diff --git a/packages/by-name/buildVerityUKI/package.nix b/packages/by-name/buildVerityUKI/package.nix
new file mode 100644
index 000000000..cd9ba87f7
--- /dev/null
+++ b/packages/by-name/buildVerityUKI/package.nix
@@ -0,0 +1,27 @@
+# Copyright 2024 Edgeless Systems GmbH
+# SPDX-License-Identifier: AGPL-3.0-only
+
+{ lib, jq }:
+
+let
+ roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8";
+in
+
+nixos-config:
+
+(nixos-config.override {
+ # Inject the `roothash` parameter into the kernel command line,
+ # using a placeholder for the verity root hash.
+ boot.kernelParams = lib.optional (roothashPlaceholder != "") "roothash=${roothashPlaceholder}";
+}).image.overrideAttrs
+ (oldAttrs: {
+ nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ jq ];
+ # Replace the placeholder with the real root hash.
+ # The real root hash is only known after we build the image, so this
+ # is injected into the derivation that builds the image.
+ # Only replace first occurrence, or integrity of erofs will be compromised.
+ postInstall = ''
+ realRoothash=$(${lib.getExe jq} -r "[.[] | select(.roothash != null)] | .[0].roothash" $out/repart-output.json)
+ sed -i "0,/${roothashPlaceholder}/ s/${roothashPlaceholder}/$realRoothash/" $out/${oldAttrs.pname}_${oldAttrs.version}.raw
+ '';
+ })
diff --git a/packages/by-name/image-podvm/package.nix b/packages/by-name/image-podvm/package.nix
index acf8d5326..26729aa10 100644
--- a/packages/by-name/image-podvm/package.nix
+++ b/packages/by-name/image-podvm/package.nix
@@ -2,8 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 {
- lib,
- jq,
+ buildVerityUKI,
 mkNixosConfig,
 withDebug ? true,
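Review bot: `realRoothash` in `postInstall` is never validated before it is spliced into the image, so if repart-output.json carries no entry with a roothash, `jq -r` prints `null` and the `sed` silently writes `roothash=null` into the kernel command line while the build still succeeds. I would guard it before the `sed` with `[[ "$realRoothash" =~ ^[0-9a-f]{64}$ ]] || { echo "no verity roothash found in repart-output.json" >&2; exit 1; }`. The substitution also rests on two unstated invariants that deserve a comment next to the existing "Only replace first occurrence" line: the replacement must be exactly as long as the placeholder (both 64 hex characters) because this is a byte-level edit of a raw disk image, and "first occurrence" only hits the UKI command line if that partition precedes every other copy of the placeholder in the image — worth stating as an assumption rather than leaving it implicit. Separately, the `lib.optional (roothashPlaceholder != "")` guard is dead now that the placeholder is a fixed non-empty literal in this file; `boot.kernelParams = [ "roothash=${roothashPlaceholder}" ];` reads clearer.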
@@ -11,24 +10,10 @@
 withCSP ? "azure",
 }:
 
-let
- roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8";
-in
-
-(mkNixosConfig {
- inherit roothashPlaceholder;
-
- contrast.debug.enable = withDebug;
- contrast.gpu.enable = withGPU;
- contrast.azure.enable = withCSP == "azure";
-
-}).image.overrideAttrs
- (oldAttrs: {
- nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ jq ];
- # Replace the placeholder with the real root hash.
- # Only replace first occurrence, or integrity of erofs will be compromised.
- postInstall = ''
- realRoothash=$(${lib.getExe jq} -r "[.[] | select(.roothash != null)] | .[0].roothash" $out/repart-output.json)
- sed -i "0,/${roothashPlaceholder}/ s/${roothashPlaceholder}/$realRoothash/" $out/${oldAttrs.pname}_${oldAttrs.version}.raw
- '';
- })
+buildVerityUKI (mkNixosConfig {
+ contrast = {
+ debug.enable = withDebug;
+ gpu.enable = withGPU;
+ azure.enable = withCSP == "azure";
+ };
+})
diff --git a/packages/by-name/mkNixosConfig/package.nix b/packages/by-name/mkNixosConfig/package.nix
index d5d486cd3..1e00b77a2 100644
--- a/packages/by-name/mkNixosConfig/package.nix
+++ b/packages/by-name/mkNixosConfig/package.nix
@@ -7,14 +7,6 @@
 pkgs,
 }:
 
-{
- # If set, placeholder is written into the command line roothash parameter.
- # Used for building verity protected images.
- roothashPlaceholder ? "",
-
- ...
-}@args:
-
 let
 # 'nixos' uses 'pkgs' from the point in time where nixpkgs function is evaluated. According
 # to the documentation, we should be able to overwrite 'pkgs' by setting nixpkgs.pkgs in
@@ -28,33 +20,33 @@ let
 (lib.filterAttrs (_filename: type: type == "regular"))
 (lib.mapAttrsToList (filename: _type: "${dir}/$(unknown)"))
 ];
-
- args' = lib.removeAttrs args [ "roothashPlaceholder" ];
 in
 
-(nixos (
- { modulesPath, ... }:
-
- {
- imports = [
- "${modulesPath}/image/repart.nix"
- "${modulesPath}/system/boot/uki.nix"
- ] ++ readModulesDir ../../nixos;
-
- # TODO(katexochen): imporve, see comment above.
- nixpkgs.overlays = [
- (_self: _super: {
- inherit (outerPkgs)
- azure-no-agent
- cloud-api-adaptor
- kernel-podvm-azure
- pause-bundle
- ;
- inherit (outerPkgs.kata) kata-agent;
- })
- ];
-
- boot.kernelParams = lib.optional (roothashPlaceholder != "") "roothash=${roothashPlaceholder}";
- }
- // args'
-))
+lib.makeOverridable (
+ args:
+ nixos (
+ { modulesPath, ... }:
+
+ {
+ imports = [
+ "${modulesPath}/image/repart.nix"
+ "${modulesPath}/system/boot/uki.nix"
+ ] ++ readModulesDir ../../nixos;
+
+ # TODO(katexochen): imporve, see comment above.
+ nixpkgs.overlays = [
+ (_self: _super: {
+ inherit (outerPkgs)
+ azure-no-agent
+ cloud-api-adaptor
+ kernel-podvm-azure
+ pause-bundle
+ ;
+ inherit (outerPkgs.kata) kata-agent;
+ })
+ ];
+
+ }
+ // args
+ )
+)
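Review bot: `// args` at the end of the module is a shallow attribute-set merge, so any caller — or any `.override`, now that the function is wrapped in `lib.makeOverridable` — that passes `imports` or `nixpkgs` replaces this module's own `imports` / `nixpkgs.overlays` wholesale instead of having them merged by the module system; the same silent clobbering would, as far as I can tell, also occur between the original args and override args whenever both set different keys under one top-level attribute. Letting the module system merge avoids this: feed `args` in as its own module, `] ++ readModulesDir ../../nixos ++ [ args ];`, and drop the `// args` line. The `args` parameter also lost its documented shape in this change; a comment on the `lib.makeOverridable (` line such as `# makeOverridable so wrappers like buildVerityUKI can .override the NixOS config arguments` would tell readers why the indirection exists. The `"${dir}/$(unknown)"` in the context line looks like an extraction artifact of the page rather than the file's content, so I have not raised it.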