diff --git a/deploy.sh b/deploy.sh index 3ece21e..7cc3998 100644 --- a/deploy.sh +++ b/deploy.sh @@ -258,6 +258,7 @@ curl "https://dockge.kuma.pet/compose.yaml?port=5001&stacksPath=%2Fopt%2Fstacks" # write configuration to compose files cp -r $scriptdir/stacks /opt +cp $scriptdir/setup /opt/stacks chmod -R 775 /opt/stacks cd /opt/stacks @@ -446,9 +447,37 @@ cd /opt/stacks/dashboard docker compose up -d echo -e "${cyan}dashboard${nc} has been launched from http://dash.$domain, verify it is online, check that its entries work and press any button to continue" pause_if_enabled -#doesnt work yet +cat >/opt/stacks/setup/npmcertlist.txt < additional in owncloud and click "save" for the onlyoffice server settings." echo "" +echo "-------------------------------" +echo -e "the following set up steps must still be completed, you can find them in the "setup" folder at http://browser.$domain, this is required for vaultwarden to work" +echo -e "${cyan}Nginx Proxy Manager${nc}: lets-encrypt certificate needs to be set up" +echo -e "${cyan}Uptime Kuma#{nc}: Monitoring and status page configuration" # Capture the end time (Unix timestamp) END_TIME=$(date +%s) diff --git a/setup/Nginx Proxy Manager - Certificates.txt b/setup/Nginx Proxy Manager - Certificates.txt new file mode 100644 index 0000000..9765396 --- /dev/null +++ b/setup/Nginx Proxy Manager - Certificates.txt 
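Review bot: `cp $scriptdir/setup /opt/stacks` copies a directory without `-r`, so cp refuses it ("omitting directory") and `/opt/stacks/setup` is never created; the heredoc in the second deploy.sh hunk that writes `/opt/stacks/setup/npmcertlist.txt` and the new `/opt/stacks/setup` bind mount in stacks/browser/compose.yml then have nothing to work with. The line directly above already uses `cp -r`, so this should read `cp -r -- "$scriptdir/setup" /opt/stacks` (quoting `$scriptdir` also survives a path containing spaces). Whether the failed copy aborts the script depends on the error-handling mode set earlier in deploy.sh, which is outside this hunk.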
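Review bot: In the last added echo, `${cyan}Uptime Kuma#{nc}` has `#{nc}` where `${nc}` is intended, so the literal text `#{nc}` is printed and the colour is never reset, leaving the following terminal output cyan; it should be `echo -e "${cyan}Uptime Kuma${nc}: Monitoring and status page configuration"`. In the echo two lines above it, the inner `"setup"` quotes close and reopen the string, so the word prints without quotes; escape them as `\"setup\"` if the quotes are meant to appear. The `cat >/opt/stacks/setup/npmcertlist.txt` line and its heredoc body are truncated in this view, so the list written there could not be reviewed; it also relies on the `/opt/stacks/setup` directory being created by the copy in the first hunk.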
@@ -0,0 +1,30 @@
+# Step 1:
+go to proxy.?domain? and log in with your admin account
+
+# Step 2:
+go to the "Certificates" tab and click Add Certificate > Let's Encrypt via HTTP
+
+# Step 3:
+copy the contents of the "npmcertlist.txt" file into the domain names field.
+copy one line at a time if using ctrl+c/ctrl+v, be sure to press enter between each line.
+
+if you make use of clickpaste (or any tool that allows you to paste by simulating keyboard input), you can use that to paste the entire list in one go
+
+or you can type the entire list manually
+
+# Step 4:
+hit "save" and wait.
+
+# Step 5:
+go to the Hosts > proxy hosts tab and go through each of the hosts
+
+# Step 6:
+repeat for each host:
+>go to the SSL tab
+>select your certificate
+>enable force SSL
+in the case of owncloud you may also want to enable HTTP/2
+then hit save.
+
+once you've done this for all your sites, your entire cloud is now running with SSL encryption.
+
diff --git a/setup/Setting up extra containers - example with OpenWebUI.txt b/setup/Setting up extra containers - example with OpenWebUI.txt
new file mode 100644
index 0000000..a63954b
--- /dev/null
+++ b/setup/Setting up extra containers - example with OpenWebUI.txt
@@ -0,0 +1,203 @@ + + +In this document, i'll be guiding you through setting up an additional service on this cloud stack. +I'll be using OpenWebUI as the example here. It's a frontend for interacting with various LLM APIs. we'll be setting it up with Mistral. + +to starT: Obtain a compose.yml for the service you want. + +most of this tutorial will happen on docker.?domain? + +when you press "compose" in the top left, you'll see an interface with a stack name on the left, a text editor on the right and a deploy button at the top. + +this text editor on the right is where you need to write your compose file. + +a compose file defines the service. generally it looks a bit like this: + + +services: + servicename: + image: username/imagename:versiontag + restart: restartbehaviour (generally should be unless-stopped) + container_name: containername + ports: + - externalport:internalport/protocol (for example: 1234:5678/udp forwards port 1234 on the host to port 5678 on the container for the UDP protocol) + networks: + - network_name + volumes: + - dockervolume:/path/in/container (this is for docker volumes, these need to be declared separately or pre-made using commands) + - ./relativefolder:/path/in/container (this is for if you want the volume to mount to a folder in the same folder as the compose.yml) + - /absolute/path:/path/in/container (this is mounting an absolute path on the host as a container path) + privileged: false/true (privileged containers have more capabilities, most notably access to systemd, you'll rarely see this, don't use this unless the container needs it) + user: username/userID (this allows you to configure which host user the container runs under, sharing that user's file permissions) + environment: + variable1: value1 + variable2: value2 + variable3: value3 + healthcheck: + test: (defines how to run the healthcheck) + - type (for example CMD) + - value (for example wget) + - arg1 + - arg2 + - arg3 + - arg4 + interval: 10s (Defines how often to 
run the healthcheck) + timeout: 5s (defines how long the healthcheck waits for response) + retries: 5 (defines how many times the healthcheck retries before marking as unhealthy) + start_period: 30s (defines how long the container is up before healthchecks start) +networks: + network_name: + external: true (this must be declared for any network that is not natively part of the stack, for example a network that was made with a command or by another compose file) + + +this is an example compose file that contains basically everything, but most of these are optional. + +the minimum required is: + +services: + servicename: + image: username/imagename:versiontag + +but generally, i'd recommend one of the following three based on networking needs: + + +>option 1: port-exposed. this is used for (for example) your proxy at proxy.?domain? + +services: + app: + image: my/appname:version + restart: unless-stopped + ports: + - 81:81 + - 80:80 + - 443:443 + environment: + TZ: ?timezone? + volumes: + - ./data:/data + +this does not have access to the internal cross-container network, but you can reach it using ?localip?:portnumber + +>option 2: internally networked. this is used for MOST of your services (for example, for convert.?domain?) + +services: + app: + image: my/appname:version + restart: unless-stopped + networks: + - dockge_default + environment: + TZ: ?timezone? + volumes: + - ./data:/data +networks: + dockge_default: + external: true + +this allows the application to communicate with other docker containers, but also means you cannot reach the container externally. +this is good because in this deployment, Nginx proxy manager handles access to the containers. +so the user always hits up Nginx proxy manager at ports 80 and 443 (which are forwarded), and nginx internally forwards the traffic to the container. +this is more secure because frequently, communication from the proxy to the container is http, unencrypted. 
+it also means that there's no way to bypass any security measures you use in nginx proxy manager (such as access lists or third-party auth) + +>option 3: hybrid. this is best for services that do other things they need ports for alongside serving web pages (for example, a minecraft server that also has a web interface) + +services: + app: + image: my/appname:version + restart: unless-stopped + ports: + - 81:81 + - 80:80 + - 443:443 + networks: + - dockge_default + environment: + TZ: ?timezone? + volumes: + - ./data:/data +networks: + dockge_default + external: true + +this allows you to both access a port externally AND access another port internally via nginx. +this is done for wireguard. the container has two ports: 51820 and 51821. 51820 is the port the VPN itself communicates on, so it needs to be publicly exposed and forwarded. +51821 is the web admin portal port. we want to protect the admin portal so we did not forward this, instead it's internally forwarded using nginx, meaning we can ensure our admin access list applies. + + +for OpenWebUI, we've provided a compose.yml file. to host any other service, simply get an example compose file for it or a docker run command. +example docker run command: +docker run -d -p 3000:8080 -v open-webui:/app/backend/data --name open-webui ghcr.io/open-webui/open-webui:main + +you can turn these into compose files with dockge by going to "Home" (top right) and pasting the command into the docker run section. + +the above docker run command maps to the following compose file: +services: + open-webui: + ports: + - 3000:8080 + volumes: + - open-webui:/app/backend/data + container_name: open-webui + image: ghcr.io/open-webui/open-webui:main +volumes: + open-webui: + external: true + name: open-webui +networks: {} + + +AVOID ANY COMPOSE FILE WITH BUILD IN IT. 
this requires you to know how to use docker build, and tends to not work via dockge unless you manually clone the whole repo into /opt/stacks + +now that you've found your compose file example, paste it into dockge in the compose UI and edit it. + +if the service only provides a web page, remember the internal port (for example, for openwebui it's 8080) and replace ports: with networks: + +put the service on the dockge_default internal network. + +also make sure all volumes are relative volumes (starting with ./), so they appear in the stacks directory and you can access them via filebrowser + +be sure to read the documentation for the compose image you're using to verify which environment variables you need to set. + +in the case of our pre-provided compose.yml, you'll need to set two keys: the mistral API key and the webUI secret key. + +the secret key can just be randomly generated. + + +for mistral, head to https://console.mistral.ai/home +make an account if you haven't already and make sure to request the free tier API + +go to the API keys menu, make a key and paste that key into your compose.yml + + +once you're done, you can press "Deploy" on your service. + + +your service is now up, but it is not accessible. + +for that, we need to first configure your proxy at proxy.?domain? + +first, determine which subdomain you want to use, in our case we'll be using llm.?domain? + +verify that you have a certificate that includes this subdomain under the certificates tab. + +if you do not, make one. it's fine if this certificate is a separate certificate from the others. We did already include llm.?domain? into the list of domains for the original cert. + +then go to hosts > proxy hosts and make a new proxy host. + +fill in your domain name at the top. +for forward hostname, fill in the container name of your new service. in our case this is "openwebui" +for port, fill in the internal port from the compose file if it came with one, or google what the default port is. 
+ +in our case it's 8080 for the forward port. + +enable any access list if desired, turn on websockets support and enable the SSL certificate with "force SSL" in the SSL tab. + + +now go to your configured subdomain (in our case llm.?domain?) and follow any post-install configuration. generally, the service will guide you through it. + + +congrats! you've brought up an additional service. + +you can do this for any service you can find a docker compose file for. I'd recommend starting simple though. + diff --git a/setup/Uptime Kuma - monitoring.txt b/setup/Uptime Kuma - monitoring.txt new file mode 100644 index 0000000..7799efc --- /dev/null +++ b/setup/Uptime Kuma - monitoring.txt @@ -0,0 +1,27 @@ +# Step 1: +head to status.?domain? and log in. + +# Step 2: +click on "Add New Monitor" + +# Step 2.5 (optional): +Set monitor type to "Group", friendly name to the group name and retries to 10. +repeat this for any groups you want, for example: Frontend and Backend + +# Step 3: +use the following settings: +type: HTTP(s) +Friendly Name: Name of your service (for example: Cloud) +url: the URL for the site (for example: https://cloud.?domain?) +Retries: 10 +certificate expiry notification: on +cachebuster: on +group: optionally set this to the group you want + +leave all the other settings as default + +# Step 4: +repeat step 3 for every service, for an easy list of URLs, go to proxy.?domain? and log in, you can see the list of proxy hosts which is also all of your URLs. + +# Step 5 (optional): +make a status page, instructions in Uptime Kuma - status page.txt diff --git a/setup/Uptime Kuma - status page.txt b/setup/Uptime Kuma - status page.txt new file mode 100644 index 0000000..b06ccaa --- /dev/null +++ b/setup/Uptime Kuma - status page.txt 
@@ -0,0 +1,14 @@ +# Step 1: +log in to status.?domain and click on "Status Pages" in the top right. + +# Step 2: +make a new status page, Name it whatever you want and use slug "default" + +# Step 3: add all of the monitors you want to the page. + +# step 4: add a description if you'd like. + + +this status page is available at status.?domain?/status + +any other status pages you make are available at status.?domain?/status/ \ No newline at end of file diff --git a/setup/compose.yml b/setup/compose.yml new file mode 100644 index 0000000..6b60267 --- /dev/null +++ b/setup/compose.yml @@ -0,0 +1,19 @@ +services: + openwebui: + container_name: openwebui + restart: always + networks: + - dockge_default + volumes: + - ./data:/app/backend/data + environment: + - TZ=?timezone? + - OPENAI_API_BASE=https://api.mistral.ai/v1 + - OPENAI_API_KEY= + - WEB_NAME=OpenWebUI + - AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST=30 + - WEBUI_SECRET_KEY= + image: ghcr.io/open-webui/open-webui:main +networks: + dockge_default: + external: true diff --git a/stacks/browser/compose.yml b/stacks/browser/compose.yml index 29e9ace..137788d 100644 --- a/stacks/browser/compose.yml +++ b/stacks/browser/compose.yml @@ -9,6 +9,7 @@ services: volumes: - /opt/stacks:/srv/stacks - /opt/stacks/jellyfin/media:/srv/media + - /opt/stacks/setup:/srv/setup - ./filebrowser.db:/database.db restart: unless-stopped networks: diff --git a/stacks/dashboard/config/www/app.sqlite b/stacks/dashboard/config/www/app.sqlite index 23f736f..be9de91 100644 Binary files a/stacks/dashboard/config/www/app.sqlite and b/stacks/dashboard/config/www/app.sqlite differ diff --git a/stacks/owncloud/compose.yml b/stacks/owncloud/compose.yml index 66a408f..7c77eff 100644 --- a/stacks/owncloud/compose.yml +++ b/stacks/owncloud/compose.yml 
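Review bot: `OPENAI_API_KEY=` and `WEBUI_SECRET_KEY=` are left blank while the other deployer-specific value in this file uses the `?timezone?` token, so nothing in the file signals that the stack must not be deployed as-is; the OpenWebUI guide added in this commit tells the user to fill both in, but the compose file does not. A comment above the two entries, `# fill in before deploying: OPENAI_API_KEY (Mistral console) and WEBUI_SECRET_KEY (random string)`, or `?...?` tokens if deploy.sh substitutes them (not visible here), would make that explicit. Once filled in, the key lives under /opt/stacks, which this commit also mounts into the browser container (`/opt/stacks/setup:/srv/setup`), so anyone with access to that file manager can read the API key; access to it should be restricted accordingly. `restart: always` also differs from the `unless-stopped` the guide itself recommends, presumably unintentionally.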
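Review bot: The new bind mount `/opt/stacks/setup:/srv/setup` is redundant: the line above already mounts `/opt/stacks` at `/srv/stacks`, so the same files are already reachable at `/srv/stacks/setup`, and the mount creates a second writable path to them. If a separate top-level `setup` entry is wanted for discoverability, the host directory must exist before the container starts, which depends on the copy of the setup folder in deploy.sh (the first deploy.sh hunk, where `cp` lacks `-r`). Otherwise dropping the line keeps the volume list minimal.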
@@ -16,8 +16,9 @@ services: OWNCLOUD_DB_USERNAME: owncloud OWNCLOUD_DB_PASSWORD: ?ownclouddbpass? OWNCLOUD_DB_HOST: owncloud_db - OWNCLOUD_ADMIN_USERNAME: ?adminemail? + OWNCLOUD_ADMIN_USERNAME: administrator OWNCLOUD_ADMIN_PASSWORD: ?adminpass? + OWNCLOUD_ADMIN_EMAIL: ?adminemail? OWNCLOUD_MYSQL_UTF8MB4: true OWNCLOUD_REDIS_ENABLED: true OWNCLOUD_REDIS_HOST: owncloud_redis diff --git a/todo.txt b/todo.txt index e69de29..139597f 100644 --- a/todo.txt +++ b/todo.txt @@ -0,0 +1,2 @@ + +
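Review bot: `OWNCLOUD_ADMIN_USERNAME: administrator` replaces a deployer-specific value with a fixed, predictable admin login name shared by every deployment, which hands an attacker half of the admin credential; the other values in this block remain `?...?` tokens, so `OWNCLOUD_ADMIN_USERNAME: ?adminuser?` (substituted by deploy.sh like the others, presumably — confirm the token is handled) keeps it configurable. Adding `OWNCLOUD_ADMIN_EMAIL: ?adminemail?` is fine. If the hard-coded name is kept, the deploy output should tell the user the admin login is now `administrator` rather than their e-mail, since the previous version used the e-mail as the username.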