diff --git a/config-joey.hs b/config-joey.hs
index c7c3f3b..769357c 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -58,7 +58,7 @@ hosts =               --                  (o)  `
 
 		& alias "openid.kitenet.net"
 		& Docker.docked hosts "openid-provider"
-		 	`requires` Apt.installed ["ntp"]
+		 	`requires` Apt.serviceInstalledRunning "ntp"
 
 		& alias "ancient.kitenet.net"
 		& Docker.docked hosts "ancient-kitenet"
diff --git a/doc/README.mdwn b/doc/README.mdwn
index d809a76..71b265f 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -6,7 +6,8 @@ are satisfied.
 Propellor is configured via a git repository, which typically lives
 in `~/.propellor/` on your development machine. Propellor clones the
 repository to each host it manages, in a 
-[secure](http://propellor.branchable.com/security/) way.
+[secure](http://propellor.branchable.com/security/) way. The git repository
+contains the full source code to Propellor, along with its config file.
 
 Properties are defined using Haskell. Edit `~/.propellor/config.hs`
 to get started. There is fairly complete 
@@ -40,11 +41,12 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
      `apt-get install propellor`
 2. Run propellor for the first time. It will set up a `~/.propellor/` git
    repository for you.
-3. `cd ~/.propellor/`; use git to push the repository to a central
+3. If you don't have a gpg private key already, generate one: `gpg --gen-key`
+4. Run: `propellor --add-key $KEYID`, which will make propellor trust
+   your gpg key, and will sign your `~/.propellor` repository using it.
+5. `cd ~/.propellor/`; use git to push the repository to a central
    server (github, or your own git server). Configure that central
    server as the origin remote of the repository.
-4. If you don't have a gpg private key, generate one: `gpg --gen-key`
-5. Run: `propellor --add-key $KEYID`
 6. Edit `~/.propellor/config.hs`, and add a host you want to manage.
    You can start by not adding any properties, or only a few.
 7. Pick a host and run: `propellor --spin $HOST`
diff --git a/doc/todo/docker_todo_list.mdwn b/doc/todo/docker_todo_list.mdwn
index 9cb9e4d..65762cf 100644
--- a/doc/todo/docker_todo_list.mdwn
+++ b/doc/todo/docker_todo_list.mdwn
@@ -6,8 +6,3 @@
   need ntp installed for a good date source.
 * Docking a container in a host should add to the host any cnames that
   are assigned to the container.
-* It seems that provisionContainer sometimes hangs when the container
-  is already running. This seems likely to be a problem with the simpleSh
-  socket hack. (I think this was an uncaught exception crashing the
-  simpleSh server thread, and if so, it's fixed. Waiting some weeks to see,
-  as this bug rarely occurred..)
diff --git a/propellor.cabal b/propellor.cabal
index 507a0d4..55b7eb6 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -33,9 +33,10 @@ Description:
  .
  It is configured using haskell.
 
-Executable propellor
+Executable wrapper
   Main-Is: wrapper.hs
   GHC-Options: -Wall -threaded
+  Hs-Source-Dirs:  src
   Build-Depends: MissingH, directory, filepath, base >= 4.5, base < 5, 
    IfElse, process, bytestring, hslogger, unix-compat, ansi-terminal,
    containers, network, async, time, QuickCheck, mtl,
@@ -47,6 +48,7 @@ Executable propellor
 Executable config
   Main-Is: config.hs
   GHC-Options: -Wall -threaded
+  Hs-Source-Dirs:  src
   Build-Depends: MissingH, directory, filepath, base >= 4.5, base < 5, 
    IfElse, process, bytestring, hslogger, unix-compat, ansi-terminal,
    containers, network, async, time, QuickCheck, mtl,
@@ -57,6 +59,7 @@ Executable config
 
 Library
   GHC-Options: -Wall
+  Hs-Source-Dirs:  src
   Build-Depends: MissingH, directory, filepath, base >= 4.5, base < 5, 
    IfElse, process, bytestring, hslogger, unix-compat, ansi-terminal,
    containers, network, async, time, QuickCheck, mtl,
diff --git a/Propellor.hs b/src/Propellor.hs
similarity index 100%
rename from Propellor.hs
rename to src/Propellor.hs
diff --git a/Propellor/Attr.hs b/src/Propellor/Attr.hs
similarity index 100%
rename from Propellor/Attr.hs
rename to src/Propellor/Attr.hs
diff --git a/Propellor/CmdLine.hs b/src/Propellor/CmdLine.hs
similarity index 95%
rename from Propellor/CmdLine.hs
rename to src/Propellor/CmdLine.hs
index ad04abe..ab1d7f9 100644
--- a/Propellor/CmdLine.hs
+++ b/src/Propellor/CmdLine.hs
@@ -290,17 +290,26 @@ boot attr ps = do
 	mainProperties attr ps
 
 addKey :: String -> IO ()
-addKey keyid = exitBool =<< allM id [ gpg, gitadd, gitcommit ]
+addKey keyid = exitBool =<< allM id [ gpg, gitadd, gitconfig, gitcommit ]
   where
-	gpg = boolSystem "sh"
-		[ Param "-c"
-		, Param $ "gpg --export " ++ keyid ++ " | gpg " ++
-			unwords (gpgopts ++ ["--import"])
-		]
+	gpg = do
+		createDirectoryIfMissing True privDataDir
+		boolSystem "sh"
+			[ Param "-c"
+			, Param $ "gpg --export " ++ keyid ++ " | gpg " ++
+				unwords (gpgopts ++ ["--import"])
+			]
 	gitadd = boolSystem "git"
 		[ Param "add"
 		, File keyring
 		]
+
+	gitconfig = boolSystem "git"
+		[ Param "config"
+		, Param "user.signingkey"
+		, Param keyid
+		]
+
 	gitcommit = gitCommit
 		[ File keyring
 		, Param "-m"
@@ -340,11 +349,11 @@ checkDebugMode = go =<< getEnv "PROPELLOR_DEBUG"
   where
 	go (Just s)
 		| s == "1" = do
-			f <- setFormatter
-				<$> streamHandler stderr DEBUG
-				<*> pure (simpleLogFormatter "[$time] $msg")
-			updateGlobalLogger rootLoggerName $ 
-				setLevel DEBUG .  setHandlers [f]
+		f <- setFormatter
+			<$> streamHandler stderr DEBUG
+			<*> pure (simpleLogFormatter "[$time] $msg")
+		updateGlobalLogger rootLoggerName $ 
+			setLevel DEBUG .  setHandlers [f]
 	go _ = noop
 
 -- Parameters can be passed to both ssh and scp, to enable a ssh connection
diff --git a/Propellor/Engine.hs b/src/Propellor/Engine.hs
similarity index 100%
rename from Propellor/Engine.hs
rename to src/Propellor/Engine.hs
diff --git a/Propellor/Exception.hs b/src/Propellor/Exception.hs
similarity index 100%
rename from Propellor/Exception.hs
rename to src/Propellor/Exception.hs
diff --git a/Propellor/Message.hs b/src/Propellor/Message.hs
similarity index 100%
rename from Propellor/Message.hs
rename to src/Propellor/Message.hs
diff --git a/Propellor/PrivData.hs b/src/Propellor/PrivData.hs
similarity index 100%
rename from Propellor/PrivData.hs
rename to src/Propellor/PrivData.hs
diff --git a/Propellor/Property.hs b/src/Propellor/Property.hs
similarity index 100%
rename from Propellor/Property.hs
rename to src/Propellor/Property.hs
diff --git a/Propellor/Property/Apache.hs b/src/Propellor/Property/Apache.hs
similarity index 100%
rename from Propellor/Property/Apache.hs
rename to src/Propellor/Property/Apache.hs
diff --git a/Propellor/Property/Apt.hs b/src/Propellor/Property/Apt.hs
similarity index 100%
rename from Propellor/Property/Apt.hs
rename to src/Propellor/Property/Apt.hs
diff --git a/Propellor/Property/Cmd.hs b/src/Propellor/Property/Cmd.hs
similarity index 100%
rename from Propellor/Property/Cmd.hs
rename to src/Propellor/Property/Cmd.hs
diff --git a/Propellor/Property/Cron.hs b/src/Propellor/Property/Cron.hs
similarity index 100%
rename from Propellor/Property/Cron.hs
rename to src/Propellor/Property/Cron.hs
diff --git a/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
similarity index 100%
rename from Propellor/Property/Dns.hs
rename to src/Propellor/Property/Dns.hs
diff --git a/Propellor/Property/Docker.hs b/src/Propellor/Property/Docker.hs
similarity index 97%
rename from Propellor/Property/Docker.hs
rename to src/Propellor/Property/Docker.hs
index 6757c7c..09d7d6a 100644
--- a/Propellor/Property/Docker.hs
+++ b/src/Propellor/Property/Docker.hs
@@ -335,29 +335,19 @@ provisionContainer cid = containerDesc cid $ property "provision" $ liftIO $ do
 
 	go lastline (v:rest) = case v of
 		StdoutLine s -> do
-			debug ["stdout: ", show s]
 			maybe noop putStrLn lastline
 			hFlush stdout
 			go (Just s) rest
 		StderrLine s -> do
-			debug ["stderr: ", show s]
 			maybe noop putStrLn lastline
 			hFlush stdout
 			hPutStrLn stderr s
 			hFlush stderr
 			go Nothing rest
-		Done -> do
-			debug ["reached Done"]
-			ret lastline
-	go lastline [] = do
-		debug ["reached end of output"]
-		ret lastline
+		Done -> ret lastline
+	go lastline [] = ret lastline
 
-	ret lastline = do
-		let v = fromMaybe FailedChange $
-			readish =<< lastline
-		debug ["provisionContainer returning", show v]
-		return v
+	ret lastline = pure $ fromMaybe FailedChange $ readish =<< lastline
 
 stopContainer :: ContainerId -> IO Bool
 stopContainer cid = boolSystem dockercmd [Param "stop", Param $ fromContainerId cid ]
diff --git a/Propellor/Property/Docker/Shim.hs b/src/Propellor/Property/Docker/Shim.hs
similarity index 100%
rename from Propellor/Property/Docker/Shim.hs
rename to src/Propellor/Property/Docker/Shim.hs
diff --git a/Propellor/Property/File.hs b/src/Propellor/Property/File.hs
similarity index 100%
rename from Propellor/Property/File.hs
rename to src/Propellor/Property/File.hs
diff --git a/Propellor/Property/Git.hs b/src/Propellor/Property/Git.hs
similarity index 100%
rename from Propellor/Property/Git.hs
rename to src/Propellor/Property/Git.hs
diff --git a/Propellor/Property/Gpg.hs b/src/Propellor/Property/Gpg.hs
similarity index 100%
rename from Propellor/Property/Gpg.hs
rename to src/Propellor/Property/Gpg.hs
diff --git a/Propellor/Property/Hostname.hs b/src/Propellor/Property/Hostname.hs
similarity index 100%
rename from Propellor/Property/Hostname.hs
rename to src/Propellor/Property/Hostname.hs
diff --git a/Propellor/Property/Network.hs b/src/Propellor/Property/Network.hs
similarity index 100%
rename from Propellor/Property/Network.hs
rename to src/Propellor/Property/Network.hs
diff --git a/Propellor/Property/Obnam.hs b/src/Propellor/Property/Obnam.hs
similarity index 100%
rename from Propellor/Property/Obnam.hs
rename to src/Propellor/Property/Obnam.hs
diff --git a/Propellor/Property/OpenId.hs b/src/Propellor/Property/OpenId.hs
similarity index 100%
rename from Propellor/Property/OpenId.hs
rename to src/Propellor/Property/OpenId.hs
diff --git a/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs
similarity index 100%
rename from Propellor/Property/Postfix.hs
rename to src/Propellor/Property/Postfix.hs
diff --git a/Propellor/Property/Reboot.hs b/src/Propellor/Property/Reboot.hs
similarity index 100%
rename from Propellor/Property/Reboot.hs
rename to src/Propellor/Property/Reboot.hs
diff --git a/Propellor/Property/Scheduled.hs b/src/Propellor/Property/Scheduled.hs
similarity index 100%
rename from Propellor/Property/Scheduled.hs
rename to src/Propellor/Property/Scheduled.hs
diff --git a/Propellor/Property/Service.hs b/src/Propellor/Property/Service.hs
similarity index 100%
rename from Propellor/Property/Service.hs
rename to src/Propellor/Property/Service.hs
diff --git a/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
similarity index 100%
rename from Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
rename to src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs
diff --git a/Propellor/Property/SiteSpecific/GitHome.hs b/src/Propellor/Property/SiteSpecific/GitHome.hs
similarity index 100%
rename from Propellor/Property/SiteSpecific/GitHome.hs
rename to src/Propellor/Property/SiteSpecific/GitHome.hs
diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
similarity index 100%
rename from Propellor/Property/SiteSpecific/JoeySites.hs
rename to src/Propellor/Property/SiteSpecific/JoeySites.hs
diff --git a/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
similarity index 100%
rename from Propellor/Property/Ssh.hs
rename to src/Propellor/Property/Ssh.hs
diff --git a/Propellor/Property/Sudo.hs b/src/Propellor/Property/Sudo.hs
similarity index 100%
rename from Propellor/Property/Sudo.hs
rename to src/Propellor/Property/Sudo.hs
diff --git a/Propellor/Property/Tor.hs b/src/Propellor/Property/Tor.hs
similarity index 100%
rename from Propellor/Property/Tor.hs
rename to src/Propellor/Property/Tor.hs
diff --git a/Propellor/Property/User.hs b/src/Propellor/Property/User.hs
similarity index 100%
rename from Propellor/Property/User.hs
rename to src/Propellor/Property/User.hs
diff --git a/Propellor/SimpleSh.hs b/src/Propellor/SimpleSh.hs
similarity index 92%
rename from Propellor/SimpleSh.hs
rename to src/Propellor/SimpleSh.hs
index d99268d..7ba30b0 100644
--- a/Propellor/SimpleSh.hs
+++ b/src/Propellor/SimpleSh.hs
@@ -6,7 +6,7 @@
 module Propellor.SimpleSh where
 
 import Network.Socket
-import Control.Concurrent.Chan
+import Control.Concurrent
 import Control.Concurrent.Async
 import System.Process (std_in, std_out, std_err)
 
@@ -31,8 +31,9 @@ simpleSh namedpipe = do
 	listen s 2
 	forever $ do
 		(client, _addr) <- accept s
-		h <- socketToHandle client ReadWriteMode
-		maybe noop (run h) . readish =<< hGetLine h
+		forkIO $ do
+			h <- socketToHandle client ReadWriteMode
+			maybe noop (run h) . readish =<< hGetLine h
   where
 	run h (Cmd cmd params) = do
 		chan <- newChan
@@ -71,16 +72,13 @@ simpleSh namedpipe = do
 
 simpleShClient :: FilePath -> String -> [String] -> ([Resp] -> IO a) -> IO a
 simpleShClient namedpipe cmd params handler = do
-	debug ["simplesh connecting"]
 	s <- socket AF_UNIX Stream defaultProtocol
 	connect s (SockAddrUnix namedpipe)
 	h <- socketToHandle s ReadWriteMode
 	hPutStrLn h $ show $ Cmd cmd params
 	hFlush h
-	debug ["simplesh sent command"]
 	resps <- catMaybes . map readish . lines <$> hGetContents h
 	v <- hClose h `after` handler resps
-	debug ["simplesh processed response"]
 	return v
 
 simpleShClientRetry :: Int -> FilePath -> String -> [String] -> ([Resp] -> IO a) -> IO a
diff --git a/Propellor/Types.hs b/src/Propellor/Types.hs
similarity index 100%
rename from Propellor/Types.hs
rename to src/Propellor/Types.hs
diff --git a/Propellor/Types/Attr.hs b/src/Propellor/Types/Attr.hs
similarity index 100%
rename from Propellor/Types/Attr.hs
rename to src/Propellor/Types/Attr.hs
diff --git a/Propellor/Types/Dns.hs b/src/Propellor/Types/Dns.hs
similarity index 100%
rename from Propellor/Types/Dns.hs
rename to src/Propellor/Types/Dns.hs
diff --git a/Propellor/Types/OS.hs b/src/Propellor/Types/OS.hs
similarity index 100%
rename from Propellor/Types/OS.hs
rename to src/Propellor/Types/OS.hs
diff --git a/Utility/Applicative.hs b/src/Utility/Applicative.hs
similarity index 100%
rename from Utility/Applicative.hs
rename to src/Utility/Applicative.hs
diff --git a/Utility/Data.hs b/src/Utility/Data.hs
similarity index 100%
rename from Utility/Data.hs
rename to src/Utility/Data.hs
diff --git a/Utility/Directory.hs b/src/Utility/Directory.hs
similarity index 100%
rename from Utility/Directory.hs
rename to src/Utility/Directory.hs
diff --git a/Utility/Env.hs b/src/Utility/Env.hs
similarity index 100%
rename from Utility/Env.hs
rename to src/Utility/Env.hs
diff --git a/Utility/Exception.hs b/src/Utility/Exception.hs
similarity index 100%
rename from Utility/Exception.hs
rename to src/Utility/Exception.hs
diff --git a/Utility/FileMode.hs b/src/Utility/FileMode.hs
similarity index 100%
rename from Utility/FileMode.hs
rename to src/Utility/FileMode.hs
diff --git a/Utility/FileSystemEncoding.hs b/src/Utility/FileSystemEncoding.hs
similarity index 100%
rename from Utility/FileSystemEncoding.hs
rename to src/Utility/FileSystemEncoding.hs
diff --git a/Utility/LinuxMkLibs.hs b/src/Utility/LinuxMkLibs.hs
similarity index 100%
rename from Utility/LinuxMkLibs.hs
rename to src/Utility/LinuxMkLibs.hs
diff --git a/Utility/Misc.hs b/src/Utility/Misc.hs
similarity index 100%
rename from Utility/Misc.hs
rename to src/Utility/Misc.hs
diff --git a/Utility/Monad.hs b/src/Utility/Monad.hs
similarity index 100%
rename from Utility/Monad.hs
rename to src/Utility/Monad.hs
diff --git a/Utility/PartialPrelude.hs b/src/Utility/PartialPrelude.hs
similarity index 100%
rename from Utility/PartialPrelude.hs
rename to src/Utility/PartialPrelude.hs
diff --git a/Utility/Path.hs b/src/Utility/Path.hs
similarity index 100%
rename from Utility/Path.hs
rename to src/Utility/Path.hs
diff --git a/Utility/PosixFiles.hs b/src/Utility/PosixFiles.hs
similarity index 100%
rename from Utility/PosixFiles.hs
rename to src/Utility/PosixFiles.hs
diff --git a/Utility/Process.hs b/src/Utility/Process.hs
similarity index 100%
rename from Utility/Process.hs
rename to src/Utility/Process.hs
diff --git a/Utility/QuickCheck.hs b/src/Utility/QuickCheck.hs
similarity index 100%
rename from Utility/QuickCheck.hs
rename to src/Utility/QuickCheck.hs
diff --git a/Utility/SafeCommand.hs b/src/Utility/SafeCommand.hs
similarity index 100%
rename from Utility/SafeCommand.hs
rename to src/Utility/SafeCommand.hs
diff --git a/Utility/Scheduled.hs b/src/Utility/Scheduled.hs
similarity index 100%
rename from Utility/Scheduled.hs
rename to src/Utility/Scheduled.hs
diff --git a/Utility/ThreadScheduler.hs b/src/Utility/ThreadScheduler.hs
similarity index 100%
rename from Utility/ThreadScheduler.hs
rename to src/Utility/ThreadScheduler.hs
diff --git a/Utility/Tmp.hs b/src/Utility/Tmp.hs
similarity index 100%
rename from Utility/Tmp.hs
rename to src/Utility/Tmp.hs
diff --git a/Utility/UserInfo.hs b/src/Utility/UserInfo.hs
similarity index 100%
rename from Utility/UserInfo.hs
rename to src/Utility/UserInfo.hs
diff --git a/src/config.hs b/src/config.hs
new file mode 120000
index 0000000..e3af968
--- /dev/null
+++ b/src/config.hs
@@ -0,0 +1 @@
+../config.hs
\ No newline at end of file
diff --git a/wrapper.hs b/src/wrapper.hs
similarity index 100%
rename from wrapper.hs
rename to src/wrapper.hs