diff --git a/flake.nix b/flake.nix
index 99e6d55..6a4e60f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,6 +25,7 @@
           '';
 
           kernel = pkgs.callPackage ./kernel { };
+          systemd = pkgs.callPackage ./systemd { };
         };
 
         checks = {
diff --git a/systemd/default.nix b/systemd/default.nix
new file mode 100644
index 0000000..ccfea25
--- /dev/null
+++ b/systemd/default.nix
@@ -0,0 +1,251 @@
+{
+  fetchFromGitHub,
+  lib,
+  pkgs,
+  stdenv,
+  ...
+}:
+let
+  version = "257.3";
+
+  # Use the command below to update `releaseTimestamp` on every (major) version
+  # change. More details in the commentary at mesonFlags.
+  # command:
+  #  $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
+  #     jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
+  releaseTimestamp = "1734643670";
+
+  pname = "systemd";
+in
+stdenv.mkDerivation (finalAttrs: {
+  inherit version;
+
+  pname = pname;
+
+  src = fetchFromGitHub {
+    owner = "systemd";
+    repo = "systemd";
+    rev = "v${version}";
+    hash = "sha256-GvRn55grHWR6M+tA86RMzqinuXNpPZzRB4ApuGN/ZvU=";
+  };
+
+  nativeBuildInputs = with pkgs; [
+    pkg-config
+    makeBinaryWrapper
+    gperf
+    ninja
+    meson
+    glibcLocales
+    getent
+    m4
+    autoPatchelfHook
+
+    intltool
+    gettext
+
+    libxslt
+    docbook_xsl
+    docbook_xml_dtd_42
+    docbook_xml_dtd_45
+    bash
+    (buildPackages.python3Packages.python.withPackages (
+      ps: with ps; [
+        lxml
+        jinja2
+        ps.pyelftools
+      ]
+    ))
+
+    bpftools
+    buildPackages.llvmPackages.clang
+    buildPackages.llvmPackages.libllvm
+  ];
+
+  autoPatchelfFlags = [ "--keep-libc" ];
+
+  hardeningDisable = [
+    # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523
+    "trivialautovarinit"
+    # breaks clang -target bpf; should be fixed to filter target?
+    "zerocallusedregs"
+    "shadowstack"
+  ];
+
+  buildInputs = with pkgs; [
+    libxcrypt
+    libcap
+    libuuid
+    linuxHeaders
+    bashInteractive # for patch shebangs
+    libgcrypt
+    libgpg-error
+    openssl
+    acl
+    libapparmor
+    audit
+    zlib
+    bzip2
+    lz4
+    xz
+    zstd
+    elfutils
+    kexec-tools
+    kmod
+    libidn2
+    libseccomp
+    libselinux
+    iptables
+    p11-kit
+    libfido2
+    pam
+    pcre2
+    libbpf
+    tpm2-tss
+    qrencode
+    libarchive
+    (lib.getDev curl)
+    (lib.getDev cryptsetup.dev)
+    (python3Packages.python.withPackages (ps: with ps; [ pefile ]))
+    (llvmPackages.compiler-rt.override {
+      doFakeLibgcc = true;
+    })
+  ];
+
+  mesonBuildType = "release";
+
+  mesonFlags = [
+    # Options
+
+    # We bump this attribute on every (major) version change to ensure that we
+    # have known-good value for a timestamp that is in the (not so distant)
+    # past. This serves as a lower bound for valid system timestamps during
+    # startup. Systemd will reset the system timestamp if this date is +- 15
+    # years from the system time.
+    # See the systemd v250 release notes for further details:
+    #   https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266
+    (lib.mesonOption "time-epoch" releaseTimestamp)
+
+    (lib.mesonOption "version-tag" version)
+    (lib.mesonOption "mode" "release")
+    (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3
+
+    # SBAT
+    (lib.mesonOption "sbat-distro" "patos")
+    (lib.mesonOption "sbat-distro-summary" "PatOS")
+    (lib.mesonOption "sbat-distro-url" "https://patagia.io/")
+    (lib.mesonOption "sbat-distro-pkgname" pname)
+    (lib.mesonOption "sbat-distro-version" version)
+
+    # Users
+    (lib.mesonOption "system-uid-max" "999")
+    (lib.mesonOption "system-gid-max" "999")
+
+    # SysVinit
+    (lib.mesonOption "sysvinit-path" "")
+    (lib.mesonOption "sysvrcnd-path" "")
+
+    # SSH
+    # Disabled for now until someone makes this work.
+    (lib.mesonOption "sshconfdir" "no")
+    (lib.mesonOption "sshdconfdir" "no")
+
+    # Features
+
+    # Tests
+    (lib.mesonBool "tests" false)
+    (lib.mesonEnable "glib" false)
+    (lib.mesonEnable "dbus" false)
+
+    # Compression
+    (lib.mesonEnable "bzip2" true)
+    (lib.mesonEnable "lz4" true)
+    (lib.mesonEnable "xz" true)
+    (lib.mesonEnable "zstd" true)
+    (lib.mesonEnable "zlib" true)
+
+    # NSS
+    (lib.mesonEnable "nss-resolve" true)
+    (lib.mesonBool "nss-myhostname" true)
+    (lib.mesonBool "nss-systemd" true)
+
+    # Cryptsetup
+    (lib.mesonEnable "libcryptsetup" true)
+    (lib.mesonEnable "libcryptsetup-plugins" true)
+    (lib.mesonEnable "p11kit" true)
+
+    # FIDO2
+    (lib.mesonEnable "libfido2" true)
+    (lib.mesonEnable "openssl" true)
+
+    # Password Quality
+    (lib.mesonEnable "pwquality" false)
+    (lib.mesonEnable "passwdqc" false)
+
+    # Remote
+    (lib.mesonEnable "remote" false)
+    (lib.mesonEnable "microhttpd" false)
+
+    (lib.mesonEnable "pam" true)
+    (lib.mesonEnable "acl" true)
+    (lib.mesonEnable "audit" true)
+    (lib.mesonEnable "apparmor" true)
+    (lib.mesonEnable "gcrypt" true)
+    (lib.mesonEnable "importd" true)
+    (lib.mesonEnable "homed" true)
+    (lib.mesonEnable "polkit" true)
+    (lib.mesonEnable "elfutils" true)
+    (lib.mesonEnable "libcurl" true)
+    (lib.mesonEnable "libidn" false)
+    (lib.mesonEnable "libidn2" true)
+    (lib.mesonEnable "libiptc" true)
+    (lib.mesonEnable "repart" true)
+    (lib.mesonEnable "sysupdate" true)
+    (lib.mesonEnable "seccomp" true)
+    (lib.mesonEnable "selinux" true)
+    (lib.mesonEnable "tpm2" true)
+    (lib.mesonEnable "pcre2" true)
+    (lib.mesonEnable "bpf-framework" true)
+    (lib.mesonEnable "bootloader" true)
+    (lib.mesonEnable "ukify" true)
+    (lib.mesonEnable "kmod" true)
+    (lib.mesonEnable "qrencode" true)
+    (lib.mesonEnable "vmspawn" true)
+    (lib.mesonEnable "libarchive" true)
+    (lib.mesonEnable "xenctrl" false)
+    (lib.mesonEnable "gnutls" false)
+    (lib.mesonEnable "xkbcommon" false)
+    (lib.mesonEnable "man" true)
+
+    (lib.mesonBool "analyze" true)
+    (lib.mesonBool "logind" true)
+    (lib.mesonBool "localed" true)
+    (lib.mesonBool "hostnamed" true)
+    (lib.mesonBool "machined" true)
+    (lib.mesonBool "networkd" true)
+    (lib.mesonBool "oomd" true)
+    (lib.mesonBool "portabled" true)
+    (lib.mesonBool "hwdb" true)
+    (lib.mesonBool "timedated" true)
+    (lib.mesonBool "timesyncd" true)
+    (lib.mesonBool "userdb" true)
+    (lib.mesonBool "coredump" true)
+    (lib.mesonBool "firstboot" true)
+    (lib.mesonBool "resolve" true)
+    (lib.mesonBool "sysusers" true)
+    (lib.mesonBool "efi" true)
+    (lib.mesonBool "utmp" true)
+    (lib.mesonBool "log-trace" true)
+
+    (lib.mesonBool "kernel-install" true)
+    (lib.mesonBool "quotacheck" false)
+    (lib.mesonBool "ldconfig" false)
+    (lib.mesonBool "install-sysconfdir" false)
+    (lib.mesonBool "create-log-dirs" false)
+    (lib.mesonBool "smack" true)
+    (lib.mesonBool "b_pie" true)
+
+    (lib.mesonOption "bashcompletiondir" "no")
+    (lib.mesonOption "zshcompletiondir" "no")
+  ];
+
+})
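Review bot: `hardeningDisable` in systemd/default.nix switches off `trivialautovarinit`, `zerocallusedregs` and `shadowstack` for the whole derivation, so every binary built here (presumably including the init binary) loses them, although the comment ties the breakage only to the `clang -target bpf` step. `shadowstack` has no comment of its own, so a reader cannot tell whether it shares that reason. I would record the scope and the exit condition next to the list, e.g. `# NOTE: applies to all of systemd, not only the BPF objects; re-enable once these flags are filtered for -target bpf`, and add a one-line reason above `"shadowstack"`. Separately, the update command for `releaseTimestamp` queries `releases/latest`, which is not tied to the pinned `version`; querying `releases/tags/v257.3` (or the tag being bumped to) would keep the timestamp in step with the fetched source.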