diff --git a/data_bags/credentials/lnd.json b/data_bags/credentials/lnd.json
new file mode 100644
index 0000000..5e61dcb
--- /dev/null
+++ b/data_bags/credentials/lnd.json
@@ -0,0 +1,10 @@
+{
+ "id": "lnd",
+ "password": {
+ "encrypted_data": "etEgstimoXqyD8HhZZ7rKW0+LW3rnYAR3f++AOv6SA==\n",
+ "iv": "g9LA7GpA6eV1ZAJu\n",
+ "auth_tag": "wv67Nliq0HGqAhVeyhNO/g==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index 01bd552..1a71313 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -8,7 +8,7 @@
 "automatic": {
 "fqdn": "bitcoin-2",
 "os": "linux",
- "os_version": "5.4.0-58-generic",
+ "os_version": "5.4.0-77-generic",
 "hostname": "bitcoin-2",
 "ipaddress": "192.168.122.148",
 "roles": [
@@ -26,6 +26,8 @@
 "kosmos-bitcoin::dotnet",
 "kosmos-bitcoin::nbxplorer",
 "kosmos-bitcoin::btcpay",
+ "tor-full",
+ "tor-full::default",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -82,6 +84,7 @@
 "recipe[kosmos-bitcoin::c-lightning]",
 "recipe[kosmos-bitcoin::lnd]",
 "recipe[kosmos-bitcoin::rtl]",
- "role[btcpay]"
+ "role[btcpay]",
+ "recipe[tor-full]"
 ]
 }
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 812f9c3..1cf96a2 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -1,5 +1,5 @@
-node.default['bitcoin']['version'] = '0.21.0'
-node.default['bitcoin']['checksum'] = '1a91202c62ee49fb64d57a52b8d6d01cd392fffcbef257b573800f9289655f37'
+node.default['bitcoin']['version'] = '0.21.1'
+node.default['bitcoin']['checksum'] = 'caff23449220cf45753f312cefede53a9eac64000bb300797916526236b6a1e0'
 node.default['bitcoin']['username'] = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network'] = 'mainnet'
@@ -25,8 +25,11 @@ node.default['bitcoin']['conf'] = {
 zmqpubrawtx: 'tcp://127.0.0.1:8338'
 }
+# Also enables Tor for LND
+node.default['bitcoin']['tor_enabled'] = true
+
 node.default['c-lightning']['repo'] = 'https://github.com/ElementsProject/lightning'
-node.default['c-lightning']['revision'] = 'v0.9.3'
+node.default['c-lightning']['revision'] = 'v0.10.0'
 node.default['c-lightning']['source_dir'] = '/opt/c-lightning'
 node.default['c-lightning']['lightning_dir'] = "/home/#{node['bitcoin']['username']}/.lightning"
 node.default['c-lightning']['alias'] = 'ln3.kosmos.org'
@@ -35,7 +38,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.12.0-beta'
+node.default['lnd']['revision'] = 'v0.13.0-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -45,11 +48,12 @@ node.default['lnd']['public_ip'] = '148.251.237.111'
 node.default['lnd']['public_port'] = '9735'
 node.default['lnd']['port'] = '9736'
 node.default['lnd']['minchansize'] = '1000000'
-node.default['lnd']['basefee'] = '500'
-node.default['lnd']['feerate'] = '1'
+node.default['lnd']['basefee'] = '1000'
+node.default['lnd']['feerate'] = '50'
+node.default['lnd']['auto_unlock'] = true # requires credentials/lnd data bag item
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.10.0'
+node.default['rtl']['revision'] = 'v0.11.0'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
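Review bot: The comment `# Also enables Tor for LND` on the new `tor_enabled` attribute is misleading: as far as this diff shows nothing feeds the flag into bitcoind's own `conf` hash, while it does gate lnd's `--tor.active --tor.v3` flags, the Tor ControlPort/CookieAuthentication overrides and adding the bitcoin user to the `debian-tor` group. I would make the comment say what it actually switches on, e.g. `# Runs LND over Tor (outbound via SOCKS, inbound v3 onion service); also turns on Tor's control port and adds the bitcoin user to debian-tor. Not applied to bitcoind itself.` Because it defaults to `true` at cookbook level, every node that includes this cookbook now requires Tor and gets the group change; consider making that opt-in per node or role.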
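Review bot: `auto_unlock` defaults to `true` here, so the cookbook's out-of-the-box behaviour is to load the `credentials/lnd` encrypted data bag and persist the LND wallet password in cleartext to `~/.lnd/.unlock.txt` on every node that includes it. A wallet-unlock secret on disk should be an explicit per-node decision; the safer cookbook default is `node.default['lnd']['auto_unlock'] = false # true writes the wallet password to disk; requires credentials/lnd data bag item`. With the current default, any node lacking that data bag item will also abort the run at `Chef::EncryptedDataBagItem.load` rather than simply running lnd locked.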
@@ -57,13 +61,13 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
-node.default['nbxplorer']['revision'] = 'latest'
+node.default['nbxplorer']['revision'] = 'v2.1.52'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
 node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
 node.default['nbxplorer']['port'] = '24445'
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'latest'
+node.default['btcpay']['revision'] = 'v1.1.2'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
diff --git a/site-cookbooks/kosmos-bitcoin/metadata.rb b/site-cookbooks/kosmos-bitcoin/metadata.rb
index fe6cd0c..c8bb476 100644
--- a/site-cookbooks/kosmos-bitcoin/metadata.rb
+++ b/site-cookbooks/kosmos-bitcoin/metadata.rb
@@ -26,3 +26,4 @@ depends 'kosmos-nginx'
 depends 'kosmos-nodejs'
 depends 'firewall'
 depends 'application_javascript'
+depends 'tor-full'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
index 562ef67..42cf3c6 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
@@ -11,6 +11,7 @@ git node['btcpay']['source_dir'] do
 repository node['btcpay']['repo']
 revision node['btcpay']['revision']
 action :sync
+ notifies :stop, "systemd_unit[btcpayserver.service]", :immediately
 notifies :run, 'bash[build_btcpay]', :immediately
 end
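Review bot: Pinning `nbxplorer` and `btcpay` to tags is a clear improvement over `latest`, but a git tag is mutable and the `git` resource performs no signature verification, so the checkout still trusts anyone who can push to those upstream repositories. For code that custodies funds, pin the commit the tag resolves to and keep the tag as documentation, e.g. `node.default['btcpay']['revision'] = '<commit sha of v1.1.2>' # v1.1.2`, or verify the upstream signed tag out of band before bumping. The `lnd` and `c-lightning` revisions bumped in this same file deserve the same treatment.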
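Review bot: Stopping `btcpayserver.service` immediately before `bash[build_btcpay]` means a failed or interrupted build leaves the service down with nothing scheduled to bring it back, since presumably only the build (outside this hunk) notifies a restart. The stop should be paired with a guaranteed start regardless of build outcome, e.g. `notifies :start, "systemd_unit[btcpayserver.service]", :delayed` on the same `git` resource, and confirm delayed notifications still fire on a failed converge in the Chef version in use. Note also that the `git` sync has already rewritten the working tree by the time the stop fires, which is harmless only if the running service executes from a separate publish directory — worth confirming. The identical change in `nbxplorer.rb` has the same failure mode; the `git` resource itself starts outside the hunk.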
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
index 4e2464a..47bbe7e 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
@@ -17,7 +17,7 @@ bash "compile_lnd" do
 cwd node['lnd']['source_dir']
 code <<-EOH
 source /etc/profile.d/golang.sh
- make clean && make && make install
+ make clean && make && make install tags="signrpc walletrpc chainrpc invoicesrpc"
 EOH
 action :nothing
 notifies :restart, "systemd_unit[lnd.service]", :delayed
@@ -36,6 +36,17 @@ directory lnd_dir do
 action :create
 end
+if node['lnd']['auto_unlock']
+ lnd_credentials = Chef::EncryptedDataBagItem.load('credentials', 'lnd')
+ file "#{lnd_dir}/.unlock.txt" do
+ content lnd_credentials['password']
+ mode '0600'
+ owner bitcoin_user
+ group bitcoin_group
+ end
+end
+
 template "#{lnd_dir}/lnd.conf" do
 source "lnd.conf.erb"
 owner bitcoin_user
@@ -49,6 +60,8 @@ template "#{lnd_dir}/lnd.conf" do
 lnd_minchansize: node['lnd']['minchansize'],
 lnd_basefee: node['lnd']['basefee'],
 lnd_feerate: node['lnd']['feerate'],
+ lnd_dir: lnd_dir,
+ auto_unlock: node['lnd']['auto_unlock'],
 bitcoin_datadir: node['bitcoin']['datadir'],
 bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'],
 bitcoin_rpc_password: bitcoin_credentials["rpcpassword"],
@@ -58,6 +71,9 @@ template "#{lnd_dir}/lnd.conf" do
 notifies :restart, "systemd_unit[lnd.service]", :delayed
 end
+exec_flags = ""
+exec_flags += "--tor.active --tor.v3" if node['bitcoin']['tor_enabled']
+
 systemd_unit 'lnd.service' do
 content({
 Unit: {
@@ -70,7 +86,7 @@ systemd_unit 'lnd.service' do
 User: bitcoin_user,
 Group: bitcoin_group,
 Type: 'simple',
- ExecStart: '/opt/go/bin/lnd',
+ ExecStart: "/opt/go/bin/lnd #{exec_flags}",
 Restart: 'always',
 RestartSec: '30',
 TimeoutSec: '240',
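Review bot: Building with `tags="signrpc walletrpc chainrpc invoicesrpc"` compiles in the wallet and signer gRPC sub-servers, which let any client holding a suitable macaroon sign with the node's keys and move on-chain funds, so this widens what the admin macaroon and the gRPC/REST listeners expose. That is legitimate if the consumer (RTL, per the run_list) needs them, but the recipe should say so and the listen addresses in lnd.conf.erb (not in this hunk) should stay on localhost, e.g. `# sub-servers required by RTL; keep rpclisten/restlisten local and give RTL a scoped macaroon, not admin.macaroon`. The tags are passed only to `make install`, not the preceding `make`, which matches the upstream build instructions but means any binary left by the plain `make` step lacks them. `bash "compile_lnd"` starts outside the hunk.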
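Review bot: The `file` resource writing the wallet password lacks `sensitive true`, so on first creation or any content change chef-client prints the resource diff — the plaintext password — into its log and run report, and when `auto_unlock` is later set to false the recipe drops the lnd.conf line but leaves `.unlock.txt` on disk. Mode 0600 under the bitcoin user is right, but every process running as that account (c-lightning, nbxplorer, btcpay, RTL on this node, if they share it — confirm) can read the file, so the secret is only as private as the weakest of those services. Mark the resource sensitive and add an `else` branch that removes the file, as below.
```ruby
  file "#{lnd_dir}/.unlock.txt" do
    # … unchanged: content, mode '0600', owner, group …
    sensitive true # keep the plaintext wallet password out of chef-client logs and diffs
  end
else
  # auto-unlock disabled: do not leave a stale copy of the wallet password on disk
  file "#{lnd_dir}/.unlock.txt" do
    action :delete
  end
end
```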
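Review bot: Passing `--tor.active --tor.v3` via `exec_flags` on the unit's `ExecStart` splits lnd's configuration between `lnd.conf.erb` and the systemd unit, and toggling the flag now rewrites and restarts the unit instead of just the config. Since the template already takes an `auto_unlock` variable, the cleaner form is to pass `tor_enabled: node['bitcoin']['tor_enabled']` to it and render `[tor]` with `tor.active=1` and `tor.v3=1` there, leaving `ExecStart: '/opt/go/bin/lnd'` untouched (this also avoids the trailing space in `ExecStart=/opt/go/bin/lnd ` when the flag is off). Be aware that `tor.active` does not by itself stop lnd from listening on clearnet or advertising the configured public IP, so if Tor-only operation is the goal, the listen/externalip settings in lnd.conf.erb need attention too.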
@@ -95,3 +111,8 @@ firewall_rule 'lnd' do
 protocol :tcp
 command :allow
 end
+
+if node['bitcoin']['tor_enabled']
+ node.override['tor']['ControlPort'] = 9051
+ node.override['tor']['CookieAuthentication'] = true
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
index 729e076..d771ede 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
@@ -11,6 +11,7 @@ git node['nbxplorer']['source_dir'] do
 repository node['nbxplorer']['repo']
 revision node['nbxplorer']['revision']
 action :sync
+ notifies :stop, "systemd_unit[nbxplorer.service]", :immediately
 notifies :run, 'bash[build_nbxplorer]', :immediately
 end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
index dfd993b..51df04f 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
@@ -27,7 +27,6 @@ end
 build_essential
 include_recipe 'ark'
-
 %w{ libtool autotools-dev make automake cmake curl g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
 apt_package pkg
@@ -82,6 +81,14 @@ user bitcoin_user do
 shell "/bin/bash"
 end
+if node['bitcoin']['tor_enabled']
+ group 'debian-tor' do
+ action :modify
+ members bitcoin_user
+ append true
+ end
+end
+
 [bitcoin_datadir, bitcoin_walletdir].each do |path|
 directory path do
 owner bitcoin_user
diff --git a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
index b96f7d8..57c7caf 100644
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
@@ -6,6 +6,7 @@ alias=<%= @lnd_alias %>
 color=<%= @lnd_color %>
 maxpendingchannels=2
 minchansize=<%= @lnd_minchansize %>
+<% if @auto_unlock %>wallet-unlock-password-file=<%= @lnd_dir %>/.unlock.txt<% end %>
 [autopilot]
 autopilot.active=0
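Review bot: The override turns on Tor's control port and cookie auth but sets no `SocksPorts`, while the tor-full README in this same change says SocksPorts "Defaults to disabled" and lnd's `--tor.active` needs a SOCKS proxy (its `tor.socks` default is localhost:9050). If the torrc template really disables the SOCKS listener when the attribute is unset, every outbound lnd connection will fail once Tor is active, so either confirm the template leaves Tor's built-in `SocksPort 9050` alone or add `node.override['tor']['SocksPorts'] = ['127.0.0.1:9050']` next to these lines. Setting `node.override` from inside a recipe also only works because `recipe[tor-full]` is compiled after `kosmos-bitcoin::lnd` in `nodes/bitcoin-2.json`; declaring the same values in `attributes/default.rb` would not depend on run_list order, since torrc.erb reads the node at converge time.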
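Review bot: `group 'debian-tor'` with `action :modify` raises when the group does not exist, and `debian-tor` is created by the tor package that `recipe[tor-full]` installs — which `nodes/bitcoin-2.json` places last in the run_list — so a fresh node fails here on its first converge before Tor is ever installed. Since `metadata.rb` now depends on `tor-full`, add `include_recipe 'tor-full'` as the first line of this `if` block so the package is installed before the group is modified (`action :manage` is not a fix: it would silently skip and leave lnd unable to read the cookie). Group membership only helps if Tor writes its cookie group-readable (`CookieAuthFileGroupReadable 1`); Debian's service defaults set that, but the cookbook's own torrc does not render it, so verify `/run/tor/control.authcookie` is group-readable after converge. It is also worth a comment that `debian-tor` membership grants the bitcoin account full Tor controller access, which is what lnd's onion-service setup needs.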
diff --git a/site-cookbooks/tor-full/README.md b/site-cookbooks/tor-full/README.md
index 6b2a6c4..415cbf7 100644
--- a/site-cookbooks/tor-full/README.md
+++ b/site-cookbooks/tor-full/README.md
@@ -32,6 +32,8 @@ The following platform families are supported:
 * `node['tor']['MinLogLevel']` - The minimum log level to log. Possible values include debug, info, notice, warn, and err.
 * `node['tor']['LogDestination']` - Where logs should be written. Valid values include a path to a file or "syslog"
 * `node['tor']['SocksPorts']` - List of 'address:port' to open tor socks proxy on. Defaults to disabled
+* `node['tor']['ControlPort']` - The port on which Tor will listen for local connections from Tor controller applications
+* `node['tor']['CookieAuthentication']` - Enable this (`true`) when using ControlPort
 ### Hidden Services config section
diff --git a/site-cookbooks/tor-full/templates/default/torrc.erb b/site-cookbooks/tor-full/templates/default/torrc.erb
index f5dd682..ca07818 100644
--- a/site-cookbooks/tor-full/templates/default/torrc.erb
+++ b/site-cookbooks/tor-full/templates/default/torrc.erb
@@ -65,11 +65,11 @@ DataDirectory <%= node['tor']['DataDirectory'] %>
 ## The port on which Tor will listen for local connections from Tor
 ## controller applications, as documented in control-spec.txt.
-#ControlPort 9051
+<% if node['tor']['ControlPort'] %>ControlPort <%= node['tor']['ControlPort'] %><% else %>#ControlPort 9051<% end %>
 ## If you enable the controlport, be sure to enable one of these
 ## authentication methods, to prevent attackers from accessing it.
 #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
-#CookieAuthentication 1
+<% if node['tor']['CookieAuthentication'] %>CookieAuthentication 1<% else %>#CookieAuthentication 1<% end %>
 ############### This section is just for location-hidden services ###
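Review bot: The template now allows `ControlPort` to be rendered while `CookieAuthentication` stays commented out, which yields an unauthenticated Tor controller port — exactly what the torrc comment two lines above warns against, and nothing in this change wants the port without authentication. Couple them so the port cannot be enabled unauthenticated: `<% if node['tor']['ControlPort'] || node['tor']['CookieAuthentication'] %>CookieAuthentication 1<% else %>#CookieAuthentication 1<% end %>`. A bare port number binds to 127.0.0.1 by Tor's default, but the template will also accept an `address:port` value, so the README entry should state that it must stay localhost-only. Consider also emitting `CookieAuthFileGroupReadable 1` when the control port is on, since the consumer in this change (lnd as a `debian-tor` group member) depends on reading the cookie file.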