diff --git a/dind/Dockerfile b/dind/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..13c57db79cf9098556ac68e6ecd1bf6ab7bf2b91
--- /dev/null
+++ b/dind/Dockerfile
@@ -0,0 +1,79 @@
+FROM registry.e-biz.fr/deadlock-public/deadlock-theia:latest
+
+
+# RUN apk add --no-cache \
+		# ca-certificates \
+# DOCKER_HOST=ssh://... -- https://github.com/docker/cli/pull/1014
+		# openssh-client
+
+RUN apt update
+
+RUN	apt install \
+    apt-transport-https \
+    ca-certificates \
+	openssh-client \
+    curl \
+    gnupg-agent \
+    software-properties-common -y
+
+# set up nsswitch.conf for Go's "netgo" implementation (which Docker explicitly uses)
+# - https://github.com/docker/docker-ce/blob/v17.09.0-ce/components/engine/hack/make.sh#L149
+# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
+# - docker run --rm debian:stretch grep '^hosts:' /etc/nsswitch.conf
+# RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
+# already present on ubuntu image
+
+# ENV DOCKER_VERSION 20.10.0-rc1
+# TODO ENV DOCKER_SHA256
+# https://github.com/docker/docker-ce/blob/5b073ee2cf564edee5adca05eee574142f7627bb/components/packaging/static/hash_files !!
+# (no SHA file artifacts on download.docker.com yet as of 2017-06-07 though)
+
+RUN set -eux; \
+	\
+	apkArch="$(uname -m)"; \
+	case "$apkArch" in \
+		'x86_64') \
+			url='https://download.docker.com/linux/static/test/x86_64/docker-20.10.0-rc1.tgz'; \
+			;; \
+		'armhf') \
+			url='https://download.docker.com/linux/static/test/armel/docker-20.10.0-rc1.tgz'; \
+			;; \
+		'armv7') \
+			url='https://download.docker.com/linux/static/test/armhf/docker-20.10.0-rc1.tgz'; \
+			;; \
+		'aarch64') \
+			url='https://download.docker.com/linux/static/test/aarch64/docker-20.10.0-rc1.tgz'; \
+			;; \
+		*) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;; \
+	esac; \
+	\
+	wget -O docker.tgz "$url"; \
+	\
+	tar --extract \
+		--file docker.tgz \
+		--strip-components 1 \
+		--directory /usr/local/bin/ \
+	; \
+	rm docker.tgz; \
+	\
+	dockerd --version; \
+	docker --version
+
+# COPY modprobe.sh /usr/local/bin/modprobe
+COPY docker-entrypoint.sh /usr/local/bin/
+
+# https://github.com/docker-library/docker/pull/166
+#   dockerd-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-generating TLS certificates
+#   docker-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-setting DOCKER_TLS_VERIFY and DOCKER_CERT_PATH
+# (For this to work, at least the "client" subdirectory of this path needs to be shared between the client and server containers via a volume, "docker cp", or other means of data sharing.)
+ENV DOCKER_TLS_CERTDIR=/certs
+# also, ensure the directory pre-exists and has wide enough permissions for "dockerd-entrypoint.sh" to create subdirectories, even when run in "rootless" mode
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+# (doing both /certs and /certs/client so that if Docker does a "copy-up" into a volume defined on /certs/client, it will "do the right thing" by default in a way that still works for rootless users)
+
+RUN mkdir -p /home/theia/.ssh
+RUN eval "$(ssh-agent -s)" && ssh-keyscan -H 149.202.162.248 >> /home/theia/.ssh/known_hosts
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+# ENTRYPOINT ["bash", "echo", "$PATH"]
+CMD ["bash"]
\ No newline at end of file
diff --git a/dind/README.md b/dind/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..47f9d71a629dd163894e3c41929182e60b4fd9c5
--- /dev/null
+++ b/dind/README.md
@@ -0,0 +1,26 @@
+
+
+
+# What work ?
+
+| Docker        |               |                                           |
+| ------------- |:-------------:|:-----------------------------------------:|
+| run           |      OK       |                                           |
+| build         |      OK       |                                           |
+| volume        |      KO       | S1: Create nfs VPS <-> container          |
+| network       |      OK~      | Must bind external VPS ip to localhost    |
+|               |               | but expose everything user run on ethernet|
+|               |               | or create a VPN for each container <-> VPS|
+
+
+## Attempts
+
+### Try to create nfs between VPS <-> container
+#### With SSHFS
+
+*Resources*
+* https://github.com/libfuse/sshfs
+* https://www.server-world.info/en/note?os=CentOS_8&p=ssh&f=8
+* `sshfs centos@149.202.162.248:/home/centos/toast toast`
+
+--> Does not work because we need to run container with privileged.
diff --git a/dind/docker-entrypoint.sh b/dind/docker-entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..d41cef8e3cda93268166052287c6c3b850ce1b54
--- /dev/null
+++ b/dind/docker-entrypoint.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -eu
+
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- docker "$@"
+fi
+
+# if our command is a valid Docker subcommand, let's invoke it through Docker instead
+# (this allows for "docker run docker ps", etc)
+if docker help "$1" > /dev/null 2>&1; then
+	set -- docker "$@"
+fi
+
+_should_tls() {
+	[ -n "${DOCKER_TLS_CERTDIR:-}" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/ca.pem" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/cert.pem" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/key.pem" ]
+}
+
+# if we have no DOCKER_HOST but we do have the default Unix socket (standard or rootless), use it explicitly
+if [ -z "${DOCKER_HOST:-}" ] && [ -S /var/run/docker.sock ]; then
+	export DOCKER_HOST=unix:///var/run/docker.sock
+elif [ -z "${DOCKER_HOST:-}" ] && XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" && [ -S "$XDG_RUNTIME_DIR/docker.sock" ]; then
+	export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
+fi
+
+# if DOCKER_HOST isn't set (no custom setting, no default socket), let's set it to a sane remote value
+if [ -z "${DOCKER_HOST:-}" ]; then
+	if _should_tls || [ -n "${DOCKER_TLS_VERIFY:-}" ]; then
+		export DOCKER_HOST='tcp://docker:2376'
+	else
+		export DOCKER_HOST='tcp://docker:2375'
+	fi
+fi
+if [ "${DOCKER_HOST#tcp:}" != "$DOCKER_HOST" ] \
+	&& [ -z "${DOCKER_TLS_VERIFY:-}" ] \
+	&& [ -z "${DOCKER_CERT_PATH:-}" ] \
+	&& _should_tls \
+; then
+	export DOCKER_TLS_VERIFY=1
+	export DOCKER_CERT_PATH="$DOCKER_TLS_CERTDIR/client"
+fi
+
+if [ "$1" = 'dockerd' ]; then
+	cat >&2 <<-'EOW'
+
+		📎 Hey there!  It looks like you're trying to run a Docker daemon.
+
+		   You probably should use the "dind" image variant instead, something like:
+
+		     docker run --privileged --name some-docker ... docker:dind ...
+
+		   See https://hub.docker.com/_/docker/ for more documentation and usage examples.
+
+	EOW
+	sleep 3
+fi
+
+exec "$@"
diff --git a/dind/modprobe.sh b/dind/modprobe.sh
new file mode 100644
index 0000000000000000000000000000000000000000..45033ff37f3c612eecd0ec8d699aba85b70d4d91
--- /dev/null
+++ b/dind/modprobe.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -eu
+
+# "modprobe" without modprobe
+# https://twitter.com/lucabruno/status/902934379835662336
+
+# this isn't 100% fool-proof, but it'll have a much higher success rate than simply using the "real" modprobe
+
+# Docker often uses "modprobe -va foo bar baz"
+# so we ignore modules that start with "-"
+for module; do
+	if [ "${module#-}" = "$module" ]; then
+		ip link show "$module" || true
+		lsmod | grep "$module" || true
+	fi
+done
+
+# remove /usr/local/... from PATH so we can exec the real modprobe as a last resort
+export PATH='/usr/sbin:/usr/bin:/sbin:/bin'
+exec modprobe "$@"
\ No newline at end of file