diff --git a/AppDir/etc/daemon.yml b/AppDir/etc/daemon.yml
index d085dd0..6674677 100644
--- a/AppDir/etc/daemon.yml
+++ b/AppDir/etc/daemon.yml
@@ -71,6 +71,6 @@ storage:
     #- data_path: /foo/bar/data
     #  meta_path: /foo/bar/meta
     #  capacity: 1200
-    #  api_port: 3900
-    #  rpc_port: 3901
-    #  admin_port: 3902
+    #  s3_api_port: 3900
+    #  rpc_port:    3901
+    #  admin_port:  3902
diff --git a/entrypoint/default.nix b/entrypoint/default.nix
index e78a46c..0f8c23c 100644
--- a/entrypoint/default.nix
+++ b/entrypoint/default.nix
@@ -7,7 +7,7 @@
   pname = "cryptic-net-entrypoint";
   version = "unstable";
   src = ./src;
-  vendorSha256 = "sha256-URmrK9Sd/5yhXrWxXZq05TS7aY7IWptQFMKfXKJY7Hc=";
+  vendorSha256 = "sha256-1mHD0tmITlGjeo6F+Dvd2TdEPzxWtndy/J+uGHWKen4=";
   subPackages = [
     "cmd/entrypoint"
   ];
diff --git a/entrypoint/src/cmd/entrypoint/admin.go b/entrypoint/src/cmd/entrypoint/admin.go
index 29048fe..64bdb36 100644
--- a/entrypoint/src/cmd/entrypoint/admin.go
+++ b/entrypoint/src/cmd/entrypoint/admin.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	crypticnet "cryptic-net"
 	"cryptic-net/admin"
 	"cryptic-net/bootstrap"
 	"cryptic-net/garage"
@@ -115,6 +116,8 @@ var subCmdAdminCreateNetwork = subCmd{
 
 			if err := os.MkdirAll(runtimeDirPath, 0700); err != nil {
 				return fmt.Errorf("creating directory %q: %w", runtimeDirPath, err)
+			} else if err := crypticnet.NewProcLock(runtimeDirPath).WriteLock(); err != nil {
+				return err
 			}
 
 			defer func() {
@@ -158,6 +161,7 @@ var subCmdAdminCreateNetwork = subCmd{
 			HostName:                           *hostName,
 			NebulaHostCert:                     nebulaHostCert,
 			GarageRPCSecret:                    randStr(32),
+			GarageAdminToken:                   randStr(32),
 			GarageGlobalBucketS3APICredentials: garage.NewS3APICredentials(),
 		}
 
@@ -165,14 +169,6 @@ var subCmdAdminCreateNetwork = subCmd{
 			return fmt.Errorf("merging daemon.yml into bootstrap data: %w", err)
 		}
 
-		// TODO this can be gotten rid of once nebula-entrypoint is rolled into
-		// daemon itself
-		for key, val := range env.ToMap() {
-			if err := os.Setenv(key, val); err != nil {
-				return fmt.Errorf("failed to set %q to %q: %w", key, val, err)
-			}
-		}
-
 		nebulaPmuxProcConfig, err := nebulaPmuxProcConfig(env)
 		if err != nil {
 			return fmt.Errorf("generating nebula config: %w", err)
@@ -197,7 +193,9 @@ var subCmdAdminCreateNetwork = subCmd{
 
 		fmt.Fprintln(os.Stderr, "starting child processes")
 		go func() {
-			pmuxlib.Run(ctx, pmuxConfig)
+			// NOTE both stdout and stderr are sent to stderr, so that the user
+			// can pipe the resulting admin.tgz to stdout.
+			pmuxlib.Run(ctx, os.Stderr, os.Stderr, pmuxConfig)
 			close(pmuxDoneCh)
 		}()
 
@@ -218,7 +216,12 @@ var subCmdAdminCreateNetwork = subCmd{
 		}
 
 		fmt.Fprintln(os.Stderr, "initializing garage shared global bucket")
-		if err := garageInitializeGlobalBucket(ctx, env); err != nil {
+		err = garageInitializeGlobalBucket(ctx, env)
+
+		if cErr := (garage.AdminClientError{}); errors.As(err, &cErr) && cErr.StatusCode == 409 {
+			return fmt.Errorf("shared global bucket has already been created, are the storage allocations from a previously initialized cryptic-net being used?")
+
+		} else if err != nil {
 			return fmt.Errorf("initializing garage shared global bucket: %w", err)
 		}
 
@@ -329,6 +332,7 @@ var subCmdAdmin = subCmd{
 	descr: "Sub-commands which only admins can run",
 	do: func(subCmdCtx subCmdCtx) error {
 		return subCmdCtx.doSubCmd(
+			subCmdAdminCreateNetwork,
 			subCmdAdminMakeBootstrap,
 		)
 	},
diff --git a/entrypoint/src/cmd/entrypoint/daemon.go b/entrypoint/src/cmd/entrypoint/daemon.go
index bad5699..2d2581a 100644
--- a/entrypoint/src/cmd/entrypoint/daemon.go
+++ b/entrypoint/src/cmd/entrypoint/daemon.go
@@ -129,7 +129,7 @@ func runDaemonPmuxOnce(env crypticnet.Env) (crypticnet.Env, error) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		pmuxlib.Run(ctx, pmuxConfig)
+		pmuxlib.Run(ctx, os.Stdout, os.Stderr, pmuxConfig)
 	}()
 
 	wg.Add(1)
diff --git a/entrypoint/src/cmd/entrypoint/garage_util.go b/entrypoint/src/cmd/entrypoint/garage_util.go
index e4ce8a5..d912d8a 100644
--- a/entrypoint/src/cmd/entrypoint/garage_util.go
+++ b/entrypoint/src/cmd/entrypoint/garage_util.go
@@ -213,6 +213,7 @@ func garageApplyLayout(ctx context.Context, env crypticnet.Env) error {
 			clusterLayout[peer.RPCPeerID()] = peerLayout{
 				Capacity: alloc.Capacity / 100,
 				Zone:     hostName,
+				Tags:     []string{},
 			}
 		}
 
diff --git a/entrypoint/src/garage/admin_client.go b/entrypoint/src/garage/admin_client.go
index 988ceac..b4e5bb5 100644
--- a/entrypoint/src/garage/admin_client.go
+++ b/entrypoint/src/garage/admin_client.go
@@ -9,6 +9,17 @@ import (
 	"net/http"
 )
 
+// AdminClientError gets returned from AdminClient's Do method for non-200
+// errors.
+type AdminClientError struct {
+	StatusCode int
+	Body       []byte
+}
+
+func (e AdminClientError) Error() string {
+	return fmt.Sprintf("%d response from admin: %q", e.StatusCode, e.Body)
+}
+
 // AdminClient is a helper type for performing actions against the garage admin
 // interface.
 type AdminClient struct {
@@ -64,7 +75,11 @@ func (c *AdminClient) Do(
 	defer res.Body.Close()
 
 	if res.StatusCode != 200 {
-		return fmt.Errorf("unexpected %s response returned", res.Status)
+		body, _ := io.ReadAll(res.Body)
+		return AdminClientError{
+			StatusCode: res.StatusCode,
+			Body:       body,
+		}
 	}
 
 	if rcv == nil {
diff --git a/entrypoint/src/go.mod b/entrypoint/src/go.mod
index 6979fec..daa9d8e 100644
--- a/entrypoint/src/go.mod
+++ b/entrypoint/src/go.mod
@@ -3,7 +3,7 @@ module cryptic-net
 go 1.17
 
 require (
-	code.betamike.com/cryptic-io/pmux v0.0.0-20221020185531-7a7868003822
+	code.betamike.com/cryptic-io/pmux v0.0.0-20221025185405-29241f144a2d
 	github.com/adrg/xdg v0.4.0
 	github.com/imdario/mergo v0.3.12
 	github.com/minio/minio-go/v7 v7.0.28
diff --git a/entrypoint/src/go.sum b/entrypoint/src/go.sum
index 6e763ab..55b7003 100644
--- a/entrypoint/src/go.sum
+++ b/entrypoint/src/go.sum
@@ -1,5 +1,7 @@
 code.betamike.com/cryptic-io/pmux v0.0.0-20221020185531-7a7868003822 h1:c7Eu2h8gXOpOfhC1LvSYLNfiSsWTyvdI1XVpUuqMFHE=
 code.betamike.com/cryptic-io/pmux v0.0.0-20221020185531-7a7868003822/go.mod h1:cBuEN/rkaM/GH24uQroX/++qDmte+mLudDUqMt6XJWs=
+code.betamike.com/cryptic-io/pmux v0.0.0-20221025185405-29241f144a2d h1:s6nDTg23o9ujZZnl8ohZBDoG4SqPUyFfvod9DQjwmNU=
+code.betamike.com/cryptic-io/pmux v0.0.0-20221025185405-29241f144a2d/go.mod h1:cBuEN/rkaM/GH24uQroX/++qDmte+mLudDUqMt6XJWs=
 github.com/adrg/xdg v0.4.0 h1:RzRqFcjH4nE5C6oTAxhBtoE2IRyjBSa62SCbyPidvls=
 github.com/adrg/xdg v0.4.0/go.mod h1:N6ag73EX4wyxeaoeHctc1mas01KZgsj5tYiAIwqJE/E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/nix/garage.nix b/nix/garage.nix
index 5b521e7..3b8110c 100644
--- a/nix/garage.nix
+++ b/nix/garage.nix
@@ -24,7 +24,7 @@ in rec {
   env = buildEnv {
     name = "cryptic-net-garage";
     paths = [
-      garage
+      garage.pkgs.amd64.release
       minioClient
     ];
   };