diff --git a/Makefile b/Makefile
index 36260dd..2ea788b 100644
--- a/Makefile
+++ b/Makefile
@@ -57,14 +57,16 @@ USER_DROPIN_DIR ?= "usr/lib/systemd/user"
 
 SYSTEM_DROPINS := chronyd.service crond.service
 SYSTEM_DROPINS += cups.service cups-browsed.service cups.path cups.socket ModemManager.service
-SYSTEM_DROPINS += NetworkManager.service NetworkManager-wait-online.service getty@tty.service
-SYSTEM_DROPINS += tinyproxy.service
+SYSTEM_DROPINS += getty@tty.service
 SYSTEM_DROPINS += tmp.mount
 SYSTEM_DROPINS += org.cups.cupsd.service org.cups.cupsd.path org.cups.cupsd.socket
 SYSTEM_DROPINS += systemd-random-seed.service
 SYSTEM_DROPINS += tor.service tor@default.service
 SYSTEM_DROPINS += systemd-timesyncd.service
 
+SYSTEM_DROPINS_NETWORKING := NetworkManager.service NetworkManager-wait-online.service
+SYSTEM_DROPINS_NETWORKING += tinyproxy.service
+
 USER_DROPINS := pulseaudio.service pulseaudio.socket
 
 # Ubuntu Dropins
@@ -107,6 +109,13 @@ install-systemd-dropins:
 	    install -m 0644 vm-systemd/user/$${dropin}.d/*.conf $(DESTDIR)/$(USER_DROPIN_DIR)/$${dropin}.d/ ;\
 	done
 
+install-systemd-networking-dropins:
+	# Install system dropins
+	@for dropin in $(SYSTEM_DROPINS_NETWORKING); do \
+	    install -d $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d ;\
+	    install -m 0644 vm-systemd/$${dropin}.d/*.conf $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d/ ;\
+	done
+
 install-init:
 	install -d $(DESTDIR)$(LIBDIR)/qubes/init
 	# FIXME: do a source code move vm-systemd/*.sh to init/
@@ -114,16 +123,17 @@ install-init:
 	install -m 0755 init/*.sh vm-systemd/*.sh $(DESTDIR)$(LIBDIR)/qubes/init/
 	install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
 
+# Systemd service files
+SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service)
+SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service
+SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES), $(SYSTEMD_ALL_SERVICES))
+
 install-systemd: install-init
 	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system{,-preset} $(DESTDIR)$(LIBDIR)/qubes/init $(DESTDIR)$(SYSLIBDIR)/modules-load.d
-	install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+	install -m 0644 $(SYSTEMD_CORE_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)$(SYSLIBDIR)/systemd/system/
-	install -m 0644 vm-systemd/qubes-*.socket $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
-	install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/
-	install -D -m 0644 vm-systemd/qubes-core-agent-linux.tmpfiles \
-		$(DESTDIR)/usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
 
 install-sysvinit: install-init
 	install -d $(DESTDIR)/etc/init.d
@@ -175,11 +185,6 @@ install-common: install-doc
 	PATH="/usr/bin:$(PATH)" $(PYTHON) setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR)
 	mkdir -p $(DESTDIR)$(SBINDIR)
 
-ifneq ($(SBINDIR),/usr/bin)
-	mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall
-endif
-
-
 	install -d -m 0750 $(DESTDIR)/etc/sudoers.d/
 	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
 	install -D -m 0440 misc/sudoers.d_qt_x11_no_mitshm $(DESTDIR)/etc/sudoers.d/qt_x11_no_mitshm
@@ -214,26 +219,6 @@ endif
 	install misc/upgrades-status-notify $(DESTDIR)$(LIBDIR)/qubes/upgrades-status-notify
 
 	install -m 0644 network/udev-qubes-network.rules $(DESTDIR)/etc/udev/rules.d/99-qubes-network.rules
-	install network/qubes-setup-dnat-to-ns $(DESTDIR)$(LIBDIR)/qubes
-	install network/qubes-fix-nm-conf.sh $(DESTDIR)$(LIBDIR)/qubes
-	install network/setup-ip $(DESTDIR)$(LIBDIR)/qubes/
-	install network/network-manager-prepare-conf-dir $(DESTDIR)$(LIBDIR)/qubes/
-	install -d $(DESTDIR)/etc/dhclient.d
-	ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh
-	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
-	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
-	install -d $(DESTDIR)/usr/lib/NetworkManager/conf.d
-	install -m 0644 network/nm-30-qubes.conf $(DESTDIR)/usr/lib/NetworkManager/conf.d/30-qubes.conf
-	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
-	install -D network/vif-qubes-nat.sh $(DESTDIR)/etc/xen/scripts/vif-qubes-nat.sh
-	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
-	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
-	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
-	install -d $(DESTDIR)/etc/xdg/autostart
-	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
-	install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
-	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
-	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
 	install -m 0755 network/update-proxy-configs $(DESTDIR)$(LIBDIR)/qubes/
 
 	install -d $(DESTDIR)$(BINDIR)
@@ -276,7 +261,6 @@ endif
 	install -m 0755 qubes-rpc/qubes.InstallUpdatesGUI $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.ResizeDisk $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.StartApp $(DESTDIR)/etc/qubes-rpc
-	install -m 0755 qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.PostInstall $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.GetDate $(DESTDIR)/etc/qubes-rpc
 
@@ -320,7 +304,70 @@ endif
 	install -d $(DESTDIR)/var/run/qubes
 	install -d $(DESTDIR)/rw
 
-install-deb: install-common install-systemd install-systemd-dropins
+# Networking install target includes:
+# * basic network functionality (setting IP address, DNS, default gateway)
+# * package update proxy client
+install-networking:
+	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system
+	install -m 0644 vm-systemd/qubes-*.socket $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+
+	install -d $(DESTDIR)$(LIBDIR)/qubes/
+	install network/setup-ip $(DESTDIR)$(LIBDIR)/qubes/
+
+# Netvm install target includes:
+# * qubes-firewall service (FirewallVM)
+# * DNS redirection setup
+# * proxy service used by TemplateVMs to download updates
+install-netvm:
+	install -D -m 0644 $(SYSTEMD_NETWORK_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+
+	install -D -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/qubes-iptables
+
+	install -D -m 0644 vm-systemd/qubes-core-agent-linux.tmpfiles \
+		$(DESTDIR)/usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
+
+	mkdir -p $(DESTDIR)$(SBINDIR)
+
+ifneq ($(SBINDIR),/usr/bin)
+	mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall
+endif
+
+	install -D network/qubes-setup-dnat-to-ns $(DESTDIR)$(LIBDIR)/qubes/qubes-setup-dnat-to-ns
+
+	install -d $(DESTDIR)/etc/dhclient.d
+	ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh
+
+	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
+	install -D network/vif-qubes-nat.sh $(DESTDIR)/etc/xen/scripts/vif-qubes-nat.sh
+	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
+	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
+	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
+
+	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
+	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+
+	install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
+
+# networkmanager install target allow integration of NetworkManager for Qubes VM:
+# * make connections config persistent
+# * adjust DNS redirections when needed
+# * show/hide NetworkManager applet icon
+install-networkmanager:
+	install -d $(DESTDIR)$(LIBDIR)/qubes/
+	install network/qubes-fix-nm-conf.sh $(DESTDIR)$(LIBDIR)/qubes/
+	install network/network-manager-prepare-conf-dir $(DESTDIR)$(LIBDIR)/qubes/
+
+	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
+	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
+
+	install -d $(DESTDIR)/usr/lib/NetworkManager/conf.d
+	install -m 0644 network/nm-30-qubes.conf $(DESTDIR)/usr/lib/NetworkManager/conf.d/30-qubes.conf
+
+	install -d $(DESTDIR)/etc/xdg/autostart
+	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/
+	install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
+
+install-deb: install-common install-systemd install-systemd-dropins install-systemd-networking-dropins install-networking install-networkmanager install-netvm
 	mkdir -p $(DESTDIR)/etc/apt/sources.list.d
 	sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r4.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r4.list
 	install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
@@ -339,4 +386,8 @@ install-deb: install-common install-systemd install-systemd-dropins
 	mkdir -p $(DESTDIR)/etc/systemd/system/
 	install -m 0644 vm-systemd/haveged.service  $(DESTDIR)/etc/systemd/system/
 
-install-vm: install-rh install-common
+install-corevm: install-rh install-common install-systemd install-sysvinit install-systemd-dropins install-networking
+
+install-netvm: install-systemd-networking-dropins install-networkmanager
+
+install-vm: install-corevm install-netvm
diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD
index 6a3dd4e..86e3b15 100644
--- a/archlinux/PKGBUILD
+++ b/archlinux/PKGBUILD
@@ -1,25 +1,22 @@
 #!/bin/bash
 # Maintainer: Olivier Medoc <o_medoc@yahoo.fr>
 # shellcheck disable=SC2034
-pkgname=qubes-vm-core
+pkgname=(qubes-vm-core qubes-vm-networking qubes-vm-keyring)
 pkgver=$(cat version)
-pkgrel=13
+pkgrel=14
 epoch=
 pkgdesc="The Qubes core files for installation inside a Qubes VM."
 arch=("x86_64")
 url="http://qubes-os.org/"
 license=('GPL')
 groups=()
-depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg)
 makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release pandoc)
 checkdepends=()
-optdepends=(gnome-keyring gnome-settings-daemon networkmanager iptables tinyproxy python2-nautilus gpk-update-viewer)
 provides=()
 conflicts=()
 replaces=()
 backup=()
 options=()
-install=PKGBUILD.install
 changelog=
 
 source=(
@@ -27,6 +24,9 @@ source=(
     PKGBUILD-qubes-pacman-options.conf
     PKGBUILD-qubes-repo-3.2.conf
     PKGBUILD-qubes-repo-4.0.conf
+    PKGBUILD-keyring-keys
+    PKGBUILD-keyring-trusted
+    PKGBUILD-keyring-revoked
 )
 
 noextract=()
@@ -60,15 +60,31 @@ build() {
     done
 }
 
-package() {
+#This package provides:
+# * qrexec agent
+# * qubes rpc scripts
+# * core linux tools and scripts
+# * core systemd services and drop-ins
+# * basic network functionality (setting IP address, DNS, default gateway)
+package_qubes-vm-core() {
+    depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools
+             gnome-packagekit imagemagick fakeroot notification-daemon dconf
+             zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject
+             python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg
+             socat
+             )
+    optdepends=(gnome-keyring gnome-settings-daemon python2-nautilus gpk-update-viewer qubes-vm-networking qubes-vm-keyring)
+    install=PKGBUILD.install
+
     # Note: Archlinux removed use of directory such as /sbin /bin /usr/sbin (https://mailman.archlinux.org/pipermail/arch-dev-public/2012-March/022625.html)
     # shellcheck disable=SC2154
     make -C qrexec install DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib
 
-    PYTHON=python2 make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
+    PYTHON=python2 make install-corevm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
 
     # Remove things non wanted in archlinux
     rm -r "$pkgdir/etc/yum"*
+    rm -r "$pkgdir/etc/dnf"*
     rm -r "$pkgdir/etc/init.d"
     # Remove fedora specific scripts
     rm "$pkgdir/etc/fstab"
@@ -101,4 +117,37 @@ EOF
     rm -r "$pkgdir/var/run"
 }
 
+#This package provides:
+# * proxy service used by TemplateVMs to download updates
+# * qubes-firewall service (FirewallVM)
+#
+#Integration of NetworkManager for Qubes VM:
+# * make connections config persistent
+# * adjust DNS redirections when needed
+# * show/hide NetworkManager applet icon
+#
+package_qubes-vm-networking() {
+    pkgdesc="Qubes OS tools allowing to use a Qubes VM as a NetVM/ProxyVM"
+    depends=(qubes-vm-core "qubes-vm-utils>=3.1.3" python2 ethtool net-tools
+             "qubes-db-vm>=3.2.1" networkmanager iptables tinyproxy nftables
+             )
+    install=PKGBUILD-networking.install
+
+    # shellcheck disable=SC2154
+    PYTHON=python2 make install-netvm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
+
+}
+
+package_qubes-vm-keyring() {
+    pkgdesc="Qubes OS Binary Repository Activation package and Keyring"
+    install=PKGBUILD-keyring.install
+
+    # Install keyring (will be activated through the .install file)
+    install -dm755 "${pkgdir}/usr/share/pacman/keyrings/"
+    install -m0644 PKGBUILD-keyring-keys "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm.gpg"
+    install -m0644 PKGBUILD-keyring-trusted "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-trusted"
+    install -m0644 PKGBUILD-keyring-revoked "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-revoked"
+
+}
+
 # vim:set ts=2 sw=2 et:
diff --git a/archlinux/PKGBUILD-keyring-keys b/archlinux/PKGBUILD-keyring-keys
new file mode 100644
index 0000000..33b9077
--- /dev/null
+++ b/archlinux/PKGBUILD-keyring-keys
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFM0TnYBCADNyamUtA9e0/oUu4AeAgt1JYDtq3zCQSX7pHpY1zkGtulppSOe
+gkCgW2db+FlKeUNHQ+JX0uv8Ny0SjQBZO0yNxDLfPuqJzM/VjUIdLTJS0FEpxzT1
+Oiz0WRdcbeHtQ8SmEfmRStaB9PTNZ97FogFFONvQ6r/ICNldqfe+Qq72D/p6FqNM
+mW16dZokQEOgJpOb/L7dHNrta1ye8CurrEbXIt7B+4NnUpvzFmnQ+OxsC3AUbvI5
+PbaQyu8ivhoofnpgj66PojlFYMaL8mUaScL2VM5Ljx72zVA5+MUmk8O02O2X8Rdc
++5boRi2h7oyCASBYK3x+WayaDTNWx3o8+sSdABEBAAG0N09saXZpZXIgTUVET0Mg
+KFF1YmVzLU9TIHNpZ25pbmcga2V5KSA8b19tZWRvY0B5YWhvby5mcj6JAT4EEwEC
+ACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW+jhsBQkHiFDrAAoJECBD
+56zBgzucHCwH/RLCCM1PJ50jEMJg7ZBrwkv5cvKePD1iGhPFOZ1gBtMTYfl7zJO7
+gOuOgQ+TKjfIFM/ijQBFMRmByrQ0ZkGNIqY7JB3shZ5EsCeb7cgyw7hEyj4S3O6e
+K+CVVy4CBAyXILVr/En8xU41K1qQpEiHkvqk0E05sEkYcN4Ggvw5JUNWpZO7fl6I
+tLvTBf5aPqiLqWN08fjdmVJ/5l+LCdMyJxUdsQV0pkzcv9l8ouB/0ig8HikoC+dW
+HuWbk9uj1CU0c4C8tTbOszjKAbEZ5msZ2NUxPM1vqKaac8IbWkSJBqlYFcb3PSMk
+LmFtXN/0hAcf8KbziODQgKcyuEBi3b5d6wy5AQ0EUzROdgEIAOG22xrDqJkCrEx8
+QFnZYSwxV2lI9fDyCT/kaHPa/5YOV/Xa01RLM27UPbV/UKkKN+M6+mFj26e+E25p
+2R/e1Wk9HDrbu7NDXozGcKDlTIAmQ4yjNVb/G1850/SO1vuPDfNzMD81F18XzYCa
+eyUV88HjXTbJSeJAbjWNvTkoMK4wY6PlHfyT0G0i4svfL/mZCGM8KagNouGHuG8s
+5JKwlC1BZnmfDuB4exP7cSNEDWwnBn98rx13DMLkGJu1xGnLqdGJw6WpP4a1IG7A
+9NDE2VetAS/ElMbMqfyuqiAxhtnuGdxstDaU7gW4VMTjAOMtO9LLY20EipsSBUrg
+7U1ync0AEQEAAYkBJQQYAQIADwIbDAUCVvo4nQUJB4hRJAAKCRAgQ+eswYM7nLWy
+CAC6enhJbXKGchqgfh+CeKsvWg97JG8yjW4W/9RL9Vto8ppgNzIKbA7AKgqOiy5l
+TToLaxK+Z1JE72lsWUnALmz1Oa7M7M9J1ptfD8TMj1/D3cj2Lnrg7qTaEEL5Nw+t
+FRNXeUjsuWt+iW7eYiGtI+eSWBokH945Ig32vf88n0t3F8whDRzv5fy1yF35aMRS
+HS5gDJv5t2BnPtehMhr5EOHbUH3UFevA79Hf4bUlOOo7eTTmSPMDcWFUA9MMKoE5
+pkHwoimXiNJy3e8TZ4uSTBH8XcXA/5mYSXbWKBX4Y5JznOBTtkjGsbL7dua3zDbF
+BGNH5RhiY1/bJ+m4zxU8bDWq
+=ofdo
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/archlinux/PKGBUILD-keyring-revoked b/archlinux/PKGBUILD-keyring-revoked
new file mode 100644
index 0000000..e69de29
diff --git a/archlinux/PKGBUILD-keyring-trusted b/archlinux/PKGBUILD-keyring-trusted
new file mode 100644
index 0000000..a608c62
--- /dev/null
+++ b/archlinux/PKGBUILD-keyring-trusted
@@ -0,0 +1 @@
+D85EE12F967851CCF433515A2043E7ACC1833B9C:4:
diff --git a/archlinux/PKGBUILD-keyring.install b/archlinux/PKGBUILD-keyring.install
new file mode 100644
index 0000000..c915659
--- /dev/null
+++ b/archlinux/PKGBUILD-keyring.install
@@ -0,0 +1,18 @@
+post_upgrade() {
+	if usr/bin/pacman-key -l >/dev/null 2>&1; then
+		usr/bin/pacman-key --populate qubesos-vm
+	fi
+	release=$(echo "$1" | cut -d '.' -f 1,2)
+
+	if ! [ -h /etc/pacman.d/99-qubes-repository-${release}.conf ] ; then
+            ln -s /etc/pacman.d/99-qubes-repository-${release}.conf.disabled /etc/pacman.d/99-qubes-repository-${release}.conf 
+        fi
+
+}
+
+post_install() {
+	if [ -x usr/bin/pacman-key ]; then
+		post_upgrade "$1"
+	fi
+}
+
diff --git a/archlinux/PKGBUILD-networking.install b/archlinux/PKGBUILD-networking.install
new file mode 100644
index 0000000..965778a
--- /dev/null
+++ b/archlinux/PKGBUILD-networking.install
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+## arg 1:  the new package version
+post_install() {
+    # Create NetworkManager configuration if we do not have it
+    if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
+    echo '[main]' > /etc/NetworkManager/NetworkManager.conf
+    echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
+    echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
+    fi
+
+    # Remove ip_forward setting from sysctl, so NM will not reset it
+    # Archlinux now use sysctl.d/ instead of sysctl.conf
+    #sed 's/^net.ipv4.ip_forward.*/#\0/'  -i /etc/sysctl.conf
+
+    /usr/lib/qubes/qubes-fix-nm-conf.sh
+
+    # Yum proxy configuration is fedora specific
+    #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
+    #  echo >> /etc/yum.conf
+    #  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+    #  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+    #fi
+
+    for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do
+        systemctl enable $srv
+    done
+}
+
+## arg 1:  the new package version
+## arg 2:  the old package version
+post_upgrade() {
+    post_install
+}
+
+## arg 1:  the old package version
+post_remove() {
+    for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do
+        systemctl disable $srv
+    done
+}
diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install
index 94a71d5..3438c17 100644
--- a/archlinux/PKGBUILD.install
+++ b/archlinux/PKGBUILD.install
@@ -74,29 +74,11 @@ configure_selinux() {
 ############################
 
 update_qubesconfig() {
-    # Create NetworkManager configuration if we do not have it
-    if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
-    echo '[main]' > /etc/NetworkManager/NetworkManager.conf
-    echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
-    echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
-    fi
-    /usr/lib/qubes/qubes-fix-nm-conf.sh
-
-    # Remove ip_forward setting from sysctl, so NM will not reset it
-    # Archlinux now use sysctl.d/ instead of sysctl.conf
-    #sed 's/^net.ipv4.ip_forward.*/#\0/'  -i /etc/sysctl.conf
-
     # Remove old firmware updates link
     if [ -L /lib/firmware/updates ]; then
       rm -f /lib/firmware/updates
     fi
 
-    # Yum proxy configuration is fedora specific
-    #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
-    #  echo >> /etc/yum.conf
-    #  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
-    #  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
-    #fi
     #/usr/lib/qubes/update-proxy-configs
     # Archlinux pacman configuration is handled in update_finalize
 
@@ -438,7 +420,7 @@ post_remove() {
 
     rm -rf /var/lib/qubes/xdg
 
-    for srv in qubes-sysinit qubes-misc-post qubes-mount-dirs qubes-network qubes-qrexec-agent; do
+    for srv in qubes-sysinit qubes-misc-post qubes-mount-dirs qubes-qrexec-agent; do
         systemctl disable $srv.service
     done
 }