diff --git a/.gitignore b/.gitignore
index 653d800..ff66cd1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 TCBSD*.vdi
 TCBSD*.iso
 venv
+*.swp
diff --git a/README.md b/README.md
index a09f844..93c87a2 100644
--- a/README.md
+++ b/README.md
@@ -5,9 +5,9 @@ A repository for trying out Ansible provisioning of TwinCAT BSD PLCs.
 ### Quick start: set up a new plc in prod
 1. clone the repo
-2. run ``./scripts/first_time_setup.sh your-plc-name``
-3. Edit ``./inventory/plcs.yaml`` to add your plc (and possibly an appropriate group)
-4. Edit ``./host_vars/your-plc-name/vars.yaml`` if you'd like to change settings
+2. Edit ``./inventory/plcs.yaml`` to add your plc (and possibly an appropriate group)
+3. run ``./scripts/first_time_setup.sh your-plc-name``
+4. Optionally edit ``./host_vars/your-plc-name/vars.yaml`` if you'd like to change settings
 3. run ``./scripts/provision_plcs.sh your-plc-name``
 4. commit and submit the file edits as a PR
diff --git a/ansible.cfg b/ansible.cfg
index 560c134..faaf123 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -2,3 +2,6 @@
 inventory = ./inventory/
 deprecation_warnings = True
 role_path = ./roles
+
+[ssh_connection]
+ssh_args =
diff --git a/group_vars/tcbsd_plcs/vars.yml b/group_vars/tcbsd_plcs/vars.yml
index 8975fab..65ce6de 100644
--- a/group_vars/tcbsd_plcs/vars.yml
+++ b/group_vars/tcbsd_plcs/vars.yml
@@ -10,6 +10,19 @@ ansible_python_interpreter: /usr/local/bin/python3
 # point.
 enable_freebsd_packages: true
+# psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks
+use_psproxy: true
+use_psntp: true
+
+# set static IP on x000 (mac id 2)
+x000_set_static_ip: true
+x000_static_ip: 192.168.1.10
+
+# We can set the PLC's timezone, which is largely cosmetic
+# See /usr/share/zoneinfo/ on the PLC for options
+set_plc_timezone: true
+plc_timezone: America/Los_Angeles
+
+# This is the default of 32MB. Set to 67108864 for 64MB of router memory.
 tc_locked_memory_size_bytes: 33554432
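Review bot: `ssh_args =` in the new `[ssh_connection]` section is left blank with no explanation; an empty value replaces Ansible's default `-C -o ControlMaster=auto -o ControlPersist=60s`, so compression and connection multiplexing are switched off for every host in the inventory. Presumably this works around the TwinCAT BSD sshd (the diff does not say), and that reason belongs in the file, e.g. `# Empty on purpose: drops Ansible's default ControlMaster/ControlPersist options, which the TwinCAT BSD sshd does not handle` — adjust to the real cause. If only the control-socket options are the problem, keeping `-C` (or adding `-o ServerAliveInterval=30`) is preferable to dropping everything.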
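Review bot: `x000_static_ip: 192.168.1.10` is set at group level, so every PLC in `tcbsd_plcs` ends up with the same address on its X000 port; that is fine for an isolated point-to-point service link, which is what the playbook comment describes, but it is a silent address conflict the moment two X000 ports are patched into a shared switch. Record that constraint next to the value: `# Same address on every PLC: X000 must stay an isolated service link, never bridged to a shared network`. A per-host override in `host_vars` is the intended escape hatch if a site needs distinct addresses, which is worth saying in the same comment.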
diff --git a/group_vars/tcbsd_vms/vars.yml b/group_vars/tcbsd_vms/vars.yml
index 05ddb34..a1feeae 100644
--- a/group_vars/tcbsd_vms/vars.yml
+++ b/group_vars/tcbsd_vms/vars.yml
@@ -10,6 +10,19 @@ ansible_python_interpreter: /usr/local/bin/python3
 # point.
 enable_freebsd_packages: true
+# psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks
+use_psproxy: false
+use_psntp: false
+
+# set static IP on x000 (mac id 2)
+x000_set_static_ip: false
+x000_static_ip: 192.168.1.10
+
+# We can set the PLC's timezone, which is largely cosmetic
+# See /usr/share/zoneinfo/ on the PLC for options
+set_plc_timezone: false
+plc_timezone: America/Los_Angeles
+
+# This is the default of 32MB. Set to 67108864 for 64MB of router memory.
 tc_locked_memory_size_bytes: 33554432
diff --git a/host_vars/plc-tst-bsd/vars.yml b/host_vars/plc-tst-bsd/vars.yml
index 78b864e..e6c1233 100644
--- a/host_vars/plc-tst-bsd/vars.yml
+++ b/host_vars/plc-tst-bsd/vars.yml
@@ -14,6 +14,19 @@ tc_ams_net_id: 172.21.148.81.1.1
 ## point.
 #enable_freebsd_packages: true
 #
+## psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks
+#use_psproxy: true
+#use_psntp: true
+#
+# set static IP on x000 (mac id 2)
+#x000_set_static_ip: true
+#x000_static_ip: 192.168.1.10
+#
+## We can set the PLC's timezone, which is largely cosmetic
+## See /usr/share/zoneinfo/ on the PLC for options
+#set_plc_timezone: true
+#plc_timezone: America/Los_Angeles
+#
 ## This is the default of 32MB. Set to 67108864 for 64MB of router memory.
 #tc_locked_memory_size_bytes: 33554432
 #
diff --git a/tcbsd-plc.yaml.template b/tcbsd-plc.yaml.template
index 04605ae..2279404 100644
--- a/tcbsd-plc.yaml.template
+++ b/tcbsd-plc.yaml.template
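Review bot: In the `host_vars/plc-tst-bsd/vars.yml` hunk the new example block follows the file's convention that `##` marks prose and a single `#` marks a disabled setting, except for `# set static IP on x000 (mac id 2)`, which uses one `#` and therefore reads as a commented-out key rather than a heading. Change it to `## set static IP on x000 (mac id 2)` to match the neighbouring `## psproxy and psntp ...` and `## We can set ...` lines; the same heading in `tcbsd-plc.yaml.template` already uses `##`.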
@@ -14,6 +14,18 @@ tc_ams_net_id: ${PLC_NET_ID}
 ## point.
 #enable_freebsd_packages: true
 #
+## psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks
+#use_psproxy: true
+#use_psntp: true
+#
+## set static IP on x000 (mac id 2)
+#x000_set_static_ip: true
+#x000_static_ip: 192.168.1.10
+#
+## We can set the PLC's timezone, which is largely cosmetic
+## See /usr/share/zoneinfo/ on the PLC for options
+#plc_timezone: America/Los_Angeles
+#
 ## This is the default of 32MB. Set to 67108864 for 64MB of router memory.
 #tc_locked_memory_size_bytes: 33554432
 #
diff --git a/tcbsd-provision-playbook.yaml b/tcbsd-provision-playbook.yaml
index c0248b7..1679100 100644
--- a/tcbsd-provision-playbook.yaml
+++ b/tcbsd-provision-playbook.yaml
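Review bot: The template omits `#set_plc_timezone: true`, which `host_vars/plc-tst-bsd/vars.yml` carries and which the playbook's `Set timezone` task keys on (`when: set_plc_timezone`), so a host file derived from this template shows `plc_timezone` without the switch that makes it take effect. Add `#set_plc_timezone: true` directly above `#plc_timezone: America/Los_Angeles` so the two reference files stay in step. Whether `first_time_setup.sh` is what instantiates this template is not visible in the diff; the README's step order suggests it.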
@@ -13,6 +13,68 @@
 path: /usr/local/etc/pkg/repos/FreeBSD.conf
 state: absent
+ - name: Setup psproxy
+ when: use_psproxy
+ register: psproxy_setup
+ ansible.builtin.blockinfile:
+ # Appending to this file lets us install packages from Beckhoff, etc.
+ # By using psproxy as our http/https proxy
+ dest: /usr/local/etc/pkg.conf
+ block: |
+ PKG_ENV {
+ http_proxy: "http://psproxy:3128",
+ https_proxy: "http://psproxy:3128",
+ }
+
+ # We need NTP sync in order to install packages.
+ # Use internal ntp servers
+ - name: Setup psntp
+ when: use_psntp
+ register: psntp_setup
+ ansible.builtin.blockinfile:
+ dest: /etc/ntp.conf
+ block: |
+ disable monitor
+
+ # Permit time synchronization with our time source, but do not
+ # permit the source to query or modify the service on this system.
+ restrict default kod nomodify notrap nopeer noquery
+ restrict 127.0.0.1
+
+ server psntp1.pcdsn iburst
+ server psntp2.pcdsn iburst
+ server psntp3.pcdsn iburst
+
+ - name: Set timezone
+ when: set_plc_timezone
+ ansible.builtin.copy:
+ # Strangely, copying a file is the designated way to set timezones.
+ remote_src: true
+ src: "/usr/share/zoneinfo/{{ plc_timezone }}"
+ dest: /etc/localtime
+
+ # ntpd does not necessarily re-sync promptly after start or reconfig
+ # stop the service, sync manually, then start it again
+ # (cannot run sync manually if the service is running)
+ - name: Stop NTP Service
+ when: psntp_setup.changed
+ ansible.builtin.service:
+ name: ntpd
+ enabled: yes
+ state: stopped
+
+ - name: Force NTP Sync Now
+ when: psntp_setup.changed
+ ansible.builtin.command: ntpd -g -q
+ changed_when: true
+
+ - name: (Re) Start NTP Service
+ when: psntp_setup.changed
+ ansible.builtin.service:
+ name: ntpd
+ enabled: yes
+ state: started
+
 - name: Install helpful system packages
 ansible.builtin.package:
 name:
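Review bot: The `Setup psntp` task appends its block to `/etc/ntp.conf` with `blockinfile`, which leaves any `server`/`pool` entries the stock file already has in place, so ntpd keeps those upstream sources alongside `psntp1-3.pcdsn` and the "Use internal ntp servers" intent is not actually enforced (the stock file is not in the diff, so confirm what it ships). A `lineinfile` run before the block that strips every non-psntp source makes the result deterministic and stays idempotent, because the lookahead leaves the lines the managed block adds untouched and so does not re-trigger the NTP restart on later runs. `restrict 127.0.0.1` only covers IPv4 loopback; `restrict ::1` is the usual companion if IPv6 is enabled on the box. Separately, `http://psproxy:3128` is an unqualified name while the NTP servers are `.pcdsn` FQDNs, so proxy resolution depends on the resolver search list and `http://psproxy.pcdsn:3128` (if that is its FQDN) would remove that dependency. The enclosing tasks list starts and ends outside the hunk.
```yaml
    # … unchanged: Setup psproxy task …

    # Drop the stock upstream sources first so only psntp1-3 remain.
    # The lookahead skips the lines the managed block below adds, so
    # re-runs change nothing and do not trigger the NTP restart.
    - name: Remove stock NTP servers
      when: use_psntp
      ansible.builtin.lineinfile:
        dest: /etc/ntp.conf
        regexp: '^\s*(server|pool)\s+(?!psntp[123]\.pcdsn\b)'
        state: absent

    # … unchanged: Setup psntp task (blockinfile) …
```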
@@ -44,8 +106,8 @@
 ansible.builtin.pip:
 name: "{{ tc_install_pip_packages }}"
- - name: Install pip
- # Packages only available via pip will be installed after this
+ - name: Uninstall pip
+ # Packages only available via pip will be installed before this
 # As far as the security implications go: well, that's up to you!
 when: tc_uninstall_pip
 ansible.builtin.package:
@@ -188,3 +250,17 @@
 enabled: yes
 state: restarted
 when: ams_net_id.changed or locked_memory_size.changed or heap_memory_size.changed
+
+ # We use the second port as a LAN port with a known static IP
+ # This makes it easy to use if we need it for e.g. doing service
+ - name: Set static IP on X000
+ when: x000_set_static_ip
+ register: static_ip_x000_set
+ community.general.sysrc:
+ name: ifconfig_igb1
+ value: "inet {{ x000_static_ip }} netmask 255.255.255.0"
+
+ - name: Reset X000
+ when: static_ip_x000_set.changed
+ ansible.builtin.command: /etc/rc.d/netif restart igb1
+ changed_when: true
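Review bot: In the `Set static IP on X000` / `Reset X000` tasks the interface name `igb1` is hard-coded in both `ifconfig_igb1` and `/etc/rc.d/netif restart igb1`, while everything else about the feature is driven by `x000_*` variables, so a PLC whose second port enumerates under another name gets an rc.conf entry for an interface that may not exist and X000 itself is left untouched. A `x000_interface: igb1` group variable beside `x000_static_ip`, with `name: "ifconfig_{{ x000_interface }}"` and `ansible.builtin.command: "service netif restart {{ x000_interface }}"`, keeps the assumption in one place (`service netif restart` is the conventional FreeBSD spelling of the rc.d call). The restart drops the link on that port, so the play assumes the Ansible session is not itself coming in over X000; a one-line comment stating that is worth adding if it is guaranteed. Since the comment makes X000 a service port at a well-known address, also confirm that whatever host firewall policy the PLC runs covers this interface — nothing in the hunk restricts what it accepts. The tasks list continues outside the hunk.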