diff --git a/conf/bootstrap_apt b/conf/bootstrap_apt
index e726c6c5..61091af2 100755
--- a/conf/bootstrap_apt
+++ b/conf/bootstrap_apt
@@ -25,7 +25,7 @@ mkdir -p $SOURCES_LIST $PREFS_LIST
 
 # Default Debian PHP version. This should return the current:
 #   apt-cache policy php | sed -n "\|Candidate:|s|.*:\([0-9]\.[0-9]*\)+.*|\1|p"
-DEBIAN_PHP_V=7.3
+DEBIAN_PHP_V=7.4
 
 # keys are provided as ascii armoured for transparency; but secure apt requires
 # gpg keyring files
@@ -42,6 +42,12 @@ done
 kill -9 $(pidof gpg-agent) || true
 rm -rf $HOME/.gnupg
 
+if [[ "$CODENAME" == "stretch" ]] || [[ "$CODENAME" == "buster" ]];then
+    sec_repo="$CODENAME/updates"
+else
+    sec_repo="$CODENAME-security"
+fi
+
 cat > $SOURCES_LIST/sources.list <<EOF
 deb [signed-by=$key_dir/tkl-$CODENAME-main.gpg] http://archive.turnkeylinux.org/debian $CODENAME main
 
@@ -53,9 +59,9 @@ EOF
 cat > $SOURCES_LIST/security.sources.list <<EOF
 deb [signed-by=$key_dir/tkl-$CODENAME-security.gpg] http://archive.turnkeylinux.org/debian $CODENAME-security main
 
-deb http://security.debian.org/ $CODENAME/updates main
-deb http://security.debian.org/ $CODENAME/updates contrib
-#deb http://security.debian.org/ $CODENAME/updates non-free
+deb http://security.debian.org/ $sec_repo main
+deb http://security.debian.org/ $sec_repo contrib
+#deb http://security.debian.org/ $sec_repo non-free
 EOF
 
 TKL_TESTING_LIST=$SOURCES_LIST/turnkey-testing.list
diff --git a/conf/nginx-modsecurity b/conf/nginx-modsecurity
new file mode 100755
index 00000000..5273b9e4
--- /dev/null
+++ b/conf/nginx-modsecurity
@@ -0,0 +1,79 @@
+#!/bin/bash -e
+
+# This script generates the require libmodsecurity module
+# for Nginx - assumes that Nginx is already installed via apt
+
+# only need CODENAME, but gather RELEASE if set
+RELEASE=${RELEASE:-debian/$(lsb_release -sc)}
+CODENAME=$(basename $RELEASE)
+
+# as the name suggests, BUILD_DEPS are needed during the build and will be
+# removed later
+DEPS="libmodsecurity3"
+BUILD_DEPS="build-essential libmodsecurity-dev libpcre3-dev libxslt1-dev \
+            libgd-dev libgeoip-dev"
+
+# create and enter dev directory
+DEV_DIR=/tmp/nginx-dev
+mkdir -p $DEV_DIR
+cd $DEV_DIR
+
+# enable src repo, install deps and download nginx source
+cat > /etc/apt/sources.list.d/src.sources.list <<EOF
+# Debian source package repos
+deb-src http://deb.debian.org/debian $CODENAME main
+EOF
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y $DEPS $BUILD_DEPS
+DEBIAN_FRONTEND=noninteractive apt-get source nginx
+
+# collect default Debian build options and tweak as required
+OPTS=$(/usr/sbin/nginx -V 2>&1 | \
+    sed -n "s|--|\n--|g; s|^configure arguments: \n||p;")
+CC_OPTS=$(echo "$OPTS" | sed -n "\|^--with-cc-opt| s|^.*='\(.*\)'|\1|"p)
+LD_OPTS=$(echo "$OPTS" | sed -n "\|^--with-ld-opt| s|^.*='\(.*\)'|\1|"p)
+
+OPTS=$(echo "$OPTS" | grep -v -- ^--with-cc-opt)
+OPTS=$(echo "$OPTS" | grep -v -- ^--with-ld-opt)
+# remove default modules see
+# https://github.com/SpiderLabs/ModSecurity-nginx/issues/159 and
+# https://github.com/SpiderLabs/ModSecurity-nginx/issues/117
+OPTS=$(echo "$OPTS" | grep -v -- ^--add-dynamic-module)
+
+# clone req'd repo and compile, setup and enable nginx modsecurity
+git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
+cd nginx-1.*
+./configure --with-cc-opt="$CC_OPTS" --with-ld-opt="$LD_OPTS" $OPTS \
+    --add-dynamic-module=../ModSecurity-nginx
+make modules
+mkdir -p /etc/nginx/{modules,modsec}
+cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/
+echo "load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;" \
+    > /etc/nginx/modules-available/modsecurity.conf
+ln -sf /etc/nginx/modules-available/modsecurity.conf /etc/nginx/modules-enabled/
+curl -o /etc/nginx/modsec/modsecurity.conf \
+    https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
+curl -o /etc/nginx/modsec/unicode.mapping \
+    https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping
+cat > /etc/nginx/modsec/main.conf <<EOF
+Include "/etc/nginx/modsec/modsecurity.conf"
+SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
+EOF
+cat > /etc/nginx/include/modsecurity.conf <<EOF
+modsecurity on;
+modsecurity_rules_file /etc/nginx/modsec/main.conf;
+EOF
+
+# add modsecurity to default nginx.conf
+if ! grep -q modsecurity.conf /etc/nginx/nginx.conf; then
+    match_line="include /etc/nginx/sites-enabled/\*;"
+    new_line="include /etc/nginx/include/modsecurity.conf;"
+    sed -i "\|${match_line}| s|^\(\s*\).*|\1${match_line}\n\1${new_line}|" \
+        /etc/nginx/nginx.conf
+fi
+
+# cleanup
+rm -f /etc/apt/sources.list.d/src.sources.list
+rm -rf $DEV_DIR
+DEBIAN_FRONTEND=noninteractive apt-get purge -y $BUILD_DEPS
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
diff --git a/conf/turnkey.d/motd b/conf/turnkey.d/motd
index 3df7be76..2439699e 100755
--- a/conf/turnkey.d/motd
+++ b/conf/turnkey.d/motd
@@ -12,7 +12,7 @@ EOF
 cat >$MOTD_DIR/07-check-inithooks<<'EOF'
 #!/bin/sh
 
-if grep RUN_FIRSTBOOT /etc/default/inithooks | grep -i RUN_FIRSTBOOT=true; then
+if grep RUN_FIRSTBOOT /etc/default/inithooks | grep -iq RUN_FIRSTBOOT=true; then
     if ! grep -q boot=casper /proc/cmdline || grep -q boot=live /proc/cmdline; then
         if [ -z "$TERM" ]; then
             _term=linux
diff --git a/conf/turnkey.d/zz-ssl-ciphers b/conf/turnkey.d/zz-ssl-ciphers
index a14e0155..79e9f054 100755
--- a/conf/turnkey.d/zz-ssl-ciphers
+++ b/conf/turnkey.d/zz-ssl-ciphers
@@ -27,7 +27,7 @@ fatal() {
 # Apache2
 CONF="/etc/apache2/mods-available/ssl.conf"
 if [ -f "$CONF" ]; then
-    sed -i "s|^\(\s*SSLCipherSuite\s\+\).*$|\1${SECURE_CIPHER_LIST}|g" $CONF    
+    sed -i "s|^\(\s*SSLCipherSuite\s\+\).*$|\1${SECURE_CIPHER_LIST}|g" $CONF
     a2enmod ssl
     a2enconf security
 fi
diff --git a/keys/tkl-bullseye-images.asc b/keys/tkl-bullseye-images.asc
new file mode 100644
index 00000000..ffe6db6d
--- /dev/null
+++ b/keys/tkl-bullseye-images.asc
@@ -0,0 +1,65 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGEKinMBEADLFpslObFU2N64Q+6XFLZH4m5umrMKzS3lfFdFIuI6YLG56QD+
+IDSHk+6ZxHxfsCyTZ2aHyzaE72KYmIAdK7EoHORJy1n4NM+STMVesVw7cmqDcGwx
+6pn0iUCMZzoEZ0t/jwz1loW/7OJPVtmRL+BRl6w0Hwv1ViY7lUJLfrppaWgbxuPP
+gScWwg+GLbbn1bMJKHMEsZ7azgcGjpojq+7EnQ+ibFshKJcaGyIKeUjMItjjg6B9
+iuJQlYo2jw7iGsWk+IPRNE4aPHkO9lg7qCjMy5d5ldQ98ayugv+MX7PcufMUcKbr
+0FsHOhDfPL9Bvej0GDy3Coso67ONgmgLHFk+kOcdna9ogUdF/00FnBexr4WhVPvg
+If1mXci7y5OFRqAimLJC2n1BH2monGT4ytUtNXKS88kNo/P/yfMZ99eVJGf/guxZ
+AZ6WNIUz8xsjxZUKRHqXOvrr/KlWAfiKy0mGQgSAd5mfYXM7hQLHI6ppkfy4MryG
+l+yaHsS/zWr136vpcPUMCEiBJFeutoxlNbiolH4K1cKVRw6dXwBpGakJ+9EDExal
+XisvkK80Zo7BwDJygOg+f1rTGB+C54PC9n5PjW05NrPuYLj6CZGHJg2iZNsJVja9
+P702WCSxML4ZCeRXoUiuQdI7C/ibxRvRA8SV0GiMng8l2YT5SONBFK6IcQARAQAB
+tIBUdXJuS2V5IEdOVS9MaW51eCBCdWxsc2V5ZSBJbWFnZXMgKEdQRyBzaWduaW5n
+IGtleSBmb3IgVHVybktleSBMaW51eCBCdWxsc2V5ZSBJbWFnZXMpIDxyZWxlYXNl
+LWJ1bGxzZXllLWltYWdlc0B0dXJua2V5bGludXgub3JnPokCVAQTAQoAPhYhBOEP
+ZWcMjr5C7Qw6ScylEXRGj5BzBQJhCopzAhsDBQklmAYABQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAAAoJEMylEXRGj5Bz7rUP/1coBoqVp3MDNWTBtRrjlKwjZJ/ccb0H
+bw8CmKu+9y5XexUl+kZVQvRBPoukRUsFp7qyjfGBIsaEqf0zaTwcY85iMrI6tjtu
+pme6F/U6rb8FCqJAggB5OmBrDKFl/VqsWodC9pyD/1lFQAxefWWCXQYA9W2v5pV2
+ZIzuof5VwpWC/XJHdrGll0nW9ZHu+Ub9Snr81sSxbXuPEBBA/P/XOgE918koum3R
+6ZUdoaarNjTwemrYQ/LNvpW/ATsegbFLBty1GNKIVom96sPmPN5b04tUX52BMWpk
+t7Eib2zu2t0P256qTYd/ijSNaBoaXrh2ZUucgJ6YWG5P9ZOqed0cW9tpzRKi2/3k
+yhHfGgzQZqkfirMnsNsMzTIql/WiMjc+sH4Gah7joAneBJWCKvrbXY3zpWkcL8fm
+l+KD9K+fG2ZNUwmTj1HPwEuqInCfBFmLepoAHPAXBMnnFutZRNyQyOfhMPbcNn4h
+D54nleR2hzXqMImcLczJKOBVIpIdLDy/Y+7GA7EMJlL8k3SihFG7NOkP3mIpqeHp
+EgfIKAf7CW19V0RBMIrh447jUifCbXbSagGcm/a31PrhOHc5y8d9c1KAN6vtY6dj
+GRQ1aHZKoeEYZHK0aBTIi6bs3ZJ+MAtwLKSVtER7NM4LPMFUqwTy4ytE52AdnE5F
+9GAzsGOpVteOuQINBGEKinMBEAC03esA0g31OsUhvkiPYigCGJRf3r1BkdnReQg3
+3+o9ygsHFcX47/KEPneZSM2200AVC3wq3q6Aua2WnzTsYAiYwdC9xsPe+HDcIVcN
+7ItA4Vq9X0uRwcpRo+cPcwGH10T9eamav3bKVI9/qTjuIpLosTd4WKE1OSP4PP2v
+VkWMkuZ5P3s94I3TxIAGooZbXUJV2XOAv5iRgzfmAaMiq2lnEa0cV9YdiqdKAps3
+8nj+D19EwlZBFk6o1L15c1R3HczFbMaayp/4dLqtnKrnokHu+VWzper8gLkBc02P
+eGYvMqiln87KobqpIn+cAuxrcow+atA1/3au1mtP1YIIUaq3LbZnQfL4by4A7r8M
+URox/9/ddFcD/VbF1rs+rIsS/jXIOT0PNiDQ1mbEZElX2GvssZlInJb2ttovn4t/
+BXSYZtvu1hWEELt27dab9csvtE15qCzyAiAtH+SD2O3ywoXt8Iiuz9M7Amf/gtLp
+yhivMVWvASqPlRoi2mEAcaXYfgvrJeGRvDEd308lYBYdRNwZCGN4Y8M/Gs9LbeL+
+GLsC29FYKX1Lf/YoEOnn2kS7QucIJS/nGKzjjAxLYKW8wGStIfcD+6v34C+s1Tez
+nD+JtIDzJQPd8/3/N8kA00okgxpafUksTZ6A2RTKH+nEbelk1bLDd0S5/4KcVhWO
+2bCbSwARAQABiQRyBBgBCgAmFiEE4Q9lZwyOvkLtDDpJzKURdEaPkHMFAmEKinMC
+GwIFCSWYBgACQAkQzKURdEaPkHPBdCAEGQEKAB0WIQTdg/674la5Kin8G4IeSHpG
+Mdb+tgUCYQqKcwAKCRAeSHpGMdb+tp3qEACg2eoWdtSYdwQbWLZv68YHB3jA5flb
+N2RLfmvLh4wcv2Z1t+uxdoTywep35idg8hs44eQ4M0YQ89QRCA919njyYuJi8TtZ
+VRC32oaruAXTAIhAkzPsrsNOHUDDgpQAsvOYUDvdkBJckMObLdOvPBFTxOwjynd2
+C8mz7rBqsMnJmSywPbsQJt+OlHUbRPiRwDsODO1/kUDmj5FrJRL7HDzl7FqWOL0I
+TWIrytoBvz79gli4XNJB4l+NFFaYp28u6qtc9JtL2WQoSOVVTo+8Dn9rBF2J+RrA
+91+J0m6pCJq+vAF7Sl+b4iHb63L9Hc2PV5AG2w7iHYvCTnwFTJTais8msHvsBQsP
+J7YzntgKdpu09Q/uM8GY+hoLTC3UycbkRj8Fgxhytw7mY8cb29eXGHNo1DVDJqzA
+z62hbcCKylB8Nor/OmHQTY+Rtg7Z62rBrsAzmawfgSgBC3AblnqSnzwk5vB3v18K
+1/2fsdcGkYi52PCD+xhm5vxyht0YR3z92k2gafi6NdX3XQsRLT8ucezc/fJ90dZZ
+hrezrQqwlcjwK5kgbQh3TT4OkD5becvx/6KqSTfeMKA879+8BoiqC3HDHj7s3AE7
+ahBVqtkFKfRb0sA75+afFMgUuUQkbFdk5LfSEo6qoIISGSZJKFGMt6brw81kmGBm
+hMuHPSJ78U9ZoZnwEACv80nRbcG5Bn7hmMezYyCtvBmUv5YYJSUuejeHdMyWYMhi
+qvvA/Ip86PK/5n/SNWzYlrIJitoSusFcE8ONf6C5w/wmy65WVdj05hnMVaO8WxKs
+ZYMDk4nIaesRJDsD50ZHKA1lUx+5cWLZtZweQA7JEWLu14KPEwzcrnlqCzSl0+7D
+02ZkNeXIF2UaZORemUomUmgkCtZWaVu/w0RCVWPYGMMfFJF/erUnFRQhcjgXfvbR
+JmCCDs5ost5kl/l9xP7Aj8VrijTKibqBQNwicGKQOLfkZk1opQdFMUJkAybYwJTq
+uvu76eCLC8qYY8chZOnIGNXSch9QnWmxb9ypp1qCnpCqE/EUM4uwpLtvYy4BorYP
+BeFf+v8JiIbMTjZX0c8KlBMWB4i733tCiaWSu10xf2GfjUjlbwJfVSfbMQ06Ht3K
+MtadSJcR6FWYvgWr/x7306Dl9R7N9WGPOLi9QxAN4kB3DS8H3vRbO6RxGOF7Fn4n
+mkh1kCwYskhSTLs5Wo6uIYvkvPHDvPRzCRTWbXKVMaJJqu8oGrG4K30M+1jMyoKl
+qcga/qHUMxpzdZtYyvIZDaEkZt6yJEPGIwVWZ2aFjsrt/V2RBvyJSEmmTLJ6V/Dl
+snTa4MQrzWKQC70VOeK+X6yxX1BdGg5A2zrKkr9y1aAKcnqfNvvcI7y8oR3GkQ==
+=ATRZ
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/keys/tkl-bullseye-main.asc b/keys/tkl-bullseye-main.asc
new file mode 120000
index 00000000..71cf1a99
--- /dev/null
+++ b/keys/tkl-bullseye-main.asc
@@ -0,0 +1 @@
+../overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-main.asc
\ No newline at end of file
diff --git a/keys/tkl-bullseye-security.asc b/keys/tkl-bullseye-security.asc
new file mode 120000
index 00000000..aee4ccfd
--- /dev/null
+++ b/keys/tkl-bullseye-security.asc
@@ -0,0 +1 @@
+../overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-security.asc
\ No newline at end of file
diff --git a/keys/tkl-bullseye-testing.asc b/keys/tkl-bullseye-testing.asc
new file mode 120000
index 00000000..aee4ccfd
--- /dev/null
+++ b/keys/tkl-bullseye-testing.asc
@@ -0,0 +1 @@
+../overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-security.asc
\ No newline at end of file
diff --git a/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-main.asc b/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-main.asc
new file mode 100644
index 00000000..6982fb10
--- /dev/null
+++ b/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-main.asc
@@ -0,0 +1,66 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGEKew4BEADhXIcvTzznjS6YFUgJ4WLWE+yfDMajw3ayIQy+31BMb3rTi6dQ
+4bCFvHt5Jm+u38nWeeGIHVWpTVN76hbcNnYK76+otNk73GDadKhAO6gT0l1SY/79
+O8mVOTwIHGqNf8nbzYKD+Nrctk/tAbL96a2j9nuEh3jP7i2eD90LXEN507622+3J
+kdcMLemwzfTK+KJynNZrcR5clCiufck36aCwrHWZrekiCjD2r8LgFW8lxtaGuV3R
+xfwyD8bYsZglu5PEO0ItE5tsFt6m8MsI23apnQIZ36jQuLQxX1eXYuMLMnSLK6xI
+BeI20zt9GZ5jyhDWogPD4Cv1qyxQqONQMLsRGmAmMBjAtcIGGD3mYm5KexzN6g0W
+OA3eg0BYUlBslP0C8i6YHF/6sU4DnTZGsAHuEnW7a/05fnX+kLhec3rHuoDEtvLc
+5Sg23PqE2JAeZ9c9A7bOOEoQDAvuZjAPBoWqkIc16sJo+HKauhUDg6w7wgMUhk8Y
+EqBUsyXwAGni3NRDtO1X5UzWIVeJy3dnXV7qRKt4mQ6G1NZiiXlSQD9kjhBMBnsR
+QQlcf73XeHh87zLwmb5aU5pJvn3kvkp0U+vbAViU10qbeSMLdjr6G3cJc289rDr/
+HAnO2iX5miRRHoRllLtcvSgEuIWboIWjiIVGAS193eFJD/s+hjcuyS8zJQARAQAB
+tJJUdXJuS2V5IEdOVS9MaW51eCBCdWxsc2V5ZSBNYWluIGFwdCByZXBvIChHUEcg
+c2lnbmluZyBrZXkgZm9yIFR1cm5LZXkgTGludXggQnVsbHNleWUgTWFpbiBhcHQg
+cmVwb3NpdG9yeSkgPHJlbGVhc2UtYnVsbHNleWUtbWFpbkB0dXJua2V5bGludXgu
+b3JnPokCVAQTAQoAPhYhBE1JAmC8tUEVgxg0y4MQ+1kkTtb6BQJhCnsOAhsDBQkl
+mAYABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEIMQ+1kkTtb6LG0P/jVzE3n9
+2RRgtxry3LFyFtIVJ82lUbEn0wmnbRK2xmMo3jXXjsXU3yY85p8LRtWFKdJrIgSF
+JNIUZsSF6gdPGTtn4dlAxvKms8alexlrs6t+ilwywxhUYZMXOGB0hLytx9oHcrAj
+zPqXj81ulOFyafEAvvELmY7pSRioEyv36fxJ7ByH6r5YGG9mUhtN9Lca4zR12jAc
+GMX849CybpGovLW58KZUAm6EitCadyxgdN/TFlFRAx4gThRjaEpknaZYgACsvRU1
+KC+C1bXA1L3x9Tku0IpvlCv2SE7+jFGTyx3fNjFYBufE/aagbVmiWMAR7F67uGwP
+cm4qAxWNQ/b0PKjVEI8eGmQmee4SwImZ1pQ7qRmBiCVByuKke5Y2TTpxYEA2FsaL
+xmZwmoyxyjFivBj9/22R1rsJ9XVxNKW8enclSg2YHpcAzItnTK2nwVRTWmQ3X454
+6QfJv8PHqlP9w3oh9NLy9adCPKlE1rXzGQeaTqi0ZU/HOroHV/c46YZR8hz8rq02
+sjebHnSQY+nuKX7WylP3ZwDI5/vs5iZX3xGxAIy5G08fHCUnuXtAHEyLauVw489h
+776KgEdIyIRB70+KG1Mz4yd6ZsFaQZ43SmhacdI04iuJlU5mO9cyvXDh/7/UAYF1
+o9GPb/2tTqgkA8kogUHWbLcwSCYDxOspIyFTuQINBGEKew4BEAC+nzUvvD6nTEMg
+LDyXBuWVKNS9z7zsDzAcpNSuae8+VrcHQ2HCn0EYNET/HOdBdhxgQZ5CXO8hxunU
+aW5Le1M/nXU9/rmHS2fADZyOWPgUN0eW2+MWm0PjP3R7fTL/OI6+7Iu01Bn0JYlh
+9Gt+S2fC6nEw47sK2WgGIkeFsZ3NLllh8sOrvyAl1rGIaeMEAaxVtq1KdKy9DaQL
+cCGTu1DBqr5bmJCLsP9Tlcvmp5Gmq86+q2l2RkJJf1AaBb8Tmd77keaUnQSAIisq
+8z+jDCPBFfRXLUl7pNLVgv+PGBniXz6O2GA4rBlnhhjsfwXNRz1gQmyWkyfOeujz
+gc1oL9KMw72LVWfA2CftLreFHala2KxJcv3adofTJqwJtTmQonEuxks3FWpYH1N9
+kHOz9+qX3tXc9uFcMyMp6kB/juI15+8FVqRehbMa0Cn7QMVbrrzNpNxE25NeUOFh
+bjez/2vymO0Edt9561Ovnu0qAcI1aVko6RbqWqtSMHzmtcGckq+6H3TdRh2fOBQX
+M7FAa4cFcof2gEqa9Cs4oGR8KK4FapszGzkm+oMaGyLrGArvQIHzQaCUe+oqC5+n
+DLOpnmOZLCQVIAw3ZGzSepwYnB58K4VIbNaIZAb5qXxuNXgrteLD3stKWDUd5c00
+4FDf+XLhFT4pCr0KTeSvaDX5pnvigwARAQABiQRyBBgBCgAmFiEETUkCYLy1QRWD
+GDTLgxD7WSRO1voFAmEKew4CGwIFCSWYBgACQAkQgxD7WSRO1vrBdCAEGQEKAB0W
+IQRrqA2rqOhA8WnDKd8GMg1sulf2DAUCYQp7DgAKCRAGMg1sulf2DKLDD/46kSu0
+M6/QDANLQCWWfGzj/IPHcOALiUmrEBCVQUf2d8KoOXHx0cXLnOX2QicC6iya5LCy
+wuT2CZkq+auBsngOgg0lE29YeLRjSCY0NwFJnJ0lemCD9Qa80v/1sKnzaHXr2o9x
+I5nwqpQMQ15VKdLJuwCMFR/KBRIz2l2xuXy3HEhZt7VDsNvrMDImkyG7vGAGEGyc
+9hJw657ak4WhwxzYoLzweLSkHWqDfWp3LWKvYp0B0EHtrCnqVesRW5zz3adtCwZ1
+MVdPcn5o0jPX5TP9hzZ/LPSwdcdxS6qKWY0xZnPiy8yKPOk4OoVveUR3JTH5Y/vh
+vlcspIMgACeSRavVVyS/bLfuhEUGrzuJM8tlYl8R+EpXczhWuqxUWa1b4H8XWPmm
+JSSM4xLwOQsHtAM22iAWUFUFsaawp5jJJ4fbfg9LFNe2/Y2Ti73qdryMjLgaWCzX
+keZrsqZP3sTOPoLqsOGptosqntVImYc8UA7LM94EooH5DzKBlQuAIWjmaF7+H99A
+BvgxEgkYkUJWGdXSR60pc902fxIMYYB5YjPqOmRZFtpsiifPuI7/Jl8YNAzM/gsO
+m9FoEMiTpiCFNuK6jB94UcLN8C9ArKfMnosXRHiElNxYJxRNo+ZXplUsw0iVEOj/
+dC9WeYdQuNiic8LgW1Zd44PeaQj6vg2wOh42hvQGEACYL/5934gYpwHSCtABnip8
+CWK6yktTanQ25T/Hb7aviyi6XcNx1FqdFZ7iCCqNgDl1vp6dRM3UB8ly5hW4p8Gj
+mZb8xDbAwdIC52j69d8cbsE/ORFDvwvea7p0XA0ctO0PxojEpXUNBUF0oZXkK14t
+71XT7l9BYHInMbWABRpBJh/DrP0XVX5MuSfOep+ntX0HZHCLXTYlJD6tC+jVHNIn
+ck5LO1auNpb+CDFSdfxkNOnxm+kK5fe+dCVetqub0wf0LAse1QYHK0wb7MIhmDw6
+lndQ0qAJjAQMM54oqf7vR0/YFnAZmQjk1WUxtZFzdzSAEpynCw6IF3KF4zQndr0d
+jZvYr+25bQoUYvwDgbgJnFR+PTv+VseVgoo2OD2ejmGrMcQFVXbXzVNhxpxqLTMu
+tLmHkZ4xmnEYHta93zBkli2GmuZkFrNAn63lRli/ieQwrKWf/PSSEYApajusd4EI
+JhfzQBRbihfYHjR6K3aZf8e4koMGnI429+sXmZLgePaDcJ3GQMq/QE00VE/Pme0a
+q9qer+de5EdBAwzigcm4pwgmdLZ96gxU/cPSS2MK0J9QeHzCgff0F5LUrnra++Ny
+Pm5OC5dGP74xSoncMUA26HlEWOO0tzLsXHbQPTPSkI/8/2RtMI6q4TKCGr4ZaHnz
+vwm9eBMADprFPAZQSe03nQ==
+=/zdB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-security.asc b/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-security.asc
new file mode 100644
index 00000000..46b476e9
--- /dev/null
+++ b/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-security.asc
@@ -0,0 +1,66 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGEKfgMBEAC9KZT2nNW4Fx/G8khE4ICiubJ2wnvNd1C9iEsMVJHmPApv1Fm7
+TSuT/lGRcCgcfq9Z8tv3D3oS2nqV0bacwNK15K5G9Jq/hCShIm8uiMRasQ/DJZqE
++Srrzo/gKTXjiA/L3RqLrRK7NWxX7lxkvAH4PGbEGcOoNn5czKxqfvDTfTZ6Rj6B
+6OGGqn5O1dJjT5u/J4IyGDG1nE2xXiSFq5hV7J0KiEZ14fjXr/pPD0h4Yusx0tsb
+DOxdhc1DWzcZ+dpMlgYKEmoV8lkeFo7LyDIEOxtEeRfXk9kmrQKOAT7b+I0p1GGA
+e/HEaw8C/HAIARV7GdTEB8hH24p7otalnmBMec6dbRCmZA8J+exyV50ie7kzbOQp
+zbaRD3njnRMbrbAsA6RYKnAFe6+wVzKeyDOsbY/dVQx9uRzu64nbnPGKEhXCVW2m
+Km/yd6Eq9mDo9oDpODui0eL2k+gVp1lc7301vK2atGSE1v+dZ5yv+JU6no7APQ8j
+7dPOcKBU+KC/I6Ts11ull89EsysNL1O7mTa3BtKYPn1MIJbpwh4X322gY27Wef2v
+PdyAB3SCGSewy6nV7WgDa7VgXiYDkqHqzb+BI7kFsl4RIjp4DxP7oqHxaS9Xh1y3
+oK4X7q0QWaXTQM8lVA6GIXxfrSg/0Y5neF0dRICj/fjiYWK5oJvT+FKkSQARAQAB
+tJ5UdXJuS2V5IEdOVS9MaW51eCBCdWxsc2V5ZSBTZWN1cml0eSBhcHQgcmVwbyAo
+R1BHIHNpZ25pbmcga2V5IGZvciBUdXJuS2V5IExpbnV4IEJ1bGxzZXllIFNlY3Vy
+aXR5IGFwdCByZXBvc2l0b3J5KSA8cmVsZWFzZS1idWxsc2V5ZS1zZWN1cml0eUB0
+dXJua2V5bGludXgub3JnPokCVAQTAQoAPhYhBAunCZGPSKtsb3TvZxi3u3DGjrD8
+BQJhCn4DAhsDBQklmAYABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBi3u3DG
+jrD8i9gP/0ae+DD5a/D99lv1GMJlWOvcsr2zjbHTaWSOWPMO1dssI68n5NC797kD
+Nn/DbKqTrNzFHkqc6m3lMZHTk2+g2xnzXhjTp7JM5J/0EioAAIM+hFPEg4us8vCn
+lJUhONgtgl6h7TTMFzR44ReN3JRyyB83SJ0haKpf2HxO8T6ABzPxbrK8D3xFo5L9
+o9XPjD09qBb9UGQqw81MaqZRVpTbBaxHYk+jUTjrF/8JmL5Hr4QnJYk3ezsgvr0A
+Ver8IyFbptQ+LlpHOVqwtS682Kmq//de2WqK6SpJYLk9H8ovrkhjit2PgBDM7p6z
+FJJxNYxWLLGJysmj1lzPYxJy2DnTuWrF935TrziyjyuByo/AnFBDawLShdTcTAWV
+rO07ItjdcLhO7M0k00xchIu3DpOvey5dcjaxoA9PdWHov5qSEzpRtE5srvF3yGMj
+VOozoZwWt4vHQlCl6oAG2OUYilqOB9Q32W+4T3q6fVDKxgLwBn4ZtjRQoLhUFc0s
++rsMNsgw1tDiQJXvbQ78ySsGNlEeS6K/OM1+/Ep7xYVp9aENrqq6EwYLqPGCmT8E
+C+13H05yf76h8IRmfqmzokcVWg9stTCK3MhZj36cO0Ay44XGkp4ak3BhzoBy9G2V
+hLx79MvXFQHYqVBF8o/cS+sHsPLEaZqRyw7ToUCY/VjhI7nDYSS4uQINBGEKfgMB
+EACmVLezISyEkgt/LbUxXvM9YJzloePs/6qjmCdPPl/+DjWPXOtOqKWFvOQV7Pff
+lh+DcvSDTHhkE0fA1rODGYDjOpIeFqNCx34tiV2o3gsvbhQdnK7ABjQ4Qk466QE6
+U7i6UX3R3KbGfdlT88mXJJM6sqHFQLhMiKZM0oohqwbZTfUEV1sGIR7B/qefL/Bf
+sSspamXiMzSUJ2jWN7f+CqRUy3NKF3lqFIIpJvlZW3l0tTqyDzyUaiDfkziplSzN
+RdHb51neHRPGQZFsxY5kgw4JTHn2igCNjmHqMZDtG/BnlZswk6y92v34oqUR3jFQ
+1BEcaQt1LB4xVx1lSMIwCy01Oa3+3cIOA3sURccYvZs2KiaGcD7R0jUWgDf1/Mno
+cIXp5sCrcFJksQq8rdnZ9V0eNXsjQB5YU+NiVkS+IPUgcZyypFrnPZQmZMhY5I5A
+zI9ukr6/VYIUK/anEG+zr4XWji1X6Wx69XGY/6Mzt1j7epqld7fH4o0c4AJmWY0/
+yeV0bgtNDUGokq7coto47TiKAhnh08KI/ZMmv+87asdLuDwhZaoLYYb4qxmPlmIU
+gtDMfS11xkwgYlneFDZb+EhHAf4WAnSJkllJdRtQzKRRdhtmPM0BLVrSi8jFaAYf
+ITgeU9VhTd+fsYX7LFReBURr6mxGVoT+HO+qDSz4DrCr0QARAQABiQRyBBgBCgAm
+FiEEC6cJkY9Iq2xvdO9nGLe7cMaOsPwFAmEKfgMCGwIFCSWYBgACQAkQGLe7cMaO
+sPzBdCAEGQEKAB0WIQQfKcGXz0s0r35xd1/72KALvMQ9RwUCYQp+AwAKCRD72KAL
+vMQ9R681D/oC7AoRGy6J8FIHRQ3ELkeCB15nXy3qzQN9VDfgdDsiLy7zc33Z6pBN
+a5ZXH7OyMvQAKQp3zf9q00QpzO39sqlBRWWWhe2dTrCgXjoboSgK+AMmkvIcVknR
+GBk2ClHWR1ljzXWbOs/iV2oQqEmJqBRvceCpuQKWtL9ax9/ufSnObZatcJyux4qQ
+D8PrTSbbdblEpse+jxDsN8VETkHBtqQWngSIojFeN03FQxiuU9sQmS8axxEk21EJ
+X216tlyFIyfCTi7rBGAjXV8KKKfyWyP8fk2Kf8dasmUngErwqZUGrajHpOSoeUvS
+FQZuu+ABFiBYH6S5owaG0zeGO8H3+JxfnehB5S9OynBzPcOWXTk64StbP8T8zY5j
+oXsMBlxEnbZ7UozQckI0NS3aK0axE9p1ajR1DjjzQTcI7s8IGEbybMHb8t/oYz3O
+ORj7MIGEBU6hwNy6qMF8d9dWN05yQFfrOJqFEaVk7ti9gdyyi1eIEgSKFnM7UBr0
+u9ins6R/RrNOnJ9EibodiW4AXdZ+g3b6Anftgf9RGjWPF2XL9rOLQNT2zTKgANYq
+nvXn5bYvs3H1XSsEmWpf2uNOyNbGX87yCthKpRcQHDWimNZ2+zh+ag8qigzE4hQc
+RLLQUAF49Kj9g5E48DzYsAxw8AypRtyACiPrAHWCw2ySvk9L84qycUd4D/4hTDhx
+8QHT9AJnJ67Cie/d4SoVY1FJRo5FMhPrINtpRxEOYVZlXgLre9rb+1CEN0DhE+QG
+gMkExSMzi6v9KBtzmt0cCnWtouYLeL4g+DCTtn2ioVpXQrsF+6o2rdlGJEuslOyZ
+NIv9c6VGgFkNedgLM8vv9Rz3STENC8l+mTvvFEiDvNYDmltlB57WsivunyINLrUF
+RCJQGAHtV6JREWLeUPRfa11y14kAgriZ2esfTMthagBNB5WanJgT+Ab7pqjORAQ0
+btCVzdgZyDs6poC1S4BgARHUkkB3GZcg6K59oVcVutdoIgS4NCu0mAToeqnJFhD9
+mnqN527S1U7Mf13ESb6un/Ahcz/rQ+NT1dtgIgjOnMK9VKKVSPWmy477A4awZOYR
+mvXgX1pjp+7BcnXcAnoqFGudU8pcyv7YN7Vh3IPKh0UJuQKnPLZBhPSgoMEFE7DO
+ZnTVkYVwJqln9oEsvl1JYq8rwi/NyrpZfo2HoYleQ8GKLceq08mrYeN9pHV6kkY+
+7ydV5yrc7Aew1M9Y4bnzWchBow6QoAt9Whxuoph82mlrEH8gnIIoyWc0RTGROszi
+k6tnt9O+iyyj8W6qp7n0uNR+nMD79Rk7LeHmbr7tNiwfBScQ+5t+Fyt9phpuAjE3
+TrVHK57qIIiF9f4L9UJNBbcCVKPsGdCOhoqcaA==
+=p2Hq
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-testing.asc b/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-testing.asc
new file mode 100644
index 00000000..e49b0528
--- /dev/null
+++ b/overlays/bootstrap_apt/usr/share/keyrings/tkl-bullseye-testing.asc
@@ -0,0 +1,66 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGEKg+YBEACypldELMX938IS4hMMQrGSW8QOSCu/EPlOhor6ur4OjYvQDYgg
+C/KjzezgajZKpSgfmCENrv2n/b7+jOh0lvVrXErsWjt2FE/l1p7VlMdRE1EG56pL
+y4iWkEeISRwjck5woXC8RF2vchjzOW1F5/9rgIUUGfIcS9iTuCM8OvoU4Srk4dkq
+QgS1QQgwieQyVmv3sdAZEPBEMc4PZVqIR81CYfvj2Yq6xVI5D+7W8klMilWFHHY+
+Uqp3BuZdPsTSSrdYS9JSUtIiAMSz5HHKs2mhde4bFwt0xYt/yfxzyLiFjB0wilad
+x34Zt7EUOd/TFUf7gNCt7wwtgJc++aMboEA9MIrfWm2ugo8Mab9iXa7sRj5DtV9y
+8GEGFa3a/Aktfk8nh9QwR/3RqhF/P1mYfi+ocrkUAg187kc4USZruYa17b6uCE4r
+Am/erKVyBtDQ/1sHCNcyp9iavL6L1Rgj3LlTBzaCJpBva3ESV2GWsmMvsxoOnnwN
+OqRxi3qZTnr2LjwsPt1bTYXiV4qPzw7+6qpK2VtFZ1UlV6KlhWMhOpSK8xGScYD1
+rZC+ANIj/+Do5d/7NyDmrbR5Jv3ZRP4Mn0uC8TrQ45sPfClcNIHZcxgIT8tj9KwD
+JTU4A6bpfrc0RzFmITb5ERXXa2B1KuXWbjiCvP95/h+bXUxMZxhpSq9IzwARAQAB
+tJtUdXJuS2V5IEdOVS9MaW51eCBCdWxsc2V5ZSBUZXN0aW5nIGFwdCByZXBvIChH
+UEcgc2lnbmluZyBrZXkgZm9yIFR1cm5LZXkgTGludXggQnVsbHNleWUgVGVzdGlu
+ZyBhcHQgcmVwb3NpdG9yeSkgPHJlbGVhc2UtYnVsbHNleWUtdGVzdGluZ0B0dXJu
+a2V5bGludXgub3JnPokCVAQTAQoAPhYhBPMYq96Tdj+O9KblDU2KDmULpnjcBQJh
+CoPmAhsDBQklmAYABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEE2KDmULpnjc
+EF4P/ReuRtNUl+rWAlW9zbKN4En+2dpxiP8WaSbm0IY9Kxev9UpPASrSyw4pnxa7
+ZuA+Se6vCxTTw2anU0zvFFM/+0Jo3uJSqo8Rt/tb2lclRNWJxYVAm0S3PWfpVE+7
+MyvPVCMD8b6LcNDlkT0u8CKrQznNvXNOZXfZer+twk+cXCe9JT7pLVB39b/wjDgm
+AmoICBswVMPQqXTmwjhmhAMJPXF/juXID/X43ldsJkYLrXbY7d4XCiCOXyZ2gpSJ
+Ylybe7A6dQm26lG3AygE+b8lpfpfs4oiY21H5Y+h/IYyECy71bAmm1WX2qOaBOLv
+WYNh5lLjIieGp7Z+n4FI+JS0wRwX2qVTWeKSUAaO/W9MGaavS18ikQZigMVFmy83
+pfpOTsIj4NzLWLmSDPM6314dmpj4tjg/0kHqqotcmJ/MWDSyMq1FeSgrXiv7il/8
+9zrX4duKgyrsa80oDnDTvEwPdKz5k6I4Bb4JoCzIFx674wwaSw095x/0kH+denVd
+/F4U3hRA5NQsNwA/ktJklCucU61ey63ZanxA9C7ZXfSYt0oVea94DwhR2Ch2qr9u
+oZPTaVKc0oQEHfTgzPBASrP1bKM7lAbMEwrG84ozwh8lELGdo/uhEOLsdlz6nJni
+waFcGPxto6ESTO3pObVWmcn9b+vjIPt8dS/pNMm87MhR9plluQINBGEKg+YBEAC4
+FR2rO6v3UWXRIedkHMQZC0SSgBYocMEhRgySY6shk9KVycqJUoKFp5+A5OYVrn0V
+Tz+YziU7qXi3bcrD/+NGrX8DeEEW4GtXKWlxAylwdz85Y1y1I3Jiq99D50tf945b
+UxG3usQzD69PFwNqQtAx64NnShXpqLmjkHINMMTz3TMkVkwqI3rzvyqbGGrGzL6M
+//PklxQRCeFwKGIb0XPp3+lw9lOzdvlZlf/M+2dpQZx4gg7Ub3UzTfxrArh/bmaY
+Vm6BLEevYFwLz14WHR1fadmOaRL3v6swgF+S+zoMGx43DFHKb+k61U+Ukye2ENlK
+QfLD8U8CFIsQEkVK0tHPOL5NNntsbHfao5iHVi7Yblmm93hw/A4HFErctqH4BFdr
+iNw62ec7htwVHVdMR4vKS+nykeQt8Ilhu7dcy8oSbSSiUIYs5ado8nQZfbSh0F3y
+CiAVpa4jAwaRglpGyF0kdfaaPKxYjox1GN/+uDV/8sr2llTlWzqeuKVyXwxBcGKR
+9Eg3jPZ38wYq2bJ3IUuP+IDhIpJixBxnhWfiugp6HyTxO2S/yuNuHcKT/3ap+JmS
+RXs9mMe2dcIj2nPVSkH87lwnD42+2v/ohbXVqLqbGw4W+JjyfJDbnXscDFAKm6hJ
+6255GLGhyz7tkFxqrC5LX/MTaVHLsZDJfPSGYhtOFwARAQABiQRyBBgBCgAmFiEE
+8xir3pN2P470puUNTYoOZQumeNwFAmEKg+YCGwIFCSWYBgACQAkQTYoOZQumeNzB
+dCAEGQEKAB0WIQRH9Bhiw7/7i4+/g/+3H1dmc+fXrwUCYQqD5gAKCRC3H1dmc+fX
+r8LVD/9s/LDWkT/w0qe/J7dArnYCRMwx0Mhm4tflBsQuxXopuf5L6oDsxewGPx6J
+BUVKozDpC/5LmhbvXLUiuCkXDG9ZAOP8Vl8lWleSPCUVUimCx83QTYHv1tFNTGwI
+xZkAnPiKz9DLHoNI85wGj3CH7zjsUUR/Gm9CN19q7XYcOzGBG5b7hatmS4f+hU9W
+k93oFReoiSCa2PuFP3TqNdEdAZXm5xDb5H9r/PpQHuQnowQnauH86hMjRz/bGBWx
+CyiCMfNyK2m00043LemRB+VOuNwd086TQvyIrguW7nQFtjx+NlUCXkccZREEq4l/
+ZkGQ/XUwPUTNW3QKc13t7RuHHNcpVMxwYeOBiRYvHJ0ISgyZNORfMSj5wMPi1Xl0
+3Wvgi0pIEmpf9nxkCeZB4ac9ttP3GdyveuF/d19gnkWW4qvlQT8ivBX9FfkOEp8l
+A7NuGJYpr9UhLUDS5QNd8ymnO68r1q/snUkF3GlK5qG64RoQb1PDcFHbqcsjKlXu
+nde5gp7QNXW/dPW3S+wOh1roOdeWKeY2RPliuNlX1Js7F52c6H4shWRZxUv944/V
+if2EGyh0eWZJsjhKMAMPoiT3Cle7PL9suOKkIMpix7fPoyubXLMNZBoXBGNEe8Mx
+nGmEYMgOXhmeQ4l18Hn7FaolK7sm8h357CQ4jfxS3k/qnLnnK2tiD/4sLjQ3ylyK
+5uqXrQGjwFXQDWT/OpjywzgH5wJdd4UCFYN5B8ns2H0xS9tWM7vUHYfPVRhQjJfl
+NwjD/T1486R4rBH7mUaLRz8p1lubc7pBRhBa1Y6Ot2CIsXuPh7wEXMdAJv+FxQmB
+UGxh6tdRWos/x/WAJmABYNFYY0rIon5frIz+U9y++lzgTcYqUSq10jluCyS/2E/T
+VfQcmbJkgzodzYLF91tMUKySkroDuIkVBflqT2/AtUy7yX77Z/zsU6OOGSsDYmVm
+zt41S38TiPI8CSGdSwkd1DUzGs2oFjxHVLc3DUCkfpe0JIlzppzuf5L/F6Xs95Ez
+OJ59zyAf48KGDGNHzo9p5fh475xcNpyCnmyddkR+Y1m1qVVUC2QUd/yYt06D3IOH
+Y4UjpFm4EG5ePpUpScn8/TZeBZY6EzTdGsH7r7I9a/mkxPeKrvZ+h6kUk/5XIMFi
+/60PHLoq8pDyNHBuw5jrT2gahEnKtbE4MkGeRGeaB6KOBby2Xbbn3oIshABytasN
+UX4zxIM7AXvzMwwnuYLdi0R/3R0qQpA6PwgmTS4ovrccyIMB6Wvf+7wvvz5UoYtr
+7ZY2afNfDLmwX9ZiLKd91WHhYwM36IwKT3usjgVZGQWljCGqBIyNsgXfMBzjA5rs
+RITCKPu0sWoCoZ1ByJAMbtwFOXznD1Fu3w==
+=Jqi8
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/overlays/turnkey.d/autologin/usr/share/initramfs-tools/scripts/live-bottom/25autologin b/overlays/turnkey.d/autologin/usr/share/initramfs-tools/scripts/live-bottom/25autologin
deleted file mode 100755
index 377a05c7..00000000
--- a/overlays/turnkey.d/autologin/usr/share/initramfs-tools/scripts/live-bottom/25autologin
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/sh
-
-PREREQ=""
-DESCRIPTION="Configuring autologin..."
-
-# don't configure autologin if noautologin is passed as a boot param
-for x in $(cat /proc/cmdline); do
-    if [ $x = "noautologin" ]; then
-        exit 0
-    fi
-done
-
-. /scripts/functions
-
-prereqs()
-{
-    echo "$PREREQ"
-}
-
-case $1 in
-# get pre-requisites
-prereqs)
-    prereqs
-    exit 0
-    ;;
-esac
-
-log_begin_msg "$DESCRIPTION"
-
-# Arrange for shells on virtual consoles, rather than login prompts
-
-# debian/lenny
-if [ -f /root/etc/inittab ]; then
-    sed -i -e "s|^\([^:]*:[^:]*:[^:]*\):.*getty.*\<\(tty[0-9]*\).*$|\1:/bin/login -f root </dev/\2 >/dev/\2 2>\&1|" /root/etc/inittab
-fi
-
-# ubuntu/lucid
-if [ "/root/etc/init/tty*" != "$(echo /root/etc/init/tty*)" ]; then
-    for f in /root/etc/init/tty*; do
-        sed -i -e "s|^exec.*|exec /bin/login -f root </dev/$(basename $f .conf) > /dev/$(basename $f .conf) 2>\&1|" $f
-    done
-fi
-
-# Since we use autologin, lastlog doesn't make sense on the console.
-sed -i '/^[^#].*pam_lastlog\.so/s/^/# /' /root/etc/pam.d/login
-
-log_end_msg
-exit 0
diff --git a/overlays/turnkey.d/rcS-sulogin/usr/share/initramfs-tools/scripts/live-bottom/25singleuser_shell b/overlays/turnkey.d/rcS-sulogin/usr/share/initramfs-tools/scripts/live-bottom/25singleuser_shell
deleted file mode 100755
index 92f1253d..00000000
--- a/overlays/turnkey.d/rcS-sulogin/usr/share/initramfs-tools/scripts/live-bottom/25singleuser_shell
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-PREREQ=""
-DESCRIPTION="Configuring single user shell respawning..."
-
-. /scripts/functions
-
-prereqs()
-{
-    echo "$PREREQ"
-}
-
-case $1 in
-# get pre-requisites
-prereqs)
-    prereqs
-    exit 0
-    ;;
-esac
-
-log_begin_msg "$DESCRIPTION"
-
-# ubuntu/lucid
-CONF=/root/etc/init/rcS.conf
-[ -e $CONF ] || exit 0
-
-cat > $CONF <<EOF
-start on runlevel S
-stop on runlevel
-
-console owner
-script
-    while true; do
-        echo "Running a shell"
-        /bin/bash
-    done
-end script
-EOF
-
-log_end_msg
-exit 0
-
diff --git a/overlays/turnkey.d/ssh-emptypw/usr/share/initramfs-tools/scripts/live-bottom/25ssh_emptypw b/overlays/turnkey.d/ssh-emptypw/usr/share/initramfs-tools/scripts/live-bottom/25ssh_emptypw
deleted file mode 100755
index f8e08e6f..00000000
--- a/overlays/turnkey.d/ssh-emptypw/usr/share/initramfs-tools/scripts/live-bottom/25ssh_emptypw
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-
-PREREQ=""
-DESCRIPTION="Configuring sshd to permit empty passwords..."
-
-. /scripts/functions
-
-prereqs()
-{
-    echo "$PREREQ"
-}
-
-case $1 in
-# get pre-requisites
-prereqs)
-    prereqs
-    exit 0
-    ;;
-esac
-
-log_begin_msg "$DESCRIPTION"
-
-# Configure sshd to permit empty passwords
-CONF=/root/etc/ssh/sshd_config
-[ -e $CONF ] && sed -i 's/^PermitEmptyPasswords no/PermitEmptyPasswords yes/' $CONF
-
-log_end_msg
-exit 0
diff --git a/overlays/turnkey.d/sslcert/etc/ssl/private/cert.pem b/overlays/turnkey.d/sslcert/etc/ssl/private/cert.pem
index cd1f2e23..90144952 100644
--- a/overlays/turnkey.d/sslcert/etc/ssl/private/cert.pem
+++ b/overlays/turnkey.d/sslcert/etc/ssl/private/cert.pem
@@ -48,10 +48,15 @@ yAvIUEK4a3ZvSPODfGRMou3bLoBEje70jF1AJoNTnSSDd/GpCJdixCzAETLlkma7
 Ls7uQcShQuBuaj0oiRs/vw==
 -----END PRIVATE KEY-----
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA3Yo7kqH2QN4efsaG8m8sQjEZmI2P/HWiiZVEsyMSIFHHPJ1l7vKV
-MDD0h7zc99ExV4AktKvp3UzU0D7So7q/dBtgFcYBwRnzPozjaP7EWfn42/CMOetO
-T/GRRLU590OVV0qoBQxtV8P6PJgAaLTMpzzYUrC2A15pZK2RQvbprcodMAgLEBUN
-Uyf5ettUKvFQ9EeUtOKckrVwbASP2Bf91k1q2CBXmzk51yMxUjQXQulqqSCIoNZ+
-tPVOBoB6A5Fw3iZC0CF3Mw7GaQAb9R3lickopQz14qw3HQf/DMuCLyTcQA5YdrT+
-PE/sgJGKCbmfr53/PvCwFBweHrKJhtMUEwIBAg==
+MIICDAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQICAgFF
 -----END DH PARAMETERS-----
diff --git a/overlays/turnkey.d/sslcert/etc/ssl/private/dhparams.pem b/overlays/turnkey.d/sslcert/etc/ssl/private/dhparams.pem
index 0f300a7c..2ce9ed85 100644
--- a/overlays/turnkey.d/sslcert/etc/ssl/private/dhparams.pem
+++ b/overlays/turnkey.d/sslcert/etc/ssl/private/dhparams.pem
@@ -1,8 +1,13 @@
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA3Yo7kqH2QN4efsaG8m8sQjEZmI2P/HWiiZVEsyMSIFHHPJ1l7vKV
-MDD0h7zc99ExV4AktKvp3UzU0D7So7q/dBtgFcYBwRnzPozjaP7EWfn42/CMOetO
-T/GRRLU590OVV0qoBQxtV8P6PJgAaLTMpzzYUrC2A15pZK2RQvbprcodMAgLEBUN
-Uyf5ettUKvFQ9EeUtOKckrVwbASP2Bf91k1q2CBXmzk51yMxUjQXQulqqSCIoNZ+
-tPVOBoB6A5Fw3iZC0CF3Mw7GaQAb9R3lickopQz14qw3HQf/DMuCLyTcQA5YdrT+
-PE/sgJGKCbmfr53/PvCwFBweHrKJhtMUEwIBAg==
+MIICDAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQICAgFF
 -----END DH PARAMETERS-----
diff --git a/overlays/turnkey.d/sslcert/usr/local/bin/turnkey-make-ssl-cert b/overlays/turnkey.d/sslcert/usr/local/bin/turnkey-make-ssl-cert
index 079bf571..eced9abf 100755
--- a/overlays/turnkey.d/sslcert/usr/local/bin/turnkey-make-ssl-cert
+++ b/overlays/turnkey.d/sslcert/usr/local/bin/turnkey-make-ssl-cert
@@ -65,7 +65,7 @@ WILD=false
 OVERWRITE=false
 EXPIRY=10y
 # Unless set via env var; set default Diffie-Hellman bit size as 1024
-DH_BITS=${DH_BITS:-1024}
+DH_BITS=${DH_BITS:-2048}
 DH_BITS_REC=2048 # minimum recommended DH bit size
 GEN_DH=false
 DH_ONLY=false
@@ -146,9 +146,11 @@ $(usage)
       -b, --dh-bits DH_BITS   Generate a Diffie-Hellman parameters file; bit
                                 size: DH_BITS (can also be set via env var)
                                 /etc/ssl/private/dhparams.pem
+                                valid options: 1024 | 2048 | 4096
                                 default: $DH_BITS
                                 recommended: $DH_BITS_REC
-                                Note that 4096 is best but may take hours
+                                Note that as of v1.4 an audited dh_params is
+                                provided (as per RFC7919)
       -p, --dh-params-only    Generate a Diffie-Hellman parameters file only
                                 (Also rebuilds default cert.pem file)
       -r, --csr               Generate a certificate signing request
@@ -257,6 +259,16 @@ done
 if [[ $DH_ONLY == true ]]; then
     warning "--dh-params-only switch used, no cert or key files will be generated."
 fi
+if [[ $DH_BITS -ne 1024 ]] && [[ $DH_BITS -ne 2048 ]] \
+                                    && [[ $DH_BITS -ne 4096 ]]; then
+    error_exit "DH_BITS must be one of 1024, 2048 or 4096."
+elif [[ $DH_BITS -eq 1024 ]]; then
+    msg="DH_BITS of 1024 is not recommended and may leave https connections"
+    msg="$msg with your webserver vulnerable to attack. Unless you need to"
+    msg="$msg support really old clients (e.g. Windows XP, Internet Explorer"
+    msg="$msg <11, etc) use 2048 or 4096 bits."
+    warning "$msg"
+fi
 
 expiry_days $EXPIRY
 
@@ -325,23 +337,14 @@ fi
 
 # gen dhparams.
 if [[ "$GEN_DH" == "true" ]]; then
-    if [[ $DH_BITS -le 1050 ]]; then
-        _time="a while"
-    elif [[ $DH_BITS -le 3000 ]]; then
-        _time="a long time"
-    else
-        _time="hours, possibly days"
-    fi
-    info "Generating Diffie-Hellman parameters file - this may take $_time..."
-    if ! openssl dhparam -out $DHP $DH_BITS > $TMPOUT 2>&1; then
+    msg="Generating Diffie-Hellman parameters file - using predifined"
+    msg="$msg parameters as per RFC7919."
+    info "$msg"
+    if ! openssl genpkey -genparam -algorithm DH \
+                -pkeyopt dh_param:ffdhe$DH_BITS -out $DHP \
+                -outform PEM > $TMPOUT 2>&1; then
         msg="Diffie-Hellman parameter generation failed.  OpenSSL output: "
         error_exit "$msg" $TMPOUT
-    elif [[ $DH_BITS -lt 2048 ]]; then
-        msg="Diffie-Hellman parameter bit size is $DH_BITS. Recommended
-             minimum is $DH_BITS_REC; 4096 is best, but may take hours to
-             generate."
-        warning $msg
-        info "Recommended to rerun with '--dh-bits $DH_BITS_REC' (or larger)."
     fi
 fi
 
diff --git a/overlays/turnkey.d/systemd-chroot/usr/local/bin/systemctl b/overlays/turnkey.d/systemd-chroot/usr/local/bin/systemctl
index a4129821..fc491233 100755
--- a/overlays/turnkey.d/systemd-chroot/usr/local/bin/systemctl
+++ b/overlays/turnkey.d/systemd-chroot/usr/local/bin/systemctl
@@ -55,8 +55,7 @@ while [[ "$#" -gt 0 ]]; do
             fi;;
         status)
             fatal "Status currently not supported in a chroot.";;
-        --quiet)
-            warning "--quiet is only honored with commands is-active|is-failed."
+        -q|--quiet)
             QUIET=true
             shift;;
         --*)
@@ -82,6 +81,12 @@ if [[ -n "$COMMAND" ]]; then
         SERVICE_NAME=ghost
     fi
 
+    if [[ "$QUIET" == 'true' ]] \
+        && [[ "$COMMAND" != "is-failed" ]] \
+        && [[ "$COMMAND" != "is-active" ]]; then
+            warning "--quiet is only honored with commands is-active|is-failed."
+    fi
+
     if [[ "$COMMAND" != "daemon-reload" ]] && [[ -z "$SERVICE_NAME" ]]; then
         fatal "Service name required with $COMMAND"
     fi
@@ -108,13 +113,13 @@ if [[ -n "$COMMAND" ]]; then
 
         is-failed|is-active)
             running=$(_is_running $SERVICE_NAME)
-            if $running; then
-                [[ -n "$QUIET" ]] || echo "active"
-                [[ "$COMMAND" != "is-failed" ]] || exit 0
+            if [[ "$running" == 'true' ]]; then
+                [[ -n "$QUIET" ]] || echo "active/running"
+                [[ "$COMMAND" == "is-active" ]] || exit 0
                 exit 1
             else
-                [[ -n "$QUIET" ]] || echo "inactive"
-                [[ "$COMMAND" != "is-failed" ]] || exit 1
+                [[ -n "$QUIET" ]] || echo "inactive/failed"
+                [[ "$COMMAND" == "is-failed" ]] || exit 1
                 exit 0
             fi;;
     esac
diff --git a/overlays/turnkey.d/vim-tiny-config/etc/vim/vimrc.local b/overlays/turnkey.d/vim-tiny-config/etc/vim/vimrc.local
index 5c62f1b1..5f4643cd 100644
--- a/overlays/turnkey.d/vim-tiny-config/etc/vim/vimrc.local
+++ b/overlays/turnkey.d/vim-tiny-config/etc/vim/vimrc.local
@@ -1,4 +1,4 @@
-source /usr/share/vim/vim81/defaults.vim
+source /usr/share/vim/vim82/defaults.vim
 
 set tabstop=4 shiftwidth=4 expandtab softtabstop=0
 set mouse=
diff --git a/plans/turnkey/base b/plans/turnkey/base
index ec3701d4..4b23ce71 100644
--- a/plans/turnkey/base
+++ b/plans/turnkey/base
@@ -23,7 +23,6 @@ resolvconf              /* confconsole recommends */
 jitterentropy-rngd
 
 tklbam                  /* still depends on py2 for now */
-gnupg                   /* tklbam depends - new for Stretch */
 
 hubdns
 inithooks
@@ -65,6 +64,7 @@ webmin-lvm
 webmin-tklbam
 webmin-updown
 webmin-filemin
+fdisk                   /* webmin-fdisk recommends */
 unzip                   /* webmin-updown recommends */
 libfile-mimeinfo-perl   /* webmin-filemin requires to extract archives */