diff --git a/flake.nix b/flake.nix
index 221d203..90fe634 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,7 @@
           glibc = pkgs.callPackage ./glibc { };
           systemd = pkgs.callPackage ./systemd { };
           dbus-broker = pkgs.callPackage ./dbus-broker { };
+          rootfs = pkgs.callPackage ./rootfs { inherit patosPkgs; };
 
           mkinitrd = pkgs.callPackage ./utils/mkinitrd.nix { inherit patosPkgs; };
           qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
diff --git a/rootfs/default.nix b/rootfs/default.nix
new file mode 100644
index 0000000..27e8096
--- /dev/null
+++ b/rootfs/default.nix
@@ -0,0 +1,29 @@
+{
+  pkgs,
+  stdenvNoCC,
+  patosPkgs,
+  ...
+}:
+let
+  version = "0.0.1";
+  pname = "patos-rootfs";
+in
+stdenvNoCC.mkDerivation (finalAttrs: {
+  inherit version;
+  inherit pname;
+
+  buildInputs = with pkgs; [
+    glibc
+  ];
+
+  glibcPatos = "${patosPkgs.glibc.out}";
+  systemd = "${patosPkgs.systemd.out}";
+  dbusBroker = "${patosPkgs.dbus-broker.out}";
+  kernel = "${patosPkgs.kernel.kernel}";
+  busybox = "${pkgs.busybox.out}";
+  kmodLibs = "${pkgs.kmod.lib}";
+  kmodBin = "${pkgs.kmod.out}";
+  libbpf = "${pkgs.libbpf.out}";
+
+  builder = ./install.sh;
+})
diff --git a/rootfs/install.sh b/rootfs/install.sh
new file mode 100644
index 0000000..a098650
--- /dev/null
+++ b/rootfs/install.sh
@@ -0,0 +1,48 @@
+set -ex -o pipefail
+
+mkdir -p $out
+
+### install systemd
+echo "Installing systemd"
+cp -Pr $systemd/* $out/
+find $out -type d -exec chmod 755 {} \;
+rm -rf $out/usr/include
+rm -rf $out/usr/sbin
+rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
+# remove vconsole setup
+rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules
+
+### install PatOS glibc
+cp -Pr $glibcPatos/lib/*.so* $out/usr/lib/
+
+### install kernel modules
+cp -Pr $kernel/lib/modules $out/usr/lib/
+find $out/usr/lib/modules -type d -exec chmod 755 {} \;
+
+### install busybox
+cp $busybox/bin/busybox $out/usr/bin/
+$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
+
+### install dbus broker
+cp -r $dbusBroker/* $out/
+
+### install lib kmod
+cp -P $kmodLibs/lib/* $out/usr/lib
+cp -P $kmodBin/bin/* $out/usr/bin
+
+### install libbpf
+cp -P $libbpf/lib/libbpf* $out/usr/lib
+
+### Find and install all shared libs
+find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t $out/usr/lib
+find $out -type f -executable -exec chmod 755 {} \;
+
+# FIXME: ELF patching. Is there a better way?
+find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \; 2> /dev/null
+find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; 2> /dev/null
+patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
+
+# strip binaries
+find $out -type f -executable -exec strip {} \; 2> /dev/null
+find $out -type d -exec chmod 755 {} \;
+