diff --git a/nextcloud-aci/README.md b/nextcloud-aci/README.md
index 246330c..fe697af 100644
--- a/nextcloud-aci/README.md
+++ b/nextcloud-aci/README.md
@@ -41,7 +41,7 @@ Unfortunately, this approach doesn't work well for two reasons: a technical
 issue, and a pricing issue.
 
 ### The Technical Issue with This Approach
-ended up not working because of limitations in both
+This approach ended up not working because of limitations in both
 Azure Files and Nextcloud. Nextcloud requires `config.php` to be owned by the
 same user account as the web server is running under (i.e. `www-data`) and to
 have permissions of `0770`. Meanwhile, Azure Files uses SMB which does not 
@@ -99,3 +99,6 @@ provides more robust control over volumes at a much more affordable price. F2s
 v2 instances can be used as Kubernetes nodes. This has the added benefit that
 multiple applications can be run on the same VMs in addition to Nextcloud, 
 further increasing the cost effectiveness of your installation.
+
+**See the [nextcloud-aks](https://github.com/GuyPaddock/inveniem-nextcloud-azure/tree/master/nextcloud-aks)
+folder for an approach that works by using AKS.**
diff --git a/nextcloud-aks/helm-ingress/.gitignore b/nextcloud-aks/addons/helm-ingress/.gitignore
similarity index 100%
rename from nextcloud-aks/helm-ingress/.gitignore
rename to nextcloud-aks/addons/helm-ingress/.gitignore
diff --git a/nextcloud-aks/addons/helm-ingress/README.md b/nextcloud-aks/addons/helm-ingress/README.md
new file mode 100644
index 0000000..b4893f3
--- /dev/null
+++ b/nextcloud-aks/addons/helm-ingress/README.md
@@ -0,0 +1,58 @@
+# Helm Ingress Add-on for Nextcloud Running on AKS 
+This folder contains configurations and scripts to assist in setting up an 
+ingress controller on AKS, running over HTTPS with certificates automatically
+issued and renewed by Let's Encrypt.
+
+This approach is based primarily on 
+[Microsoft's Official Documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-tls).
+
+## Using this Kit
+### Providing Settings to the Scripts
+All of the settings needed by scripts need to be provided in `config.env`.
+Copy `config.example.env` to `config.env` and then customize it for your needs.
+
+Some settings are pulled-in from the top-level `nextcloud-aks` `config.env` file 
+as well; make sure both have been configured. See top-level README.md for details.
+
+### Prerequisite: Setting Up Helm and Tiller
+Before Helm can be used to install components on the cluster, the cluster needs
+to be configured with a Tiller server, and provided with TLS certificates to
+secure the connection between the server and Helm clients.
+
+After providing settings in both `config.env` files (the one in the current 
+directory and the one in the top-level folder), run scripts in the following 
+order to perform this setup:
+1. `./generate_ca_cert.sh` (do NOT run this a second time or you will lose CA certs).
+2. `./generate_helm_client_cert.sh`
+3. `./generate_tiller_server_cert.sh`
+4. `./setup_helm.sh`
+
+## Prerequisite: Installing an Ingress Controller and Certificate Issuer
+Before ingress can be deployed for Nextcloud, the cluster needs an ingress 
+_controller_ and a certificate issuer that can use Let's Encrypt to generate 
+SSL certificates.
+
+After setting-up Helm and Tiller, run scripts in the following order to 
+deploy an nginx-based ingress controller and certificate issuer:
+
+1. `./setup_cert_manager.sh`
+2. `./deploy_certmanager_issuer.sh`
+3. `./setup_ingress_controller.sh`
+
+### Deploying the Certificate Manager and Nextcloud Ingress
+You can now deploy an ingress route for Nextcloud in the current Kubernetes 
+namespace by running the following command:
+
+```
+./deploy_nextcloud_ingress.sh
+```
+
+This command is idempotent; you can tweak your deployment and run it again to
+make changes to the ingress configuration.
+
+This configuration automatically routes to the Nextcloud service that is 
+deployed and made available by the top-level `nextcloud-aks` kit. You only need
+to deploy the ingress route once; you don't need to be re-deploy it if/when
+you re-deploy Nextcloud or make changes to your Nextcloud deployment (e.g. 
+adding or removing replicas, updating images, etc). If there are no Nextcloud
+instances available for the ingress to route to, you will get a 503 error.
diff --git a/nextcloud-aks/helm-ingress/config.example.env b/nextcloud-aks/addons/helm-ingress/config.example.env
similarity index 96%
rename from nextcloud-aks/helm-ingress/config.example.env
rename to nextcloud-aks/addons/helm-ingress/config.example.env
index 6ff333c..9354d24 100644
--- a/nextcloud-aks/helm-ingress/config.example.env
+++ b/nextcloud-aks/addons/helm-ingress/config.example.env
@@ -11,6 +11,8 @@
 # @license GNU AGPL version 3 or any later version
 #
 
+source "../../config.env"
+
 ################################################################################
 # Certificate Settings
 ################################################################################
@@ -91,5 +93,4 @@ CERTMANAGER_NAMESPACE="kube-system"
 #
 # The default is to source from the trusted domain list in the top-level config.
 #
-TRUSTED_DOMAIN_LIST=( ${NEXTCLOUD_TRUSTED_DOMAINS} )
-NEXTCLOUD_INGRESS_HOSTNAME="${TRUSTED_DOMAIN_LIST[0]}"
+NEXTCLOUD_INGRESS_HOSTNAME="${NEXTCLOUD_PRIMARY_HOSTNAME}"
diff --git a/nextcloud-aks/helm-ingress/configs/certmanager-issuer.template.yaml b/nextcloud-aks/addons/helm-ingress/configs/certmanager-issuer.template.yaml
similarity index 100%
rename from nextcloud-aks/helm-ingress/configs/certmanager-issuer.template.yaml
rename to nextcloud-aks/addons/helm-ingress/configs/certmanager-issuer.template.yaml
diff --git a/nextcloud-aks/helm-ingress/configs/helm-rbac.yaml b/nextcloud-aks/addons/helm-ingress/configs/helm-rbac.yaml
similarity index 100%
rename from nextcloud-aks/helm-ingress/configs/helm-rbac.yaml
rename to nextcloud-aks/addons/helm-ingress/configs/helm-rbac.yaml
diff --git a/nextcloud-aks/helm-ingress/configs/ingress-nextcloud.template.yaml b/nextcloud-aks/addons/helm-ingress/configs/ingress-nextcloud.template.yaml
similarity index 100%
rename from nextcloud-aks/helm-ingress/configs/ingress-nextcloud.template.yaml
rename to nextcloud-aks/addons/helm-ingress/configs/ingress-nextcloud.template.yaml
diff --git a/nextcloud-aks/helm-ingress/constants.env b/nextcloud-aks/addons/helm-ingress/constants.env
similarity index 100%
rename from nextcloud-aks/helm-ingress/constants.env
rename to nextcloud-aks/addons/helm-ingress/constants.env
diff --git a/nextcloud-aks/helm-ingress/deploy_certmanager_issuer.sh b/nextcloud-aks/addons/helm-ingress/deploy_certmanager_issuer.sh
similarity index 93%
rename from nextcloud-aks/helm-ingress/deploy_certmanager_issuer.sh
rename to nextcloud-aks/addons/helm-ingress/deploy_certmanager_issuer.sh
index b4a03e9..4d194e1 100755
--- a/nextcloud-aks/helm-ingress/deploy_certmanager_issuer.sh
+++ b/nextcloud-aks/addons/helm-ingress/deploy_certmanager_issuer.sh
@@ -21,8 +21,8 @@
 set -e
 set -u
 
-source "./constants.env"
-source "./config.env"
+source "constants.env"
+source "config.env"
 
 ../preprocess_config.sh "${KUBE_CONFIG_PATH}/certmanager-issuer.template.yaml" | \
     kubectl apply -f -
diff --git a/nextcloud-aks/helm-ingress/deploy_nextcloud_ingress.sh b/nextcloud-aks/addons/helm-ingress/deploy_nextcloud_ingress.sh
similarity index 93%
rename from nextcloud-aks/helm-ingress/deploy_nextcloud_ingress.sh
rename to nextcloud-aks/addons/helm-ingress/deploy_nextcloud_ingress.sh
index b3678bc..10e0cf4 100755
--- a/nextcloud-aks/helm-ingress/deploy_nextcloud_ingress.sh
+++ b/nextcloud-aks/addons/helm-ingress/deploy_nextcloud_ingress.sh
@@ -23,8 +23,8 @@
 set -e
 set -u
 
-source "./constants.env"
-source "./config.env"
+source "constants.env"
+source "config.env"
 
 ../preprocess_config.sh "${KUBE_CONFIG_PATH}/ingress-nextcloud.template.yaml" |
     kubectl apply -f -
diff --git a/nextcloud-aks/helm-ingress/functions.sh b/nextcloud-aks/addons/helm-ingress/functions.sh
old mode 100644
new mode 100755
similarity index 100%
rename from nextcloud-aks/helm-ingress/functions.sh
rename to nextcloud-aks/addons/helm-ingress/functions.sh
diff --git a/nextcloud-aks/helm-ingress/generate_ca_cert.sh b/nextcloud-aks/addons/helm-ingress/generate_ca_cert.sh
similarity index 95%
rename from nextcloud-aks/helm-ingress/generate_ca_cert.sh
rename to nextcloud-aks/addons/helm-ingress/generate_ca_cert.sh
index fdc7297..0d76153 100755
--- a/nextcloud-aks/helm-ingress/generate_ca_cert.sh
+++ b/nextcloud-aks/addons/helm-ingress/generate_ca_cert.sh
@@ -21,9 +21,9 @@
 set -e
 set -u
 
-source "./constants.env"
-source "./config.env"
-source "./functions.sh"
+source "constants.env"
+source "config.env"
+source "functions.sh"
 
 mkdir -p "${OUTPUT_PATH}"
 
diff --git a/nextcloud-aks/helm-ingress/generate_helm_client_cert.sh b/nextcloud-aks/addons/helm-ingress/generate_helm_client_cert.sh
similarity index 95%
rename from nextcloud-aks/helm-ingress/generate_helm_client_cert.sh
rename to nextcloud-aks/addons/helm-ingress/generate_helm_client_cert.sh
index 1a56301..0b715da 100755
--- a/nextcloud-aks/helm-ingress/generate_helm_client_cert.sh
+++ b/nextcloud-aks/addons/helm-ingress/generate_helm_client_cert.sh
@@ -20,9 +20,9 @@
 set -e
 set -u
 
-source "./constants.env"
-source "./config.env"
-source "./functions.sh"
+source "constants.env"
+source "config.env"
+source "functions.sh"
 
 mkdir -p "${OUTPUT_PATH}"
 
diff --git a/nextcloud-aks/helm-ingress/generate_tiller_server_cert.sh b/nextcloud-aks/addons/helm-ingress/generate_tiller_server_cert.sh
similarity index 95%
rename from nextcloud-aks/helm-ingress/generate_tiller_server_cert.sh
rename to nextcloud-aks/addons/helm-ingress/generate_tiller_server_cert.sh
index 2596c42..27fe231 100755
--- a/nextcloud-aks/helm-ingress/generate_tiller_server_cert.sh
+++ b/nextcloud-aks/addons/helm-ingress/generate_tiller_server_cert.sh
@@ -20,9 +20,9 @@
 set -e
 set -u
 
-source "./constants.env"
-source "./config.env"
-source "./functions.sh"
+source "constants.env"
+source "config.env"
+source "functions.sh"
 
 mkdir -p "${OUTPUT_PATH}"
 
diff --git a/nextcloud-aks/helm-ingress/setup_cert_manager.sh b/nextcloud-aks/addons/helm-ingress/setup_cert_manager.sh
similarity index 95%
rename from nextcloud-aks/helm-ingress/setup_cert_manager.sh
rename to nextcloud-aks/addons/helm-ingress/setup_cert_manager.sh
index eb1e057..593ae20 100755
--- a/nextcloud-aks/helm-ingress/setup_cert_manager.sh
+++ b/nextcloud-aks/addons/helm-ingress/setup_cert_manager.sh
@@ -21,8 +21,8 @@
 set -e
 set -u
 
-source "./constants.env"
-source "./config.env"
+source "constants.env"
+source "config.env"
 
 kubectl label namespace \
     "${CERTMANAGER_NAMESPACE}" \
diff --git a/nextcloud-aks/helm-ingress/setup_helm.sh b/nextcloud-aks/addons/helm-ingress/setup_helm.sh
similarity index 97%
rename from nextcloud-aks/helm-ingress/setup_helm.sh
rename to nextcloud-aks/addons/helm-ingress/setup_helm.sh
index 0aa62e8..4a89813 100755
--- a/nextcloud-aks/helm-ingress/setup_helm.sh
+++ b/nextcloud-aks/addons/helm-ingress/setup_helm.sh
@@ -30,8 +30,8 @@
 set -e
 set -u
 
-source "./constants.env"
-source "./config.env"
+source "constants.env"
+source "config.env"
 
 if [[ ! -f "${CA_CERT_PATH}" ]]; then
     echo "CA certificate is missing: ${CA_CERT_PATH}" >&2
diff --git a/nextcloud-aks/helm-ingress/setup_ingress_controller.sh b/nextcloud-aks/addons/helm-ingress/setup_ingress_controller.sh
similarity index 96%
rename from nextcloud-aks/helm-ingress/setup_ingress_controller.sh
rename to nextcloud-aks/addons/helm-ingress/setup_ingress_controller.sh
index b51a2ff..90027db 100755
--- a/nextcloud-aks/helm-ingress/setup_ingress_controller.sh
+++ b/nextcloud-aks/addons/helm-ingress/setup_ingress_controller.sh
@@ -26,14 +26,14 @@ set -e
 set -u
 
 source "constants.env"
-source "./config.env"
+source "config.env"
 
 helm install --tls \
     stable/nginx-ingress \
     --namespace "${INGRESS_NAMESPACE}" \
     --set 'controller.replicaCount=2' \
     --set 'controller.service.externalTrafficPolicy=Local' \
-    --set-string controller.config.proxy-body-size="512M"
+    --set-string controller.config.proxy-body-size="2G"
 
 # Public IP address of your ingress controller
 for attempt in {1..20}; do
diff --git a/nextcloud-aks/addons/sftp/.gitignore b/nextcloud-aks/addons/sftp/.gitignore
new file mode 100644
index 0000000..b386605
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/.gitignore
@@ -0,0 +1 @@
+host_keys/
diff --git a/nextcloud-aks/addons/sftp/README.md b/nextcloud-aks/addons/sftp/README.md
new file mode 100644
index 0000000..0cee261
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/README.md
@@ -0,0 +1,75 @@
+# SFTP Server Add-on for Nextcloud Running on AKS 
+This folder contains configurations and scripts to assist in setting up an 
+SFTP server that can grant one or more users direct access to the Azure Files
+volumes that underlie a Nextcloud AKS deployment.
+
+## Using this Kit
+### Providing Settings to the Scripts
+All of the settings needed by scripts need to be provided in `config.env`.
+Copy `config.example.env` to `config.env` and then customize it for your needs.
+
+Some settings are pulled-in from the top-level `nextcloud-aks` `config.env` file 
+as well; make sure both have been configured. See top-level README.md for 
+details.
+
+### Specifying User Names and Passwords
+This is controlled by the `SFTP_USER_ARRAY` array in `config.env`.
+
+See 
+[`config.example.env`](https://github.com/GuyPaddock/inveniem-nextcloud-azure/blob/master/nextcloud-aks/addons/sftp/config.example.env)
+for an example of how to add users and passwords. In the example file, 
+the following users are allowed to log-in to the system:
+- `larry` with a password of `larry-password` (password was encrypted).
+- `moe` with a password of `moe-password` (password was encrypted).
+- `curly` with a password of `curly-password` (password was encrypted).
+
+**NOTE:** All users _must_ have a user ID of `33` to maintain compatibility
+with the way that the Azure Files volumes are mounted in the Nextcloud 
+containers. 
+
+Long story short, Azure Files does not implement an ACL or POSIX ownership 
+controls, but Nextcloud requires specific permissions to function. To 
+accommodate this, the top-level `nextcloud-aks` kit uses options exposed by the 
+Azure Files driver (`mountOptions`) to set the user ID and permissions of each 
+volume at the _Persistent Volume_ level. In the Nextcloud containers, user ID
+`33` is `www-data`. To avoid having to duplicate each persistent volumes just to 
+support SFTP, we are therefore forced to re-use the same user ID in the SFTP 
+container to ensure each user has access to files on those same persistent 
+volumes.
+
+### Specifying which Volumes Users Have Access To
+This is controlled by the `PATH_USERS` associative array in `config.env`.
+
+See 
+[`config.example.env`](https://github.com/GuyPaddock/inveniem-nextcloud-azure/blob/master/nextcloud-aks/addons/sftp/config.example.env)
+for an example of how to grant users access to file shares. In the example file, 
+the following users have access to the file shares specified:
+- Larry and Moe both have access to the `client1` volume/share. It will appear 
+  as `/client1` in SFTP when they log-in to their chroot-ed environment.
+- Only Moe has access to the `client2` volume/share. It will appear as 
+  `/client2` in SFTP when he logs-in to his chroot-ed environment.
+- Curly and Moe both have access to the `client3` volume/share. It will appear 
+  as `/client3` in SFTP when they log-in to their chroot-ed environment.
+
+### Prerequisite: Generating and Deploying Host Keys
+To ensure that users don't get security errors when reconnecting to the cluster
+after an SFTP pod has been cycled, this resource kit requires that SSH server
+keys are pre-generated and deployed as a secret in the cluster.
+
+After providing settings in both `config.env` files (the one in the current 
+directory and the one in the top-level folder), run the following script
+to perform this setup:
+```
+./setup_host_keys.sh
+```
+
+### Deploying the SFTP Server
+You can now deploy the SFTP server to the cluster in the current Kubernetes 
+namespace by running the following command:
+
+```
+./deploy_sftp_app.sh
+```
+
+This command is idempotent; you can tweak your deployment and run it again to
+make changes to the SFTP pod configuration.
diff --git a/nextcloud-aks/addons/sftp/config.example.env b/nextcloud-aks/addons/sftp/config.example.env
new file mode 100644
index 0000000..8693d57
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/config.example.env
@@ -0,0 +1,71 @@
+##
+# Configuration Constants for the SFTP add-on application.
+#
+# This is an example configuration file for the scripts in this folder. You must
+# tailor it to meet your needs, or you will end up with a less-than-ideal setup.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2019, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+
+source '../../config.env'
+
+################################################################################
+# User Accounts and User Access
+################################################################################
+
+##
+# An array of all the users who should be granted access to the system, along
+# with their encrypted passwords and user IDs.
+#
+# NOTE: User ID MUST be 33 in order to match the Azure Files mount options that
+#       are in place for compatibility with Nextcloud's volume mounts. This
+#       means that all users log-in as the same user ID but with different login
+#       names.
+#
+#       This is safe because:
+#       - Azure Files does not provide any ACL/permission enforcement anyway.
+#       - All users are chroot-ed by login name, so they can't see each other's
+#         files anyway.
+#       - SSH access is disabled, so they can't see who else is logged-in.
+#
+# See documentation here for the format:
+# https://hub.docker.com/r/atmoz/sftp#encrypted-password
+#
+# Per documentation above, passwords can be generated like this:
+# ```
+#   echo -n "your-password" | \
+#     docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=-
+# ```
+#
+SFTP_USER_ARRAY=(
+    'larry:$1$36ZEFQn6$bDdiGy8EFUzaCtO.07xPO1:e:33'
+    'curly:$1$KIB014xD$EOpbnqVSBjPUrJkn2L/Kk1:e:33'
+    'moe:$1$e103gR21$M5JK/a8e2tOIDk.cH9S/5/:e:33'
+)
+SFTP_USER_STRING="${SFTP_USER_ARRAY[@]}"
+
+##
+# An associative array from Nextcloud volume mounts to a space-separated list
+# of users who should have access to that volume mount.
+#
+# Each key defined here must match a value that was defined in the
+# STORAGE_FILE_SHARES value of the top-level config.env file in order for it
+# to be effective.
+#
+declare -A PATH_USERS
+PATH_USERS['client1']='larry moe'
+PATH_USERS['client2']='moe'
+PATH_USERS['client3']='curly moe'
+
+################################################################################
+# Secret Names
+################################################################################
+# The names of ALL secrets must be unique, and must not overlap with any secrets
+# from any other application running on the Kubernetes cluster.
+
+##
+# The name of the secret within Kubernetes that will store the SFTP host keys.
+#
+KUBE_SFTP_CREDS_SECRET="sftp-host-keys"
diff --git a/nextcloud-aks/addons/sftp/configs/app-sftp.template.yaml b/nextcloud-aks/addons/sftp/configs/app-sftp.template.yaml
new file mode 100644
index 0000000..c5d57a6
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/configs/app-sftp.template.yaml
@@ -0,0 +1,82 @@
+##
+# Kubernetes deployment configuration for running SFTP alongside Nextcloud for
+# one or more shares.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2019, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sftp
+spec:
+  replicas: 1
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: frontend-sftp
+  template:
+    metadata:
+      labels:
+        app: frontend-sftp
+        role: frontend
+    spec:
+      containers:
+        # Container: The SFTP server.
+        - name: frontend-sftp
+          image: "atmoz/sftp:alpine"
+          ports:
+            - containerPort: 22
+          resources:
+            requests:
+              cpu: 100m
+              memory: 64Mi
+            limits:
+              cpu: 500m
+              memory: 128Mi
+          volumeMounts:
+            - name: volume-secret-ssh-host-keys
+              mountPath: /etc/ssh/ssh_host_ed25519_key
+              subPath: ssh_host_ed25519_key
+              readOnly: true
+            - name: volume-secret-ssh-host-keys
+              mountPath: /etc/ssh/ssh_host_rsa_key
+              subPath: ssh_host_rsa_key
+              readOnly: true
+            # HACK: Until AKS supports pod presets, we have to kludge the dynamic
+            # mounts in via a variable expansion. Do not modify the last line of
+            # this comment; it gets expanded and replaced automatically when this
+            # file is pre-processed. Remove this entire comment when switching over
+            # to using pod presets.
+            #
+            # ${FILE_SHARE_VOLUME_MOUNT_LINES}
+          env:
+            - name: SFTP_USERS
+              value: "${SFTP_USER_STRING}"
+      volumes:
+        - name: volume-secret-ssh-host-keys
+          secret:
+            secretName: "${KUBE_SFTP_CREDS_SECRET}"
+            defaultMode: 0400
+        # HACK: Until AKS supports pod presets, we have to kludge the dynamic
+        # mounts in via a variable expansion. Do not modify the last line of
+        # this comment; it gets expanded and replaced automatically when this
+        # file is pre-processed. Remove this entire comment when switching over
+        # to using pod presets.
+        #
+        # ${FILE_SHARE_VOLUME_LINES}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-sftp
+  labels:
+    role: external-service
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 22889
+      targetPort: 22
+  selector:
+    app: frontend-sftp
diff --git a/nextcloud-aks/addons/sftp/delete_sftp_app.sh b/nextcloud-aks/addons/sftp/delete_sftp_app.sh
new file mode 100755
index 0000000..0975475
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/delete_sftp_app.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+##
+# This script removes the SFTP application and its load balancer from
+# Kubernetes.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2019, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+
+set -e
+set -u
+
+source './config.env'
+
+FILES+=(
+    'app-sftp.template.yaml'
+)
+
+# HACK: Until AKS supports pod presets, we have to kludge the dynamic mounts in
+# via a variable expansions.
+source ./generate_share_mount_lines.sh
+
+echo "Un-deploying SFTP application..."
+for file in "${FILES[@]}"; do
+    ../../preprocess_config.sh "configs/${file}" | kubectl delete -f -
+done
+echo "Done."
+echo ""
diff --git a/nextcloud-aks/addons/sftp/deploy_sftp_app.sh b/nextcloud-aks/addons/sftp/deploy_sftp_app.sh
new file mode 100755
index 0000000..b3ea69e
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/deploy_sftp_app.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+##
+# This script deploys the SFTP application and its load balancer to Kubernetes.
+#
+# NOTE: You MUST run `./setup_host_keys.sh` BEFORE running this script.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2019, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+
+set -e
+set -u
+
+source './config.env'
+
+FILES+=(
+    'app-sftp.template.yaml'
+)
+
+# HACK: Until AKS supports pod presets, we have to kludge the dynamic mounts in
+# via a variable expansions instead.
+source ./generate_share_mount_lines.sh
+
+echo "Deploying SFTP application..."
+for file in "${FILES[@]}"; do
+    ../../preprocess_config.sh "configs/${file}" | kubectl apply -f -
+done
+echo "Done."
+echo ""
diff --git a/nextcloud-aks/addons/sftp/generate_host_keys.sh b/nextcloud-aks/addons/sftp/generate_host_keys.sh
new file mode 100755
index 0000000..0c2fb4a
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/generate_host_keys.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+##
+# This script generates SSH host keys for the SFTP container.
+#
+# This ensures users do not get a security error upon connecting over SFTP after
+# containers have cycled.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2019, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+
+set -e
+set -u
+
+mkdir -p ./host_keys/
+ssh-keygen -t ed25519 -f ./host_keys/ssh_host_ed25519_key -N ''
+ssh-keygen -t rsa -b 4096 -f ./host_keys/ssh_host_rsa_key -N ''
diff --git a/nextcloud-aks/addons/sftp/generate_share_mount_lines.sh b/nextcloud-aks/addons/sftp/generate_share_mount_lines.sh
new file mode 100755
index 0000000..5674274
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/generate_share_mount_lines.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+##
+# This script dynamically generates the portions of a Kubernetes container
+# configuration that specify mounts for every file share defined in the
+# configuration.
+#
+# - The `volumeMount` lines are exported in `FILE_SHARE_VOLUME_MOUNT_LINES`.
+# - The `volume` lines are exported in `FILE_SHARE_VOLUME_LINES`.
+#
+# This frees users from having to edit shares directly in
+# `app-sftp.template.yaml`.
+#
+# NOTE: This is a hack until AKS supports pod presets, which provide a much
+# more elegant approach to this problem. Vote for the feature here:
+# https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks/suggestions/35054089-support-podpreset-alpha-feature
+#
+# ALSO NOTE: This is similar to, but distinct from,
+# `generate_backend_share_mount_lines.sh` in the parent folder. This script has
+# been tailored to match the needs of the SFTP application.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2019, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+
+set -e
+set -u
+
+source './config.env'
+
+generate_volume_mount_lines() {
+    # Ensure we end the comment on the prior line of the YAML file.
+    echo ""
+
+    for file_share_name in "${STORAGE_FILE_SHARES[@]}"; do
+        if [[ ! ${PATH_USERS["${file_share_name}"]+_} ]]; then
+            continue
+        fi
+
+        for user in ${PATH_USERS["${file_share_name}"]}; do
+            mount_path="/home/${user}/${file_share_name}"
+
+            cat <<EOF
+            - mountPath: "${mount_path}"
+              name: "volume-nextcloud-${file_share_name}"
+EOF
+        done
+    done
+}
+
+generate_volume_lines() {
+    # Ensure we end the comment on the prior line of the YAML file.
+    echo ""
+
+    for file_share_name in "${STORAGE_FILE_SHARES[@]}"; do
+        cat <<EOF
+        - name: "volume-nextcloud-${file_share_name}"
+          persistentVolumeClaim:
+            claimName: "claim-nextcloud-${file_share_name}"
+EOF
+    done
+}
+
+export FILE_SHARE_VOLUME_MOUNT_LINES=$(generate_volume_mount_lines)
+export FILE_SHARE_VOLUME_LINES=$(generate_volume_lines)
diff --git a/nextcloud-aks/addons/sftp/setup_host_keys.sh b/nextcloud-aks/addons/sftp/setup_host_keys.sh
new file mode 100755
index 0000000..90936c9
--- /dev/null
+++ b/nextcloud-aks/addons/sftp/setup_host_keys.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+##
+# This script generates SSH host keys for the SFTP container, then saves them
+# to a Kubernetes secret.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2019, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+
+set -e
+set -u
+
+source './config.env'
+
+./generate_host_keys.sh
+
+kubectl create secret generic "${KUBE_SFTP_CREDS_SECRET}" \
+    --from-file=./host_keys/ssh_host_ed25519_key \
+    --from-file=./host_keys/ssh_host_rsa_key
diff --git a/nextcloud-aks/config.example.env b/nextcloud-aks/config.example.env
index ef0992b..09df766 100644
--- a/nextcloud-aks/config.example.env
+++ b/nextcloud-aks/config.example.env
@@ -93,6 +93,22 @@ REGISTRY_SERVICE_PRINCIPLE_NAME="my-kube-acr"
 # deployment without having to SSH-in to modify your config.php file directly.
 NEXTCLOUD_TRUSTED_DOMAINS='nextcloud1.example.com nextcloud2.example.com'
 
+##
+# Exposes NEXTCLOUD_TRUSTED_DOMAINS as an array, for convenience.
+#
+# You should not need to modify this logic/setting.
+#
+NEXTCLOUD_TRUSTED_DOMAIN_LIST=( ${NEXTCLOUD_TRUSTED_DOMAINS} )
+
+##
+# The hostname that should be considered the "primary" way to access Nextcloud.
+#
+# This defaults to the first hostname specified in
+# NEXTCLOUD_TRUSTED_DOMAIN_LIST (which is typically populated automatically from
+# NEXTCLOUD_TRUSTED_DOMAINS).
+#
+NEXTCLOUD_PRIMARY_HOSTNAME="${NEXTCLOUD_TRUSTED_DOMAIN_LIST[0]}"
+
 ##
 # The credentials for the Nextcloud admin account to create after deployment.
 #
@@ -114,13 +130,37 @@ NEXTCLOUD_CUSTOM_APPS=(
 # The number of instances of Nextcloud to have running concurrently, to maximize
 # availability.
 #
-# NOTE: This should be 1 during initial install, so that only one instance is
-# attempting to perform installation. Then, once Nextcloud is running and
-# stable, you can adjust it to 2+ and run ./deploy_nextcloud_app.sh to increase
-# availability.
+# NOTE: This MUST be set to `1` during initial install, so that only one
+# instance is attempting to perform installation. Then, once Nextcloud is
+# running and stable, you can adjust it to 2+ and run ./deploy_nextcloud_app.sh
+# to increase availability.
 #
 NEXTCLOUD_REPLICA_COUNT=1
 
+##
+# Control whether or not the Nextcloud configuration files are writable.
+#
+# You should not need to modify this logic/setting.
+#
+# The default behavior here is that the configuration files are NOT writable
+# once there are multiple replicas. Per the note above for
+# `NEXTCLOUD_REPLICA_COUNT`, installation should only be attempted with a
+# single replica deployed. Then, once installation is complete and additional
+# replicas are added to the deployment, the configuration files are made
+# read-only to ensure that all instances have a consistent view of the
+# configuration, the installer cannot be run again, and no single instance can
+# accidentally overwrite the configuration.
+#
+# This value is also exposed to the container at run-time as
+# `NEXTCLOUD_CONFIG_READ_ONLY`.
+#
+#
+if [[ "${NEXTCLOUD_REPLICA_COUNT}" -gt 1 ]]; then
+    NEXTCLOUD_CONFIG_READ_ONLY="true"
+else
+    NEXTCLOUD_CONFIG_READ_ONLY="false"
+fi
+
 ################################################################################
 # MySQL Database Settings
 ################################################################################
diff --git a/nextcloud-aks/configs/clamav.template.yaml b/nextcloud-aks/configs/app-clamav.template.yaml
similarity index 90%
rename from nextcloud-aks/configs/clamav.template.yaml
rename to nextcloud-aks/configs/app-clamav.template.yaml
index 58fc0aa..e01016d 100644
--- a/nextcloud-aks/configs/clamav.template.yaml
+++ b/nextcloud-aks/configs/app-clamav.template.yaml
@@ -28,8 +28,8 @@ spec:
     spec:
       containers:
         - name: backend-clamav
-          image: "mkodockx/docker-clamav:latest"
-          imagePullPolicy: Always
+          image: "mkodockx/docker-clamav@sha256:09faf0d32b3f6f1169d2428e8226f2ea12bbb8fc3d96acc95ee1278f1a9f39c4"
+#          imagePullPolicy: Always
           ports:
             - containerPort: 3310
           resources:
diff --git a/nextcloud-aks/configs/nextcloud-apache.template.yaml b/nextcloud-aks/configs/app-nextcloud-apache.template.yaml
similarity index 81%
rename from nextcloud-aks/configs/nextcloud-apache.template.yaml
rename to nextcloud-aks/configs/app-nextcloud-apache.template.yaml
index 20b1295..ef353b9 100644
--- a/nextcloud-aks/configs/nextcloud-apache.template.yaml
+++ b/nextcloud-aks/configs/app-nextcloud-apache.template.yaml
@@ -26,12 +26,12 @@ spec:
         # Container: The Apache-based Nextcloud backend
         - name: backend-nextcloud-apache
           image: "${REGISTRY_HOST}/inveniem/nextcloud-apache:${CONTAINER_VERSION}"
-          imagePullPolicy: Always
+#          imagePullPolicy: Always
           ports:
             - containerPort: 80
           resources:
             requests:
-              cpu: 100m
+              cpu: 25m
               memory: 128Mi
             limits:
               cpu: 1500m
@@ -49,6 +49,8 @@ spec:
             #
             # ${FILE_SHARE_VOLUME_MOUNT_LINES}
           env:
+            - name: NEXTCLOUD_CONFIG_READ_ONLY
+              value: "${NEXTCLOUD_CONFIG_READ_ONLY}"
             - name: NEXTCLOUD_TRUSTED_DOMAINS
               valueFrom:
                 configMapKeyRef:
@@ -93,16 +95,39 @@ spec:
                 secretKeyRef:
                   name: "${KUBE_REDIS_KEY_SECRET}"
                   key: key
+          readinessProbe:
+            httpGet:
+              # This path should work both before and after installation.
+              # In local testing, Nextcloud serves up the installer regardless
+              # of which URL is provided.
+              path: "/index.php/login?direct=1"
+              port: 80
+              httpHeaders:
+                - name: "Host"
+                  value: "${NEXTCLOUD_PRIMARY_HOSTNAME}"
+            initialDelaySeconds: 1
+            periodSeconds: 5
+            timeoutSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: "/status.php"
+              port: 80
+              httpHeaders:
+                - name: "Host"
+                  value: "${NEXTCLOUD_PRIMARY_HOSTNAME}"
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 10
         # Container: Secure Tunnel Middleware
         - name: middle-stunnel
-          image: "guyelsmorepaddock/stunnel:latest"
-          imagePullPolicy: Always
+          image: "guyelsmorepaddock/stunnel@sha256:1e066a006c75ba487754857fa5b1ed259937e7e7650c108e16ff5ea184c94f0f"
+#          imagePullPolicy: Always
           resources:
             requests:
-              cpu: 100m
+              cpu: 25m
               memory: 50Mi
             limits:
-              cpu: 200m
+              cpu: 1000m
               memory: 128Mi
           env:
             - name: REDIS_HOST
@@ -140,6 +165,7 @@ spec:
         - name: volume-nextcloud-config
           persistentVolumeClaim:
             claimName: claim-nextcloud-config
+            readOnly: ${NEXTCLOUD_CONFIG_READ_ONLY}
         # HACK: Until AKS supports pod presets, we have to kludge the dynamic
         # mounts in via a variable expansion. Do not modify the last line of
         # this comment; it gets expanded and replaced automatically when this
@@ -152,6 +178,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: internal-nextcloud
+  labels:
+    role: internal-service
 spec:
   type: ClusterIP
   ports:
diff --git a/nextcloud-aks/configs/nextcloud-fpm-nginx.template.yaml b/nextcloud-aks/configs/app-nextcloud-fpm-nginx.template.yaml
similarity index 80%
rename from nextcloud-aks/configs/nextcloud-fpm-nginx.template.yaml
rename to nextcloud-aks/configs/app-nextcloud-fpm-nginx.template.yaml
index 41fe7a2..a7e90a2 100644
--- a/nextcloud-aks/configs/nextcloud-fpm-nginx.template.yaml
+++ b/nextcloud-aks/configs/app-nextcloud-fpm-nginx.template.yaml
@@ -26,10 +26,10 @@ spec:
         # Container: The PHP-FPM-based Nextcloud backend
         - name: backend-nextcloud-fpm
           image: "${REGISTRY_HOST}/inveniem/nextcloud-fpm:${CONTAINER_VERSION}"
-          imagePullPolicy: Always
+#          imagePullPolicy: Always
           resources:
             requests:
-              cpu: 100m
+              cpu: 10m
               memory: 128Mi
             limits:
               cpu: 1500m
@@ -47,6 +47,8 @@ spec:
             #
             # ${FILE_SHARE_VOLUME_MOUNT_LINES}
           env:
+            - name: NEXTCLOUD_CONFIG_READ_ONLY
+              value: "${NEXTCLOUD_CONFIG_READ_ONLY}"
             - name: NEXTCLOUD_TRUSTED_DOMAINS
               valueFrom:
                 configMapKeyRef:
@@ -93,11 +95,11 @@ spec:
                   key: key
         # Container: Secure Tunnel Middleware
         - name: middle-stunnel
-          image: "guyelsmorepaddock/stunnel:latest"
-          imagePullPolicy: Always
+          image: "guyelsmorepaddock/stunnel@sha256:1e066a006c75ba487754857fa5b1ed259937e7e7650c108e16ff5ea184c94f0f"
+#          imagePullPolicy: Always
           resources:
             requests:
-              cpu: 100m
+              cpu: 25m
               memory: 50Mi
             limits:
               cpu: 1000m
@@ -130,12 +132,12 @@ spec:
         # Container: Nginx Server Middleware
         - name: middle-nextcloud-nginx
           image: "${REGISTRY_HOST}/inveniem/nextcloud-nginx-middleware:${CONTAINER_VERSION}"
-          imagePullPolicy: Always
+#          imagePullPolicy: Always
           ports:
             - containerPort: 80
           resources:
             requests:
-              cpu: 100m
+              cpu: 10m
               memory: 128Mi
             limits:
               cpu: 1000m
@@ -144,18 +146,43 @@ spec:
             - name: volume-nextcloud-app
               mountPath: /var/www/html
               readOnly: true
+          readinessProbe:
+            httpGet:
+              # This path should work both before and after installation.
+              # In local testing, Nextcloud serves up the installer regardless
+              # of which URL is provided.
+              path: "/index.php/login?direct=1"
+              port: 80
+              httpHeaders:
+                - name: "Host"
+                  value: "${NEXTCLOUD_PRIMARY_HOSTNAME}"
+            initialDelaySeconds: 1
+            periodSeconds: 5
+            timeoutSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: "/status.php"
+              port: 80
+              httpHeaders:
+                - name: "Host"
+                  value: "${NEXTCLOUD_PRIMARY_HOSTNAME}"
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 10
       imagePullSecrets:
         # NOTE: This secret is added by `setup_aks_acr_service_principal.sh`.
         - name: "${ACR_DOCKER_CREDS_SECRET}"
       volumes:
-        # Ephemeral volume shared between the Nextcloud PHP-FPM and Nginx
-        # containers within the same pod
+        # Ephemeral volume that contains the loaded Nextcloud software,
+        # shared between the Nextcloud PHP-FPM and Nginx containers within the
+        # same pod
         - name: volume-nextcloud-app
           emptyDir: {}
         # Remaining volumes are handled through Persistent Volume Claims
         - name: volume-nextcloud-config
           persistentVolumeClaim:
             claimName: claim-nextcloud-config
+            readOnly: ${NEXTCLOUD_CONFIG_READ_ONLY}
         # HACK: Until AKS supports pod presets, we have to kludge the dynamic
         # mounts in via a variable expansion. Do not modify the last line of
         # this comment; it gets expanded and replaced automatically when this
diff --git a/nextcloud-aks/configs/blob-claims.template.yaml b/nextcloud-aks/configs/blob-claims.template.yaml
deleted file mode 100644
index 00c547c..0000000
--- a/nextcloud-aks/configs/blob-claims.template.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-##
-# Kubernetes configuration for setting up all of the persistent volume claims
-# for Nextcloud to store its configuration, apps, and themes on Azure Blob
-# storage.
-#
-# These must exactly match the claims in `blob-volumes.template.yaml`. Claims are
-# being used to allow storage to be portable across pods.
-#
-# @author Guy Elsmore-Paddock (guy@inveniem.com)
-# @copyright Copyright (c) 2019, Inveniem
-# @license GNU AGPL version 3 or any later version
-#
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: claim-nextcloud-config
-spec:
-  storageClassName: ""
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 100Mi
-  volumeName: vol-nextcloud-blob-config
diff --git a/nextcloud-aks/configs/nextcloud-namespace-dev.yaml b/nextcloud-aks/configs/namespace-nextcloud-dev.yaml
similarity index 100%
rename from nextcloud-aks/configs/nextcloud-namespace-dev.yaml
rename to nextcloud-aks/configs/namespace-nextcloud-dev.yaml
diff --git a/nextcloud-aks/configs/nextcloud-namespace-live.yaml b/nextcloud-aks/configs/namespace-nextcloud-live.yaml
similarity index 100%
rename from nextcloud-aks/configs/nextcloud-namespace-live.yaml
rename to nextcloud-aks/configs/namespace-nextcloud-live.yaml
diff --git a/nextcloud-aks/configs/blob-volumes.template.yaml b/nextcloud-aks/configs/vol-blob.template.yaml
similarity index 63%
rename from nextcloud-aks/configs/blob-volumes.template.yaml
rename to nextcloud-aks/configs/vol-blob.template.yaml
index 17023aa..738f7ed 100644
--- a/nextcloud-aks/configs/blob-volumes.template.yaml
+++ b/nextcloud-aks/configs/vol-blob.template.yaml
@@ -1,10 +1,6 @@
 ##
-# Kubernetes configuration for setting up all of the persistent volumes for
-# Nextcloud to store its configuration, apps, and themes on Azure Blob
-# storage.
-#
-# These must exactly match the claims in `blob-claims.template.yaml`. Claims are
-# being used to allow storage to be portable across pods.
+# Kubernetes configuration for setting up a persistent volume for Nextcloud to
+# store its configuration on Azure Blob storage.
 #
 # @author Guy Elsmore-Paddock (guy@inveniem.com)
 # @copyright Copyright (c) 2019, Inveniem
@@ -28,3 +24,16 @@ spec:
       container: nextcloud-config
       tmppath: /mnt/blobfusetmp/nextcloud-config
       mountoptions: "-o uid=33 -o gid=33 -o allow_other -o umask=007 --file-cache-timeout-in-seconds=120"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: claim-nextcloud-config
+spec:
+  storageClassName: ""
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 100Mi
+  volumeName: vol-nextcloud-blob-config
diff --git a/nextcloud-aks/configs/file-share.template.yaml b/nextcloud-aks/configs/vol-file-share.template.yaml
similarity index 91%
rename from nextcloud-aks/configs/file-share.template.yaml
rename to nextcloud-aks/configs/vol-file-share.template.yaml
index 9ca0cca..853defb 100644
--- a/nextcloud-aks/configs/file-share.template.yaml
+++ b/nextcloud-aks/configs/vol-file-share.template.yaml
@@ -46,4 +46,7 @@ spec:
     requests:
       storage: 100Gi
   volumeName: "vol-nextcloud-share-${file_share_name}"
+
+# NOTE: Preserve the following break; this template runs in a loop and is concatenated
+# together to form the final config.
 ---
diff --git a/nextcloud-aks/delete_clamav.sh b/nextcloud-aks/delete_clamav.sh
index 0958516..78d43a8 100755
--- a/nextcloud-aks/delete_clamav.sh
+++ b/nextcloud-aks/delete_clamav.sh
@@ -14,7 +14,7 @@ set -u
 source './config.env'
 
 FILES=(
-    'clamav.template.yaml'
+    'app-clamav.template.yaml'
 )
 
 echo "Un-deploying ClamAV Daemon..."
diff --git a/nextcloud-aks/delete_namespaces.sh b/nextcloud-aks/delete_namespaces.sh
index fbf4edf..f1d1934 100755
--- a/nextcloud-aks/delete_namespaces.sh
+++ b/nextcloud-aks/delete_namespaces.sh
@@ -19,8 +19,8 @@ set -u
 source './config.env'
 
 FILES=(
-    'nextcloud-namespace-dev.yaml'
-    'nextcloud-namespace-live.yaml'
+    'namespace-nextcloud-dev.yaml'
+    'namespace-nextcloud-live.yaml'
 )
 
 echo "Removing Nextcloud namespaces..."
diff --git a/nextcloud-aks/delete_nextcloud_app.sh b/nextcloud-aks/delete_nextcloud_app.sh
index 9c5e3c2..0884b05 100755
--- a/nextcloud-aks/delete_nextcloud_app.sh
+++ b/nextcloud-aks/delete_nextcloud_app.sh
@@ -15,9 +15,9 @@ set -u
 source './config.env'
 
 if [[ "${POD_TYPE:-apache}" = "fpm-nginx" ]]; then
-    FILES=('nextcloud-fpm-nginx.template.yaml')
+    FILES=('app-nextcloud-fpm-nginx.template.yaml')
 else
-    FILES=('nextcloud-apache.template.yaml')
+    FILES=('app-nextcloud-apache.template.yaml')
 fi
 
 FILES+=(
diff --git a/nextcloud-aks/delete_nextcloud_volumes.sh b/nextcloud-aks/delete_nextcloud_volumes.sh
index 181e910..7d0e3d8 100755
--- a/nextcloud-aks/delete_nextcloud_volumes.sh
+++ b/nextcloud-aks/delete_nextcloud_volumes.sh
@@ -15,8 +15,7 @@ set -e
 set -u
 
 FILES=(
-    'blob-volumes.template.yaml'
-    'blob-claims.template.yaml'
+    'vol-blob.template.yaml'
 )
 
 echo "Removing Nextcloud persisted volumes for Azure Blob Storage..."
diff --git a/nextcloud-aks/deploy_clamav.sh b/nextcloud-aks/deploy_clamav.sh
index 90e00c9..f56e99c 100755
--- a/nextcloud-aks/deploy_clamav.sh
+++ b/nextcloud-aks/deploy_clamav.sh
@@ -14,7 +14,7 @@ set -u
 source './config.env'
 
 FILES=(
-    'clamav.template.yaml'
+    'app-clamav.template.yaml'
 )
 
 
diff --git a/nextcloud-aks/deploy_namespaces.sh b/nextcloud-aks/deploy_namespaces.sh
index 4e99d80..98d21c4 100755
--- a/nextcloud-aks/deploy_namespaces.sh
+++ b/nextcloud-aks/deploy_namespaces.sh
@@ -20,8 +20,8 @@ set -u
 source './config.env'
 
 FILES=(
-    'nextcloud-namespace-dev.yaml'
-    'nextcloud-namespace-live.yaml'
+    'namespace-nextcloud-dev.yaml'
+    'namespace-nextcloud-live.yaml'
 )
 
 echo "Deploying Nextcloud namespaces..."
diff --git a/nextcloud-aks/deploy_nextcloud_app.sh b/nextcloud-aks/deploy_nextcloud_app.sh
index b6f4f21..2e98b33 100755
--- a/nextcloud-aks/deploy_nextcloud_app.sh
+++ b/nextcloud-aks/deploy_nextcloud_app.sh
@@ -28,9 +28,9 @@ FILES=(
 )
 
 if [[ "${POD_TYPE:-apache}" = "fpm-nginx" ]]; then
-    FILES+=('nextcloud-fpm-nginx.template.yaml')
+    FILES+=('app-nextcloud-fpm-nginx.template.yaml')
 else
-    FILES+=('nextcloud-apache.template.yaml')
+    FILES+=('app-nextcloud-apache.template.yaml')
 fi
 
 
diff --git a/nextcloud-aks/deploy_nextcloud_volumes.sh b/nextcloud-aks/deploy_nextcloud_volumes.sh
index 177537c..6366039 100755
--- a/nextcloud-aks/deploy_nextcloud_volumes.sh
+++ b/nextcloud-aks/deploy_nextcloud_volumes.sh
@@ -15,8 +15,7 @@ set -u
 source './config.env'
 
 FILES=(
-    'blob-volumes.template.yaml'
-    'blob-claims.template.yaml'
+    'vol-blob.template.yaml'
 )
 
 echo "Setting up Nextcloud persisted volumes for Azure Blob Storage..."
diff --git a/nextcloud-aks/docker/backend-nextcloud-apache/Dockerfile b/nextcloud-aks/docker/backend-nextcloud-apache/Dockerfile
index 3cd5c43..070d3fe 100644
--- a/nextcloud-aks/docker/backend-nextcloud-apache/Dockerfile
+++ b/nextcloud-aks/docker/backend-nextcloud-apache/Dockerfile
@@ -10,6 +10,8 @@
 #
 FROM nextcloud:15.0.5-apache
 
+ENV NEXTCLOUD_CONFIG_READ_ONLY "false"
+
 # Eliminate default APCu configuration (we're using Redis)
 RUN rm /usr/src/nextcloud/config/apcu.config.php
 
diff --git a/nextcloud-aks/docker/backend-nextcloud-fpm/Dockerfile b/nextcloud-aks/docker/backend-nextcloud-fpm/Dockerfile
index 8e96b3b..a06c949 100644
--- a/nextcloud-aks/docker/backend-nextcloud-fpm/Dockerfile
+++ b/nextcloud-aks/docker/backend-nextcloud-fpm/Dockerfile
@@ -10,6 +10,8 @@
 #
 FROM nextcloud:15.0.5-fpm
 
+ENV NEXTCLOUD_CONFIG_READ_ONLY "false"
+
 # Eliminate default APCu configuration (we're using Redis)
 RUN rm /usr/src/nextcloud/config/apcu.config.php
 
diff --git a/nextcloud-aks/docker/middle-nextcloud-nginx/Dockerfile b/nextcloud-aks/docker/middle-nextcloud-nginx/Dockerfile
index eb7f45a..170856d 100644
--- a/nextcloud-aks/docker/middle-nextcloud-nginx/Dockerfile
+++ b/nextcloud-aks/docker/middle-nextcloud-nginx/Dockerfile
@@ -1,8 +1,3 @@
-##
-# Dockerfile for an Nginx reverse proxy and static content server for Nextcloud.
-#
-# This was borrowed from https://github.com/nextcloud/docker.
-#
-FROM nginx:1
+FROM nginx:1.15.10-alpine
 
 COPY nginx.conf /etc/nginx/nginx.conf
diff --git a/nextcloud-aks/docker/nextcloud-common/config/logger.config.php b/nextcloud-aks/docker/nextcloud-common/config/logger.config.php
index b050dfa..31289ce 100644
--- a/nextcloud-aks/docker/nextcloud-common/config/logger.config.php
+++ b/nextcloud-aks/docker/nextcloud-common/config/logger.config.php
@@ -3,4 +3,5 @@
 	# that gets echoed out to the Pod log.
 	$CONFIG = array(
 		'logfile' => '/var/log/nextcloud.log',
+		'loglevel' => 1,
 	);
diff --git a/nextcloud-aks/docker/nextcloud-common/config/readonly.config.php b/nextcloud-aks/docker/nextcloud-common/config/readonly.config.php
new file mode 100644
index 0000000..a5a954b
--- /dev/null
+++ b/nextcloud-aks/docker/nextcloud-common/config/readonly.config.php
@@ -0,0 +1,11 @@
+<?php
+	$read_only_str = getenv('NEXTCLOUD_CONFIG_READ_ONLY');
+
+	$read_only_bool =
+		!empty('NEXTCLOUD_CONFIG_READ_ONLY')
+		&& strtolower($read_only_str) === 'true';
+
+	# Allow config to made read-only after setup.
+	$CONFIG = array(
+		'config_is_read_only' => $read_only_bool,
+	);
diff --git a/nextcloud-aks/docker/nextcloud-common/entrypoint.sh b/nextcloud-aks/docker/nextcloud-common/entrypoint.sh
index ad51825..f5ac603 100755
--- a/nextcloud-aks/docker/nextcloud-common/entrypoint.sh
+++ b/nextcloud-aks/docker/nextcloud-common/entrypoint.sh
@@ -96,6 +96,17 @@ deploy_nextcloud_release() {
     # Explicitly sync 'custom_apps' in this Docker image
     rsync $rsync_options --delete /usr/src/nextcloud/custom_apps/ /var/www/html/custom_apps/
 
+    if [ -w "/var/www/html/config" ]; then
+        echo "'config' directory is writable."
+        echo "Sync-ing configuration snippets:"
+        cp -v /usr/src/nextcloud/config/*.config.php /var/www/html/config/
+        echo ""
+    else
+        echo "'config' directory is not writable."
+        echo "Configuration snippets will not be synced."
+        echo ""
+    fi
+
     echo "Deployment finished."
     echo ""
 }
diff --git a/nextcloud-aks/docker/publish_all.sh b/nextcloud-aks/docker/publish_all.sh
index 47b7937..4fafdcc 100755
--- a/nextcloud-aks/docker/publish_all.sh
+++ b/nextcloud-aks/docker/publish_all.sh
@@ -12,14 +12,10 @@
 set -e
 set -u
 
-DIRS=(
-    'backend-nextcloud-apache'
-    'backend-nextcloud-fpm'
-    'middle-nextcloud-nginx'
-)
+DIRS=$(find . -mindepth 1 -maxdepth 1 -type d -not -name '*common')
 
 ./nextcloud-common/download_apps.sh
 
-for dir in "${DIRS[@]}"; do
-    "${dir}/publish.sh"
+echo "${DIRS[@]}" | while read -r dir; do
+  "${dir}/publish.sh"
 done
diff --git a/nextcloud-aks/generate_azure_file_volume_configs.sh b/nextcloud-aks/generate_azure_file_volume_configs.sh
index 1d9c218..a32e0e1 100755
--- a/nextcloud-aks/generate_azure_file_volume_configs.sh
+++ b/nextcloud-aks/generate_azure_file_volume_configs.sh
@@ -21,6 +21,6 @@ for file_share_name in "${STORAGE_FILE_SHARES[@]}"; do
     export file_share_name
 
     # We use `grep -o` to skip Bash comment lines
-    ./preprocess_config.sh './configs/file-share.template.yaml' | \
+    ./preprocess_config.sh './configs/vol-file-share.template.yaml' | \
         grep -o '^[^#]*'
 done
diff --git a/nextcloud-aks/generate_backend_share_mount_lines.sh b/nextcloud-aks/generate_backend_share_mount_lines.sh
index 0e99c40..811ef0b 100755
--- a/nextcloud-aks/generate_backend_share_mount_lines.sh
+++ b/nextcloud-aks/generate_backend_share_mount_lines.sh
@@ -9,7 +9,7 @@
 # - The `volume` lines are exported in `FILE_SHARE_VOLUME_LINES`.
 #
 # This frees users from having to edit shares directly in
-# `nextcloud-apache.template.yaml` or `nextcloud-fpm-nginx.template.yaml`.
+# `app-nextcloud-apache.template.yaml` or `app-nextcloud-fpm-nginx.template.yaml`.
 #
 # NOTE: This is a hack until AKS supports pod presets, which provide a much
 # more elegant approach to this problem. Vote for the feature here:
diff --git a/nextcloud-aks/generate_share_mount_pod_preset.sh b/nextcloud-aks/generate_share_mount_pod_preset.sh
index 837291c..01b4ea5 100755
--- a/nextcloud-aks/generate_share_mount_pod_preset.sh
+++ b/nextcloud-aks/generate_share_mount_pod_preset.sh
@@ -6,7 +6,7 @@
 # configuration.
 #
 # This frees users from having to edit shares directly in
-# `nextcloud-apache.template.yaml` or `nextcloud-fpm-nginx.template.yaml`.
+# `app-nextcloud-apache.template.yaml` or `app-nextcloud-fpm-nginx.template.yaml`.
 #
 # @author Guy Elsmore-Paddock (guy@inveniem.com)
 # @copyright Copyright (c) 2019, Inveniem
diff --git a/nextcloud-aks/launch_aks_dashboard.sh b/nextcloud-aks/launch_aks_dashboard.sh
index 3dd2668..015d79f 100755
--- a/nextcloud-aks/launch_aks_dashboard.sh
+++ b/nextcloud-aks/launch_aks_dashboard.sh
@@ -16,10 +16,16 @@ source './config.env'
 
 # Loop to restore tunnel if it dies due to inactivity
 while true; do
+    PREVIOUS_CONTEXT=$(kubectl config current-context)
+
+    # NOTE: This changes to the "default" Kube context
     az aks get-credentials \
         --resource-group "${KUBE_RESOURCE_GROUP}" \
         --name "${KUBE_NAME}" \
 
+    # Restore context
+    kubectl config use-context "${PREVIOUS_CONTEXT}"
+
     echo "Open http://localhost:8090 in your browser to connect to the Kubernetes dashboard."
     az aks browse \
         --resource-group "${KUBE_RESOURCE_GROUP}" \
@@ -27,6 +33,9 @@ while true; do
         --listen-port=8090 \
         --disable-browser
 
+    # Restore context
+    kubectl config use-context "${PREVIOUS_CONTEXT}"
+
     echo "Relaunching tunnel in 2 seconds (CTRL+C to cancel)..."
     sleep 2
 done
diff --git a/nextcloud-aks/setup_aks_acr_service_principal.sh b/nextcloud-aks/setup_aks_acr_service_principal.sh
index b0c84a8..ea7f6f0 100755
--- a/nextcloud-aks/setup_aks_acr_service_principal.sh
+++ b/nextcloud-aks/setup_aks_acr_service_principal.sh
@@ -4,7 +4,7 @@
 # This script is used to setup AKS with credentials to an Azure AD service
 # principal that has access to the ACR repo where images are stored.
 #
-# This script only needs to be run once per AKS instance. The name of each
+# This script only needs to be run once per AKS context. The name of each
 # ACR service principal must be unique within an AD tenant.
 #
 # This script is based on: