diff --git a/provision.sh b/provision.sh
index 3ede187..4b4acad 100644
--- a/provision.sh
+++ b/provision.sh
@@ -3,6 +3,7 @@
 # [!sudo_password!] - the sudo password to set
 # [!server_id!] - the servers id
 # [!keystonepublickey!] - keystone's public key
+# [!callback!] - callback url
 apt_wait() {
 while fuser /var/lib/dpkg/lock >/dev/null 2>&1; do
@@ -126,4 +127,4 @@ EOF
 # Callback that the server is installed
-curl --insecure --data "server_id=[!server_id!]&sudo_password=[!sudo_password!] https://keystone.test/provisioning/callback/app
\ No newline at end of file
+curl --insecure --data "server_id=[!server_id!] [!callback!]
\ No newline at end of file
diff --git a/routes/web.php b/routes/web.php
index fd70820..c98084a 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -1,9 +1,11 @@ header('Content-Type', 'text/plain'); })->name('provision-script');
+Route::get('/provision-callback', function (Request $request) {
+ $validated = $request->validate([
+ 'server_id' => ['required', 'integer', 'exists:servers,id'],
+ 'sudo_password' => ['required', 'string'],
+ ]);
+
+ $server = Server::find($validated['server_id']);
+
+ if (! in_array($request->ip(), [$server->ipv4, $server->ipv6])) {
+ logger('someone tried to callback from an invalid IP');
+ logger(' server ip: ' . $server->ipv4);
+ logger(' server ipv6: ' . $server->ipv6);
+ logger(' callback ip: ' . $request->ip());
+ logger(' server id: ' . $server->id);
+ return response('Unauthorized', 401);
+ }
+
+ $server->update([
+ 'status' => ServerStatus::ACTIVE,
+ ]);
+})->name('provision.callback');
+
 require __DIR__ . '/settings.php';
 require __DIR__ . '/auth.php';
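Review bot: The rewritten callback line keeps `--insecure`, so curl accepts any TLS certificate and the call that marks the server as installed is not protected against interception; drop the flag, or pass the private CA with `--cacert` if the endpoint is not publicly trusted. Removing `sudo_password` from the payload is a good change, but the `/provision-callback` route added in routes/web.php still validates that field as `required`, and `--data` makes curl send a POST to a route registered with `Route::get`, so as visible here the callback looks unable to succeed. The double quote opened before `server_id=` is never closed on the visible line, which would pull the URL into the data string or fail shell parsing. Something like `curl --fail --data "server_id=[!server_id!]" "[!callback!]"` addresses the quoting and surfaces HTTP errors to the script.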
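Review bot: The new callback is authenticated only by source address, `in_array($request->ip(), [$server->ipv4, $server->ipv6])`, and the comparison is loose, so a null `ipv6` column or any proxy configuration that lets forwarded headers shape `$request->ip()` (not visible here) weakens the check. Consider embedding a per-server random one-time token in the provision script and verifying it with `hash_equals()`, passing `true` as the third argument to `in_array`, and switching to `ServerStatus::ACTIVE` only while the server is still awaiting provisioning, so the request cannot be replayed later. The route changes state but is registered with `Route::get`, while the script calls it with `curl --data` (a POST); `Route::post('/provision-callback', ...)` would match the caller and keep parameters out of URLs and access logs, though in the web group it would then need a CSRF exemption. `'sudo_password' => ['required', 'string']` is validated but never used in the visible code and the updated script no longer sends it, so the rule should probably go. The success path returns nothing; an explicit `return response()->noContent();` would make the outcome clear to the caller.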