diff --git a/README.md b/README.md index 3b3ceb3..16d2679 100644 --- a/README.md +++ b/README.md @@ -55,12 +55,14 @@ This is WIP. Please test and report issues, comments or missing components on ht - dm_verity + squashfs immutable, integrity checked root - passwd + shadow + group + gshadow decoupled from system in /var - bind LUKS2 with tpm2 to machine +- swap on LUKS2 with tpm2 (no password for resume from disk??) - /home and /var on single data partition ## Known Failures - no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 ) cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd - gnome-software: can't update firmware repo +- systemd: failed to umount /var ## Create diff --git a/clonedisk.sh b/clonedisk.sh index 53a4d21..5fd822c 100755 --- a/clonedisk.sh +++ b/clonedisk.sh @@ -107,18 +107,21 @@ fi if ! [[ $UPDATE ]]; then + udevadm settle wipefs --all "$OUT" + udevadm settle sfdisk -W always -w always "$OUT" << EOF label: gpt size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition" - size=256M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$(blkid -o value -s PARTUUID ${IN}2) + size=64M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$(blkid -o value -s PARTUUID ${IN}2) size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root1", uuid=$(blkid -o value -s PARTUUID ${IN}3) - size=256M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver2" + size=64M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver2" size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root2" - size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4f, name="swap" + size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4e, name="swap" type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data" EOF + udevadm settle fi OUT_DEV=$OUT 
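Review bot: The swap partition type changes from `0657fd6d-a4ab-43c4-84e5-0933c84b4f4f` to `…4f4e`, which is no longer the Linux swap type GUID, and nothing in the hunk says why. If this is deliberate — keeping systemd-gpt-auto-generator from activating a partition that is now a LUKS2 container unlocked by pre-pivot.sh — the heredoc line needs a comment so the next reader does not "fix" it back: `# deliberately NOT the Linux-swap GUID: swap is LUKS2 and is unlocked/activated by pre-pivot.sh`. If it is a typo, the partition also stops being recognised as swap by anything that keys on the type. The `udevadm settle` calls around `wipefs`/`sfdisk` are sensible, but the `sfdisk -W always -w always` run itself is still unchecked; a failed partitioning should stop the clone before `mkfs`/`luksFormat` run on the old layout.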
@@ -136,9 +139,11 @@ for i in 1 2 3; do done if ! [[ $UPDATE ]]; then + swapoff ${OUT}6 || : # ------------------------------------------------------------------------------ # swap - mkswap -L swap ${OUT}6 + echo -n "zero key" \ + | cryptsetup luksFormat --type luks2 ${OUT}6 /dev/stdin # ------------------------------------------------------------------------------ # data diff --git a/excludelist.txt b/excludelist.txt index 67fc5df..f6381a3 100644 --- a/excludelist.txt +++ b/excludelist.txt @@ -3,7 +3,7 @@ systemd-bootchart grubby grub* plymouth -device-mapper-multipath selinux-policy-targeted libselinux-utils httpd +gnome-boxes diff --git a/pkglist.txt b/pkglist.txt index 9bd19bf..78a12e1 100644 --- a/pkglist.txt +++ b/pkglist.txt @@ -66,3 +66,7 @@ nss-mdns @development-libs @c-development man-db +nautilus +rpcbind +nfs-utils +autofs diff --git a/pre-pivot.sh b/pre-pivot.sh index fef151b..1ffb610 100644 --- a/pre-pivot.sh +++ b/pre-pivot.sh 
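Review bot: The LUKS2 container is formatted with the literal passphrase `zero key`, a value anyone can read in this repository, and nothing in the hunk says the slot is only a placeholder. The intent (pre-pivot.sh binds the slot to the TPM2 on first boot and then removes this key) should be stated next to the `luksFormat`, because a cloned disk that never boots, or whose bind fails, stays unlockable with the public passphrase: `# placeholder passphrase: pre-pivot.sh replaces it with a TPM2-bound clevis slot on first boot`. `swapoff ${OUT}6 || :` masks every failure, including a `swapoff` that is not installed in the initrd where clonedisk also runs; if "not active" is the only expected error, a comment saying so keeps the `|| :` honest.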
@@ -39,12 +39,56 @@ done disk=${d%-part*} +unset FOUND +for swapdev in $disk*; do + [[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] || continue + FOUND=1 + break +done + +if [[ $FOUND ]]; then + if cryptsetup isLuks --type luks2 "$swapdev"; then + luksname=swap + luksdev=/dev/mapper/$luksname + + if ! cryptsetup luksDump "$swapdev" | grep -F -q clevis ; then + udevadm settle --exit-if-exists=/dev/tpmrm0 + export TPM2TOOLS_TCTI_NAME=device + export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0 + + if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}'; then + clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev" + echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS" + elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then + clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev" + echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS" + else + warn "Failed to bind swap disk to TPM2" + fi + else + clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev" + fi + swapdev="$luksdev" + fi + + swaptype=$(blkid -o value -s TYPE "$swapdev") + [[ $swaptype == "swsuspend" ]] && \ + /usr/lib/systemd/systemd-hibernate-resume "$swapdev" + + [[ $swaptype != "swap" ]] && \ + mkswap "$swapdev" + + swapon "$swapdev" +fi + + unset FOUND for datadev in $disk*; do [[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue FOUND=1 break done +[[ $FOUND ]] || die "No data disk found" if cryptsetup isLuks --type luks2 "$datadev"; then #luksname=luks-$(blkid -o value -s UUID "$datadev") diff --git a/prepare-root.sh b/prepare-root.sh index a8acd20..e772b35 100755 --- a/prepare-root.sh +++ b/prepare-root.sh 
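Review bot: The `else` branch dies on `clevis-luks-unlock` failure, so a PCR 7 change (a Secure Boot db/dbx update, toggling Secure Boot) turns a lost hibernation image into an unbootable machine, even though swap holds nothing that must survive; the bind-failure path has the same shape, it warns but then goes on to `blkid`/`mkswap`/`swapon` against a `/dev/mapper/swap` that was never created. Warn instead of die there and guard the activation tail on the device actually existing, as below. Note also that the `swsuspend` path resumes the previous session's RAM image with no user secret at all, only the PCR 7 policy — the README's own "no password for resume from disk??" question applies to exactly this branch and should be answered in a comment here. The loop still uses `$disk*` unquoted on purpose (glob); the `|| continue` on the `blkid` check skips devices with no PARTLABEL, which is fine. The script continues past this hunk.
```shell
        else
            # Swap carries nothing that must survive a failed unseal: a PCR 7
            # change costs the hibernation image, it must not cost the boot.
            clevis-luks-unlock -d "$swapdev" -n "$luksname" || warn "Failed to unlock $swapdev"
        fi
        swapdev="$luksdev"
    fi

    # Only activate swap when the (possibly mapped) device really exists;
    # both the bind-failure and unlock-failure paths land here without it.
    if [[ -b $swapdev ]]; then
        swaptype=$(blkid -o value -s TYPE "$swapdev")
        # … unchanged: systemd-hibernate-resume / mkswap / swapon …
    fi
fi
```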
@@ -7,14 +7,15 @@ Usage: $PROGNAME [OPTION] Creates a directory with a readonly root on squashfs, a dm_verity file and an EFI executable - -h, --help Display this help - -p, --pkglist FILE The packages to install read from FILE (default: pkglist.txt) - -e, --excludelist FILE The packages to install read from FILE (default: excludelist.txt) - -r, --releasever NUM Used Fedora release version NUM (default: $VERSION_ID) - -o, --outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE) - -n, --name NAME The NAME of the product (default: FedoraBook) - -l, --logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp) - --noupdate Do not install from Fedora Updates + --help Display this help + --pkglist FILE The packages to install read from FILE (default: pkglist.txt) + --excludelist FILE The packages to install read from FILE (default: excludelist.txt) + --releasever NUM Used Fedora release version NUM (default: $VERSION_ID) + --outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE) + --name NAME The NAME of the product (default: FedoraBook) + --logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp) + --gpgkey FILE Use FILE as the signing gpg key + --noupdate Do not install from Fedora Updates EOF } @@ -25,7 +26,7 @@ BASEDIR=${0%/*} WITH_UPDATES=1 TEMP=$( - getopt -o 'p:o:n:r:l:e:' \ + getopt -o '' \ --long pkglist: \ --long excludelist: \ --long outdir: \ @@ -48,7 +49,7 @@ unset NAME while true; do case "$1" in - '-p'|'--pkglist') + '--pkglist') if [[ -f $2 ]]; then PKGLIST=$(<$2) else @@ -56,7 +57,7 @@ while true; do fi shift 2; continue ;; - '-e'|'--excludelist') + '--excludelist') if [[ -f $2 ]]; then EXCLUDELIST=$(<$2) else 
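Review bot: `--gpgkey FILE` is advertised in the usage text and handled in the case statement, but the visible part of the `getopt --long` list (`pkglist:`, `excludelist:`, `outdir:`) shows no `gpgkey:` entry; if the remainder of that list, outside this hunk, does not add `--long gpgkey: \`, enhanced getopt rejects the option before the new arm is ever reached. The rewritten usage still documents `--noupdate` while the arm that handles it matches `'--noupdates'`, so one of the two should be aligned. Dropping every short option (`-p`, `-o`, `-n`, …) silently breaks existing invocations; the commit message or README should say so, since nothing in the diff does.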
@@ -64,22 +65,26 @@ while true; do fi shift 2; continue ;; - '-o'|'--outdir') + '--outdir') OUTDIR="$2" shift 2; continue ;; - '-n'|'--name') + '--name') NAME="$2" shift 2; continue ;; - '-r'|'--releasever') + '--releasever') RELEASEVER="$2" shift 2; continue ;; - '-l'|'--logo') + '--logo') LOGO="$2" shift 2; continue ;; + '--gpgkey') + GPGKEY="$2" + shift 2; continue + ;; '--noupdates') unset WITH_UPDATES shift 1; continue @@ -100,6 +105,7 @@ NAME=${NAME:-"FedoraBook"} RELEASEVER=${RELEASEVER:-$VERSION_ID} VERSION_ID="${RELEASEVER}.$(date -u +'%Y%m%d%H%M%S')" OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"} +GPGKEY=${GPGKEY:-${NAME}.gpg} [[ $TMPDIR ]] || TMPDIR=/var/tmp readonly TMPDIR="$(realpath -e "$TMPDIR")" @@ -168,6 +174,7 @@ dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disab xfsprogs \ pciutils \ microcode_ctl \ + nss-altfiles \ nss_db \ keyutils \ make \ 
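Review bot: The new `'--gpgkey'` arm stores `$2` unchecked, whereas the `--pkglist` and `--excludelist` arms verify `[[ -f $2 ]]` before use; this file becomes the only trust root `update.sh` verifies signatures against, so a typo should fail here rather than at the later `cp`. Suggest `'--gpgkey') [[ -f $2 ]] || { echo "gpg key '$2' not found" >&2; exit 1; }; GPGKEY="$2"; shift 2; continue ;;`, using whatever message the `--pkglist` arm prints for consistency. The default `GPGKEY=${GPGKEY:-${NAME}.gpg}` is a relative name; where it is resolved is in the next hunk.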
@@ -189,16 +196,34 @@ dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disab dbus-broker \ tar \ gzip \ + p11-kit \ + efibootmgr \ + jq \ + gnupg2 \ $PKGLIST +for i in passwd shadow group gshadow subuid subgid; do + [[ -e "$sysroot"/etc/${i}.rpmnew ]] || continue + while read line || [[ $line ]]; do + IFS=: read user _ <<<$line + grep -E -q "^$user:" "$sysroot"/etc/${i} && continue + echo "$line" >> "$sysroot"/etc/${i} + done <"$sysroot"/etc/${i}.rpmnew +done + +find "$sysroot" -name '*.rpmnew' -print0 | xargs -0 rm -fv + # We need to preserve old uid/gid mkdir -p ${BASEDIR}/${NAME} -for i in passwd shadow group gshadow subuid subgid; do +for i in passwd shadow group gshadow subuid subgid; do cp "$sysroot"/etc/"$i" ${BASEDIR}/${NAME} done cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update +cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update +mkdir -p "$sysroot"/etc/pki/${NAME} +cp "${CURDIR}/${GPGKEY}" "$sysroot"/etc/pki/${NAME}/GPG-KEY rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt mkdir -p "$sysroot"/overlay/efi 
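Review bot: `cp "${CURDIR}/${GPGKEY}" "$sysroot"/etc/pki/${NAME}/GPG-KEY` prepends `$CURDIR` unconditionally, so an absolute `--gpgkey /path/key.gpg` turns into `$CURDIR//path/key.gpg` and the copy fails — or, if the script does not run under `set -e` (not visible here), the image ships without the key `update.sh` needs to verify anything. Resolve it once before the copy, `[[ $GPGKEY == /* ]] || GPGKEY="${CURDIR}/${GPGKEY}"`, followed by `[[ -r $GPGKEY ]] || exit 1`. The `cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update` line is added a second time by this hunk and one copy should go. The `.rpmnew` merge loop is a reasonable way to keep pre-existing uid/gid assignments, but a one-line comment above it would help, e.g. `# append accounts that newer packages ship in *.rpmnew but that the preserved passwd/group files lack`.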
@@ -218,12 +243,12 @@ chroot "$sysroot" \ dracut -N --kver $KVER --force \ --filesystems "squashfs vfat xfs" \ --add-drivers "=drivers/char/tpm" \ - -m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo" \ + -m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo resume" \ --install /usr/lib/systemd/systemd-veritysetup \ --install /usr/lib/systemd/system-generators/systemd-veritysetup-generator \ --install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \ --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \ - --install "cryptsetup tail sort pwmake mktemp " \ + --install "cryptsetup tail sort pwmake mktemp swapon" \ --install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \ --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \ --install "strace" \ @@ -239,7 +264,6 @@ chroot "$sysroot" \ --install /usr/lib/systemd/system/basic.target.wants/rngd.service rm "$sysroot"/pre-pivot.sh -#bash -i umount "$sysroot"/var/cache/dnf 
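Review bot: `clonedisk` is installed into the initrd by this same `--install` list, and the clonedisk hunk above now calls `swapoff ${OUT}6 || :`, yet only `swapon` is added here; unless another dracut module already ships it, `swapoff` is absent from the initrd and the `|| :` hides the resulting 127. One token fixes it: `--install "cryptsetup tail sort pwmake mktemp swapon swapoff"`. The `resume` module is presumably added so `systemd-hibernate-resume` exists for the pre-pivot swap path; a short comment on that `-m` line would spare the next reader the search, and `strace` in a production initrd (context line) still looks like a debugging leftover.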
@@ -297,24 +321,69 @@ C /var/etc/libvirt - - - - - EOF fi -. "${BASEDIR}"/quirks/nss_db.sh +. "${BASEDIR}"/quirks/nss.sh #--------------- # resolv.conf ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf echo 'f /run/NetworkManager/resolv.conf 0755 root root - ' >> "$sysroot"/usr/lib/tmpfiles.d/resolv.conf -ln -sfrn "$sysroot"/var/etc/hostname "$sysroot"/etc/hostname -echo "FedoraBook" > "$sysroot"/usr/share/factory/var/etc/hostname + +#--------------- +# hostname +ln -sfrn "$sysroot"/var/hostname "$sysroot"/etc/hostname +echo "FedoraBook" > "$sysroot"/usr/share/factory/var/hostname #--------------- # vconsole.conf -ln -fsnr "$sysroot"/var/etc/vconsole.conf "$sysroot"/etc/vconsole.conf -echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/etc/vconsole.conf +ln -fsnr "$sysroot"/var/vconsole.conf "$sysroot"/etc/vconsole.conf +echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/vconsole.conf #--------------- # locale.conf -ln -fsnr "$sysroot"/var/etc/locale.conf "$sysroot"/etc/locale.conf -echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/etc/locale.conf +ln -fsnr "$sysroot"/var/locale.conf "$sysroot"/etc/locale.conf +echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/locale.conf + +#--------------- +# localtime +mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/var/localtime +ln -fsnr "$sysroot"/var/localtime "$sysroot"/etc/localtime + +#--------------- +# adjtime +mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime +ln -fsnr "$sysroot"/var/adjtime "$sysroot"/etc/adjtime + +sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed +sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' "$sysroot"/usr/lib/systemd/systemd-timedated + +sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-localed.service +sed -i -e 
's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-timedated.service + +cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <> "$sysroot"/usr/lib/tmpfiles.d/X11.conf < "$MY_TMPDIR"/options.txt +echo -n "rd.shell=0 quiet video=efifb:nobgrt audit=0 selinux=0 roothash=$ROOT_HASH systemd.verity_root_data=PARTUUID=$ROOT_UUID systemd.verity_root_hash=PARTUUID=$HASH_UUID raid=noautodetect" > "$MY_TMPDIR"/options.txt echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt objcopy \ --add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \ 
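Review bot: The two `ReadWritePaths` edits at the end of the hunk rewrite `/lib/systemd/system/systemd-localed.service` and `…/systemd-timedated.service` on the build host, not in the image: every other path in this hunk is prefixed with `"$sysroot"`, these two are not, so the host's units are modified and the image's keep `ReadWritePaths=/etc`, which presumably leaves the in-image services unable to write the relocated `/var/locale.conf`, `/var/vconsole.conf`, `/var/adjtime` and `/var/localtime`. Prefix both: `sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/usr/lib/systemd/system/systemd-localed.service` (and the same for timedated). Opening all of `/var` also grants these services write access to the relocated `/var/shadow` and friends; if they write in place rather than via a temporary file in the same directory, listing only the four files would keep the sandbox tight — worth checking before narrowing. The tmpfiles heredocs that follow are garbled in this view, so I cannot review their entries.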
@@ -416,5 +485,14 @@ mv "$MY_TMPDIR"/root-hash.txt \ "$MY_TMPDIR"/initrd \ "$OUTDIR" -tar cf - -C "${OUTDIR%/*}" "${OUTDIR##*/}" | pigz -c > "$OUTDIR".tgz -echo "$ROOT_HASH ${NAME}-${VERSION_ID}" > "${OUTDIR%/*}/${NAME}-latest.txt" +chown -R "$USER" "$OUTDIR" + +cat > "${OUTDIR%/*}/${NAME}-latest.json" < "$sysroot"/etc/group.admin +egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin + +sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow +sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow + +chroot "$sysroot" bash -c 'mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow' +mv "$sysroot"/etc/group.admin "$sysroot"/etc/group +mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow +chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin' +chroot "$sysroot" bash -c 'passwd -e admin' + +mkdir -p "$sysroot"/usr/share/factory/var +mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var + +sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf + +for i in passwd shadow group gshadow .pwd.lock subuid subgid; do + ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i" +done + +sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so +sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so +sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so +sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del} +sed 
-i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \ + "$sysroot"/lib*/libc.so.* \ + "$sysroot"/usr/lib/systemd/libsystemd-shared*.so + +[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] && sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' "$sysroot"/usr/lib*/librpmostree-1.so.1 + +mkdir -p "$sysroot"/usr/share/factory/home +cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin +chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin + +cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf < "$sysroot"/etc/group.admin +egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin + +sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow +sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow + +chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow' + +mv "$sysroot"/etc/group.admin "$sysroot"/etc/group +mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow +chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin' +chroot "$sysroot" bash -c 'passwd -e admin' + +mkdir -p "$sysroot"/usr/share/factory/var +mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var + +sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf + +for i in passwd shadow group gshadow .pwd.lock subuid subgid; do + ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i" +done + +sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so +sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so +sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' 
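Review bot: `[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]]` can never be true: `[[ ]]` performs no pathname expansion, so `lib*` is tested literally and the rpm-ostree patch is skipped even when the library is present. Use a glob loop instead: `for f in "$sysroot"/usr/lib*/librpmostree-1.so.1; do [[ -e $f ]] && sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' "$f"; done`. The whole run of `sed -i` calls on `pam_unix.so`, `libc.so`, the shadow-utils binaries and `libsystemd-shared` only works because every replacement is byte-length-identical to the original (`/etc/` → `/var/`); that invariant deserves a comment at the top of the run, e.g. `# in-place ELF string patching: replacement paths MUST be exactly as long as the originals`. `passwd --stdin admin` seeds the well-known password `admin`; `passwd -e` forces a change at the first interactive login, but whether every login path honours the expiry is not visible here and should be stated.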
"$sysroot"/usr/lib64/security/pam_unix.so +sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del} +sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \ + "$sysroot"/lib*/libc.so.* \ + "$sysroot"/usr/lib*/librpmostree-1.so.1 \ + "$sysroot"/usr/lib/systemd/libsystemd-shared*.so + + +mkdir -p "$sysroot"/usr/share/factory/home +cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin +chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin + +cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf < "$sysroot"/etc/gshadow.admin sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow -chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow' +chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow' + mv "$sysroot"/etc/group.admin "$sysroot"/etc/group mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin' diff --git a/update.sh b/update.sh index 56cc25c..1bb90f7 100755 --- a/update.sh +++ b/update.sh 
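Review bot: This variant hands `"$sysroot"/usr/lib*/librpmostree-1.so.1` straight to `sed -i` without the existence guard its sibling file uses; when rpm-ostree is not in the image the glob stays literal, `sed` reports the missing file and exits non-zero, and whether `libc.so` and `libsystemd-shared` were already patched depends on argument order and on whether the script runs under `set -e`. Guard it the same way, `for f in "$sysroot"/usr/lib*/librpmostree-1.so.1; do [[ -e $f ]] && sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' "$f"; done`, and keep `libc.so`/`libsystemd-shared` in their own `sed` call. The `make -C /var/db …` step in the `chroot` line depends on the nss_db Makefile being present in the image; a comment naming that dependency would help whoever picks one of the three quirk files.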
@@ -45,29 +45,33 @@ fi mkdir -p /var/cache/${NAME} cd /var/cache/${NAME} -curl ${BASEURL}/${NAME}-latest.txt --output ${NAME}-latest.txt +curl ${BASEURL}/${NAME}-latest.json --output ${NAME}-latest.json -RELEASE=$(read a b <${NAME}-latest.txt ; echo -n $b) -ROOT_HASH=$(read a b <${NAME}-latest.txt; echo -n $a) +IMAGE="$(jq -r '.name' ${NAME}-latest.json)-$(jq -r '.version' ${NAME}-latest.json)" +ROOT_HASH=$(jq -r '.roothash' ${NAME}-latest.json) -ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12} -HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12} - -if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]] || [[ ${NAME}-${VERSION_ID} == $RELEASE ]]; then +if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then echo "Already up2date" exit 1 fi -curl ${BASEURL}/${RELEASE}.tgz | tar xzf - +[[ -d ${IMAGE} ]] || curl ${BASEURL}/${IMAGE}.tgz | tar xzf - -[[ -d ${RELEASE} ]] +[[ -d ${IMAGE} ]] -cd ${RELEASE} +cd ${IMAGE} + +# check integrity +gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt +sha512sum -c sha512sum.txt dd status=progress if=root.verity.img of=/dev/disk/by-partlabel/ver${NEW_ROOT_NUM} dd status=progress if=root.squashfs.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM} # set the new partition uuids +ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12} +HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12} + sfdisk --part-uuid ${ROOT_DEV} ${VER_PARTNO} ${HASH_UUID} sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID} 
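Review bot: The signature check authenticates the tarball but not the choice of tarball: `${NAME}-latest.json` is fetched unsigned, and its `name`/`version`/`roothash` decide what is downloaded and flashed, so anyone on the path to `$BASEURL` can replay an older, genuinely signed release (rollback) — nothing visible compares `version` against the running one, nor `ROOT_HASH` against the signed `root-hash.txt` that prepare-root.sh ships in the tarball. The verification results are also not acted on: unless update.sh runs under `set -e` (not visible here) the `dd` lines execute even when gpg or sha512sum fail, so write `gpg2 … --verify sha512sum.txt.sig sha512sum.txt || exit 1` and `sha512sum -c --strict sha512sum.txt || exit 1`. Because `IMAGE` comes from that unsigned JSON and feeds `${BASEURL}/${IMAGE}.tgz` and `cd ${IMAGE}`, a `[[ $IMAGE == *[^A-Za-z0-9._-]* ]] && exit 1` check after the `jq` calls keeps it to a plain directory name. Extracting with `tar xzf -` before any verification is tolerable only because every file is hashed before `dd`; both `curl` calls should still use `-f` so an HTTP error body is not parsed as JSON or untarred.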
@@ -77,4 +81,4 @@ cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi ## unless proper boot entries set, just force copy to default boot loader cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi -mv --backup=numbered /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi +mv --backup=simple /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi