-ssh root@faiserver rm -rf /srv/fai/config/\*
-scp -r /a/bin/fai/fai/config root@faiserver:/srv/fai
-ssh root@faiserver tee -a /srv/fai/config/class/DESKTOP.var <<EOF
-ROOTPW='$(cat /p/shadow/standard)'
+##### end command line parsing ########
+
+# i use faiserver as a dns alias, but ssh key is associated with
+# a canonical hostname and we will have ssh warning spam unless we
+# use it, so look it up just to avoid the warning spam.
+faiserver_host=$(/a/exe/chost $host) || faiserver_host=$host
+
+faiserver_addr=$(host $host | sed -rn 's/^\S+ has address //p;T;q' ||:)
+if ! ip a | grep "^ *inet.\? $faiserver_addr" &>/dev/null; then
+ rpre="-e 'ssh -F $HOME/.ssh/confighome' root@$faiserver_host:"
+ faiserver_shell="ssh -F $HOME/.ssh/confighome root@$faiserver_host"
+fi
+
+# these are gitignored.
+rsync -atL /home/iank/.ssh/authorized_keys fai/config/files/root/.ssh/authorized_keys/STANDARD
+# we hssh and ssh_filter_btrbk for the initial btrbk (alternatively, I could open up the
+# permissions in authorized_keys, but that just seems lazy)
+install --owner=iank --group=iank -d fai/config/files/usr/local/bin/hssh
+rsync -atL /a/bin/ds/hssh fai/config/files/usr/local/bin/hssh/STANDARD
+install --owner=iank --group=iank -d fai/config/files/usr/local/bin/ssh_filter_btrbk.sh
+rsync -atL /a/opt/btrbk/ssh_filter_btrbk.sh fai/config/files/usr/local/bin/ssh_filter_btrbk.sh/STANDARD
+
+rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config $rpre/srv
+
+# todo: automatically disable faiserver after a period so
+# these files are not available.
+
+if [[ $target ]]; then
+ if test -e /q/root/shadow/$target; then
+ shadowfile=shadow/$target # empty otherwise
+ fi
+ rsync -lpt --files-from=- /q/root $rpre/srv/fai/config/distro-install-common <<EOF
+luks/$target
+luks/host-$target
+$shadowfile