diff --git a/docs/tre-templates/shared-services/nexus.md b/docs/tre-templates/shared-services/nexus.md
index 5869ae9693..6b67a15af4 100644
--- a/docs/tre-templates/shared-services/nexus.md
+++ b/docs/tre-templates/shared-services/nexus.md
@@ -87,10 +87,12 @@ Nexus Shared Service requires access to resources outside of the Azure TRE VNET.
| Ubuntu Security Packages | apt | [http://security.ubuntu.com/ubuntu/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/ubuntu-security/` | Provide access to Ubuntu Security apt packages on Ubuntu systems. |
| Almalinux | yum | [https://repo.almalinux.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/almalinux` | Install Almalinux packages |
| R-Proxy | r | [https://cran.r-project.org/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/r-proxy` | Provide access to CRAN packages for R |
+| R-Studio Download | raw | [https://download1.rstudio.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/r-studio-download` | Provide access to download R Studio |
| Fedora Project | yum | [https://download-ib01.fedoraproject.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/fedoraproject` | Install Fedora Project Linux packages |
| Microsoft Apt | apt | [https://packages.microsoft.com] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-apt` | Provide access to Microsoft Apt packages |
| Microsoft Keys | raw | [https://packages.microsoft.com/keys/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-keys` | Provide access to Microsoft keys |
| Microsoft Yum | yum | [https://packages.microsoft.com/yumrepos] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-yum` | Provide access to Microsoft Yum packages |
+| Microsoft Download | raw | [https://download.microsoft.com/download] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-download` | Provide access to Microsoft Downloads |
### Migrate from an existing V1 Nexus service (hosted on App Service)
@@ -111,3 +113,18 @@ If you still have an existing Nexus installation based on App Service (from the
The Nexus service checks Key Vault regularly for the latest certificate matching the name you passed on deploy (`nexus-ssl` by default).
When approaching expiry, you can either provide an updated certificate into the TRE core KeyVault (with the name you specified when installing Nexus) if you brought your own, or if you used the certs shared service to generate one, just call the `renew` custom action on that service. This will generate a new certificate and persist it to the Key Vault, replacing the expired one.
+
+## Updating to v3.0.0
+The newest version of Nexus is a significant update for the service.
+As a result, a new installation of Nexus will be necessary.
+
+We are currently in the process of developing an upgrade path for upcoming releases.
+
+## Using Docker Hub
+When using Docker with a VM, the image URL should be constructed as follows: {NEXUS_URL}:{port}/docker-image
+
+```bash
+sudo docker pull {NEXUS_URL}:8083/hello-world
+```
+
+the default port out of the box is 8083
\ No newline at end of file
diff --git a/docs/tre-templates/user-resources/custom.md b/docs/tre-templates/user-resources/custom.md
new file mode 100644
index 0000000000..9ff7131d73
--- /dev/null
+++ b/docs/tre-templates/user-resources/custom.md
@@ -0,0 +1,80 @@
+# Guacamole User Resources
+
+- linuxvm - a Linux-based virtual machine
+- windowsvm - A Windows-based virtual machine
+
+## Customising the user resources
+
+The `guacamole-azure-linuxvm` and `guacamole-azure-windowsvm` folders follow a consistent layout.
+To update one of these templates (or to create a new template based on these folders) to use different image details or VM sizes, there are a few files that need to be updated:
+
+| File | Description |
+| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `porter.yaml` | This file describes the template and the name should be updated when creating a template based on the folder.
This file also contains a `custom` data section that describes the VM properties.
Additionally, the version needs to be updated to deploy an updated version |
+| `template_schema.json` | This file controls the validation applied to the template, for example specifying the valid options for fields such as size and image |
+
+### Configuration
+
+In `porter.yaml`, the `custom` section contains a couple of sub-sections (shown below)
+
+```yaml
+custom:
+ vm_sizes:
+ "2 CPU | 8GB RAM": Standard_D2s_v5
+ "4 CPU | 16GB RAM": Standard_D4s_v5
+ "8 CPU | 32GB RAM": Standard_D8s_v5
+ "16 CPU | 64GB RAM": Standard_D16s_v5
+ image_options:
+ "Ubuntu 22.04 LTS":
+ source_image_reference:
+ publisher: canonical
+ offer: 0001-com-ubuntu-server-jammy
+ sku: 22_04-lts-gen2
+ version: latest
+ apt_sku: 22.04
+ install_ui: true
+ conda_config: false
+ "Ubuntu 20.04 LTS":
+ source_image_reference:
+ publisher: canonical
+ offer: 0001-com-ubuntu-server-focal
+ sku: 20_04-lts-gen2
+ version: latest
+ apt_sku: 20.04
+ install_ui: true
+ conda_config: false
+ "Ubuntu 20.04 LTS Data Science VM":
+ source_image_reference:
+ publisher: microsoft-dsvm
+ offer: ubuntu-2004
+ sku: 2004-gen2
+ version: latest
+ apt_sku: 20.04
+ install_ui: true
+ conda_config: true
+ # "Custom Image From Gallery":
+ # source_image_name: your-image
+ # install_ui: true
+ # conda_config: true
+```
+
+The `vm_sizes` section is a map of a custom SKU description to the SKU identifier.
+
+The `image_options` section defined the possible image choices for the template (note that the name of the image used here needs to be included in the corresponding enum in `template_schema.json`).
+
+Within the image definition in `image_options` there are a few properties that can be specified:
+
+| Name | Description |
+| ------------------------ | -------------------------------------------------------------------------------------------------------- |
+| `source_image_name` | Specify VM image to use by name (see notes below for identifying the image gallery containing the image) |
+| `source_image_reference` | Specify VM image to use by `publisher`, `offer`, `sku` & `version` (e.g. for Azure Marketplace images) |
+| `install_ui` | (Linux only) Set `true` to install desktop environment |
+| `conda_config` | Set true to configure conda |
+
+When specifying images using `source_image_name`, the image must be stored in an [image gallery](https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery).
+To enable re-using built user resource templates across environments where the image may vary, the image gallery is configured via the `RP_BUNDLE_VALUES` environment variable when deploying the TRE.
+The `RP_BUNDLE_VALUES` variable is a JSON object, and the `image_gallery_id` property within it identifies the image gallery that contains the images specified by `source_image_name`:
+
+```bash
+RP_BUNDLE_VALUES='{"image_gallery_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups//providers/Microsoft.Compute/galleries/"}
+```
diff --git a/docs/tre-templates/user-resources/guacamole-linux-vm.md b/docs/tre-templates/user-resources/guacamole-linux-vm.md
index 8cf7b55906..f0ebb090e8 100644
--- a/docs/tre-templates/user-resources/guacamole-linux-vm.md
+++ b/docs/tre-templates/user-resources/guacamole-linux-vm.md
@@ -7,3 +7,12 @@ It blocks all inbound and outbound traffic to the internet and allows only RDP c
- [A base workspace bundle installed](../workspaces/base.md)
- [A guacamole workspace service bundle installed](../workspace-services/guacamole.md)
+- [A Nexus shared service has been deployed](../shared-services/nexus.md)
+
+## Notes
+- Nexus is a prerequisite of installing the Linux VMs given the additional commands in the bootstrap scripts.
+- In production we recommend using VM images to avoid transient issues downloading and installing packages.
+- Snap hasn't been configured to work via the nexus proxy
+
+## Using Custom Images
+For custom image usage, visit this [page](./custom.md).
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config_byoi.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config_byoi.sh
new file mode 100644
index 0000000000..d63fe70bf2
--- /dev/null
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config_byoi.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+# Uncomment this line to see each command for debugging (careful: this will show secrets!)
+set -o xtrace
+
+# Remove apt sources not included in sources.list file
+sudo rm -f /etc/apt/sources.list.d/*
+
+# Update apt packages from configured Nexus sources
+echo "init_vm.sh: START"
+sudo apt update || true
+sudo apt upgrade -y
+sudo apt install -y gnupg2 software-properties-common apt-transport-https wget dirmngr gdebi-core
+sudo apt-get update || true
+
+## Install xrdp so Guacamole can connect via RDP
+echo "init_vm.sh: xrdp"
+sudo apt install -y xrdp xorgxrdp xfce4-session
+sudo adduser xrdp ssl-cert
+sudo -u "${VM_USER}" -i bash -c 'echo xfce4-session > ~/.xsession'
+sudo -u "${VM_USER}" -i bash -c 'echo xset s off >> ~/.xsession'
+sudo -u "${VM_USER}" -i bash -c 'echo xset -dpms >> ~/.xsession'
+
+# Make sure xrdp service starts up with the system
+sudo systemctl enable xrdp
+sudo service xrdp restart
+
+if [ "${SHARED_STORAGE_ACCESS}" -eq 1 ]; then
+ # Install required packages
+ sudo apt-get install autofs -y
+
+ # Pass in required variables
+ storageAccountName="${STORAGE_ACCOUNT_NAME}"
+ storageAccountKey="${STORAGE_ACCOUNT_KEY}"
+ httpEndpoint="${HTTP_ENDPOINT}"
+ fileShareName="${FILESHARE_NAME}"
+ mntRoot="/fileshares"
+ credentialRoot="/etc/smbcredentials"
+
+ mntPath="$mntRoot/$fileShareName"
+ # shellcheck disable=SC2308
+ smbPath=$(echo "$httpEndpoint" | cut -c7-"$(expr length "$httpEndpoint")")$fileShareName
+ smbCredentialFile="$credentialRoot/$storageAccountName.cred"
+
+ # Create required file paths
+ sudo mkdir -p "$mntPath"
+ sudo mkdir -p "/etc/smbcredentials"
+ sudo mkdir -p $mntRoot
+
+ ### Auto FS to persist storage
+ # Create credential file
+ if [ ! -f "$smbCredentialFile" ]; then
+ echo "username=$storageAccountName" | sudo tee "$smbCredentialFile" > /dev/null
+ echo "password=$storageAccountKey" | sudo tee -a "$smbCredentialFile" > /dev/null
+ else
+ echo "The credential file $smbCredentialFile already exists, and was not modified."
+ fi
+
+ # Change permissions on the credential file so only root can read or modify the password file.
+ sudo chmod 600 "$smbCredentialFile"
+
+ # Configure autofs
+ echo "$fileShareName -fstype=cifs,rw,dir_mode=0777,credentials=$smbCredentialFile :$smbPath" | sudo tee /etc/auto.fileshares > /dev/null
+ echo "$mntRoot /etc/auto.fileshares --timeout=60" | sudo tee /etc/auto.master > /dev/null
+
+ # Restart service to register changes
+ sudo systemctl restart autofs
+
+ # Autofs mounts when accessed for 60 seconds. Folder created for constant visible mount
+ sudo ln -s "$mntPath" "/$fileShareName"
+fi
+
+## Cleanup
+echo "init_vm.sh: Cleanup"
+sudo shutdown -r now