diff --git a/misc/adoptnode.sh b/misc/adoptnode.sh
new file mode 100755
index 00000000..ad230186
--- /dev/null
+++ b/misc/adoptnode.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+TARGNODE=$1
+TARGPROF=$2
+if [ -z "$TARGNODE" ] ; then
+ echo "Target node must be specified"
+ exit 1
+fi
+if [ -z "$TARGPROF" ]; then
+ echo "Target profile must be specified"
+ exit 1
+fi
+nodedefine $TARGNODE deployment.apiarmed=once deployment.profile=$TARGPROF deployment.useinsecureprotocols= deployment.pendingprofile=$TARGPROF
+cat /var/lib/confluent/public/site/ssh/*pubkey | ssh $TARGNODE "mkdir -p /root/.ssh/; cat - >> /root/.ssh/authorized_keys"
+ssh $TARGNODE mkdir -p /etc/confluent /opt/confluent/bin
+cat /var/lib/confluent/public/site/tls/*.pem | ssh $TARGNODE "cat - >> /etc/confluent/ca.pem"
+cat /var/lib/confluent/public/site/tls/*.pem | ssh $TARGNODE "cat - >> /etc/pki/ca-trust/source/anchors/confluent.pem"
+nodeattrib $TARGNODE id.uuid=$(ssh $TARGNODE cat /sys/devices/virtual/dmi/id/product_uuid)
+scp prepadopt.sh $TARGNODE:/tmp/
+scp finalizeadopt.sh $TARGNODE:/tmp/
+ssh $TARGNODE bash /tmp/prepadopt.sh $TARGNODE $TARGPROF
+nodeattrib $TARGNODE deployment.pendingprofile=
+nodeapply $TARGNODE -k
+ssh $TARGNODE sh /tmp/finalizeadopt.sh
diff --git a/misc/finalizeadopt.sh b/misc/finalizeadopt.sh
new file mode 100644
index 00000000..7b9413d1
--- /dev/null
+++ b/misc/finalizeadopt.sh
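Review bot: The two helper scripts are copied to the fixed, world-writable paths /tmp/prepadopt.sh and /tmp/finalizeadopt.sh on the target and then executed there as root over ssh, so any local account on the node can pre-create or rewrite those files between the scp and the ssh that runs them. Feeding the scripts over stdin avoids the on-disk copy entirely: replace the two scp lines and the two run lines with `ssh "$TARGNODE" bash -s -- "$TARGNODE" "$TARGPROF" < prepadopt.sh` and `ssh "$TARGNODE" sh -s < finalizeadopt.sh`; prepadopt derives the deployment server from $SSH_CLIENT, which sshd should still set for a stdin-fed session. Separately, the `>>` appends into authorized_keys, ca.pem and the trust anchor accumulate duplicate keys and certificates on every re-run, and `$TARGNODE`/`$TARGPROF` are expanded unquoted throughout, including inside the `nodeattrib ... id.uuid=$(ssh ...)` substitution, which also sets an empty uuid if that ssh fails.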
@@ -0,0 +1,32 @@
+#!/bin/bash
+if ! grep ^HostbasedAuthentication /etc/ssh/sshd_config > /dev/null; then
+ echo HostbasedAuthentication yes >> /etc/ssh/sshd_config
+ echo HostbasedUsesNameFromPacketOnly yes >> /etc/ssh/sshd_config
+ echo IgnoreRhosts no >> /etc/ssh/sshd_config
+fi
+for certfile in /etc/ssh/*cert*; do
+ if ! grep $certfile /etc/ssh/sshd_config > /dev/null; then
+ echo HostCertificate $certfile >> /etc/ssh/sshd_config
+ fi
+done
+if [ -d /etc/ssh/ssh_config.d/ ]; then
+ cat > /etc/ssh/ssh_config.d/01-confluent.conf << EOF
+Host *
+ HostbasedAuthentication yes
+ EnableSSHKeysign yes
+ HostbasedKeyTypes *ed25519*
+EOF
+else
+ if ! grep EnableSSHKeysign /etc/ssh/ssh_config > /dev/null; then
+ cat >> /etc/ssh/ssh_config << EOF
+Host *
+ HostbasedAuthentication yes
+ EnableSSHKeysign yes
+ HostbasedKeyTypes *ed25519*
+EOF
+ fi
+fi
+restorecon -r /etc/ssh
+restorecon /root/.shosts
+
+systemctl restart sshd
diff --git a/misc/prepadopt.sh b/misc/prepadopt.sh
new file mode 100644
index 00000000..b47602d8
--- /dev/null
+++ b/misc/prepadopt.sh
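Review bot: The script appends to sshd_config and then restarts sshd on its last line without validating the result, and ssh is the only channel adoptnode.sh has into the node, so a bad config strands it; guard the restart with `sshd -t || exit 1`. One way the config can go bad is the `for certfile in /etc/ssh/*cert*` loop: with no match the glob stays literal and a `HostCertificate /etc/ssh/*cert*` line is appended, so add `[ -e "$certfile" ] || continue` as the loop's first line (portable, since adoptnode.sh runs this bash-shebanged file with `sh`, a mismatch worth reconciling too). The three sshd settings deserve a comment, because `IgnoreRhosts no` lets every user's ~/.shosts and ~/.rhosts grant host-based logins and `HostbasedUsesNameFromPacketOnly yes` trusts the client-supplied hostname instead of a reverse lookup, so the scheme rests entirely on the host certificates and known-hosts data; something like `# host-based auth between cluster nodes; trust comes from the HostCertificate entries and known hosts, not DNS` would do. The `restorecon /root/.shosts` presumes that file is created elsewhere, presumably by nodeapply.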
@@ -0,0 +1,25 @@
+#!/bin/bash
+TARGNODE=$1
+TARGPROF=$2
+TMPDIR=$(mktemp -d)
+cd $TMPDIR
+DEPLOYSRV=$(echo $SSH_CLIENT|awk '{print $1}')
+UDEPLOYSRV=$DEPLOYSRV
+if [[ "$DEPLOYSRV" = *":"* ]]; then
+ UDEPLOYSRV="[$DEPLOYSRV]"
+fi
+update-ca-trust
+mkdir -p /etc/confluent
+curl -sg https://$UDEPLOYSRV/confluent-public/os/$TARGPROF/boot/initramfs/addons.cpio > addons.cpio
+curl -sg https://$UDEPLOYSRV/confluent-public/os/$TARGPROF/scripts/functions > /etc/confluent/functions
+cpio -dumi < addons.cpio
+systemctl status firewalld >& /dev/null && FWACTIVE=1
+if [ "$FWACTIVE" == 1 ]; then systemctl stop firewalld; fi
+opt/confluent/bin/copernicus > /etc/confluent/confluent.info
+opt/confluent/bin/clortho $TARGNODE $DEPLOYSRV > /etc/confluent/confluent.apikey
+if [ "$FWACTIVE" == 1 ]; then systemctl start firewalld; fi
+cp opt/confluent/bin/apiclient /opt/confluent/bin
+curl -sg -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" -H "CONFLUENT_NODENAME: $TARGNODE" https://$UDEPLOYSRV/confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
+# python3 /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
+cd -
+echo rm -rf $TMPDIR
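Review bot: The node API key written by `opt/confluent/bin/clortho $TARGNODE $DEPLOYSRV > /etc/confluent/confluent.apikey` is created with whatever the root umask allows, typically 0644, so any local account on the node can read the credential the final curl presents as CONFLUENT_APIKEY; run that line under `umask 077` or follow it with `chmod 600 /etc/confluent/confluent.apikey`. The last line `echo rm -rf $TMPDIR` only prints the cleanup and leaves the extracted addons in the mktemp directory; it reads like a debugging leftover and should be `rm -rf -- "$TMPDIR"`, ideally from an EXIT trap. The three curl calls lack `-f`, so an HTTP error page would be saved as addons.cpio, /etc/confluent/functions or confluent.deploycfg and the script would carry on; `curl -sfg` makes them fail instead. With no `set -e`, a failed `cd $TMPDIR` also means cpio extracts into whatever the current directory happens to be. Stopping firewalld outright for the copernicus/clortho exchange opens every port for that window; if the ports they use are known, a scoped rule would be narrower.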