diff --git a/Makefile b/Makefile
index 3ec48d4..5d4fa0d 100644
--- a/Makefile
+++ b/Makefile
@@ -71,17 +71,20 @@ build_overlay::
 #	@virsh list | grep "${INST_BOX_NAME}.*running" && exit 1
 	@virsh list --all | grep ${INST_BOX_NAME} && \
 		virsh undefine ${INST_BOX_NAME} && \
-		rm -f /a/tmp/GentooImgr/create-vm/xml/gentoo1.xml \
+		rm -f \
 		 ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml \
 		 ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; true
+# /a/tmp/GentooImgr/create-vm/xml/gentoo1.xml 
 #	! virsh list --all | grep "${INST_BOX_NAME}" && exit 2
 	[ ! -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] || { \
-		echo WARN ; echo rm -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; \
+		echo WARN delete this file to continue; \
+		echo rm -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; \
 		exit 3 ; }
 	[ ! -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ] || { \
-		echo WARN ; echo rm -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ; \
+		echo WARN delete this file to continue ; \
+		echo rm -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ; \
 		exit 4 ; }
-	PLAY_ANSIBLE_SRC=${PWD} bash /usr/local/bin/toxcore_build_overlay_qcow.bash
+	PLAY_ANSIBLE_SRC=${PWD} bash bin/toxcore_build_overlay_qcow.bash
 	[ -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ]
 	xmllint -noout ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml
 
diff --git a/etc/hosts.yml b/etc/hosts.yml
new file mode 100644
index 0000000..5b7a23d
--- /dev/null
+++ b/etc/hosts.yml
@@ -0,0 +1,446 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8 -*-
+# use double quotes exclusively around  strings and
+# use single quotes exclusively with lists - for bash post-processing
+
+all:
+
+  children:
+
+    vbox_winrm_group:
+
+      hosts:
+
+        y_UEFI_MediCat_VHD_DW:
+          # /var/lib/libvirt/qemu/channel/target/domain-37-y_UEFI_MediCat_VHD_D/org.qemu.guest_agent.0
+          # doesnt work: ansible_connection: "libvirt_qemu"
+
+          BOX_SERVICE_MGR: "win11"
+          BOX_HOST_NAME: "y_UEFI_MediCat_VHD_DW"
+
+          UPD_WINRM_CRT_PASSWORD: ""
+          UPD_WINRM_CRT_NAME: "WINRM_WIN11VBOX cert for "
+          UPD_WINRM_FILE_BASE: "winrm-win11vbox"
+          UPD_WINRM_KEY_BITS: 4096
+
+          UPD_WINRM_HOST_NAME: "y_UEFI_MediCat_VHD_D"
+          UPD_WINRM_HOST_DEV: "vboxnet0"
+          UPD_WINRM_ADMIN_NAME: "administrator"
+          UPD_WINRM_ADMIN_PASS: "<get from vault>"
+
+          # NOT  remote_addr:
+          ansible_winrm_host: "192.168.56.1"
+          # remote_user
+          ansible_winrm_user: "administrator"
+          BOX_DEFAULT_OUTPUT_IF: fixme
+
+          UPD_WINRM_WINRM_ADMIN_NAME: "winrmadmin"
+          UPD_WINRM_WINRM_ADMIN_PASS: "winrmadmin"
+
+          # List of winrm transports to attempt to to use (ssl, plaintext, kerberos, etc)
+          # python2 -c 'import winrm;print winrm.FEATURE_SUPPORTED_AUTHTYPES'
+          # ['basic', 'certificate', 'ntlm', 'kerberos', 'plaintext', 'ssl', 'credssp']
+          # FixMe: which one works?
+          UPD_WINRM_WINRM_TRANSPORT: "basic"
+          # Lati sda Disk identifier: 0A00A495-684B-425E-823F-60257EBD6D3B
+
+      vars:
+        #maybe ansible_connection: "winrm"
+        BOX_ANSIBLE_CONNECTIONS: ["libvirt_qemu"]
+        ansible_winrm_port: 5985
+        ansible_winrm_scheme: http
+        ansible_winrm_transport: ['basic', 'plaintext', 'certificate',  'ssl']
+        # NOT remote_user
+        # ansible_user
+        ansible_winrm_user: "Administrator"
+        #? ansible_password: ""
+        ansible_winrm_server_cert_validation: ignore
+        validate_certs: false
+        # NO proxy from environment - or ensure no_proxy
+        no_proxy:    "localhost,127.0.0.1,192.168.56.1"
+
+    linux_unix_group:
+
+      children:
+
+        linux_local_group:
+
+          hosts:
+
+            pentoo:
+              ansible_remote_addr: "/mnt/linuxPen19"
+              BOX_HOST_NAME: "pentoo"
+              BOX_SERVICE_MGR: "openrc"
+              BOX_USER_NAME: "vagrant"
+              BOX_USER_GROUP: "users"
+              BOX_USER_HOME: "/home/vagrant"
+              BOX_OS_FAMILY: Gentoo
+              BOX_OS_NAME: gentoo
+              BOX_OS_FLAVOR: "Pentoo"
+              BOX_USR_LIB: lib
+              BOX_DEFAULT_OUTPUT_IF: wlan4
+              BOX_PROXY_MODE: selektor
+              BOX_WHONIX_PROXY_HOST: ""
+              BOX_GENTOO_DISTFILES_ARCHIVES: "/i/net/Http/distfiles.gentoo.org/distfiles"
+              BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
+              # /usr/lib/jvm/openjdk-bin-*/conf/net.properties
+              BOX_ALSO_USERS:
+                - pentoo
+              BOX_PORTAGE_PYTHON_MINOR: "3.11"
+              BOX_PYTHON2_MINOR: "2.7"
+              BOX_PYTHON3_MINOR: "3.11"
+              BOX_GENTOO_FROM_MP: "/"
+
+            devuan:
+              ansible_remote_addr: "/mnt/linuxDev4" #ignored for local
+              BOX_HOST_NAME: "devuan"
+              BOX_SERVICE_MGR: "sysvinit"
+              BOX_USER_NAME: "devuan"
+              BOX_USER_GROUP: "adm"
+              BOX_USER_HOME: "/home/devuan"
+              BOX_OS_FAMILY: Debian
+              BOX_OS_NAME: Devuan
+              BOX_OS_FLAVOR: "Devuan"
+              BOX_USR_LIB: lib
+              BOX_DEFAULT_OUTPUT_IF: wlan6
+              BOX_DEVUAN5_VAR_APT_ARCHIVES: "/mnt/o/Cache/Devuan/5/var/cache/apt/archives"
+              BOX_ALSO_USERS: []
+              BOX_PORTAGE_PYTHON_MINOR: "3.11"
+              BOX_PYTHON2_MINOR: "2.7"
+              BOX_PYTHON3_MINOR: "3.11"
+
+              BOX_JAVA_NET_PROPERTIES: /etc/java-11-openjdk/net.properties
+
+              BOX_WHONIX_PROXY_HOST: ""
+              BOX_PROXY_MODE: tor
+              BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
+
+          vars:
+            BOX_ANSIBLE_CONNECTIONS: ["local"]
+            BOX_REMOTE_MOUNTS: ['/mnt/h', '/mnt/j','/mnt/i', '/mnt/o',  '/mnt/mnt/linuxPen19']
+            BOX_BASE_FEATURES: ['insecure_sudo']
+            BOX_PROXY_FEATURES: ['run_dnsmasq', 'run_privoxy']
+            BOX_TOXCORE_FEATURES: []
+
+        # libvirt_group could also be ssh_group
+        linux_libvirt_group:
+
+          hosts:
+
+            gentoo1:
+
+              ansible_remote_addr: "gentoo1"
+              ansible_host: "gentoo1"
+              ansible_ssh_user: "gentoo"
+              BOX_SERVICE_MGR: "openrc"
+              BOX_HOST_NAME: "gentoo1"
+              BOX_USER_NAME: "gentoo"
+              BOX_USER_GROUP: "adm"
+              BOX_ALSO_GROUP: "adm"
+              BOX_USER_HOME: "/home/gentoo"
+              BOX_OS_NAME: Gentoo
+              BOX_OS_FAMILY: Gentoo
+              BOX_OS_FLAVOR: "Gentoo"
+              BOX_USR_LIB: lib64
+              BOX_DEFAULT_OUTPUT_IF: eth0
+              BOX_PYTHON2_MINOR: ""
+              BOX_PYTHON3_MINOR: "3.11"
+              BASE_PORTAGE_PYTHON_MINOR: 3.11
+              BOX_HOST_CONTAINER_MOUNTS: []
+              BOX_GENTOO_DISTFILES_ARCHIVES: "/mnt/linuxPen19/usr/portage/distfiles"
+              BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
+              BOX_ALSO_USERS:
+                - gentoo
+              BOX_BASE_FEATURES: []
+              BOX_TOXCORE_FEATURES: ['libvirt', 'docker']
+              BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
+
+            ubuntu18.04:
+              # /mnt
+              ansible_remote_addr: "ubuntu18.04"
+              # this is what the libvirt-qemu connector uses
+              ansible_host: "ubuntu18.04"
+              ansible_ssh_user: "vagrant"
+              BOX_SERVICE_MGR: systemd
+              BOX_HOST_NAME: "Ubuntu18.04"
+              BOX_USER_NAME: "vagrant"
+              BOX_USER_GROUP: "users"
+              BOX_USER_HOME: "/home/vagrant"
+              BOX_OS_FAMILY: Debian
+              BOX_OS_NAME: Ubuntu
+              BOX_OS_FLAVOR: "Ubuntu18"
+              BOX_USR_LIB: lib
+              BOX_DEFAULT_OUTPUT_IF: eth0
+              BOX_UBUNTU16_VAR_APT_ARCHIVES: "/o/Cache/Apt/Ubuntu/18/var/cache/apt/archives"
+              ansible_python_interpreter: "/usr/bin/python3.6"
+              BOX_PYTHON2_MINOR: ""
+              BOX_PYTHON3_MINOR: "3.6"
+              BOX_REMOTE_MOUNTS: ['/mnt/o']
+    #            BOX_WHONIX_PROXY_HOST: "Whonix-Gateway"
+    #            BOX_PROXY_MODE: ws
+              # FixMe
+              base_system_users: ['vagrant']
+              BOX_TOXCORE_FEATURES: ['libvirt', 'docker']
+
+          vars:
+            BOX_ANSIBLE_CONNECTIONS: ["ssh", "libvirt_qemu"]
+            # proxy from environment
+    #        ansible_ssh_extra_args: "-o StrictHostKeyChecking=no"
+    #        ansible_ssh_host: "127.0.0.1"
+            BOX_ROOT_GROUP: root
+            BOX_PROXY_MODE: client
+            http_proxy: "http://127.0.0.1:3128"
+            https_proxy: "http://127.0.0.1:9128"
+            socks_proxy: "socks5://127.0.0.1:9050"
+            no_proxy: "localhost,127.0.0.1,127.0.0.1"
+
+        linux_chroot_group :
+
+          hosts:
+
+            linuxGentoo:
+
+              ansible_remote_addr: "/mnt/gentoo"
+              # required
+              ansible_host: "/mnt/gentoo"
+              BOX_SERVICE_MGR: "openrc"
+              BOX_HOST_NAME: "gentoo"
+              BOX_USER_NAME: "gentoo"
+              BOX_USER_GROUP: "adm"
+              BOX_USER_HOME: "/home/gentoo"
+              BOX_OS_FAMILY: Gentoo
+              BOX_OS_NAME: gentoo
+              BOX_OS_FLAVOR: "Gentoo"
+              BOX_USR_LIB: lib64
+              BOX_DEFAULT_OUTPUT_IF: wlan6
+              BASE_PORTAGE_PYTHON_MINOR: 3.11
+              ansible_python_interpreter: "/usr/bin/python3.11"
+              BOX_GENTOO_DISTFILES_ARCHIVES: "/mnt/linuxPen19/usr/portage/distfiles"
+              BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
+              BOX_ALSO_USERS:
+                - gentoo
+              BOX_PROXY_MODE: "{{lookup('env', 'MODE'|default('tor'}}"
+              BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
+
+            linuxPen19:
+
+              ansible_remote_addr: "/mnt/linuxPen19"
+              # required
+              ansible_host: "/mnt/linuxPen19"
+              BOX_SERVICE_MGR: "openrc"
+              BOX_HOST_NAME: "linuxPen19"
+              BOX_USER_NAME: "vagrant"
+              BOX_USER_GROUP: "adm"
+              BOX_USER_HOME: "/home/vagrant"
+              BOX_OS_FAMILY: Gentoo
+              BOX_OS_NAME: gentoo
+              BOX_OS_FLAVOR: "Pentoo"
+              BOX_USR_LIB: lib64
+              BOX_DEFAULT_OUTPUT_IF: wlan6
+              BASE_PORTAGE_PYTHON_MINOR: 3.11
+              ansible_python_interpreter: "/usr/bin/python3.11"
+              BOX_GENTOO_DISTFILES_ARCHIVES: "/mnt/i/net/Http/distfiles.gentoo.org/distfiles"
+              BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
+              BOX_ALSO_USERS:
+                - gentoo
+              BOX_BASE_FEATURES: []
+              BOX_TOXCORE_FEATURES: ['nbd', 'libvirt', 'docker']
+              BOX_PROXY_MODE: "{{lookup('env', 'MODE'|default('tor'}}"
+
+          # linux_chroot_group  vars
+          vars:
+            BOX_ANSIBLE_CONNECTIONS: ["local", "chroot"]
+            # ignored? chroot_connection/exe in ansible.cfg?
+            ansible_chroot_exe: "/usr/local/sbin/base_chroot.bash"
+
+            #? ansible_ssh_common_args: "/usr/bin/env -i CHROOT=1"
+            #  -i "PATH"
+            #  -i "http_proxy https_proxy socks_proxy no_proxy"
+            #? -l
+            # for a non-root login: ansible_ssh_extra_args: "--userspec=foo:adm"
+      vars: # linux_unix_group
+        # toxcore
+        BOX_NBD_DEV: nbd1
+        BOX_NBD_MP: /mnt/gentoo
+        BOX_NBD_OVERLAY_NAME: "gentoo1"
+        BOX_NBD_FILES: "/i/data/Agile/tmp/Topics/GentooImgr"
+        BOX_NBD_PORTAGE_FILE: "{{AGI_NBD_FILES}}/portage-20231223.tar.xz"
+        BOX_NBD_STAGE3_FILE: "{{AGI_NBD_FILES}}/stage3-amd64-openrc-20231217T170203Z.tar.xz"
+        BOX_NBD_KERNEL_DIR: /usr/src/linux
+        BOX_NBD_BASE_PROFILE: openrc
+        BOX_NBD_BASE_DIR: "/a/tmp/GentooImgr"
+        BOX_NBD_BASE_QCOW: "{{BOX_NBD_BASE_DIR}}/gentoo.qcow2"
+        BOX_NBD_OVERLAY_QCOW: "/o/var/lib/libvirt/images/gentoo1.qcow2"
+        BOX_NBD_BASE_PUBKEY: "/root/.ssh/id_rsa-ansible.pub"
+
+        # libvirt overlay
+        BOX_NBD_OVERLAY_DIR: "/a/tmp/GentooImgr/create-vm"
+        BOX_NBD_LOGLEVEL: 10
+        BOX_NBD_OVERLAY_GB: "20"
+        BOX_NBD_OVERLAY_CPUS: 1
+        BOX_NBD_OVERLAY_RAM: 2048
+        BOX_NBD_OVERLAY_BR: virbr1
+        # unused?
+        BOX_NBD_OVERLAY_NETWORK: default
+        # plaintext
+        BOX_NBD_OVERLAY_PASS: "gentoo"
+        BOX_GENTOOIMGR_CONFIGFILE: "/g/Agile/tmp/Topics/GentooImgr/base.json"
+
+
+  vars:
+    # These come from the inventory overridden for connection = local,chroot in base_proxy.yml
+    http_proxy:  ""
+    https_proxy: ""
+    socks_proxy: ""
+    ftp_proxy:   ""
+    no_proxy:    "localhost,127.0.0.1"
+    SSL_CERT_FILE: "/usr/local/etc/ssl/cacert-testforge.pem"
+    RSYNC_PROXY: ""
+
+    BOX_OS_FAMILY: ""
+    BOX_OS_NAME: ""
+    BOX_OS_FLAVOR: ""
+    BOX_DEFAULT_OUTPUT_IF: ""
+    BOX_ALSO_GROUP: "adm"
+
+    # only common to local and vagrant because /mnt/j is remote mounted - need a linux_group
+    BOX_ROOT_PIP_CACHE: "/mnt/o/Cache/Pip"
+    BOX_BOXUSER_PIP_CACHE: "/mnt/o/Cache/Pip"
+
+    HOST_MOUNT_SYMLINKS: []
+    HOST_MOUNT_SYMLINK_CONTENTS: {}
+
+    LXD_TRUST_PASSWORD: sekret
+
+    BOX_HOST_CONTAINER_MOUNTS:
+      - /mnt/l
+      - /mnt/e
+      - /mnt/h
+      - /mnt/i
+      - /mnt/j
+      - /mnt/q
+      - /mnt/w
+      - /mnt/o
+
+    BOX_DOS_SCAN_DIRS:
+      - /mnt/h
+      - /mnt/i
+      - /mnt/j
+      - /mnt/e
+      - /mnt/q
+      - /mnt/w
+      - /mnt/c
+
+    # These will fluctuate with what's been started - it's safe to open them all
+    # FixMe: should these go on no_proxy systematically
+    PRIV_TOR_LOCAL_NETS:
+      - "192.168.56.0/24"
+
+    BOX_ALSO_USERS: []
+    BOX_PYTHON2_MINOR: ""
+    BOX_PYTHON3_MINOR: "3.11"
+    BOX_BASH_SHELL: /bin/bash
+    BOX_IPV6_DISABLE: 1
+    BOX_EMACS_VERSION: 27
+
+    BOX_ROOT_USER: root
+    BOX_ROOT_GROUP: root
+
+    BOX_BYPASS_PROXY_GROUP: tor
+    BOX_FIREWALL_ALLOW_TRANS: false
+    BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
+
+    BOX_BASE_FEATURES: []
+    BOX_LOGG_FEATURES: []
+    BOX_KEYS_FEATURES: ['tpm2'] # truecrypt
+    BOX_HARDEN_FEATURES: ['bubblewrap', 'sysctl', 'jabber'] # 'clamscan', firejail
+    # libvirt means  'qemu'
+    BOX_HOSTVMS_FEATURES: []
+
+    BOX_MISP_FEATURES: [] # 'kitchen'
+    BOX_W3AF_FEATURES: [] # 'kitchen'
+    BOX_MISP_GPG_PASS: gpg_pass_to_change_fast
+
+    BOX_timezone: UTC
+    BOX_hwclock_local: false
+    BOX_hwclock_systohc: true
+    BOX_hwclock_hctosys: false
+
+    BOX_PROXY_MODE: ""
+    BOX_DNS_PROXY: dnsmasq
+    BOX_TIME_DAEMON: ntpd
+    BOX_NTP_GROUP: ntp
+    BOX_NET_MANAGER: "networkmanager"
+    BOX_HTTP_PROXY: privoxy
+
+    # toxcore
+    BOX_NBD_DEV: ""
+    BOX_NBD_MP: ""
+    BOX_NBD_FILES: ""
+    BOX_NBD_LOGLEVEL: 20
+    BOX_NBD_PORTAGE_FILE: "{{AGI_NBD_FILES}}/portage-20231223.tar.xz"
+    BOX_NBD_STAGE3_FILE: "{{AGI_NBD_FILES}}/stage3-amd64-openrc-20231217T170203Z.tar.xz"
+    BOX_NBD_KERNEL_DIR: /usr/src/linux
+    BOX_NBD_BASE_PROFILE: openrc
+    BOX_NBD_BASE_DIR: ""
+    BOX_NBD_BASE_QCOW: ""
+    BOX_NBD_BASE_PUBKEY: ""
+
+    # libvirt overlay
+    BOX_NBD_OVERLAY_QCOW: ""
+    BOX_NBD_OVERLAY_DIR: ""
+    BOX_NBD_OVERLAY_BR: ""
+    BOX_NBD_OVERLAY_GB: "20"
+    BOX_NBD_OVERLAY_NAME: ""
+    BOX_NBD_OVERLAY_CPUS: 1
+    BOX_NBD_OVERLAY_RAM: 2048
+    # plaintext
+    BOX_NBD_OVERLAY_PASS: ""
+    BOX_GENTOOIMGR_CONFIGFILE: ""
+
+# Controls what compression method is used for new-style ansible modules when
+# they are sent to the remote system. The compression types depend on having
+# support compiled into both the controller's python and the client's python.
+# The names should match with the python Zipfile compression types:
+# * ZIP_STORED (no compression. available everywhere)
+# * ZIP_DEFLATED (uses zlib, the default)
+# These values may be set per host via the ansible_module_compression inventory variable.
+#
+    ansible_module_compression: "ZIP_STORED"
+    ansible_python_interpreter: "/usr/local/bin/python3.sh"
+
+    BOX_ANSIBLE_VERSION: "2.9.22"
+    #  Cannot communicate securely with peer: no common encryption algorithm(s).
+    #  git.kernel.org/ sslversion = tlsv1.3
+    BOX_TLS_VERSION: "1.3"
+    BOX_SSL_GIT_SSLVERSION: "1.3"
+
+    # unused so far - needed by src/ansible_gentooimgr/gentooimgr/
+    BOX_ARCHITECTURE: amd64
+    BOX_SUBTYPE: -hardened
+    # https://distfiles.gentoo.org/releases/amd64/autobuilds/latest-stage3-amd64-hardened-openrc.txt
+    GENTOO_BASE_STAGE_OPENRC_TXT_URL: "https://distfiles.gentoo.org/releases/{{BOX_ARCHITECTURE}}/autobuilds/latest-stage3-{{BOX_ARCHITECTURE}}{{BOX_SUBTYPE}}-openrc.txt"
+    # plus .gpgsig and .md5sum
+    GENTOO_BASE_PORTAGE_URL: "https://distfiles.gentoo.org/snapshots/portage-latest.tar.xz"
+    BOX_GENTOO_DISTFILES_ARCHIVES: "/i/net/Http/distfiles.gentoo.org/distfiles"
+    #? Gentoo specific?
+
+    # unused so far
+    # missing HOSTVMS_LXD_TRUST_PASSWORD base_passwords_database
+    # /mnt/o/data/TestForge/src/ansible/roles/hostvms/tasks/vms.yml
+    box_passwords_database: "{{ lookup('env', 'USER')}}/Passwords.kdbx"
+
+    BOX_WHONIX_PROXY_HOST: ""
+    BOX_PROXY_FEATURES: []
+    BOX_GPG_SERVER: "keys.gnupg.net"
+    BOX_USR_LIB: lib
+    # if you are on a Gentoo, then / else the mp of a Gentoo if you have one, else ''
+    BOX_GENTOO_FROM_MP: ''
+
+    # bc
+    MOUNT_GENTOO_DISTFILES_ARCHIVES: "{{BOX_GENTOO_DISTFILES_ARCHIVES}}"
+
+#        # These are inventory overridden for connection = chroot in base_proxy.yml
+#        http_proxy: "{{ lookup('env', 'http_proxy')|default('http://127.0.0.1:3128') }}"
+#        https_proxy: "{{ lookup('env', 'https_proxy')|default('http://10.0.2.15:9128') }}"
+#        socks_proxy: "{{ lookup('env', 'socks_proxy')|default('socks5://10.0.2.15:9050') }}"
+#        no_proxy: "{{ lookup('env', 'no_proxy')|default('10.0.2.15,127.0.0.1,localhost') }}"
diff --git a/etc/libvirt/qemu/gentoo_bridge.xml b/etc/libvirt/qemu/gentoo_bridge.xml
new file mode 100644
index 0000000..8395ddc
--- /dev/null
+++ b/etc/libvirt/qemu/gentoo_bridge.xml
@@ -0,0 +1,255 @@
+<domain type='kvm' id='20'>
+  <name>gentoo_bridge</name>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://gentoo.org/gentoo/rolling"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit='KiB'>2097152</memory>
+  <currentMemory unit='KiB'>2097152</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os>
+    <type arch='x86_64' machine='pc-q35-7.2'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <vmport state='off'/>
+  </features>
+  <cpu mode='host-passthrough' check='none' migratable='on'/>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source file='/root/vms/virsh/images/gentoo5.img' index='2'/>
+      <backingStore type='file' index='3'>
+        <format type='qcow2'/>
+        <source file='/g/Linux/net/Http/mirror.init7.net/gentoo/experimental/amd64/openstack/gentoo-openstack-amd64-hardened-latest.qcow2'/>
+        <backingStore/>
+      </backingStore>
+      <target dev='vda' bus='virtio'/>
+      <alias name='virtio-disk0'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='cdrom'>
+      <driver name='qemu' type='raw'/>
+      <source file='/root/vms/virsh/images/gentoo5-cidata.img' index='1'/>
+      <backingStore/>
+      <target dev='sda' bus='sata'/>
+      <readonly/>
+      <alias name='sata0-0-0'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+      <alias name='usb'/>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </controller>
+    <controller type='pci' index='0' model='pcie-root'>
+      <alias name='pcie.0'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x10'/>
+      <alias name='pci.1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x11'/>
+      <alias name='pci.2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0x12'/>
+      <alias name='pci.3'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0x13'/>
+      <alias name='pci.4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0x14'/>
+      <alias name='pci.5'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0x15'/>
+      <alias name='pci.6'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+    </controller>
+    <controller type='pci' index='7' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='7' port='0x16'/>
+      <alias name='pci.7'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
+    </controller>
+    <controller type='pci' index='8' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='8' port='0x17'/>
+      <alias name='pci.8'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
+    </controller>
+    <controller type='pci' index='9' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='9' port='0x18'/>
+      <alias name='pci.9'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='10' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='10' port='0x19'/>
+      <alias name='pci.10'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
+    </controller>
+    <controller type='pci' index='11' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='11' port='0x1a'/>
+      <alias name='pci.11'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
+    </controller>
+    <controller type='pci' index='12' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='12' port='0x1b'/>
+      <alias name='pci.12'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
+    </controller>
+    <controller type='pci' index='13' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='13' port='0x1c'/>
+      <alias name='pci.13'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
+    </controller>
+    <controller type='pci' index='14' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='14' port='0x1d'/>
+      <alias name='pci.14'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <alias name='ide'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='virtio-serial' index='0'>
+      <alias name='virtio-serial0'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </controller>
+    <controller type='pci' index='15' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='15' port='0x1e'/>
+      <alias name='pci.15'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x6'/>
+    </controller>
+    <controller type='pci' index='16' model='pcie-to-pci-bridge'>
+      <model name='pcie-pci-bridge'/>
+      <alias name='pci.16'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </controller>
+    <interface type='bridge'>
+      <mac address='52:54:00:e8:20:5a'/>
+      <source bridge='virbr0'/>
+      <target dev='vnet17'/>
+      <model type='virtio'/>
+      <alias name='net0'/>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <source path='/dev/pts/12'/>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+      <alias name='serial0'/>
+    </serial>
+    <console type='pty' tty='/dev/pts/12'>
+      <source path='/dev/pts/12'/>
+      <target type='serial' port='0'/>
+      <alias name='serial0'/>
+    </console>
+    <channel type='spicevmc'>
+      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
+      <alias name='channel0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <channel type='unix'>
+      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-20-gentoo5/org.qemu.guest_agent.0'/>
+      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
+      <alias name='channel1'/>
+      <address type='virtio-serial' controller='0' bus='0' port='2'/>
+    </channel>
+    <input type='tablet' bus='usb'>
+      <alias name='input0'/>
+      <address type='usb' bus='0' port='1'/>
+    </input>
+    <input type='mouse' bus='ps2'>
+      <alias name='input1'/>
+    </input>
+    <input type='keyboard' bus='ps2'>
+      <alias name='input2'/>
+    </input>
+    <graphics type='spice'>
+      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-20-gentoo5/spice.sock'/>
+      <image compression='off'/>
+    </graphics>
+    <sound model='ich9'>
+      <alias name='sound0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
+    </sound>
+    <audio id='1' type='spice'/>
+    <video>
+      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
+      <alias name='video0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+    </video>
+    <redirdev bus='usb' type='spicevmc'>
+      <alias name='redir0'/>
+      <address type='usb' bus='0' port='2'/>
+    </redirdev>
+    <redirdev bus='usb' type='spicevmc'>
+      <alias name='redir1'/>
+      <address type='usb' bus='0' port='3'/>
+    </redirdev>
+    <watchdog model='i6300esb' action='reset'>
+      <alias name='watchdog0'/>
+      <address type='pci' domain='0x0000' bus='0x10' slot='0x01' function='0x0'/>
+    </watchdog>
+    <memballoon model='virtio'>
+      <alias name='balloon0'/>
+      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
+    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <alias name='rng0'/>
+      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
+    </rng>
+  </devices>
+  <seclabel type='dynamic' model='apparmor' relabel='yes'>
+    <label>libvirt-c7a5d87b-348e-412c-9e81-afce3232ff65</label>
+    <imagelabel>libvirt-c7a5d87b-348e-412c-9e81-afce3232ff65</imagelabel>
+  </seclabel>
+  <seclabel type='dynamic' model='dac' relabel='yes'>
+    <label>+0:+0</label>
+    <imagelabel>+0:+0</imagelabel>
+  </seclabel>
+</domain>
+
diff --git a/etc/libvirt/qemu/gentoo_network.xml b/etc/libvirt/qemu/gentoo_network.xml
new file mode 100644
index 0000000..4437ef7
--- /dev/null
+++ b/etc/libvirt/qemu/gentoo_network.xml
@@ -0,0 +1,255 @@
+<domain type='kvm' id='33'>
+  <name>gentoo_network</name>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://gentoo.org/gentoo/rolling"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit='KiB'>2097152</memory>
+  <currentMemory unit='KiB'>2097152</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os>
+    <type arch='x86_64' machine='pc-q35-7.2'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <vmport state='off'/>
+  </features>
+  <cpu mode='host-passthrough' check='none' migratable='on'/>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source file='/root/vms/virsh/images/gentoo6.img' index='2'/>
+      <backingStore type='file' index='3'>
+        <format type='qcow2'/>
+        <source file='/g/Linux/net/Http/mirror.init7.net/gentoo/experimental/amd64/openstack/gentoo-openstack-amd64-hardened-latest.qcow2'/>
+        <backingStore/>
+      </backingStore>
+      <target dev='vda' bus='virtio'/>
+      <alias name='virtio-disk0'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='cdrom'>
+      <driver name='qemu' type='raw'/>
+      <source file='/root/vms/virsh/images/gentoo6-cidata.img' index='1'/>
+      <backingStore/>
+      <target dev='sda' bus='sata'/>
+      <readonly/>
+      <alias name='sata0-0-0'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+      <alias name='usb'/>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </controller>
+    <controller type='pci' index='0' model='pcie-root'>
+      <alias name='pcie.0'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x10'/>
+      <alias name='pci.1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x11'/>
+      <alias name='pci.2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0x12'/>
+      <alias name='pci.3'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0x13'/>
+      <alias name='pci.4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0x14'/>
+      <alias name='pci.5'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0x15'/>
+      <alias name='pci.6'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+    </controller>
+    <controller type='pci' index='7' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='7' port='0x16'/>
+      <alias name='pci.7'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
+    </controller>
+    <controller type='pci' index='8' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='8' port='0x17'/>
+      <alias name='pci.8'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
+    </controller>
+    <controller type='pci' index='9' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='9' port='0x18'/>
+      <alias name='pci.9'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='10' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='10' port='0x19'/>
+      <alias name='pci.10'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
+    </controller>
+    <controller type='pci' index='11' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='11' port='0x1a'/>
+      <alias name='pci.11'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
+    </controller>
+    <controller type='pci' index='12' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='12' port='0x1b'/>
+      <alias name='pci.12'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
+    </controller>
+    <controller type='pci' index='13' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='13' port='0x1c'/>
+      <alias name='pci.13'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
+    </controller>
+    <controller type='pci' index='14' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='14' port='0x1d'/>
+      <alias name='pci.14'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <alias name='ide'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='virtio-serial' index='0'>
+      <alias name='virtio-serial0'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </controller>
+    <controller type='pci' index='15' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='15' port='0x1e'/>
+      <alias name='pci.15'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x6'/>
+    </controller>
+    <controller type='pci' index='16' model='pcie-to-pci-bridge'>
+      <model name='pcie-pci-bridge'/>
+      <alias name='pci.16'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </controller>
+    <interface type='network'>
+      <mac address='52:54:00:1d:9c:6f'/>
+      <source network='Whonix-External' portid='7748c5ca-d57c-4913-9d00-aa7884b87666' bridge='virbr1'/>
+      <target dev='vnet29'/>
+      <model type='virtio'/>
+      <alias name='net0'/>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <source path='/dev/pts/0'/>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+      <alias name='serial0'/>
+    </serial>
+    <console type='pty' tty='/dev/pts/0'>
+      <source path='/dev/pts/0'/>
+      <target type='serial' port='0'/>
+      <alias name='serial0'/>
+    </console>
+    <channel type='spicevmc'>
+      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
+      <alias name='channel0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <channel type='unix'>
+      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-33-gentoo6/org.qemu.guest_agent.0'/>
+      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
+      <alias name='channel1'/>
+      <address type='virtio-serial' controller='0' bus='0' port='2'/>
+    </channel>
+    <input type='tablet' bus='usb'>
+      <alias name='input0'/>
+      <address type='usb' bus='0' port='1'/>
+    </input>
+    <input type='mouse' bus='ps2'>
+      <alias name='input1'/>
+    </input>
+    <input type='keyboard' bus='ps2'>
+      <alias name='input2'/>
+    </input>
+    <graphics type='spice'>
+      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-33-gentoo6/spice.sock'/>
+      <image compression='off'/>
+    </graphics>
+    <sound model='ich9'>
+      <alias name='sound0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
+    </sound>
+    <audio id='1' type='spice'/>
+    <video>
+      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
+      <alias name='video0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+    </video>
+    <redirdev bus='usb' type='spicevmc'>
+      <alias name='redir0'/>
+      <address type='usb' bus='0' port='2'/>
+    </redirdev>
+    <redirdev bus='usb' type='spicevmc'>
+      <alias name='redir1'/>
+      <address type='usb' bus='0' port='3'/>
+    </redirdev>
+    <watchdog model='i6300esb' action='reset'>
+      <alias name='watchdog0'/>
+      <address type='pci' domain='0x0000' bus='0x10' slot='0x01' function='0x0'/>
+    </watchdog>
+    <memballoon model='virtio'>
+      <alias name='balloon0'/>
+      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
+    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <alias name='rng0'/>
+      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
+    </rng>
+  </devices>
+  <seclabel type='dynamic' model='apparmor' relabel='yes'>
+    <label>libvirt-069ed70a-e004-4120-9987-81a4a2c650d2</label>
+    <imagelabel>libvirt-069ed70a-e004-4120-9987-81a4a2c650d2</imagelabel>
+  </seclabel>
+  <seclabel type='dynamic' model='dac' relabel='yes'>
+    <label>+0:+0</label>
+    <imagelabel>+0:+0</imagelabel>
+  </seclabel>
+</domain>
+
diff --git a/hosts.yml b/hosts.yml
index 5b7a23d..212ea1c 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -274,6 +274,7 @@ all:
 
         # libvirt overlay
         BOX_NBD_OVERLAY_DIR: "/a/tmp/GentooImgr/create-vm"
+        BOX_NBD_OVERLAY_BASE: "/o/var/lib/libvirt/images/gentoo.qcow2.2"
         BOX_NBD_LOGLEVEL: 10
         BOX_NBD_OVERLAY_GB: "20"
         BOX_NBD_OVERLAY_CPUS: 1
diff --git a/library/ansible_gentooimgr.py b/library/ansible_gentooimgr.py
index 4b75bbc..393f499 100755
--- a/library/ansible_gentooimgr.py
+++ b/library/ansible_gentooimgr.py
@@ -216,9 +216,8 @@ def run_module():
         # is stdout already in result? how can it be?
     except Exception as e:
         result['message'] = str(e)
-        e = traceback.print_exc()
-        if e: result['original_message'] += f"{e}"
-        module.fail_json(msg='Exception', **result)
+        result['original_message'] = f"{traceback.print_exc()}"
+        module.fail_json(msg=f'Exception {e.__class__}', **result)
     else:
         result['message'] = str(retval)
 
diff --git a/roles/ansible-gentoo_install/defaults/main.yml b/roles/ansible-gentoo_install/defaults/main.yml
index 6b49e2c..b0d37f3 100644
--- a/roles/ansible-gentoo_install/defaults/main.yml
+++ b/roles/ansible-gentoo_install/defaults/main.yml
@@ -28,9 +28,92 @@ AGI_install_network_interfaces:
     config: dhcp
 AGI_container_disk: /dev/vda
 
-AGI_install_root_password: root
 AGI_install_syslog_daemon: syslog-ng # app-admin/sysklogd
-AGI_install_cron_daemon: sys-process/cronie
+AGI_install_cron_daemon: cronie
+AGI_install_bootloader: syslinux
+
+AGI_install_syslinux_kernel_line:
+  # this is required I think
+  - console=tty1
+  # this is required I think
+  - text
+  # adjust these to suit
+  - lang=en
+  - keymap=us
+  - rootfstype=ext2
+  # remove this if you want IPV6
+  - ipv6.disable=1
+  # fsck should NOT be done by the bootloader
+  - rd.skipfsck=1
+  # =0x37f works too
+  - vga=789
+# these may not all be needed or useful in a container
+  - pti=on
+  - iommu=pt
+  - amd_iommu=on
+  - intel_iommu=on
+  - debug
+
+# remove the unused ones:
+AGI_install_syslinux_c32:
+  - vesa.c32
+  - vesainfo.c32
+  - vesamenu.c32
+  - cat.c32
+  - chain.c32
+  - cmd.c32
+  - cmenu.c32
+  - cptime.c32
+  - cpu.c32
+  - cpuid.c32
+  - cpuidtest.c32
+  - debug.c32
+  - dir.c32
+  - disk.c32
+  - dmi.c32
+  - dmitest.c32
+  - elf.c32
+  - ethersel.c32
+  - gfxboot.c32
+  - gpxecmd.c32
+  - hdt.c32
+  - host.c32
+  - ifcpu.c32
+  - ifcpu64.c32
+  - ifmemdsk.c32
+  - ifplop.c32
+  - kbdmap.c32
+  - kontron_wdt.c32
+  - ldlinux.c32
+  - lfs.c32
+  - libcom32.c32
+  - libgpl.c32
+  - liblua.c32
+  - libmenu.c32
+  - libutil.c32
+  - linux.c32
+  - ls.c32
+  - mboot.c32
+  - meminfo.c32
+  - menu.c32
+  - pci.c32
+  - pcitest.c32
+  - pmload.c32
+  - poweroff.c32
+  - prdhcp.c32
+  - pwd.c32
+  - pxechn.c32
+  - reboot.c32
+  - rosh.c32
+  - sanboot.c32
+  - sdi.c32
+  - sysdump.c32
+  - syslinux.c32
+  - vpdtest.c32
+  - whichsys.c32
+
+
+AGI_install_root_password: root
 
 AGI_bootstrap_mountpoints: []
 
diff --git a/roles/ansible-gentoo_install/tasks/bootloader.yml b/roles/ansible-gentoo_install/tasks/bootloader.yml
index 57f3d64..9d3fd89 100644
--- a/roles/ansible-gentoo_install/tasks/bootloader.yml
+++ b/roles/ansible-gentoo_install/tasks/bootloader.yml
@@ -7,35 +7,107 @@
 
 - name: test we are in the chroot
   shell: |
-    df | grep {{AGI_NBD_MP}} && exit 1
+    df | grep {{AGI_install_disk}} && exit 1
   check_mode: false
 
-- name: install grub
+- name: install grub or syslinx
   portage:
-    package: sys-boot/grub:2
+    package: sys-boot/{{AGI_install_bootloader}}
     state: installed
 
-- name: install grub to MBR
-  command: grub-install {{ AGI_install_disk }}
-  args:
-    creates: /boot/grub
+- block:
 
-- name: generate grub config
-  shell: grub-mkconfig -o /boot/grub/grub.cfg
-  args:
-    creates: /boot/grub/grub.cfg
+  - name: setup syslinux
+    shell: |
+      [ -d /boot/syslinux ] || mkdir  /boot/syslinux
+      [ -f /boot/syslinux/syslinux.cfg ] || \
+        cat > /boot/syslinux/syslinux.cfg << EOF
+      # -*-mode: sh; tab-width: 8; coding: utf-8-dos -*-
+      default vesamenu.c32
+      prompt 0
+      # timeout 150
+      
+      menu title nbd2
+      menu background splash.png
+      menu color title 1;36;44    #c0ffffff #00000000 std
+      menu color sel   7;37;40    #e0000000 #20ECEAC7 all
+      menu rows 15
+      menu tabmsgrow 21
+      menu timeoutrow 23
+      menu helpmsgrow 23
+      
+      # drm.debug=0xe 
+      #  rd.shell rd.debug
+      
+      label pentoo2019-Pen19-6.1.52-pentoo_2023_09_30_0x037f
+        menu label pentoo2019_Pen19_6.1.52-pentoo_2023_09_30_0x037f
+        menu default
+        kernel vmlinuz-6.1.52-pentoo_2023_09_30
+        INITRD initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
+        # was vga=0x315 
+        APPEND root=LABEL=root {{''.join(AGI_install_syslinux_kernel_commands)}}
+      
+      label MAIN hd0 MBR
+          menu label MAIN hd0 0
+          com32 chain.c32
+          APPEND hd0
+      
+      EOF
+      [ ! -d /usr/share/syslinux/ ] || \
+        for elt in {{' '.join(AGI_install_syslinux_c32)}}; do
+          [ -f /boot/syslinux/$elt ] && continue
+          cp -np /usr/share/syslinux/$elt /boot/syslinux
+         done
+      exit 0
 
-- name: edit grub config
-  shell: |
-    [ -f /etc/default/grub.dst ] || cp -p /etc/default/grub /etc/default/grub.dst
-    a=$(cat /proc/cmdline | sed -e 's/ BOOT_IMAGE=[^ ]*/ /' \
-                                -e 's/ initrd=[^ ]*/ /'
-                                -e 's/ resume=[^ ]*/ /'
-                                -e 's/ root=[^ ]*/ /')
-    sed -e "s/^#*GRUB_CMDLINE_LINUX=\"\"/GRUB_CMDLINE_LINUX=\"$a\"/" \
-        -i /etc/default/grub
-    grub-script-check  /etc/default/grub
+  - name: do syslinux install manually
+    shell: |
+        df | grep {{AGI_install_disk}} && \
+            echo ERROR: somethings wrong - {{AGI_install_disk}} isnt mounted
+            && exit 1
+        # should unmount it?
+        dd if={{AGI_install_disk}}p1 count=440 bs=1|strings|grep SYSLINUX
+        [ $? -eq 0 ] && exit 0
+        echo HALT: YOU MUST INSTALL THE MBR YOURSELF - do this
+        echo dd if=/usr/share/syslinux/mbr.bin of={{AGI_install_disk}}p1 count=440 bs=1 conv=notrunc
+        echo HALT: YOU MUST INSTALL SYSLINUX YOURSELF - do this
+        syslinux -d syslinux --install {{AGI_install_disk}}p1
+        exit 999
+    register: syslinux_out
+    failed_when: false
 
+  - name: install syslinux install manually
+    fail:
+      msg: "HALT: install syslinux install manually"
+    when: syslinux_out.rc != 0
+
+  when: AGI_install_bootloader == 'syslinux'
+
+- block:
+    
+  - name: install grub to MBR
+    command: grub-install {{ AGI_install_disk }}
+    args:
+      creates: /boot/grub
+  
+  - name: generate grub config
+    shell: grub-mkconfig -o /boot/grub/grub.cfg
+    args:
+      creates: /boot/grub/grub.cfg
+  
+  - name: edit grub config
+    shell: |
+      [ -f /etc/default/grub.dst ] || cp -p /etc/default/grub /etc/default/grub.dst
+      a=$(cat /proc/cmdline | sed -e 's/ BOOT_IMAGE=[^ ]*/ /' \
+                                  -e 's/ initrd=[^ ]*/ /'
+                                  -e 's/ resume=[^ ]*/ /'
+                                  -e 's/ root=[^ ]*/ /')
+      sed -e "s/^#*GRUB_CMDLINE_LINUX=\"\"/GRUB_CMDLINE_LINUX=\"$a\"/" \
+          -i /etc/default/grub
+      grub-script-check  /etc/default/grub
+
+  when: AGI_install_bootloader == 'grub:2'
+  
 - name: fstab root
   lineinfile:
     dest: /etc/fstab
@@ -80,6 +152,27 @@
     line: 'consolefont="ter-v{{AGI_consolefont_font_size}}b"'
     regexp: '^consolefont=.*'
 
+- name: /etc/default/grub
+  lineinfile:
+    dest: /etc/default/grub
+    line: '{{item.from}}="{{item.to}}"'
+    regexp: '^#*{{item.from}}=.*'
+  with_items:
+    # Append parameters to the linux kernel command line for non-recovery entries
+    - from: GRUB_CMDLINE_LINUX_DEFAULT
+      to: " rd.skipfsck=1 ipv6.disable=1 console=tty1 lang=en keymap=us intel_iommu=on vga=0x315 text"
+    # The resolution used on graphical terminal.
+  # Note that you can use only modes which your graphic card supports via VBE.
+  # You can see them in real GRUB with the command `vbeinfo'.
+    - from: GRUB_GFXMODE
+      to: 640x480
+    # Set to 'text' to force the Linux kernel to boot in normal text
+    - from: GRUB_GFXPAYLOAD_LINUX
+      to: text
+    # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
+    - from: GRUB_DISABLE_LINUX_UUID
+      to: true
+
 - name: roles/ansible-gentoo_install/tasks/
   shell: |
     LINE="rd.skipfsck=1  ipv6.disable=1 console=tty1 lang=en keymap=us "
@@ -88,11 +181,13 @@
     df | grep /boot || mount /dev/vda1 /boot
     [ -d /boot/grub ] || exit 2
     [ -f /boot/grub/grub.cfg ] || exit 3
-    sed -e "s@ ro *$@ $LINE ro@" -i /boot/grub/grub.cfg
+    cd /
+#    ln -s boot/vmlinuz* vmlinuz
+    # boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
+    ln -s boot/initramfs* initrd.img
 
 - name: consolefont
   shell: |
-    rc-update add consolefont
     cat >> /etc/rc.local << EOF
     /etc/init.d consolefont stop
     /etc/init.d consolefont start
@@ -103,6 +198,7 @@
 
 - name: rc-update add bootlogd boot
   shell: |
+    rc-update add consolefont
     rc-update | grep -q 'bootlogd .* boot' || \
       rc-update add bootlogd boot
     exit 0
diff --git a/roles/ansible-gentoo_install/tasks/disk.yml b/roles/ansible-gentoo_install/tasks/disk.yml
index 6f14ae0..ca270a5 100644
--- a/roles/ansible-gentoo_install/tasks/disk.yml
+++ b/roles/ansible-gentoo_install/tasks/disk.yml
@@ -16,8 +16,16 @@
     [ -d "{{AGI_GENTOO_FROM_MP}}" ] || exit 5
   check_mode: false
 
+- name: check for partitions
+  shell: |
+    grep '/dev/{{AGI_NBD_DEV}}p3' /proc/partitions && exit 0
+    exit 1
+  register: partitions_out
+  failed_when: false
+    
 - block:
-
+  # old code
+  
   - name: create disklabel
     command: parted -s {{ AGI_install_disk }} mklabel {{ AGI_install_disklabel }}
     register: disklabel_out
@@ -44,7 +52,7 @@
   # able to install to the MBR
   - name: create boot partition
     shell: |
-      parted -s {{ AGI_install_disk }} mkpart primary ext2 1M 200M
+      parted -s {{ AGI_install_disk }} mkpart primary {{'ext2' if AGI_install_bootloader != 'syslinux' else 'fat32'}} 1M 200M
     args:
       creates: "{{ AGI_install_disk }}p1"
 
@@ -65,7 +73,7 @@
       creates: "{{ AGI_install_disk }}p3"
 
   - name: format boot partition
-    filesystem: dev={{ AGI_install_disk }}p1 fstype=ext2 force=yes
+    filesystem: dev={{ AGI_install_disk }}p1 fstype={{'ext2' if AGI_install_bootloader != 'syslinux' else 'vfat'}} force=yes
     check_mode: false
     when: not ansible_check_mode
 
@@ -85,7 +93,15 @@
       e2label  {{ AGI_install_disk }}p3 root
       e2label  {{ AGI_install_disk }}p1 boot
       mkswap -L swap  "{{ AGI_install_disk }}p2"
-      sync
+    when: AGI_install_bootloader != 'syslinux'
+
+  - name: label partitions syslinux
+    shell: |
+      partprobe
+      fatlabel  {{ AGI_install_disk }}p3 root
+      e2label  {{ AGI_install_disk }}p1 boot
+      mkswap -L swap  "{{ AGI_install_disk }}p2"
+    when: AGI_install_bootloader == 'syslinux'
       
   when: false
 
@@ -100,15 +116,29 @@
       unit: sectors
       sector-size: 512
 
-      {{ AGI_install_disk }}p1 : start=        2048, size=      819200, type=83, bootable
+      {{ AGI_install_disk }}p1 : start=        2048, size=      819200, type={{'83' if AGI_install_bootloader != 'syslinux' else 'c'}}, bootable
       {{ AGI_install_disk }}p2 : start=      821248, size=     4096000, type=82
       {{ AGI_install_disk }}p3 : start=     4917248, size=    37025792, type=83
       EOF
       partprobe
+      
+  - name: format disk partitions grub:2
+    shell: |
       mke2fs -L boot {{ AGI_install_disk }}p1
       mke2fs -L root {{ AGI_install_disk }}p3
       mkswap -L swap  "{{ AGI_install_disk }}p2"
-      sync
-      
-  when: true
+
+    when: AGI_install_bootloader != 'syslinux'
+
+  - name: format disk partitions syslinux
+    shell: |
+      mkfs.vfat -F 32 -n boot {{ AGI_install_disk }}p1
+      mke2fs -L root {{ AGI_install_disk }}p3
+      mkswap -L swap  "{{ AGI_install_disk }}p2"
+
+    when: AGI_install_bootloader == 'syslinux'
+
+  when:
+    - partitions_out.rc != 0
+
 
diff --git a/roles/ansible-gentoo_install/tasks/local.yml b/roles/ansible-gentoo_install/tasks/local.yml
index 50d7143..d844bd0 100644
--- a/roles/ansible-gentoo_install/tasks/local.yml
+++ b/roles/ansible-gentoo_install/tasks/local.yml
@@ -143,7 +143,7 @@
 
   check_mode: false
   when:
-    - "ansible_connection in ['chroot'] or (ansible_connection in ['local'] or  and chroot_out.rc|default(1) == 0)"
+    - "ansible_connection in ['chroot'] or (ansible_connection in ['local'] and chroot_out.rc|default(1) == 0)"
   rescue:
     - debug:
         msg: "ERROR: error during chroot execution"
diff --git a/roles/ansible-gentoo_install/tasks/main.yml b/roles/ansible-gentoo_install/tasks/main.yml
index 80b3d43..a5083b0 100644
--- a/roles/ansible-gentoo_install/tasks/main.yml
+++ b/roles/ansible-gentoo_install/tasks/main.yml
@@ -113,7 +113,8 @@
       action: status
       loglevel: "{{BOX_NBD_LOGLEVEL}}"
       threads: 1
-      config: "{{AGI_GENTOOIMGR_CONFIGFILE}}" # base.json - bare filename in configs
+      # base.json - bare filename in configs
+      config: "{{AGI_GENTOOIMGR_CONFIGFILE}}" 
       profile: "{{BOX_NBD_BASE_PROFILE}}"
       kernel_dir: "{{BOX_NBD_KERNEL_DIR}}"
       portage: "{{BOX_NBD_PORTAGE_FILE}}"
diff --git a/roles/ansible-gentoo_install/tasks/misc.yml b/roles/ansible-gentoo_install/tasks/misc.yml
index c6b46af..ed8b303 100644
--- a/roles/ansible-gentoo_install/tasks/misc.yml
+++ b/roles/ansible-gentoo_install/tasks/misc.yml
@@ -86,6 +86,13 @@
   user:
     name: gentoo
     password: "{{ gentoo_password_out.stdout }}"
+    group: "{{ BOX_USER_GROUP }}"
+    append: true
+    groups: ['{{ BOX_ALSO_GROUP }}', 'wheel']
+    create_home: yes
+    shell: /bin/bash
+  #? usermod: user vagrant is currently used by process 2190
+  ignore_errors: true
 
 - name: configure sudoers
   lineinfile:
@@ -96,6 +103,13 @@
     owner: root
     mode: '0640'
 
+- name: make symlinks
+  shell: |
+    [ -e /var/db/repos/gentoo ] || \
+      ln -s  /usr/portage /var/db/repos/gentoo
+    grep -q ^tmpfs /etc/fstab || \
+      echo >> /etc/fstab 'tmpfs                   /dev/shm                tmpfs   defaults,noexec,size=5%        0 0'
+    
 - block:
 
   - name: make symlinks
diff --git a/roles/ansible-gentoo_install/tasks/portage.yml b/roles/ansible-gentoo_install/tasks/portage.yml
index 82d8ad8..4033264 100644
--- a/roles/ansible-gentoo_install/tasks/portage.yml
+++ b/roles/ansible-gentoo_install/tasks/portage.yml
@@ -5,11 +5,6 @@
     verbosity: 1
     msg: "DEBUG: ansible-gentoo_install portage ansible_shell_executable={{ansible_shell_executable}}"
 
-- name: reenable chroot wrapper
-  set_fact:
-    ansible_shell_executable: /var/tmp/chroot_wrapper.sh
-    ansible_python_interpreter: "/usr/bin/python3"
-
 - name: test we are in the chroot
   shell: |
     df | grep /mnt/gentoo && exit 1
diff --git a/roles/ansible-gentoo_install/vars/target_Gentoo2.yml b/roles/ansible-gentoo_install/vars/target_Gentoo2.yml
index d139a07..d77cdf5 100644
--- a/roles/ansible-gentoo_install/vars/target_Gentoo2.yml
+++ b/roles/ansible-gentoo_install/vars/target_Gentoo2.yml
@@ -16,6 +16,7 @@ AGI_install_portage_makeconf_default:
   MAKEOPTS: "-j{{ ansible_processor_vcpus | default(1) }}"
   USE: "-X verify-sig"
   CFLAGS: "-march=native -O2 -pipe"
+  
 AGI_install_portage_conf_files:
   'package.accept_keywords': |
     =sys-kernel/genkernel-4.3* ~amd64
@@ -41,6 +42,8 @@ AGI_bootstrap_dirs:
   - etc/portage/repos.conf
   - etc/portage/savedconfig
   - etc/portage/sets
+  - usr/local/tmp/bootstrap/logs
+  - usr/local/tmp/bootstrap/distfiles
 
 AGI_bootstrap_files:
   - usr/local/etc/local.d/local.bash
@@ -59,8 +62,9 @@ AGI_bootstrap_pkgs:
   - app-editors/mg
   - qemu-guest-agent
   - app-admin/logrotate
-  - "{{ AGI_install_cron_daemon }}"
-  - "{{AGI_install_syslog_daemon}}"
+  - "sys-process/{{ AGI_install_cron_daemon }}"
+  - "{{ AGI_install_syslog_daemon}}"
+  - "sys-boot/{{ AGI_install_bootloader }}"  
   - media-fonts/terminus-font
   - sys-apps/gptfdisk
   - net-analyzer/openbsd-netcat
@@ -68,7 +72,7 @@ AGI_bootstrap_pkgs:
   - dev-util/strace
   - sys-libs/gpm
   - app-portage/eix
-  - www-client/lynx
+  - net-misc/curl
   - linux-firmware
 
 AGI_cloud_pkgs:
@@ -83,12 +87,11 @@ AGI_cloud_pkgs:
   - tmux
   - app-misc/screen
   - dev-vcs/git
-  - net-misc/curl
   - usbutils
   - pciutils
   - net-misc/ntp
   - net-fs/nfs-utils
   # get these from config.json
-  - app-emulation/cloud-init
-  - sys-block/open-iscsi
+#  - app-emulation/cloud-init
+#  - sys-block/open-iscsi
 
diff --git a/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_build_overlay_qcow.bash b/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_build_overlay_qcow.bash
index da0f1cf..12e6be9 100755
--- a/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_build_overlay_qcow.bash
+++ b/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_build_overlay_qcow.bash
@@ -23,11 +23,22 @@ yamllint -c $BASE_SRC_ANSIBLE/.yamllint.rc $BASE_SRC_ANSIBLE/hosts.yml|| {
 
 # put these values in $BASE_SRC_ANSIBLE/hosts.yml
 [ -n "$BOX_NBD_OVERLAY_NAME" ] || \
-  BOX_NBD_OVERLAY_NAME=$( /usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_NAME $BOX)
+    BOX_NBD_OVERLAY_NAME=$( /usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_NAME $BOX)
+
+if virsh list | grep  "$BOX_NBD_OVERLAY_NAME" ; then
+    ERROR "$BOX_NBD_OVERLAY_NAME" is running - please virsh destroy "$BOX_NBD_OVERLAY_NAME" 
+    exit 2
+fi
+if virsh list --all | grep  "$BOX_NBD_OVERLAY_NAME" ; then
+    ERROR "$BOX_NBD_OVERLAY_NAME" is running - please virsh undefine "$BOX_NBD_OVERLAY_NAME" 
+    exit 3
+fi
+    
+
 [ -n "$BOX_NBD_BASE_PUBKEY" ] || \
   BOX_NBD_BASE_PUBKEY=$( /usr/local/bin/ansible_get_inventory.bash BOX_NBD_BASE_PUBKEY $BOX)
-[ -n "$BOX_NBD_BASE_QCOW" ] || \
-  BOX_NBD_BASE_QCOW=$( /usr/local/bin/ansible_get_inventory.bash BOX_NBD_BASE_QCOW $BOX)
+[ -n "$BOX_NBD_OVERLAY_BASE" ] || \
+  BOX_NBD_OVERLAY_BASE=$( /usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_BASE $BOX)
 [ -n "$BOX_NBD_OVERLAY_GB" ] || \
   BOX_NBD_OVERLAY_GB=$( /usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_GB $BOX)
 [ -n "$BOX_NBD_OVERLAY_CPUS" ] || \
@@ -43,8 +54,8 @@ yamllint -c $BASE_SRC_ANSIBLE/.yamllint.rc $BASE_SRC_ANSIBLE/hosts.yml|| {
 [ -n "$BOX_NBD_OVERLAY_PASS" ] || \
   BOX_NBD_OVERLAY_PASS=$( /usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_PASS $BOX)
 
-[ ! -f "$BOX_NBD_BASE_QCOW" ] && \
-    ERROR BOX_NBD_BASE_QCOW=$BOX_NBD_BASE_QCOW must exist && exit 3
+[ ! -f "$BOX_NBD_OVERLAY_BASE" ] && \
+    ERROR BOX_NBD_OVERLAY_BASE=$BOX_NBD_OVERLAY_BASE must exist && exit 3
 [ ! -d "$BOX_NBD_OVERLAY_DIR" ] && \
     ERROR BOX_NBD_OVERLAY_DIR=$BOX_NBD_OVERLAY_DIR must exist && exit 5
 
@@ -58,7 +69,7 @@ export BOX_NBD_OVERLAY_DIR
 DBUG bash toxcore_create-vm.bash \
              -n $BOX_NBD_OVERLAY_NAME \
              -k $BOX_NBD_BASE_PUBKEY \
-             -i $BOX_NBD_BASE_QCOW \
+             -i $BOX_NBD_OVERLAY_BASE \
              -s $BOX_NBD_OVERLAY_GB \
              -b $BOX_NBD_OVERLAY_BR \
              -c $BOX_NBD_OVERLAY_CPUS \
@@ -69,7 +80,7 @@ DBUG bash toxcore_create-vm.bash \
 bash toxcore_create-vm.bash \
              -n $BOX_NBD_OVERLAY_NAME \
              -k $BOX_NBD_BASE_PUBKEY \
-             -i $BOX_NBD_BASE_QCOW \
+             -i $BOX_NBD_OVERLAY_BASE \
              -s $BOX_NBD_OVERLAY_GB \
              -b $BOX_NBD_OVERLAY_BR \
              -c $BOX_NBD_OVERLAY_CPUS \
@@ -83,8 +94,8 @@ retval=$?
     INFO $BOX_NBD_OVERLAY_DIR/images/$BOX_NBD_OVERLAY_NAME.img || {
     ERROR NO $BOX_NBD_OVERLAY_DIR/images/$BOX_NBD_OVERLAY_NAME.img  ; exit 2$retval ; }
 
-INFO virsh define $BOX_NBD_OVERLAY_NAME
-virsh define $BOX_NBD_OVERLAY_DIR/$BOX_NBD_OVERLAY_NAME.img 
+INFO virsh define $BOX_NBD_OVERLAY_DIR/xml/$BOX_NBD_OVERLAY_NAME.xml
+virsh define $BOX_NBD_OVERLAY_DIR/xml/$BOX_NBD_OVERLAY_NAME.xml 
 sleep 5
 INFO virsh net-dhcp-leases default
 sudo  virsh net-dhcp-leases default
diff --git a/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_create-vm.bash b/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_create-vm.bash
index 28efb0d..dafdac8 100755
--- a/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_create-vm.bash
+++ b/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_create-vm.bash
@@ -13,6 +13,11 @@
 prog=`basename $0 .bash`
 PREFIX=/usr/local
 ROLE=toxcore
+if which genisoimage >/dev/null 2>/dev/null ; then
+    have_genisoimage=true
+else
+    have_genisoimage=false
+fi
 
 #   create-vm - Quickly create guest VMs using cloud image files and cloud-init.
 
@@ -136,8 +141,11 @@ mkdir -p "$BOX_NBD_OVERLAY_DIR"/{images,xml,init,base} || exit 2
 
 echo "Creating a qcow2 image file ${BOX_NBD_OVERLAY_DIR}/images/${HOSTNAME}.img that uses the cloud image file ${IMG_FQN} as its base"
 
-INFO qemu-img create -b "${IMG_FQN}" -f qcow2 -F qcow2 "${BOX_NBD_OVERLAY_DIR}/images/${HOSTNAME}.img" "${STORAGE}G"
-qemu-img create -b "${IMG_FQN}" -f qcow2 -F qcow2 "${BOX_NBD_OVERLAY_DIR}/images/${HOSTNAME}.img" "${STORAGE}G" || exit 3
+INFO qemu-img create -b "${IMG_FQN}" -f qcow2 -F qcow2 \
+     "${BOX_NBD_OVERLAY_DIR}/images/${HOSTNAME}.img" "${STORAGE}G"
+qemu-img create -b "${IMG_FQN}" -f qcow2 -F qcow2 \
+	 "${BOX_NBD_OVERLAY_DIR}/images/${HOSTNAME}.img" "${STORAGE}G" || \
+    exit 3
 
 echo "Creating meta-data file $BOX_NBD_OVERLAY_DIR/init/meta-data"
 cat > "$BOX_NBD_OVERLAY_DIR/init/meta-data" << EOF
@@ -246,6 +254,7 @@ done
 #grep gentoo /etc/shadow
 EOF
 
+if $have_genisoimage ; then
 echo "Generating the cidata ISO file $BOX_NBD_OVERLAY_DIR/images/${HOSTNAME}-cidata.iso"
 (
     cd "$BOX_NBD_OVERLAY_DIR/init/"
@@ -257,6 +266,7 @@ echo "Generating the cidata ISO file $BOX_NBD_OVERLAY_DIR/images/${HOSTNAME}-cid
         -input-charset utf-8 \
         user-data meta-data
 ) || exit 5
+fi
 
 MACCMD=
 if [[ -n $MAC ]]; then
@@ -264,7 +274,9 @@ if [[ -n $MAC ]]; then
 fi
 
 [ -f ${BOX_NBD_OVERLAY_DIR}/images/${HOSTNAME}.img ] || exit 5
-[ -f $BOX_NBD_OVERLAY_DIR/images/${HOSTNAME}-cidata.img ] || exit 6
+if $have_genisoimage ; then
+    [ -f $BOX_NBD_OVERLAY_DIR/images/${HOSTNAME}-cidata.img ] || exit 6
+fi
 
 # libvirt.libvirtError: /usr/lib/qemu/qemu-bridge-helper --use-vnet --br=-c --fd=31: failed to communicate with bridge helper: stderr=failed to parse default acl file `/etc/qemu/bridge.conf'
 if [ ! -f "/etc/qemu/bridge.conf" ] ; then
@@ -288,38 +300,14 @@ sudo ifconfig -a | grep $BRIDGE && \
   NETWORK="--network bridge=${BRIDGE},model=virtio" || \
   WARN bridge $BRIDGE not running. not adding a network
 NETWORK="--network network=default,model=virtio"
+NETWORK="--interface type=network,source.network=default,model.type=virtio"
 
-INFO virt-install \
-    --name="${HOSTNAME}" \
-    --osinfo  "$OSINFO" \
-    --import \
-    --name="${HOSTNAME}" \
-    --disk "path=${BOX_NBD_OVERLAY_DIR}/images/${HOSTNAME}.img,format=qcow2" \
-    --disk "path=$BOX_NBD_OVERLAY_DIR/images/${HOSTNAME}-cidata.img,device=cdrom" \
-    --ram="${RAM}" \
-    --vcpus="${VCPUS}" \
-    --autostart \
-    --hvm \
-    --arch x86_64 \
-    --accelerate \
-    --check-cpu \
-    --force \
-    --watchdog=default \
-    --graphics spice,listen=socket \
-    --channel spicevmc,target.type=virtio,target.name=com.redhat.spice.0 \
-    --channel type=unix,target.type=virtio,target.name=org.qemu.guest_agent.0 \
-    --network "bridge=${BRIDGE},model=virtio" \
-    --rng /dev/urandom \
-    --os-variant detect=on,name=$OSINFO \
-    --noautoconsole
-
-# squelch warnings
-python3.sh `which virt-install` \
+declare -a LARGS
+LARGS=(
     --name="${HOSTNAME}" \
     --osinfo  "$OSINFO" \
     --import \
     --disk "path=${BOX_NBD_OVERLAY_DIR}/images/${HOSTNAME}.img,format=qcow2" \
-    --disk "path=$BOX_NBD_OVERLAY_DIR/images/${HOSTNAME}-cidata.img,device=cdrom" \
     --ram="${RAM}" \
     --vcpus="${VCPUS}" \
     --autostart \
@@ -332,12 +320,24 @@ python3.sh `which virt-install` \
     --graphics spice,listen=socket \
     --filesystem /,/mnt/linuxPen19 \
     --channel spicevmc,target.type=virtio,target.name=com.redhat.spice.0 \
-    --channel unix,target.type=virtio,target.name=org.qemu.guest_agent.0 \
-    $NETWORK \
+    --channel type=unix,target.type=virtio,target.name=org.qemu.guest_agent.0 \
     --rng /dev/urandom \
     --os-variant detect=on,name=$OSINFO \
     --noautoconsole \
-    || exit 7
+    )
+if [ -n "$NETWORK" ] ; then
+LARGS+=(
+    $NETWORK \
+)
+if $have_genisoimage ; then
+LARGS+=(
+    --disk "path=$BOX_NBD_OVERLAY_DIR/images/${HOSTNAME}-cidata.img,device=cdrom" \
+	)
+fi
+
+INFO virt-install  "${LARGS[@]}" 
+# squelch warnings
+python3.sh `which virt-install` "${LARGS[@]}"  || exit 7
 # --debug 
 #?    --shmem name=shmem_server,type="memfd",mode="shared"
 #    --shmem name=shmem0  ivshmem device is not supported with this QEMU binary
diff --git a/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_libvirt_test_ga.bash b/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_libvirt_test_ga.bash
new file mode 100755
index 0000000..b3b69eb
--- /dev/null
+++ b/roles/toxcore/overlay/Linux/usr/local/bin/toxcore_libvirt_test_ga.bash
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+ROLE=toxcore
+MODE=host
+TOX_PLAY=/o/var/local/src/play_tox
+
+sudo virsh list | grep running | while read a elt b ; do
+    echo INFO testing $elt
+    ansible -i $TOX_PLAY/hosts.yml  -c libvirt_qemu -m setup $elt
+done
+