+# note:
+# fcopy -i = ignore nonmatching class error, always return 0.
+
+# for lj, this will be empty and fail
+fcopy -riM /home/ian/.ssh
+
+rm -f $FAI_ROOT/etc/apt/sources.list
+
+chroot $FAI_ROOT bash <<'EOF'
+set -eE -o pipefail
+mkdir -p /home/ian/.ssh
+f=/root/.ssh/authorized_keys
+if [[ -e $f ]]; then
+ cp $f /home/ian/.ssh
+fi
+chown -R 1000:1000 /home/ian/.ssh
+chmod -R u=Xrw,og= /home/ian/.ssh
+rm -rf /root/.ssh
+cp -rL /home/ian/.ssh /root
+chown -R root:root /root/.ssh
+chmod 700 /root/.ssh
+
+# default jessie groups + kvm, systemd-journal, adm
+usermod -aG adm,cdrom,floppy,sudo,audio,dip,video,plugdev,netdev,systemd-journal ian