+##### end network setup #####
+
+
+if ifclass VOL_BULLSEYE_BOOTSTRAP; then
+ fcopy /etc/systemd/system/faicheck.service
+ chroot $FAI_ROOT bash <<'EOFOUTER'
+systemctl enable faicheck.service
+EOFOUTER
+ exit 0 # avoid unnecessary stuff in bootstrap vol
+fi
+
+
+## misc settings
+chroot $FAI_ROOT bash <<'EOFOUTER'
+#### begin .ssh setup ###
+set -x
+set -eE -o pipefail
+mkdir -p /home/iank/.ssh
+f=/root/.ssh/authorized_keys
+if [[ -e $f ]]; then
+ cp $f /home/iank/.ssh
+fi
+chown -R 1000:1000 /home/iank/.ssh
+chmod -R u=Xrw,og= /home/iank/.ssh
+rm -rf /root/.ssh
+# remove broken symlinks or the following cp will fail
+find /home/iank/.ssh -xtype l -exec rm '{}' \;
+cp -rL /home/iank/.ssh /root
+chown -R root:root /root/.ssh
+chmod 700 /root/.ssh
+# https://ticktockhouse.svbtle.com/my-obligatory-ubuntu-ssh-agent-post
+# systemctl --user is not available at fai time, so create the link ourselves
+d=/home/iank/.config/systemd/user/default.target.wants
+sudo -u iank mkdir -p $d
+sudo -u iank ln -sf /usr/lib/systemd/user/ssh-agent.service $d
+#### end .ssh setup ###
+
+## duplicated in ssh-emacs-setup
+# done here so its setup earlier for convenience
+line='AcceptEnv INSIDE_EMACS BRC COLUMNS'
+f=/etc/ssh/sshd_config
+grep -xFq "$line" $f || tee -a $f <<<"$line"
+
+
+# default debian groups (jessie through buster) + adm, sudo, root
+for g in cdrom floppy audio dip video plugdev netdev adm sudo; do
+ if getent gropu $g >/dev/null; then
+ usermod -aG $g iank
+ fi
+done
+
+if getent group systemd-journal >/dev/null; then
+ usermod -aG systemd-journal iank
+fi
+EOFOUTER
+
+rm -f $target/etc/resolv.conf
+ln -s ../run/systemd/resolve/stub-resolv.conf $target/etc/resolv.conf
+# needed for bitfolk image
+if [[ -e /a/bin/fai/fai-wrapper ]]; then
+ systemctl enable systemd-resolved
+ systemctl start systemd-resolved
+fi
+