diff --git a/.gitignore b/.gitignore
index 935f048..b9d83d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,3 @@
 *.img
-!config/
 config/*
-!config/etc/
-config/etc/*
-!config/etc/motd
+!config/.gitkeep
diff --git a/Makefile b/Makefile
index 9041a6c..5c537a2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,7 @@
 .PHONY: sdcard images clean
 
 A=./artifacts
+C=./config
 R=./resources
 S=./scripts
 
@@ -24,6 +25,7 @@ INITRD=$(A)/initramfs
 FIRMWARE_TAR=$(A)/firmware.tar
 MODULES_TAR=$(A)/modules.tar
 ROOTFS_TAR=$(A)/rootfs.tar
+CONFIG_TAR=$(A)/config.tar
 ROOTFS=$(A)/rootfs.img
 IMAGES=$(SPL) $(UBOOT) $(ENV) $(RESOURCES) $(BOOT) $(ROOTFS)
 SD=$(A)/alpine-h700.img
@@ -63,10 +65,14 @@ $(ROOTFS_TAR):
 $(FIRMWARE_TAR) $(MODULES_TAR): $(FACTORY_IMAGE)
 	$(S)/extract-modules.sh $< $(A)
 
-$(ROOTFS): $(ROOTFS_TAR) $(FIRMWARE_TAR) $(MODULES_TAR)
+$(CONFIG_TAR): $(shell find $(C) -type f -print0 | xargs -0)
+	date --utc "+%Y-%m-%dT%H:%M:%SZ" >$(C)/.build
+	fakeroot -- tar cf $@ --exclude .gitkeep -C $(C) .
+
+$(ROOTFS): $(ROOTFS_TAR) $(FIRMWARE_TAR) $(MODULES_TAR) $(CONFIG_TAR)
 	$(RM) $@
 	truncate -s $(ROOTFS_SIZE) $@
-	$(S)/mkfsimage.sh $@ 0 ext4 rootfs $(ROOTFS_TAR) $(FIRMWARE_TAR):/lib/firmware/ $(MODULES_TAR):/lib/modules/ config
+	$(S)/mkfsimage.sh $@ 0 ext4 rootfs $(ROOTFS_TAR) $(FIRMWARE_TAR):/lib/firmware/ $(MODULES_TAR):/lib/modules/ config.tar
 
 clean:
 	$(RM) $(A)/*
diff --git a/README.md b/README.md
index 3d64958..23793ba 100644
--- a/README.md
+++ b/README.md
@@ -14,18 +14,21 @@ image has been tested on an Anbernic RG35XX Plus portable console.
 
 The scripts require the following software:
 
-- `make` (specifically, GNU Make) to orchestrate the build and track dependencies
-- `python3` to run some of the provided scripts; only modules from the standard
-  library are used
+- `make` (specifically, GNU Make) to orchestrate the build and track
+  dependencies
+- `python3` to run some of the provided scripts; only modules from the
+  standard library are used
 - `sgdisk` to manipulate GPT partition tables
 - `guestfish` to manipulate filesystem images without root privileges
+- `fakeroot` to inject custom configuration files into the rootfs image
+  without root privileges
 - `podman` to provide an Alpine Linux environment
 - `qemu-user-static-aarch64` to enable `podman` to run aarch64 container
   images on a different architecture like x86_64
 
-An image of a stock SD card is required in order to extract components that are
-specific to the H700 SoC that do not have open source alternatives yet; those
-components are:
+An image of a stock SD card is required in order to extract components that
+are specific to the H700 SoC that do not have open source alternatives yet;
+those components are:
 
 - the SPL
 - the U-Boot bootloader
@@ -48,9 +51,11 @@ A good staring point would be something like this (replace `$ssid` and
 ```shell
 mkdir -p config/etc/wpa_supplicant
 wpa_passphrase '$ssid' '$password' >config/etc/wpa_supplicant/wpa_supplicant.conf
+chmod 600 config/etc/wpa_supplicant/wpa_supplicant.conf
 
 mkdir -p config/root/.ssh
 cat ~/.ssh/id_*.pub >config/root/.ssh/authorized_keys
+chmod 700 config/root config/root/.ssh
 ```
 
 ### Stock SD card image
diff --git a/config/.gitkeep b/config/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/config/etc/motd b/config/etc/motd
deleted file mode 100644
index 0ff9c60..0000000
--- a/config/etc/motd
+++ /dev/null
@@ -1,11 +0,0 @@
-Welcome to Alpine!
-
-This is an unofficial port to the Allwinner H700 SoC: please report
-issues to https://github.com/mporrato/alpine-h700 .
-
-The Alpine Wiki contains a large amount of how-to guides and general
-information about administrating Alpine systems.
-See <https://wiki.alpinelinux.org/>.
-
-You may change this message by editing /etc/motd.
-
diff --git a/scripts/_build.sh b/scripts/_build.sh
index b94f1f6..09e0c18 100755
--- a/scripts/_build.sh
+++ b/scripts/_build.sh
@@ -9,8 +9,21 @@ trap 'rm -rf "$target"' 0
 apk update
 apk -X "$(awk '/\/alpine\/[^\/]+\/main$/{print;exit}' /etc/apk/repositories)" \
     --keys-dir /etc/apk/keys -U -p "$target/" --initdb \
-    add alpine-base alpine-release ca-certificates wpa_supplicant dropbear
+    add alpine-base alpine-release ca-certificates wpa_supplicant dropbear dropbear-scp
 cp /etc/apk/repositories "$target/etc/apk/"
+cat >"$target/etc/motd" <<__EOF__
+Welcome to Alpine!
+
+This is an unofficial port to the Allwinner H700 SoC: please report
+issues to https://github.com/mporrato/alpine-h700 .
+
+The Alpine Wiki contains a large amount of how-to guides and general
+information about administrating Alpine systems.
+See <https://wiki.alpinelinux.org/>.
+
+You may change this message by editing /etc/motd.
+
+__EOF__
 echo "nameserver 8.8.8.8" >"$target/etc/resolv.conf"
 sed -Ei 's/^(tty[0-9]+:)/#\1/;s/^#ttyS0:/ttyS0:/' "$target/etc/inittab"
 echo h700 >"$target/etc/hostname"