diff --git a/third_party/sandboxroot/mirror/BUILD.bazel b/third_party/sandboxroot/mirror/BUILD.bazel
new file mode 100644
index 0000000..ea62a45
--- /dev/null
+++ b/third_party/sandboxroot/mirror/BUILD.bazel
@@ -0,0 +1,26 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "mirror_lib",
+    srcs = [
+        "bazeldnf.go",
+        "external.go",
+        "main.go",
+    ],
+    importpath = "source.monogon.dev/third_party/sandboxroot/mirror",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//build/toolbase",
+        "@com_github_cenkalti_backoff_v4//:backoff",
+        "@com_github_spf13_cobra//:cobra",
+        "@com_google_cloud_go_storage//:storage",
+        "@io_k8s_klog_v2//:klog",
+        "@net_starlark_go//starlark",
+    ],
+)
+
+go_binary(
+    name = "mirror",
+    embed = [":mirror_lib"],
+    visibility = ["//visibility:public"],
+)
diff --git a/third_party/sandboxroot/mirror/README.md b/third_party/sandboxroot/mirror/README.md
new file mode 100644
index 0000000..002d9ae
--- /dev/null
+++ b/third_party/sandboxroot/mirror/README.md
@@ -0,0 +1,37 @@
+sandboxroot mirror
+===
+
+Fedora mirrors tend to drop RPMs very quickly. As we don't want to be constantly
+chasing every single tiny update, we have decided to set up our own mirror on GCS.
+
+The mirror only contains RPMs that the sandboxroot actually uses, and is managed
+by running the `mirror` tool from this directory.
+
+Using the mirror
+---
+
+The mirror is enabled by default whenever you use Bazel (see repositories.bzl in this directory).
+
+Updating the mirror
+---
+
+Any time you run `third_party/sandboxroot/regenerate.sh`, the last step calls `mirror sync`. If that fails for some reason (eg. you were not logged into GCS), you can run it manually:
+
+```
+$ bazel run :mirror sync
+```
+
+Checking the mirror
+---
+
+If you want to just check whether everything's properly synced, you can run:
+
+```
+$ bazel run :mirror check
+```
+
+To do a full scan (downloading and checking SHA256 sums) do:
+
+```
+$ bazel run :mirror check --deep
+```
diff --git a/third_party/sandboxroot/mirror/bazeldnf.go b/third_party/sandboxroot/mirror/bazeldnf.go
new file mode 100644
index 0000000..4f85581
--- /dev/null
+++ b/third_party/sandboxroot/mirror/bazeldnf.go
@@ -0,0 +1,69 @@
+package main
+
+import (
+	"fmt"
+
+	"go.starlark.net/starlark"
+)
+
+// getBazelDNFFiles parses third_party/sandboxroot/repositories.bzl (at the given
+// path) into a list of rpmDefs. It does so by loading the .bzl file into a
+// minimal starlark interpreter that emulates enough of the Bazel internal API to
+// get things going.
+func getBazelDNFFiles(path string) ([]*rpmDef, error) {
+	var res []*rpmDef
+
+	// rpm will be called any time the Starlark code calls rpm() from
+	// @bazeldnf//:deps.bzl.
+	rpm := func(thread *starlark.Thread, b *starlark.Builtin, args starlark.Tuple, kwargs []starlark.Tuple) (starlark.Value, error) {
+		var name, sha256 starlark.String
+		var urls *starlark.List
+		if err := starlark.UnpackArgs("rpm", args, kwargs, "name", &name, "sha256", &sha256, "urls", &urls); err != nil {
+			return nil, err
+		}
+		it := urls.Iterate()
+		defer it.Done()
+
+		var urlsS []string
+		var url starlark.Value
+		for it.Next(&url) {
+			if url.Type() != "string" {
+				return nil, fmt.Errorf("urls must be a list of strings")
+			}
+			urlS := url.(starlark.String)
+			urlsS = append(urlsS, urlS.GoString())
+		}
+
+		ext, err := newRPMDef(name.GoString(), sha256.GoString(), urlsS)
+		if err != nil {
+			return nil, fmt.Errorf("invalid rpm: %v", err)
+		}
+		res = append(res, ext)
+		return starlark.None, nil
+	}
+
+	thread := &starlark.Thread{
+		Name: "fakebazel",
+		Load: func(thread *starlark.Thread, module string) (starlark.StringDict, error) {
+			switch module {
+			case "@bazeldnf//:deps.bzl":
+				return map[string]starlark.Value{
+					"rpm": starlark.NewBuiltin("rpm", rpm),
+				}, nil
+			}
+			return nil, fmt.Errorf("not implemented in fakebazel")
+		},
+	}
+	globals, err := starlark.ExecFile(thread, path, nil, nil)
+	if err != nil {
+		return nil, fmt.Errorf("executing failed: %w", err)
+	}
+	if !globals.Has("sandbox_dependencies") {
+		return nil, fmt.Errorf("does not contain sandbox_dupendencies")
+	}
+	_, err = starlark.Call(thread, globals["sandbox_dependencies"], nil, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to call sandbox_dependencies: %w", err)
+	}
+	return res, nil
+}
diff --git a/third_party/sandboxroot/mirror/external.go b/third_party/sandboxroot/mirror/external.go
new file mode 100644
index 0000000..2c8bcdf
--- /dev/null
+++ b/third_party/sandboxroot/mirror/external.go
@@ -0,0 +1,234 @@
+package main
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"cloud.google.com/go/storage"
+	"github.com/cenkalti/backoff/v4"
+	"k8s.io/klog/v2"
+)
+
+// rpmDef is a definition of an RPM dependency, containing the internal
+// bazeldnf/bazel name of the dependency, an expected SHA256 sum of the RPM file,
+// and a list of URLs of where that file should be downloaded from. This
+// structure is parsed from repositories.bzl.
+type rpmDef struct {
+	name   string
+	sha256 string
+	mpath  string
+	urls   []*url.URL
+}
+
+// newRPMDef builds and validates an rpmDef based on raw data from
+// repositories.bzl.
+func newRPMDef(name string, sha256 string, urls []string) (*rpmDef, error) {
+	if len(urls) < 1 {
+		return nil, fmt.Errorf("needs at least one URL")
+	}
+	var urlsP []*url.URL
+
+	// Look through all URLs and make sure they're valid Fedora mirror paths, and
+	// that all the mirror paths are the same.
+	path := ""
+	for _, us := range urls {
+		u, err := url.Parse(us)
+		if err != nil {
+			return nil, fmt.Errorf("url invalid %w", err)
+		}
+
+		mpath, err := getFedoraMirrorPath(u)
+		if err != nil {
+			return nil, fmt.Errorf("unexpected url %s: %w", us, err)
+		}
+
+		// If this isn't the first mirror path we've seen, make sure they're the same.
+		if path == "" {
+			path = mpath
+		} else {
+			if path != mpath {
+				return nil, fmt.Errorf("url path difference, %s vs %s", path, mpath)
+			}
+		}
+		urlsP = append(urlsP, u)
+	}
+	return &rpmDef{
+		name:   name,
+		sha256: sha256,
+		urls:   urlsP,
+		mpath:  path,
+	}, nil
+}
+
+// getFedoraMirrorPath takes a full URL to a mirrored RPM and returns its
+// mirror-root-relative path, ie. the path which starts with fedora/linux/....
+func getFedoraMirrorPath(u *url.URL) (string, error) {
+	parts := strings.Split(u.Path, "/")
+
+	// Find fedora/linux/...
+	found := false
+	for i, p := range parts {
+		if p == "fedora" && (i+1) < len(parts) && parts[i+1] == "linux" {
+			parts = parts[i:]
+			found = true
+			break
+		}
+	}
+	if !found || len(parts) < 7 {
+		return "", fmt.Errorf("does not look like a fedora mirror URL")
+	}
+	// Make sure the rest of the path makes some vague sense.
+	switch parts[2] {
+	case "releases", "updates":
+	default:
+		return "", fmt.Errorf("unexpected category %q", parts[2])
+	}
+	switch parts[4] {
+	case "Everything":
+	default:
+		return "", fmt.Errorf("unexpected category %q", parts[3])
+	}
+	switch parts[5] {
+	case "x86_64":
+	default:
+		return "", fmt.Errorf("unexpected architecture %q", parts[5])
+	}
+
+	// Return the path rebuilt and starting at fedora/linux/...
+	return strings.Join(parts, "/"), nil
+}
+
+// validateOurs checks if our mirror has a copy of this RPM. If deep is true, the
+// file will be downloaded and its SHA256 verified. Otherwise, a simple HEAD
+// request is used.
+func (e *rpmDef) validateOurs(ctx context.Context, deep bool) (bool, error) {
+	ctxT, ctxC := context.WithTimeout(ctx, 2*time.Second)
+	defer ctxC()
+
+	url := ourMirrorURL(e.mpath)
+
+	bo := backoff.NewExponentialBackOff()
+	var found bool
+	err := backoff.Retry(func() error {
+		method := "HEAD"
+		if deep {
+			method = "GET"
+		}
+		req, err := http.NewRequestWithContext(ctxT, method, url, nil)
+		if err != nil {
+			return backoff.Permanent(err)
+		}
+		res, err := http.DefaultClient.Do(req)
+		if err != nil {
+			return err
+		}
+		defer res.Body.Close()
+		if res.StatusCode == 200 {
+			found = true
+		} else {
+			found = false
+		}
+
+		if !deep || !found {
+			return nil
+		}
+
+		data, err := io.ReadAll(res.Body)
+		if err != nil {
+			return err
+		}
+
+		h := sha256.New()
+		h.Write(data)
+		got := hex.EncodeToString(h.Sum(nil))
+		want := strings.ToLower(e.sha256)
+		if want != got {
+			log.Printf("SHA256 mismatch: wanted %s, got %s", want, got)
+			found = false
+		}
+		return nil
+
+	}, backoff.WithContext(bo, ctxT))
+	if err != nil {
+		return false, err
+	}
+	return found, nil
+}
+
+// mirrorToOurs attempts to download this RPM from a mirror that's not ours and
+// upload it to our mirror via the given bucket.
+func (e *rpmDef) mirrorToOurs(ctx context.Context, bucket *storage.BucketHandle) error {
+	log.Printf("Mirroring %s ...", e.name)
+	for _, source := range e.urls {
+		// Skip our own mirror as a source.
+		if strings.HasPrefix(source.String(), ourMirrorURL()) {
+			continue
+		}
+
+		log.Printf("  Getting %s ...", source)
+		data, err := e.get(ctx, source.String())
+		if err != nil {
+			klog.Errorf("  Failed: %v", err)
+			continue
+		}
+
+		objName := filepath.Join(flagMirrorBucketSubdir, e.mpath)
+		obj := bucket.Object(objName)
+		log.Printf("  Uploading to %s...", objName)
+		wr := obj.NewWriter(ctx)
+		if _, err := wr.Write(data); err != nil {
+			return fmt.Errorf("Write failed: %w", err)
+		}
+		if err := wr.Close(); err != nil {
+			return fmt.Errorf("Close failed: %w", err)
+		}
+		return nil
+	}
+	return fmt.Errorf("all mirrors failed")
+}
+
+// get downloads the given RPM from the given URL and checks its SHA256.
+func (e *rpmDef) get(ctx context.Context, url string) ([]byte, error) {
+	ctxT, ctxC := context.WithTimeout(ctx, 60*time.Second)
+	defer ctxC()
+
+	bo := backoff.NewExponentialBackOff()
+	var data []byte
+	err := backoff.Retry(func() error {
+		req, err := http.NewRequestWithContext(ctxT, "GET", url, nil)
+		if err != nil {
+			return backoff.Permanent(err)
+		}
+		res, err := http.DefaultClient.Do(req)
+		if err != nil {
+			return err
+		}
+		defer res.Body.Close()
+		data, err = io.ReadAll(res.Body)
+		if err != nil {
+			return err
+		}
+		return nil
+	}, backoff.WithContext(bo, ctxT))
+	if err != nil {
+		return nil, err
+	}
+
+	h := sha256.New()
+	h.Write(data)
+	got := hex.EncodeToString(h.Sum(nil))
+	want := strings.ToLower(e.sha256)
+	if want != got {
+		return nil, fmt.Errorf("sha256 mismatch: wanted %s, got %s", want, got)
+	}
+	return data, nil
+}
diff --git a/third_party/sandboxroot/mirror/main.go b/third_party/sandboxroot/mirror/main.go
new file mode 100644
index 0000000..c7e823e
--- /dev/null
+++ b/third_party/sandboxroot/mirror/main.go
@@ -0,0 +1,203 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/url"
+	"path/filepath"
+	"strings"
+
+	"cloud.google.com/go/storage"
+	"github.com/spf13/cobra"
+
+	"source.monogon.dev/build/toolbase"
+)
+
+var (
+	flagDeep               bool
+	flagMirrorBucketName   string
+	flagMirrorBucketSubdir string
+)
+
+var rootCmd = &cobra.Command{
+	Use:          "mirror",
+	Short:        "Developer/CI tool to make sure our RPM mirror for the sandboxroot is up to date",
+	SilenceUsage: true,
+}
+
+// ourMirrorURL returns a fully formed URL-string to our mirror (as defined by
+// flags), optionally appending the given parts as file path parts.
+func ourMirrorURL(parts ...string) string {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = "storage.googleapis.com"
+
+	path := []string{
+		flagMirrorBucketName,
+		flagMirrorBucketSubdir,
+	}
+	path = append(path, parts...)
+	u.Path = filepath.Join(path...)
+	return u.String()
+}
+
+// progress is used to notify the user about operational progress.
+func progress(done, total int) {
+	fmt.Printf("%d/%d files done...\r", done, total)
+}
+
+func checkMirrorURLs(rpms []*rpmDef) error {
+	log.Printf("Checking all RPMs are using our mirror...")
+	allCorrect := true
+	for _, rpm := range rpms {
+		urls := rpm.urls
+
+		haveOur := false
+		haveExternal := false
+		for _, u := range urls {
+			if strings.HasPrefix(u.String(), ourMirrorURL()) {
+				haveOur = true
+			} else {
+				haveExternal = true
+			}
+			if haveOur && haveExternal {
+				break
+			}
+		}
+		if !haveOur {
+			allCorrect = false
+			log.Printf("RPM %s does not contain our mirror in its URLs", rpm.name)
+		}
+		if !haveExternal {
+			allCorrect = false
+			log.Printf("RPM %s does not contain any upstream mirror in its URLs", rpm.name)
+		}
+	}
+	if !allCorrect {
+		return fmt.Errorf("some RPMs have incorrect mirror urls")
+	}
+	return nil
+}
+
+func getRepositoriesBzl() string {
+	ws, err := toolbase.WorkspaceDirectory()
+	if err != nil {
+		log.Fatalf("Failed to figure out workspace location: %v", err)
+	}
+	return filepath.Join(ws, "third_party/sandboxroot/repositories.bzl")
+}
+
+var checkCmd = &cobra.Command{
+	Use:   "check",
+	Short: "Check that everything is okay (without performing actual mirroring)",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		path := getRepositoriesBzl()
+		rpms, err := getBazelDNFFiles(path)
+		if err != nil {
+			return fmt.Errorf("could not get RPMs from %s: %v", path, err)
+		}
+
+		if err := checkMirrorURLs(rpms); err != nil {
+			return err
+		}
+
+		if !flagDeep {
+			log.Printf("Checking if all files are present on mirror... (use --deep to download and check hashes)")
+		} else {
+			log.Printf("Verifying contents of all mirrored files...")
+		}
+
+		hasAll := true
+		for i, rpm := range rpms {
+			has, err := rpm.validateOurs(cmd.Context(), flagDeep)
+			if err != nil {
+				return fmt.Errorf("checking %s failed: %v", rpm.name, err)
+			}
+			if !has {
+				log.Printf("Missing %s in mirror", rpm.name)
+				hasAll = false
+			}
+			progress(i+1, len(rpms))
+		}
+		if !hasAll {
+			return fmt.Errorf("some packages missing in mirror, run `mirror sync`")
+		} else {
+			log.Printf("All good.")
+		}
+
+		return nil
+	},
+}
+
+var syncCmd = &cobra.Command{
+	Use:   "sync",
+	Short: "Mirror all missing dependencies",
+	Long: `
+Check existence of (or download and verify when --deep) of every file in our
+mirror and upload it if it's missing. If an upload occured, a full re-download
+will be performed for verification.
+`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Context()
+
+		path := getRepositoriesBzl()
+		rpms, err := getBazelDNFFiles(path)
+		if err != nil {
+			return fmt.Errorf("could not get RPMs from %s: %v", path, err)
+		}
+
+		if err := checkMirrorURLs(rpms); err != nil {
+			return err
+		}
+
+		client, err := storage.NewClient(ctx)
+		if err != nil {
+			if strings.Contains(err.Error(), "could not find default credentials") {
+				log.Printf("Try running gcloud auth application-default login --no-browser")
+			}
+			return fmt.Errorf("could not build google cloud storage client: %v", err)
+		}
+		bucket := client.Bucket(flagMirrorBucketName)
+
+		if !flagDeep {
+			log.Printf("Checking for any missing files...")
+		} else {
+			log.Printf("Verifying all files and uploading if missing or corrupted...")
+		}
+
+		for i, rpm := range rpms {
+			has, err := rpm.validateOurs(ctx, flagDeep)
+			if err != nil {
+				return err
+			}
+			if !has {
+				log.Printf("Mirroring %s...", rpm.name)
+				if err := rpm.mirrorToOurs(ctx, bucket); err != nil {
+					return err
+				}
+				log.Printf("Verifying %s...", rpm.name)
+				has, err = rpm.validateOurs(ctx, true)
+				if err != nil {
+					return err
+				}
+				if !has {
+					return fmt.Errorf("post-mirror validation of %s failed", rpm.name)
+				}
+			}
+			progress(i+1, len(rpms))
+		}
+
+		log.Printf("All good.")
+		return nil
+	},
+}
+
+func main() {
+	rootCmd.PersistentFlags().StringVar(&flagMirrorBucketName, "bucket_name", "monogon-infra-public", "Name of GCS bucket to mirror into.")
+	rootCmd.PersistentFlags().StringVar(&flagMirrorBucketSubdir, "bucket_subdir", "mirror", "Subpath in bucket to upload data to.")
+	rootCmd.PersistentFlags().BoolVar(&flagDeep, "deep", false, "Always download files fully during check/sync to make sure the SHA256 matches.")
+	rootCmd.AddCommand(checkCmd)
+	rootCmd.AddCommand(syncCmd)
+	rootCmd.Execute()
+
+}