diff --git a/defaults/main.yml b/defaults/main.yml index 94ea8cd..702bf9c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,3 +4,31 @@ debian_installer_set_hostname: true debian_installer_nonfree_firmware: false debian_installer_cmdline: auto=true cmdline: "" + +debian_mirror: http://deb.debian.org/debian +debian_security_mirror: http://security.debian.org/debian-security + +live_build_serial_console: false +live_build_bootappend_live: + boot=live + components + quiet + locales=de_DE.UTF-8 + timezone=Europe/Berlin + keyboard-layouts=de + +live_build_distribution: bullseye + +debian_nonfree_firmware: true + +debian_live_debian_installer: netinst +live_build_debian_installer_gui: false +live_build_directory: /opt/live + +live_build_desktop: false + +live_build_iso_publisher: custom + +live_build_nice_level: 14 + +live_build_linux_surface: false diff --git a/files/linux-surface/config/archives/linux-surface.key.chroot b/files/linux-surface/config/archives/linux-surface.key.chroot new file mode 100644 index 0000000..34c14ca --- /dev/null +++ b/files/linux-surface/config/archives/linux-surface.key.chroot 
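Review bot: The defaults added to defaults/main.yml do not include `live_build_chroot_package_lists`, although the "include chroot packages" task in tasks/config.yaml loops over `live_build_chroot_package_lists.keys()` with no `when` guard. Unless it is defined in the first three lines of this file (outside the hunk) or by the caller, the role fails on an undefined variable. Adding `live_build_chroot_package_lists: {}` here makes that loop a no-op by default. A short comment per variable would also help, in particular noting that `root_password` is expected to be a crypt hash and that `root_ssh_authorized_keys` ends up in the built image.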
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF4mFh4BEADLu7iRoKyoFSCt35hCzl4w9TmtTIaSB7oHsOAlU+PizbSGrnmb +svnu5/kEXCBu2L/vk6rKzoIbgBDOtNE+6WnDOAhzMcQIQ73laIDPxJA5qO/wgaeT +ifhO/JI62Lw48hDRpbYNKqZVabnJ5UZIoKRO13PjSQKl55hexuhdQhSi3nRl6vUE +uQLBVftZP2yn1oep7/weaRhabKHDpjXNkdA8m8lZhD7J95IuaS0COzpwhxUJtCW0 +UE5qRxeOm6QT4yKRDq6PyAvXKHSORdKUxB492BOC7Gb6TABTLgV7mZnZvbuKHf+r +gMAuBcxodvB83O2UgaKtwX9JK8u6RkR9oo0pjhQWt/f4fej3uIxBgJW3ksZrexao +fCwT9p7XYsDZKm8yZO1lelZCg+nTWHEcc4G7tp+PxQxiOxXg2gkLdP7dOrOlynNW +BH6+7cPqhe1w5PonYOSQBae1kwFyI5pE+mxCeOUMWdyu9yWVPbsidXUnz3qH37Hs +0MTvn6s9CYTGnng/+JD+at2PFQTvqkh+9wIo0WKu9g+wUvyo5Ncp5B2FL8jsgTmR +HfKmNzoFNBXtpMJ5qfSEk9YqIGmGb3/pd3baePuDE8V9f3jvhD80Unn/LYQPkePi +UIzYRamoYb+DK/9kYncXO4vdsgwsSds+oSuYpjsYzmfdMC53BixbjF0T5wARAQAB +tA1saW51eC1zdXJmYWNliQJOBBMBCAA4FiEEh976SrlKmaTIwxElVsRkuqxCFFMF +Al4mFh4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQVsRkuqxCFFOw2xAA +kc4iDI4zOY3AVwdJ0/Cg6z7XCOdXBZJ4gDtAuHhi9h7UiOzgw6Ey4rvNDHJ64Npg +gPtsG6jocZurOreldrZlc+egPx18wVI8ouuaeiKCO+q7wjs1thxH9I323r4V96ye +7jJ02p3a8nCs1fDjdn9SlP7Ig9axfOdEI5fBhyT1B2RstGEEGqN3ZmAOt8rLSgXd +PQi3VdrsEI4ljOTg6ygCBeNUKH+jJ48QRk7SsgX5rb3ZCF0c6sA4buy0Y4vyVW8S +Qg5VkPz8Oz4+Zm3W+CXawa4LVtzz5twFwWBjhaSnLsRXBZXAu1QU5aIcwsfeQLqX +X4NGtqIa/HV6lw1rA97qmVBq4PNY1QIMZ9xQSoSHDJ1aONhDON5jW0VK7iJr+g+A +0ot42X7OTeYi/lZL6aWVY/DG480eh07oxJyMt/BVoVqbruYsIDluwhP5YEGn9iNr ++V+Kfe7chZzyeqBDjewfHP9FlpNxNfdMa6Xr5nFFrec+wXx5y34/p6WXlukpjy/D +9i5fNCKAUxS74k41C7x2//jF/vFoMJhtDwIwYszp1TS9qfAnbygWZmHBAiB8FjBM +lMmlRcuTyb8bPuhur0CbhtLr+ZOA3yzb54YKgeNrJXU+L/mOLA/Axr6wKppcAcmm +xCEs7a07XWmNPiKLn5KQqjBdRYCEdIaBuRyay36ynAi5Ag0EXiYWHgEQALFXP2NX +46+2t4W82CClZ8tvw+4xLBXHbq4/ejwIJEdUtk/lRUUXEhERELxV/RIOP7R7PoKM +DKVcXAoOSx19ei6SkKBFKJlG8ocavbRXaScc8rtO1iotJggpq79X+t8u6N2SkxOQ +3ynuxS7aI1tOKChMwF9lgcvcG7YpXSLsZLwYgX/msUY0C4Qz3Rsb/74jZuKFeSwl +RcY1fix17+wnoldKlQlcK6sOLUtQ39fcUpd9ktEHQ+s1BhynLvyfEHDXZkZulUpr +63OSjP7gvN6PsF3iShu4fcpB6yWiiQQyCgKq5SlnE0glKbZwfbRWZ2zwYr7NbfPK 
+3yObvGqBtpIjWguS0mM80d3tkieHlmvqTljx5LiPBhosuCREdnH6GZ5Oa6n6T7m1 +7996XphxcaER9i0fkMB1HfU7ECJjiIOXUVkgUt9rP7F70/EbzsZuBF+NzFoui0ma +u4UcW1f+4QnEldn94BOOGOtV/mqvk7kk/LXplPDgELsZYtpWHNht+9wOsZaT8dQU +sOsI1lKB83hsr3tkgyiWXRcP3561hJG1Vhqx19IKFKKmy3xUemonV2dshP5Kzqd3 +W/FwLUuGWsI6fK0x7ak8G+Hy+AMKMcXblM/oSuMbgu3f/SXKnfvKurIc50QZQWky +97lWjwX6Ek8f1YvkSLuz37dRCEOOpp6UR6S7ABEBAAGJAjYEGAEIACAWIQSH3vpK +uUqZpMjDESVWxGS6rEIUUwUCXiYWHgIbDAAKCRBWxGS6rEIUU9OrD/9cNF7W1Lip +nH/vet4X1Z2mm1fN5iQ/r+jOyLmf9L6LXtAfjDla7oU+X0Kj8FxOZetaRWJfx+vb +yscCNHW6z8s6ai9HSa6D81g8xOmVya/ULx19WcDNgsyEpBiv6SKkm45GN/lByneX +paBhrOi9DWvz/c22GW69I7+DtLhVjJvGhkAfYF/RIn15KEsgfNk+/FBNK1dnmhHO +Vt2Szf33xkGv08SRgi/0dULPygGLXgrptrkzyfV7oMNhIjvO74ZF+hQt9YeFG1Yq +MqqmWIjnau7v8lvp7vIVeZvqO16e+swhcU2puaXagrKrB97mumQ68TC2FBkkwvM7 +d15BqRKqaAv7WwBxXE/SGUywNip9oaEasho9odMXlf/XHKWh2XmCkccfFkejFemr +boSqNLs6mNPeo0k9msZl3ARLO8/mMPnX1WW6wZ8ApH3GE6/goZz44qZuomO+eBqW +xE5BNzuBLLJkg7rq8OoT1bMzoKd90+gZjJZzj+qM5bnaU81gGOtlA4s6cbRk5zu8 +9iRRZoI5YBQAVzRJ49xOu0CGhzGfmrG/y28qxLHQgaovVjVbZgdjUdbVYJ3n3Iro +JdpouBPRoXr7cKjV74mCG2VX/LPSmRM4JizyZg2wKtIop9u+fcm8yxkTkOlGGTjL +JcYSQaEgtpWZ3OhD14QVf5museDuNdfluQ== +=06Jw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/files/linux-surface/config/archives/linux-surface.list.chroot b/files/linux-surface/config/archives/linux-surface.list.chroot new file mode 100644 index 0000000..2f2d383 --- /dev/null +++ b/files/linux-surface/config/archives/linux-surface.list.chroot @@ -0,0 +1 @@ +deb [arch=amd64] https://pkg.surfacelinux.com/debian release main diff --git a/files/linux-surface/config/package-lists/linux-surface.list.chroot b/files/linux-surface/config/package-lists/linux-surface.list.chroot new file mode 100644 index 0000000..f1f61da --- /dev/null +++ b/files/linux-surface/config/package-lists/linux-surface.list.chroot @@ -0,0 +1,4 @@ +linux-image-surface +linux-headers-surface +iptsd +libwacom-surface 
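Review bot: The archive entry in config/archives/linux-surface.list.chroot (`deb [arch=amd64] https://pkg.surfacelinux.com/debian release main`) carries no `signed-by` option, so the scope of the key added in linux-surface.key.chroot is not limited to this repository. Depending on how live-build installs `*.key.chroot` files, the key is probably trusted for every archive configured in the chroot. If the installed keyring path is stable, pin it with `deb [arch=amd64 signed-by=<PATH_TO_INSTALLED_KEYRING>] https://pkg.surfacelinux.com/debian release main`. The commit also does not record the key's fingerprint or where it was obtained. Stating both in the commit message or a README would let a reviewer check the armored block against the upstream project.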
diff --git a/tasks/build.yaml b/tasks/build.yaml
new file mode 100644
index 0000000..b503982
--- /dev/null
+++ b/tasks/build.yaml
@@ -0,0 +1,59 @@
+---
+
+- name: lb bootstrap (first build stage)
+ command:
+ nice -n {{ live_build_nice_level }}
+ lb bootstrap
+ args:
+ chdir: "{{ live_build_directory }}"
+ register: _lb_bootstrap
+
+- name: install ca-certificates in the chroot
+ command:
+ nice -n {{ live_build_nice_level }}
+ chroot "{{ live_build_directory }}/chroot" apt install -f ca-certificates
+ args:
+ chdir: "{{ live_build_directory }}"
+ register: _lb_chroot
+ when: live_build_linux_surface
+
+- name: lb chroot (second build stage)
+ command:
+ nice -n {{ live_build_nice_level }}
+ lb chroot
+ args:
+ chdir: "{{ live_build_directory }}"
+ register: _lb_chroot
+
+- name: lb installer (third build stage)
+ command:
+ nice -n {{ live_build_nice_level }}
+ lb installer
+ args:
+ chdir: "{{ live_build_directory }}"
+ register: _lb_installer
+
+- name: lb binary (fourth build stage)
+ command:
+ nice -n {{ live_build_nice_level }}
+ lb binary
+ args:
+ chdir: "{{ live_build_directory }}"
+ register: _lb_binary
+
+#- name: lb source (fifth build stage)
+# command: lb source
+# args:
+# chdir: "{{ live_source_directory }}"
+# register: _lb_source
+
+#- name: lb build
+# command: lb build
+# args:
+# chdir: "{{ live_build_directory }}"
+# register: _lb_build
+#
+#- name: save build log
+# copy:
+# content: "{{ _lb_build.stdout }}"
+# dest: "{{ live_build_directory }}/build.log"
diff --git a/tasks/config.yaml b/tasks/config.yaml
new file mode 100644
index 0000000..01cd0f8
--- /dev/null
+++ b/tasks/config.yaml
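Review bot: The "install ca-certificates in the chroot" task runs `apt install -f ca-certificates` without `-y`. Under the `command` module there is no terminal to answer a confirmation prompt, so the task will likely abort whenever dependencies have to be pulled in. `chroot "{{ live_build_directory }}/chroot" apt-get install -y ca-certificates` is the non-interactive form, and `apt-get` is the interface intended for scripts. The task also registers `_lb_chroot`, the same name the following "lb chroot" task registers, so one result overwrites the other; a distinct name such as `_lb_chroot_ca_certificates` avoids that. Since tasks/config.yaml already passes `--debootstrap-options "--include=ca-certificates"`, the task may be redundant altogether. None of the `lb` tasks sets `changed_when` or `creates`, so every run reports them as changed.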
@@ -0,0 +1,92 @@ +--- + +- name: remove config directory + file: + path: "{{ live_build_directory }}/config" + state: absent + +- name: lb clean + command: + lb clean + args: + chdir: "{{ live_build_directory }}" + +- name: lb config + command: + lb config + + {% if live_build_distribution is defined %} + --distribution "{{ live_build_distribution }}" + {% endif %} + + --mirror-bootstrap "{{ debian_mirror }}" + --mirror-chroot-security "{{ debian_security_mirror }}" + --mirror-binary "{{ debian_mirror }}" + --mirror-binary-security "{{ debian_security_mirror }}" + + {% if debian_nonfree_firmware %} + --archive-areas "main contrib non-free" + --firmware-chroot true + {% endif %} + + {% if live_build_bootappend_live is defined %} + --bootappend-live "{{ live_build_bootappend_live }}" + {% endif %} + + {% if (debian_backports is defined) and (debian_backports == true) %} + --backports true + {% endif %} + + {% if debian_live_debian_installer is defined %} + --debian-installer "{{ debian_live_debian_installer }}" + --debian-installer-gui "{{ live_build_debian_installer_gui | ternary("true","false") }}" + {% if debian_nonfree_firmware %} + --firmware-binary true + {% endif %} + {% endif %} + + --iso-publisher "{{ live_build_iso_publisher }}" + + --debootstrap-options "--include=ca-certificates" + + {% if live_build_linux_surface %} + --linux-flavours surface + {% endif %} + + args: + chdir: "{{ live_build_directory }}" + +- name: include chroot packages + copy: + content: "{{ live_build_chroot_package_lists[item] | unique | join('\n') }}" + dest: "{{ live_build_directory }}/config/package-lists/{{ item }}.list.chroot" + loop: "{{ live_build_chroot_package_lists.keys() | list }}" + +- name: debian-installer installer includes directory + file: + path: "{{ live_build_directory }}/config/includes.installer" + state: directory + +- name: debian-installer preseed + template: + src: config/includes.installer/preseed.cfg.j2 + dest: "{{ live_build_directory 
}}/config/includes.installer/preseed.cfg" + +- name: linux-surface + copy: + src: linux-surface/ + dest: "{{ live_build_directory }}" + when: live_build_linux_surface + +- name: root user ssh directory + file: + path: "{{ live_build_directory }}/config/includes.chroot/root/.ssh" + state: directory + mode: 0700 + when: root_ssh_authorized_keys is defined + +- name: root user ssh authorized keys + copy: + content: "{{ root_ssh_authorized_keys | join('\n') }}" + dest: "{{ live_build_directory }}/config/includes.chroot/root/.ssh/authorized_keys" + when: root_ssh_authorized_keys is defined diff --git a/tasks/main.yaml b/tasks/main.yaml new file mode 100644 index 0000000..a4b86e8 --- /dev/null +++ b/tasks/main.yaml @@ -0,0 +1,11 @@ +--- + +- import_tasks: setup.yaml + +- name: debian live-build directory + file: + path: "{{ live_build_directory }}" + state: directory + +- import_tasks: config.yaml +- import_tasks: build.yaml diff --git a/tasks/setup.yaml b/tasks/setup.yaml new file mode 100644 index 0000000..b8cddee --- /dev/null +++ b/tasks/setup.yaml @@ -0,0 +1,6 @@ +--- +- name: debian packages + apt: + pkg: + - live-build + - memtest86+ diff --git a/templates/config/includes.installer/preseed.cfg.j2 b/templates/config/includes.installer/preseed.cfg.j2 new file mode 100644 index 0000000..c2f7223 --- /dev/null +++ b/templates/config/includes.installer/preseed.cfg.j2 
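Review bot: The "root user ssh authorized keys" task in tasks/config.yaml writes `config/includes.chroot/root/.ssh/authorized_keys` with no `mode`, so the file's permissions depend on the build host's umask. Add `mode: "0600"` to that `copy` task. The directory task above it uses the unquoted `mode: 0700`, which relies on the YAML parser reading it as octal; `mode: "0700"` is the form Ansible documents as safe. The same keys are written a second time by the preseed `late_command`, so a comment stating which of the two paths is authoritative would help. Every image built with `root_ssh_authorized_keys` set grants root login to those keys, which belongs in the variable's documentation.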
@@ -0,0 +1,93 @@
+#### Contents of the preconfiguration file (for jessie)
+### Localization
+# Locale
+d-i debian-installer/language string de
+d-i debian-installer/country string DE
+d-i debian-installer/locale string de_DE.UTF-8
+
+# Keyboard selection.
+d-i keyboard-configuration/xkb-keymap select de
+d-i keyboard-configuration/toggle select No toggling
+
+### Network configuration
+
+### Network console
+
+### Hostname
+{# d-i netcfg/hostname string {{inventory_hostname}} #}
+
+### Mirror settings
+d-i mirror/country string manual
+d-i mirror/http/hostname string deb.debian.org
+d-i mirror/http/directory string /debian
+d-i mirror/http/proxy string
+
+### Account setup
+d-i passwd/root-login boolean true
+d-i passwd/make-user boolean false
+{% if root_password is defined %}
+d-i passwd/root-password-crypted password {{ root_password }}
+{% endif %}
+
+### Clock and time zone setup
+d-i clock-setup/utc boolean true
+d-i time/zone string Europe/Berlin
+d-i clock-setup/ntp boolean true
+d-i clock-setup/ntp-server string 0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
+
+### Partitioning
+
+## Controlling how partitions are mounted
+# The default is to mount by UUID, but you can also choose "traditional" to
+# use traditional device names, or "label" to try filesystem labels before
+# falling back to UUIDs.
+d-i partman/mount_style select uuid
+
+d-i partman/default_filesystem string btrfs
+
+### Apt setup
+d-i apt-setup/use_mirror boolean true
+d-i apt-setup/non-free boolean {{ debian_nonfree_firmware | default(false) }}
+d-i apt-setup/contrib boolean {{ debian_nonfree_firmware | default(false) }}
+d-i apt-setup/services-select multiselect security,updates
+d-i apt-setup/security_host string security.debian.org
+
+### Package selection
+tasksel tasksel/first multiselect minimal
+
+# Individual additional packages to install
+d-i pkgsel/include string openssh-server python python-apt
+
+# Whether to upgrade packages after debootstrap.
+# Allowed values: none, safe-upgrade, full-upgrade
+d-i pkgsel/upgrade select full-upgrade
+
+# Some versions of the installer can report back on what software you have
+# installed, and what software you use. The default is not to report back,
+# but sending reports helps the project determine what software is most
+# popular and include it on CDs.
+popularity-contest popularity-contest/participate boolean false
+
+### Boot loader installation
+# This is fairly safe to set, it makes grub install automatically to the MBR
+# if no other operating system is detected on the machine.
+d-i grub-installer/only_debian boolean true
+
+# This one makes grub-installer install to the MBR if it also finds some other
+# OS, which is less safe as it might not be able to boot that other OS.
+#d-i grub-installer/with_other_os boolean true
+
+### Finishing up the installation
+# Avoid that last message about the install being complete.
+#d-i finish-install/reboot_in_progress note
+
+### Running custom commands during the installation
+d-i preseed/late_command string DIR=/target/root/.ssh; \
+mkdir -p $DIR; \
+chmod 700 $DIR; \
+{% if root_ssh_authorized_keys is defined %}
+{% for key in root_ssh_authorized_keys %}
+echo '{{key}}' >> $DIR/authorized_keys; \
+{% endfor %}
+{% endif %}
+echo ssh authorized keys configured
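Review bot: In the `late_command` at the end of preseed.cfg.j2, `echo '{{key}}' >> $DIR/authorized_keys; \` places each key inside single quotes with no escaping, so a key whose comment field contains a `'` ends the quoting and the remainder is interpreted by the installer's shell as root. Rendering it as `echo {{ key | quote }} >> $DIR/authorized_keys; \` and following the loop with `chmod 600 $DIR/authorized_keys; \` removes that dependency on the key text and fixes the file mode. Separately, `{{ debian_nonfree_firmware | default(false) }}` on the two `apt-setup` lines renders as `True`/`False`. The `lb config` task uses `ternary("true","false")` for the same purpose, and the same filter here would give the lowercase values that the other boolean lines in this file use. The header still says "(for jessie)" and `pkgsel/include` lists `python python-apt`, which are probably not available on the `bullseye` default set in defaults/main.yml and should be checked.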