diff --git a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/functions b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/functions
new file mode 100644
index 00000000..bd6445f5
--- /dev/null
+++ b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/functions
@@ -0,0 +1,93 @@
+function set_confluent_vars() {
+ if [ -z "$mgr" ]; then
+ mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg | sed -e 's/[^ ]*: //')
+ fi
+ if [ -z "$profile" ]; then
+ profile=$(grep ^profile: /etc/confluent/confluent.deploycfg | sed -e 's/[^ ]*: //')
+ fi
+}
+
+fetch_remote() {
+ if [ -f /etc/confluent/ca.pem ]; then
+ curlargs=" --cacert /etc/confluent/ca.pem"
+ fi
+ set_confluent_vars
+ mkdir -p $(dirname $1)
+ curl -f -sS $curlargs https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+ if [ $? != 0 ]; then echo $1 failed to download; return 1; fi
+}
+
+run_remote_parts() {
+ scriptlist=$(python3 /etc/confluent/apiclient /confluent-api/self/scriptlist/$1|sed -e 's/^- //')
+ for script in $scriptlist; do
+ run_remote $1.d/$script
+ done
+}
+
+run_remote() {
+ requestedcmd="'$*'"
+ curlargs=""
+ if [ -f /etc/confluent/ca.pem ]; then
+ curlargs=" --cacert /etc/confluent/ca.pem"
+ fi
+ set_confluent_vars
+ echo
+ echo '---------------------------------------------------------------------------'
+ echo Running $requestedcmd from https://$mgr/confluent-public/os/$profile/scripts/
+ tmpdir=$(mktemp -d)
+ echo Executing in $tmpdir
+ cd $tmpdir
+ mkdir -p $(dirname $1)
+ curl -f -sS $curlargs https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+ if [ $? != 0 ]; then echo $requestedcmd failed to download; return 1; fi
+ chmod +x $1
+ cmd=$1
+ #if [ -x /usr/bin/chcon ]; then
+ # chcon system_u:object_r:bin_t:s0 $cmd
+ #fi
+ shift
+ ./$cmd $*
+ retcode=$?
+ echo "$requestedcmd exited with code $retcode"
+ cd - > /dev/null
+ return $retcode
+}
+
+run_remote_python() {
+ echo
+ set_confluent_vars
+ if [ -f /etc/confluent/ca.pem ]; then
+ curlargs=" --cacert /etc/confluent/ca.pem"
+ fi
+ echo '---------------------------------------------------------------------------'
+ echo Running python script "'$*'" from https://$mgr/confluent-public/os/$profile/scripts/
+ tmpdir=$(mktemp -d)
+ echo Executing in $tmpdir
+ cd $tmpdir
+ mkdir -p $(dirname $1)
+ curl -f -sS $curlargs https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+ if [ $? != 0 ]; then echo "'$*'" failed to download; return 1; fi
+ python3 $*
+ retcode=$?
+ echo "'$*' exited with code $retcode"
+ cd - > /dev/null
+ return $retcode
+}
+
+run_remote_config() {
+ echo
+ set_confluent_vars
+ apiclient=/opt/confluent/bin/apiclient
+ if [ -f /etc/confluent/apiclient ]; then
+ apiclient=/etc/confluent/apiclient
+ fi
+ echo '---------------------------------------------------------------------------'
+ echo Requesting to run remote configuration for "'$*'" from $mgr under profile $profile
+ python3 $apiclient /confluent-api/self/remoteconfig/"$*" -d {}
+ python3 $apiclient /confluent-api/self/remoteconfig/status -w 204
+ echo
+ echo 'Completed remote configuration'
+ echo '---------------------------------------------------------------------------'
+ return
+}
+
diff --git a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh
index 27111aec..27f178a9 100755
--- a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh
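Review bot: In `run_remote` and `run_remote_python` neither `tmpdir=$(mktemp -d)` nor the following `cd $tmpdir` is checked, so if the temporary directory cannot be created the unquoted `cd` receives no argument, changes to the caller's home directory, and the fetched script is written and executed there. Use `tmpdir=$(mktemp -d) || return 1` and `cd "$tmpdir" || return 1`. The script name is also expanded unquoted in `mkdir -p $(dirname $1)`, the `> $1` redirect and `./$cmd $*`, and `run_remote_parts` takes those names from the scriptlist API response. As defence in depth, quote them (`"$1"`, `"$@"`) and reject names containing `..`, so that the download and the executed file stay inside the temporary directory.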
@@ -21,6 +21,8 @@ echo ' EnableSSHKeysign yes' >> $sshconf echo ' HostbasedKeyTypes *ed25519*' >> $sshconf curl -f https://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /target/etc/confluent/firstboot.sh +curl -f https://$mgr/confluent-public/os/$profile/scripts/functions > /target/etc/confluent/functions +source /target/etc/confluent/functions chmod +x /target/etc/confluent/firstboot.sh cp /tmp/allnodes /target/root/.shosts cp /tmp/allnodes /target/etc/ssh/shosts.equiv @@ -44,11 +46,27 @@ kargs=$(curl https://$mgr/confluent-public/os/$profile/profile.yaml | grep ^inst if [ ! -z "$kargs" ]; then sed -i 's/GRUB_CMDLINE_LINUX="\([^"]*\)"/GRUB_CMDLINE_LINUX="\1 '"${kargs}"'"/' /target/etc/default/grub fi -if [ 1 = $updategrub ]; then - mount -o bind /dev /target/dev - mount -o bind /proc /target/proc - mount -o bind /sys /target/sys - chroot /target update-grub - umount /target/sys /target/dev /target/proc -fi +mkdir -p /opt/confluent/bin +mkdir -p /etc/confluent +cp -a /target/etc/confluent/* /etc/confluent +cp /custom-installation/confluent/bin/apiclient /opt/confluent/bin/ +cp /custom-installation/confluent/bin/apiclient /target/etc/confluent/ + +mount -o bind /dev /target/dev +mount -o bind /proc /target/proc +mount -o bind /sys /target/sys +if [ 1 = $updategrub ]; then + chroot /target update-grub +fi +echo "Port 22" >> /etc/ssh/sshd_config +echo "Port 2222" >> /etc/ssh/sshd_config +echo "Match LocalPort 22" >> /etc/ssh/sshd_config +echo " ChrootDirectory /target" >> /etc/ssh/sshd_config +kill -HUP $(cat /run/sshd.pid) +cat /target/etc/confluent/tls/*.pem > /target/etc/confluent/ca.pem +chroot /target bash -c "source /etc/confluent/functions; run_remote_parts post" +source /target/etc/confluent/functions +run_remote_config post + +umount /target/sys /target/dev /target/proc
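Review bot: The added `curl -f … /scripts/functions > /target/etc/confluent/functions` is followed directly by `source` with no check of curl's exit status, so a failed download leaves an empty or truncated file and the later `run_remote_parts post` and `run_remote_config post` calls fail only with command-not-found. Something like `curl -f -sS https://$mgr/confluent-public/os/$profile/scripts/functions -o /target/etc/confluent/functions || exit 1` (or whatever failure path the installer expects) would stop before sourcing it. The line also passes no `--cacert`, unlike the helpers in the functions file, so verification of code that is sourced into the installer shell depends on the environment's default trust store. That is presumably configured earlier, but it is not visible in this hunk.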
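Review bot: The lines appended to `/etc/ssh/sshd_config` change who can reach what during installation but carry no comment: after the HUP, port 22 sessions are chrooted into `/target`, while port 2222 is a second listener that lands in the installer environment itself. I would add a comment above the block such as `# port 22 -> chrooted into the installed system at /target; port 2222 -> installer environment (debug access)`, and confirm that exposing 2222 for the rest of the install is intended. `kill -HUP $(cat /run/sshd.pid)` is also unguarded, so if the pid file is missing the reload silently does not happen and port 22 stays unchrooted; `[ -f /run/sshd.pid ] && kill -HUP "$(cat /run/sshd.pid)"` with a logged failure would make that visible. The exit status of `chroot /target bash -c "…run_remote_parts post"` is likewise ignored before `run_remote_config post` runs.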