--- /dev/null
+#! /bin/bash
+
+error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code
+
+# currently missing from bootstrap-vz:
+# init.d/generate-ssh-hostkeys (currently done in rc.local/CLOUD)
+
+ainsl -av /etc/sysctl.d/70-disable-ipv6.conf 'net.ipv6.conf.all.disable_ipv6 = 1'
+ainsl -av /etc/sysctl.d/70-disable-ipv6.conf 'net.ipv6.conf.lo.disable_ipv6 = 0'
+$ROOTCMD shadowconfig on
+sed -i -e 's/^#PasswordAuthentication yes/PasswordAuthentication no/' $target/etc/ssh/sshd_config
+sed -i -e 's/^PermitRootLogin .*/PermitRootLogin no/' $target/etc/ssh/sshd_config
+ainsl $target/etc/ssh/sshd_config 'ClientAliveInterval 420'
+
+rm -f $target/var/lib/apt/lists/*
+rm -f $target/etc/resolv.conf