diff --git a/grafana/docker-compose.yaml b/grafana/docker-compose.yaml
index 8b5fc0d..9ef7d8b 100644
--- a/grafana/docker-compose.yaml
+++ b/grafana/docker-compose.yaml
@@ -16,7 +16,7 @@ services:
 # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is in env.secrets
 # auth URLs are in the env.secrets since they have hostname expansion
 volumes:
- - ./data/grafana:/var/lib/grafana
+ - ../data/grafana:/var/lib/grafana
 restart: unless-stopped
 ports:
 - 8000:3000
diff --git a/hedgedoc/docker-compose.yaml b/hedgedoc/docker-compose.yaml
index e92d973..11601e6 100644
--- a/hedgedoc/docker-compose.yaml
+++ b/hedgedoc/docker-compose.yaml
@@ -7,7 +7,7 @@ services:
 - POSTGRES_PASSWORD=password
 - POSTGRES_DB=hedgedoc
 volumes:
- - ./data/database:/var/lib/postgresql/data
+ - ../data/hedgedoc/database:/var/lib/postgresql/data
 restart: always
 hedgedoc:
 # Make sure to use the latest release from https://hedgedoc.org/latest-release
@@ -32,7 +32,7 @@ services:
 - CMD_OAUTH2_CLIENT_ID=hedgedoc
 - CMD_OAUTH2_PROVIDERNAME=Keycloak
 volumes:
- - ./data/uploads:/hedgedoc/public/uploads
+ - ../data/hedgedoc/uploads:/hedgedoc/public/uploads
 ports:
 - "3000:3000"
 restart: always
diff --git a/keycloak/docker-compose.yaml b/keycloak/docker-compose.yaml
index a3d4f96..04d98db 100644
--- a/keycloak/docker-compose.yaml
+++ b/keycloak/docker-compose.yaml
@@ -8,7 +8,7 @@ services:
 mysql:
 image: mysql:5.7
 volumes:
- - ./data/database:/var/lib/mysql
+ - ../data/keycloak/database:/var/lib/mysql
 environment:
 MYSQL_ROOT_PASSWORD: root
 MYSQL_DATABASE: keycloak
@@ -33,8 +33,8 @@ services:
 # KEYCLOAK_ADMIN_PASSWORD should be set in env.secrets
 PROXY_ADDRESS_FORWARDING: 'true'
 volumes:
- - ./data/certs:/etc/x509/https
- - ./data/keycloak:/opt/keycloak/data
+ - ../data/keycloak/certs:/etc/x509/https
+ - ../data/keycloak/keycloak:/opt/keycloak/data
 ports:
 - 8080:8080
 depends_on:
diff --git a/mastodon/docker-compose.yaml b/mastodon/docker-compose.yaml
index 2639e96..9e100de 100644
--- a/mastodon/docker-compose.yaml
+++ b/mastodon/docker-compose.yaml
@@ -9,7 +9,7 @@ services:
 healthcheck:
 test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
 volumes:
- - ./data/database:/var/lib/postgresql/data
+ - ../data/mastodon/database:/var/lib/postgresql/data
 environment:
 - POSTGRES_USER=mastodon
 - POSTGRES_PASSWORD=mastodon
@@ -23,7 +23,7 @@ services:
 healthcheck:
 test: ['CMD', 'redis-cli', 'ping']
 volumes:
- - ./data/redis:/data
+ - ../data/mastodon/redis:/data
 es:
 restart: always
@@ -38,7 +38,7 @@ services:
 healthcheck:
 test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
 volumes:
- - ./data/elasticsearch:/usr/share/elasticsearch/data
+ - ../data/mastodon/elasticsearch:/usr/share/elasticsearch/data
 # fixup the permissions on the data directory since they are created as root on host
 entrypoint: /bin/sh -c "chown -R elasticsearch:elasticsearch data && /usr/local/bin/docker-entrypoint.sh eswrapper"
 ulimits:
@@ -67,7 +67,7 @@ services:
 - redis
 - es
 volumes:
- - ./data/system:/mastodon/public/system
+ - ../data/mastodon/system:/mastodon/public/system
 streaming:
 image: tootsuite/mastodon
@@ -104,7 +104,7 @@ services:
 - external_network
 - internal_network
 volumes:
- - ./data/system:/mastodon/public/system
+ - ../data/mastodon/system:/mastodon/public/system
 healthcheck:
 test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
diff --git a/mastodon/setup b/mastodon/setup
index 84395d6..2f10840 100755
--- a/mastodon/setup
+++ b/mastodon/setup
@@ -7,8 +7,8 @@ cd "$DIRNAME"
 source ../env.production
 source ./env.production
-mkdir -p data/system
-chmod 777 data/system
+mkdir -p ../data/mastodon/system
+chmod 777 ../data/mastodon/system
 if [ -r "./env.secrets" ]; then
 docker-compose up -d || die "unable to restart mastodon"
diff --git a/matrix/docker-compose.yaml b/matrix/docker-compose.yaml
index e9038cc..bee648c 100644
--- a/matrix/docker-compose.yaml
+++ b/matrix/docker-compose.yaml
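Review bot: `chmod 777 ../data/mastodon/system` makes the media directory world-writable on the host, so any local account can create or replace files in the tree that the compose hunks above bind-mount at /mastodon/public/system. The intent appears to be letting the container's unprivileged user write there, which is better done by handing the directory to that uid/gid and keeping the mode tight, e.g. `chown <MASTODON_UID>:<MASTODON_GID> ../data/mastodon/system && chmod 750 ../data/mastodon/system` (the uid is not visible here; confirm it against the image). If ownership is not known at setup time, `chmod 770` with the container's gid is still narrower than 777. The enclosing script starts and ends outside this hunk.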
@@ -4,7 +4,7 @@ services:
 image: postgres:13.4-alpine
 restart: unless-stopped
 volumes:
- - ./data/postgresdata:/var/lib/postgresql/data
+ - ../data/matrix/postgresdata:/var/lib/postgresql/data
 environment:
 - POSTGRES_DB=synapse
 - POSTGRES_USER=synapse
@@ -22,6 +22,6 @@ services:
 image: matrixdotorg/synapse:latest
 restart: unless-stopped
 volumes:
- - ./data/synapse:/data
+ - ../data/matrix/synapse:/data
 ports:
 - "5008:8008"
diff --git a/matrix/setup b/matrix/setup
index 4af40b5..9f262e1 100755
--- a/matrix/setup
+++ b/matrix/setup
@@ -6,9 +6,9 @@ cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"
-HOMESERVER_YAML="data/synapse/homeserver.yaml"
+SYNAPSE_DIR="../data/matrix/synapse"
+HOMESERVER_YAML="$SYNAPSE_DIR/homeserver.yaml"
 if [ -r "$HOMESERVER_YAML" ]; then
- echo "home server already configured? delete data directory to force reconfig"
 docker-compose up -d || die "matrix: unable to restart"
 exit 0
 fi
@@ -21,7 +21,7 @@ docker-compose down 2>/dev/null
 # the syntax here is confusing and it is not clear in
 # the docs *which* have to be updated.
 docker run -it --rm \
- -v "`pwd`/data/synapse:/data" \
+ -v "`pwd`/$SYNAPSE_DIR:/data" \
 -e "SYNAPSE_SERVER_NAME=$DOMAIN_NAME" \
 -e SYNAPSE_REPORT_STATS=yes \
 matrixdotorg/synapse:latest generate \
diff --git a/nextcloud/docker-compose.yaml b/nextcloud/docker-compose.yaml
index 2fa079f..a7bc097 100644
--- a/nextcloud/docker-compose.yaml
+++ b/nextcloud/docker-compose.yaml
@@ -8,7 +8,7 @@ services:
 - POSTGRES_PASSWORD=nextcloud
 - POSTGRES_DB=nextcloud
 volumes:
- - ./data/database:/var/lib/postgresql/data
+ - ../data/nextcloud/database:/var/lib/postgresql/data
 restart: always
 nextcloud:
@@ -30,7 +30,7 @@ services:
 # NEXTCLOUD_ADMIN_PASSWORD in env.secrets
 # NEXTCLOUD_TRUSTED_DOMAINS also set in env.secrets
 volumes:
- - ./data/nextcloud:/var/www/html
+ - ../data/nextcloud/nextcloud:/var/www/html
 depends_on:
 - database
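Review bot: `-v "`pwd`/$SYNAPSE_DIR:/data"` now hands docker run a host path with a `..` component (`<script dir>/../data/matrix/synapse`), and if that directory does not exist yet Docker creates the bind-mount target itself, owned by root, before `generate` writes homeserver.yaml into it. Resolving and creating the directory explicitly makes the first run deterministic: `mkdir -p "$SYNAPSE_DIR" || die "$SYNAPSE_DIR: unable to make"` and `SYNAPSE_ABS=$(cd "$SYNAPSE_DIR" && pwd)` after SYNAPSE_DIR is set in the @@ -6 hunk, then `-v "$SYNAPSE_ABS:/data" \` here. I cannot see whether a mkdir already happens between the two hunks; if it does, only the path resolution remains. The docker run command continues past the end of the hunk.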
diff --git a/nginx/certbot-renew b/nginx/certbot-renew
index dc575bd..25b4873 100755
--- a/nginx/certbot-renew
+++ b/nginx/certbot-renew
@@ -14,9 +14,9 @@ set -x
 # move the temp live directory away if
 # this is the first time we've run anything here
-if [ ! -d "data/certbot/conf/accounts" ]; then
+if [ ! -d "../data/certbot/conf/accounts" ]; then
 echo "deleting temp keys"
- rm -rf data/certbot/conf/live
+ rm -rf ../data/certbot/conf/live
 fi
 docker-compose run --rm certbot \
diff --git a/nginx/docker-compose.yaml b/nginx/docker-compose.yaml
index 5516e96..36e018e 100644
--- a/nginx/docker-compose.yaml
+++ b/nginx/docker-compose.yaml
@@ -10,8 +10,8 @@ services:
 - ./nginx/templates:/etc/nginx/templates
 - ./nginx/includes:/etc/nginx/includes
 - ../html:/var/www
- - ./data/certbot/www:/var/www/certbot
- - ./data/certbot/conf:/etc/letsencrypt
+ - ../data/certbot/www:/var/www/certbot
+ - ../data/certbot/conf:/etc/letsencrypt
 env_file:
 - ../env.production
 - env.production
@@ -21,5 +21,5 @@ services:
 certbot:
 image: certbot/certbot
 volumes:
- - ./data/certbot/conf:/etc/letsencrypt
- - ./data/certbot/www:/var/www/certbot
+ - ../data/certbot/conf:/etc/letsencrypt
+ - ../data/certbot/www:/var/www/certbot
diff --git a/nginx/setup b/nginx/setup
index 973d657..6426f22 100755
--- a/nginx/setup
+++ b/nginx/setup
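Review bot: `rm -rf ../data/certbot/conf/live` is resolved against the caller's current directory, and because the guard `[ ! -d "../data/certbot/conf/accounts" ]` uses the same relative base, a wrong cwd makes the guard pass and the delete run against whatever `../data/certbot/conf/live` means from there. The old `data/...` form had the same dependency, but the new path reaches one level further up the tree, so the blast radius of a mistaken cwd is now outside the nginx directory. The hunk does not show whether the script changes to its own directory before `set -x`; if it does not, `cd "$(dirname "$0")" || exit 1` at the top, or computing the base once as `DATA_DIR="$(dirname "$0")/../data"` and using `"$DATA_DIR/certbot/conf/live"` in both lines, removes the assumption. The nginx/setup hunk below introduces the same relative `certdir`.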
@@ -11,23 +11,25 @@ if [ -z "${DOMAIN_NAME}" ]; then
 die "DOMAIN_NAME not set"
 fi
-docker-compose down
+certdir="../data/certbot/conf/live/${DOMAIN_NAME}"
+
+if [ -r "$certdir/privkey.pem" ]; then
+ docker-compose up -d || die "nginx: unable to start"
+ exit 0
+fi
-certdir="data/certbot/conf/live/${DOMAIN_NAME}"
 mkdir -p "$certdir" || die "$certdir: unable to make"
-if [ ! -r "$certdir/privkey.pem" ]; then
- openssl req \
- -x509 \
- -newkey rsa:2048 \
- -keyout "$certdir/privkey.pem" \
- -out "$certdir/fullchain.pem" \
- -sha256 \
- -nodes \
- -days 365 \
- -subj "/CN=${DOMAIN_NAME}'" \
- || die "$certdir/privkey.pem: unable to create temp key"
-fi
+openssl req \
+ -x509 \
+ -newkey rsa:2048 \
+ -keyout "$certdir/privkey.pem" \
+ -out "$certdir/fullchain.pem" \
+ -sha256 \
+ -nodes \
+ -days 365 \
+ -subj "/CN=${DOMAIN_NAME}'" \
+|| die "$certdir/privkey.pem: unable to create temp key"
 docker-compose up -d || die "unable to bring up nginx"
@@ -35,5 +37,3 @@ echo "SLEEPING..."
 sleep 10
 ./certbot-renew || die "unable to create certs"
-
-
diff --git a/start-all b/start-all
new file mode 100755
index 0000000..0b93585
--- /dev/null
+++ b/start-all
@@ -0,0 +1,13 @@
+#!/bin/bash
+die() { echo >&2 "$@" ; exit 1 ; }
+
+source ./env.production || die "no production env?"
+
+if [ -z "$DOMAIN_NAME" ]; then
+ die "\$DOMAIN_NAME not set; things will break"
+fi
+
+for service in keycloak nginx hedgedoc nextcloud mastodon grafana matrix ; do
+ echo "$service: starting"
+ ./$service/setup || die "$server: failed to start"
+done
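Review bot: The re-added `-subj "/CN=${DOMAIN_NAME}'"` carries a stray single quote inside the double-quoted string, so the bootstrap certificate's CN is the domain followed by a literal `'`; it should read `-subj "/CN=${DOMAIN_NAME}" \`. With the new early-exit at `[ -r "$certdir/privkey.pem" ]` this certificate is generated once and then reused on every run until certbot replaces it, so the typo now persists rather than being regenerated. The same early exit also means that if `./certbot-renew` at the end of the file fails, the self-signed placeholder quietly remains the served certificate on the next run; a log line on the early-exit path, e.g. `echo "nginx: using existing $certdir/privkey.pem"`, makes that state visible. The script's opening lines are outside the hunk.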
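Review bot: `./$service/setup || die "$server: failed to start"` expands `$server`, which is never assigned, so a failing service dies with the message `: failed to start` and the operator has to work out which one stopped the loop; it should be `die "$service: failed to start"`. Every path in the new script is relative to the caller's cwd (`./env.production`, `./$service/setup`), whereas the per-service setup scripts shown in the other hunks `cd "$DIRNAME"` themselves; adding `cd "$(dirname "$0")" || die "cannot cd to script dir"` right after `die` is defined gives start-all the same behaviour from any directory. `set -u` near the top would have turned the unset-variable typo into an error (the guard would then need `"${DOMAIN_NAME:-}"`).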