diff --git a/core/cmd/init/BUILD.bazel b/core/cmd/init/BUILD.bazel
new file mode 100644
index 0000000..afe4a39
--- /dev/null
+++ b/core/cmd/init/BUILD.bazel
@@ -0,0 +1,22 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["main.go"],
+    importpath = "git.monogon.dev/source/nexantic.git/core/cmd/init",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//core/internal/network:go_default_library",
+        "//core/internal/node:go_default_library",
+        "//core/pkg/tpm:go_default_library",
+        "@org_golang_x_sys//unix:go_default_library",
+        "@org_uber_go_zap//:go_default_library",
+    ],
+)
+
+go_binary(
+    name = "init",
+    embed = [":go_default_library"],
+    pure = "on",  # keep
+    visibility = ["//visibility:public"],
+)
diff --git a/core/cmd/init/main.go b/core/cmd/init/main.go
new file mode 100644
index 0000000..a69de2c
--- /dev/null
+++ b/core/cmd/init/main.go
@@ -0,0 +1,109 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"git.monogon.dev/source/nexantic.git/core/internal/network"
+	"git.monogon.dev/source/nexantic.git/core/internal/node"
+	"git.monogon.dev/source/nexantic.git/core/pkg/tpm"
+	"os"
+	"os/signal"
+	"runtime/debug"
+
+	"go.uber.org/zap"
+	"golang.org/x/sys/unix"
+)
+
+func main() {
+	defer func() {
+		if r := recover(); r != nil {
+			fmt.Println("Init panicked:", r)
+			debug.PrintStack()
+		}
+		unix.Sync()
+		// TODO: Switch this to Reboot when init panics are less likely
+		unix.Reboot(unix.LINUX_REBOOT_CMD_POWER_OFF)
+	}()
+	logger, err := zap.NewDevelopment()
+	if err != nil {
+		panic(err)
+	}
+	logger.Info("Starting Smalltown Init")
+
+	// Set up bare minimum mounts
+	if err := os.Mkdir("/sys", 0755); err != nil {
+		panic(err)
+	}
+	if err := unix.Mount("sysfs", "/sys", "sysfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV, ""); err != nil {
+		panic(err)
+	}
+
+	if err := os.Mkdir("/proc", 0755); err != nil {
+		panic(err)
+	}
+	if err := unix.Mount("procfs", "/proc", "proc", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV, ""); err != nil {
+		panic(err)
+	}
+
+	signalChannel := make(chan os.Signal, 2)
+	signal.Notify(signalChannel)
+
+	if err := tpm.Initialize(logger.With(zap.String("component", "tpm"))); err != nil {
+		logger.Panic("Failed to initialize TPM 2.0", zap.Error(err))
+	}
+
+	networkSvc, err := network.NewNetworkService(network.Config{}, logger.With(zap.String("component", "network")))
+	if err != nil {
+		panic(err)
+	}
+	networkSvc.Start()
+
+	nodeInstance, err := node.NewSmalltownNode(logger, 7833, 7834)
+	if err != nil {
+		panic(err)
+	}
+
+	err = nodeInstance.Start()
+	if err != nil {
+		panic(err)
+	}
+
+	// We're PID1, so orphaned processes get reparented to us to clean up
+	for {
+		sig := <-signalChannel
+		switch sig {
+		case unix.SIGCHLD:
+			var status unix.WaitStatus
+			var rusage unix.Rusage
+			for {
+				res, err := unix.Wait4(-1, &status, unix.WNOHANG, &rusage)
+				if err != nil && err != unix.ECHILD {
+					logger.Error("Failed to wait on orphaned child", zap.Error(err))
+					break
+				}
+				if res <= 0 {
+					break
+				}
+			}
+		// TODO(lorenz): We can probably get more than just SIGCHLD as init, but I can't think
+		// of any others right now, just log them in case we hit any of them.
+		default:
+			logger.Warn("Got unexpected signal", zap.String("signal", sig.String()))
+		}
+	}
+}
diff --git a/core/cmd/mkimage/BUILD.bazel b/core/cmd/mkimage/BUILD.bazel
new file mode 100644
index 0000000..35e162d
--- /dev/null
+++ b/core/cmd/mkimage/BUILD.bazel
@@ -0,0 +1,20 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["main.go"],
+    importpath = "git.monogon.dev/source/nexantic.git/core/cmd/mkimage",
+    visibility = ["//visibility:private"],
+    deps = [
+        "@com_github_diskfs_go_diskfs//:go_default_library",
+        "@com_github_diskfs_go_diskfs//disk:go_default_library",
+        "@com_github_diskfs_go_diskfs//filesystem:go_default_library",
+        "@com_github_diskfs_go_diskfs//partition/gpt:go_default_library",
+    ],
+)
+
+go_binary(
+    name = "mkimage",
+    embed = [":go_default_library"],
+    visibility = ["//visibility:public"],
+)
diff --git a/core/cmd/mkimage/main.go b/core/cmd/mkimage/main.go
new file mode 100644
index 0000000..a727e8b
--- /dev/null
+++ b/core/cmd/mkimage/main.go
@@ -0,0 +1,112 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/diskfs/go-diskfs"
+	"github.com/diskfs/go-diskfs/disk"
+	"github.com/diskfs/go-diskfs/filesystem"
+	"github.com/diskfs/go-diskfs/partition/gpt"
+)
+
+var SmalltownDataPartition gpt.Type = gpt.Type("9eeec464-6885-414a-b278-4305c51f7966")
+
+func mibToSectors(size uint64) uint64 {
+	return (size * 1024 * 1024) / 512
+}
+
+func main() {
+	if len(os.Args) < 3 {
+		fmt.Println("Usage: mkimage <UEFI payload> <image path>")
+		os.Exit(2)
+	}
+	_ = os.Remove(os.Args[2])
+	diskImg, err := diskfs.Create(os.Args[2], 3*1024*1024*1024, diskfs.Raw)
+	if err != nil {
+		fmt.Printf("Failed to create disk: %v", err)
+		os.Exit(1)
+	}
+
+	table := &gpt.Table{
+		// This is appropriate at least for virtio disks. Might need to be adjusted for real ones.
+		LogicalSectorSize:  512,
+		PhysicalSectorSize: 512,
+		ProtectiveMBR:      true,
+		Partitions: []*gpt.Partition{
+			{
+				Type:  gpt.EFISystemPartition,
+				Name:  "ESP",
+				Start: mibToSectors(1),
+				End:   mibToSectors(128) - 1,
+			},
+			{
+				Type:  SmalltownDataPartition,
+				Name:  "SIGNOS-DATA",
+				Start: mibToSectors(128),
+				End:   mibToSectors(2560) - 1,
+			},
+		},
+	}
+	if err := diskImg.Partition(table); err != nil {
+		fmt.Printf("Failed to apply partition table: %v", err)
+		os.Exit(1)
+	}
+
+	fs, err := diskImg.CreateFilesystem(disk.FilesystemSpec{Partition: 1, FSType: filesystem.TypeFat32, VolumeLabel: "ESP"})
+	if err != nil {
+		fmt.Printf("Failed to create filesystem: %v", err)
+		os.Exit(1)
+	}
+	if err := fs.Mkdir("/EFI"); err != nil {
+		panic(err)
+	}
+	if err := fs.Mkdir("/EFI/BOOT"); err != nil {
+		panic(err)
+	}
+	if err := fs.Mkdir("/EFI/smalltown"); err != nil {
+		panic(err)
+	}
+	efiPayload, err := fs.OpenFile("/EFI/BOOT/BOOTX64.EFI", os.O_CREATE|os.O_RDWR)
+	if err != nil {
+		fmt.Printf("Failed to open EFI payload for writing: %v", err)
+		os.Exit(1)
+	}
+	efiPayloadSrc, err := os.Open(os.Args[1])
+	if err != nil {
+		fmt.Printf("Failed to open EFI payload for reading: %v", err)
+		os.Exit(1)
+	}
+	defer efiPayloadSrc.Close()
+	// If this is streamed (e.g. using io.Copy) it exposes a bug in diskfs, so do it in one go.
+	efiPayloadFull, err := ioutil.ReadAll(efiPayloadSrc)
+	if err != nil {
+		panic(err)
+	}
+	if _, err := efiPayload.Write(efiPayloadFull); err != nil {
+		fmt.Printf("Failed to write EFI payload: %v", err)
+		os.Exit(1)
+	}
+	if err := diskImg.File.Close(); err != nil {
+		fmt.Printf("Failed to write image: %v", err)
+		os.Exit(1)
+	}
+	fmt.Println("Success! You can now boot smalltown.img")
+}