diff --git a/Makefile b/Makefile
index d39c4d3..673ede9 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,7 @@
 .PHONY: docker-image docker-shell
 
 BASE_DIR = $(shell pwd)
+BASE_BINDMOUNT = type=bind,source=$(BASE_DIR),target=/home/builder/citadel
 
 all: docker-image docker-shell
 
@@ -8,5 +9,9 @@ docker-image:
 	docker build -t citadel-builder scripts/docker
 
 docker-shell:
-	docker run -it --mount type=bind,source=$(BASE_DIR),target=/home/builder/citadel citadel-builder 
+	docker run -it --mount $(BASE_BINDMOUNT) citadel-builder 
+
+user-rootfs:
+	mkdir -p build/debootstrap
+	docker run -it --privileged --mount $(BASE_BINDMOUNT) citadel-builder sudo scripts/build-user-rootfs-stage-one | tee build/debootstrap/build-user-rootfs.log
 
diff --git a/scripts/build-user-rootfs-stage-one b/scripts/build-user-rootfs-stage-one
new file mode 100755
index 0000000..7850290
--- /dev/null
+++ b/scripts/build-user-rootfs-stage-one
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+
+#SCRIPT=$(realpath ${BASH_SOURCE})
+SCRIPT_DIR=$(dirname $(realpath ${BASH_SOURCE}))
+DBS_BASE=$(realpath ${SCRIPT_DIR}/../build/debootstrap)
+DBS_ROOT=${DBS_BASE}/rootfs
+CACHE_DIR=${DBS_BASE}/var-cache-apt-archives
+
+[[ -d ${DBS_ROOT} ]] && rm -rf ${DBS_ROOT}
+
+[[ -f ${CACHE_DIR}/lock ]] && rm -f ${CACHE_DIR}/lock
+mkdir -p ${CACHE_DIR} ${DBS_ROOT}/var/cache/apt/archives 
+mount --bind ${CACHE_DIR} ${DBS_ROOT}/var/cache/apt/archives
+
+debootstrap --verbose --merged-usr --variant=minbase --include=systemd-sysv,locales \
+    --exclude=sysv-rc,initscripts,startpar,lsb-base,insserv \
+    buster ${DBS_ROOT}
+
+mount chproc ${DBS_ROOT}/proc -t proc
+mount chsys ${DBS_ROOT}/sys -t sysfs
+
+cp --preserve=mode ${SCRIPT_DIR}/build-user-rootfs-stage-two ${DBS_ROOT}/root/install.sh
+
+DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true LC_ALL=C LANGUAGE=C LANG=C chroot ${DBS_ROOT} /root/install.sh
+rm -f ${DBS_ROOT}/root/install.sh
+
+umount ${DBS_ROOT}/proc
+umount ${DBS_ROOT}/sys
+umount ${DBS_ROOT}/var/cache/apt/archives
+rm -f ${DBS_ROOT}/var/cache/apt/pkgcache.bin
+rm -f ${DBS_ROOT}/var/cache/apt/srcpkgcache.bin
+
+printf "\n\n----- Generating compressed tarball (this will take a couple of minutes) -----\n\n"
+tar -C ${DBS_ROOT} -c --xattrs --xattrs-include=* -f ${DBS_BASE}/user-rootfs.tar .
+xz --force --threads=0 ${DBS_BASE}/user-rootfs.tar
+ls -al ${DBS_BASE}/user-rootfs.tar.xz
+printf "\n\n"
+
+
diff --git a/scripts/build-user-rootfs-stage-two b/scripts/build-user-rootfs-stage-two
new file mode 100755
index 0000000..8fce138
--- /dev/null
+++ b/scripts/build-user-rootfs-stage-two
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+PACKAGES="man manpages vim less xz-utils sudo tmux dbus libpam-systemd vifm openssh-client gnome-terminal packagekit-gtk3-module libcanberra-gtk3-module firefox"
+
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale LANG=en_US.UTF-8
+export LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_CTYPE=en_US.UTF-8
+
+mkdir -p /etc/systemd/user.conf.d
+printf '[Manager]\nDefaultEnvironment="DISPLAY=:0"\n' > /etc/systemd/user.conf.d/50-display-env.conf
+
+echo "subgraph" > /etc/hostname
+echo "deb http://http.debian.net/debian unstable main" >> /etc/apt/sources.list
+useradd -s /bin/bash -m user
+echo "user:user" | chpasswd 
+usermod -aG sudo user
+echo "export DISPLAY=:0" >> /home/user/.bashrc
+
+apt-get update
+apt-get --assume-yes upgrade
+apt-get --assume-yes --no-install-recommends install ${PACKAGES}
+
+printf "\n\nInstalled Packages\n\n"
+dpkg -l
diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
index b3ae61d..5aab4f9 100644
--- a/scripts/docker/Dockerfile
+++ b/scripts/docker/Dockerfile
@@ -26,6 +26,8 @@ RUN apt update && apt install -y gawk \
     libmpc-dev \
     libelf-dev \
     nano \
+    sudo \
+    debootstrap \
     inkscape
 
 # python
@@ -36,6 +38,7 @@ ENV LC_ALL en_US.UTF-8
 ENV LC_CTYPE en_US.UTF-8
 
 RUN useradd -ms /bin/bash builder
+RUN echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
 
 USER builder
 RUN echo ". /home/builder/citadel/setup-build-env" >> /home/builder/.bashrc