: unlimited.
+#
+# MaxDlSpeed: 500
+
+# In special corner cases, download clients attempt to download random chunks
+# of a files headers, i.e. the first kilobytes. The "don't get client stuck"
+# policy converts this usually to a 200 response starting the body from the
+# beginning but that confuses some clients. When this option is set to a
+# certain value, this modifies the behaviour and allows to start a file
+# download where the distance between available data and the specified range
+# lies within that bounds. This can look like random lag for the user but
+# should be harmless apart from that.
+#
+# MaxInresponsiveDlSize: 64000
+
+# In mobile environments having an adhoc connection with a redirection to some
+# id verification side, this redirect might damage the cache since the data is
+# involuntarily stored as package data. There is a mechanism which attempts to
+# detect a such situation and mitigate the mentioned effects by not storing the
+# data and also dropping the DNS cache. The trigger is the occurrence of a
+# specific SUBSTRING in the content type field of the final download target
+# (i.e. the auth web site) and at least one followed redirection.
+#
+# BadRedirDetectMime: text/html
+
+# When a BUS signal is received (typically on IO errors), a shell command can be
+# executed before the daemon is terminated.
+# Example:
+# BusAction: ls -l /proc/$PPID/ | mail -s SIGBUS! root
+
+# Only set this value for debugging purposes. It disables SSL security checks
+# like strict host verification. 0 means no, any other value can have
+# differrent meaning in the future.
+#
+# NoSSLChecks: 0
+
+# Setting this value means: on file downloads from/via cache, tag relevant
+# files. And when acngtool runs the shrink command, it will look at the day
+# when the file was retrieved from cache last time (and not when it was
+# originally downloaded).
+#
+# TrackFileUse: 0
+
+# Controls preallocation of file system space where this feature is supported.
+# This might reduce disk fragmentation and therefore improve later read
+# performance. However, write performance can be reduced which could be
+# exploited by malicious users.
+# The value defines a size limit of how much to report to the OS as expected
+# file size (starting from the beginning of the file).
+# Set to zero to disable this feature completely. Default: one megabyte
+#
+# ReserveSpace: 1048576
diff --git a/conf/tn/etc/locale.gen b/conf/tn/etc/locale.gen
new file mode 100644
index 00000000..a7d06a74
--- /dev/null
+++ b/conf/tn/etc/locale.gen
@@ -0,0 +1,501 @@
+# This file lists locales that you wish to have built. You can find a list
+# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add
+# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change
+# this file, you need to rerun locale-gen.
+
+
+# aa_DJ ISO-8859-1
+# aa_DJ.UTF-8 UTF-8
+# aa_ER UTF-8
+# aa_ER@saaho UTF-8
+# aa_ET UTF-8
+# af_ZA ISO-8859-1
+# af_ZA.UTF-8 UTF-8
+# agr_PE UTF-8
+# ak_GH UTF-8
+# am_ET UTF-8
+# an_ES ISO-8859-15
+# an_ES.UTF-8 UTF-8
+# anp_IN UTF-8
+# ar_AE ISO-8859-6
+# ar_AE.UTF-8 UTF-8
+# ar_BH ISO-8859-6
+# ar_BH.UTF-8 UTF-8
+# ar_DZ ISO-8859-6
+# ar_DZ.UTF-8 UTF-8
+# ar_EG ISO-8859-6
+# ar_EG.UTF-8 UTF-8
+# ar_IN UTF-8
+# ar_IQ ISO-8859-6
+# ar_IQ.UTF-8 UTF-8
+# ar_JO ISO-8859-6
+# ar_JO.UTF-8 UTF-8
+# ar_KW ISO-8859-6
+# ar_KW.UTF-8 UTF-8
+# ar_LB ISO-8859-6
+# ar_LB.UTF-8 UTF-8
+# ar_LY ISO-8859-6
+# ar_LY.UTF-8 UTF-8
+# ar_MA ISO-8859-6
+# ar_MA.UTF-8 UTF-8
+# ar_OM ISO-8859-6
+# ar_OM.UTF-8 UTF-8
+# ar_QA ISO-8859-6
+# ar_QA.UTF-8 UTF-8
+# ar_SA ISO-8859-6
+# ar_SA.UTF-8 UTF-8
+# ar_SD ISO-8859-6
+# ar_SD.UTF-8 UTF-8
+# ar_SS UTF-8
+# ar_SY ISO-8859-6
+# ar_SY.UTF-8 UTF-8
+# ar_TN ISO-8859-6
+# ar_TN.UTF-8 UTF-8
+# ar_YE ISO-8859-6
+# ar_YE.UTF-8 UTF-8
+# as_IN UTF-8
+# ast_ES ISO-8859-15
+# ast_ES.UTF-8 UTF-8
+# ayc_PE UTF-8
+# az_AZ UTF-8
+# az_IR UTF-8
+# be_BY CP1251
+# be_BY.UTF-8 UTF-8
+# be_BY@latin UTF-8
+# bem_ZM UTF-8
+# ber_DZ UTF-8
+# ber_MA UTF-8
+# bg_BG CP1251
+# bg_BG.UTF-8 UTF-8
+# bhb_IN.UTF-8 UTF-8
+# bho_IN UTF-8
+# bho_NP UTF-8
+# bi_VU UTF-8
+# bn_BD UTF-8
+# bn_IN UTF-8
+# bo_CN UTF-8
+# bo_IN UTF-8
+# br_FR ISO-8859-1
+# br_FR.UTF-8 UTF-8
+# br_FR@euro ISO-8859-15
+# brx_IN UTF-8
+# bs_BA ISO-8859-2
+# bs_BA.UTF-8 UTF-8
+# byn_ER UTF-8
+# ca_AD ISO-8859-15
+# ca_AD.UTF-8 UTF-8
+# ca_ES ISO-8859-1
+# ca_ES.UTF-8 UTF-8
+# ca_ES@euro ISO-8859-15
+# ca_ES@valencia UTF-8
+# ca_FR ISO-8859-15
+# ca_FR.UTF-8 UTF-8
+# ca_IT ISO-8859-15
+# ca_IT.UTF-8 UTF-8
+# ce_RU UTF-8
+# chr_US UTF-8
+# cmn_TW UTF-8
+# crh_UA UTF-8
+# cs_CZ ISO-8859-2
+# cs_CZ.UTF-8 UTF-8
+# csb_PL UTF-8
+# cv_RU UTF-8
+# cy_GB ISO-8859-14
+# cy_GB.UTF-8 UTF-8
+# da_DK ISO-8859-1
+# da_DK.UTF-8 UTF-8
+# de_AT ISO-8859-1
+# de_AT.UTF-8 UTF-8
+# de_AT@euro ISO-8859-15
+# de_BE ISO-8859-1
+# de_BE.UTF-8 UTF-8
+# de_BE@euro ISO-8859-15
+# de_CH ISO-8859-1
+# de_CH.UTF-8 UTF-8
+# de_DE ISO-8859-1
+# de_DE.UTF-8 UTF-8
+# de_DE@euro ISO-8859-15
+# de_IT ISO-8859-1
+# de_IT.UTF-8 UTF-8
+# de_LI.UTF-8 UTF-8
+# de_LU ISO-8859-1
+# de_LU.UTF-8 UTF-8
+# de_LU@euro ISO-8859-15
+# doi_IN UTF-8
+# dsb_DE UTF-8
+# dv_MV UTF-8
+# dz_BT UTF-8
+# el_CY ISO-8859-7
+# el_CY.UTF-8 UTF-8
+# el_GR ISO-8859-7
+# el_GR.UTF-8 UTF-8
+# el_GR@euro ISO-8859-7
+# en_AG UTF-8
+# en_AU ISO-8859-1
+# en_AU.UTF-8 UTF-8
+# en_BW ISO-8859-1
+# en_BW.UTF-8 UTF-8
+# en_CA ISO-8859-1
+# en_CA.UTF-8 UTF-8
+# en_DK ISO-8859-1
+# en_DK.ISO-8859-15 ISO-8859-15
+# en_DK.UTF-8 UTF-8
+# en_GB ISO-8859-1
+# en_GB.ISO-8859-15 ISO-8859-15
+en_GB.UTF-8 UTF-8
+# en_HK ISO-8859-1
+# en_HK.UTF-8 UTF-8
+# en_IE ISO-8859-1
+# en_IE.UTF-8 UTF-8
+# en_IE@euro ISO-8859-15
+# en_IL UTF-8
+# en_IN UTF-8
+# en_NG UTF-8
+# en_NZ ISO-8859-1
+# en_NZ.UTF-8 UTF-8
+# en_PH ISO-8859-1
+# en_PH.UTF-8 UTF-8
+# en_SC.UTF-8 UTF-8
+# en_SG ISO-8859-1
+# en_SG.UTF-8 UTF-8
+# en_US ISO-8859-1
+# en_US.ISO-8859-15 ISO-8859-15
+en_US.UTF-8 UTF-8
+# en_ZA ISO-8859-1
+# en_ZA.UTF-8 UTF-8
+# en_ZM UTF-8
+# en_ZW ISO-8859-1
+# en_ZW.UTF-8 UTF-8
+# eo UTF-8
+# es_AR ISO-8859-1
+# es_AR.UTF-8 UTF-8
+# es_BO ISO-8859-1
+# es_BO.UTF-8 UTF-8
+# es_CL ISO-8859-1
+# es_CL.UTF-8 UTF-8
+# es_CO ISO-8859-1
+# es_CO.UTF-8 UTF-8
+# es_CR ISO-8859-1
+# es_CR.UTF-8 UTF-8
+# es_CU UTF-8
+# es_DO ISO-8859-1
+# es_DO.UTF-8 UTF-8
+# es_EC ISO-8859-1
+# es_EC.UTF-8 UTF-8
+# es_ES ISO-8859-1
+# es_ES.UTF-8 UTF-8
+# es_ES@euro ISO-8859-15
+# es_GT ISO-8859-1
+# es_GT.UTF-8 UTF-8
+# es_HN ISO-8859-1
+# es_HN.UTF-8 UTF-8
+# es_MX ISO-8859-1
+# es_MX.UTF-8 UTF-8
+# es_NI ISO-8859-1
+# es_NI.UTF-8 UTF-8
+# es_PA ISO-8859-1
+# es_PA.UTF-8 UTF-8
+# es_PE ISO-8859-1
+# es_PE.UTF-8 UTF-8
+# es_PR ISO-8859-1
+# es_PR.UTF-8 UTF-8
+# es_PY ISO-8859-1
+# es_PY.UTF-8 UTF-8
+# es_SV ISO-8859-1
+# es_SV.UTF-8 UTF-8
+# es_US ISO-8859-1
+# es_US.UTF-8 UTF-8
+# es_UY ISO-8859-1
+# es_UY.UTF-8 UTF-8
+# es_VE ISO-8859-1
+# es_VE.UTF-8 UTF-8
+# et_EE ISO-8859-1
+# et_EE.ISO-8859-15 ISO-8859-15
+# et_EE.UTF-8 UTF-8
+# eu_ES ISO-8859-1
+# eu_ES.UTF-8 UTF-8
+# eu_ES@euro ISO-8859-15
+# eu_FR ISO-8859-1
+# eu_FR.UTF-8 UTF-8
+# eu_FR@euro ISO-8859-15
+# fa_IR UTF-8
+# ff_SN UTF-8
+# fi_FI ISO-8859-1
+# fi_FI.UTF-8 UTF-8
+# fi_FI@euro ISO-8859-15
+# fil_PH UTF-8
+# fo_FO ISO-8859-1
+# fo_FO.UTF-8 UTF-8
+# fr_BE ISO-8859-1
+# fr_BE.UTF-8 UTF-8
+# fr_BE@euro ISO-8859-15
+# fr_CA ISO-8859-1
+# fr_CA.UTF-8 UTF-8
+# fr_CH ISO-8859-1
+# fr_CH.UTF-8 UTF-8
+# fr_FR ISO-8859-1
+# fr_FR.UTF-8 UTF-8
+# fr_FR@euro ISO-8859-15
+# fr_LU ISO-8859-1
+# fr_LU.UTF-8 UTF-8
+# fr_LU@euro ISO-8859-15
+# fur_IT UTF-8
+# fy_DE UTF-8
+# fy_NL UTF-8
+# ga_IE ISO-8859-1
+# ga_IE.UTF-8 UTF-8
+# ga_IE@euro ISO-8859-15
+# gd_GB ISO-8859-15
+# gd_GB.UTF-8 UTF-8
+# gez_ER UTF-8
+# gez_ER@abegede UTF-8
+# gez_ET UTF-8
+# gez_ET@abegede UTF-8
+# gl_ES ISO-8859-1
+# gl_ES.UTF-8 UTF-8
+# gl_ES@euro ISO-8859-15
+# gu_IN UTF-8
+# gv_GB ISO-8859-1
+# gv_GB.UTF-8 UTF-8
+# ha_NG UTF-8
+# hak_TW UTF-8
+# he_IL ISO-8859-8
+# he_IL.UTF-8 UTF-8
+# hi_IN UTF-8
+# hif_FJ UTF-8
+# hne_IN UTF-8
+# hr_HR ISO-8859-2
+# hr_HR.UTF-8 UTF-8
+# hsb_DE ISO-8859-2
+# hsb_DE.UTF-8 UTF-8
+# ht_HT UTF-8
+# hu_HU ISO-8859-2
+# hu_HU.UTF-8 UTF-8
+# hy_AM UTF-8
+# hy_AM.ARMSCII-8 ARMSCII-8
+# ia_FR UTF-8
+# id_ID ISO-8859-1
+# id_ID.UTF-8 UTF-8
+# ig_NG UTF-8
+# ik_CA UTF-8
+# is_IS ISO-8859-1
+# is_IS.UTF-8 UTF-8
+# it_CH ISO-8859-1
+# it_CH.UTF-8 UTF-8
+# it_IT ISO-8859-1
+# it_IT.UTF-8 UTF-8
+# it_IT@euro ISO-8859-15
+# iu_CA UTF-8
+# ja_JP.EUC-JP EUC-JP
+# ja_JP.UTF-8 UTF-8
+# ka_GE GEORGIAN-PS
+# ka_GE.UTF-8 UTF-8
+# kab_DZ UTF-8
+# kk_KZ PT154
+# kk_KZ.RK1048 RK1048
+# kk_KZ.UTF-8 UTF-8
+# kl_GL ISO-8859-1
+# kl_GL.UTF-8 UTF-8
+# km_KH UTF-8
+# kn_IN UTF-8
+# ko_KR.EUC-KR EUC-KR
+# ko_KR.UTF-8 UTF-8
+# kok_IN UTF-8
+# ks_IN UTF-8
+# ks_IN@devanagari UTF-8
+# ku_TR ISO-8859-9
+# ku_TR.UTF-8 UTF-8
+# kw_GB ISO-8859-1
+# kw_GB.UTF-8 UTF-8
+# ky_KG UTF-8
+# lb_LU UTF-8
+# lg_UG ISO-8859-10
+# lg_UG.UTF-8 UTF-8
+# li_BE UTF-8
+# li_NL UTF-8
+# lij_IT UTF-8
+# ln_CD UTF-8
+# lo_LA UTF-8
+# lt_LT ISO-8859-13
+# lt_LT.UTF-8 UTF-8
+# lv_LV ISO-8859-13
+# lv_LV.UTF-8 UTF-8
+# lzh_TW UTF-8
+# mag_IN UTF-8
+# mai_IN UTF-8
+# mai_NP UTF-8
+# mfe_MU UTF-8
+# mg_MG ISO-8859-15
+# mg_MG.UTF-8 UTF-8
+# mhr_RU UTF-8
+# mi_NZ ISO-8859-13
+# mi_NZ.UTF-8 UTF-8
+# miq_NI UTF-8
+# mjw_IN UTF-8
+# mk_MK ISO-8859-5
+# mk_MK.UTF-8 UTF-8
+# ml_IN UTF-8
+# mn_MN UTF-8
+# mni_IN UTF-8
+# mr_IN UTF-8
+# ms_MY ISO-8859-1
+# ms_MY.UTF-8 UTF-8
+# mt_MT ISO-8859-3
+# mt_MT.UTF-8 UTF-8
+# my_MM UTF-8
+# nan_TW UTF-8
+# nan_TW@latin UTF-8
+# nb_NO ISO-8859-1
+# nb_NO.UTF-8 UTF-8
+# nds_DE UTF-8
+# nds_NL UTF-8
+# ne_NP UTF-8
+# nhn_MX UTF-8
+# niu_NU UTF-8
+# niu_NZ UTF-8
+# nl_AW UTF-8
+# nl_BE ISO-8859-1
+# nl_BE.UTF-8 UTF-8
+# nl_BE@euro ISO-8859-15
+# nl_NL ISO-8859-1
+# nl_NL.UTF-8 UTF-8
+# nl_NL@euro ISO-8859-15
+# nn_NO ISO-8859-1
+# nn_NO.UTF-8 UTF-8
+# nr_ZA UTF-8
+# nso_ZA UTF-8
+# oc_FR ISO-8859-1
+# oc_FR.UTF-8 UTF-8
+# om_ET UTF-8
+# om_KE ISO-8859-1
+# om_KE.UTF-8 UTF-8
+# or_IN UTF-8
+# os_RU UTF-8
+# pa_IN UTF-8
+# pa_PK UTF-8
+# pap_AW UTF-8
+# pap_CW UTF-8
+# pl_PL ISO-8859-2
+# pl_PL.UTF-8 UTF-8
+# ps_AF UTF-8
+# pt_BR ISO-8859-1
+# pt_BR.UTF-8 UTF-8
+# pt_PT ISO-8859-1
+# pt_PT.UTF-8 UTF-8
+# pt_PT@euro ISO-8859-15
+# quz_PE UTF-8
+# raj_IN UTF-8
+# ro_RO ISO-8859-2
+# ro_RO.UTF-8 UTF-8
+# ru_RU ISO-8859-5
+# ru_RU.CP1251 CP1251
+# ru_RU.KOI8-R KOI8-R
+# ru_RU.UTF-8 UTF-8
+# ru_UA KOI8-U
+# ru_UA.UTF-8 UTF-8
+# rw_RW UTF-8
+# sa_IN UTF-8
+# sah_RU UTF-8
+# sat_IN UTF-8
+# sc_IT UTF-8
+# sd_IN UTF-8
+# sd_IN@devanagari UTF-8
+# se_NO UTF-8
+# sgs_LT UTF-8
+# shn_MM UTF-8
+# shs_CA UTF-8
+# si_LK UTF-8
+# sid_ET UTF-8
+# sk_SK ISO-8859-2
+# sk_SK.UTF-8 UTF-8
+# sl_SI ISO-8859-2
+# sl_SI.UTF-8 UTF-8
+# sm_WS UTF-8
+# so_DJ ISO-8859-1
+# so_DJ.UTF-8 UTF-8
+# so_ET UTF-8
+# so_KE ISO-8859-1
+# so_KE.UTF-8 UTF-8
+# so_SO ISO-8859-1
+# so_SO.UTF-8 UTF-8
+# sq_AL ISO-8859-1
+# sq_AL.UTF-8 UTF-8
+# sq_MK UTF-8
+# sr_ME UTF-8
+# sr_RS UTF-8
+# sr_RS@latin UTF-8
+# ss_ZA UTF-8
+# st_ZA ISO-8859-1
+# st_ZA.UTF-8 UTF-8
+# sv_FI ISO-8859-1
+# sv_FI.UTF-8 UTF-8
+# sv_FI@euro ISO-8859-15
+# sv_SE ISO-8859-1
+# sv_SE.ISO-8859-15 ISO-8859-15
+# sv_SE.UTF-8 UTF-8
+# sw_KE UTF-8
+# sw_TZ UTF-8
+# szl_PL UTF-8
+# ta_IN UTF-8
+# ta_LK UTF-8
+# tcy_IN.UTF-8 UTF-8
+# te_IN UTF-8
+# tg_TJ KOI8-T
+# tg_TJ.UTF-8 UTF-8
+# th_TH TIS-620
+# th_TH.UTF-8 UTF-8
+# the_NP UTF-8
+# ti_ER UTF-8
+# ti_ET UTF-8
+# tig_ER UTF-8
+# tk_TM UTF-8
+# tl_PH ISO-8859-1
+# tl_PH.UTF-8 UTF-8
+# tn_ZA UTF-8
+# to_TO UTF-8
+# tpi_PG UTF-8
+# tr_CY ISO-8859-9
+# tr_CY.UTF-8 UTF-8
+# tr_TR ISO-8859-9
+# tr_TR.UTF-8 UTF-8
+# ts_ZA UTF-8
+# tt_RU UTF-8
+# tt_RU@iqtelif UTF-8
+# ug_CN UTF-8
+# uk_UA KOI8-U
+# uk_UA.UTF-8 UTF-8
+# unm_US UTF-8
+# ur_IN UTF-8
+# ur_PK UTF-8
+# uz_UZ ISO-8859-1
+# uz_UZ.UTF-8 UTF-8
+# uz_UZ@cyrillic UTF-8
+# ve_ZA UTF-8
+# vi_VN UTF-8
+# wa_BE ISO-8859-1
+# wa_BE.UTF-8 UTF-8
+# wa_BE@euro ISO-8859-15
+# wae_CH UTF-8
+# wal_ET UTF-8
+# wo_SN UTF-8
+# xh_ZA ISO-8859-1
+# xh_ZA.UTF-8 UTF-8
+# yi_US CP1255
+# yi_US.UTF-8 UTF-8
+# yo_NG UTF-8
+# yue_HK UTF-8
+# yuw_PG UTF-8
+# zh_CN GB2312
+# zh_CN.GB18030 GB18030
+# zh_CN.GBK GBK
+# zh_CN.UTF-8 UTF-8
+# zh_HK BIG5-HKSCS
+# zh_HK.UTF-8 UTF-8
+# zh_SG GB2312
+# zh_SG.GBK GBK
+# zh_SG.UTF-8 UTF-8
+# zh_TW BIG5
+# zh_TW.EUC-TW EUC-TW
+# zh_TW.UTF-8 UTF-8
+# zu_ZA ISO-8859-1
+# zu_ZA.UTF-8 UTF-8
diff --git a/scale_build/bootstrap/bootstrapdir.py b/scale_build/bootstrap/bootstrapdir.py
index 4e771196..7b5806fc 100644
--- a/scale_build/bootstrap/bootstrapdir.py
+++ b/scale_build/bootstrap/bootstrapdir.py
@@ -60,6 +60,17 @@ def setup_impl(self):
         # We need to have gnupg installed before adding apt mirrors because apt-key needs it
         run(['chroot', self.chroot_basedir, 'apt', 'install', '-y', 'gnupg'])
 
+        self.logger.debug('Setting up apt-cacher')
+        os.makedirs(os.path.join(self.chroot_basedir, 'etc/apt/apt.conf.d'), exist_ok=True)
+        with open(os.path.join(self.chroot_basedir, 'etc/apt/apt.conf.d/02proxy'), 'w') as f:
+            f.write('Acquire::http::Proxy "http://192.168.0.3:3142";\n')
+
+        self.logger.debug('Adding ssh key to authorized file')
+        os.makedirs(os.path.join(self.chroot_basedir, 'root/.ssh'), exist_ok=True)
+        with open(os.path.join(self.chroot_basedir, 'root/.ssh/authorized_keys'), 'a+') as f:
+            f.write('''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClkokvZ7Rq75GcOvP65xlubdkMY3Ob81cNrsVg7dDJ/xJ5dmWDvEIpBelTskKDUyBrpcteq6RkmAomNvRe0M4I80syELRtlJULtfKBuA5bM0DXAd1+3kjVAi/VqH+7fNKxbMMZN1u3MaCbW31S3Hk3WMIYbZnkgfXmXauPfA6bWf6pKmpAVIezfUqbEaQRktbDzPb4G0pZmZs8N4hf8dxWnaRn0BRhRx/EUpCtgE+A0ESy1ZTN7SpsSlTYeqUx+PphSURnY+oNmwLR1ZsKqRiv69rmKBUZBOUH0vGvX6EFbcWPp/wJjsGeMrMI1hAyUuDoHEMZDPZgnycuS1HtfDTd waqar@Waqar's-mbp\n''')
+            f.write('''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrzF/xK6YVa0EEa9NFfJIHQyUq2VWSakHdQmvHyKiMxRm5MQ+2I/XdBw+QRAPEUThcCCC/1+Xb4YBHKWF1yIKMlvim2r1cuJgN+LlIJro9H/DjLcSCqZwp8WoDte7zEIpI36u2YNErH/bXDV3pMW/etXtL4KtLLUcHY8FjNzDXlsQZjVNiKMQk9c9tX8LmegOyLqa4j3Eyk30EqqZrKSthVs3NOuX+yVWeYmYW7srjnbMP+Iz3qkP0b3bTlomtQTZNME4bXmRti00u/bhq7YWR+G/2IcWHpVoAI3mUU2cR8u+WpNrYHJ1ocLogOKeVqYcxjr4zx96ADrC+kMwQwdPzF3fNdV1j99O7b+rmuRyBTTzWRepLuqlQAecY8+XB+OGpetk1VNuNocUzdwQZe1kPrmMsX5Kb29PjaA9V+lhpOdh0qce3YfhxrGh2+rNbpukIk6gZ6nU8TxfCO/j8mBFd4rF9xS+cYMuB/HUcpiAsea0PNXPnm9hUGH+i3SAbXM0= root@truenas.local\n''')
+
         # Save the correct repo in sources.list
         apt_sources = [f'deb {apt_repos["url"]} {apt_repos["distribution"]} {apt_repos["components"]}']
 
diff --git a/scale_build/image/update.py b/scale_build/image/update.py
index 75a43d84..fab20a98 100644
--- a/scale_build/image/update.py
+++ b/scale_build/image/update.py
@@ -1,3 +1,4 @@
+import distutils.dir_util
 import glob
 import itertools
 import logging
@@ -9,7 +10,7 @@
 from scale_build.config import SIGNING_KEY, SIGNING_PASSWORD
 from scale_build.utils.manifest import get_manifest
 from scale_build.utils.run import run
-from scale_build.utils.paths import CHROOT_BASEDIR, RELEASE_DIR, UPDATE_DIR
+from scale_build.utils.paths import CHROOT_BASEDIR, CUSTOM_TN, RELEASE_DIR, UPDATE_DIR
 
 from .bootstrap import umount_chroot_basedir
 from .manifest import build_manifest, build_release_manifest, get_version, update_file_path, update_file_checksum_path
@@ -137,6 +138,18 @@ def post_rootfs_setup():
         old_mode = os.stat(pkg_mgmt_disabled_path).st_mode
         os.chmod(pkg_mgmt_disabled_path, old_mode | executable_flag)
 
+    # Copy over custom tn setup
+    distutils.dir_util._path_created = {}
+    distutils.dir_util.copy_tree(CUSTOM_TN, CHROOT_BASEDIR, preserve_symlinks=True)
+
+    run_in_chroot(['locale-gen'])
+    run(['mkdir', '-p', os.path.join(CHROOT_BASEDIR, 'var/log/apt-cacher-ng')])
+    run(['chown', '-R', 'apt-cacher-ng:apt-cacher-ng', os.path.join(CHROOT_BASEDIR, 'var/log/apt-cacher-ng')])
+    run([
+        'chown', '-R', 'root:root', os.path.join(CHROOT_BASEDIR, 'root/.zshrc'),
+        os.path.join(CHROOT_BASEDIR, 'root/.oh-my-zsh'), os.path.join(CHROOT_BASEDIR, 'root/.zsh_history')
+    ])
+
 
 def custom_rootfs_setup():
     # Any kind of custom mangling of the built rootfs image can exist here
diff --git a/scale_build/utils/paths.py b/scale_build/utils/paths.py
index b46b1e15..a592b6ef 100644
--- a/scale_build/utils/paths.py
+++ b/scale_build/utils/paths.py
@@ -15,6 +15,7 @@
 CHROOT_BASEDIR = os.path.join(TMPFS, 'chroot')
 CHROOT_OVERLAY = os.path.join(TMPFS, 'chroot-overlay')
 CONF_GRUB = os.path.join(BUILDER_DIR, 'scripts/grub.cfg')
+CUSTOM_TN = os.path.join(BUILDER_DIR, 'conf/tn')
 DPKG_OVERLAY = os.path.join(TMP_DIR, 'dpkg-overlay')
 GIT_MANIFEST_PATH = os.path.join(LOG_DIR, 'GITMANIFEST')
 GIT_LOG_DIR_NAME = 'git'
diff --git a/update.sh b/update.sh
new file mode 100755
index 00000000..71722dea
--- /dev/null
+++ b/update.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+git fetch origin
+git reset --hard origin/proxy-waqar