diff --git a/src/cloudron.js b/src/cloudron.js
index 67a6aa14f..3a2cdd30b 100644
--- a/src/cloudron.js
+++ b/src/cloudron.js
@@ -71,11 +71,9 @@ CloudronError.SELF_UPGRADE_NOT_SUPPORTED = 'Self upgrade not supported';
 function initialize(callback) {
     assert.strictEqual(typeof callback, 'function');
 
-    async.series([
-        reverseProxy.configureDefaultServer,
-        cron.startPreActivationJobs,
-        onActivated
-    ], callback);
+    cron.startPreActivationJobs(callback);
+
+    runStartupTasks();
 }
 
 function uninitialize(callback) {
@@ -88,19 +86,28 @@ function uninitialize(callback) {
 }
 
 function onActivated(callback) {
-    callback = callback || NOOP_CALLBACK;
+    assert.strictEqual(typeof callback, 'function');
 
     // Starting the platform after a user is available means:
     // 1. mail bounces can now be sent to the cloudron owner
     // 2. the restore code path can run without sudo (since mail/ is non-root)
-    users.isActivated(function (error, activated) {
-        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
-        if (!activated) return callback(); // not activated
+    async.series([
+        platform.start,
+        cron.startPostActivationJobs
+    ], callback);
+}
 
-        async.series([
-            platform.start,
-            cron.startPostActivationJobs
-        ], callback);
+// each of these tasks can fail. we will add some routes to fix/re-run them
+function runStartupTasks() {
+    // configure nginx to be reachable by IP
+    reverseProxy.configureDefaultServer(NOOP_CALLBACK);
+
+    // check activation state and start the platform
+    users.isActivated(function (error, activated) {
+        if (error) return debug(error);
+        if (!activated) return debug('initialize: not activated yet'); // not activated
+
+        onActivated(NOOP_CALLBACK);
     });
 }
 
diff --git a/src/platform.js b/src/platform.js
index 2eff12fc9..324acea53 100644
--- a/src/platform.js
+++ b/src/platform.js
@@ -131,7 +131,7 @@ function stopContainers(existingInfra, callback) {
 }
 
 function startApps(existingInfra, callback) {
-    if (existingInfra.version === 'none') {
+    if (existingInfra.version === 'none') { // cloudron is being restored from backup
         debug('startApps: restoring installed apps');
         apps.restoreInstalledApps(callback);
     } else if (existingInfra.version !== infra.version) {
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 0fdf5830a..17393eb10 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -55,8 +55,7 @@ var acme2 = require('./cert/acme2.js'),
     util = require('util');
 
 var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
-    RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh'),
-    NOOP_CALLBACK = function (error) { if (error) debug(error); };
+    RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh');
 
 function ReverseProxyError(reason, errorOrMessage) {
     assert.strictEqual(typeof reason, 'string');
@@ -565,7 +564,7 @@ function removeAppConfigs() {
 }
 
 function configureDefaultServer(callback) {
-    callback = callback || NOOP_CALLBACK;
+    assert.strictEqual(typeof callback, 'function');
 
     var certFilePath = path.join(paths.NGINX_CERT_DIR,  'default.cert');
     var keyFilePath = path.join(paths.NGINX_CERT_DIR, 'default.key');
diff --git a/src/setup.js b/src/setup.js
index ede540485..ba313e633 100644
--- a/src/setup.js
+++ b/src/setup.js
@@ -262,7 +262,7 @@ function activate(username, password, email, displayName, ip, auditSource, callb
                 expires: result.expires
             });
 
-            setTimeout(cloudron.onActivated, 3000); // hack for now to not block the above http response
+            setImmediate(cloudron.onActivated.bind(null, NOOP_CALLBACK)); // hack for now to not block the above http response
         });
     });
 }