diff --git a/default.nix b/default.nix
index dfb5e3a..fc9fbf5 100644
--- a/default.nix
+++ b/default.nix
@@ -54,33 +54,30 @@ in rec {
       echo "NixPkgs Version: $nixpkgsVersion"      >> "$versionFile"
       echo "Build Platform:  $buildSystem"         >> "$versionFile"
 
-      mkdir -p "$out"/share
-      cp "$versionFile" "$out"/share
+      mkdir -p "$out"
+      cp "$versionFile" "$out"/version
     '';
   };
 
-  goBinaries = pkgs.buildGoModule {
-    pname = "isle-go-binaries";
-    version = "unstable";
+  entrypoint = {
+    systemRoot ? null,
+  }: (pkgs.buildGoModule {
+    pname = "isle-entrypoint";
+    version = builtins.readFile revisionFile;
 
     # If this seems pointless, that's because it is! buildGoModule doesn't like
     # it if the src derivation's name ends in "-go". So this mkDerivation here
     # only serves to give buildGoModule a src derivation with a name it likes.
-    src = pkgs.stdenv.mkDerivation {
-      name = "isle-go-src";
-      src = ./go;
-      builder = builtins.toFile "builder.sh" ''
-        source $stdenv/setup
-        cp -r "$src" "$out"
-      '';
-    };
+    src = pkgs.runCommand "isle-go-src" {} ''cp -r "${./go}" "$out"'';
 
     vendorHash = "sha256-uq+UgoVKqMUE4hEVlMFQnZuyFOilUyZDmiy7ASrq338=";
-
-    subPackages = [
-      "./cmd/entrypoint"
-    ];
-  };
+    subPackages = [ "./cmd/entrypoint" ];
+  }).overrideAttrs (prev: {
+    ldflags = prev.ldflags ++
+      (if builtins.isNull systemRoot
+      then []
+      else [ "-X main.systemRoot=${systemRoot}" ]);
+  });
 
   dnsmasq = (pkgs.callPackage ./nix/dnsmasq.nix {
     stdenv = pkgs.pkgsStatic.stdenv;
@@ -92,23 +89,24 @@ in rec {
     inherit pkgsNix buildSystem hostSystem;
   };
 
-  appDirBase = pkgs.buildEnv {
-    name = "isle-AppDir-base";
-    paths = [
-      ./AppDir
-      version
-      dnsmasq
-      nebula
-      garage
-      pkgs.minio-client
-    ];
-  };
+  appDirBase = pkgs.runCommand "isle-AppDir-base" {} ''
+    mkdir -p "$out"/usr/libexec/isle
+    cp ${dnsmasq}/bin/* "$out"/usr/libexec/isle
+    cp ${nebula}/bin/* "$out"/usr/libexec/isle
+    cp ${garage}/bin/* "$out"/usr/libexec/isle
+    cp ${pkgs.minio-client}/bin/* "$out"/usr/libexec/isle
 
-  appDir = pkgs.stdenv.mkDerivation {
+    cp ${./AppDir}/* "$out"/
+
+    mkdir -p "$out"/usr/share/isle
+    cp ${version}/* "$out"/usr/share/isle
+  '';
+
+  appDir = { systemRoot ? null, }: pkgs.stdenv.mkDerivation {
     name = "isle-AppDir";
 
     src = appDirBase;
-    inherit goBinaries;
+    entrypoint = entrypoint { inherit systemRoot; };
 
     builder = builtins.toFile "build.sh" ''
       source $stdenv/setup
@@ -116,7 +114,9 @@ in rec {
       chmod +w "$out" -R
 
       cd "$out"
-      cp $goBinaries/bin/entrypoint ./AppRun
+      mkdir -p ./usr/bin
+      cp $entrypoint/bin/entrypoint ./usr/bin/isle
+      ln -s ./usr/bin/isle ./AppRun
     '';
   };
 
@@ -147,7 +147,7 @@ in rec {
   build = rec {
     appImage = pkgs.stdenv.mkDerivation {
       name = "isle-AppImage";
-      src = appDir;
+      src = appDir {};
       inherit revisionFile;
 
       nativeBuildInputs = [ appimagekit ];
@@ -164,8 +164,9 @@ in rec {
     };
 
     archPkg = ((import ./dist/linux/arch) {
-      inherit hostSystem releaseName appImage;
+      inherit hostSystem releaseName;
       pkgs = pkgsNative;
+      appDir = appDir { systemRoot = "/"; };
     });
   };
 }
diff --git a/dist/linux/arch/default.nix b/dist/linux/arch/default.nix
index fb44ef1..ef2867e 100644
--- a/dist/linux/arch/default.nix
+++ b/dist/linux/arch/default.nix
@@ -2,7 +2,7 @@
   pkgs,
   hostSystem,
   releaseName,
-  appImage,
+  appDir,
 }: let
 
   cpuArch = (pkgs.lib.systems.parse.mkSystemFromString hostSystem).cpu.name;
@@ -16,24 +16,12 @@
     url="https://code.betamike.com/micropelago/isle"
     license=('AGPL-3.0-or-later')
 
-    depends=(
-      'fuse2'
-    )
-
-    # The appImage is deliberately kept separate from the src.tar.zst. For some
-    # reason including the appImage within the archive results in a large part
-    # of the binary being stripped away and some weird skeleton appImage comes
-    # out the other end.
-    source=('isle' 'src.tar.zst')
-    md5sums=('SKIP' 'SKIP')
-    noextract=('isle')
+    source=('src.tar.zst')
+    md5sums=('SKIP')
 
     package() {
       cp -r etc "$pkgdir"/etc
       cp -r usr "$pkgdir"/usr
-
-      mkdir -p "$pkgdir"/usr/bin/
-      cp isle "$pkgdir"/usr/bin/
     }
   '';
 
@@ -49,12 +37,15 @@ in
     ];
 
     inherit pkgbuild;
-    src = appImage;
+    src = appDir;
     defaultDaemonYml = ../../../go/daemon/daecommon/daemon.yml;
     systemdService = ../isle.service;
     dontUnpack = true;
 
     buildPhase = ''
+      cp -rL "$src" root
+      chmod -R +w root
+
       mkdir -p root/etc/isle/
       cp "$defaultDaemonYml" root/etc/isle/daemon.yml
 
@@ -69,7 +60,6 @@ in
       cp $pkgbuild PKGBUILD
 
       tar -cf src.tar.zst --zstd --mode=a+rX,u+w -C root .
-      cp "$src"/bin/isle isle
 
       PKGEXT=".pkg.tar.zst" CARCH="${cpuArch}" makepkg \
         --nodeps \
diff --git a/go/cmd/entrypoint/daemon.go b/go/cmd/entrypoint/daemon.go
index f455fef..7b7c6e2 100644
--- a/go/cmd/entrypoint/daemon.go
+++ b/go/cmd/entrypoint/daemon.go
@@ -43,7 +43,7 @@ var subCmdDaemon = subCmd{
 		networkLoader, err := network.NewLoader(
 			ctx,
 			ctx.logger.WithNamespace("network-loader"),
-			envBinDirPath,
+			getBinDirPath(),
 			nil,
 		)
 		if err != nil {
diff --git a/go/cmd/entrypoint/main.go b/go/cmd/entrypoint/main.go
index 1c8b65c..046b799 100644
--- a/go/cmd/entrypoint/main.go
+++ b/go/cmd/entrypoint/main.go
@@ -15,18 +15,30 @@ import (
 	"github.com/adrg/xdg"
 )
 
-func getAppDirPath() string {
-	appDirPath := os.Getenv("APPDIR")
-	if appDirPath == "" {
-		appDirPath = "."
+const systemRootPath = ""
+
+func getSystemRootPath() string {
+	if systemRootPath != "" {
+		return systemRootPath
 	}
-	return appDirPath
+
+	if appDirPath := os.Getenv("APPDIR"); appDirPath != "" {
+		return appDirPath
+	}
+
+	return "/"
+}
+
+func getBinDirPath() string {
+	return filepath.Join(getSystemRootPath(), "usr/libexec/isle")
+}
+
+func getShareDirPath() string {
+	return filepath.Join(getSystemRootPath(), "usr/share/isle")
 }
 
 var (
-	envAppDirPath = getAppDirPath()
-	envBinDirPath = filepath.Join(envAppDirPath, "bin")
-	envCacheDir   = sync.OnceValue(func() toolkit.Dir {
+	envCacheDir = sync.OnceValue(func() toolkit.Dir {
 		cacheHome, err := toolkit.MkDir(xdg.CacheHome, true)
 		if err != nil {
 			panic(fmt.Errorf("creating cache directory %q: %w", xdg.CacheHome, err))
@@ -42,7 +54,7 @@ var (
 )
 
 func binPath(name string) string {
-	return filepath.Join(envBinDirPath, name)
+	return filepath.Join(getBinDirPath(), name)
 }
 
 var rootCmd = subCmd{
diff --git a/go/cmd/entrypoint/version.go b/go/cmd/entrypoint/version.go
index 83187e5..67282cf 100644
--- a/go/cmd/entrypoint/version.go
+++ b/go/cmd/entrypoint/version.go
@@ -17,7 +17,7 @@ var subCmdVersion = subCmd{
 			return fmt.Errorf("parsing flags: %w", err)
 		}
 
-		versionPath := filepath.Join(envAppDirPath, "share/version")
+		versionPath := filepath.Join(getShareDirPath(), "version")
 
 		version, err := os.ReadFile(versionPath)
 		if err != nil {
diff --git a/go/daemon/network/network_it_util_test.go b/go/daemon/network/network_it_util_test.go
index 9253cbc..45a2f2d 100644
--- a/go/daemon/network/network_it_util_test.go
+++ b/go/daemon/network/network_it_util_test.go
@@ -28,7 +28,7 @@ var (
 		if appDirPath == "" {
 			panic("APPDIR not set")
 		}
-		return filepath.Join(appDirPath, "bin")
+		return filepath.Join(appDirPath, "usr/libexec/isle")
 	})
 
 	ipNetCounter          = new(atomic.Uint64)