diff --git a/docs/example.ks b/docs/example.ks new file mode 100644 index 0000000..819e1f3 --- /dev/null +++ b/docs/example.ks 
@@ -0,0 +1,110 @@ +text + +# Basic partitioning +clearpart --all --initlabel --disklabel=gpt +part prepboot --size=4 --fstype=prepboot +part biosboot --size=1 --fstype=biosboot +part /boot/efi --size=100 --fstype=efi +part /boot --size=1000 --fstype=ext4 --label=boot +part / --grow --fstype xfs + +ostreecontainer --url quay.io/centos-boot/fedora-tier-1:eln --no-signature-verification + +firewall --disabled +services --enabled=sshd + +# Only inject a SSH key for root +rootpw --iscrypted locked +# Add your example SSH key here! +#sshkey --username root "ssh-ed25519 demo@example.com" +reboot + +# ONLY SCROLL PAST HERE TO SEE THE TEMPORARY UGLY HACKS + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +# Install via bootupd - TODO change anaconda to auto-detect this +bootloader --location=none --disabled +%post +# Work around anaconda wanting a root password +passwd -l root +/usr/bin/bootupctl backend install --device /dev/vda / +mkdir -p /boot/grub2 +# Work around https://github.com/coreos/bootupd/pull/536 not being merged yet +base64 -d >/boot/grub2/grub.cfg << EOF +IyBUaGlzIGZpbGUgaXMgY29waWVkIGZyb20gaHR0cHM6Ly9naXRodWIuY29tL2NvcmVvcy9jb3Jl +b3MtYXNzZW1ibGVyL2Jsb2IvbWFpbi9zcmMvZ3J1Yi5jZmcKIyBDaGFuZ2VzOgojICAgLSBEcm9w +cGVkIElnbml0aW9uIGdsdWUsIHRoYXQgY2FuIGJlIGluamVjdGVkIGludG8gcGxhdGZvcm0uY2Zn +CiMgc2V0IHBhZ2VyPTEKIyBwZXRpdGJvb3QgZG9lc24ndCBzdXBwb3J0IC1lIGFuZCBkb2Vzbid0 +IHN1cHBvcnQgYW4gZW1wdHkgcGF0aCBwYXJ0CmlmIFsgLWQgKG1kL21kLWJvb3QpL2dydWIyIF07 +IHRoZW4KICAjIGZjY3QgY3VycmVudGx5IGNyZWF0ZXMgL2Jvb3QgUkFJRCB3aXRoIHN1cGVyYmxv +Y2sgMS4wLCB3aGljaCBhbGxvd3MKICAjIGNvbXBvbmVudCBwYXJ0aXRpb25zIHRvIGJlIHJlYWQg +ZGlyZWN0bHkgYXMgZmlsZXN5c3RlbXMuICBUaGlzIGlzCiAgIyBuZWNlc3NhcnkgYmVjYXVzZSB0 +cmFuc3Bvc2VmcyBkb2Vzbid0IHlldCByZXJ1biBncnViMi1pbnN0YWxsIG9uIEJJT1MsCiAgIyBz +byBHUlVCIHN0aWxsIGV4cGVjdHMgL2Jvb3QgdG8gYmUgYSBwYXJ0aXRpb24gb24gdGhlIGZpcnN0 +IGRpc2suCiAgIwogICMgVGhlcmUgYXJlIHR3byBjb25zZXF1ZW5jZXM6CiAgIyAxLiBPbiBCSU9T 
+IGFuZCBVRUZJLCB0aGUgc2VhcmNoIGNvbW1hbmQgbWlnaHQgcGljayBhbiBpbmRpdmlkdWFsIFJB +SUQKICAjICAgIGNvbXBvbmVudCwgYnV0IHdlIHdhbnQgaXQgdG8gdXNlIHRoZSBmdWxsIFJBSUQg +aW4gY2FzZSB0aGVyZSBhcmUgYmFkCiAgIyAgICBzZWN0b3JzIGV0Yy4gIFRoZSB1bmRvY3VtZW50 +ZWQgLS1oaW50IG9wdGlvbiBpcyBzdXBwb3NlZCB0byBzdXBwb3J0CiAgIyAgICB0aGlzIHNvcnQg +b2Ygb3ZlcnJpZGUsIGJ1dCBpdCBkb2Vzbid0IHNlZW0gdG8gd29yaywgc28gd2Ugc2V0ICRib290 +CiAgIyAgICBkaXJlY3RseS4KICAjIDIuIE9uIEJJT1MsIHRoZSAibm9ybWFsIiBtb2R1bGUgaGFz +IGFscmVhZHkgYmVlbiBsb2FkZWQgZnJvbSBhbgogICMgICAgaW5kaXZpZHVhbCBSQUlEIGNvbXBv +bmVudCwgYW5kICRwcmVmaXggc3RpbGwgcG9pbnRzIHRoZXJlLiAgV2Ugd2FudAogICMgICAgZnV0 +dXJlIG1vZHVsZSBsb2FkcyB0byBjb21lIGZyb20gdGhlIFJBSUQsIHNvIHdlIHJlc2V0ICRwcmVm +aXguCiAgIyAgICAoT24gVUVGSSwgdGhlIHN0dWIgZ3J1Yi5jZmcgaGFzIGFscmVhZHkgc2V0ICRw +cmVmaXggcHJvcGVybHkuKQogIHNldCBib290PW1kL21kLWJvb3QKICBzZXQgcHJlZml4PSgkYm9v +dCkvZ3J1YjIKZWxzZQogIGlmIFsgLWYgJHtjb25maWdfZGlyZWN0b3J5fS9ib290dXVpZC5jZmcg +XTsgdGhlbgogICAgc291cmNlICR7Y29uZmlnX2RpcmVjdG9yeX0vYm9vdHV1aWQuY2ZnCiAgZmkK +ICBpZiBbIC1uICIke0JPT1RfVVVJRH0iIF07IHRoZW4KICAgIHNlYXJjaCAtLWZzLXV1aWQgIiR7 +Qk9PVF9VVUlEfSIgLS1zZXQgYm9vdCAtLW5vLWZsb3BweQogIGVsc2UKICAgIHNlYXJjaCAtLWxh +YmVsIGJvb3QgLS1zZXQgYm9vdCAtLW5vLWZsb3BweQogIGZpCmZpCnNldCByb290PSRib290Cgpp +ZiBbIC1mICR7Y29uZmlnX2RpcmVjdG9yeX0vZ3J1YmVudiBdOyB0aGVuCiAgbG9hZF9lbnYgLWYg +JHtjb25maWdfZGlyZWN0b3J5fS9ncnViZW52CmVsaWYgWyAtcyAkcHJlZml4L2dydWJlbnYgXTsg +dGhlbgogIGxvYWRfZW52CmZpCgppZiBbIHgiJHtmZWF0dXJlX21lbnVlbnRyeV9pZH0iID0geHkg +XTsgdGhlbgogIG1lbnVlbnRyeV9pZF9vcHRpb249Ii0taWQiCmVsc2UKICBtZW51ZW50cnlfaWRf +b3B0aW9uPSIiCmZpCgpmdW5jdGlvbiBsb2FkX3ZpZGVvIHsKICBpZiBbIHgkZmVhdHVyZV9hbGxf +dmlkZW9fbW9kdWxlID0geHkgXTsgdGhlbgogICAgaW5zbW9kIGFsbF92aWRlbwogIGVsc2UKICAg +IGluc21vZCBlZmlfZ29wCiAgICBpbnNtb2QgZWZpX3VnYQogICAgaW5zbW9kIGllZWUxMjc1X2Zi +CiAgICBpbnNtb2QgdmJlCiAgICBpbnNtb2QgdmdhCiAgICBpbnNtb2QgdmlkZW9fYm9jaHMKICAg +IGluc21vZCB2aWRlb19jaXJydXMKICBmaQp9CgojIHRyYWNrZXI6IGh0dHBzOi8vZ2l0aHViLmNv 
+bS9jb3Jlb3MvZmVkb3JhLWNvcmVvcy10cmFja2VyL2lzc3Vlcy84MDUKaWYgWyAtZiAkcHJlZml4 +L3BsYXRmb3JtLmNmZyBdOyB0aGVuCiAgc291cmNlICRwcmVmaXgvcGxhdGZvcm0uY2ZnCmZpCgpp +ZiBbIHgkZmVhdHVyZV90aW1lb3V0X3N0eWxlID0geHkgXSA7IHRoZW4KICBzZXQgdGltZW91dF9z +dHlsZT1tZW51CiAgc2V0IHRpbWVvdXQ9MQojIEZhbGxiYWNrIG5vcm1hbCB0aW1lb3V0IGNvZGUg +aW4gY2FzZSB0aGUgdGltZW91dF9zdHlsZSBmZWF0dXJlIGlzCiMgdW5hdmFpbGFibGUuCmVsc2UK +ICBzZXQgdGltZW91dD0xCmZpCgojIEltcG9ydCB1c2VyIGRlZmluZWQgY29uZmlndXJhdGlvbgoj +IHRyYWNrZXI6IGh0dHBzOi8vZ2l0aHViLmNvbS9jb3Jlb3MvZmVkb3JhLWNvcmVvcy10cmFja2Vy +L2lzc3Vlcy84MDUKaWYgWyAtZiAkcHJlZml4L3VzZXIuY2ZnIF07IHRoZW4KICBzb3VyY2UgJHBy +ZWZpeC91c2VyLmNmZwpmaQoKYmxzY2ZnCgo= +EOF +%end diff --git a/docs/install.md b/docs/install.md index 57b2014..3151654 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -4,6 +4,67 @@ nav_order: 2 --- +## Operating system state (users, ssh keys) + +It's absolutely crucial to understand that the container image *is* the +operating system content. Notably the default `tier-1` image +[does not include cloud-init](cloud-agents.md) or Ignition or any default +recommended mechanism for provisioning user accountson its own. + +Commonly then you will want to build your own container image derived from e.g. +`quay.io/centos-boot/fedora-tier-1:eln` that adds a login mechanism. For +example, you could +[add cloud-init](https://gitlab.com/CentOS/cloud/sagano-examples/-/blob/main/cloud-init-base/Containerfile). + +However, it's also possible to embed SSH login configuration in the image, or +configure any login mechanism you desire in general! For example, you could set +up a VPN configuration in your operating system and ensure logins are only +possible over the VPN, etc. + +## Installation using Anaconda + +Tools like +[Anaconda](https://anaconda-installer.readthedocs.io/en/latest/intro.html) +support injecting configuration at image installation time, such as SSH keys and +passwords. This means that in contrast to what was said just before, it's +possible to directly install (and update from) an "unconfigured base image" +provided by this project. + +This hinges on the +[ostreecontainer](https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#ostreecontainer) +kickstart verb, which is new in Fedora 38; for example, there is a +[netinst.iso](https://dl.fedoraproject.org/pub/fedora/linux/releases/39/Everything/x86_64/iso/) +which can be scripted with kickstart. Because a current development target for +this project is [Fedora ELN](https://docs.fedoraproject.org/en-US/eln/), it's +also supported to use the ISO generated by that project. + +See [example.ks](example.ks) for an example Kickstart file. 
The +[virt-install --initrd-inject](https://github.com/virt-manager/virt-manager/blob/main/man/virt-install.rst#--initrd-inject) +helps inject kickstart for installation to virtual machines. + +## Using `bootc install-to-filesystem --replace=alongside` with a cloud image + +A toplevel goal of this project is that the "source of truth" for Linux +operating system management is a container image registry - as opposed to e.g. a +set of qcow2 OpenStack images or AMIs, etc. You should not need to maintain +infrastructure to e.g. manage garbage collection or versioning of cloud (IaaS) +VM images. + +The latest releases of `bootc` have support for +`bootc install-to-filesystem --replace=alongside`. More about this core mechanic +in the +[bootc install docs](https://github.com/containers/bootc/blob/main/docs/install.md). + +Here's an example set of steps to execute; this could be done via e.g. +[cloud-init](https://cloudinit.readthedocs.io/en/latest/reference/index.html) +configuration. + +```shell +dnf -y install podman skopeo +podman run --rm --privileged --pid=host -v /:/target --security-opt label=type:unconfined_t bootc install-to-filesystem --target-no-signature-verification --karg=console=ttyS0,115200n8 --replace=alongside /target +reboot +``` +
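Review bot: in the docs/example.ks hunk, the reference kickstart disables image signature verification (`ostreecontainer --url quay.io/centos-boot/fedora-tier-1:eln --no-signature-verification`) and the host firewall (`firewall --disabled`) without saying why; since this file is what readers will copy, add a comment on each of those lines stating they are for the unsigned demo image and a test VM only, and state what the verified form looks like once a signed image exists (the same verb without `--no-signature-verification`), so the weakened settings do not travel into real installs. Two smaller points in the same hunk: the `%post` section hardcodes `/usr/bin/bootupctl backend install --device /dev/vda /`, which only matches a virtio disk and will fail on any host whose root disk is not `/dev/vda`, so either derive the device or call out the assumption next to the `part` lines; and the bootloader config is written to `/boot/grub2/grub.cfg` from an opaque base64 blob tied to the bootupd PR 536 workaround, which nobody reading the docs can review. Committing the decoded grub.cfg as a plain file (its own first line says it is copied from coreos-assembler's `src/grub.cfg`) and `cat`-ing it, or at least documenting the decode step, would make the bootloader content reviewable. The thirty-odd empty lines after `# ONLY SCROLL PAST HERE TO SEE THE TEMPORARY UGLY HACKS` should be replaced by a one-line comment.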
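Review bot: in the docs/install.md hunk, the `podman run` example looks like it is missing the image reference: podman's syntax is `podman run [options] IMAGE [COMMAND...]`, and after `--security-opt label=type:unconfined_t` the next token is `bootc`, which podman will try to pull as the image name. The line should carry the container image being installed (for example the image derived from `quay.io/centos-boot/fedora-tier-1:eln` that the section above tells readers to build) before `bootc install-to-filesystem --replace=alongside /target`. The same command also passes `--target-no-signature-verification`; as with the kickstart, say that this is for the unsigned demo image and that the flag should be dropped when installing a signed image. Minor wording: "user accountson its own" is missing a space, and "The [virt-install --initrd-inject](...) helps inject kickstart" reads better as "The ... option helps inject the kickstart file".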