diff --git a/arch.md b/arch.md index ad6e18f..bd21d58 100644 --- a/arch.md +++ b/arch.md @@ -11,7 +11,8 @@ - [TPM2 LUKS Decryption](#tpm2-luks-decryption) - [Firewall](#firewall) - [AppArmor](#apparmor) - - [Firejail](#firejail) + - [Install Apparmor](#install-apparmor) + - [Custom Profiles](#custom-profiles) - [Chroots](#chroots) - [Fingerprint Reader Support](#fingerprint-reader-support) - [Setup](#setup) @@ -32,6 +33,8 @@ - [Virtualization](#virtualization) - [Arch Guests](#arch-guests) - [CUPS Printing](#cups-printing) + - [Flatpak](#flatpak) + - [Discord](#discord) - [Steam](#steam) - [XWayland](#xwayland) - [Wireguard](#wireguard) @@ -53,6 +56,9 @@ - [Help](#help) - [Update Grub](#update-grub) - [Downgrading Kernel](#downgrading-kernel) + - [Deprecated](#deprecated) + - [Deprecated Security](#deprecated-security) + - [Firejail](#firejail) @@ -267,8 +273,11 @@ sudo ufw enable #### AppArmor -I would recommend running apparmor with the default profiles. You could load the profiles -in `/usr/share/apparmor/extra-profiles` but firejail will take care of most of that. +##### Install Apparmor + +Apparmor protects your system by limiting the access binaries have to specific files. +All binaries which are protected by apparmor profiles have a whitelist of allowed +paths they can touch, even if they run as root. 1. `sudo pacman -S apparmor` 2. `sudo systemctl enable --now apparmor` 
@@ -285,59 +294,64 @@ in `/usr/share/apparmor/extra-profiles` but firejail will take care of most of t 5. `reboot` -#### Firejail +##### Custom Profiles -Firejail launches supported applications in a sandboxed environment where it limits access -to system files and resources. +You will likely need to create custom profiles for your apps. There are a few ways to +do this but the least painful ways are as follows: -For example: +1. A profile already exists in `/usr/share/apparmor/extra-profiles/` -- Firefox will not be able to access more than a small subset of your home directory. -- VSCode will not be able to acces ~/.config/autostart. + Check here first. More than likely there's a good starting point. This will probably + need to be tuned but you can (and should) copy it to /etc/apparmor.d -1. `sudo pacman -S firejail` -2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default` -3. `sudo firecfg` -4. `firecfg --fix` -5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start) -6. Add a pacman hook to apply firejail on install +2. No profile exists in `/usr/share/apparmor/extra-profiles/` - /etc/pacman.d/hooks/firejail.hook + You can use `aa-genprof ` to generate a profile for that binary and begin + listening to log events. Then, launch the application and use it as intended. When + you've done what you consider to be the typical use-case you should. - ```conf - [Trigger] - Type = Path - Operation = Install - Operation = Upgrade - Operation = Remove - Target = usr/bin/* - Target = usr/share/applications/*.desktop + 1. Press `s` until it begins recommending additions to your profile + 2. Use (A) or (D) to add or deny paths + 3. Use (G) to glob a path + 4. Use (N) to write a custom path + 5. If prompted for an executable choose (I) to inherit the execution privileges from the parent process or (P) to use this application's profile. Sanitize if you chooose this app's profile + 6. When done, (F) to finish and (S) to save. + 7. 
Use `apparmor_parser -r /etc/apparmor.d/` to reload the profile + 8. Run `aa-enforce /etc/apparmor.d/` to set to enforce mode + 9. Try to launch the app. It will probably crash + 10. Run `aa-logprof`, add rules, `apparmor_parser -r /etc/apparmor.d/`, launch app, repeat until it works + 11. You can `tail /var/log/audit/audit.log` and grab a string like `msg=audit(1692576444.967:102858)` to use as a starting point rather than parsing the whole log. Like: `aa-logprof -m 'msg=audit(1692576444.967:102858)'`. - [Action] - Description = Configure symlinks in /usr/local/bin based on firecfg.config... - When = PostTransaction - Depends = firejail - Exec = /bin/sh -c 'firecfg >/dev/null 2>&1' - ``` +From -You can run firejail with noprofile to fix access issues (like firefox gnome connector) +```text +Access Modes + File permission access modes consists of combinations of the following modes: -```bash -firejail --noprofile firefox -``` - -You'll probably want to enable the following - -`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'` - -/etc/firejail/firejail.config - -```conf -browser-disable-u2f no -chroot yes -firejail-prompt yes -force-nonewprivs yes -tracelog yes + r - read + w - write -- conflicts with append + a - append -- conflicts with write + ux - unconfined execute + Ux - unconfined execute -- scrub the environment + px - discrete profile execute + Px - discrete profile execute -- scrub the environment + cx - transition to subprofile on execute + Cx - transition to subprofile on execute -- scrub the environment + ix - inherit execute + pix - discrete profile execute with inherit fallback + Pix - discrete profile execute with inherit fallback -- scrub the environment + cix - transition to subprofile on execute with inherit fallback + Cix - transition to subprofile on execute with inherit fallback -- scrub the + environment + pux - discrete profile execute with fallback to unconfined + PUx - discrete profile execute with fallback to unconfined -- scrub 
the environment + cux - transition to subprofile on execute with fallback to unconfined + CUx - transition to subprofile on execute with fallback to unconfined -- scrub the + environment + deny x - disallow execute (in rules with the deny qualifier) + m - allow PROT_EXEC with mmap(2) calls + l - link + k - lock ``` #### Chroots @@ -350,14 +364,6 @@ You can create chroot environments to run firejails or just use for testing purp 4. `pacstrap -K /chroots/testing/ base base-devel` 5. `arch-chroot /chroots/testing` -With firejail - -1. `sudo firejail --noprofile --chroot=/chroots/testing` -2. `adduser ducoterra` -3. `pacman -S firefox` -4. `exit` -5. `firejail --chroot=/chroots/testing` - #### Fingerprint Reader Support ##### Setup @@ -653,6 +659,16 @@ sudo pacman -S qemu-guest-agent spice-vdagent 3. `sudo systemctl start cups` 4. `sudo systemctl start avahi-daemon` +### Flatpak + +```bash +sudo pacman -S flatpak +``` + +### Discord + +1. `flatpak install com.discordapp.Discord` + ### Steam 
@@ -1105,3 +1121,67 @@ If you want to downgrade to a kernel that wasn't previously installed: 1. Download linux... and linux-headers... from above 2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst` 3. `reboot` + +## Deprecated + +### Deprecated Security + +#### Firejail + +Don't use firejail, it's a suid binary which only runs in userspace. Apparmor does +almost exactly the same thing but runs in the kernel at boot and protects you more +completely. I'm leaving this here in case you're interested but realistically you +should just learn apparmor. + +Firejail launches supported applications in a sandboxed environment where it limits access +to system files and resources. + +For example: + +- Firefox will not be able to access more than a small subset of your home directory. +- VSCode will not be able to acces ~/.config/autostart. + +1. `sudo pacman -S firejail` +2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default` +3. `sudo firecfg` +4. `firecfg --fix` +5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start) +6. Add a pacman hook to apply firejail on install + + /etc/pacman.d/hooks/firejail.hook + + ```conf + [Trigger] + Type = Path + Operation = Install + Operation = Upgrade + Operation = Remove + Target = usr/bin/* + Target = usr/share/applications/*.desktop + + [Action] + Description = Configure symlinks in /usr/local/bin based on firecfg.config... + When = PostTransaction + Depends = firejail + Exec = /bin/sh -c 'firecfg >/dev/null 2>&1' + ``` + +You can run firejail with noprofile to fix access issues (like firefox gnome connector) + +```bash +firejail --noprofile firefox +``` + +You'll probably want to enable the following + +`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'` + +/etc/firejail/firejail.config + +```conf +browser-disable-u2f no +chroot yes +firejail-prompt yes +force-nonewprivs yes +tracelog yes +```
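Review bot: the new description in the `##### Install Apparmor` hunk understates what a profile mediates. "a whitelist of allowed paths they can touch" covers only file rules; an AppArmor profile also constrains capabilities, network access, signals, mounts and execution transitions (the access-modes table added later in this patch already lists the execute transitions), so something like "an allow-list of the paths, capabilities and other resources it may use" would be more accurate. The product name is also spelled three ways in this hunk ("AppArmor" in the section heading, "Apparmor" in the new heading, "apparmor" in the body); pick one.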
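Review bot: several commands in the `##### Custom Profiles` hunk are missing their argument, so a reader copying them gets an error: `aa-genprof ` has no binary after it, and `apparmor_parser -r /etc/apparmor.d/` (steps 7 and 10) and `aa-enforce /etc/apparmor.d/` (step 8) name the directory rather than a profile file. Use an obvious placeholder such as `aa-genprof /usr/bin/<app>`, `apparmor_parser -r /etc/apparmor.d/usr.bin.<app>` and `aa-enforce /etc/apparmor.d/usr.bin.<app>`. The sentence "When you've done what you consider to be the typical use-case you should." is cut off; "chooose" in step 5 is a typo; and "Sanitize" in step 5 should say what it refers to, presumably the "scrub the environment" prompt that maps to the capital-letter `Px`/`Cx` modes in the table below. The table itself is introduced by a bare "From" with no source; cite where it was copied from. Step 11 assumes auditd is running and writing `/var/log/audit/audit.log`; without it, denials only reach the kernel log (`dmesg` / `journalctl -k`) and `aa-logprof` has to be pointed at a log file with `-f`, which is worth a sentence. Finally, when accepting (A)/(G) suggestions it is worth warning that globbing a path such as `/home/**` widens the profile considerably; prefer the narrowest path that still lets the app work.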
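Review bot: the unchanged intro line in the `#### Chroots` hunk, "You can create chroot environments to run firejails or just use for testing purp...", still advertises firejail even though the "With firejail" steps are deleted and firejail is moved to the Deprecated section; reword it to "for testing purposes" (or point at the deprecated section) so the section is consistent with the rest of the change.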
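Review bot: the `### Discord` step `flatpak install com.discordapp.Discord` assumes a remote (Flathub) is already configured; say so, or add the `flatpak remote-add` step, otherwise the install fails on a fresh setup. Given that this document is about confining desktop apps, it would also be consistent to note that Flatpak applies its own sandbox permissions, which can be inspected with `flatpak info --show-permissions com.discordapp.Discord` before running the app.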
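Review bot: the justification in the new `#### Firejail` deprecation note is imprecise. Firejail is a setuid-root binary, but it confines processes with kernel mechanisms (namespaces, seccomp), not "only in userspace", and AppArmor is a kernel LSM whose profiles are enforced once loaded, not merely "at boot". The stronger argument, which the first sentence already hints at, is that a setuid-root binary adds attack surface that a kernel-enforced MAC policy does not; suggest phrasing it that way. Step 2 of the retained instructions still loads `/etc/apparmor.d/firejail-default`, which shows the two are complementary rather than alternatives, so "does almost exactly the same thing" overstates the overlap. The section also carries over the typo "acces" (should be "access").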