diff --git a/roles/display_manager/defaults/main.yaml b/roles/display_manager/defaults/main.yaml
new file mode 100644
index 0000000..7b30c37
--- /dev/null
+++ b/roles/display_manager/defaults/main.yaml
@@ -0,0 +1,8 @@
+---
+# should the system automatically login as the primary user
+dm_auto_login: true
+
+# default command to run on login
+# can be pause if we use services to start graphical env
+# otherwise a shell, e.g. zsh makes sense
+dm_command: pause
diff --git a/roles/display_manager/tasks/main.yaml b/roles/display_manager/tasks/main.yaml
index 952c6a8..2ccdc87 100644
--- a/roles/display_manager/tasks/main.yaml
+++ b/roles/display_manager/tasks/main.yaml
@@ -22,6 +22,15 @@
     mode: 0644
     force: true
 
+- name: Enable power management for _greeter user
+  ansible.builtin.copy:
+    content: "_greeter ALL=(ALL) NOPASSWD: /usr/sbin/shutdown, /usr/bin/reboot, /usr/bin/poweroff, /usr/bin/shutdown"
+    dest: "/etc/sudoers.d/30-greeter"
+    owner: root
+    group: root
+    mode: 0644
+    force: true
+
 - name: Activate greetd service
   ansible.builtin.file:
     src: "/etc/sv/greetd"
diff --git a/roles/display_manager/templates/greetd-config.toml.j2 b/roles/display_manager/templates/greetd-config.toml.j2
index 68b2c5d..aedfeb6 100644
--- a/roles/display_manager/templates/greetd-config.toml.j2
+++ b/roles/display_manager/templates/greetd-config.toml.j2
@@ -5,9 +5,14 @@ vt = 7
 
 # The default session, also known as the greeter.
 [default_session]
-command = "tuigreet --cmd zsh"
+command = "tuigreet --cmd {{ dm_command }}"
+command = "tuigreet --power-reboot 'sudo reboot' --power-shutdown 'sudo poweroff' --cmd {{ dm_command }}"
 user = "{{ greeter_user }}"
 
+[initial_session]
+command = "{{ dm_command }}"
+user = "{{ user_name | default('root') }}"
+
 # `agreety` is the bundled agetty/login-lookalike. You can replace `/bin/sh`
 # with whatever you want started, such as `sway`.
 # command = "agreety --cmd /bin/sh"
diff --git a/roles/gnupg/tasks/main.yaml b/roles/gnupg/tasks/main.yaml
index cb5a088..98b5a2b 100644
--- a/roles/gnupg/tasks/main.yaml
+++ b/roles/gnupg/tasks/main.yaml
@@ -3,6 +3,7 @@
     name:
       - gnupg
       - gnupg2-scdaemon
+      - keychain
     state: "{{ desired_package_state | default('present') }}"
   tags: packages
 
diff --git a/roles/pipewire/tasks/main.yaml b/roles/pipewire/tasks/main.yaml
index e525adc..b2ce769 100644
--- a/roles/pipewire/tasks/main.yaml
+++ b/roles/pipewire/tasks/main.yaml
@@ -45,5 +45,37 @@
     src: "/usr/share/examples/pipewire/20-pipewire-pulse.conf"
     dest: "/etc/pipewire/pipewire.conf.d/20-pipewire-pulse.conf"
     state: link
+  tags: pulseaudio
+
+- name: Install alsa integration package
+  community.general.xbps:
+    name:
+      - alsa-pipewire
+    state: "{{ desired_package_state | default('present') }}"
+  tags:
+    - packages
+    - alsa
+
+- name: Set up wireplumber to auto start
+  ansible.builtin.file:
+    dest: "/etc/alsa/conf.d"
+    state: directory
+
+- name: Enable alsa-pipewire interface
+  become: true
+  ansible.builtin.file:
+    force: "yes"
+    src: "/usr/share/alsa/alsa.conf.d/50-pipewire.conf"
+    dest: "/etc/alsa/conf.d/50-pipewire.conf"
+    state: link
+  tags: alsa
+
+- name: Make alsa-pipewire interface default for alsa
+  ansible.builtin.file:
+    force: "yes"
+    src: "/usr/share/alsa/alsa.conf.d/99-pipewire-default.conf"
+    dest: "/etc/alsa/conf.d/99-pipewire-default.conf"
+    state: link
+  tags: alsa
 
 # TODO: Find way to install and enable pipewire-roc-sink module (and enable ~/.config/pipewire/pipewire.conf.d/roc-sink.conf)