diff --git a/packages/by-name/image-podvm/package.nix b/packages/by-name/image-podvm/package.nix
index 44a6a0aec..acf8d5326 100644
--- a/packages/by-name/image-podvm/package.nix
+++ b/packages/by-name/image-podvm/package.nix
@@ -3,9 +3,8 @@ { lib, - nixos, - pkgs, jq, + mkNixosConfig, withDebug ? true, withGPU ? false,
@@ -13,52 +12,17 @@ }: let - # We write this placeholder into the command line and replace it with the real root hash - # after the image is built. roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8"; - - # 'nixos' uses 'pkgs' from the point in time where nixpkgs function is evaluated. According - # to the documentation, we should be able to overwrite 'pkgs' by setting nixpkgs.pkgs in - # the config, but that doesn't seem to work. We use an overlay for now instead. - # TODO(katexochen): Investigate why the config option doesn't work. - outerPkgs = pkgs; in -(nixos ( - { modulesPath, ... }: - - { - imports = [ - "${modulesPath}/image/repart.nix" - "${modulesPath}/system/boot/uki.nix" - ./azure.nix - ./debug.nix - ./gpu.nix - ./image.nix - ./kata.nix - ./system.nix - ]; - - contrast.debug.enable = withDebug; - contrast.gpu.enable = withGPU; - contrast.azure.enable = withCSP == "azure"; +(mkNixosConfig { + inherit roothashPlaceholder; - # TODO(katexochen): imporve, see comment above. - nixpkgs.overlays = [ - (_self: _super: { - inherit (outerPkgs) - azure-no-agent - cloud-api-adaptor - kernel-podvm-azure - pause-bundle - ; - inherit (outerPkgs.kata) kata-agent; - }) - ]; + contrast.debug.enable = withDebug; + contrast.gpu.enable = withGPU; + contrast.azure.enable = withCSP == "azure"; - boot.kernelParams = [ "roothash=${roothashPlaceholder}" ]; - } -)).image.overrideAttrs +}).image.overrideAttrs (oldAttrs: { nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ jq ]; # Replace the placeholder with the real root hash.
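Review bot: The comment explaining that `roothashPlaceholder` is a fixed dummy value written into the kernel command line and swapped for the real root hash after the image is built was removed together with the old module body, but the binding and the `jq`-based replacement in `overrideAttrs` that depends on it remain, so a reader of the new file now meets an unexplained 64-hex-digit literal. I'd keep a short note above the binding, e.g. `# Dummy value handed to mkNixosConfig; the overrideAttrs below replaces it with the real root hash once the image is built.`. Note also that mkNixosConfig defaults `roothashPlaceholder` to `""` and then emits no `roothash=` parameter at all, so this caller has to keep passing it explicitly for the root hash to end up on the command line. The `overrideAttrs` body continues past the end of the hunk.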
diff --git a/packages/by-name/mkNixosConfig/package.nix b/packages/by-name/mkNixosConfig/package.nix
new file mode 100644
index 000000000..d5d486cd3
--- /dev/null
+++ b/packages/by-name/mkNixosConfig/package.nix
@@ -0,0 +1,60 @@
+# Copyright 2024 Edgeless Systems GmbH
+# SPDX-License-Identifier: AGPL-3.0-only
+
+{
+ lib,
+ nixos,
+ pkgs,
+}:
+
+{
+ # If set, placeholder is written into the command line roothash parameter.
+ # Used for building verity protected images.
+ roothashPlaceholder ? "",
+
+ ...
+}@args:
+
+let
+ # 'nixos' uses 'pkgs' from the point in time where nixpkgs function is evaluated. According
+ # to the documentation, we should be able to overwrite 'pkgs' by setting nixpkgs.pkgs in
+ # the config, but that doesn't seem to work. We use an overlay for now instead.
+ # TODO(katexochen): Investigate why the config option doesn't work.
+ outerPkgs = pkgs;
+
+ readModulesDir =
+ dir:
+ lib.pipe (builtins.readDir dir) [
+ (lib.filterAttrs (_filename: type: type == "regular"))
+ (lib.mapAttrsToList (filename: _type: "${dir}/$(unknown)"))
+ ];
+
+ args' = lib.removeAttrs args [ "roothashPlaceholder" ];
+in
+
+(nixos (
+ { modulesPath, ... }:
+
+ {
+ imports = [
+ "${modulesPath}/image/repart.nix"
+ "${modulesPath}/system/boot/uki.nix"
+ ] ++ readModulesDir ../../nixos;
+
+ # TODO(katexochen): imporve, see comment above.
+ nixpkgs.overlays = [
+ (_self: _super: {
+ inherit (outerPkgs)
+ azure-no-agent
+ cloud-api-adaptor
+ kernel-podvm-azure
+ pause-bundle
+ ;
+ inherit (outerPkgs.kata) kata-agent;
+ })
+ ];
+
+ boot.kernelParams = lib.optional (roothashPlaceholder != "") "roothash=${roothashPlaceholder}";
+ }
+ // args'
+))
diff --git a/packages/default.nix b/packages/default.nix
index 93b7a8af4..4ff52ff3a 100644
--- a/packages/default.nix
+++ b/packages/default.nix
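Review bot: The trailing `// args'` is a shallow attribute-set update, so a caller that passes any `boot` or `nixpkgs` attribute (for instance its own `boot.kernelParams`) replaces that whole nested set and silently drops the `roothash=` parameter or the overlay instead of merging with them. Since the result already goes through the NixOS module system, where list options merge, I'd feed the caller's config in as one more module, `] ++ readModulesDir ../../nixos ++ [ args' ];`, and remove the `// args'`. Separately, `readModulesDir` filters only on `type == "regular"`, so every file placed in `packages/nixos/`, not just `.nix` modules, becomes part of the image configuration, and the explicit module list the old code had is gone; tightening the filter to `(lib.filterAttrs (filename: type: type == "regular" && lib.hasSuffix ".nix" filename))` keeps a stray file from being evaluated as a module. The path template in `mapAttrsToList` appears here as `"${dir}/$(unknown)"`, which looks like a rendering artifact rather than the committed text.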
@@ -15,7 +15,7 @@ let containers = callPackages ./containers.nix { pkgs = pkgs'; }; scripts = callPackages ./scripts.nix { pkgs = pkgs'; }; contrast-releases = callPackages ./contrast-releases.nix { }; - image-podvm = callPackage ./by-name/image-podvm/package.nix { pkgs = pkgs'; }; + mkNixosConfig = callPackage ./by-name/mkNixosConfig/package.nix { pkgs = pkgs'; }; microsoft = self'.microsoft // { genpolicy = pkgs.pkgsStatic.callPackage ./by-name/microsoft/genpolicy/package.nix { }; cloud-hypervisor = pkgs.pkgsStatic.callPackage ./by-name/microsoft/cloud-hypervisor/package.nix { };
diff --git a/packages/by-name/image-podvm/azure.nix b/packages/nixos/azure.nix
similarity index 100%
rename from packages/by-name/image-podvm/azure.nix
rename to packages/nixos/azure.nix
diff --git a/packages/by-name/image-podvm/debug.nix b/packages/nixos/debug.nix
similarity index 100%
rename from packages/by-name/image-podvm/debug.nix
rename to packages/nixos/debug.nix
diff --git a/packages/by-name/image-podvm/gpu.nix b/packages/nixos/gpu.nix
similarity index 100%
rename from packages/by-name/image-podvm/gpu.nix
rename to packages/nixos/gpu.nix
diff --git a/packages/by-name/image-podvm/image.nix b/packages/nixos/image.nix
similarity index 100%
rename from packages/by-name/image-podvm/image.nix
rename to packages/nixos/image.nix
diff --git a/packages/by-name/image-podvm/kata.nix b/packages/nixos/kata.nix
similarity index 100%
rename from packages/by-name/image-podvm/kata.nix
rename to packages/nixos/kata.nix
diff --git a/packages/by-name/image-podvm/system.nix b/packages/nixos/system.nix
similarity index 100%
rename from packages/by-name/image-podvm/system.nix
rename to packages/nixos/system.nix