diff --git a/roles/install_arch/files/pacman-init.service b/roles/install_arch/files/pacman-init.service
new file mode 100644
index 0000000000000000000000000000000000000000..e064df40785fe0ecc7c490c3f6e2c94335807ef3
--- /dev/null
+++ b/roles/install_arch/files/pacman-init.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Initializes Pacman keyring
+Before=sshd.service
+ConditionFirstBoot=yes
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/pacman-key --init
+ExecStart=/usr/bin/pacman-key --populate archlinux
+
+[Install]
+WantedBy=multi-user.target
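Review bot: `ConditionFirstBoot=yes` in `[Unit]` gives the keyring exactly one chance to be built: if either `ExecStart=` line fails on the first boot, no later boot retries it, and because the tasks in this same commit delete the install-time `/etc/pacman.d/gnupg`, the host is left with no pacman trust database at all. That fails closed for package signature checks, but it is the state in which an operator is tempted to loosen `SigLevel`, so the manual recovery (re-running the two `pacman-key` commands) should be documented next to the unit. One plausible cause of failure is a wrong clock at first boot, since GnuPG refuses keys that appear to be created in the future; adding `After=time-sync.target` would narrow that window, though whether a time-sync service is enabled in this image is not visible here. I would also add a header comment stating the apparent intent, e.g. `# Generate a per-host pacman master key on first boot; the installer's keyring is removed so its private key is not shared between machines.`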
diff --git a/roles/install_arch/tasks/main.yml b/roles/install_arch/tasks/main.yml
index e18abe617e4c9c4465bb2888fbc7509540831916..7ac0656ab147910b0ade88d9de02695162e7a974 100644
--- a/roles/install_arch/tasks/main.yml
+++ b/roles/install_arch/tasks/main.yml
@@ -150,8 +150,17 @@
   register: chroot_grub_mkconfig
   changed_when: "chroot_grub_mkconfig.rc == 0"
 
+- name: setup pacman-init.service on first boot
+  copy: src=pacman-init.service dest=/mnt/etc/systemd/system/ owner=root group=root mode=0644
+
+- name: remove generated keyring in the installation process
+  file: path=/mnt/etc/pacman.d/gnupg state=absent
+
+- name: make sure /etc/machine-id is absent
+  file: path=/mnt/etc/machine-id state=absent
+
 - name: enable services inside chroot
-  command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer
+  command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer pacman-init
   register: chroot_systemd_services
   changed_when: "chroot_systemd_services.rc == 0"