-first_root_crypt=$(awk '$2 == "/" {print $1}' /etc/mtab)
-tu /etc/fstab <<EOF
-$first_root_crypt /q btrfs noatime,subvol=q 0 0
-/q/a /a none bind 0 0
+##### begin setup fstab for subvols we care about ######
+root_dev=$(awk '$2 == "/" {print $1}' /etc/mtab)
+if [[ $root_dev == /dev/dm-* ]]; then
+ for d in /dev/mapper/*; do
+ if [[ $(readlink -f $d) == $root_dev ]]; then
+ root_dev=$d
+ break
+ fi
+ done
+fi
+
+if cryptsetup status $root_dev &>/dev/null; then
+ crypt_dev=$root_dev
+else # if we are in a recovery boot, find the next best crypt device
+ noauto=,noauto
+ for dev in $(dmsetup ls --target crypt | awk '{print $1}'); do
+ dev=/dev/mapper/$dev
+ if awk '{print $1}' /etc/mtab | grep -Fx $dev &>/dev/null; then
+ crypt_dev=$dev
+ break
+ fi
+ done
+fi
+
+
+fstab <<EOF
+$crypt_dev /a btrfs noatime,subvol=a$noauto 0 0
+EOF
+
+shopt -s nullglob
+
+# ssh and probably some other things care about parent directory
+# ownership, and ssh doesn\'t allow any group writable parent
+# directories, so we are forced to use a directory structure similar
+# to home directories
+f=(/mnt/root/btrbk/q.*)
+if [[ -e $f ]]; then
+ fstab <<EOF
+$crypt_dev /q btrfs noatime,subvol=q,gid=1000$noauto 0 0
+/q/p /p none bind$noauto 0 0