diff --git a/scripts/_build-alarm.sh b/scripts/_build-alarm.sh
new file mode 100755
index 0000000..6ceec71
--- /dev/null
+++ b/scripts/_build-alarm.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# This script runs inside an aarch64 Arch Linux container and creates a
+# rootfs tarball with X11, RetroArch, and all dependencies for ES-DE.
+set -e
+
+target="$(mktemp -d)"
+trap 'rm -rf "$target"' 0
+
+# Initialize pacman keyring
+pacman-key --init
+pacman-key --populate archlinuxarm || true
+
+# Install base system + emulation stack
+pacstrap -c "$target" \
+    base \
+    linux-firmware \
+    networkmanager \
+    openssh \
+    sudo \
+    mesa \
+    xorg-server \
+    xorg-xinit \
+    xf86-video-fbdev \
+    retroarch \
+    retroarch-assets \
+    libretro-core-info \
+    exfatprogs \
+    fuse2 \
+    wget \
+    unzip \
+    htop \
+    nano
+
+# Configure hostname
+echo "h700" > "$target/etc/hostname"
+
+# Configure locale
+echo "en_US.UTF-8 UTF-8" > "$target/etc/locale.gen"
+chroot "$target" locale-gen
+echo "LANG=en_US.UTF-8" > "$target/etc/locale.conf"
+
+# Enable services
+chroot "$target" systemctl enable NetworkManager
+chroot "$target" systemctl enable sshd
+
+# Create emulation user
+chroot "$target" useradd -m -G wheel,video,audio,input -s /bin/bash emulation
+echo "emulation:emulation" | chroot "$target" chpasswd
+
+# Allow wheel group sudo
+echo "%wheel ALL=(ALL:ALL) NOPASSWD: ALL" > "$target/etc/sudoers.d/wheel"
+
+# Set DNS fallback
+echo "nameserver 8.8.8.8" > "$target/etc/resolv.conf"
+
+# MOTD
+cat > "$target/etc/motd" << '__EOF__'
+ALARM H700 Emulation Image
+SSH is available. Default user: emulation / emulation
+__EOF__
+
+tar cf "${1:-/tmp/rootfs.tar}" -C "$target" .
diff --git a/scripts/build-alarm-rootfs.sh b/scripts/build-alarm-rootfs.sh
new file mode 100755
index 0000000..56f6bbd
--- /dev/null
+++ b/scripts/build-alarm-rootfs.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Build an Arch Linux ARM rootfs tarball inside a podman aarch64 container.
+set -e
+
+outdir="${1:-./artifacts}"
+
+podman run --arch=aarch64 --security-opt=label=disable \
+    -v "$(realpath "$outdir"):/artifacts" \
+    -v "$(realpath ./scripts/_build-alarm.sh):/usr/local/bin/_build-alarm.sh" \
+    --rm "docker.io/lopsided/archlinux:latest" \
+    bash /usr/local/bin/_build-alarm.sh /artifacts/rootfs.tar