diff --git a/DEVELOP.md b/DEVELOP.md
index d312032..38cf677 100644
--- a/DEVELOP.md
+++ b/DEVELOP.md
@@ -72,14 +72,22 @@ Be sure to run `./hack/lint.sh` and `./hack/test.sh` before submitting anything.
 * no write
 * no cap
 * use the provided infrastructure
- * runnable artifacts go to:
- * `/boot/bin` (read-only)
- * configuration should be read from:
- * `/config` (read-only)
- * certificates should go to:
- * `/certs` (either read-only or read-write)
- * persistent application data should use:
- * `/data` (usually read-write)
- * volatile data should use:
- * `/tmp` (usually read-write)
+ * runnable artifacts go to:
+ * `/boot/bin` (read-only)
+ * configuration should be read from:
+ * `/magnetar/system/config` (read-only)
+ * and:
+ * `/magnetar/user/config` (read-write, user controlled)
+ * certificates should go to:
+ * `/magnetar/user/data` (either read-only or read-write)
+ * or:
+ * `/magnetar/system/data` (read-only)
+ * persistent application data should use:
+ * `/magnerar/system/data` (usually read-only)
+ * runtime data (socket, pipes) should use:
+ * `/magnerar/runtime`
+ * temp data (logs, states, etc) should use:
+ * `/magnerar/state`
+ * cache should use:
+ * `/magnerar/cache`
 * only use chroot to downgrade if you really REALLY need to start your entrypoint with "root"
diff --git a/Dockerfile b/Dockerfile
index 588ef57..a02d967 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -214,8 +214,8 @@ EXPOSE $DNS_OVER_TLS_LEGO_PORT/tcp
 #EXPOSE $DNS_OVER_GRPC_PORT/tcp
 EXPOSE $MOD_METRICS_BIND/tcp
-# Lego just needs /certs to work
-VOLUME /certs
+# Lego just needs certs to work
+VOLUME "$XDG_DATA_HOME"
 ENV HEALTHCHECK_URL="127.0.0.1:$DNS_PORT"
 ENV HEALTHCHECK_QUESTION=dns.autonomous.healthcheck.farcloser.world
diff --git a/context/runtime/boot/entrypoint.sh b/context/runtime/boot/entrypoint.sh
index 5204fc0..5026cd5 100755
--- a/context/runtime/boot/entrypoint.sh
+++ b/context/runtime/boot/entrypoint.sh
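Review bot: `VOLUME "$XDG_DATA_HOME"` is expanded at build time from an `ENV` or `ARG` declared earlier in the Dockerfile, and nothing in this hunk shows that declaration; if it is missing or comes later, the instruction expands to an empty string and the build should fail, while a stale value would declare the volume at the wrong path. A `# XDG_DATA_HOME is set by ENV above; keep the two in sync` comment next to it, or moving the VOLUME directly below that ENV, would make the coupling visible. The rewritten comment also dropped the one useful fact the old one carried, namely which directory lego needs; `# Lego keeps its certificate data under $XDG_DATA_HOME (see --path in entrypoint.sh)` would keep it. The two Corefiles in this commit read the same variable through `{$XDG_DATA_HOME}`, so any rename of the ENV has to be mirrored there as well.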
@@ -6,7 +6,7 @@ readonly root
 # shellcheck source=/dev/null
 . "$root/helpers.sh"
-helpers::dir::writable /certs
+helpers::dir::writable "$XDG_DATA_HOME"
 LOG_LEVEL=${LOG_LEVEL:-}
@@ -43,17 +43,17 @@ certs::renew(){
 && staging= \
 || staging="--server=https://acme-staging-v02.api.letsencrypt.org/directory"
- [ -e "/certs/certificates/$domain.key" ] || command="run"
+ [ -e "$XDG_DATA_HOME/certificates/$domain.key" ] || command="run"
 printf >&2 "Running command: %s" "lego --domains=\"$domain\" \
- --accept-tos --email=\"$email\" --path=/certs --tls $staging --pem \
+ --accept-tos --email=\"$email\" --path=\"$XDG_DATA_HOME\" --tls $staging --pem \
 --tls.port=:$port \
 ${command}"
 lego --domains="$domain" \
 --accept-tos \
 --email="$email" \
- --path=/certs \
+ --path="$XDG_DATA_HOME" \
 --tls $staging --pem \
 --tls.port=:"$port" \
 ${command}
@@ -84,7 +84,7 @@ fi
 [ "$DNS_FORWARD_ENABLED" == true ] && mode=forward || mode=recursive
 [ "$DNS_STUFF_MDNS" == true ] && with_mdns=+mdns || with_mdns=
-args=(-conf "/config/coredns-${mode}${with_tls}${with_mdns}.conf")
+args=(-conf "$XDG_CONFIG_DIRS/coredns-${mode}${with_tls}${with_mdns}.conf")
 normalized_log_level="$(printf "%s" "$LOG_LEVEL" | tr '[:upper:]' '[:lower:]')"
 [ "$normalized_log_level" != "error" ] && [ "$normalized_log_level" != "warning" ] || args+=(-quiet)
diff --git a/context/runtime/boot/mdns.sh b/context/runtime/boot/mdns.sh
index 02242e6..9462d76 100755
--- a/context/runtime/boot/mdns.sh
+++ b/context/runtime/boot/mdns.sh
@@ -90,7 +90,7 @@ mdns::start::avahi(){
 [ "$LOG_LEVEL" != "debug" ] || args+=(--debug)
 # -D/--daemonize implies -s/--syslog that we do not want, so, just background it
- avahi-daemon -f /config/avahi/main.conf --no-drop-root --no-chroot "${args[@]}" &
+ avahi-daemon -f "$XDG_CONFIG_DIRS"/avahi/main.conf --no-drop-root --no-chroot "${args[@]}" &
 local tries=1
 # Wait until the socket is there
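Review bot: `helpers::dir::writable "$XDG_DATA_HOME"` has no guard that the variable is set and non-empty, and with an empty value the checks in the `@@ -43` hunk below degrade silently: `[ -e "$XDG_DATA_HOME/certificates/$domain.key" ]` tests `/certificates/...` and lego runs with `--path=`, so a freshly issued TLS private key could end up somewhere other than the declared volume. Add `: "${XDG_DATA_HOME:?XDG_DATA_HOME must point at the certificate directory}"` before the writable check so the script fails fast instead. The two Corefile hunks in this commit consume the same variable via `{$XDG_DATA_HOME}`, and since coredns is launched from this script that one assertion presumably covers them too — confirm the environment is passed through unchanged.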
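Review bot: `"$XDG_CONFIG_DIRS/coredns-${mode}${with_tls}${with_mdns}.conf"` treats `XDG_CONFIG_DIRS` as a single directory, but per the basedir spec linked from mdns.sh it is a colon-separated, preference-ordered list; as soon as a second entry is added (the DEVELOP.md hunk in this commit already documents both a system and a user config directory) the path becomes `dirA:dirB/coredns-....conf`. Either read these from a dedicated single-directory variable, or take the first entry explicitly, `args=(-conf "${XDG_CONFIG_DIRS%%:*}/coredns-${mode}${with_tls}${with_mdns}.conf")`. The same construct appears in `avahi-daemon -f "$XDG_CONFIG_DIRS"/avahi/main.conf` in the mdns.sh `@@ -90` hunk and in `dbus-daemon --config-file "$XDG_CONFIG_DIRS"/dbus/main.conf` in its `@@ -120` hunk.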
@@ -109,11 +109,9 @@ mdns::start::dbus(){
 # https://man7.org/linux/man-pages/man3/sd_bus_default.3.html
 # https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html
- # $XDG_RUNTIME_DIR=/tmp/runtime
+ local dbussocket=/magnetar/runtime/dbus/system_bus_socket
 # Configuration file also has that ^ hardcoded, so, cannot use the variable...
- local dbussocket=/tmp/runtime/dbus/system_bus_socket
- # Ensure directory exists
 helpers::dir::writable "$(dirname "$dbussocket")" create
@@ -122,7 +120,7 @@ mdns::start::dbus(){
 export DBUS_SESSION_BUS_ADDRESS=unix:path="$dbussocket"
 # Start it, without a PID file
- dbus-daemon --nopidfile --config-file /config/dbus/main.conf
+ dbus-daemon --nopidfile --config-file "$XDG_CONFIG_DIRS"/dbus/main.conf
 local tries=1
 # Wait until the socket is there
diff --git a/context/runtime/config/coredns-forward+mdns.conf b/context/runtime/magnetar/system/config/coredns-forward+mdns.conf
similarity index 100%
rename from context/runtime/config/coredns-forward+mdns.conf
rename to context/runtime/magnetar/system/config/coredns-forward+mdns.conf
diff --git a/context/runtime/config/coredns-forward+tls.conf b/context/runtime/magnetar/system/config/coredns-forward+tls.conf
similarity index 73%
rename from context/runtime/config/coredns-forward+tls.conf
rename to context/runtime/magnetar/system/config/coredns-forward+tls.conf
index f9f721f..301f7c0 100644
--- a/context/runtime/config/coredns-forward+tls.conf
+++ b/context/runtime/magnetar/system/config/coredns-forward+tls.conf
@@ -1,5 +1,5 @@
 tls://.:{$DNS_OVER_TLS_PORT} {
- tls /certs/certificates/{$DOMAIN}.crt /certs/certificates/{$DOMAIN}.key /certs/certificates/{$DOMAIN}.issuer.crt
+ tls {$XDG_DATA_HOME}/certificates/{$DOMAIN}.crt {$XDG_DATA_HOME}/certificates/{$DOMAIN}.key {$XDG_DATA_HOME}/certificates/{$DOMAIN}.issuer.crt
 import snips/hosts.conf
 import snips/forward.conf
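Review bot: after the reorder, `# Configuration file also has that ^ hardcoded, so, cannot use the variable...` sits below the `local dbussocket=/magnetar/runtime/dbus/system_bus_socket` line it now points at, and the variable it meant (`$XDG_RUNTIME_DIR`, only named in the removed comment) is no longer mentioned anywhere. Reword it above the assignment as `# Hardcoded on purpose: the dbus config file pins the same socket path, so $XDG_RUNTIME_DIR cannot be used here` so the coupling to that config file stays discoverable. Separately, the DEVELOP.md hunk in this commit documents runtime data under `/magnerar/runtime` (and `/magnerar/state`, `/magnerar/cache`, `/magnerar/system/data`), which looks like a typo for the `/magnetar/` prefix used here. mdns::start::dbus continues outside the hunk.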
diff --git a/context/runtime/config/coredns-forward.conf b/context/runtime/magnetar/system/config/coredns-forward.conf
similarity index 100%
rename from context/runtime/config/coredns-forward.conf
rename to context/runtime/magnetar/system/config/coredns-forward.conf
diff --git a/context/runtime/config/coredns-recursive+tls.conf b/context/runtime/magnetar/system/config/coredns-recursive+tls.conf
similarity index 69%
rename from context/runtime/config/coredns-recursive+tls.conf
rename to context/runtime/magnetar/system/config/coredns-recursive+tls.conf
index 1ad19e8..86d5ff9 100644
--- a/context/runtime/config/coredns-recursive+tls.conf
+++ b/context/runtime/magnetar/system/config/coredns-recursive+tls.conf
@@ -1,5 +1,5 @@
 tls://.:{$DNS_OVER_TLS_PORT} {
- tls /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.crt /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.key /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.issuer.crt
+ tls {$XDG_DATA_HOME}/certificates/{$DNS_OVER_TLS_DOMAIN}.crt {$XDG_DATA_HOME}/certificates/{$DNS_OVER_TLS_DOMAIN}.key {$XDG_DATA_HOME}/certificates/{$DNS_OVER_TLS_DOMAIN}.issuer.crt
 import snips/hosts.conf
 import snips/recursive.conf
diff --git a/context/runtime/config/coredns-recursive.conf b/context/runtime/magnetar/system/config/coredns-recursive.conf
similarity index 100%
rename from context/runtime/config/coredns-recursive.conf
rename to context/runtime/magnetar/system/config/coredns-recursive.conf
diff --git a/context/runtime/config/snips/cache.conf b/context/runtime/magnetar/system/config/snips/cache.conf
similarity index 100%
rename from context/runtime/config/snips/cache.conf
rename to context/runtime/magnetar/system/config/snips/cache.conf
diff --git a/context/runtime/config/snips/forward.conf b/context/runtime/magnetar/system/config/snips/forward.conf
similarity index 100%
rename from context/runtime/config/snips/forward.conf
rename to context/runtime/magnetar/system/config/snips/forward.conf
diff --git a/context/runtime/config/snips/hosts.conf b/context/runtime/magnetar/system/config/snips/hosts.conf
similarity index 100%
rename from context/runtime/config/snips/hosts.conf
rename to context/runtime/magnetar/system/config/snips/hosts.conf
diff --git a/context/runtime/config/snips/mdns.conf b/context/runtime/magnetar/system/config/snips/mdns.conf
similarity index 100%
rename from context/runtime/config/snips/mdns.conf
rename to context/runtime/magnetar/system/config/snips/mdns.conf
diff --git a/context/runtime/config/snips/monitor.conf b/context/runtime/magnetar/system/config/snips/monitor.conf
similarity index 100%
rename from context/runtime/config/snips/monitor.conf
rename to context/runtime/magnetar/system/config/snips/monitor.conf
diff --git a/context/runtime/config/snips/recursive.conf b/context/runtime/magnetar/system/config/snips/recursive.conf
similarity index 100%
rename from context/runtime/config/snips/recursive.conf
rename to context/runtime/magnetar/system/config/snips/recursive.conf
diff --git a/context/runtime/config/snips/todo.conf b/context/runtime/magnetar/system/config/snips/todo.conf
similarity index 100%
rename from context/runtime/config/snips/todo.conf
rename to context/runtime/magnetar/system/config/snips/todo.conf