diff --git a/packages/static/kairos-overlay-files/collection.yaml b/packages/static/kairos-overlay-files/collection.yaml
index 252ce27..c131600 100644
--- a/packages/static/kairos-overlay-files/collection.yaml
+++ b/packages/static/kairos-overlay-files/collection.yaml
@@ -1,4 +1,4 @@
 packages:
 - name: "kairos-overlay-files"
 category: "static"
- version: "1.6.8"
+ version: "1.7.0"
diff --git a/packages/static/kairos-overlay-files/files/system/oem/00_rootfs.yaml b/packages/static/kairos-overlay-files/files/system/oem/00_rootfs.yaml
index 31e1202..b8eb23e 100644
--- a/packages/static/kairos-overlay-files/files/system/oem/00_rootfs.yaml
+++ b/packages/static/kairos-overlay-files/files/system/oem/00_rootfs.yaml
@@ -54,6 +54,7 @@ stages:
 /var/lib/snapd
 /var/lib/tailscale
 /var/lib/wicked
+ /var/lib/kairos
 /var/log
 /var/run/cilium
 /var/snap
@@ -106,6 +107,7 @@ stages:
 /var/lib/snapd
 /var/lib/tailscale
 /var/lib/wicked
+ /var/lib/kairos
 /var/log
 /var/run/cilium
 /var/snap
diff --git a/packages/static/kairos-overlay-files/files/system/oem/00_rootfs_uki.yaml b/packages/static/kairos-overlay-files/files/system/oem/00_rootfs_uki.yaml
index 7259c58..eecf04e 100644
--- a/packages/static/kairos-overlay-files/files/system/oem/00_rootfs_uki.yaml
+++ b/packages/static/kairos-overlay-files/files/system/oem/00_rootfs_uki.yaml
@@ -47,6 +47,7 @@ stages:
 /var/lib/rancher
 /var/lib/snapd
 /var/lib/wicked
+ /var/lib/kairos
 /var/log
 /var/snap
 - if: '[ -e "/run/cos/uki_boot_mode" ] && ([ -e "/run/cos/recovery_mode" ] || [ -e "/run/cos/autoreset_mode" ])'
diff --git a/packages/static/kairos-overlay-files/files/system/oem/99_sysext.yaml b/packages/static/kairos-overlay-files/files/system/oem/99_sysext.yaml
index f1db9d9..cd7fd12 100644
--- a/packages/static/kairos-overlay-files/files/system/oem/99_sysext.yaml
+++ b/packages/static/kairos-overlay-files/files/system/oem/99_sysext.yaml
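Review bot: `/var/lib/kairos` is appended after `/var/lib/wicked` in the 00_rootfs.yaml hunk at line 54, although the surrounding `/var/lib/*` entries read in alphabetical order; the same applies to the second hunk at line 106 and to the 00_rootfs_uki.yaml hunk. Placing it ahead of `/var/lib/snapd` (the start of the list is outside these hunks, so its exact slot cannot be confirmed here) keeps the list scannable and makes accidental duplicates easier to spot. Nothing on the page says what Kairos keeps under that directory; these lines appear to sit inside a block scalar where a `#` would become part of the value, so a short note above the stage's `content:` key (outside the hunk) saying what state lives there and why it belongs in this list would help the next reader.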
@@ -13,7 +13,7 @@ stages:
 - name: "systemd-sysext uki config"
 if: '[ -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
 files:
- - path: /etc/systemd/system/systemd-sysext.service.d/uki.conf
+ - path: /etc/systemd/system/systemd-sysext.service.d/kairos-uki.conf
 permissions: 0644
 owner: 0
 group: 0
@@ -22,7 +22,9 @@ stages:
 # Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
 TimeoutStartSec=10
 # override exec and reload to set the image policy
+ ExecStart=
 ExecStart=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
+ ExecReload=
 ExecReload=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
 # set the sysext hierarchies so we dont overwrite our mount at /usr/local
 # set them very specifically instead of a generic /usr/local as systemd <= 255 mounts the overlay as RO
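Review bot: The drop-in is now written as `kairos-uki.conf`, but nothing in the commit removes the `uki.conf` that earlier versions wrote to the same directory. If that directory can carry the old file across an upgrade (whether `/etc/systemd/system` is recreated on every boot for this image is not visible here), systemd would load both drop-ins and the stale one would keep contributing its own `ExecStart=`/`ExecReload=` lines. Either a cleanup of the old path in this stage or a note in the commit message that the directory is ephemeral would settle it.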
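Review bot: The added `ExecStart=` and `ExecReload=` empty assignments in the hunk at line 22 look like no-ops to a casual reader and are easy to delete by mistake; the comment just above them, `# override exec and reload to set the image policy`, should say why they are there, e.g. `# empty assignment first: it clears the unit's stock ExecStart/ExecReload so the drop-in replaces the command instead of adding a second one`. Without the reset the unit's stock command would remain in effect alongside the policy-restricted one, which is presumably what the commit is fixing. The `content: |` block these lines belong to starts and ends outside the hunk.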
@@ -32,8 +34,32 @@ stages:
 [Unit]
 # Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
 JobRunningTimeoutSec=5
+ - name: "systemd-sysext config"
+ if: '[ ! -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
+ files:
+ - path: /etc/systemd/system/systemd-sysext.service.d/kairos.conf
+ permissions: 0644
+ owner: 0
+ group: 0
+ content: |
+ [Service]
+ # Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
+ TimeoutStartSec=10
+ # override exec and reload to set the image policy
+ ExecStart=
+ ExecStart=systemd-sysext refresh --image-policy="root=verity+absent:usr=verity+absent"
+ ExecReload=
+ ExecReload=systemd-sysext refresh --image-policy="root=verity+absent:usr=verity+absent"
+ # set the sysext hierarchies so we dont overwrite our mount at /usr/local
+ # set them very specifically instead of a generic /usr/local as systemd <= 255 mounts the overlay as RO
+ # and we dont want the full /usr/local to be RO as we store state in there
+ # on systemd 256 we can control if they are mutable or not
+ Environment="SYSTEMD_SYSEXT_HIERARCHIES=/usr/local/bin:/usr/local/sbin:/usr/local/include:/usr/local/lib:/usr/local/share:/usr/local/src:/usr/bin:/usr/share:/usr/lib:/usr/include:/usr/src:/usr/sbin"
+ [Unit]
+ # Make it timeout early to avoid blocking boot if keys are not in there to unlock sysext
+ JobRunningTimeoutSec=5
 - name: "systemd-sysext set hierarchy system-wide"
- if: '[ -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
+ if: '[ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
 files:
 - path: /etc/profile.d/systemd-sysext.sh
 permissions: 0644
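Review bot: The new non-UKI drop-in `kairos.conf` sets `--image-policy="root=verity+absent:usr=verity+absent"`, dropping the `+signed` requirement that the UKI variant keeps, and nothing in the hunk records that this is deliberate. A comment above its ExecStart such as `# non-UKI boots: require dm-verity integrity only; signature enforcement is applied on the UKI path — confirm this matches the intended trust model` would keep the weaker policy from being read as a typo. The stage otherwise repeats the UKI stage's drop-in line for line except for the path and the policy string; a pointer comment naming the sibling stage (or a single shared definition) would help the two stay in step, given that the UKI copy above had to gain its `ExecStart=`/`ExecReload=` resets in a separate hunk. The widened `if:` on `systemd-sysext set hierarchy system-wide` is consistent with the new stage's condition.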