diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..2cd0836
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,28 @@
+name: build
+
+on:
+ workflow_dispatch:
+# TODO: schedule
+
+env:
+ tag: ghcr.io/${{ github.repository_owner }}/workstation-bootc:latest
+
+jobs:
+ build:
+ runs-on: ubuntu-24.04
+ permissions:
+ packages: write
+ timeout-minutes: 30
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Build
+ run: sudo podman build -t ${{ env.tag }} .
+
+ - name: Log in to container registry
+ run: sudo podman login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
+
+ - name: Push container
+ run: sudo podman push ${{ env.tag }}
diff --git a/2022-RH-IT-Root-CA.pem b/2022-RH-IT-Root-CA.pem
new file mode 100644
index 0000000..f2d8b8a
--- /dev/null
+++ b/2022-RH-IT-Root-CA.pem
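Review bot: The "Log in to container registry" step passes the token on the command line (`-p ${{ secrets.GITHUB_TOKEN }}`), so it is visible in the runner's process list and in any shell tracing of that step; feed it via stdin from a step-level environment variable instead: `env:` / `REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}` / `run: echo "$REGISTRY_TOKEN" | sudo podman login -u "${{ github.actor }}" --password-stdin ghcr.io`. `actions/checkout@v4` is a mutable tag; pinning it to a full commit SHA (with the tag in a trailing comment) protects the publish job from a retagged action. The `on:` block has only `workflow_dispatch` with a `# TODO: schedule` marker, while the README in this same commit says the image is built automatically every week, so one of the two should be brought in line.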
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGXjCCBEagAwIBAgIEeIXl3TANBgkqhkiG9w0BAQwFADCBozELMAkGA1UEBhMC
+VVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdoMRYw
+FAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApSZWQgSGF0IElUMRkwFwYD
+VQQDDBBJbnRlcm5hbCBSb290IENBMSEwHwYJKoZIhvcNAQkBFhJpbmZvc2VjQHJl
+ZGhhdC5jb20wIBcNMjIwNDEwMTMxNzE4WhgPMjA1MjA0MDIxMzE3MThaMIGjMQsw
+CQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1Jh
+bGVpZ2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xEzARBgNVBAsMClJlZCBIYXQg
+SVQxGTAXBgNVBAMMEEludGVybmFsIFJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEmlu
+Zm9zZWNAcmVkaGF0LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+ALG6WgRWCXNZdn0UUVQ5JV2lEgHaNblgGnCAx6bZ89l5Ygi+tVDo8v1c16cM5e4E
+dtKEP88CnGL+6NJnI4iMuw2HtYM77Q2qmR9PIH3BRgCHHcZMgZjvlFKjJnLXIptk
+NMq/6tJ+6L0iWy0AzPovc5AtkRL3MBgrwgKINTBN41nuq4Dqp/QpqbYvK4Fz9uUE
+jtYUs4YZZjXfk/U5RcmCclSwyGdgxOC9lDInY/t4tCmJHxM6vlkjoJhqmLIbrgue
+Sv+uwAuNLGhSjT1hqLUJU7rpUUn9eAw23ebNC0sMw9eIpS7CwGyC+jhC8uORdgiK
+L79hDJBrKmwpy0byZ58qRNPWREMqPgs11NFGB3m1yj5vj47/i6m3yYizHX61t0ws
+0YTPcmp3SyPwWXhHO6z5b56fNeYx9kfzpfptTm0y+564V3ktX4z1fOWKxxoRAwoR
+DsILvaV2s4rYrXYaNvtu7x0qr5pKU25Yr4bPU29vBiloIFinQmivK8cSrmOsIs+V
+OS4lDcdpoB/7gtoGbyej3ErZVsN/qX/se1vkjkucABmLT/lPMfTs2Eegh4xKZMQR
+rTuL+LmVuEzapvHql8u6SDbgcsIpN2LgWjr8mo9Yfr/d4jnk2yhZKagN1OIuDi/U
+b+uBRWvY3oXfoZNgwaqIhO+93hCbeL1c5NC+zHxEnHglAgMBAAGjgZUwgZIwHQYD
+VR0OBBYEFLX6jeUKeKEJldtNIYaVallPSciLMB8GA1UdIwQYMBaAFLX6jeUKeKEJ
+ldtNIYaVallPSciLMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMC8G
+A1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9vc2NwLnJlZGhhdC5jb20vY3JsLnBlbTAN
+BgkqhkiG9w0BAQwFAAOCAgEAr4RGb1FvUb0kqCbwNlEUwC0vqcdG/uJA38UL4vNa
+RgrUZOz8LlE1UywZacvLxpYY5G6duJgB6X6NxN98PV8ei5eYRp5pEyUXIaAl0vvT
+WQ+mr+nizbGCeRjnk1rAI9s9P/ho/uRq06l9upEJvgIotOb9+KY1ljBxstl00Egb
+4B+gjR6wDHwaHb9wKgNB7xgSRBqwJ84eLtK1UoXtYpVTDe9nHiqzVb9JfYA8rscM
+quPqLXeqKDJ/SP72vlM3BocY6HqQ7l9kV8Bbk0BmnBwHTPe1uiuiW61oRYT0dv8L
+RLoswGZGSar14HId8tZ3EGTNfGvrTkhBI6bjjSGs+0MDcv6ARAZF0JSH6YWTRRGK
+oGV5x2vE6zPXvaejzNzN5aTK9qspOK4QM/bM+DFxl3HvKWsm5urJZnCCrf+pSRC2
+crzoBtmKR6TQIzYbMSu6jfc8xOKCR30LJ+wlZ/LuEZmroSp5xc6Ixeg5FV6w4h4m
+eNlQFU9n5AJyCG3ThQBhahfK4vtOtjYZXrtJ5VFaMlG26xzavVDRppYp3taLtiNi
+qChV/dbSdc7HqYQOnDglUF5mRiu78uZ9+fl5OgE4PjHVG/exyqi6OQZeujPzBXL7
+gZ1WEVt+fV8FWaH/NaEvVu5EFhISI/2dM+y/nuRQ4n2IwauEAWCQ+o6Qdq8TXytp
+70A=
+-----END CERTIFICATE-----
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..e502faa
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,9 @@
+FROM quay.io/fedora/fedora-bootc:40
+
+COPY packages.sh /
+COPY 2022-RH-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/
+COPY rpmfusion.repo /etc/yum.repos.d/
+RUN /packages.sh; rm /packages.sh
+
+COPY config.sh /
+RUN /config.sh; rm /config.sh
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..567db1b
--- /dev/null
+++ b/README.md
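Review bot: The `COPY 2022-RH-IT-Root-CA.pem /etc/pki/ca-trust/source/anchors/` line installs a private root CA as a system-wide trust anchor in an image that the README says is published publicly, so every TLS client on any machine rebased onto it will accept certificates chained to that CA; that is defensible for the author's own workstation, but it deserves an explicit comment such as `# Red Hat internal root CA, trusted system-wide; drop this line if you are not on that network`. `FROM quay.io/fedora/fedora-bootc:40` pulls by a mutable tag, so two builds of the same commit can start from different bases; pinning by digest (`fedora-bootc:40@sha256:<digest>`) makes the published image traceable to a known base. Note also that `rpmfusion.repo` is copied in before `/packages.sh` runs, so whatever verification settings that file carries govern every package installed in that layer.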
@@ -0,0 +1,37 @@
+Martin Pitt's desktop
+=====================
+
+This is an [rpm-ostree](https://coreos.github.io/rpm-ostree/) and
+[bootc](https://docs.fedoraproject.org/en-US/bootc/) based minimal
+[Fedora](https://getfedora.org/) developer desktop with the [sway window manager](https://swaywm.org/) and [podman](https://podman.io/)/[toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) for doing development and running less common graphical applications.
+
+It gets [automatically built](.github/workflows/build.yml) every week and [published as container image](https://github.com/martinpitt/ostree-bootc/pkgs/container/workstation-bootc), for using with [ostree native containers](https://coreos.github.io/rpm-ostree/container/).
+
+To use it from an existing OSTree based system like [Fedora CoreOS](https://getfedora.org/coreos) or [Fedora Silverblue](https://docs.fedoraproject.org/en-US/fedora-silverblue/), rebase your tree to it:
+
+```sh
+sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/martinpitt/workstation-bootc
+```
+
+After that, you can install weekly updates with
+
+```
+sudo rpm-ostree upgrade
+```
+
+If anything goes wrong, you can go back to the previous version with `sudo rpm-ostree rollback`.
+
+Login
+-----
+
+There is no graphical login manager. I log in on VT1, and my `.bashrc`
+automatically starts the GNOME SSH agent and sway:
+
+```sh
+if [ "$(tty)" = "/dev/tty1" ]; then
+ export `gnome-keyring-daemon --start --components=ssh`
+ export BROWSER=firefox-wayland
+ export XDG_CURRENT_DESKTOP=sway
+ exec sway > $XDG_RUNTIME_DIR/sway.log 2>&1
+fi
+```
diff --git a/config.sh b/config.sh
new file mode 100755
index 0000000..cc0f78c
--- /dev/null
+++ b/config.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# Enable SysRQ
+echo 'kernel.sysrq = 1' > /usr/lib/sysctl.d/90-sysrq.conf
+
+# power saving
+echo 'blacklist e1000e' > /usr/lib/modprobe.d/blacklist-local.conf
+
+# set up PAM for systemd-homed
+authselect enable-feature with-systemd-homed
+
+# homed is missing a lot of SELinux policy (https://bugzilla.redhat.com/show_bug.cgi?id=1809878)
+sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
+
+# enable other units
+ln -s ../systemd-timesyncd.service /usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+ln -s ../cockpit.socket /usr/lib/systemd/system/sockets.target.wants/cockpit.socket
+
+# disable unwanted services
+ln -sfn /dev/null /usr/lib/systemd/user/at-spi-dbus-bus.service
+
+# move OS systemd unit defaults to /usr
+cp -a --verbose /etc/systemd/system /etc/systemd/user /usr/lib/systemd/
+rm -r /etc/systemd/system /etc/systemd/user
+
+# scanner permissions without scanner packages
+echo 'ACTION=="add|change", ENV{DEVTYPE}=="usb_device", ENV{ID_MODEL}=="CanoScan", MODE="666"' > /usr/lib/udev/rules.d/canoscan.rules
+
+# battery health
+echo 'ACTION=="add|change", ATTR{type}=="Battery", ATTR{charge_stop_threshold}="80"' > /usr/lib/udev/rules.d/80-battery-health.rules
+
+# update for Red Hat certificate
+ln -s /etc/pki/ca-trust/source/anchors/2022-RH-IT-Root-CA.pem /etc/pki/tls/certs/2022-RH-IT-Root-CA.pem
+update-ca-trust
diff --git a/packages.sh b/packages.sh
new file mode 100755
index 0000000..911b6e8
--- /dev/null
+++ b/packages.sh
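Review bot: The CanoScan udev rule uses `MODE="666"`, which makes the scanner's USB device node readable and writable by every user and process on the machine rather than only the person at the console; the logind-integrated form is `TAG+="uaccess"`, i.e. `echo 'ACTION=="add|change", ENV{DEVTYPE}=="usb_device", ENV{ID_MODEL}=="CanoScan", TAG+="uaccess"' > /usr/lib/udev/rules.d/70-canoscan.rules` (the numeric prefix matters, since the file must sort before systemd's `73-seat-late.rules` for the uaccess tag to take effect, and `canoscan.rules` currently sorts after it). The `sed` that flips `SELINUX=enforcing` to `permissive` disables confinement for the whole desktop, not just for homed, and it silently does nothing if the config does not contain that exact string; at minimum follow it with `grep -q '^SELINUX=permissive' /etc/selinux/config` so a changed base image fails the build instead of silently shipping the wrong mode. `kernel.sysrq = 1` enables every SysRq function for anyone with physical console access (kill, reboot, memory dumps); if only a subset is needed, a bitmask such as Fedora's default `16` or `176` is the narrower setting.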
@@ -0,0 +1,117 @@
+#!/bin/sh
+set -eux
+
+# hardware/drivers
+dnf install -y \
+ kernel-modules-extra \
+ iwlwifi-mvm-firmware \
+ alsa-sof-firmware \
+ NetworkManager-wifi \
+ NetworkManager-openvpn-gnome \
+ powertop \
+ wpa_supplicant
+
+# shell tools and development
+dnf install -y \
+ cockpit-system \
+ cockpit-ws \
+ cyrus-sasl-plain \
+ fpaste \
+ git \
+ glibc-langpack-de \
+ glibc-langpack-en \
+ isync \
+ krb5-workstation \
+ man-db \
+ mtr \
+ mutt \
+ neovim \
+ nmap-ncat \
+ restic \
+ rsync \
+ strace \
+ syncthing \
+ systemd-container \
+ toolbox \
+ tree \
+ w3m \
+ wget
+
+# desktop plumbing/apps
+dnf install -y \
+ dejavu-sans-fonts \
+ dejavu-serif-fonts \
+ dejavu-sans-mono-fonts \
+ flatpak \
+ fontawesome-fonts \
+ google-noto-emoji-color-fonts \
+ gvfs-mtp \
+ pulseaudio-utils \
+ alsa-plugins-pulseaudio \
+ gstreamer1-plugins-good \
+ gstreamer1-plugins-bad-free \
+ gstreamer1-plugin-openh264 \
+ gstreamer1-libav \
+ libavdevice \
+ xdg-desktop-portal-gtk \
+ pavucontrol \
+ pcmanfm \
+ nm-connection-editor \
+ eog \
+ evince \
+ rhythmbox \
+ gnome-keyring \
+ pinentry-gnome3 \
+ mate-polkit \
+ lxterminal \
+ gnome-disk-utility \
+ rofimoji
+
+# sway/wayland desktop
+dnf install -y \
+ sway \
+ swayidle \
+ swaylock \
+ kanshi \
+ mako \
+ waybar \
+ slurp \
+ grim \
+ xorg-x11-server-Xwayland \
+ firefox \
+ wofi \
+ brightnessctl \
+ wl-clipboard
+
+dnf remove -y \
+ NetworkManager-cloud-setup \
+ adcli \
+ avahi \
+ btrfs-progs \
+ chrony \
+ cloud-utils-growpart \
+ fwupd \
+ libosinfo \
+ lvm2 \
+ lvm2-libs \
+ nfs-utils \
+ nilfs-utils \
+ passim-libs \
+ quota-nls \
+ rpcbind \
+ sssd-common \
+ sssd-nfs-idmap \
+ sos \
+ tracker \
+ tracker-miners \
+ udftools \
+ vim-data \
+ vim-minimal \
+ xdg-desktop-portal-wlr \
+ zram-generator
+
+rpm -qa 'qemu-user-static*' | xargs dnf remove -y
+
+dnf clean all
+
+rpm -e --verbose dnf dnf-data python3-dnf
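Review bot: `rpm -qa 'qemu-user-static*' | xargs dnf remove -y` runs `dnf remove -y` with no package arguments when nothing matches, and dnf treats an empty remove list as an error, so under `set -e` a base image without those packages fails the build instead of being a no-op; `rpm -qa 'qemu-user-static*' | xargs -r dnf remove -y` skips the call when the input is empty. The `dnf remove` list drops `fwupd`, which is the only firmware-update path on this image, so LVFS-delivered firmware security fixes will not be applied from it; that may be intentional, but a one-line comment (`# fwupd: no firmware updates from this image, done from elsewhere`) would record the decision. The closing `rpm -e --verbose dnf dnf-data python3-dnf` removes the package manager from the published image; worth a comment stating that the image is meant to be rebuilt, never patched in place.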
diff --git a/rpmfusion.repo b/rpmfusion.repo
new file mode 100644
index 0000000..febd9e4
--- /dev/null
+++ b/rpmfusion.repo
@@ -0,0 +1,18 @@
+[rpmfusion-free]
+name=RPM Fusion for Fedora $releasever - Free
+#baseurl=http://download1.rpmfusion.org/free/fedora/releases/$releasever/Everything/$basearch/os/
+metalink=https://mirrors.rpmfusion.org/metalink?repo=free-fedora-40&arch=$basearch
+enabled=1
+metadata_expire=14d
+type=rpm-md
+gpgcheck=0
+
+[rpmfusion-free-updates]
+name=RPM Fusion for Fedora $releasever - Free - Updates
+#baseurl=http://download1.rpmfusion.org/free/fedora/updates/$releasever/$basearch/
+metalink=https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-40&arch=$basearch
+enabled=1
+enabled_metadata=1
+type=rpm-md
+gpgcheck=0
+repo_gpgcheck=0
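Review bot: Both sections set `gpgcheck=0` (the updates section additionally `repo_gpgcheck=0`), so RPMs served by whichever mirror the metalink hands back are installed unverified as root into the base OS image that the workflow then publishes; a compromised or interposed mirror gets code execution on every machine rebased onto that image. Set `gpgcheck=1` in both sections and add a `gpgkey=file:///...` line pointing at the RPM Fusion signing key copied into the image next to this file, which is what the upstream `rpmfusion-free-release` package does; alternatively install that package instead of hand-copying the repo file. The `metalink=` values hard-code `40` while `name=` uses `$releasever`; using `$releasever` in the metalink too (presumably `repo=free-fedora-$releasever`) keeps the repo following the base image's release rather than silently staying on 40.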