diff --git a/rip_docker/.gitignore b/rip_docker/.gitignore
index b62a8bd..73b3d4e 100644
--- a/rip_docker/.gitignore
+++ b/rip_docker/.gitignore
@@ -1,6 +1 @@
-bin
-dangerzone-cmdline
-dangerzone-initrd.img
-dangerzone-kernel
-dangerzone-state
-stdout.log
\ No newline at end of file
+vm
diff --git a/rip_docker/README.md b/rip_docker/README.md
index 0915f13..4f741b8 100644
--- a/rip_docker/README.md
+++ b/rip_docker/README.md
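Review bot: The rewritten ignore list covers only `vm`, while the private key this commit moves into the same directory (`rip_docker/ssh-key/id_ed25519`, per the rename record further down) stays tracked, and the README hunk tells users to authenticate with it (`ssh -i ./ssh-key/id_ed25519 -o StrictHostKeyChecking=no user@192.168.65.3`). A key committed to the repository is shared by every clone, so presumably anyone holding a copy of this repo and reaching the VM's address can log in as that user. Unless `ssh-key/README.md` (not shown on this page) states that the key is a deliberate throwaway for local builds, add `ssh-key/id_ed25519` to this .gitignore and generate the keypair on the developer's machine at build time. With a per-developer key, the `-o StrictHostKeyChecking=no` in the README instructions can also be dropped so the VM's host key is actually verified.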
@@ -1,80 +1,23 @@
-# RIP Docker
+# Build the Dangerzone VM for running podman
 
-Notes for removing the Docker Desktop dependency from Dangerzone.
+## Build the podman container storage (with vagrant)
 
-## macOS
+You need vagrant: `brew install vagrant`
 
-The most promising path forward is with [LinuxKit](https://github.com/linuxkit/linuxkit) and [HyperKit](https://github.com/moby/hyperkit). This is super helpful, a [LinuxKit config for Docker for Mac](https://github.com/linuxkit/linuxkit/blob/master/examples/docker-for-mac.md).
-
-### Install Docker Desktop
-
-Docker is required for linuxkit to build the VM image.
-
-### Collect the binaries
+## Build the ISO image (with docker)
 
 ```sh
-mkdir -p bin
-
-# download pre-built LinuxKit binary
-cd bin
-wget https://github.com/linuxkit/linuxkit/releases/download/v0.8/linuxkit-darwin-amd64
-chmod +x linuxkit-darwin-amd64
-mv linuxkit-darwin-amd64 linuxkit
-cd ..
-
-# copy binaries from Docker Desktop
-cp /Applications/Docker.app/Contents/Resources/bin/com.docker.hyperkit bin/hyperkit
-cp /Applications/Docker.app/Contents/Resources/bin/com.docker.vpnkit bin/vpnkit
-cp /Applications/Docker.app/Contents/Resources/bin/com.docker.cli bin/docker
+docker run -v $(pwd):/build alpine:latest /build/build-iso.sh
 ```
 
-### Build the dangerzone VM image and see if it works
-
-When building the image, use `linuxkit` from homebrew to avoid a problem with expired certificates:
-
-```
-brew tap linuxkit/linuxkit
-brew install --HEAD linuxkit
-```
-
-Then use it:
+## Run the VM
 
 ```sh
-/usr/local/bin/linuxkit build -format kernel+initrd dangerzone.yml
+./run-vm.sh
 ```
 
-And then try running it (using `linuxkit` from bin):
+You can ssh in as the unprivileged user like this:
 
 ```sh
-./bin/linuxkit run hyperkit \
- -hyperkit ./bin/hyperkit \
- -vpnkit ./bin/vpnkit \
- -cpus 2 \
- -data-file ./metadata.json \
- -networking=vpnkit \
- -vsock-ports=2376 \
- -disk size=4096M \
- -mem 2048 \
- -kernel dangerzone
-```
-
-And see if it works:
-
-```sh
-./bin/docker -H unix://dangerzone-state/guest.00000948 ps
-```
-
-Inside the VM you can shutdown with `poweroff`.
-
-### Ooh, almost there
-
-```
-$ ./bin/docker -H unix://dangerzone-state/guest.00000948 run hello-world
-Unable to find image 'hello-world:latest' locally
-latest: Pulling from library/hello-world
-b8dfde127a29: Pull complete
-Digest: sha256:9f6ad537c5132bcce57f7a0a20e317228d382c3cd61edae14650eec68b2b345c
-Status: Downloaded newer image for hello-world:latest
-docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:432: running prestart hook 0 caused \\\"fork/exec /proc/7/exe: no such file or directory\\\"\"": unknown.
-ERRO[0003] error waiting for container: context canceled
+ssh -i ./ssh-key/id_ed25519 -o StrictHostKeyChecking=no user@192.168.65.3
 ```
diff --git a/rip_docker/Vagrantfile b/rip_docker/Vagrantfile
new file mode 100644
index 0000000..5dd1c8a
--- /dev/null
+++ b/rip_docker/Vagrantfile
@@ -0,0 +1,14 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+ config.vm.box = "generic/alpine313"
+ config.vm.synced_folder "../../dangerzone-converter", "/opt/dangerzone-converter"
+ config.vm.synced_folder ".", "/opt/build"
+ config.vm.provision "shell", inline: <<-SHELL
+ apk update
+ apk add alpine-sdk build-base apk-tools alpine-conf busybox fakeroot syslinux xorriso squashfs-tools sudo
+ apk add mtools dosfstools grub-efi
+ apk add p7zip
+ SHELL
+end
diff --git a/rip_docker/vm-image-builder/build-iso.sh b/rip_docker/build-iso.sh
similarity index 100%
rename from rip_docker/vm-image-builder/build-iso.sh
rename to rip_docker/build-iso.sh
diff --git a/rip_docker/vm-image-builder/configure.sh b/rip_docker/configure.sh
similarity index 100%
rename from rip_docker/vm-image-builder/configure.sh
rename to rip_docker/configure.sh
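Review bot: `config.vm.box = "generic/alpine313"` in the new Vagrantfile is not pinned to a box version, so two developers running `vagrant up` at different times can build the podman container storage from different base images and the result is not reproducible; add `config.vm.box_version = "<pinned box version>"` right below it. The synced folder `"../../dangerzone-converter"` also assumes a sibling checkout two directory levels up, which nothing in the README hunk mentions, so a missing checkout surfaces only as a provisioning failure. A one-line comment above that line, `# expects the dangerzone-converter repository checked out next to this one`, or a mention in the README's vagrant section would make the prerequisite explicit. The three `apk add` calls in the inline provisioner could be merged into one for clarity, but that is cosmetic.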
diff --git a/rip_docker/dangerzone.yml b/rip_docker/dangerzone.yml
deleted file mode 100644
index 739cff0..0000000
--- a/rip_docker/dangerzone.yml
+++ /dev/null
@@ -1,115 +0,0 @@ -# Thanks: https://github.com/linuxkit/linuxkit/blob/master/examples/docker-for-mac.yml - -# This is an example for building the open source components of Docker for Mac -kernel: - image: linuxkit/kernel:5.10.39 - cmdline: "console=ttyS0 page_poison=1" -init: - - linuxkit/vpnkit-expose-port:b0a5ede4c53aa718b48fb9a86e4725ab6ae7f96e # install vpnkit-expose-port and vpnkit-iptables-wrapper on host - - linuxkit/init:78fb57c7da07c4e43c3a37b27755581da087a3b6 - - linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d - - linuxkit/containerd:cc02c2af9c928c2faeccbe4edc78bd297ad91866 - - linuxkit/ca-certificates:4df823737c9bf6a9564b736f1a19fd25d60e909a -onboot: - # support metadata for optional config in /run/config - - name: metadata - image: linuxkit/metadata:91125438842110e7709811997815b7b33dc18d1d - - name: sysctl - image: linuxkit/sysctl:02d2bd74509fd063857ceb4c4f502f09ee4f2e0a - - name: sysfs - image: linuxkit/sysfs:3498aa99c90a29439b5a1926f6ffcd75c270372c - - name: binfmt - image: linuxkit/binfmt:5567917e7de481e4867d31c7490a0ebdb70e04a5 - # Format and mount the disk image in /var/lib/docker - - name: format - image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3 - - name: mount - image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb - command: ["/usr/bin/mountie", "/var/lib"] - # make a swap file on the mounted disk - - name: swap - image: linuxkit/swap:0028aeae2741d28120e4d2c6efcc5af003eae395 - command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"] - # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding - - name: mount-vpnkit - image: alpine:3.11 - binds: - - /var/:/host_var:rbind,rshared - capabilities: - - CAP_SYS_ADMIN - rootfsPropagation: shared - command: ["sh", "-c", "mkdir -p /host_var/vpnkit/port && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"] - # move logs to the mounted disk (this is a temporary fix until we can limit the log sizes) - 
- name: move-logs - image: alpine:3.11 - binds: - - /var:/host_var - command: ["sh", "-c", "mv -v /host_var/log /host_var/lib && ln -vs /var/lib/log /host_var/log"] - - name: dhcpcd - image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388 - command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] -services: - # Enable acpi to shutdown on power events - - name: acpid - image: linuxkit/acpid:d2ddd88c7918466f875e7c5c3e527b51dfb0b0ea - # Enable getty for easier debugging - - name: getty - image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101 - env: - - INSECURE=true - # Run ntpd to keep time synchronised in the VM - - name: ntpd - image: linuxkit/openntpd:66f25a516c7460f5e49195309cf276903741c428 - # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock - # to a socket on the host. - - name: vsudd - image: linuxkit/vsudd:8b442fc9296ce581e8755675eadc928c13ac79c9 - binds: - - /var/run:/var/run - command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"] - # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373. - # It needs access to the vpnkit 9P coordination share - - name: vpnkit-forwarder - image: linuxkit/vpnkit-forwarder:56ed525d212ca17e01b54d9b66c39b534a4392bc - binds: - - /var/vpnkit:/port - net: host - command: ["/vpnkit-forwarder", "-vsockPort", "62373"] - # Monitor for image deletes and invoke a TRIM on the container filesystem - - name: trim-after-delete - image: linuxkit/trim-after-delete:ac6307a62c926a49a067d4de8667c2789b5ce2c9 - # When the host resumes from sleep, force a clock resync - - name: host-timesync-daemon - image: linuxkit/host-timesync-daemon:32fec3fc7d03e5600ef88526c8f187cf21e8e0cc - # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container. - # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit - # for vpnkit coordination and /run/config/docker for the configuration file. 
- - name: docker-dfm - image: docker:18-dind # docker-in-docker 19 and 20 won't run containers - capabilities: - - all - net: host - mounts: - - type: cgroup - options: ["rw","nosuid","noexec","nodev","relatime"] - binds: - - /etc/resolv.conf:/etc/resolv.conf - - /var/lib/docker:/var/lib/docker - - /lib/modules:/lib/modules - - /var/vpnkit:/port # vpnkit control 9p mount - - /var/run:/var/run - - /run/config/docker:/var/config/docker - - /usr/bin/vpnkit-expose-port:/usr/bin/vpnkit-expose-port # userland proxy - - /usr/bin/vpnkit-iptables-wrapper:/usr/bin/iptables # iptables wrapper - command: [ "/usr/local/bin/docker-init", "/usr/local/bin/dockerd", "--", - "--config-file", "/var/config/docker/daemon.json", - "--swarm-default-advertise-addr=eth0", - "--userland-proxy-path", "/usr/bin/vpnkit-expose-port", - "--storage-driver", "overlay2" ] - runtime: - mkdir: ["/var/lib/docker"] - -trust: - org: - - linuxkit - - library
diff --git a/rip_docker/vm-image-builder/genapkovl-dangerzone.sh b/rip_docker/genapkovl-dangerzone.sh
similarity index 100%
rename from rip_docker/vm-image-builder/genapkovl-dangerzone.sh
rename to rip_docker/genapkovl-dangerzone.sh
diff --git a/rip_docker/metadata.json b/rip_docker/metadata.json
deleted file mode 100644
index 875b2ff..0000000
--- a/rip_docker/metadata.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "docker": {
- "entries": {
- "daemon.json": {
- "content": "{\"debug\": true, \"experimental\": false, \"live-restore\": true}"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/rip_docker/vm-image-builder/mkimg.dangerzone.sh b/rip_docker/mkimg.dangerzone.sh
similarity index 100%
rename from rip_docker/vm-image-builder/mkimg.dangerzone.sh
rename to rip_docker/mkimg.dangerzone.sh
diff --git a/rip_docker/vm-image-builder/run-vm.sh b/rip_docker/run-vm.sh
similarity index 100%
rename from rip_docker/vm-image-builder/run-vm.sh
rename to rip_docker/run-vm.sh
diff --git a/rip_docker/vm-image-builder/ssh-key/README.md b/rip_docker/ssh-key/README.md
similarity index 100%
rename from rip_docker/vm-image-builder/ssh-key/README.md
rename to rip_docker/ssh-key/README.md
diff --git a/rip_docker/vm-image-builder/ssh-key/id_ed25519 b/rip_docker/ssh-key/id_ed25519
similarity index 100%
rename from rip_docker/vm-image-builder/ssh-key/id_ed25519
rename to rip_docker/ssh-key/id_ed25519
diff --git a/rip_docker/vm-image-builder/ssh-key/id_ed25519.pub b/rip_docker/ssh-key/id_ed25519.pub
similarity index 100%
rename from rip_docker/vm-image-builder/ssh-key/id_ed25519.pub
rename to rip_docker/ssh-key/id_ed25519.pub
diff --git a/rip_docker/vm-image-builder/.gitignore b/rip_docker/vm-image-builder/.gitignore
deleted file mode 100644
index 73b3d4e..0000000
--- a/rip_docker/vm-image-builder/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-vm
diff --git a/rip_docker/vm-image-builder/README.md b/rip_docker/vm-image-builder/README.md
deleted file mode 100644
index 4f741b8..0000000
--- a/rip_docker/vm-image-builder/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# Build the Dangerzone VM for running podman
-
-## Build the podman container storage (with vagrant)
-
-You need vagrant: `brew install vagrant`
-
-## Build the ISO image (with docker)
-
-```sh
-docker run -v $(pwd):/build alpine:latest /build/build-iso.sh
-```
-
-## Run the VM
-
-```sh
-./run-vm.sh
-```
-
-You can ssh in as the unprivileged user like this:
-
-```sh
-ssh -i ./ssh-key/id_ed25519 -o StrictHostKeyChecking=no user@192.168.65.3
-```