diff --git a/deployments/mediaServer/docker-compose.yml b/deployments/mediaServer/docker-compose.yml
index a84f0ec..c6febd7 100644
--- a/deployments/mediaServer/docker-compose.yml
+++ b/deployments/mediaServer/docker-compose.yml
@@ -72,3 +72,17 @@ services:
 - "/Volumes/usenet/audio/:/music"
 - "/Volumes/usenet/movies/:/movies"
 - "/Volumes/usenet/itunes-synology/iTunes Media/Automatically Add to iTunes.localized/:/itunes"
+ lazylibrarian:
+ image: "thraxis/lazylibrarian-calibre"
+ ports:
+ - "5299:5299"
+ restart: unless-stopped
+ environment:
+ PUID: 1000
+ PGID: 1000
+ TZ: America/Chicago
+ volumes:
+ - "/Users/josiah/Documents/apps/lazylibrarian:/config"
+ - "/Users/josiah/Downloads/usenet-complete/:/downloads"
+ - "/Volumes/usenet/book-library/books/:/books"
+ - "/Volumes/usenet/book-library/audiobooks:/audiobooks"
diff --git a/deployments/serverBuild/ipsec.conf b/deployments/serverBuild/ipsec.conf
index f8faa02..3509e5f 100644
--- a/deployments/serverBuild/ipsec.conf
+++ b/deployments/serverBuild/ipsec.conf
@@ -1,27 +1,23 @@
-
+# basic configuration
 config setup
- charondebug="ike 1, knl 1, cfg 0"
- uniqueids=no
+ charondebug="all"
+ uniqueids=yes
+ strictcrlpolicy=no
 
-conn ikev2-vpn
- auto=add
- compress=no
- type=tunnel
- keyexchange=ikev2
- fragmentation=yes
- forceencaps=yes
- dpdaction=clear
- dpddelay=300s
- rekey=no
- left=%any
- leftid=@vpn.awful.club
- leftcert=awful-server-cert.pem
- leftsendcert=always
- leftsubnet=0.0.0.0/0
- right=%any
- rightid=%any
- rightauth=eap-mschapv2
- rightsourceip=10.10.10.0/24
- rightdns=1.1.1.1,1.0.0.1
- rightsendcert=never
- eap_identity=%identity
+# connection to amsterdam datacenter
+conn home-to-digitalocean
+ authby=secret
+ left=%defaultroute
+ leftid=165.22.156.25
+ leftsubnet=10.138.0.0/16
+ right=0.0.0.0
+ rightsubnet=192.168.1.0/24
+ ike=aes256-sha2_256-modp1024!
+ esp=aes256-sha2_256!
+ keyingtries=0
+ ikelifetime=1h
+ lifetime=8h
+ dpddelay=30
+ dpdtimeout=120
+ dpdaction=restart
+ auto=start
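Review bot: The new `lazylibrarian` service in docker-compose.yml pulls `thraxis/lazylibrarian-calibre` with no tag, so every recreate under `restart: unless-stopped` or a `docker compose pull` silently takes whatever `latest` is at that moment and the deployment is not reproducible or auditable; pin it, e.g. `image: "thraxis/lazylibrarian-calibre:<tag-or-digest>"` (placeholder, pick the version you tested). The service also bind-mounts `/Users/josiah/Downloads/usenet-complete/` and the book library read-write from the host; if the application only reads the download directory, a `:ro` suffix there limits what a compromised container can alter, though I cannot tell from the hunk which mounts it writes to. The other services in this file are outside the hunk, so I cannot see whether their images are pinned either.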
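Review bot: `ike=aes256-sha2_256-modp1024!` in `conn home-to-digitalocean` pins the IKE key exchange to 1024-bit MODP (DH group 2), which is below current recommendations, and the trailing `!` makes it the only proposal the peer may accept; use at least `modp2048` (or an ECP group) and add a DH group to the ESP proposal so the child SA gets PFS, e.g. `ike=aes256-sha2_256-modp2048!` / `esp=aes256-sha2_256-modp2048!`, with the same proposal configured on the peer. `charondebug="all"` (if charon accepts that form) is far noisier than the old `"ike 1, knl 1, cfg 0"` and will flood the log on a long-running gateway, so I'd keep per-subsystem levels for production. `right=0.0.0.0` reads like a placeholder rather than a peer address; if the remote end has no fixed address the responder form is `right=%any`, and whatever is chosen has to agree with the selector that vpnBuild.yml writes into ipsec.secrets.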
diff --git a/deployments/serverBuild/ipsec.secrets b/deployments/serverBuild/ipsec.secrets deleted file mode 100644 index 03549aa..0000000 --- a/deployments/serverBuild/ipsec.secrets +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA "awful-server-key.pem" - -jowj : EAP "fake-password" - -# get secrets from other files -include ipsec.*.secrets - diff --git a/deployments/serverBuild/vpnBuild.yml b/deployments/serverBuild/vpnBuild.yml index 5a97177..6abf3ac 100644 --- a/deployments/serverBuild/vpnBuild.yml +++ b/deployments/serverBuild/vpnBuild.yml @@ -6,6 +6,8 @@ become: yes vars: vpn_packages: [ 'strongswan','strongswan-pki','ufw' ] + remote_host: 165.22.156.25 + local_host: 0.0.0.0 tasks: - name: Update apt 
@@ -14,31 +16,23 @@ - name: Install required system packages apt: name={{ vpn_packages }} state=latest - - name: Build temp pki dir structure - cacerts - shell: mkdir -p ~/pki/cacerts - - name: Build temp pki dir structure - certs - shell: mkdir -p ~/pki/certs - - name: Build temp pki dir structure - private and set perms - shell: mkdir -p ~/pki/private && chmod 700 ~/pki + - name: set kernel params + shell: | + cat >> /etc/sysctl.conf << EOF + net.ipv4.ip_forward = 1 + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.all.send_redirects = 0 + EOF - - name: Generate root key 4096 bit RSA - shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-ca-key.pem - - - name: Create root cert authority & sign with root key - become_method: sudo - shell: ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/awful-ca-key.pem --type rsa --dn "CN=vpn.awful.club" --outform pem > ~/pki/cacerts/awful-ca-cert.pem - - - name: Generate cert for the VPN host - shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-server-key.pem - - - name: Create & sign VPN server cert with CA cert. - shell: ipsec pki --pub --in ~/pki/private/awful-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert ~/pki/cacerts/awful-ca-cert.pem --cakey ~/pki/private/awful-ca-key.pem --dn "CN=vpn.awful.club" --san "vpn.awful.club" --flag serverAuth --flag ikeIntermediate --outform pem > ~/pki/certs/awful-server-cert.pem - - - name: move temp pki dir structure to proper /etc/ipsec.d/ dir - shell: sudo cp -r ~/pki/* /etc/ipsec.d/ + - name: save kernel params + shell: sysctl -p /etc/sysctl.conf + + - name: Generate preshared key + shell: openssl rand -hex 32 + register: awful_psk - - name: make backup of default sswan conf file - shell: sudo mv /etc/ipsec.conf /etc/ipsec.conf.original + - debug: + msg: got this key {{ awful_psk }} - name: Copy my ipsec.conf file to the VPN host # this file does a lot. view more info in the readme.md 
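Review bot: The generated PSK is registered into `awful_psk` without `no_log: true` and then printed by the `- debug:` task (`msg: got this key {{ awful_psk }}`), so the shared secret ends up in the Ansible console output and any CI or log capture of the run; drop the debug task and add `no_log: true` to the `Generate preshared key` task so neither its result nor later uses of the variable are echoed. The `set kernel params` task appends to `/etc/sysctl.conf` with `cat >>` on every run, so the three lines accumulate with each playbook execution; the `sysctl` module sets and persists the values idempotently and makes the separate `save kernel params` task unnecessary. The enclosing play starts before this hunk and continues after it.

```yaml
    - name: set kernel params
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
      loop:
        - { name: net.ipv4.ip_forward, value: "1" }
        - { name: net.ipv4.conf.all.accept_redirects, value: "0" }
        - { name: net.ipv4.conf.all.send_redirects, value: "0" }

    - name: Generate preshared key
      shell: openssl rand -hex 32
      register: awful_psk
      no_log: true
    # … unchanged: Copy my ipsec.conf file task …
```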
@@ -48,81 +42,17 @@ owner: root group: root - - name: Copy my ipsec.secrets file to the VPN host - # this file does a lot. view more info in the readme.md - copy: - src: ipsec.secrets - dest: /etc/ipsec.secrets - owner: root - group: root - - - name: restart strongswan - shell: systemctl restart strongswan - - - name: allow SSH connections - ufw: - rule: allow - name: OpenSSH - - - name: Deny everything and enable UFW - ufw: - state: enabled - policy: deny - - - name: rate limit ssh connections - ufw: - rule: limit - port: ssh - proto: tcp + - name: remove existing ipsec.secerts + shell: rm /etc/ipsec.secrets - - name: Allow all access from RFC1918 networks to this host - ufw: - rule: allow - src: '{{ item }}' - loop: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - - - name: Allow tcp ipsec ports - ufw: - rule: allow - port: 500 - port: 4500 - proto: tcp - - - name: Allow udp ipsec ports - ufw: - rule: allow - port: 4500 - port: 500 - proto: udp - - - name: copy local before.rules to vpn host - copy: - src: before.rules - dest: /etc/ufw/before.rules - owner: root - group: root + - name: create ipsec.secrets with psk info + shell: | + cat >> /etc/ipsec.secrets << EOF + {{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}" + EOF - - name: copy local sysctl.conf to vpn host - copy: - src: sysctl.conf - dest: /etc/ufw/sysctl.conf - owner: root - group: root - - - name: disable ufw to save config - ufw: - state: disabled - - - name: reload ufw to activate changes - ufw: - state: enabled + - name: update route rules + shell: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.138.0.0/16 -j MASQUERADE - - name: Copy ca-cert down to local machine - fetch: - src: /etc/ipsec.d/cacerts/awful-ca-cert.pem - dest: awful-ca-cert.pem - flat: yes + # - name: copy psk down to local machine + # local_action: copy_content={{ awful_psk }} dest=psk.txt
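Review bot: `create ipsec.secrets with psk info` writes the PSK through a `shell` heredoc, so the secret is part of a command line that Ansible logs verbatim, and because the preceding `rm /etc/ipsec.secrets` deletes the packaged file the new one is created with the shell's umask (typically world-readable) rather than root-only permissions; write it with the `copy` module using `content`, `mode: "0600"` and `no_log: true`, which also removes the need for the unguarded `rm` (which aborts the play if the file is already gone). The selector `{{ remote_host }} {{local_host}}` expands to `165.22.156.25 0.0.0.0`, and I believe strongSwan treats `0.0.0.0` as a literal address rather than a wildcard, so the entry may never match the peer — `%any` is the wildcard form, and it must agree with `right=` in ipsec.conf. The `iptables -t nat -A POSTROUTING …` rule is appended on every run and is not persisted across reboots, and with the ufw tasks removed in this hunk the host no longer has any firewall policy (the old default-deny, SSH allow and rate limit) unless that is handled elsewhere.

```yaml
    - name: create ipsec.secrets with psk info
      copy:
        content: "{{ remote_host }} {{ local_host }} : PSK \"{{ awful_psk.stdout }}\"\n"
        dest: /etc/ipsec.secrets
        owner: root
        group: root
        mode: "0600"
      no_log: true
    # … unchanged: update route rules task …
```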