diff --git a/profile_manifests/ecord-global.yml b/profile_manifests/ecord-global.yml
index be7b9a1..428b1f5 100644
--- a/profile_manifests/ecord-global.yml
+++ b/profile_manifests/ecord-global.yml
@@ -1,24 +1,18 @@
 ---
-# profile_manifests/ecord.yaml
-# Configures an E-CORD global pod
+# profile_manifests/ecord-global.yml
+# E-CORD Profile Manifest
 
-# site configuration
+# Site configuration
 site_name: mysite
 site_humanname: MySite
+site_suffix: "{{ site_name }}.cord.lab"
 deployment_type: MyDeployment
 
-credentials_dir: "{{ playbook_dir }}/credentials"
-xos_admin_user: "xosadmin@opencord.org"
-xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
-xos_admin_first: XOS
-xos_admin_last: Admin
+# Feature toggles
+on_maas: True
 
-xos_users: []
-
-use_vtn: True
-
+# XOS config
 xos_tosca_config_templates:
-  - openstack.yaml
   - vtn-service.yaml
   - fabric-service.yaml
   - vnodglobal-service.yaml
@@ -52,25 +46,6 @@
   - name: metronetwork
     path: orchestration/xos_services/metro-net
 
-xos_service_sshkeys:
-  - name: onos_rsa
-    source_path: "~/.ssh/id_rsa"
-  - name: onos_rsa.pub
-    source_path: "~/.ssh/id_rsa.pub"
-
-# VM networks/bridges on head
-virt_nets:
-  - name: mgmtbr
-    ipv4_prefix: 192.168.122
-    head_vms: true
-
-# site domain suffix
-site_suffix: cord.lab
-
-# resolv.conf settings
-dns_search:
-  - "{{ site_suffix }}"
-
 # SSL server certificate generation
 server_certs:
   - cn: "keystone.{{ site_suffix }}"
@@ -83,58 +58,48 @@
     altnames:
       - "DNS:xos-core.{{ site_suffix }}"
 
-# NSD/Unbound settings
+# Network/DNS settings
+dns_search:
+  - "{{ site_suffix }}"
+
+mgmt_ipv4_first_octets: "192.168.200"
+
+dns_servers:
+  - "{{ mgmt_ipv4_first_octets }}.1"
+
+# DNS settings for NSD/Unbound
 nsd_zones:
   - name: "{{ site_suffix }}"
-    ipv4_first_octets: 192.168.122
+    ipv4_first_octets: "{{ mgmt_ipv4_first_octets }}"
     name_reverse_unbound: "168.192.in-addr.arpa"
     soa: ns1
     ns:
       - { name: ns1 }
-    nodelist: head_vm_list
+    nodelists:
+      - head_lxd_list
     aliases:
-      - { name: "ns1" , dest: "head" }
-      - { name: "ns" , dest: "head" }
-      - { name: "apt-cache" , dest: "head" }
+      - { name: "apt-cache", dest: "head1" }
+      - { name: "cordloghost", dest: "head1" }
+      - { name: "docker", dest: "head1" }
+      - { name: "ns", dest: "head1" }
+      - { name: "ns1", dest: "head1" }
+      - { name: "onos-cord", dest: "head1" }
+      - { name: "xos", dest: "head1" }
+      - { name: "xos-chameleon", dest: "head1" }
+      - { name: "xos-rest-gw", dest: "head1" }
+      - { name: "xos-spa-gui", dest: "head1" }
 
-name_on_public_interface: head
+unbound_listen_all: True
+
+unbound_interfaces:
+  - "{{ mgmt_ipv4_first_octets }}.1/24"
 
 # VTN network configuration
 management_network_cidr: 172.27.0.0/24
 management_network_ip: 172.27.0.1/24
 data_plane_ip: 10.168.0.253/24
 
-
-# CORD ONOS app version
-cord_app_version: 1.2-SNAPSHOT
-
-# If true, unbound listens on the head node's `ansible_default_ipv4` interface
-unbound_listen_on_default: True
-
-# turn this on, or override it when running the playbook with --extra-vars="on_cloudlab=True"
-on_cloudlab: False
-
-# turn this off, or override when running playbook with --extra-vars="on_maas=False"
-on_maas: True
-
-run_dist_upgrade: False
-
-maas_node_key: /etc/maas/ansible/id_rsa
-
-openstack_version: kilo
-
-juju_config_name: cord
-
-juju_config_path: /usr/local/src/juju_config.yml
-
-keystone_admin_password: "{{ lookup('password', 'credentials/cord_keystone_admin chars=ascii_letters,digits') }}"
-
-deployment_flavors:
-  - m1.small
-  - m1.medium
-  - m1.large
-  - m1.xlarge
-
+# Juju config
 charm_versions:
   ceilometer: "cs:trusty/ceilometer-17"
   ceilometer-agent: "cs:trusty/ceilometer-agent-13"
@@ -151,7 +116,6 @@
   openstack-dashboard: "cs:trusty/openstack-dashboard-19"
   rabbitmq-server: "cs:trusty/rabbitmq-server-42"
 
-head_vm_list: []
 
 head_lxd_list:
   - name: "juju-1"
@@ -248,6 +212,7 @@
   - percona-cluster
   - rabbitmq-server
 
+
 standalone_service_list:
   - ntp
   - nrpe
diff --git a/profile_manifests/ecord.yml b/profile_manifests/ecord.yml
index 75af41b..140f9a4 100644
--- a/profile_manifests/ecord.yml
+++ b/profile_manifests/ecord.yml
@@ -1,24 +1,18 @@
 ---
 # profile_manifests/ecord.yaml
-# Configures an E-CORD pod
+# E-CORD Profile Manifest
 
-# site configuration
+# Site configuration
 site_name: mysite
 site_humanname: MySite
+site_suffix: "{{ site_name }}.opencord.org"
 deployment_type: MyDeployment
 
-credentials_dir: "{{ playbook_dir }}/credentials"
-xos_admin_user: "xosadmin@opencord.org"
-xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
-xos_admin_first: XOS
-xos_admin_last: Admin
+# Feature toggles
+on_maas: True
 
-xos_users: []
-
-use_vtn: True
-
+# XOS config
 xos_tosca_config_templates:
-  - openstack.yaml
   - vtn-service.yaml
   - fabric-service.yaml
   - management-net.yaml
@@ -63,29 +57,6 @@
   - name: vee
     path: orchestration/xos_services/vEE
 
-xos_service_sshkeys:
-  - name: onos_rsa
-    source_path: "~/.ssh/id_rsa"
-  - name: onos_rsa.pub
-    source_path: "~/.ssh/id_rsa.pub"
-  - name: veg_rsa
-    source_path: "~/.ssh/id_rsa"
-  - name: veg_rsa.pub
-    source_path: "~/.ssh/id_rsa.pub"
-
-# VM networks/bridges on head
-virt_nets:
-  - name: mgmtbr
-    ipv4_prefix: 192.168.122
-    head_vms: true
-
-# site domain suffix
-site_suffix: cord.lab
-
-# resolv.conf settings
-dns_search:
-  - "{{ site_suffix }}"
-
 # SSL server certificate generation
 server_certs:
   - cn: "keystone.{{ site_suffix }}"
@@ -98,57 +69,48 @@
     altnames:
       - "DNS:xos-core.{{ site_suffix }}"
 
-# NSD/Unbound settings
+# Network/DNS settings
+dns_search:
+  - "{{ site_suffix }}"
+
+mgmt_ipv4_first_octets: "192.168.200"
+
+dns_servers:
+  - "{{ mgmt_ipv4_first_octets }}.1"
+
+# DNS settings for NSD/Unbound
 nsd_zones:
   - name: "{{ site_suffix }}"
-    ipv4_first_octets: 192.168.122
+    ipv4_first_octets: "{{ mgmt_ipv4_first_octets }}"
     name_reverse_unbound: "168.192.in-addr.arpa"
     soa: ns1
     ns:
       - { name: ns1 }
-    nodelist: head_vm_list
+    nodelists:
+      - head_lxd_list
     aliases:
-      - { name: "ns1" , dest: "head" }
-      - { name: "ns" , dest: "head" }
-      - { name: "apt-cache" , dest: "head" }
+      - { name: "apt-cache", dest: "head1" }
+      - { name: "cordloghost", dest: "head1" }
+      - { name: "docker", dest: "head1" }
+      - { name: "ns", dest: "head1" }
+      - { name: "ns1", dest: "head1" }
+      - { name: "onos-cord", dest: "head1" }
+      - { name: "xos", dest: "head1" }
+      - { name: "xos-chameleon", dest: "head1" }
+      - { name: "xos-rest-gw", dest: "head1" }
+      - { name: "xos-spa-gui", dest: "head1" }
 
-name_on_public_interface: head
+unbound_listen_all: True
+
+unbound_interfaces:
+  - "{{ mgmt_ipv4_first_octets }}.1/24"
 
 # VTN network configuration
 management_network_cidr: 172.27.0.0/24
 management_network_ip: 172.27.0.1/24
 data_plane_ip: 10.168.0.253/24
 
-# CORD ONOS app version
-cord_app_version: 1.2-SNAPSHOT
-
-# If true, unbound listens on the head node's `ansible_default_ipv4` interface
-unbound_listen_on_default: True
-
-# turn this on, or override it when running the playbook with --extra-vars="on_cloudlab=True"
-on_cloudlab: False
-
-# turn this off, or override when running playbook with --extra-vars="on_maas=False"
-on_maas: True
-
-run_dist_upgrade: False
-
-maas_node_key: /etc/maas/ansible/id_rsa
-
-openstack_version: kilo
-
-juju_config_name: cord
-
-juju_config_path: /usr/local/src/juju_config.yml
-
-keystone_admin_password: "{{ lookup('password', 'credentials/cord_keystone_admin chars=ascii_letters,digits') }}"
-
-deployment_flavors:
-  - m1.small
-  - m1.medium
-  - m1.large
-  - m1.xlarge
-
+# Juju config
 charm_versions:
   ceilometer: "cs:trusty/ceilometer-17"
   ceilometer-agent: "cs:trusty/ceilometer-agent-13"
@@ -165,8 +127,6 @@
   openstack-dashboard: "cs:trusty/openstack-dashboard-19"
   rabbitmq-server: "cs:trusty/rabbitmq-server-42"
 
-head_vm_list: []
-
 head_lxd_list:
   - name: "juju-1"
     service: "juju"
diff --git a/profile_manifests/frontend.yml b/profile_manifests/frontend.yml
index f67fad5..5d0461d 100644
--- a/profile_manifests/frontend.yml
+++ b/profile_manifests/frontend.yml
@@ -1,29 +1,22 @@
 ---
-# vars/frontend.yaml
+# profile_manifests/frontend.yaml
+# A minimal frontend config for GUI dev
 
 site_name: frontend
 deployment_type: "Frontend Mock"
+site_suffix: "{{ site_name }}.opencloud.us"
 
+# Feature toggles
 frontend_only: True
-use_redis: True
 use_openstack: False
 use_vtn: False
-needs_pki_install: True
 
 build_xos_base_image: True
 
-credentials_dir: "{{ playbook_dir }}/credentials"
-xos_admin_user: "xosadmin@opencord.org"
-xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
-xos_admin_first: XOS
-xos_admin_last: Admin
-
+# XOS Config
 xos_tosca_config_templates:
   - sample.yaml
 
-# site domain suffix
-site_suffix: opencloud.us
-
 # SSL server certificate generation
 server_certs:
   - cn: "xos-core.{{ site_suffix }}"
diff --git a/profile_manifests/mcord.yml b/profile_manifests/mcord.yml
index 755533f..7e83b5f 100644
--- a/profile_manifests/mcord.yml
+++ b/profile_manifests/mcord.yml
@@ -1,23 +1,18 @@
 ---
-# vars/cord-pod.yaml
+# profile_manifests/mcord.yml
 # Configures an M-CORD pod
 
 # site configuration
 site_name: mysite
 site_humanname: MySite
+site_suffix: "{{ site_name }}.opencord.org"
 deployment_type: MyDeployment
 
-xos_admin_user: xosadmin@opencord.org
-xos_admin_pass: "{{ lookup('password', 'credentials/xosadmin@opencord.org chars=ascii_letters,digits') }}"
-xos_admin_first: XOS
-xos_admin_last: Admin
+# Feature toggles
+on_maas: True
 
-xos_users: []
-
-use_vtn: True
-
+# XOS config
 xos_tosca_config_templates:
-  - openstack.yaml
   - vtn-service.yaml
   - fabric-service.yaml
   - management-net.yaml
@@ -88,40 +83,8 @@
     keypair: monitoringservice_rsa
     synchronizer: false
 
-xos_service_sshkeys:
-  - name: onos_rsa
-    source_path: "~/.ssh/id_rsa"
-  - name: onos_rsa.pub
-    source_path: "~/.ssh/id_rsa.pub"
-  - name: mcord_rsa
-    source_path: "~/.ssh/id_rsa"
-  - name: mcord_rsa.pub
-    source_path: "~/.ssh/id_rsa.pub"
-# needed onboarding synchronizer doesn't require service code to be present when started
-  - name: exampleservice_rsa
-    source_path: "~/.ssh/id_rsa"
-  - name: exampleservice_rsa.pub
-    source_path: "~/.ssh/id_rsa.pub"
-  - name: monitoringservice_rsa
-    source_path: "~/.ssh/id_rsa"
-  - name: monitoringservice_rsa.pub
-    source_path: "~/.ssh/id_rsa.pub"
-
 # profile_library: "mcord"
 
-# VM networks/bridges on head
-virt_nets:
-  - name: mgmtbr
-    ipv4_prefix: 192.168.122
-    head_vms: true
-
-# site domain suffix
-site_suffix: cord.lab
-
-# resolv.conf settings
-dns_search:
-  - "{{ site_suffix }}"
-
 # SSL server certificate generation
 server_certs:
   - cn: "keystone.{{ site_suffix }}"
@@ -134,57 +97,48 @@
     altnames:
       - "DNS:xos-core.{{ site_suffix }}"
 
-# NSD/Unbound settings
+# Network/DNS settings
+dns_search:
+  - "{{ site_suffix }}"
+
+mgmt_ipv4_first_octets: "192.168.200"
+
+dns_servers:
+  - "{{ mgmt_ipv4_first_octets }}.1"
+
+# DNS settings for NSD/Unbound
 nsd_zones:
   - name: "{{ site_suffix }}"
-    ipv4_first_octets: 192.168.122
+    ipv4_first_octets: "{{ mgmt_ipv4_first_octets }}"
     name_reverse_unbound: "168.192.in-addr.arpa"
     soa: ns1
     ns:
       - { name: ns1 }
-    nodelist: head_vm_list
+    nodelists:
+      - head_lxd_list
     aliases:
-      - { name: "ns1" , dest: "head" }
-      - { name: "ns" , dest: "head" }
-      - { name: "apt-cache" , dest: "head" }
+      - { name: "apt-cache", dest: "head1" }
+      - { name: "cordloghost", dest: "head1" }
+      - { name: "docker", dest: "head1" }
+      - { name: "ns", dest: "head1" }
+      - { name: "ns1", dest: "head1" }
+      - { name: "onos-cord", dest: "head1" }
+      - { name: "xos", dest: "head1" }
+      - { name: "xos-chameleon", dest: "head1" }
+      - { name: "xos-rest-gw", dest: "head1" }
+      - { name: "xos-spa-gui", dest: "head1" }
 
-name_on_public_interface: head
+unbound_listen_all: True
+
+unbound_interfaces:
+  - "{{ mgmt_ipv4_first_octets }}.1/24"
 
 # VTN network configuration
 management_network_cidr: 172.27.0.0/24
 management_network_ip: 172.27.0.1/24
 data_plane_ip: 10.168.0.253/24
 
-# CORD ONOS app version
-cord_app_version: 1.2-SNAPSHOT
-
-# If true, unbound listens on the head node's `ansible_default_ipv4` interface
-unbound_listen_on_default: True
-
-# turn this on, or override it when running the playbook with --extra-vars="on_cloudlab=True"
-on_cloudlab: False
-
-# turn this off, or override when running playbook with --extra-vars="on_maas=False"
-on_maas: True
-
-run_dist_upgrade: False
-
-maas_node_key: /etc/maas/ansible/id_rsa
-
-openstack_version: kilo
-
-juju_config_name: cord
-
-juju_config_path: /usr/local/src/juju_config.yml
-
-keystone_admin_password: "{{ lookup('password', 'credentials/cord_keystone_admin chars=ascii_letters,digits') }}"
-
-deployment_flavors:
-  - m1.small
-  - m1.medium
-  - m1.large
-  - m1.xlarge
-
+# Juju config
 charm_versions:
   ceilometer: "cs:trusty/ceilometer-17"
   ceilometer-agent: "cs:trusty/ceilometer-agent-13"
@@ -201,8 +155,6 @@
   openstack-dashboard: "cs:trusty/openstack-dashboard-19"
   rabbitmq-server: "cs:trusty/rabbitmq-server-42"
 
-head_vm_list: []
-
 head_lxd_list:
   - name: "juju-1"
     service: "juju"
diff --git a/profile_manifests/opencloud.yml b/profile_manifests/opencloud.yml
index 95ddd93..3fef027 100644
--- a/profile_manifests/opencloud.yml
+++ b/profile_manifests/opencloud.yml
@@ -1,34 +1,20 @@
 ---
 # profile_manifests/opencloud.yml
-# Generic OpenCloud Site
+# OpenCloud Profile Manifest
 
-# site configuration
-site_name: generic_opencloud
+# Site configuration
+site_name: generic-opencloud
 site_humanname: "Generic OpenCloud"
+site_suffix: "{{ site_name }}.opencloud.us"
 deployment_type: campus
 
-xos_admin_user: "xosadmin@opencord.org"
-xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
-xos_admin_first: XOS
-xos_admin_last: Admin
+# Feature toggles
 
-xos_users: []
-
-use_vtn: True
-use_openstack: True
-use_fabric: False
-
-headnode_name: head1
-
+# XOS config
 xos_tosca_config_templates:
   - vtn-service.yaml
   - management-net.yaml
 
-build_xos_base_image: True
-
-# GUI Branding
-# Not neeeded, default is OpenCloud
-
 # GUI Config [new GUI], used in app.config.js.j2 and style.config.js.j2
 gui_project_name: "OpenCloud"
 gui_favicon: "opencloud-favicon.png"
@@ -49,8 +35,6 @@
   - name: vrouter
     path: orchestration/xos_services/vrouter
 
-profile_library: "rcord"
-
 # SSL certificate generation
 ssl_cert_subj_prefix: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU={{ site_humanname }} Deployment"
 
@@ -66,8 +50,6 @@
       - "DNS:xos-core.{{ site_suffix }}"
 
 # Network/DNS settings
-site_suffix: generic.infra.opencloud.us
-
 dns_search:
   - "{{ site_suffix }}"
 
@@ -76,8 +58,6 @@
 dns_servers:
   - "{{ mgmt_ipv4_first_octets }}.1"
 
-headnode_user: vagrant
-
 # DNS settings for NSD/Unbound
 nsd_zones:
   - name: "{{ site_suffix }}"
@@ -115,9 +95,6 @@
       - physical_node_list
       - head_lxd_list
 
-# network interface setup
-mgmt_interface: eth1
-
 physical_node_list:
   - name: head1
     ipv4_last_octet: 1
@@ -128,36 +105,15 @@
   - name: compute2
     ipv4_last_octet: 21
 
+# External interface name on compute nodes
+compute_external_interface: eth0
+
 # VTN network configuration
 management_network_cidr: 172.27.0.0/24
 management_network_ip: 172.27.0.1/24
 data_plane_ip: 10.168.0.253/24
 
-# External interface names on compute nodes
-compute_external_interfaces:
-  - eth0
-
-# ONOS version
-onos_docker_image: "onosproject/onos:1.8.7"
-
-on_maas: False
-on_cloudlab: False
-
-run_dist_upgrade: False
-
-openstack_version: kilo
-
-juju_config_name: opencloud
-juju_config_path: /usr/local/src/juju_config.yml
-
-keystone_admin_password: "{{ lookup('password', 'credentials/generic_opencloud_keystone_admin chars=ascii_letters,digits') }}"
-
-deployment_flavors:
-  - m1.small
-  - m1.medium
-  - m1.large
-  - m1.xlarge
-
+# Juju setup
 charm_versions:
   ceilometer-agent: "cs:trusty/ceilometer-agent-13"
   ceilometer: "cs:trusty/ceilometer-17"
diff --git a/profile_manifests/rcord.yml b/profile_manifests/rcord.yml
index 22713e2..c54038d 100644
--- a/profile_manifests/rcord.yml
+++ b/profile_manifests/rcord.yml
@@ -1,25 +1,20 @@
 ---
-# vars/cord-pod.yaml
-# Configures an R-CORD pod
+# profile_manifests/rcord.yml
+# R-CORD Profile Manifest
 
-# site configuration
+# Site configuration
 site_name: mysite
 site_humanname: MySite
+#site_suffix: "{{ site_name }}.cord.lab" - broken, see CORD-1520
+site_suffix: "cord.lab"
 deployment_type: MyDeployment
 
-credentials_dir: "{{ playbook_dir }}/credentials"
-xos_admin_user: "xosadmin@opencord.org"
-xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
-xos_admin_first: XOS
-xos_admin_last: Admin
-
-xos_users: []
-
-use_vtn: True
+# Feature toggles
 use_fabric: True
+on_maas: True
 
+# XOS config
 xos_tosca_config_templates:
-  - openstack.yaml
   - vtn-service.yaml
   - fabric-service.yaml
   - management-net.yaml
@@ -77,19 +72,6 @@
 
 profile_library: "rcord"
 
-# VM networks/bridges on head
-virt_nets:
-  - name: mgmtbr
-    ipv4_prefix: 192.168.122
-    head_vms: true
-
-# site domain suffix
-site_suffix: cord.lab
-
-# resolv.conf settings
-dns_search:
-  - "{{ site_suffix }}"
-
 # SSL server certificate generation
 server_certs:
   - cn: "keystone.{{ site_suffix }}"
@@ -102,57 +84,48 @@
     altnames:
       - "DNS:xos-core.{{ site_suffix }}"
 
-# NSD/Unbound settings
+# Network/DNS settings
+dns_search:
+  - "{{ site_suffix }}"
+
+mgmt_ipv4_first_octets: "192.168.200"
+
+dns_servers:
+  - "{{ mgmt_ipv4_first_octets }}.1"
+
+# DNS settings for NSD/Unbound
 nsd_zones:
   - name: "{{ site_suffix }}"
-    ipv4_first_octets: 192.168.122
+    ipv4_first_octets: "{{ mgmt_ipv4_first_octets }}"
     name_reverse_unbound: "168.192.in-addr.arpa"
     soa: ns1
     ns:
       - { name: ns1 }
-    nodelist: head_vm_list
+    nodelists:
+      - head_lxd_list
     aliases:
-      - { name: "ns1" , dest: "head" }
-      - { name: "ns" , dest: "head" }
-      - { name: "apt-cache" , dest: "head" }
+      - { name: "apt-cache", dest: "head1" }
+      - { name: "cordloghost", dest: "head1" }
+      - { name: "docker", dest: "head1" }
+      - { name: "ns", dest: "head1" }
+      - { name: "ns1", dest: "head1" }
+      - { name: "onos-cord", dest: "head1" }
+      - { name: "xos", dest: "head1" }
+      - { name: "xos-chameleon", dest: "head1" }
+      - { name: "xos-rest-gw", dest: "head1" }
+      - { name: "xos-spa-gui", dest: "head1" }
 
-name_on_public_interface: head
+unbound_listen_all: True
+
+unbound_interfaces:
+  - "{{ mgmt_ipv4_first_octets }}.1/24"
 
 # VTN network configuration
 management_network_cidr: 172.27.0.0/24
 management_network_ip: 172.27.0.1/24
 data_plane_ip: 10.168.0.253/24
 
-# CORD ONOS app version
-cord_app_version: 1.2-SNAPSHOT
-
-# If true, unbound listens on the head node's `ansible_default_ipv4` interface
-unbound_listen_on_default: True
-
-# turn this on, or override it when running the playbook with --extra-vars="on_cloudlab=True"
-on_cloudlab: False
-
-# turn this off, or override when running playbook with --extra-vars="on_maas=False"
-on_maas: True
-
-run_dist_upgrade: False
-
-maas_node_key: /etc/maas/ansible/id_rsa
-
-openstack_version: kilo
-
-juju_config_name: cord
-
-juju_config_path: /usr/local/src/juju_config.yml
-
-keystone_admin_password: "{{ lookup('password', 'credentials/cord_keystone_admin chars=ascii_letters,digits') }}"
-
-deployment_flavors:
-  - m1.small
-  - m1.medium
-  - m1.large
-  - m1.xlarge
-
+# Juju config
 charm_versions:
   ceilometer-agent: "cs:trusty/ceilometer-agent-13"
   ceilometer: "cs:trusty/ceilometer-17"
@@ -169,7 +142,6 @@
   percona-cluster: "cs:trusty/percona-cluster-31"
   rabbitmq-server: "cs:trusty/rabbitmq-server-42"
 
-head_vm_list: []
 
 head_lxd_list:
   - name: "juju-1"
@@ -254,6 +226,7 @@
       - "mongodb"
     ipv4_last_octet: 110
 
+
 lxd_service_list:
   - ceilometer
   - glance
@@ -266,6 +239,7 @@
   - percona-cluster
   - rabbitmq-server
 
+
 standalone_service_list:
   - ntp
   - nrpe
diff --git a/roles/cord-profile/defaults/main.yml b/roles/cord-profile/defaults/main.yml
index 82d517f..0f71033 100644
--- a/roles/cord-profile/defaults/main.yml
+++ b/roles/cord-profile/defaults/main.yml
@@ -91,17 +91,20 @@
 gui_branding_bg: "/static/bg.jpg"
 gui_service_view_class: False
 
+# used in admin-openrc.sh.j2
+keystone_admin_password: "{{ lookup('password', credentials_dir ~ '/cord_keystone_admin chars=ascii_letters,digits') }}"
+
 # used in deployment.yaml.j2
 xos_admin_user: "xosadmin@opencord.org"
 xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
 xos_admin_first: XOS
 xos_admin_last: Admin
 
-site_name: sitename
-site_humanname: "Site HumanName"
-site_suffix: sitename.test
+site_name: placeholder-sitename
+site_humanname: "Placeholder Site HumanName"
+site_suffix: "{{ site_name }}.test"
 
-deployment_type: deploymenttype
+deployment_type: placeholder-deploymenttype
 
 deployment_flavors:
   - m1.small
diff --git a/roles/create-lxd/templates/ansible_hosts.j2 b/roles/create-lxd/templates/ansible_hosts.j2
index 21f5c8a..d2caf33 100644
--- a/roles/create-lxd/templates/ansible_hosts.j2
+++ b/roles/create-lxd/templates/ansible_hosts.j2
@@ -1,14 +1,6 @@
 [localhost]
 127.0.0.1 hostname={{ ansible_fqdn }}
 
-# VMs will go away shortly in favor of containers
-[vms]
-{% if head_vm_list is defined -%}
-{% for vm in head_vm_list -%}
-{{ vm.name }}
-{% endfor -%}
-{% endif -%}
-
 [containers]
 {% if head_lxd_list is defined -%}
 {% for lxd in head_lxd_list -%}
@@ -17,13 +9,5 @@
 {% endif -%}
 
 [services:children]
-vms
 containers
 
-[docker]
-{% if head_vm_list is defined -%}
-{% for vm in head_vm_list | selectattr('docker_path', 'defined') -%}
-{{ vm.name }}
-{% endfor -%}
-{% endif -%}
-
diff --git a/roles/juju-setup/defaults/main.yml b/roles/juju-setup/defaults/main.yml
index 3024e0e..a9c7e81 100644
--- a/roles/juju-setup/defaults/main.yml
+++ b/roles/juju-setup/defaults/main.yml
@@ -8,3 +8,8 @@
 charm_versions: {}
 
 pki_dir: "{{ playbook_dir }}/pki"
+
+site_name: placeholder-sitename
+site_suffix: "{{ site_name }}.test"
+
+keystone_admin_password: "{{ lookup('password', credentials_dir ~ '/cord_keystone_admin chars=ascii_letters,digits') }}"
diff --git a/roles/lxd-finish/defaults/main.yml b/roles/lxd-finish/defaults/main.yml
index 17836e2..0f65371 100644
--- a/roles/lxd-finish/defaults/main.yml
+++ b/roles/lxd-finish/defaults/main.yml
@@ -3,3 +3,5 @@
 
 apt_cacher_name: apt-cache
 
+run_dist_upgrade: False
+
diff --git a/roles/pki-intermediate-ca/defaults/main.yml b/roles/pki-intermediate-ca/defaults/main.yml
index 3a5b545..5bdf5a3 100644
--- a/roles/pki-intermediate-ca/defaults/main.yml
+++ b/roles/pki-intermediate-ca/defaults/main.yml
@@ -5,9 +5,9 @@
 credentials_dir: "{{ playbook_dir }}/credentials"
 
 # used to name the intermediate CA
-site_name: sitename
-site_humanname: "Site HumanName"
-site_suffix: sitename.test
+site_name: placeholder-sitename
+site_humanname: "Placeholder Site HumanName"
+site_suffix: "{{ site_name }}.test"
 
 # crypto parameters
 ca_digest: "sha256"
diff --git a/roles/test-exampleservice/defaults/main.yml b/roles/test-exampleservice/defaults/main.yml
index 82900ab..8ec28f6 100644
--- a/roles/test-exampleservice/defaults/main.yml
+++ b/roles/test-exampleservice/defaults/main.yml
@@ -2,5 +2,9 @@
 # test-exampleservice/defaults/main.yml
 
 head_cord_profile_dir: "/opt/cord_profile"
+
 xos_ui_port: 9000
 
+xos_admin_user: "xosadmin@opencord.org"
+xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
+
diff --git a/roles/test-subscriber-enable/defaults/main.yml b/roles/test-subscriber-enable/defaults/main.yml
new file mode 100644
index 0000000..a7720ec
--- /dev/null
+++ b/roles/test-subscriber-enable/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# test-subscriber-enable/defaults/main.yml
+
+xos_admin_user: "xosadmin@opencord.org"
+
diff --git a/roles/vtn-refresh/defaults/main.yml b/roles/vtn-refresh/defaults/main.yml
index 07ee055..9925958 100644
--- a/roles/vtn-refresh/defaults/main.yml
+++ b/roles/vtn-refresh/defaults/main.yml
@@ -3,7 +3,7 @@
 
 credentials_dir: "{{ playbook_dir }}/credentials"
 
-xos_admin_user: xosadmin@opencord.org
+xos_admin_user: "xosadmin@opencord.org"
 xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
 
 keystone_admin_password: "{{ lookup('password', credentials_dir ~ '/cord_keystone_admin chars=ascii_letters,digits') }}"
diff --git a/roles/xos-config/defaults/main.yml b/roles/xos-config/defaults/main.yml
index c610f28..0e91e57 100644
--- a/roles/xos-config/defaults/main.yml
+++ b/roles/xos-config/defaults/main.yml
@@ -4,3 +4,5 @@
 xos_admin_user: "xosadmin@opencord.org"
 
 xos_tosca_config_templates: []
+
+use_openstack: True
diff --git a/roles/xos-config/tasks/main.yml b/roles/xos-config/tasks/main.yml
index 14b3d45..39ecd35 100644
--- a/roles/xos-config/tasks/main.yml
+++ b/roles/xos-config/tasks/main.yml
@@ -9,6 +9,14 @@
   tags:
     - skip_ansible_lint # TOSCA loading should be idempotent
 
+- name: Configure XOS with OpenStack config
+  when: use_openstack
+  command: "python /opt/xos/tosca/run.py {{ xos_admin_user }} /opt/cord_profile/{{ item }}"
+  with_items:
+    - openstack.yaml
+  tags:
+    - skip_ansible_lint # TOSCA loading should be idempotent
+
 - name: Configure XOS with profile specific TOSCA
   command: "python /opt/xos/tosca/run.py {{ xos_admin_user }} /opt/cord_profile/{{ item }}"
   with_items: "{{ xos_tosca_config_templates }}"