From 42ed5696a9fecfb32d0637ae25ee398ecffbfe9d Mon Sep 17 00:00:00 2001 
From: Harald Sitter Date: Thu, 29 Feb 2024 01:51:52 +0100 Subject: [PATCH] grand refactor - add ci builds - add some scripting surrounding spinning up local containers - use btrfs send-receive to populate the image for both speed, precision and reliability (won't miss ENOSPC or something) - no longer generate bootable images through mkosi, we generate two UKIs anyway, mkosi's extra work is entirely pointless and as it turns out produces vastly larger UKIs for some reason. probably worth inspecting at some point why that is - the entire build has been moved from relying on arch packages to using kde-builder. this effectively turns the way we build in development also into the way we build for deployment, giving greater familiarity and exercise of code paths - move initrd from dracut to mkinitcpio as it is better integrating with the arch base - the initrd system is still driven by systemd rather than busybox (the initcpio default) - calamares tech still doesn't work entirely but got a bit of polish - basic session blessing support (tracking whether an image is good or not) - boot failure tracking via the UKI filename (foo_1+3-1.efi etc) - pam files imported from arch - font files imported from neon - aggressive debugging via systemd is on for the time being to aid with development - snapd support - general AUR support (really cruddy because we are inside a bwrap that runs with no-new-privileges which means we can't sudo but arch tools don't want to run as root - so everything is awkwardly detangled with dependency installation happening manually in root scope, then the build as a temporary user, then the installation in root scope again) - --- .gitignore | 3 + .gitlab-ci.yml | 19 + bootstrap.sh | 15 + btrfs-copy.sh | 32 + btrfs-send-receive.sh | 36 + btrfs.sh | 27 - build.sh | 72 +- build_docker.sh | 18 + in_docker.sh | 8 + mkosi.build.chroot | 5 + mkosi.conf | 25 +- mkosi.conf.d/00-packages-core.conf | 7 +- mkosi.conf.d/99-packages-development.conf | 2 + 
.../calamares/desktop/modules/partition.conf | 2 +- .../desktop/modules/shellprocess@subvol.conf | 2 +- .../desktop/modules/shellprocess@uki.conf | 3 +- .../calamares/desktop/modules/unpackfs.conf | 2 +- .../etc/fonts/conf.d/56-kdeos-hack.conf | 1 + .../etc/fonts/conf.d/56-kdeos-noto.conf | 1 + mkosi.extra/etc/pam.d/kde | 12 + mkosi.extra/etc/pam.d/kde-fingerprint | 17 + mkosi.extra/etc/pam.d/kde-smartcard | 17 + .../{calamares@subvol => _calamares@subvol} | 3 +- mkosi.extra/usr/bin/_kdeos-bless-session | 10 + mkosi.extra/usr/bin/_kdeos-bless-userspace | 18 + mkosi.extra/usr/bin/_kdeos-overlay | 27 + .../lib/initcpio/install/systemd-extension | 14 + .../lib/sddm/sddm.conf.d/00-kdeos-theme.conf | 5 + .../system-generators/kdeos-live-generator | 15 + .../systemd/system-preset/50-systemdos.preset | 6 +- .../kdeos-overlay.service | 1 + .../kdeos-overlay.service | 1 + .../lib/systemd/system/kdeos-bless-boot.path | 9 + .../systemd/system/kdeos-bless-boot.service | 12 + .../system/kdeos-bless-userspace.service | 16 + .../lib/systemd/system/kdeos-overlay.service | 18 + .../usr/lib/systemd/system/live-user.service | 2 +- .../kdeos-bless-userspace.service | 1 + .../kdeos-bless-session.service | 1 + .../systemd/user/kdeos-bless-session.service | 14 + .../usr/lib/sysupdate.d/50-root-x86-64.conf | 10 +- mkosi.extra/usr/lib/sysupdate.d/60-esp.conf | 14 +- .../conf.default/56-kdeos-hack.conf | 15 + .../conf.default/56-kdeos-noto.conf | 943 ++++++++++++++++++ mkosi.finalize.chroot | 22 + mkosi.postinst | 45 - mkosi.postinst.chroot | 218 ++++ mkosi.prepare.chroot | 37 +- mkosi.repart/00-esp.conf | 6 +- mkosi.repart/50-root.conf | 20 +- upload.sh | 26 + 51 files changed, 1709 insertions(+), 146 deletions(-) create mode 100644 .gitlab-ci.yml create mode 100755 bootstrap.sh create mode 100755 btrfs-copy.sh create mode 100755 btrfs-send-receive.sh delete mode 100755 btrfs.sh create mode 100755 build_docker.sh create mode 100755 in_docker.sh create mode 100755 mkosi.build.chroot create 
mode 120000 mkosi.extra/etc/fonts/conf.d/56-kdeos-hack.conf create mode 120000 mkosi.extra/etc/fonts/conf.d/56-kdeos-noto.conf create mode 100644 mkosi.extra/etc/pam.d/kde create mode 100644 mkosi.extra/etc/pam.d/kde-fingerprint create mode 100644 mkosi.extra/etc/pam.d/kde-smartcard rename mkosi.extra/usr/bin/{calamares@subvol => _calamares@subvol} (90%) create mode 100755 mkosi.extra/usr/bin/_kdeos-bless-session create mode 100755 mkosi.extra/usr/bin/_kdeos-bless-userspace create mode 100755 mkosi.extra/usr/bin/_kdeos-overlay create mode 100644 mkosi.extra/usr/lib/initcpio/install/systemd-extension create mode 100644 mkosi.extra/usr/lib/sddm/sddm.conf.d/00-kdeos-theme.conf create mode 100755 mkosi.extra/usr/lib/systemd/system-generators/kdeos-live-generator create mode 120000 mkosi.extra/usr/lib/systemd/system/initrd-root-fs.target.requires/kdeos-overlay.service create mode 120000 mkosi.extra/usr/lib/systemd/system/initrd-root-fs.target.wants/kdeos-overlay.service create mode 100644 mkosi.extra/usr/lib/systemd/system/kdeos-bless-boot.path create mode 100644 mkosi.extra/usr/lib/systemd/system/kdeos-bless-boot.service create mode 100644 mkosi.extra/usr/lib/systemd/system/kdeos-bless-userspace.service create mode 100644 mkosi.extra/usr/lib/systemd/system/kdeos-overlay.service create mode 120000 mkosi.extra/usr/lib/systemd/system/systemd-bless-boot.service.requires/kdeos-bless-userspace.service create mode 120000 mkosi.extra/usr/lib/systemd/user/graphical-session.target.wants/kdeos-bless-session.service create mode 100644 mkosi.extra/usr/lib/systemd/user/kdeos-bless-session.service create mode 100644 mkosi.extra/usr/share/fontconfig/conf.default/56-kdeos-hack.conf create mode 100644 mkosi.extra/usr/share/fontconfig/conf.default/56-kdeos-noto.conf delete mode 100755 mkosi.postinst create mode 100755 mkosi.postinst.chroot create mode 100755 upload.sh diff --git a/.gitignore b/.gitignore index d8ee30d..7322803 100644 --- a/.gitignore +++ b/.gitignore 
@@ -7,3 +7,6 @@ /*.raw /*.tar /*.efi +/pacman-cache/ +/systemdOS_*/ +/kde-builder/ diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..edeef43 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,19 @@ +# SPDX-License-Identifier: BSD-2-Clauses +# SPDX-FileCopyrightText: None + +stages: + - start + +start: + stage: start + allow_failure: false + image: archlinux:latest + script: + - ./in_docker.sh --force --debug + - ./upload.sh + artifacts: + expire_in: 7 days + when: always + paths: + - 'kde-builder/kde/src/log/*' + - 'systemdOS_*/kde-builder/kde/src/log/*' diff --git a/bootstrap.sh b/bootstrap.sh new file mode 100755 index 0000000..6857834 --- /dev/null +++ b/bootstrap.sh @@ -0,0 +1,15 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +# For bootstrapping of a basic arch system so it can build stuff. + +set -ex + +echo 'https://mirror.23m.com/archlinux/' > /etc/pacman.d/mirrorlist.new +cat /etc/pacman.d/mirrorlist >> /etc/pacman.d/mirrorlist.new +mv /etc/pacman.d/mirrorlist.new /etc/pacman.d/mirrorlist + +pacman --sync --refresh --noconfirm --sysupgrade +pacman --sync --refresh --noconfirm mkosi git base-devel ukify vim cpio tree \ + rsync btrfs-progs s3cmd dosfstools qemu-img erofs-utils squashfs-tools diff --git a/btrfs-copy.sh b/btrfs-copy.sh new file mode 100755 index 0000000..20d012b --- /dev/null +++ b/btrfs-copy.sh 
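Review bot: `image: archlinux:latest` in .gitlab-ci.yml is a floating tag, so the environment that builds the OS image and then runs `./upload.sh` can change between pipelines without any commit in this repository. Pin it by digest, `image: archlinux@sha256:<digest>` (placeholder), and bump the digest deliberately. upload.sh is not in this part of the patch, but if it relies on CI secrets the job should also carry a `rules:` entry that limits it to protected branches. The header should read `SPDX-License-Identifier: BSD-2-Clause`; `BSD-2-Clauses` is not an SPDX identifier.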
@@ -0,0 +1,32 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2023 Harald Sitter + +# Executed inside an image to populate the subvolume via plain old copy + +set -ex + +OUTPUT_ABS=$1 +OUTPUT=$2 + +[ "$OUTPUT_ABS" = "" ] && exit 1 +[ "$OUTPUT" = "" ] && exit 1 + +cleanup() { + [ -d @import ] && btrfs subvolume delete @import + return 0 +} +trap cleanup INT TERM EXIT +cleanup + +mount -o remount,compress-force=zstd "$PWD" +btrfs property set . compression zstd +btrfs balance start --force -mconvert=single -dconvert=single . + +btrfs subvolume create @import +cp -ra "$OUTPUT_ABS/." @import/ +btrfs subvolume snapshot -r @import "@$OUTPUT" +btrfs subvolume delete @import + +ln -svf "@$OUTPUT" "$ID" +btrfs subvolume set-default "$ID" diff --git a/btrfs-send-receive.sh b/btrfs-send-receive.sh new file mode 100755 index 0000000..c624bf4 --- /dev/null +++ b/btrfs-send-receive.sh @@ -0,0 +1,36 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2023 Harald Sitter + +# Executed inside an image to populate the subvolume via btrfs snapshot magic + +set -ex + +OUTPUT_ABS=$1 +OUTPUT=$2 +ID=$3 + +[ "$OUTPUT_ABS" = "" ] && exit 1 +[ "$OUTPUT" = "" ] && exit 1 +[ "$ID" = "" ] && exit 1 + +EXPORT="$OUTPUT.export" + +cleanup() { + [ -d "$EXPORT" ] && btrfs subvolume delete "$EXPORT" + return 0 +} +trap cleanup INT TERM EXIT +cleanup + +mount -o remount,compress-force=zstd "$PWD" +btrfs property set . compression zstd +btrfs balance start --force -mconvert=single -dconvert=single . + +btrfs receive -f "$OUTPUT_ABS.btrfs" . +btrfs subvolume snapshot -r "$EXPORT" "@$OUTPUT" +btrfs subvolume delete "$EXPORT" +rm -f "$OUTPUT_ABS.btrfs" + +ln -svf "@$OUTPUT" "$ID" +btrfs subvolume set-default "$ID" diff --git a/btrfs.sh b/btrfs.sh deleted file mode 100755 index 79a69dd..0000000 --- a/btrfs.sh +++ /dev/null 
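Review bot: `$ID` is used in the last two lines of btrfs-copy.sh (`ln -svf "@$OUTPUT" "$ID"` and `btrfs subvolume set-default "$ID"`) but the script never assigns it, unlike btrfs-send-receive.sh, which reads `ID=$3` and rejects an empty value. build.sh passes `"@$NAME"` as the third argument on both paths, so unless `ID` happens to be set in the environment the copy path reaches `ln` and `set-default` with an empty name after the subvolume work is already done. Add `ID=$3` after `OUTPUT=$2` and `[ "$ID" = "" ] && exit 1` next to the other argument checks.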
@@ -1,27 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL -# SPDX-FileCopyrightText: 2023 Harald Sitter - -# Executed inside an image to reshuffle the subvolumes. - -set -ex - -NAME=$1 -VERSION=$2 -ID=$3 - -[ "$NAME" = "" ] && exit 1; -[ "$VERSION" = "" ] && exit 1; -[ "$ID" = "" ] && exit 1; - -btrfs subvolume create "@$ID.import" -rsync --archive --update --remove-source-files "@$NAME/" "@$ID.import/" -btrfs subvolume snapshot -r "@$ID.import/" "@$ID" -btrfs subvolume delete "@$ID.import/" -rm -rf "@$NAME" -ln -sv "@$ID" "@$NAME" -btrfs subvolume create @home -btrfs subvolume create @var-overlay -btrfs subvolume create @etc-overlay -mkdir @var-overlay/upper @var-overlay/work @etc-overlay/upper @etc-overlay/work -btrfs subvolume set-default "@$NAME" diff --git a/build.sh b/build.sh index 26a88cf..8228b04 100755 --- a/build.sh +++ b/build.sh @@ -2,15 +2,18 @@ # SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL # SPDX-FileCopyrightText: 2023 Harald Sitter -# Build image using mkosi, well, somehwat. mkosi is actually a bit too inflexible for our purposes so we generate a OS +# Build image using mkosi, well, somewhat. mkosi is actually a bit too inflexible for our purposes so we generate a OS # tree using mkosi and then construct shipable raw images (for installation) and tarballs (for systemd-sysupdate) # ourselves. +# TODO port to ruby or python or something. it's getting too long for sh + set -ex -NAME=systemdOS -_DATE=$(date +%Y%m%d) -_TIME=$(date +%H%M) +NAME=kdeos +_EPOCH=$(date +%s) +_DATE=$(date --date="@$_EPOCH" +%Y%m%d) +_TIME=$(date --date="@$_EPOCH" +%H%M) DATETIME="${_DATE}${_TIME}" VERSION="$DATETIME" OUTPUT=${NAME}_$VERSION 
@@ -18,31 +21,66 @@ EFI=$OUTPUT.efi TAR=${OUTPUT}_root-x86-64.tar IMG=$OUTPUT.raw +export SYSTEMD_LOG_LEVEL=debug + echo "$VERSION" > ./mkosi.extra/usr/lib/image_version mkosi --distribution arch --image-id "$NAME" --image-version "$VERSION" "$@" -rm -rv "${OUTPUT}"/efi/EFI/Linux/ -mkdir -p "${OUTPUT}"/efi/EFI/Linux/ -mv -v "${OUTPUT}"/${NAME}*.efi "${OUTPUT}/efi/EFI/Linux/$EFI" -mv -v "${OUTPUT}"/live.efi . +# NOTE: /efi must be empty so auto mounting can happen. As such we put our templates in a different directory +rm -rv "${OUTPUT}/efi" +[ -d "${OUTPUT}/efi" ] || mkdir --mode 0700 "${OUTPUT}/efi" +[ -d "${OUTPUT}/efi-template" ] || mkdir --mode 0700 "${OUTPUT}/efi-template" +[ -d "${OUTPUT}/efi-template/EFI" ] || mkdir --mode 0700 "${OUTPUT}/efi-template/EFI" +[ -d "${OUTPUT}/efi-template/EFI/Linux" ] || mkdir --mode 0700 "${OUTPUT}/efi-template/EFI/Linux" +cp -v "${OUTPUT}"/${NAME}*.efi "$OUTPUT.efi" +mv -v "${OUTPUT}"/${NAME}*.efi "${OUTPUT}/efi-template/EFI/Linux/$EFI" +mv -v "${OUTPUT}"/live.efi "${OUTPUT}_live.efi" + +rm -f "${OUTPUT}/var/cache/pacman/pkg/*" +rm -rf "${OUTPUT}/usr/share/doc/qt6/examples" rm -rf "$TAR" ./*.tar tar -C "${OUTPUT}"/ -cf "$TAR" . +SIZE=$(stat --format %s "$TAR") # the apparent size of all data +zstd -T0 --rm "$TAR" + +OUTPUT_IS_BTRFS_SUBVOLUME=false +if [ "$(stat --file-system --format %T "$OUTPUT")" = "btrfs" ] && [ "$(stat --format %i "$OUTPUT")" = "256" ]; then + OUTPUT_IS_BTRFS_SUBVOLUME=true +fi + +# Accurate sizing is a bit of a challenge. In the most ideal scenario we'll be working on btrfs and are able to +# compress the entire subvolume into a file. This file size will then be more or less the DATA size in the filesystem. +# On top of that we have the btrfs meta data and system data, these are kind of dependent on the actual partition size +# but will generally be ~256M and <50M for partitions <50G. 
+if $OUTPUT_IS_BTRFS_SUBVOLUME; then + btrfs filesystem defrag -czstd -r "$OUTPUT" + btrfs subvolume snapshot -r "$OUTPUT" "$OUTPUT.export" + btrfs send --compressed-data -f "$OUTPUT.btrfs" "$OUTPUT.export" + btrfs subvolume delete "$OUTPUT.export" + SIZE=$(stat --format %s "$OUTPUT.btrfs") # the actual size of all data + SIZE=$((SIZE+268435456)) # 256M slack +else + SIZE=$((SIZE+4294967296)) # 4G slack (our guess is less precise without btrfs) +fi +SIZE=$((SIZE+314572800)) # 256M for btrfs metadata, 44M for system block +SIZE=$((SIZE+536870912)) # 512M for ESP rm -f "$IMG" ./*.raw touch "$IMG" -# The root partition contains the shipable efi image. -systemd-repart --no-pager --empty=allow --size=auto --dry-run=no --root="${OUTPUT}" --definitions=mkosi.repart --defer-partitions=esp "$IMG" -systemd-dissect --with "$IMG" "$(pwd)/btrfs.sh" $NAME "$VERSION" "$OUTPUT" +# The root partition contains the shipable efi image for use on the installed system. +systemd-repart --no-pager --empty=allow --size="$SIZE" --dry-run=no --root="${OUTPUT}" --definitions=mkosi.repart --defer-partitions=esp "$IMG" +if $OUTPUT_IS_BTRFS_SUBVOLUME; then # btrfs subvolume + systemd-dissect --with "$IMG" "$(pwd)/btrfs-send-receive.sh" "$PWD/$OUTPUT" "$OUTPUT" "@$NAME" +else # do a raw copy + systemd-dissect --with "$IMG" "$(pwd)/btrfs-copy.sh" "$PWD/$OUTPUT" "$OUTPUT" "@$NAME" +fi # The esp of the image contains the live efi image (divergent cmdline). -cp -v live.efi "${OUTPUT}/efi/EFI/Linux/$EFI" +# We copy into efi-template for convenience, it won't actually be used from there, just copied by systemd-repart. +cp -v "${OUTPUT}_live.efi" "${OUTPUT}/efi-template/EFI/Linux/$EFI" systemd-repart --no-pager --empty=allow --size=auto --dry-run=no --root="${OUTPUT}" --definitions=mkosi.repart --defer-partitions=root "$IMG" # TODO before accepting new uploads perform sanity checks on the artifacts (e.g. 
the tar being well formed) chmod go+r ./*.efi # efi images are 700, make them readable so the server can serve them -scp "image/efi/EFI/Linux/$EFI" root@web.local:/var/www/html -scp "$TAR" root@web.local:/var/www/html -scp "$IMG" root@web.local:/var/www/html -scp "live.efi" root@web.local:/var/www/html -ssh root@web.local -- /bin/sh -c "'cd /var/www/html/ && ./update.sh'" +ls -lah diff --git a/build_docker.sh b/build_docker.sh new file mode 100755 index 0000000..c76130b --- /dev/null +++ b/build_docker.sh @@ -0,0 +1,18 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +# Build inside docker + +set -ex + +docker run \ + --privileged \ + --env CI_PROJECT_DIR=/workspace \ + --volume "$(pwd):/workspace" \ + --volume "$(pwd)/pacman-cache:/var/cache/pacman/pkg" \ + --volume "/dev:/dev" \ + --workdir /workspace \ + --rm=true \ + archlinux:latest \ + /workspace/in_docker.sh "$@" diff --git a/in_docker.sh b/in_docker.sh new file mode 100755 index 0000000..c14cbd0 --- /dev/null +++ b/in_docker.sh @@ -0,0 +1,8 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +set -ex + +./bootstrap.sh +./build.sh "$@" diff --git a/mkosi.build.chroot b/mkosi.build.chroot new file mode 100755 index 0000000..f2e5809 --- /dev/null +++ b/mkosi.build.chroot @@ -0,0 +1,5 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2023 Harald Sitter + +set -ex diff --git a/mkosi.conf b/mkosi.conf index b5b7a40..4032673 100644 --- a/mkosi.conf +++ b/mkosi.conf 
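Review bot: The glob in `rm -f "${OUTPUT}/var/cache/pacman/pkg/*"` sits inside the double quotes, so the shell passes a literal `*` and `-f` hides the resulting no-such-file error; the downloaded package cache stays in the tree and ends up in the tarball and the raw image. Move the wildcard outside the quotes: `rm -f "${OUTPUT}"/var/cache/pacman/pkg/*`. Separately, `rm -rv "${OUTPUT}/efi"` has no `-f`, so under `set -e` the build stops if mkosi did not create that directory; `rm -rfv` followed by the existing `mkdir` guard would be more tolerant. The start of build.sh is in the previous hunk.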
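Review bot: `--privileged` together with `--volume "/dev:/dev"` in build_docker.sh gives the container, and everything the build runs as root inside it, unrestricted access to the host's block devices and kernel interfaces, and the script does not say why. Presumably the loop-device and btrfs work in build.sh needs it, so state that in a header comment, e.g. `# Needs --privileged and the host /dev for loop devices and btrfs (systemd-repart, systemd-dissect); run only on a disposable build machine.` `archlinux:latest` is also a floating tag; pinning it by digest (`archlinux@sha256:<digest>`, placeholder) would keep the privileged environment reproducible.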
@@ -3,26 +3,24 @@ [Distribution] Distribution=arch -Mirror=https://geo.mirror.pkgbuild.com +Mirror=https://mirror.23m.com/archlinux/ [Output] Format=directory -Bootable=yes SplitArtifacts=yes -KernelCommandLine= [Content] +# We do not want an initrd or any other boot artifacts, we generate all this stuff ourselves since we need more +# control than mkosi gives us. Bootable also has the unfortunate side effect that the os-release file gets eaten +# for some reason (supposedly as a side effect of the initrd creation?) +Bootable=no +KernelCommandLine= Packages=sddm - kwallet-pam - plasma-desktop - plasma-nm - plasma-pa - powerdevil bash-completion pacman mesa pipewire - pipewire-jack + pipewire-pulse noto-fonts acpid busybox @@ -30,19 +28,18 @@ Packages=sddm bind dmidecode ntfs-3g - partitionmanager iproute2 tpm2-tss xz - konsole wireplumber - phonon-qt5-vlc flatpak apparmor WithNetwork=true -RootPassword=asdf +# No root login thank you very much. We'll provision a live user as part of spinup +# RootPassword= # Make sure kernel-install knows where we expect the ESP to be mounted so it can create correct loader entries. -Environment=BOOT_MNT=/efi +@Environment=BOOT_MNT=/efi-template +@Environment=KDE_BUILDER_TARGET="workspace dolphin konsole kpmcore kate" [Host] QemuGui=yes diff --git a/mkosi.conf.d/00-packages-core.conf b/mkosi.conf.d/00-packages-core.conf index a062a44..d23c7fb 100644 --- a/mkosi.conf.d/00-packages-core.conf +++ b/mkosi.conf.d/00-packages-core.conf @@ -8,8 +8,13 @@ Packages=linux systemd systemd-sysvcompat systemd-resolvconf - dracut + mkinitcpio + mkinitcpio-systemd-tool base archlinux-keyring kernel-modules-hook kmod + noto-fonts + noto-fonts-cjk + noto-fonts-emoji + plymouth diff --git a/mkosi.conf.d/99-packages-development.conf b/mkosi.conf.d/99-packages-development.conf index 19dccf5..e7d0dee 100644 --- a/mkosi.conf.d/99-packages-development.conf +++ b/mkosi.conf.d/99-packages-development.conf 
@@ -8,3 +8,5 @@ Packages=cmake base-devel clang tree + clazy + ccache diff --git a/mkosi.extra/calamares/desktop/modules/partition.conf b/mkosi.extra/calamares/desktop/modules/partition.conf index e35b9ea..0d4d355 100644 --- a/mkosi.extra/calamares/desktop/modules/partition.conf +++ b/mkosi.extra/calamares/desktop/modules/partition.conf @@ -15,7 +15,7 @@ defaultFileSystemType: btrfs enableLuksAutomatedPartitioning: false partitionLayout: - - name: "systemdOS" + - name: "KDEOS" type: "Linux root-x86-64" filesystem: "btrfs" mountPoint: "/" diff --git a/mkosi.extra/calamares/desktop/modules/shellprocess@subvol.conf b/mkosi.extra/calamares/desktop/modules/shellprocess@subvol.conf index 0a8d6c4..0486899 100644 --- a/mkosi.extra/calamares/desktop/modules/shellprocess@subvol.conf +++ b/mkosi.extra/calamares/desktop/modules/shellprocess@subvol.conf @@ -7,4 +7,4 @@ dontChroot: true timeout: 300 script: - - calamares@subvol ${ROOT} + - _calamares@subvol ${ROOT} diff --git a/mkosi.extra/calamares/desktop/modules/shellprocess@uki.conf b/mkosi.extra/calamares/desktop/modules/shellprocess@uki.conf index 28d62ae..d244a07 100644 --- a/mkosi.extra/calamares/desktop/modules/shellprocess@uki.conf +++ b/mkosi.extra/calamares/desktop/modules/shellprocess@uki.conf @@ -6,7 +6,8 @@ dontChroot: false timeout: 300 script: - - echo "timeout 10" >> /efi/loader/loader.conf +# TODO this is daft, why dont we copy the efi template? + - echo "timeout 5" >> /efi/loader/loader.conf - rm -rfv /efi/loader/entries/* /efi/systemdOS/ # TODO move elsewhere - rm -rfv /usr/lib/systemd/system/live-user.service diff --git a/mkosi.extra/calamares/desktop/modules/unpackfs.conf b/mkosi.extra/calamares/desktop/modules/unpackfs.conf index 1676e4f..9b31725 100644 --- a/mkosi.extra/calamares/desktop/modules/unpackfs.conf +++ b/mkosi.extra/calamares/desktop/modules/unpackfs.conf 
@@ -5,6 +5,6 @@ --- unpack: # NOTE: this unpacks the default subvolume, not the / of the btrfs! - - source: "/dev/disk/by-label/root-x86-64" + - source: "/dev/disk/by-label/KDEOSLive" sourcefs: "btrfs" destination: "" diff --git a/mkosi.extra/etc/fonts/conf.d/56-kdeos-hack.conf b/mkosi.extra/etc/fonts/conf.d/56-kdeos-hack.conf new file mode 120000 index 0000000..5dc0a6a --- /dev/null +++ b/mkosi.extra/etc/fonts/conf.d/56-kdeos-hack.conf @@ -0,0 +1 @@ +/usr/share/fontconfig/conf.default/56-kdeos-hack.conf \ No newline at end of file diff --git a/mkosi.extra/etc/fonts/conf.d/56-kdeos-noto.conf b/mkosi.extra/etc/fonts/conf.d/56-kdeos-noto.conf new file mode 120000 index 0000000..25215a1 --- /dev/null +++ b/mkosi.extra/etc/fonts/conf.d/56-kdeos-noto.conf @@ -0,0 +1 @@ +/usr/share/fontconfig/conf.default/56-kdeos-noto.conf \ No newline at end of file diff --git a/mkosi.extra/etc/pam.d/kde b/mkosi.extra/etc/pam.d/kde new file mode 100644 index 0000000..eb5b63d --- /dev/null +++ b/mkosi.extra/etc/pam.d/kde @@ -0,0 +1,12 @@ +#% PAM - 1.0 + +# SPDX-License-Identifier: LGPL-2.0-or-later +# SPDX-FileCopyrightText: 2024 Antonio Rojas + +auth include system-local-login + +account include system-local-login + +password include system-local-login + +session include system-local-login diff --git a/mkosi.extra/etc/pam.d/kde-fingerprint b/mkosi.extra/etc/pam.d/kde-fingerprint new file mode 100644 index 0000000..4ae772d --- /dev/null +++ b/mkosi.extra/etc/pam.d/kde-fingerprint @@ -0,0 +1,17 @@ +#%PAM-1.0 + +# SPDX-License-Identifier: LGPL-2.0-or-later +# SPDX-FileCopyrightText: 2024 Antonio Rojas + +auth required pam_shells.so +auth requisite pam_nologin.so +auth requisite pam_faillock.so preauth +-auth required pam_fprintd.so +auth optional pam_permit.so +auth required pam_env.so + +account include system-local-login + +password required pam_deny.so + +session include system-local-login 
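Review bot: In kde-fingerprint the only line that checks a credential is `-auth required pam_fprintd.so`, and the leading `-` marks the module as one that may be absent; the other auth lines (pam_shells, pam_nologin, pam_faillock preauth, pam_permit, pam_env) do not verify anything the user presents. Neither fprintd nor pam_pkcs11 appears in the package lists visible in this patch, so please confirm how this stack resolves on an image without them and make it fail closed, for example by dropping the `-` prefix or by shipping the file only together with fprintd. The same applies to `-auth required pam_pkcs11.so wait_for_card card_only` in kde-smartcard. A comment in each file naming the Arch package and version it was imported from would also make later resyncs easier.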
diff --git a/mkosi.extra/etc/pam.d/kde-smartcard b/mkosi.extra/etc/pam.d/kde-smartcard new file mode 100644 index 0000000..085949f --- /dev/null +++ b/mkosi.extra/etc/pam.d/kde-smartcard @@ -0,0 +1,17 @@ +#%PAM-1.0 + +# SPDX-License-Identifier: LGPL-2.0-or-later +# SPDX-FileCopyrightText: 2024 Antonio Rojas + +auth requisite pam_nologin.so +auth requisite pam_faillock.so preauth +-auth required pam_pkcs11.so wait_for_card card_only +auth required pam_shells.so +auth optional pam_permit.so +auth required pam_env.so + +account include system-local-login + +password required pam_deny.so + +session include system-local-login diff --git a/mkosi.extra/usr/bin/calamares@subvol b/mkosi.extra/usr/bin/_calamares@subvol similarity index 90% rename from mkosi.extra/usr/bin/calamares@subvol rename to mkosi.extra/usr/bin/_calamares@subvol index 479d1ea..865cec9 100755 --- a/mkosi.extra/usr/bin/calamares@subvol +++ b/mkosi.extra/usr/bin/_calamares@subvol @@ -20,7 +20,8 @@ mv @systemdOS @systemdOS_0 ln -s @systemdOS_0 @systemdOS btrfs subvolume set-default @systemdOS -# @home created by calamares +# @home gets created by calamares' mount module +btrfs subvolume create @snap btrfs subvolume create @var-overlay btrfs subvolume create @etc-overlay mkdir @var-overlay/upper @var-overlay/work @etc-overlay/upper @etc-overlay/work diff --git a/mkosi.extra/usr/bin/_kdeos-bless-session b/mkosi.extra/usr/bin/_kdeos-bless-session new file mode 100755 index 0000000..21934b5 --- /dev/null +++ b/mkosi.extra/usr/bin/_kdeos-bless-session @@ -0,0 +1,10 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +# Bless Session. +# Also see _kdeos-bless-userspace + +set -ex + +touch "${XDG_RUNTIME_DIR}/kdeos-bless-session" diff --git a/mkosi.extra/usr/bin/_kdeos-bless-userspace b/mkosi.extra/usr/bin/_kdeos-bless-userspace new file mode 100755 index 0000000..fd80a5b --- /dev/null 
+++ b/mkosi.extra/usr/bin/_kdeos-bless-userspace @@ -0,0 +1,18 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +# Bless userspace. +# Blessing of a boot on KDEOS is a three step process. +# 1) the userspace gets blessed here via a /run marker (means system-wide middleware services are up - such as networkmanager) +# 2) the user logs in and a complete session startup blesses the session +# 3) when all requirements are met the boot gets actually blessed + +set -ex + +systemctl mask --runtime systemd-bless-boot.service +systemctl daemon-reload + +/usr/lib/systemd/systemd-bless-boot indeterminate + +touch /run/kdeos-bless-userspace diff --git a/mkosi.extra/usr/bin/_kdeos-overlay b/mkosi.extra/usr/bin/_kdeos-overlay new file mode 100755 index 0000000..f075bfe --- /dev/null +++ b/mkosi.extra/usr/bin/_kdeos-overlay @@ -0,0 +1,27 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2023-2024 Harald Sitter + +set -ex + +[ -f /etc/initrd-release ] || false + +sysroot=/sysroot +rootdisk=/dev/disk/by-partlabel/KDEOS + +mount -v -o subvol=/ "$rootdisk" "${sysroot}/system" + +mount -v \ + -o subvol=@home \ + "$rootdisk" "${sysroot}/home" +mount -v \ + -o subvol=@snap \ + "$rootdisk" "${sysroot}/snap" +mount -v \ + -t overlay \ + -o "lowerdir=${sysroot}/etc,upperdir=${sysroot}/system/@etc-overlay/upper,workdir=${sysroot}/system/@etc-overlay/work,index=off,metacopy=off" \ + overlay "${sysroot}/etc" +mount -v \ + -t overlay \ + -o "lowerdir=${sysroot}/var,upperdir=${sysroot}/system/@var-overlay/upper,workdir=${sysroot}/system/@var-overlay/work,index=off,metacopy=off" \ + overlay "${sysroot}/var" diff --git a/mkosi.extra/usr/lib/initcpio/install/systemd-extension b/mkosi.extra/usr/lib/initcpio/install/systemd-extension new file mode 100644 index 0000000..d399b51 --- /dev/null 
+++ b/mkosi.extra/usr/lib/initcpio/install/systemd-extension @@ -0,0 +1,14 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2023-2024 Harald Sitter + +build() { + map add_binary \ + /usr/lib/systemd/systemd-volatile-root \ + /usr/bin/_kdeos-overlay \ + /usr/lib/systemd/system-generators/kdeos-live-generator + + map add_systemd_unit \ + systemd-volatile-root.service \ + kdeos-overlay.service +} diff --git a/mkosi.extra/usr/lib/sddm/sddm.conf.d/00-kdeos-theme.conf b/mkosi.extra/usr/lib/sddm/sddm.conf.d/00-kdeos-theme.conf new file mode 100644 index 0000000..56e84aa --- /dev/null +++ b/mkosi.extra/usr/lib/sddm/sddm.conf.d/00-kdeos-theme.conf @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2020 Jonathan Riddell + +[Theme] +Current=breeze diff --git a/mkosi.extra/usr/lib/systemd/system-generators/kdeos-live-generator b/mkosi.extra/usr/lib/systemd/system-generators/kdeos-live-generator new file mode 100755 index 0000000..bb4fd2c --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/system-generators/kdeos-live-generator @@ -0,0 +1,15 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +if ! /proc/cmdline | grep 'KDEOSLive'; then + echo "Not running kdeos-live-generator" > /dev/kmsg + exit 0 +fi + +ls -lahR /dev/disk > /dev/kmsg + +if [ -f /dev/disk/by-label/KDEOSLive ]; then + echo "Found by label" > /dev/kmsg +fi + diff --git a/mkosi.extra/usr/lib/systemd/system-preset/50-systemdos.preset b/mkosi.extra/usr/lib/systemd/system-preset/50-systemdos.preset index 2593b75..f7af1b1 100644 --- a/mkosi.extra/usr/lib/systemd/system-preset/50-systemdos.preset +++ b/mkosi.extra/usr/lib/systemd/system-preset/50-systemdos.preset 
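Review bot: `if ! /proc/cmdline | grep 'KDEOSLive'; then` in kdeos-live-generator tries to execute /proc/cmdline instead of reading it, so grep sees empty input, the condition is always true and the generator always logs "Not running kdeos-live-generator" and exits. Use `if ! grep -q 'KDEOSLive' /proc/cmdline; then`. Further down, `[ -f /dev/disk/by-label/KDEOSLive ]` tests for a regular file, which a by-label entry (a symlink to a block device) is not; `-e` or `-b` is the test that can succeed. live-user.service and kdeos-overlay.service key on `kdeos.live=1` while this script looks for `KDEOSLive`, so one spelling should be chosen, and `ls -lahR /dev/disk > /dev/kmsg` is debugging output that should be removed before release.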
@@ -4,7 +4,9 @@ enable sddm.service enable accounts-daemon.service enable NetworkManager.service -# TODO disable -enable sshd.service +enable snapd.socket +enable snapd.apparmor +enable apparmor.service enable live-user.service +enable kdeos-overlay.service diff --git a/mkosi.extra/usr/lib/systemd/system/initrd-root-fs.target.requires/kdeos-overlay.service b/mkosi.extra/usr/lib/systemd/system/initrd-root-fs.target.requires/kdeos-overlay.service new file mode 120000 index 0000000..bf54411 --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/system/initrd-root-fs.target.requires/kdeos-overlay.service @@ -0,0 +1 @@ +../kdeos-overlay.service \ No newline at end of file diff --git a/mkosi.extra/usr/lib/systemd/system/initrd-root-fs.target.wants/kdeos-overlay.service b/mkosi.extra/usr/lib/systemd/system/initrd-root-fs.target.wants/kdeos-overlay.service new file mode 120000 index 0000000..bf54411 --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/system/initrd-root-fs.target.wants/kdeos-overlay.service @@ -0,0 +1 @@ +../kdeos-overlay.service \ No newline at end of file diff --git a/mkosi.extra/usr/lib/systemd/system/kdeos-bless-boot.path b/mkosi.extra/usr/lib/systemd/system/kdeos-bless-boot.path new file mode 100644 index 0000000..eed3d76 --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/system/kdeos-bless-boot.path @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +[Unit] +Description=Mark the Current Boot Loader Entry as Good + +[Path] +PathExistsGlob=/run/kdeos-bless-userspace +PathExistsGlob=/run/user/*/kdeos-bless-session diff --git a/mkosi.extra/usr/lib/systemd/system/kdeos-bless-boot.service b/mkosi.extra/usr/lib/systemd/system/kdeos-bless-boot.service new file mode 100644 index 0000000..66d9ef9 --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/system/kdeos-bless-boot.service 
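Review bot: The two `PathExistsGlob=` lines in kdeos-bless-boot.path are alternatives, not a conjunction: as far as I know a path unit starts its service as soon as any one watched path matches, so `/run/kdeos-bless-userspace` alone is enough to run `systemd-bless-boot good`. That contradicts the three-step description in _kdeos-bless-userspace, where a completed session start is supposed to be required, and it means an image whose session never comes up is still recorded as good and is not caught by boot counting. Watching only `/run/user/*/kdeos-bless-session` here and adding `ConditionPathExists=/run/kdeos-bless-userspace` to kdeos-bless-boot.service would express both requirements; test how the path unit behaves while that condition is not yet met.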
@@ -0,0 +1,12 @@ +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +[Unit] +Description=Mark the Current Boot Loader Entry as Good +Conflicts=shutdown.target +Before=shutdown.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/systemd/systemd-bless-boot good diff --git a/mkosi.extra/usr/lib/systemd/system/kdeos-bless-userspace.service b/mkosi.extra/usr/lib/systemd/system/kdeos-bless-userspace.service new file mode 100644 index 0000000..4197c0b --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/system/kdeos-bless-userspace.service @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +[Unit] +Description=Check if Userspace is in a Good State +Requires=boot-complete.target display-manager.service user.slice +Conflicts=shutdown.target +Before=shutdown.target systemd-bless-boot.service +Wants=kdeos-bless-boot.path + +[Service] +Type=oneshot +ExecStart=/bin/_kdeos-bless-userspace + +[Install] +RequiredBy=systemd-bless-boot.service diff --git a/mkosi.extra/usr/lib/systemd/system/kdeos-overlay.service b/mkosi.extra/usr/lib/systemd/system/kdeos-overlay.service new file mode 100644 index 0000000..525de31 --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/system/kdeos-overlay.service 
@@ -0,0 +1,18 @@ +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +[Unit] +Description=Overlay Root File System +DefaultDependencies=no +Requires=sysroot.mount +Conflicts=shutdown.target +After=sysroot.mount systemd-repart.service +Before=initrd-root-fs.target initrd-parse-etc.service shutdown.target +AssertPathExists=/etc/initrd-release +# On the live system we let systemd.volatile handle the overlay since we want to discard changes +ConditionKernelCommandLine=!kdeos.live=1 + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/_kdeos-overlay diff --git a/mkosi.extra/usr/lib/systemd/system/live-user.service b/mkosi.extra/usr/lib/systemd/system/live-user.service index 25eee2e..0fbc012 100644 --- a/mkosi.extra/usr/lib/systemd/system/live-user.service +++ b/mkosi.extra/usr/lib/systemd/system/live-user.service @@ -4,7 +4,7 @@ [Unit] Requires=systemd-logind.service After=systemd-logind.service systemd-homed.service -ConditionKernelCommandLine=systemdOS.live +ConditionKernelCommandLine=kdeos.live=1 [Service] ExecStartPre=/usr/bin/useradd --create-home live diff --git a/mkosi.extra/usr/lib/systemd/system/systemd-bless-boot.service.requires/kdeos-bless-userspace.service b/mkosi.extra/usr/lib/systemd/system/systemd-bless-boot.service.requires/kdeos-bless-userspace.service new file mode 120000 index 0000000..45861e1 --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/system/systemd-bless-boot.service.requires/kdeos-bless-userspace.service @@ -0,0 +1 @@ +../kdeos-bless-userspace.service \ No newline at end of file diff --git a/mkosi.extra/usr/lib/systemd/user/graphical-session.target.wants/kdeos-bless-session.service b/mkosi.extra/usr/lib/systemd/user/graphical-session.target.wants/kdeos-bless-session.service new file mode 120000 index 0000000..14a5798 --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/user/graphical-session.target.wants/kdeos-bless-session.service 
@@ -0,0 +1 @@ +../kdeos-bless-session.service \ No newline at end of file diff --git a/mkosi.extra/usr/lib/systemd/user/kdeos-bless-session.service b/mkosi.extra/usr/lib/systemd/user/kdeos-bless-session.service new file mode 100644 index 0000000..d9168d1 --- /dev/null +++ b/mkosi.extra/usr/lib/systemd/user/kdeos-bless-session.service @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2024 Harald Sitter + +[Unit] +Description=Check if Userspace is in a Good State +After=graphical-session.target plasma-core.target +Requires=graphical-session.target + +[Service] +Type=oneshot +ExecStart=/bin/_kdeos-bless-session + +[Install] +WantedBy=graphical-session.target diff --git a/mkosi.extra/usr/lib/sysupdate.d/50-root-x86-64.conf b/mkosi.extra/usr/lib/sysupdate.d/50-root-x86-64.conf index 6cf054e..718cc43 100644 --- a/mkosi.extra/usr/lib/sysupdate.d/50-root-x86-64.conf +++ b/mkosi.extra/usr/lib/sysupdate.d/50-root-x86-64.conf @@ -6,13 +6,13 @@ ProtectVersion=%A [Source] Type=url-tar -Path=http://mellon.nerdpol.ovh/ -MatchPattern=systemdOS_root-x86-64_@v.tar \ - systemdOS_@v_root-x86-64.tar +Path=http://kdeos.haraldsitter.eu +MatchPattern=kdeos_root-x86-64_@v.tar.zst \ + kdeos_@v_root-x86-64.tar.zst [Target] Type=subvolume Path=/system -MatchPattern=@@systemdOS_@v +MatchPattern=@@kdeos_@v ReadOnly=yes -CurrentSymlink=@@systemdOS +CurrentSymlink=@kdeos diff --git a/mkosi.extra/usr/lib/sysupdate.d/60-esp.conf b/mkosi.extra/usr/lib/sysupdate.d/60-esp.conf index 7f78339..524fc40 100644 --- a/mkosi.extra/usr/lib/sysupdate.d/60-esp.conf +++ b/mkosi.extra/usr/lib/sysupdate.d/60-esp.conf 
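Review bot: The sysupdate source `Path=http://kdeos.haraldsitter.eu` in 50-root-x86-64.conf, and the same line in the 60-esp.conf hunk that follows, fetches the root tarball and the UKI over plain HTTP. Whether an on-path party can substitute an image then rests entirely on signature verification, and the `[Transfer]` section that would carry a `Verify=` setting lies above both hunks, so its value cannot be confirmed from here. upload.sh in this commit publishes `SHA256SUMS` without a detached signature, which suggests verification is either switched off or will fail. I would change both to `Path=https://kdeos.haraldsitter.eu` and publish a signed `SHA256SUMS.gpg` so that `Verify=` can stay at its default.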
@@ -6,16 +6,16 @@ ProtectVersion=%A [Source] Type=url-file -Path=http://mellon.nerdpol.ovh/ -MatchPattern=systemdOS_@v.efi +Path=http://kdeos.haraldsitter.eu +MatchPattern=kdeos_@v.efi [Target] Type=regular-file Path=/efi/EFI/Linux -MatchPattern=systemdOS_@v.efi \ - systemdOS_@v+@l.efi \ - systemdOS_@v+@l-@d.efi -Mode=0444 +MatchPattern=kdeos_@v+@l-@d.efi \ + kdeos_@v+@l.efi \ + kdeos_@v.efi +Mode=0400 TriesLeft=3 TriesDone=0 -InstancesMax=2 +InstancesMax=4 diff --git a/mkosi.extra/usr/share/fontconfig/conf.default/56-kdeos-hack.conf b/mkosi.extra/usr/share/fontconfig/conf.default/56-kdeos-hack.conf new file mode 100644 index 0000000..d4e4542 --- /dev/null +++ b/mkosi.extra/usr/share/fontconfig/conf.default/56-kdeos-hack.conf @@ -0,0 +1,15 @@ + + + + + + + monospace + + Hack + + + diff --git a/mkosi.extra/usr/share/fontconfig/conf.default/56-kdeos-noto.conf b/mkosi.extra/usr/share/fontconfig/conf.default/56-kdeos-noto.conf new file mode 100644 index 0000000..105608a --- /dev/null +++ b/mkosi.extra/usr/share/fontconfig/conf.default/56-kdeos-noto.conf 
@@ -0,0 +1,943 @@ + + + + + + /usr/share/fonts/croscore + /usr/share/fonts/crosextra + /usr/share/fonts/dejavu + /usr/share/fonts/ko-nanum + /usr/share/fonts/lohit-cros + /usr/share/fonts/monotype + /usr/share/fonts/noto + /usr/share/fonts/notocjk + /usr/share/fonts/tibt-jomolhari + + + serif + + Tinos + Noto Serif + Noto Serif CJK SC + Noto Naskh Arabic + Noto Serif Thai + Noto Serif Armenian + Noto Serif Georgian + Noto Serif Devanagari + Noto Serif Hebrew + Noto Serif Bangali + Noto Serif Gujarati + Noto Serif Kannada + Noto Serif Malayalam + Noto Serif Tamil + Noto Serif Telugu + Lohit Punjabi + Lohit Oriya + Noto Serif Khmer + Noto Serif Lao + Noto Serif Ethiopic + Noto Serif Myanmar + Noto Serif Sinhala + Jomolhari + Noto Color Emoji + Noto Sans Symbols + Noto Sans Symbols2 + DejaVu Serif + + + + sans-serif + + Arimo + Noto Sans + Noto Sans CJK SC + Noto Sans Arabic + Noto Sans Thai + Noto Sans Devanagari + Noto Sans Tamil + Noto Sans Hebrew + Noto Sans Bengali + Noto Sans Telugu + Noto Sans Kannada + Noto Sans Malayalam + Noto Sans Gurmukhi + Noto Sans Gujarati + Noto Sans Oriya + Noto Sans Armenian + Noto Sans Georgian + Noto Sans Khmer + Noto Sans Lao + Noto Sans Ethiopic + Noto Sans Myanmar + Noto Sans Sinhala + Jomolhari + Noto Sans Coptic + Noto Sans Deseret + Noto Sans TaiTham + Noto Sans CanadianAboriginal + Noto Sans Yi + Noto Sans Tifinagh + Noto Sans Adlam + Noto Sans Cherokee + Noto Sans Chakma + Noto Sans Osage + Noto Color Emoji + Noto Sans Symbols + Noto Sans Symbols2 + DejaVu Sans + + + + monospace + + Cousine + Noto Sans Mono + Noto Sans Mono CJK SC + Noto Naskh Arabic + Noto Sans Thai + Noto Sans Devanagari + Noto Sans Tamil + Noto Sans Bengali + Noto Sans Telugu + Noto Sans Kannada + Noto Sans Malayalam + Noto Sans Gurmukhi + Noto Sans Gujarati + Noto Sans Oriya + Noto Sans Armenian + Noto Sans Georgian + Noto Sans Ethiopic + Noto Sans Myanmar + Noto Sans Sinhala + Noto Sans Tibetan + Noto Sans Coptic + Noto Sans Deseret + Noto Sans TaiTham 
+ Noto Sans Cherokee + Noto Sans Chakma + Noto Sans Osage + Noto Color Emoji + Noto Sans Symbols + Noto Sans Symbols2 + Droid Sans Fallback + DejaVu Sans Mono + + + + ui-sans + + Noto Sans UI + Noto Sans CJK SC + Noto Naskh Arabic UI + Noto Sans Thai UI + Noto Sans Devanagari UI + Noto Sans Tamil UI + Noto Sans Hebrew + Noto Sans Bengali UI + Noto Sans Telugu UI + Noto Sans Kannada UI + Noto Sans Malayalam UI + Noto Sans Gurmukhi UI + Noto Sans Gujarati UI + Noto Sans Oriya UI + Noto Sans Armenian + Noto Sans Georgian + Noto Sans Khmer UI + Noto Sans Lao UI + Noto Sans Ethiopic + Noto Sans Myanmar UI + Noto Color Emoji + Noto Symbols + Droid Sans Fallback + DejaVu Sans + + + + + + zh + + + 14 + + + 14 + + + + + + Arimo + true + hintfull + false + + + + Chrome Droid Sans + true + hintslight + true + + + + Cousine + true + hintfull + false + + + + Tinos + true + hintfull + false + + + + NanumGothic + true + hintfull + false + + + + Noto Sans CJK JP + + MS PGothic + + + + Noto Sans CJK JP + + MS Pゴシック + + + + MS PGothic + + Noto Sans CJK JP + + + + MS Pゴシック + + Noto Sans CJK JP + + + + Noto Sans Mono CJK JP + + MS Gothic + + + + Noto Sans Mono CJK JP + + MS ゴシック + + + + MS Gothic + + Noto Sans Mono CJK JP + + + + MS ゴシック + + Noto Sans Mono CJK JP + + + + Noto Serif CJK JP + + MS Mincho + + + + Noto Serif CJK JP + + MS 明朝 + + + + MS Mincho + + Noto Serif CJK JP + + + + MS 明朝 + + Noto Serif CJK JP + + + + Noto Serif CJK JP + + MS PMincho + + + + Noto Serif CJK JP + + MS P明朝 + + + + MS PMincho + + Noto Serif CJK JP + + + + MS P明朝 + + Noto Serif CJK JP + + + + + Noto Serif CJK SC + + Simsun + + + + Noto Serif CJK SC + + 宋体 + + + + Simsun + + Noto Serif CJK SC + + + + 宋体 + + Noto Serif CJK SC + + + + Noto Serif CJK SC + + NSimsun + + + + Noto Serif CJK SC + + 新宋体 + + + + NSimsun + + Noto Serif CJK SC + + + + 新宋体 + + Noto Serif CJK SC + + + + Noto Sans CJK SC + + SimHei + + + + Noto Sans CJK SC + + 黑体 + + + + SimHei + + Noto Sans CJK SC + + + + 黑体 + + Noto Sans CJK SC + + + 
+ + Noto Serif CJK TC + + PMingLiU + + + + Noto Serif CJK TC + + PMingLiU_HKSCS + + + + Noto Serif CJK TC + + 新細明體 + + + + Noto Serif CJK TC + + 新細明體_HKSCS + + + + PMingLiU + + Noto Serif CJK TC + + + + PMingLiU_HKSCS + + Noto Serif CJK TC + + + + 新細明體 + + Noto Serif CJK TC + + + + 新細明體_HKSCS + + Noto Serif CJK TC + + + + Noto Serif CJK TC + + MingLiU + + + + Noto Serif CJK TC + + MingLiU_HKSCS + + + + Noto Serif CJK TC + + 細明體 + + + + Noto Serif CJK TC + + 細明體_HKSCS + + + + MingLiU + + Noto Serif CJK TC + + + + MingLiU_HKSCS + + Noto Serif CJK TC + + + + 細明體 + + Noto Serif CJK TC + + + + 細明體_HKSCS + + Noto Serif CJK TC + + + + + Caladea + + Cambria + + + + Cambria + + Caladea + + + + + Carlito + + Calibri + + + + Calibri + + Carlito + + + + + Gulim + + NanumGothic + + + + 굴림 + + NanumGothic + + + + 굴림체 + + NanumGothic + + + + Gulimche + + NanumGothic + + + + Dotum + + NanumGothic + + + + 돋움 + + Noto Sans CJK KR + + + + Dotumche + + Noto Sans Mono CJK KR + + + + 돋움체 + + Noto Sans Mono CJK KR + + + + MalgunGothic + + NanumGothic + + + + 맑은고딕 + + NanumGothic + + + + Batang + + Noto Serif CJK KR + + + + 바탕 + + Noto Serif CJK KR + + + + Batangche + + Noto Serif CJK KR + + + + 바탕체 + + Noto Serif CJK KR + + + + + + zh-CN + + + serif + + + Noto Serif CJK SC + + + + + zh-CN + + + sans-serif + + + Noto Sans CJK SC + + + + + zh-CN + + + monospace + + + Noto Sans Mono CJK SC + + + + + + zh-TW + + + serif + + + Noto Serif CJK TC + + + + + zh-TW + + + sans-serif + + + Noto Sans CJK TC + + + + + zh-TW + + + monospace + + + Noto Sans Mono CJK TC + + + + + + ja + + + serif + + + Noto Serif CJK JP + + + + + ja + + + sans-serif + + + Noto Sans CJK JP + + + + + ja + + + monospace + + + Noto Sans Mono CJK JP + + + + + + ko + + + serif + + + Noto Serif CJK KR + + + + + ko + + + sans-serif + + + Noto Sans CJK KR + + + + + ko + + + monospace + + + Noto Sans Mono CJK KR + + + + + true + + + + Noto Sans CJK KR + + + Noto Sans CJK SC + + + Noto Sans CJK JP + + + Noto Sans CJK TC + + + Noto 
Sans Mono CJK KR + + + Noto Sans Mono CJK SC + + + Noto Sans Mono CJK JP + + + Noto Sans Mono CJK TC + + + Noto Serif CJK KR + + + Noto Serif CJK SC + + + Noto Serif CJK JP + + + Noto Serif CJK TC + + false + + + true + + + true + false + hintslight + true + none + + + true + + + + Noto Sans Thai + + + Noto Sans Thai UI + + + Noto Serif Thai + + + Noto Serif Thai UI + + + Noto Sans Devanagari + + + Noto Sans Devanagari UI + + + Noto Sans Tamil + + + Noto Sans Tamil UI + + + Noto Serif Tamil + + + Noto Sans Gujarati + + + Noto Sans Gujarati UI + + + Noto Sans Gurumukhi + + + Noto Serif Gujarati + + + Noto Sans Gurumukhi UI + + + Noto Sans Kannada + + + Noto Sans Kannada UI + + + Noto Serif Kannada + + + Noto Sans Telugu + + + Noto Sans Telugu UI + + + Noto Serif Telugu + + + Noto Sans Bengali + + + Noto Sans Bengali UI + + + Noto Serif Bengali + + + Noto Sans Malayalam + + + Noto Sans Malayalam UI + + + Noto Serif Malayalam + + + Noto Kufi Arabic + + + Noto Naskh Arabic + + + Noto Naskh Arabic UI + + + Noto Sans Armenian + + + Noto Serif Armenian + + + Noto Sans Georgian + + + Noto Serif Georgian + + + Noto Sans Hebrew + + + Noto Serif Hebrew + + + Noto Sans Ethiopic + + + Noto Sans Khmer + + + Noto Sans Khmer UI + + + Noto Serif Khmer + + + Noto Sans Lao + + + Noto Sans Lao UI + + + Noto Serif Lao + + + Noto Sans Sinhala + + + Noto Sans Myanmar + + + Noto Sans Myanmar UI + + + Noto Sans Tibetan + + false + + + true + true + false + hintfull + true + + + + Noto Color Emoji + true + + + diff --git a/mkosi.finalize.chroot b/mkosi.finalize.chroot index f2e5809..6d7acfa 100755 --- a/mkosi.finalize.chroot +++ b/mkosi.finalize.chroot 
@@ -3,3 +3,25 @@ # SPDX-FileCopyrightText: 2023 Harald Sitter set -ex + +# mkosi might have eaten the file, restore it +cat <<- EOF > /usr/lib/os-release +NAME="KDE OS" +PRETTY_NAME="KDE OS" +ID=kdeos +BUILD_ID=$(cat /usr/lib/image_version) +ANSI_COLOR="38;2;23;147;209" +HOME_URL="https://os.kde.org/" +DOCUMENTATION_URL="https://userbase.kde.org/KDEOS" +SUPPORT_URL="https://kde.org/support/" +BUG_REPORT_URL="https://bugs.kde.org/enter_bug.cgi?product=KDEOS" +PRIVACY_POLICY_URL="https://kde.org/privacypolicy-apps/" +LOGO=kde-symbolic +IMAGE_VERSION=$(cat /usr/lib/image_version) +EOF +[ -f /usr/lib/os-release ] || false +cat /usr/lib/os-release + +deluser --remove builder || true +passwd --delete root +passwd --lock root diff --git a/mkosi.postinst b/mkosi.postinst deleted file mode 100755 index 919b30f..0000000 --- a/mkosi.postinst +++ /dev/null 
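Review bot: `deluser --remove builder || true` cannot be relied on to remove the build account, because `|| true` hides every failure, including `deluser` not being installed in the image. mkosi.postinst.chroot in this commit gives `builder` an empty password and a `NOPASSWD: ALL` entry in `/etc/sudoers.d/builder`, so a leftover would ship a passwordless account with root rights. I would make finalize fail when either survives, e.g. `if getent passwd builder >/dev/null; then exit 1; fi` followed by `[ ! -e /etc/sudoers.d/builder ]`. The first lines of the script are outside the hunk.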
@@ -1,45 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL -# SPDX-FileCopyrightText: 2023 Harald Sitter - -set -ex - -env - -if [ "$container" != "mkosi" ]; then - exec mkosi-chroot "$CHROOT_SCRIPT" "$@" -fi - -cat <<-EOF > /usr/lib/os-release -NAME="systemdOS" -PRETTY_NAME="systemdOS" -ID=systemdOS -BUILD_ID=build1 -ANSI_COLOR="38;2;23;147;209" -HOME_URL="https://archlinux.org/" -DOCUMENTATION_URL="https://wiki.archlinux.org/" -SUPPORT_URL="https://bbs.archlinux.org/" -BUG_REPORT_URL="https://bugs.archlinux.org/" -PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/" -LOGO=kde-symbolic -IMAGE_VERSION=$(cat /usr/lib/image_version) -EOF - -export SYSTEMD_ESP_PATH=/efi -bootctl install -echo 'timeout 30' >> /efi/loader/loader.conf -cp /usr/share/edk2-shell/x64/Shell.efi /efi/shellx64.efi - -kernel_version="" -for f in /usr/lib/modules/*/vmlinuz -do - kernel_version="$(basename "$(dirname "$f")")" -done -# dracut --uefi --no-machineid --kernel-cmdline "native ro" --kver "$kernel_version" systemdOS.efi -# kernel-install add --verbose add "$kernel_version" "/usr/lib/modules/$kernel_version/vmlinuz" systemdOS.efi - -cd / -rm -fv live.efi -dracut --uefi --no-machineid --kernel-cmdline "native ro systemd.volatile=overlay systemd.firstboot=false systemd.hostname=systemdOS systemdOS.live" --kver "$kernel_version" live.efi -rm -rfv systemdOS.efi -dracut --uefi --no-machineid --kernel-cmdline "ro" --kver "$kernel_version" systemdOS.efi diff --git a/mkosi.postinst.chroot b/mkosi.postinst.chroot new file mode 100755 index 0000000..53da064 --- /dev/null +++ b/mkosi.postinst.chroot 
@@ -0,0 +1,218 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL +# SPDX-FileCopyrightText: 2023 Harald Sitter + +set -ex + +env + +mkdir --mode 0700 /system # for the kdeos-overlay.service +mkdir /snap # for snapd + +export SYSTEMD_ESP_PATH="$BOOT_MNT" +mkdir --mode 0700 "$SYSTEMD_ESP_PATH" +bootctl install +echo 'timeout 5' >> "$SYSTEMD_ESP_PATH/loader/loader.conf" +cp /usr/share/edk2-shell/x64/Shell.efi "$SYSTEMD_ESP_PATH/shellx64.efi" + +# Make sure our definitions are well formed +mkdir -pv /efi/EFI/Linux +/usr/lib/systemd/systemd-sysupdate --verify=no list # verify=no because we only care if the configs are valid +rm -rfv /efi/ + +pacman --sync --refresh +pacman --sync --noconfirm git base-devel cmake yaml-cpp boost-libs boost dosfstools btrfs-progs + +# YAY Builder +# https://preciselab.io/how-to-install-yay-on-pure-archlinux-image/ +pacman --sync --noconfirm go +mkdir -p /tmp/yay-build +useradd -m -G wheel builder && passwd -d builder +chown -R builder:builder /tmp/yay-build +echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder +su - builder -c "git clone https://aur.archlinux.org/yay.git /tmp/yay-build/yay" +su - builder -c "cd /tmp/yay-build/yay && makepkg --noconfirm" +pacman --noconfirm --upgrade /tmp/yay-build/yay/*.pkg.tar.* +pacman --noconfirm --sync libinih libnsl liburcu lzo python apparmor autoconf-archive go-tools python-docutils squashfs-tools xfsprogs +su - builder -c "yay --noconfirm --sync --sudo /bin/true snapd steam-devices-git" +pacman --noconfirm --upgrade /home/builder/.cache/yay/*/*.pkg.tar.* +userdel --remove builder +rm /etc/sudoers.d/builder +rm -rf /home/builder + +# KDE Builder +whoami +cd /opt +echo "$PWD" +env +export HOME=/tmp/kde-builder +pacman --sync --noconfirm python-pipenv +git clone https://invent.kde.org/sdk/kde-builder.git +cd kde-builder +pipenv --python /usr/bin/python install +# Hack for https://invent.kde.org/sdk/kde-builder/-/issues/16 +pacman --sync 
--noconfirm cairo +pipenv install pycairo +# +export PATH="$PWD":"$PATH" +pipenv run kde-builder --install-distro-packages +pipenv run kde-builder --generate-config +cat <<- EOF > /tmp/kde-builder/.config/kdesrc-buildrc +global + branch-group kf6-qt6 + + # Finds and includes *KDE*-based dependencies into the build. This makes + # it easier to ensure that you have all the modules needed, but the + # dependencies are not very fine-grained so this can result in quite a few + # modules being installed that you didn't need. + include-dependencies true + + # Install directory for KDE software + install-dir /usr + + # Directory for downloaded source code + source-dir /tmp/kde-builder/kde/src + + # Directory to build KDE into before installing + # relative to source-dir by default + build-dir /tmp/kde-builder/kde/build + + # qt-install-dir ~/kde/qt # Where to install Qt6 if kde-builder supplies it + + cmake-options -DBUILD_TESTING=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo + + # kde-builder sets 2 options which is used in options like make-options or set-env + # to help manage the number of compile jobs that happen during a build: + # + # 1. num-cores, which is just the number of detected CPU cores, and can be passed + # to tools like make (needed for parallel build) or ninja (completely optional). + # + # 2. num-cores-low-mem, which is set to largest value that appears safe for + # particularly heavyweight modules based on total memory, intended for + # modules like qtwebengine + num-cores $(nproc) + num-cores-low-mem $(nproc) + + # kde-builder can install a sample .xsession file for "Custom" + # (or "XSession") logins, + install-session-driver false + + # or add a environment variable-setting script to + # ~/.config/kde-env-master.sh + install-environment-driver false + + # Stop the build process on the first failure. 
If set to false, when kde-builder + # encounters a build failure, it will attempt to continue building other modules, + # using libraries from the system in cases where they would otherwise be provided + # by a module that has failed to build. + # + # Unless your system has very up-to-date packages, this is probably not what you want. + stop-on-failure true + + # Use a flat folder layout under ~/kde/src and ~/kde/build + # rather than nested directories + directory-layout flat + + # Use Ninja as cmake generator instead of gmake + cmake-generator Ninja + + # Build with LSP support for everything that supports it + compile-commands-linking false + compile-commands-export false + + # Generate .vscode config files in project directories + # Enable this if you want to use Visual Studio Code for development + generate-vscode-project-config false +end global + +# With base options set, the remainder of the file is used to define modules to build, in the +# desired order, and set any module-specific options. + +# This line includes module definitions provided in repo-metadata. Do not comment it. +include \${module-definitions-dir}/kf6-qt6.ksb + +# To change options for modules that have already been defined, use an +# 'options' block. 
See kf6-common-options.ksb for an example + +# kate: syntax kdesrc-buildrc; +EOF + +cat ~/.config/kdesrc-buildrc +# We want word splitting here because KDE_BUILDER_TARGET contains multiple things +# shellcheck disable=SC2086 +pipenv run kde-builder ${KDE_BUILDER_TARGET} || (mv /tmp/kde-builder "$CHROOT_SRCDIR"; false) + +# Calamares +cd /tmp +git clone --depth 1 https://github.com/calamares/calamares +cmake -S calamares -B calamares/build -DCMAKE_INSTALL_PREFIX=/usr -DBUILD_TESTING=OFF -DWITH_QT6=ON +cmake --build calamares/build "-j$(nproc)" +cmake --install calamares/build + +cat <<- EOF > /usr/share/icons/default/index.theme +[Icon Theme] +Inherits=Breeze +EOF + +# WARNING: only set up os-release after the build otherwise kde-build doesn't know how to handle the system currently +cat <<- EOF > /usr/lib/os-release +NAME="KDE OS" +PRETTY_NAME="KDE OS" +ID=kdeos +BUILD_ID=$(cat /usr/lib/image_version) +ANSI_COLOR="38;2;61;174;233" +HOME_URL="https://os.kde.org/" +DOCUMENTATION_URL="https://userbase.kde.org/KDEOS" +SUPPORT_URL="https://kde.org/support/" +BUG_REPORT_URL="https://bugs.kde.org/enter_bug.cgi?product=KDEOS" +PRIVACY_POLICY_URL="https://kde.org/privacypolicy-apps/" +LOGO=kde-symbolic +IMAGE_VERSION=$(cat /usr/lib/image_version) +EOF +[ -f /usr/lib/os-release ] || false +cat /usr/lib/os-release + +kernel_version="" +for f in /usr/lib/modules/*/vmlinuz +do + kernel_version="$(basename "$(dirname "$f")")" +done + +plymouth-set-default-theme bgrt + +# cd /tmp +# rm -fv live.efi +# echo "native ro root=PARTLABEL=KDEOSLive systemd.volatile=overlay systemd.firstboot=false systemd.hostname=kdeos kdeos.live=1 \ +# console=ttyS0 console=tty0 \ +# systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M printk.devkmsg=on" > cmdline +# mkinitcpio --uki live.efi --addhooks "systemd,systemd-extension" --cmdline cmdline --kernel "$kernel_version" +# rm -fv systemdOS.efi +# echo "native ro root=PARTLABEL=KDEOS" > cmdline +# mkinitcpio --uki systemdOS.efi --addhooks 
"systemd,systemd-extension" --cmdline cmdline --kernel "$kernel_version" +# mv -v ./*.efi / +# rm -f cmdline + +# Could move to config instead of manual command passing +# NOTE: plymouth MUST be after systemd as per the wiki! +cd /tmp +echo "native ro root=PARTLABEL=KDEOSLive systemd.volatile=overlay systemd.firstboot=false systemd.hostname=kdeos kdeos.live=1 \ + rd.systemd.debug_shell=on systemd.debug_shell=on SYSTEMD_SULOGIN_FORCE=1 \ + console=ttyS0 console=tty0 \ + systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M printk.devkmsg=on" > cmdline +mkinitcpio --addhooks "systemd,systemd-extension,plymouth" --generate initrd --kernel "$kernel_version" +ukify build \ + --linux /boot/vmlinuz-linux \ + --initrd initrd \ + --cmdline @cmdline \ + --output live.efi +echo "native ro root=PARTLABEL=KDEOS rootflags=subvol=@kdeos_$(cat /usr/lib/image_version) \ + rd.systemd.debug_shell=on systemd.debug_shell=on SYSTEMD_SULOGIN_FORCE=1 \ + console=ttyS0 console=tty0 \ + systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M printk.devkmsg=on" > cmdline +mkinitcpio --addhooks "systemd,systemd-extension,plymouth" --generate initrd --kernel "$kernel_version" +ukify build \ + --linux /boot/vmlinuz-linux \ + --initrd initrd \ + --cmdline @cmdline \ + --output kdeos.efi +mv -v ./*.efi / diff --git a/mkosi.prepare.chroot b/mkosi.prepare.chroot index 014e59b..1dfc778 100755 --- a/mkosi.prepare.chroot +++ b/mkosi.prepare.chroot 
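Review bot: The command line written for `kdeos.efi` carries `rd.systemd.debug_shell=on systemd.debug_shell=on SYSTEMD_SULOGIN_FORCE=1`, the same debugging set as `live.efi`, and upload.sh publishes that UKI. systemd's debug shell is an unauthenticated root shell on a virtual console, and the sulogin override grants a root shell in emergency mode even though mkosi.finalize.chroot locks root, so console or serial access to an installed system is enough for root. The commit message calls this temporary; I would still keep it out of the installed UKI by putting the debug parameters in a variable that stays empty unless a build-time switch is set, as sketched below (the switch name is a placeholder).

```sh
# … unchanged: cmdline, mkinitcpio and ukify build for live.efi …
# KDEOS_DEBUG_BOOT is a placeholder name for a build-time switch
debug_args=""
if [ "${KDEOS_DEBUG_BOOT:-0}" = "1" ]; then
  debug_args="rd.systemd.debug_shell=on systemd.debug_shell=on SYSTEMD_SULOGIN_FORCE=1 \
    systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M printk.devkmsg=on"
fi
echo "native ro root=PARTLABEL=KDEOS rootflags=subvol=@kdeos_$(cat /usr/lib/image_version) \
 console=ttyS0 console=tty0 $debug_args" > cmdline
# … unchanged: mkinitcpio and ukify build for kdeos.efi …
```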
@@ -2,24 +2,29 @@ # SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL # SPDX-FileCopyrightText: 2023 Harald Sitter +# If mkosi.prepare (PrepareScripts=) exists, it is first called with the final +# argument, right after the software packages are installed. It is called a +# second time with the build command line parameter, right after the build +# packages are installed and the build overlay mounted on top of the image's +# root directory . + set -ex -# systemd-machine-id-setup -# systemd-id128 machine-id -# root_uuid=$(systemd-id128 --uuid --app-specific=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709 machine-id) -# sed -i "s%@ROOT@%${root_uuid}%g" /etc/kernel/cmdline +echo "$@" -env -pacman-key --init -pacman-key --populate - -pacman --sync --noconfirm git base-devel cmake yaml-cpp extra-cmake-modules boost-libs boost -cd /tmp -git clone --depth 1 https://github.com/calamares/calamares -cmake -S calamares -B calamares/build -DBUILD_TESTING=OFF -cmake --build calamares/build -j12 -cmake --install calamares/build - -flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +if [ "$1" = "final" ]; then + env + pacman-key --init + pacman-key --populate + # Insert a fallback for starters + # shellcheck disable=SC2016 + echo 'Server = https://mirror.rackspace.com/archlinux/$repo/os/$arch' >> /etc/pacman.d/mirrorlist + # Then use fastest servers we can find + pacman --sync --refresh --noconfirm reflector + reflector --country de --score 10 --fastest 3 > /etc/pacman.d/mirrorlist + # Flatpak + pacman --sync --noconfirm flatpak + flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +fi diff --git a/mkosi.repart/00-esp.conf b/mkosi.repart/00-esp.conf index 4d7b47d..736216e 100644 --- a/mkosi.repart/00-esp.conf +++ b/mkosi.repart/00-esp.conf 
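Review bot: `reflector --country de --score 10 --fastest 3 > /etc/pacman.d/mirrorlist` does not restrict the protocol, so the mirrorlist baked into the image may end up with plain-HTTP or rsync mirrors. The redirect also truncates the file before reflector has produced any output, which discards the HTTPS fallback written two lines earlier. pacman checks package signatures, but as far as I know the sync databases are usually unsigned, so an HTTP mirror lets an on-path party serve stale metadata. I would use `reflector --protocol https --country de --score 10 --fastest 3 --save /etc/pacman.d/mirrorlist`.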
@@ -4,6 +4,8 @@ [Partition] Type=esp Format=vfat -SizeMinBytes=512M -CopyFiles=/efi:/ +# Tight fit. Would be better if we calculated this from the actual artifact size +SizeMinBytes=256M +SizeMaxBytes=256M +CopyFiles=/efi-template:/ SplitName=esp diff --git a/mkosi.repart/50-root.conf b/mkosi.repart/50-root.conf index 9926fe3..9037751 100644 --- a/mkosi.repart/50-root.conf +++ b/mkosi.repart/50-root.conf @@ -4,8 +4,20 @@ [Partition] Type=root Format=btrfs -SizeMinBytes=7G -CopyFiles=/:/@systemdOS -# NOTE: the FS isn't read only because we have mutable subvolumes. Individual subvolumes are readonly though. -# ReadOnly=true +SizeMinBytes=1G +Label=KDEOSLive SplitName=root +# NOTE: the FS isn't read only because we have mutable subvolumes. Individual subvolumes may be readonly though. +# ReadOnly=true + +Subvolumes=/@home +MakeDirectories=/@home + +Subvolumes=/@snap +MakeDirectories=/@snap + +Subvolumes=/@etc-overlay +MakeDirectories=/@etc-overlay /@etc-overlay/upper /@etc-overlay/work + +Subvolumes=/@var-overlay +MakeDirectories=/@var-overlay /@var-overlay/upper /@var-overlay/work diff --git a/upload.sh b/upload.sh new file mode 100755 index 0000000..2603980 --- /dev/null +++ b/upload.sh 
@@ -0,0 +1,26 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
+# SPDX-FileCopyrightText: 2024 Harald Sitter
+
+set -e
+
+s3="s3cmd \
+ --access_key=$AWS_ACCESS_KEY_ID \
+ --secret_key=$AWS_SECRET_ACCESS_KEY \
+ --host fra1.digitaloceanspaces.com \
+ --host-bucket=%(bucket)s.fra1.digitaloceanspaces.com \
+ --no-progress"
+
+$s3 get s3://kdeos/SHA256SUMS SHA256SUMS || true
+[ -f SHA256SUMS ] || touch SHA256SUMS
+
+# More readable this way.
+# shellcheck disable=SC2129
+sha256sum -- *.efi >> SHA256SUMS
+sha256sum -- *.raw >> SHA256SUMS
+sha256sum -- *.tar.zst >> SHA256SUMS
+
+$s3 --acl-public put ./*.efi s3://kdeos
+$s3 --acl-public put ./*.raw s3://kdeos
+$s3 --acl-public put ./*.tar.zst s3://kdeos
+$s3 --acl-public put SHA256SUMS s3://kdeos
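Review bot: The `s3=` string puts `$AWS_SECRET_ACCESS_KEY` on the s3cmd command line, where it is readable in the process list for the length of every transfer and lands in the CI log as soon as someone adds `set -x`. With only `set -e`, an unset variable also expands silently to an empty key. I would drop `--access_key`/`--secret_key` and supply the credentials in a mode-0600 file passed with `--config` (recent s3cmd versions may also read these two variables from the environment, which is worth confirming for the CI image). A guard such as `: "${AWS_SECRET_ACCESS_KEY:?}"` before the first call would catch the unset case.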