{
  lib,
  concatText,
  fetchzip,
  stdenvNoCC,
  writeText,
  writeShellApplication,

  resholve,

  bash,
  cacert,
  coreutils,
  pacman,
  systemd,
  zstd,

  repos ? ["core" "community" "extra"],
  keyring-version ? "20241015-1",
  keyring-hash ? "sha256-7IegfprKTNn0aPRMgTw34SEc/GRCfy92mE9CVI4rxr0=",
  mirror ? "https://mirror.rackspace.com/archlinux/$repo/os/$arch",
}: rec {
  keyring = (fetchzip.override { withUnzip = false; }) {
    url = "${builtins.replaceStrings ["$repo" "$arch"] ["core" "x86_64"] mirror}/archlinux-keyring-${keyring-version}-any.pkg.tar.zst";
    hash = keyring-hash;
    nativeBuildInputs = [ zstd ];
    stripRoot = false;
    postFetch = ''
      rm "$out"/.BUILDINFO "$out"/.INSTALL "$out"/.MTREE "$out"/.PKGINFO
      mkdir "$out"/share/pacman -p
      mv "$out"/usr/share/pacman/keyrings "$out"/share/pacman
      rm -rf "$out"/usr
    '';
  };

  pacman_conf_in =
    writeText
      "pacman-mirrors.conf"
      (lib.strings.concatLines
        (lib.map
          (repo: ''
            [${repo}]
            Server = ${mirror}
          '')
          repos));

  pacman_conf = concatText "pacman.conf" [ "${pacman}/etc/pacman.conf" pacman_conf_in ];

  bootstrap = resholve.writeScriptBin "archlinux-bootstrap" {
    interpreter = "${bash}/bin/bash";
    inputs = [ coreutils pacman systemd ];
    execer = [
      "cannot:${pacman}/bin/pacman-key"
      "cannot:${systemd}/bin/systemd-nspawn"
    ];
  } ''
    set -o errexit
    set -o nounset
    set -o pipefail

    if [ $# -lt 1 ]; then
      echo "usage: $0 [directory] [pkgs ...]"
      exit 1
    fi

    newroot="$1"
    shift

    echo "Installing arch linux to $newroot"

    # set up new base filesystem
    install -dm0755 "$newroot"
    install -dm0755 "$newroot"/var/{cache/pacman/pkg,lib/pacman,log}
    install -dm0755 "$newroot"/{dev,run,etc/pacman.d}
    install -dm1777 "$newroot"/tmp
    install -dm0555 "$newroot"/{sys,proc}

    # set up mountpoint for nix
    install -dm0755 "$newroot"/nix

    # temporarily set up /etc/mtab, pacman needs this to work
    ln -sf /proc/mounts "$newroot"/etc/mtab

    # fully initialize the keyring ahead of entering the container
    pacman_conf="${pacman_conf}"
    pacman-key --gpgdir "$newroot"/etc/pacman.d/gnupg --config "$pacman_conf" --init
    pacman-key --gpgdir "$newroot"/etc/pacman.d/gnupg --config "$pacman_conf" \
      --populate archlinux --populate-from "${keyring}/share/pacman/keyrings"

    # install the config file
    install -Dm0755 "$pacman_conf" "$newroot"/etc/pacman.conf

    # bootstrap the system. allow pacman to overwrite the existing mtab entry
    systemd-nspawn -D "$newroot" --bind-ro=/nix \
      -E SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt \
      -E PATH=/usr/bin/ \
      -- \
      "${pacman}/bin/pacman" -Sy --noconfirm --overwrite /etc/mtab base "$@"

    # remove nix mount point
    rmdir "$newroot"/nix

    echo "Done installing!"
    echo "Set root password:"
    echo "  sudo systemd-nspawn -UD \"$newroot\" -- /bin/passwd root"
    echo "Boot system:"
    echo "  sudo systemd-nspawn -bUD \"$newroot\""
  '';
}