diff --git a/.github/workflows/vagrant-up.yml b/.github/workflows/vagrant-up.yml index 3c97705..0434dfd 100644 --- a/.github/workflows/vagrant-up.yml +++ b/.github/workflows/vagrant-up.yml @@ -62,3 +62,39 @@ jobs: - name: Destroy vagrant common-minimal-desktop.yml run: timeout -k 60 -s 9 60 vagrant destroy -f || true if: always() + + vagrant-user-2404: + runs-on: self-hosted + + needs: vagrant-set-up + steps: + - name: Run vagrant user.yml + run: vagrant --os=bento/ubuntu-24.04 --local --playbook=user.yml --headless up + + - name: Destroy vagrant user.yml + run: timeout -k 60 -s 9 60 vagrant destroy -f || true + if: always() + + vagrant-common-desktop-2404: + runs-on: self-hosted + + needs: vagrant-set-up + steps: + - name: Run vagrant common-desktop.yml + run: vagrant --os=bento/ubuntu-24.04 --local --headless up + + - name: Destroy vagrant common-desktop.yml + run: timeout -k 60 -s 9 60 vagrant destroy -f || true + if: always() + + vagrant-common-minimal-desktop-2404: + runs-on: self-hosted + + needs: vagrant-set-up + steps: + - name: Run vagrant common-minimal-desktop.yml + run: vagrant --os=bento/ubuntu-24.04 --local --playbook=common-minimal-desktop.yml --headless up + + - name: Destroy vagrant common-minimal-desktop.yml + run: timeout -k 60 -s 9 60 vagrant destroy -f || true + if: always() diff --git a/README.md b/README.md index 7b57bcb..515b68a 100644 --- a/README.md +++ b/README.md @@ -108,3 +108,11 @@ If can't connect bluetooth, run ``` systemctl --user restart wireplumber.service ``` + +Prepare for the new ubuntu release +================================== + +1. Create ponysay backport https://github.com/fspv/ponysay-deb +2. Test all vagrant scenarios locally +3. Test if nix builds +4. wayland apps can't be tested in vagrant, so test them locally if possible diff --git a/Vagrantfile b/Vagrantfile index 8d44f66..36a3ea1 100644 --- a/Vagrantfile +++ b/Vagrantfile 
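Review bot: The three added `*-2404` jobs use `runs-on: self-hosted` and execute the repository's own Vagrantfile and playbooks, so whatever can trigger this workflow gets code execution on the runner host. The `on:` block is outside the hunk; if it includes `pull_request`, confirm that runs from forks require approval before they reach the self-hosted runner. The `vagrant ... up` steps are also unbounded, unlike the destroy steps, so a hung provision holds the runner. A per-job `timeout-minutes: 120` would cap it (the value is constructed, pick one that fits).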
@@ -29,7 +29,9 @@ opts.each do |opt, arg| end end -# Example: vagrant --os=ubuntu/jammy64 --playbook=user.yml --local --headless up +# Example: +# * vagrant --os=ubuntu/jammy64 --playbook=user.yml --local --headless up +# * vagrant --os=bento/ubuntu-24.04 --playbook=common-desktop.yml --local up Vagrant.configure("2") do |config| @@ -74,7 +76,17 @@ Vagrant.configure("2") do |config| sed 's/# //g' roles/user/defaults/main.yml > manual/common.yml chown -R vagrant . - sudo -u vagrant ./bootstrap.sh #{playbook} LOCAL + + for i in {1..3}; do + set +e + sudo -u vagrant ./bootstrap.sh #{playbook} LOCAL && break + set -e + done + + if $? -ne 0; then + echo "Failed to provision" + exit 1 + fi apt-get update apt-get upgrade -y @@ -85,6 +97,8 @@ Vagrant.configure("2") do |config| apt-get update apt-get upgrade -y + cd /tmp/ && sudo -u user /home/user/.bin/init-user-env.sh + reboot SHELL else @@ -109,7 +123,16 @@ Vagrant.configure("2") do |config| sed 's/# //g' roles/user/defaults/main.yml > manual/common.yml chown -R vagrant . - sudo -u vagrant ./bootstrap.sh #{playbook} REMOTE + for i in {1..3}; do + set +e + sudo -u vagrant ./bootstrap.sh #{playbook} REMOTE && break + set -e + done + + if $? -ne 0; then + echo "Failed to provision" + exit 1 + fi apt-get update apt-get upgrade -y @@ -120,6 +143,8 @@ Vagrant.configure("2") do |config| apt-get update apt-get upgrade -y + cd /tmp/ && sudo -u user /home/user/.bin/init-user-env.sh + reboot SHELL end diff --git a/bootstrap-config.sh b/bootstrap-config.sh index 58aaf0d..776d7ce 100644 --- a/bootstrap-config.sh +++ b/bootstrap-config.sh @@ -1,5 +1,5 @@ BOOTSTRAP_DIR="${HOME}/.local/share/bootstrap" ANSIBLE_VENV_DIR="${BOOTSTRAP_DIR}/ansible-venv" ANSIBLE_REPO_DIR="${BOOTSTRAP_DIR}/ansible-repo" -ANSIBLE_VERSION="2.10.7" +ANSIBLE_VERSION="9.9.0" export PYTHONPATH="" diff --git a/roles/apparmor/meta/main.yml b/roles/apparmor/meta/main.yml new file mode 100644 index 0000000..4c28e34 --- /dev/null +++ b/roles/apparmor/meta/main.yml 
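Review bot: `if $? -ne 0; then` after the retry loop in the LOCAL provisioning block runs the expanded exit status as a command instead of testing it, so "Failed to provision" is never reached and a machine whose bootstrap failed three times goes on to `apt-get upgrade` and `reboot`. Even with `[ ... ]` added, `$?` at that point would be the status of the loop's trailing `set -e`, not of `bootstrap.sh`. A successful attempt also leaves `set +e` in force for the rest of the script, because `break` skips the `set -e`. Putting the call in an `if` condition avoids both problems, since errexit does not apply to a condition. The REMOTE block in the `@@ -109,7 +123,16 @@` hunk has the same loop and needs the same change; the heredoc starts outside both hunks.

```ruby
# … unchanged: sed / chown lines of the SHELL heredoc …
provisioned=0
for attempt in 1 2 3; do
  if sudo -u vagrant ./bootstrap.sh #{playbook} LOCAL; then
    provisioned=1
    break
  fi
  echo "bootstrap attempt ${attempt} failed"
done

if [ "${provisioned}" -ne 1 ]; then
  echo "Failed to provision"
  exit 1
fi
# … unchanged: apt-get update / apt-get upgrade -y …
```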
@@ -0,0 +1,2 @@ +dependencies: + - { role: pkgmanager } diff --git a/roles/apparmor/tasks/configs.yml b/roles/apparmor/tasks/configs.yml new file mode 100644 index 0000000..3ef3967 --- /dev/null +++ b/roles/apparmor/tasks/configs.yml @@ -0,0 +1,16 @@ +- name: config nix bwrap fix + copy: + content: | + abi , + include + + profile bwrap /nix/store/*/bin/bwrap flags=(unconfined) { + userns, + + # Site-specific additions and overrides. See local/README for details. + include if exists + } + + dest: /etc/apparmor.d/bwrap + owner: "root" + mode: 0666 diff --git a/roles/apparmor/tasks/main.yml b/roles/apparmor/tasks/main.yml new file mode 100644 index 0000000..1fbbe52 --- /dev/null +++ b/roles/apparmor/tasks/main.yml @@ -0,0 +1,3 @@ +- import_tasks: packages.yml +- import_tasks: configs.yml +- import_tasks: services.yml diff --git a/roles/apparmor/tasks/packages.yml b/roles/apparmor/tasks/packages.yml new file mode 100644 index 0000000..55b5d08 --- /dev/null +++ b/roles/apparmor/tasks/packages.yml @@ -0,0 +1,3 @@ +- name: package + apt: + name: apparmor diff --git a/roles/apparmor/tasks/services.yml b/roles/apparmor/tasks/services.yml new file mode 100644 index 0000000..5c993ca --- /dev/null +++ b/roles/apparmor/tasks/services.yml @@ -0,0 +1,6 @@ +- name: service + service: + name: apparmor + enabled: yes + # restart to pick up a new config + state: restarted diff --git a/roles/apt/defaults/main.yml b/roles/apt/defaults/main.yml index 4ea79b4..12837fc 100644 --- a/roles/apt/defaults/main.yml +++ b/roles/apt/defaults/main.yml @@ -4,5 +4,5 @@ apt_repos: - ubuntu-security - ubuntu-updates - ubuntu-backports - - ubuntu-partner - - ppa-pv-safronov-backports + # - ubuntu-partner + # - ppa-pv-safronov-backports diff --git a/roles/apt/handlers/main.yml b/roles/apt/handlers/main.yml index 2368d71..18353a8 100644 --- a/roles/apt/handlers/main.yml +++ b/roles/apt/handlers/main.yml @@ -1,5 +1,3 @@ - name: apt-get update shell: cmd: apt-get update - args: - warn: false 
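Review bot: `mode: 0666` in the new `config nix bwrap fix` task leaves `/etc/apparmor.d/bwrap` world-writable, so any local account can change a profile that is loaded with root privileges the next time AppArmor restarts, which roles/apparmor/tasks/services.yml does on every run. Use `mode: "0644"` (quoted, so it is never re-typed) and add `group: "root"` next to the existing owner. The profile is `flags=(unconfined)` with `userns` for every path matching `/nix/store/*/bin/bwrap`, which presumably grants unprivileged user namespaces to any store output that ships a `bin/bwrap`. A comment stating that this breadth is intended, or a narrower attachment path, would help the next reader. The `abi` and `include` lines appear here without their path arguments, so check that the committed file carries them.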
diff --git a/roles/apt/tasks/packages.yml b/roles/apt/tasks/packages.yml index c8c8f72..b635d97 100644 --- a/roles/apt/tasks/packages.yml +++ b/roles/apt/tasks/packages.yml @@ -3,22 +3,10 @@ apt: name: software-properties-common -- name: package python-pycurl - apt: - name: python-pycurl - # FIXME: missing since Ubuntu jammy - ignore_errors: yes - - name: package python3-pycurl apt: name: python3-pycurl -- name: package python-apt - apt: - name: python-apt - # FIXME: missing since Ubuntu jammy - ignore_errors: yes - - name: package python3-apt apt: name: python3-apt diff --git a/roles/apt/tasks/repos.yml b/roles/apt/tasks/repos.yml index b382b48..291b084 100644 --- a/roles/apt/tasks/repos.yml +++ b/roles/apt/tasks/repos.yml @@ -8,6 +8,12 @@ - '/var/lib/apt/lists/' tags: build-child +- name: repo remove /etc/apt/sources.list.d/ubuntu.sources + file: + path: /etc/apt/sources.list.d/ubuntu.sources + state: absent + tags: build-child + ### Preferences (pins) - name: repo ubuntu pins template: @@ -49,7 +55,5 @@ - name: repo update shell: cmd: apt-get update - args: - warn: false tags: - build-child diff --git a/roles/common-tools/vars/main.yml b/roles/common-tools/vars/main.yml index 4ab99f0..768cbaa 100644 --- a/roles/common-tools/vars/main.yml +++ b/roles/common-tools/vars/main.yml @@ -11,7 +11,6 @@ common_tools: - lsscsi - lsof - vnstat - - mlocate - bash-completion - parted - gdisk diff --git a/roles/common-tweaks/meta/main.yml b/roles/common-tweaks/meta/main.yml index b9a9f88..799ec8c 100644 --- a/roles/common-tweaks/meta/main.yml +++ b/roles/common-tweaks/meta/main.yml @@ -2,7 +2,8 @@ dependencies: - { role: user, when: ansible_distribution == "Ubuntu" } - { role: pkgmanager } - { role: tzdata } - - { role: systemd} + - { role: systemd } + - { role: apparmor } - { role: tuxedo, when: ansible_system_vendor == "TUXEDO" } - { role: ntp, when: ansible_distribution == "Ubuntu" } - { role: gpg, when: ansible_distribution == "Ubuntu" } 
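Review bot: `- { role: apparmor }` is added to roles/common-tweaks/meta/main.yml without a condition, while the new role's packages task uses the `apt` module and its neighbours `user`, `ntp` and `gpg` are gated on Ubuntu. If common-tweaks is still meant to run on other distributions, gate it the same way: `- { role: apparmor, when: ansible_distribution == "Ubuntu" }`.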
diff --git a/roles/desktop/meta/main.yml b/roles/desktop/meta/main.yml index bfa9c34..d96fb9e 100644 --- a/roles/desktop/meta/main.yml +++ b/roles/desktop/meta/main.yml @@ -1,3 +1,4 @@ dependencies: - { role: ubuntu-desktop, when: ansible_distribution == "Ubuntu" } - - { role: fedora-desktop, when: ansible_distribution == "Fedora" } + # FIXME: apt handler is getting skipped when this is enabled + # - { role: fedora-desktop, when: ansible_distribution == "Fedora" } diff --git a/roles/minimal-ubuntu-desktop/tasks/packages.yml b/roles/minimal-ubuntu-desktop/tasks/packages.yml index c0788e3..640207d 100644 --- a/roles/minimal-ubuntu-desktop/tasks/packages.yml +++ b/roles/minimal-ubuntu-desktop/tasks/packages.yml @@ -55,8 +55,6 @@ - dupload - virt-manager - qemu-kvm - - qemu - dia - - vim-gtk - gimp - xubuntu-default-settings diff --git a/roles/ntp/tasks/packages.yml b/roles/ntp/tasks/packages.yml index 5eaa2ef..a48d023 100644 --- a/roles/ntp/tasks/packages.yml +++ b/roles/ntp/tasks/packages.yml @@ -1,3 +1,9 @@ +# only needed before ubuntu noble, replaced by time-daemon after - name: pkg apt: name: ntp + # only needed before ubuntu noble, replaced by time-daemon after + when: + - ansible_facts['os_family'] == "Debian" + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_version'] == "22.04" diff --git a/roles/ntp/tasks/services.yml b/roles/ntp/tasks/services.yml index 0e42609..a99b7d8 100644 --- a/roles/ntp/tasks/services.yml +++ b/roles/ntp/tasks/services.yml @@ -3,3 +3,8 @@ name: ntp enabled: yes state: started + # only needed before ubuntu noble, replaced by time-daemon after + when: + - ansible_facts['os_family'] == "Debian" + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_version'] == "22.04" diff --git a/roles/nvim/tasks/packages.yml b/roles/nvim/tasks/packages.yml index 989af2a..e69de29 100644 --- a/roles/nvim/tasks/packages.yml +++ b/roles/nvim/tasks/packages.yml 
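Review bot: The `when` list added to the `pkg` task in roles/ntp/tasks/packages.yml matches only `distribution_version == "22.04"`, while its comment says the package is needed on every release before noble, so any other pre-24.04 release is silently skipped. A range test states the intent directly: `- ansible_facts['distribution_version'] is version('24.04', '<')`. The same three-line condition is repeated in roles/ntp/tasks/services.yml, roles/sway/tasks/packages.yml and roles/tlp/tasks/services.yml. In the tlp hunk the copied comment about time-daemon does not describe power-profiles-daemon. Nothing in these hunks installs or enables a replacement time service on 24.04, so it is worth confirming that the host still ends up with synchronised time.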
@@ -1,19 +0,0 @@ -- name: packages - apt: - name: "{{ item }}" - with_items: - - neovim - - flake8 - - mypy - - pycodestyle - - python3-pyflakes - - black - - isort - - clangd - - cppcheck - - flawfinder - - astyle - - clang-format - - clang-tidy - - uncrustify - - clangd diff --git a/roles/sway/tasks/packages.yml b/roles/sway/tasks/packages.yml index be64b53..a78d0db 100644 --- a/roles/sway/tasks/packages.yml +++ b/roles/sway/tasks/packages.yml @@ -46,6 +46,11 @@ - name: package libappindicator1 package: name: libappindicator1 + # removed since ubuntu noble + when: + - ansible_facts['os_family'] == "Debian" + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_version'] == "22.04" - name: package qtwayland5 package: diff --git a/roles/tlp/tasks/services.yml b/roles/tlp/tasks/services.yml index 2483bb2..fd072fe 100644 --- a/roles/tlp/tasks/services.yml +++ b/roles/tlp/tasks/services.yml @@ -1,17 +1,14 @@ --- -- name: service ondemand tlp - service: - name: ondemand - enabled: no - state: stopped - # FIXME: missing since Ubuntu jammy - ignore_errors: yes - - name: service power-profiles-daemon service: name: power-profiles-daemon enabled: no state: stopped + # only needed before ubuntu noble, replaced by time-daemon after + when: + - ansible_facts['os_family'] == "Debian" + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_version'] == "22.04" - name: service tlp service: diff --git a/roles/tzdata/defaults/main.yml b/roles/tzdata/defaults/main.yml index 248782d..b82fc84 100644 --- a/roles/tzdata/defaults/main.yml +++ b/roles/tzdata/defaults/main.yml @@ -1 +1 @@ -tzdata_timezone: "GB" +tzdata_timezone: "Europe/London" diff --git a/roles/ubuntu-desktop/meta/main.yml b/roles/ubuntu-desktop/meta/main.yml index e8a5de1..57f31ff 100644 --- a/roles/ubuntu-desktop/meta/main.yml +++ b/roles/ubuntu-desktop/meta/main.yml 
@@ -2,11 +2,11 @@ dependencies: - { role: ubuntu-devserver } - { role: minimal-ubuntu-desktop } - { role: tlp } - - { role: chromium-browser } - - { role: skype } - - { role: discord } - - { role: obs } - - { role: keepassxc } - - { role: latex } - - { role: bitcoin-core } - - { role: slack } + # - { role: chromium-browser } + # - { role: skype } + # - { role: discord } + # - { role: obs } + # - { role: keepassxc } + # - { role: latex } + # - { role: bitcoin-core } + # - { role: slack } diff --git a/roles/ubuntu-devserver/meta/main.yml b/roles/ubuntu-devserver/meta/main.yml index 7c65c7f..07402e4 100644 --- a/roles/ubuntu-devserver/meta/main.yml +++ b/roles/ubuntu-devserver/meta/main.yml @@ -3,15 +3,15 @@ dependencies: - { role: resolv } - { role: docker } - { role: openvpn } - - { role: go } - - { role: i2p } - - { role: tor } - - { role: github-cli } - - { role: go-ethereum } + # - { role: go } + # - { role: i2p } + # - { role: tor } + # - { role: github-cli } + # - { role: go-ethereum } - { role: vagrant } - - { role: nodejs } + # - { role: nodejs } - { role: tailscale } - - { role: rust } + # - { role: rust } # TODO: do we really need fonts on the devserver? - { role: fonts } - { role: nvim } diff --git a/roles/yubico/tasks/packages.yml b/roles/yubico/tasks/packages.yml index faa2d8c..9470aef 100644 --- a/roles/yubico/tasks/packages.yml +++ b/roles/yubico/tasks/packages.yml @@ -2,6 +2,5 @@ package: name: - yubikey-manager - - yubikey-personalization-gui - libpam-yubico - libpam-u2f