diff --git a/TODO.md b/TODO.md
index ce4447c..41ad667 100644
--- a/TODO.md
+++ b/TODO.md
@@ -7,3 +7,28 @@
 ## Check if motd generation works
 See Bastillefile pub
+
+## racct.enable = 1!
+
+sysctl kern.racct.enable=1
+sysctl: oid 'kern.racct.enable' is a read only tunable
+sysctl: Tunable values are set in /boot/loader.conf
+
+not ="YES"
+
++ test the current setup: does it get configured and how does it limit
+ users? also check if new users belong to login class "jail" and test
+ their limits
+
+## bastille start+template
+
+https://github.com/BastilleBSD/bastille/issues/772
+
+Maybe build+copy devzat only after the jail is built and running by
+just copying the binariy into it, perhaps like this:
+
+- stop
+- copy
+- start
+
+or something.
diff --git a/roles/chat/files/devzat b/roles/chat/files/devzat
index d96ad7e..cd2d654 100644
--- a/roles/chat/files/devzat
+++ b/roles/chat/files/devzat
@@ -13,7 +13,7 @@ devzat_user="nobody"
 devzat_command="/usr/local/sbin/devzat"
 pidfile="/tmp/${name}.pid"
 command="/usr/sbin/daemon"
-command_args="-P ${pidfile} ${devzat_command}"
+command_args="-P ${pidfile} -c ${devzat_command}"
 devzat_config="/usr/local/etc/devzat.yml"
 load_rc_config $name
diff --git a/roles/chat/tasks/main.yaml b/roles/chat/tasks/main.yaml
index d1f03af..bd1f850 100644
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@@ -34,7 +34,9 @@
 - usr/local/sbin
 - name: copy devzat binary
- shell: install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+ shell: |
+ install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+ touch /tmp/.ansible.devzat
 args:
 creates: "/tmp/.ansible.devzat"
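Review bot: The new `-c` on `command_args` is the one flag on that line whose effect is not obvious from the variable names, and nothing in the script says why it was added; a comment above the assignment, `# -c: daemon(8) chdir()s to / before exec, so the service never pins the directory it was started from`, would save the next reader a trip to the man page. Separately, the same line still points `-P` at `pidfile="/tmp/${name}.pid"` from the context above: with `devzat_user="nobody"` set, rc.subr runs daemon(8) itself unprivileged (if I read its `${name}_user` handling right), which is presumably why the pidfile lives in a world-writable directory rather than under `/var/run`; a small `/var/run/${name}` directory owned by that user would keep the supervisor pidfile out of `/tmp`. The rest of the rc script is outside the hunk.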
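Review bot: In the new `shell: |` body of "copy devzat binary" the `touch /tmp/.ansible.devzat` runs even when `install` fails, and because the task result is the exit status of the last command, a failed install is reported as success and at the same time writes the `creates` marker that skips the task on every later run. `set -e` as the first line of the block, or `install … && touch …`, closes that gap; the "template jail" hunk in this file and the "create jail login class" hunk in roles/pub/tasks/main.yaml have the same shape. Since the marker lives in /tmp it also vanishes on hosts that clean /tmp at boot, so the task re-runs after a reboot — harmless for an `install`, but worth a comment next to `creates:` so nobody relies on it as a one-shot guard.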
@@ -58,9 +60,11 @@
 shell: bastille start {{ role_name }} || true
 - name: template jail
- shell: "bastille template {{ role_name }} services/{{ role_name }}"
+ shell: |
+ bastille template {{ role_name }} services/{{ role_name }}
+ touch /tmp/.ansible.devzattemplate
 args:
 # FIXME: might make it impossible to update, on the other hand w/o
 # it this command fails with "devzat binary busy" when the jail is
 # already running, since go binaries do not fork.
- creates: "/tmp/.ansible.devzattemplate"
+ creates: /tmp/.ansible.devzattemplate
diff --git a/roles/chat/templates/Bastillefile.j2 b/roles/chat/templates/Bastillefile.j2
index 85b4755..46855e5 100644
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@@ -6,7 +6,7 @@ SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 SYSRC devzat_enable=YES
-CMD if test -l /home; then rm /home; fi
+CMD if test -L /home; then rm /home; fi
 CMD mkdir -p /home
 FSTAB /home home nullfs rw 0 0
diff --git a/roles/jails/tasks/main.yaml b/roles/jails/tasks/main.yaml
index 0a430be..b7c1c2c 100644
--- a/roles/jails/tasks/main.yaml
+++ b/roles/jails/tasks/main.yaml
@@ -31,6 +31,11 @@
 args:
 creates: "/usr/local/bastille/releases/{{ release }}"
+- name: remove home link from bootstrap
+ shell: |
+ if test -L /usr/local/bastille/releases/{{ release }}/home; then rm -f /usr/local/bastille/releases/{{ release }}/home; fi
+ mkdir -p /usr/local/bastille/releases/{{ release }}/home
+
 - name: configure bootstrap to use latest pkgs
 replace:
 path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"
diff --git a/roles/pub/bin/user.sh b/roles/pub/bin/user.sh
index 4ebd2f8..f7c9caa 100755
--- a/roles/pub/bin/user.sh
+++ b/roles/pub/bin/user.sh
@@ -74,7 +74,7 @@ args=""
 root=""
 if test -n "$rootdir"; then
- root="-R $rootdir"
+ root="-R $rootdir -L jail"
 fi
 if test -n "$groups"; then
diff --git a/roles/pub/tasks/main.yaml b/roles/pub/tasks/main.yaml
index 14161c5..738e4f9 100644
--- a/roles/pub/tasks/main.yaml
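Review bot: The new "remove home link from bootstrap" task has neither `creates:` nor `changed_when:`, so it reports `changed` on every play even after the symlink has long been replaced by the directory `mkdir -p` creates. `changed_when: false` is the minimal fix; a more honest one is to have the shell print something only when it actually removes the link, `register` the result and derive `changed_when` from that output. The task also lacks a comment saying why the link has to go — presumably because the base release ships `/home` as a symlink and the nullfs `FSTAB /home …` line in the Bastillefile needs a real directory there, but that is my inference, and a sentence above the task would pin it down.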
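Review bot: `root="-R $rootdir -L jail"` makes the variable named `root` carry the login class as well, and hard-codes a class name that has to exist in `$rootdir/etc/login.conf` (the "create jail login class" task in roles/pub/tasks/main.yaml is what puts it there). I am not sure pw(8) validates `-L` against the chroot's login.conf at all, so a missing or misspelled class would most likely yield a user with no working class and therefore no rctl limits, silently; a guard before the assignment, `grep -q '^jail:' "$rootdir/etc/login.conf" || { echo "login class jail missing in $rootdir" >&2; exit 1; }`, makes that failure loud. Moving the class name into its own variable next to the other settings, e.g. `loginclass="jail"`, would also keep it greppable. The surrounding block starts and ends outside the hunk.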
+++ b/roles/pub/tasks/main.yaml
@@ -51,7 +51,7 @@
 template:
 src: hosts.j2
 dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/hosts"
-
+
 - name: create jail
 shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
 args:
@@ -77,6 +77,15 @@
 src: keys
 dest: "/usr/local/bastille/"
+# create our login class, needed for rctl rules
+- name: create jail login class
+ shell: |
+ ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+ cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+ touch /tmp/.ansiblepubloginconf
+ args:
+ creates: /tmp/.ansiblepubloginconf
+
 # create our own group[s]
 - name: Manage groups
 loop: "{{ jailgroups }}"
diff --git a/roles/server/files/rctl.conf b/roles/server/files/rctl.conf
new file mode 100644
index 0000000..3f7021b
--- /dev/null
+++ b/roles/server/files/rctl.conf
@@ -0,0 +1,10 @@
+#
+# rctl.conf: restrictions for jail users. The loginclass "jail" is
+# being created inside the "pub" jail's /etc/login.conf in
+# roles/pub/tasks/main.yaml. But we can still configure the kernel to
+# accept rules based on this login class. Cool!
+loginclass:jail:maxproc:deny=50/user
+loginclass:jail:openfiles:deny=100/user
+loginclass:jail:pcpu:deny=20/user
+#loginclass:jail:cputime:sigkill=100/user
+
diff --git a/roles/server/handlers/main.yaml b/roles/server/handlers/main.yaml
index 91d6b5f..d2c69e7 100644
--- a/roles/server/handlers/main.yaml
+++ b/roles/server/handlers/main.yaml
@@ -9,4 +9,9 @@
 name: local_unbound
 state: stopped
+- name: start rctl
+ service:
+ name: rctl
+ state: started
+
 - meta: flush_handlers
diff --git a/roles/server/tasks/main.yaml b/roles/server/tasks/main.yaml
index 050a3bf..7c7c926 100644
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
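Review bot: The `>>` append in "create jail login class" is guarded only by the `/tmp/.ansiblepubloginconf` marker, so once that file is gone (a host that clears /tmp at boot) the jail gets a duplicate `jail:` record, and when the jail is rebuilt while the marker is still on the host the record is never written at all. Keying the guard on the file's content instead of a marker removes both cases, and writing the whole record with `printf` avoids depending on how the shell's `echo` treats the backslash in `"jail:\\"`. A sketch of the task body follows; `args.creates` can then be dropped and the changed state derived from the grep result.
```yaml
- name: create jail login class
  shell: |
    set -e
    conf=/usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
    if grep -q '^jail:' "$conf"; then
      echo unchanged
    else
      printf 'jail:\\\n\t:tc=default:\n' >> "$conf"
      cap_mkdb "$conf"
    fi
  register: jail_login_class
  changed_when: "'unchanged' not in jail_login_class.stdout"
```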
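Review bot: The header comment explains where the class comes from but not what the three rules mean in practice: the `/user` suffix makes each limit apply per user of the class rather than to the class as a whole, and `pcpu:deny` does not refuse anything but, as far as I remember the racct code, throttles the offending processes — both are worth a line such as `# limits are per user (/user), not for the whole class; pcpu deny throttles rather than kills`. `openfiles:deny=100/user` counts descriptors across all of one user's processes, which a shell plus editor plus chat client can approach, so that number deserves a one-word rationale or a larger starting value. The file also ends with an empty line after the commented-out `cputime` rule; rc.d/rctl presumably skips it, but it serves no purpose.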
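Review bot: The new `start rctl` handler uses `state: started`, which is a no-op once the service counts as running, so a later change to the rule set is never applied on a host where rctl is already up; for a rule loader the useful action is a restart (rc.d/rctl's stop removes the loaded rules and start re-adds them, if I remember the script right), i.e. `state: restarted`. The task that installs `/etc/rctl.conf` in roles/server/tasks/main.yaml should then notify this handler as well, since right now it only fires from the `rctl_enable` sysrc change.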
@@ -71,29 +71,37 @@
 reload: true
 - name: Install doas config
- ansible.builtin.copy:
- src: roles/server/files/doas.conf
+ copy:
+ src: doas.conf
 dest: /usr/local/etc/doas.conf
 owner: root
 group: wheel
 mode: '0600'
 - name: Install knot resolver config
- ansible.builtin.copy:
- src: roles/server/files/kresd.conf
+ copy:
+ src: kresd.conf
 dest: /usr/local/etc/knot-resolver/kresd.conf
 owner: root
 group: wheel
 mode: '0644'
 - name: Install knot resolv.conf
- ansible.builtin.copy:
- src: roles/server/files/resolv.conf
+ copy:
+ src: resolv.conf
 dest: /etc/resolv.conf
 owner: root
 group: wheel
 mode: '0644'
+- name: Install rctl rule set
+ copy:
+ src: rctl.conf
+ dest: /etc/rctl.conf
+ owner: root
+ group: wheel
+ mode: '0644'
+
 - name: Install /etc/hosts file
 copy:
 src: hosts
@@ -127,3 +135,8 @@
 value: "YES"
 notify: start kresd
+- name: enable rctl
+ community.general.sysrc:
+ name: rctl_enable
+ value: "YES"
+ notify: start rctl
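Review bot: The three `ansible.builtin.copy:` → `copy:` rewrites trade the fully qualified collection name for the short form, which ansible-lint's `fqcn` rule reports, while `community.general.sysrc` further down in this file necessarily keeps its FQCN, so the file ends up mixing both styles. The `src:` simplification to a bare file name is an improvement on its own; keeping `ansible.builtin.copy:` (including on the new "Install rctl rule set" task) would get the same gain without the lint regression.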
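Review bot: Setting `rctl_enable` to `"YES"` and starting the service is not enough on a GENERIC kernel: `kern.racct.enable` defaults to 0 there and is a loader tunable, as the TODO entry in this same commit records, and without it every `rctl -a` the rc script runs fails (rctl(8) reports RACCT/RCTL present but disabled), so the rule set installed above enforces nothing and the handler still reports success. Nothing in the diff touches /boot/loader.conf; a `lineinfile` task ahead of "enable rctl" closes that gap, with the caveat, which the task name should state, that the tunable only takes effect at the next boot.
```yaml
# … unchanged: preceding tasks …
- name: enable resource accounting at boot (loader tunable, takes effect after a reboot)
  lineinfile:
    path: /boot/loader.conf
    regexp: '^kern\.racct\.enable='
    line: 'kern.racct.enable="1"'

- name: enable rctl
  # … unchanged: community.general.sysrc / notify …
```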