diff --git a/iac/files.go b/iac/files.go
index 18dfedd0..ada8a01e 100644
--- a/iac/files.go
+++ b/iac/files.go
@@ -14,16 +14,18 @@ func createPulumiFile(ctx *pulumi.Context, name string, value pulumi.StringOutpu
 data_root := path.Join(repo_root, "./data")
 ctx.Export(name, value)
 return local.NewCommand(ctx, name, &local.CommandArgs{
- Create: pulumi.String(fmt.Sprintf("pulumi stack output %s --show-secrets > %s", name, name)),
- Update: pulumi.String(fmt.Sprintf("pulumi stack output %s --show-secrets > %s", name, name)),
+ Create: pulumi.String(fmt.Sprintf("pulumi stack output %s --non-interactive --show-secrets > %s", name, name)),
+ Update: pulumi.String(fmt.Sprintf("pulumi stack output %s --non-interactive --show-secrets > %s", name, name)),
 Delete: pulumi.String(fmt.Sprintf("rm %s", name)),
 Dir: pulumi.String(data_root),
+ Environment: goMapToPulumiMap(map[string]string{
+ "PULUMI_SKIP_UPDATE_CHECK": "true",
+ }),
 }, pulumi.DependsOn([]pulumi.Resource{resource}))
 }
 
 func PKITLSFiles(ctx *pulumi.Context, files_ map[string]*local.Command, keys map[string]*tls.PrivateKey, certs map[string]*tls.LocallySignedCert) (files map[string]*local.Command, err error) {
 for name_, key := range keys {
- ctx.Log.Info("mew!", nil)
 name := fmt.Sprintf("%s-file", name_)
 files_[name], err = createPulumiFile(ctx, name, key.PrivateKeyPem, key)
 if err != nil {
diff --git a/iac/ssh.go b/iac/ssh.go
new file mode 100644
index 00000000..e69de29b
diff --git a/iac/tailscale.go b/iac/tailscale.go
index 5dbaddc3..e469d5d1 100644
--- a/iac/tailscale.go
+++ b/iac/tailscale.go
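Review bot: The Create and Update commands in createPulumiFile still write the decrypted stack output through a plain shell redirect, so the file mode is whatever the process umask allows. PKITLSFiles sends `key.PrivateKeyPem` through this path, so private keys may end up group- or world-readable under `data_root`. Starting the command string with `umask 077 && ` would pin the mode to owner-only. `name` is also placed unquoted into the Create, Update and Delete shell strings, and the iac/tailscale.go hunk in this commit appears to derive those names from `device.Name`, so it should be checked against a strict pattern (for example `^[a-z0-9-]+$`) before it is formatted into a command. The body of PKITLSFiles continues outside the hunk.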
@@ -96,13 +96,12 @@ func HandleTSHostCerts(ctx *pulumi.Context,
 keys = make(map[string]*tls.PrivateKey)
 crs = make(map[string]*tls.CertRequest)
 certs = make(map[string]*tls.LocallySignedCert)
-
 for _, device := range tailnet.Devices {
 if device.User != "kat@inskip.me" {
- return nil, nil, nil, err
+ continue
 }
 name := strings.Split(device.Name, ".")[0]
- keys[name], crs[name], certs[name], err = HandleTSHostCert(ctx, device, ca_key, ca_cert)
+ keys[fmt.Sprintf("ts-%s-host-key", name)], crs[fmt.Sprintf("ts-%s-host-cr", name)], certs[fmt.Sprintf("ts-%s-host-cert", name)], err = HandleTSHostCert(ctx, device, ca_key, ca_cert)
 if err != nil {
 return nil, nil, nil, err
 }
diff --git a/iac/tls.go b/iac/tls.go
index 7f505625..cce3867a 100644
--- a/iac/tls.go
+++ b/iac/tls.go
@@ -18,7 +18,7 @@ func generateKeyPair(ctx *pulumi.Context,
 key, err = tls.NewPrivateKey(ctx, fmt.Sprintf("%s-key", purpose), &tls.PrivateKeyArgs{
 Algorithm: pulumi.String("RSA"),
 RsaBits: pulumi.Int(4096),
- })
+ }, pulumi.DependsOn([]pulumi.Resource{ca_key, ca_cert}))
 if err != nil {
 return nil, nil, nil, err
 }
@@ -30,7 +30,7 @@ func generateKeyPair(ctx *pulumi.Context,
 CommonName: pulumi.String("inskip.me"),
 Organization: pulumi.String("Kat Inskip"),
 },
- })
+ }, pulumi.DependsOn([]pulumi.Resource{ca_key, ca_cert, key}))
 if err != nil {
 return nil, nil, nil, err
 }
@@ -46,7 +46,7 @@ func generateKeyPair(ctx *pulumi.Context,
 CertRequestPem: cr.CertRequestPem,
 ValidityPeriodHours: pulumi.Int(1440),
 EarlyRenewalHours: pulumi.Int(168),
- })
+ }, pulumi.DependsOn([]pulumi.Resource{ca_key, ca_cert, key, cr}))
 if err != nil {
 return nil, nil, nil, err
 }
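Review bot: The owner filter in HandleTSHostCerts compares `device.User` with the inline literal `"kat@inskip.me"`, and that comparison is the only visible gate deciding which tailnet devices get a CA-signed host certificate. A named constant or stack config value would make the trust decision easier to audit, with a comment such as `// only devices owned by this account are issued host certs`. The new tuple assignment also repeats `fmt.Sprintf` three times on one line; assigning the results of `HandleTSHostCert` to locals, checking `err`, and then storing them under the three keys would read better and avoid writing map entries before the error check. The function starts and ends outside the hunk.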
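Review bot: The three `pulumi.DependsOn(...)` options added in generateKeyPair (hunks at -18, -30 and -46) have no comment saying why explicit ordering is needed, and part of it looks redundant. The certificate in the third hunk already takes `cr.CertRequestPem` as an input, which gives Pulumi the dependency on `cr` implicitly. If the aim is to reissue leaf keys and certificates when the CA changes, DependsOn only orders operations and does not by itself trigger replacement, so a rotated CA may leave old leaf material in place. A line such as `// explicit ordering only: CA resources must exist before leaf material` above each option would record the intent. The function body starts and ends outside these hunks, so whether `ca_key` or `ca_cert` can be nil here is not visible.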