diff --git a/roles/baseline/tasks/firewall.yml b/roles/baseline/tasks/firewall.yml
index e5ad359..dda5981 100644
--- a/roles/baseline/tasks/firewall.yml
+++ b/roles/baseline/tasks/firewall.yml
@@ -14,3 +14,12 @@
     mode: "0755"
     src: firewall.j2
   notify: Restart firewall
+
+- name: Firewall for mosh
+  ansible.builtin.template:
+    dest: /etc/firewall.d/mosh
+    group: root
+    owner: root
+    mode: "0755"
+    src: mosh.j2
+  notify: Restart firewall
diff --git a/roles/baseline/tasks/packages.yml b/roles/baseline/tasks/packages.yml
index 5d2cb57..2d5ec7f 100644
--- a/roles/baseline/tasks/packages.yml
+++ b/roles/baseline/tasks/packages.yml
@@ -40,12 +40,5 @@
       - acl
       - sudo
       - ntpsec-ntpdate
-
-- name: Firewall for mosh
-  ansible.builtin.template:
-    dest: /etc/firewall.d/mosh
-    group: root
-    owner: root
-    mode: "0755"
-    src: mosh.j2
-  notify: Restart firewall
+      - openssh-server
+      - ifupdown
diff --git a/roles/ppm/tasks/oneapp.yml b/roles/ppm/tasks/oneapp.yml
index e148794..d0c471e 100644
--- a/roles/ppm/tasks/oneapp.yml
+++ b/roles/ppm/tasks/oneapp.yml
@@ -57,6 +57,16 @@
   ansible.builtin.include_tasks: updateappdef.yml
   when: ppm_app.chicken_egg_appdefinition is defined
 
+- name: "Ensure parent directories for extra files exist ({{ ppm_app.user }})"
+  ansible.builtin.file:
+    path: "{{ ppm_app_user.home }}/{{ item.to | dirname }}"
+    state: directory
+    owner: "{{ ppm_app_user.name }}"
+    group: "{{ ppm_app_user.group }}"
+    mode: "0755"
+  loop: "{{ ppm_app.extra_files | default([]) }}"
+  when: (item.to | dirname) not in ['', '.']
+
 - name: "Set up extra files for {{ ppm_app.user }}"
   ansible.builtin.copy:
     src: "{{ item.from }}"