diff --git a/packages/static/kairos-overlay-files/collection.yaml b/packages/static/kairos-overlay-files/collection.yaml
index 00e9225..2778897 100644
--- a/packages/static/kairos-overlay-files/collection.yaml
+++ b/packages/static/kairos-overlay-files/collection.yaml
@@ -1,4 +1,4 @@
 packages:
 - name: "kairos-overlay-files"
   category: "static"
-  version: "1.1.35"
+  version: "1.1.36"
diff --git a/packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml b/packages/static/kairos-overlay-files/files/system/oem/99_sysext.yaml
similarity index 60%
rename from packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml
rename to packages/static/kairos-overlay-files/files/system/oem/99_sysext.yaml
index 77338a8..8dc3919 100644
--- a/packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml
+++ b/packages/static/kairos-overlay-files/files/system/oem/99_sysext.yaml
@@ -19,11 +19,20 @@ stages:
           group: 0
           content: |
             [Service]
+            # Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
             TimeoutStartSec=10
+            # override exec and reload to set the image policy
             ExecStart=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
             ExecReload=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
+            # set the sysext hierarchies so we dont overwrite our mount at /usr/local
+            # set them very specifically instead of a generic /usr/local as systemd <= 255 mounts the overlay as RO
+            # and we dont want the full /usr/local to be RO as we store state in there
+            # on systemd 256 we can control if they are mutable or not
+            Environment="SYSTEMD_SYSEXT_HIERARCHIES=/usr/local/bin:/usr/local/sbin:/usr/local/include:/usr/local/lib:/usr/local/share:/usr/local/src:/usr/bin:/usr/share:/usr/lib:/usr/include:/usr/src:/usr/sbin"
             [Unit]
+            # Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
             JobRunningTimeoutSec=5
+  initramfs.after:
     - name: "systemd-sysext initramfs settings"
       if: '[ -e "/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ] || [ -e "/usr/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ]'
       systemctl:
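Review bot: The new `Environment="SYSTEMD_SYSEXT_HIERARCHIES=..."` line puts `/usr/local/bin` and `/usr/local/sbin` under sysext control, so anything merged there shadows the system binaries further down PATH, while the `--image-policy` on the `ExecStart`/`ExecReload` lines only constrains disk images: as far as I know, plain directory extensions dropped into the extension search paths are merged without any signature check, so the write permissions on those directories are the real control and this drop-in should say so, e.g. `# NOTE: --image-policy covers DDIs only; directory extensions under /var/lib/extensions or /run/extensions are merged unverified, so those paths must stay root-writable only`. The comment block above the Environment line also explains that `/usr/local` holds state and that the overlay is read-only on systemd <= 255, but `/usr/local/lib` and `/usr/local/share` are in the list and would become read-only by that same mechanism, so it is worth confirming in the comment that no persistent state lives in any listed subdirectory. The two "Make it timeout early" comments and the `TimeoutStartSec=10`/`JobRunningTimeoutSec=5` pair imply the service fails open (boot continues without extensions when keys are unavailable), which is a reasonable availability choice but deserves one explicit line such as `# On timeout boot proceeds with no extensions merged (fail-open by design)`. Minor style: "dont" should be "don't" in the comments written into the unit file, and the enclosing `initramfs` stage and the new `initramfs.after` stage both start or end outside this hunk.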