diff --git a/image.ks b/image.ks
index 2e0de2fa5a..5ef4171d8c 100644
--- a/image.ks
+++ b/image.ks
@@ -70,4 +70,35 @@ rm -f /var/lib/random-seed
 
 echo "Removing /root/anaconda-ks.cfg"
 rm -f /root/anaconda-ks.cfg
+
+# Replace /etc/fstab with mount units; mostly so we can easily enable the "ro"
+# flag for /boot without having to parse/rewrite /etc/fstab.  But we also
+# use the labels rather than anaconda's UUID defaults.
+cat > /etc/systemd/system/-.mount << EOF
+[Unit]
+Before=local-fs.target
+[Mount]
+Where=/
+What=/dev/disk/by-label/root
+Type=xfs
+EOF
+
+cat > /etc/systemd/system/boot.mount << EOF
+[Unit]
+Before=local-fs.target
+[Mount]
+Where=/boot
+What=/dev/disk/by-label/boot
+Type=xfs
+Options=ro
+EOF
+
+rm /etc/fstab
+
+# Enable readonly /sysroot,/boot: https://github.com/ostreedev/ostree/issues/1265
+cat >> /ostree/repo/config << EOF
+[sysroot]
+readonly=true
+EOF
+
 %end