diff --git a/build-iso.sh b/build-iso.sh
index ec63ee4..ca52040 100755
--- a/build-iso.sh
+++ b/build-iso.sh
@@ -25,8 +25,8 @@ WORK_DIR="$(mktemp -d /tmp/autoinstall-build.XXXXXX)"
 OUTPUT_ISO="autoinstall-$(date +%Y%m%d-%H%M).iso"
 SOPS_FILE="secrets.sops.yaml"
 TEMPLATE_DIR="templates"
-POST_INSTALL_SCRIPT="scripts/post-install.sh"
-TARGET_USERNAME=$(yq -e .autoinstall.identity.username templates/user-data.tmpl)
+TARGET_USER=$(yq -r .autoinstall.identity.username templates/user-data.tmpl)
+export TARGET_USER
 NOCLOUD_DIR="$WORK_DIR/iso/nocloud"
 mkdir -p "$NOCLOUD_DIR"
@@ -40,6 +40,12 @@ error() {
 echo -e "${RED}[✗]${NC} $*"
 exit 1
 }
+function envsubst_in_place() {
+ set -x
+ local _filename=$1
+ envsubst "\$TARGET_USER" <"$_filename" >$_filename.tmp && mv $_filename.tmp $_filename
+ set +x
+}
 while [[ $# -gt 0 ]]; do
 case $1 in
@@ -53,6 +59,7 @@ done
 cleanup() {
 info "Cleaning up..."
+ echo "$WORK_DIR"
 rm -rf "$WORK_DIR"
 }
 trap cleanup EXIT
@@ -69,6 +76,9 @@ info "Decrypting secrets and rendering template..."
 sops exec-env "$SOPS_FILE" "envsubst < $TEMPLATE_DIR/user-data.tmpl > $NOCLOUD_DIR/user-data"
 sops exec-env "$SOPS_FILE" "envsubst '\$WIFI_HOUSE_PASSWORD \$NOKIA_WIFI_KEY_PASSWORD' < $TEMPLATE_DIR/user-data-wifi.tmpl > $NOCLOUD_DIR/user-data-wifi.config"
+envsubst_in_place "$NOCLOUD_DIR/user-data"
+envsubst_in_place "$NOCLOUD_DIR/user-data-wifi.config"
+
 info "Template rendered."
 # ── Get Ubuntu ISO ─────────────────────────────────────────────────────────────
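Review bot: `TARGET_USER` is used without any validation after the `TARGET_USER=$(yq -r …)` assignment, because the switch from `yq -e` to `yq -r` drops the exit-status check and the same commit deletes the `${TARGET_USERNAME:?must defined}` guard from deployment/post-install.sh. The value is pasted by envsubst into file paths, `owner:` fields and the EAP identity in both templates (the user-data-wifi.tmpl and user-data.tmpl hunks) and into post-install.sh, so an empty result or the string `null` would silently yield paths such as `/nokia/vpn/.ipa.nsn-net.net.key`. I would validate right after the assignment, for example `[[ "$TARGET_USER" =~ ^[a-z_][a-z0-9_-]*$ ]] || { echo "invalid identity.username: '$TARGET_USER'" >&2; exit 1; }`, written out in full because `error()` is only defined further down the script.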
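Review bot: `envsubst_in_place` leaves its expansions unquoted and carries debug tracing: `>$_filename.tmp && mv $_filename.tmp $_filename` word-splits on any path containing whitespace, and the `set -x` / `set +x` pair also turns tracing off for a caller who started the script with `bash -x`. I would write the body as `envsubst '$TARGET_USER' <"$_filename" >"$_filename.tmp" && mv -- "$_filename.tmp" "$_filename"` and drop the two `set` lines. Because `mv` replaces the target with a freshly created file, the result takes its mode from the umask, so the later call on post-install.sh (mode 100755 in this commit) probably leaves it non-executable; `chmod --reference="$_filename" "$_filename.tmp"` before the `mv` would keep the mode. The `echo "$WORK_DIR"` added to `cleanup()` in the next hunk looks like the same kind of debugging leftover.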
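Review bot: The two `envsubst_in_place` calls after the sops renders rewrite files that already hold decrypted secrets, and the second pass looks avoidable. `TARGET_USER` is exported before these lines, so, assuming `sops exec-env` passes the parent environment through (not shown in this hunk), the unrestricted `envsubst` for user-data already expands it, and the wifi render only needs the variable added to its list: `envsubst '\$WIFI_HOUSE_PASSWORD \$NOKIA_WIFI_KEY_PASSWORD \$TARGET_USER'`. That writes each secret-bearing file once and avoids a second substitution touching text inside a decrypted value. The return status of the two calls is also unchecked here; whether a failure aborts the build depends on shell options set outside the hunk.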
@@ -101,11 +111,12 @@ dd if="$UBUNTU_ISO" bs=1 count=432 of="$WORK_DIR/mbr_template.bin" 2>/dev/null
 # ── Inject autoinstall files ───────────────────────────────────────────────────
 info "Injecting autoinstall config and post-install script..."
-cp "$POST_INSTALL_SCRIPT" "$NOCLOUD_DIR/post-install.sh"
-cp "scripts/wifi.sh" "$NOCLOUD_DIR/wifi.sh"
+cp deployment/* "$NOCLOUD_DIR/"
 touch "$NOCLOUD_DIR/meta-data"
-cp $NOCLOUD_DIR/user-data* /tmp/
+envsubst_in_place "$NOCLOUD_DIR/post-install.sh"
+
+cp -r $NOCLOUD_DIR /tmp/
 # ── Patch GRUB ────────────────────────────────────────────────────────────────
 GRUB_CFG="$WORK_DIR/iso/boot/grub/grub.cfg"
diff --git a/scripts/post-install.sh b/deployment/post-install.sh
similarity index 99%
rename from scripts/post-install.sh
rename to deployment/post-install.sh
index 4d36862..ccfe471 100755
--- a/scripts/post-install.sh
+++ b/deployment/post-install.sh
@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
-TARGET_USER=${TARGET_USERNAME:?must defined}
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 RED='\033[0;31m'
diff --git a/scripts/wifi.sh b/deployment/wifi.sh
similarity index 100%
rename from scripts/wifi.sh
rename to deployment/wifi.sh
diff --git a/deployment/zscaler-client_3.7.1.71-1_amd64.deb b/deployment/zscaler-client_3.7.1.71-1_amd64.deb
new file mode 100644
index 0000000..e510f64
Binary files /dev/null and b/deployment/zscaler-client_3.7.1.71-1_amd64.deb differ
diff --git a/templates/user-data-wifi.tmpl b/templates/user-data-wifi.tmpl
index 3b0f0a2..2f642e7 100644
--- a/templates/user-data-wifi.tmpl
+++ b/templates/user-data-wifi.tmpl
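Review bot: `cp -r $NOCLOUD_DIR /tmp/` in the build-iso.sh hunk copies the rendered user-data, including the secrets decrypted by sops, to the fixed path /tmp/nocloud, which the `cleanup` trap never deletes because it only removes `$WORK_DIR`. `WORK_DIR` comes from `mktemp -d`, but this copy lands in a shared directory under a predictable name with umask-default permissions, so on a multi-user build host other accounts can likely read it or pre-create the destination. If this is a debugging aid, I would drop the line, or gate it behind an opt-in flag and quote it as `cp -r "$NOCLOUD_DIR" "$(mktemp -d)"`. `cp deployment/* "$NOCLOUD_DIR/"` also ships whatever lands in deployment/, including the .deb added by this commit; an explicit file list, plus a checksum for the package, would make the ISO contents reviewable.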
@@ -19,10 +19,10 @@ network:
 auth:
 key-management: eap
 method: tls
- identity: "host/alfoldi.ipa.nsn-net.net"
+ identity: "host/${TARGET_USER}.ipa.nsn-net.net"
 ca-certificate: /nokia/vpn/NOKIA_Root_CA.crt
- client-certificate: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt
- client-key: /nokia/vpn/alfoldi.ipa.nsn-net.net.key
+ client-certificate: /nokia/vpn/${TARGET_USER}.ipa.nsn-net.net.crt
+ client-key: /nokia/vpn/${TARGET_USER}.ipa.nsn-net.net.key
 client-key-password: "${NOKIA_WIFI_KEY_PASSWORD}"
 # vim: set filetype=yaml :
diff --git a/templates/user-data.tmpl b/templates/user-data.tmpl
index 331bb9a..3a2b0d9 100644
--- a/templates/user-data.tmpl
+++ b/templates/user-data.tmpl
@@ -50,24 +50,24 @@ autoinstall:
 write_files:
 - path: /nokia/vpn/NOKIA_Root_CA.crt
 permissions: "0600"
- owner: alfoldi:alfoldi
+ owner: ${TARGET_USER}:${TARGET_USER}
 encoding: b64
 content: "${NOKIA_CA_CERT_B64}"
- - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt
+ - path: /nokia/vpn/${TARGET_USER}.ipa.nsn-net.net.crt
 permissions: "0600"
- owner: alfoldi:alfoldi
+ owner: ${TARGET_USER}:${TARGET_USER}
 encoding: b64
 content: "${NOKIA_CLIENT_CERT_B64}"
- - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.key
+ - path: /nokia/vpn/${TARGET_USER}.ipa.nsn-net.net.key
 permissions: "0600"
- owner: alfoldi:alfoldi
+ owner: ${TARGET_USER}:${TARGET_USER}
 encoding: b64
 content: "${NOKIA_CLIENT_KEY_B64}"
 # - path: /etc/himmelblau/himmelblau.conf
- # owner: alfoldi:alfoldi
+ # owner: ${TARGET_USER}:${TARGET_USER}
 # content: |
 # [global]
 # domain = nokia.com
@@ -78,9 +78,9 @@ autoinstall:
 # # user_map_file = /etc/himmelblau/user-map # # - path: /etc/himmelblau/user-map
- # owner: alfoldi:alfoldi
+ # owner: ${TARGET_USER}:${TARGET_USER}
 # content: |
- # alfoldi:zsolt.alfoldi@nokia.com
+ # ${TARGET_USER}:zsolt.${TARGET_USER}@nokia.com
 - path: /etc/ssh/sshd_config.d/99-custom.conf
 permissions: "0644"
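Review bot: The commented user-map entry in the last user-data.tmpl hunk was caught by the search-and-replace and now reads `# ${TARGET_USER}:zsolt.${TARGET_USER}@nokia.com`, which keeps one person's first name hard-coded next to a templated login. It is inert while commented out, but if the himmelblau block is re-enabled every other user gets a wrong mapping. I would either restore the literal example or use a separate placeholder for the address, e.g. `# ${TARGET_USER}:${TARGET_USER_EMAIL}` (a variable that does not exist yet), with a comment saying build-iso.sh does not supply it.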
@@ -175,9 +175,9 @@ autoinstall:
 # - mkdir -p /target/etc/himmelblau
 late-commands:
- # - cp /etc/resolv.conf /target/etc/resolv.conf
 - bash -x /cdrom/nocloud/wifi.sh
- - cp /cdrom/nocloud/post-install.sh /target/home/
+ - mkdir -p /target/home/${TARGET_USER}/nocloud
+ - cp /cdrom/nocloud/* /target/home/${TARGET_USER}/nocloud/
 updates: all
 shutdown: poweroff
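Review bot: `cp /cdrom/nocloud/* /target/home/${TARGET_USER}/nocloud/` copies every file from the seed directory onto the installed disk, and build-iso.sh writes the rendered `user-data` and `user-data-wifi.config` (WiFi passwords, the client key and its password) into that same directory. The previous command copied only post-install.sh, so this change leaves a second, persistent copy of those secrets in the user's home. I would list only the files that are needed, e.g. `- cp /cdrom/nocloud/post-install.sh /cdrom/nocloud/wifi.sh /target/home/${TARGET_USER}/nocloud/`, plus the .deb if post-install.sh installs it. The directory is created by the installer, presumably as root, so a `chown` for the target user may also be needed; that depends on code outside this hunk.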