diff --git a/apply.sh b/apply.sh
index 2f40dd2..42b09a5 100755
--- a/apply.sh
+++ b/apply.sh
@@ -2,5 +2,17 @@
 # the script executes updates to a nakamochi system.
 # it must be run as root or a user with equivalent privileges.
 
-# nothing yet
-exit 0
+exit_code=0
+
+# base os
+./base/void-pkg.sh || exit 1
+
+# lnd lightning
+. ./lnd/env
+lnd_apply || exit_code=$?
+
+# TODO: bitcoind
+# TODO: electrs
+# TODO: nd and ngui
+
+exit $exit_code
diff --git a/base/void-pkg.sh b/base/void-pkg.sh
new file mode 100755
index 0000000..de51425
--- /dev/null
+++ b/base/void-pkg.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+xbps-install -y opendoas tar curl diffutils
+
+if [ ! -f /etc/doas.conf ]; then
+    cat <<EOF > /etc/doas.conf
+permit nopass root
+permit setenv { -ENV PS1=\$DOAS_PS1 SSH_AUTH_SOCK } :wheel
+EOF
+fi
diff --git a/lnd/env b/lnd/env
new file mode 100644
index 0000000..6588118
--- /dev/null
+++ b/lnd/env
@@ -0,0 +1,56 @@
+LND_VERSION_DIR_AARCH64=lnd-linux-arm64-v0.15.2-beta
+LND_URL_AARCH64=https://github.com/lightningnetwork/lnd/releases/download/v0.15.2-beta/lnd-linux-arm64-v0.15.2-beta.tar.gz
+LND_SHA256_AARCH64=e35e81dca504a88d87552d26a06a58ea8515faf629e187e5e5a3dde4cc463cca
+
+LND_HOME=/home/lnd
+
+lnd_bin_install() {
+    cd $LND_HOME
+    local lnd_targz=$LND_VERSION_DIR_AARCH64.tar.gz
+    test -f $LND_VERSION_DIR_AARCH64/lnd && return 0;
+    curl -sSL -o $lnd_targz "$LND_URL_AARCH64"
+    if [ $? -ne 0 ]; then
+        printf "ERROR: unable to download $LND_URL_AARCH64\n" 1>&2
+        return 1
+    fi
+    printf "$LND_SHA256_AARCH64 $lnd_targz" | sha256sum --check
+    [ $? -ne 0 ] && return 1
+    tar -C $LND_HOME --no-same-owner -xf $lnd_targz
+    rm -f $lnd_targz
+    return $?
+}
+
+lnd_svc_install() {
+    mkdir -p /etc/sv/lnd
+    cat <<EOF > /etc/sv/lnd/run.new
+#!/bin/sh
+[ -r conf ] && . ./conf
+sv start bitcoind || exit 1
+exec chpst -u lnd $LND_HOME/$LND_VERSION_DIR_AARCH64/lnd -C /home/lnd/lnd.mainnet.conf 2>&1
+EOF
+    chmod +x /etc/sv/lnd/run
+    test -f /etc/sv/lnd/run && diff /etc/sv/lnd/run /etc/sv/lnd/run.new
+    if [ $? -ne 0 ]; then
+        sv -w 600 stop lnd || printf "ERROR: sv stop lnd failed\n" 1>&2
+        mv /etc/sv/lnd/run.new /etc/sv/lnd/run
+        sv start lnd || printf "ERROR: sv start lnd failed\n" 1>&2
+    fi
+    rm -f /etc/sv/lnd/run.new
+}
+
+lnd_cli_install() {
+    mkdir -p /opt/bin
+    cat <<EOF > /opt/bin/lncli.sh
+#!/bin/sh
+set -e
+cli=$LND_HOME/$LND_VERSION_DIR_AARCH64/lncli
+exec doas -u lnd \$cli --macaroonpath /ssd/lnd/data/chain/bitcoin/mainnet/admin.macaroon "\$@"
+EOF
+    chmod +x /opt/bin/lncli.sh
+}
+
+lnd_apply() {
+    lnd_bin_install || return 1
+    lnd_svc_install || return 1
+    lnd_cli_install || return 1
+}