diff --git a/install.sh b/install.sh
new file mode 100644
index 0000000..3369fc7
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Load configuration
+if [[ ! -f .env ]]; then
+ echo "Missing .env. Copy .env.template and edit it before running."
+ exit 1
+fi
+source .env
+
+echo ">>> Arch Secure Install starting on ${DISK}"
+
+timedatectl set-ntp true
+
+# Wipe and partition
+sgdisk --zap-all "${DISK}"
+sgdisk -n1:0:+512M -t1:EF00 -c1:"EFI System Partition" "${DISK}"
+sgdisk -n2:0:0 -t2:8309 -c2:"Linux LUKS" "${DISK}"
+partprobe "${DISK}"
+
+EFI="${DISK}p1"
+ROOT="${DISK}p2"
+
+echo ">>> Formatting EFI partition"
+mkfs.fat -F32 "${EFI}"
+
+echo ">>> Setting up LUKS2 on ${ROOT}"
+echo -n "${LUKS_PASSPHRASE}" | cryptsetup luksFormat --type luks2 "${ROOT}" -
+echo -n "${LUKS_PASSPHRASE}" | cryptsetup open "${ROOT}" "${LUKS_NAME}" -
+
+echo ">>> Creating Btrfs filesystem"
+mkfs.btrfs /dev/mapper/"${LUKS_NAME}"
+
+mount /dev/mapper/"${LUKS_NAME}" /mnt
+
+for subvol in ${BTRFS_SUBVOLS}; do
+ btrfs subvolume create "/mnt/${subvol}"
+done
+umount /mnt
+
+echo ">>> Mounting subvolumes"
+mount -o subvol=@,${BTRFS_OPTS} /dev/mapper/"${LUKS_NAME}" /mnt
+mkdir -p /mnt/{boot,home,var/log,var/cache}
+
+mount -o subvol=@home,${BTRFS_OPTS} /dev/mapper/"${LUKS_NAME}" /mnt/home
+mount -o subvol=@log /dev/mapper/"${LUKS_NAME}" /mnt/var/log
+mount -o subvol=@cache /dev/mapper/"${LUKS_NAME}" /mnt/var/cache
+mount "${EFI}" /mnt/boot
+
+echo ">>> Installing base system"
+pacstrap -K /mnt base linux linux-firmware btrfs-progs systemd-ukify systemd-bootctl
+
+echo ">>> Generating fstab"
+genfstab -U /mnt >> /mnt/etc/fstab
+
+echo ">>> Copying configuration"
+mkdir -p /mnt/root/install
+cp .env /mnt/root/install/.env
+cp chroot_setup.sh /mnt/root/install/
+cp firstboot.sh /mnt/root/install/
+chmod +x /mnt/root/install/{chroot_setup.sh,firstboot.sh}
+
+echo ">>> Chrooting into new system"
+arch-chroot /mnt /root/install/chroot_setup.sh
+
+echo ">>> Installation complete. Reboot when ready."
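Review bot: The LUKS passphrase is left in plaintext on the installed system, because `cp .env /mnt/root/install/.env` copies the whole file, `LUKS_PASSPHRASE` included, with default permissions, and nothing in this hunk removes it afterwards. Copy only the settings the later stages need and restrict the mode, for example `(umask 077; grep -v '^LUKS_PASSPHRASE=' .env > /mnt/root/install/.env)`. If `chroot_setup.sh` or `firstboot.sh` (not shown here) do need the passphrase, it should be handed over another way and deleted once they finish. Separately, `sgdisk --zap-all "${DISK}"` runs on whatever `.env` supplies without checking it, so a guard such as `[[ -b "${DISK}" ]] || { echo "DISK is not a block device" >&2; exit 1; }` before the wipe would catch an empty or mistyped value. The `${DISK}p1`/`${DISK}p2` names also only match devices that use a `p` partition separator (NVMe, MMC), which deserves a comment or a check.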