diff --git a/packages.nix b/packages.nix
index 8cdb3fe8..d440d60b 100644
--- a/packages.nix
+++ b/packages.nix
@@ -93,10 +93,14 @@ lib.attrsets.mapAttrs
   builtins.foldl'
     (result: name:
       let
+        discardStringCtx = builtins.unsafeDiscardStringContext;
         host = getHostAddr name;
         target = ''root@"${host}"'';
         rebuildArg = "--flake ${self}#${name} ${overrideInputsArgs} --accept-flake-config";
         hostConfig = self.nixosConfigurations."${name}".config;
+        hostPkgs = self.nixosConfigurations."${name}".pkgs;
+        declaredRunnerDrvPath = discardStringCtx hostConfig.microvm.declaredRunner.drvPath;
+        toplevelOutPath = discardStringCtx hostConfig.system.build.toplevel.outPath;
         # let /var/lib/microvm/*/flake point to the flake-update branch so that
         # `microvm -u $NAME` updates to what hydra built today.
         selfRef = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update";
@@ -117,7 +121,7 @@ lib.attrsets.mapAttrs
           nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths}
 
           # use nixos-rebuild from target config
-          nixosRebuild=$(ssh ${target} nix build ${self}#nixosConfigurations.${name}.config.system.build.nixos-rebuild ${overrideInputsArgs} --no-link --json | ${pkgs.jq}/bin/jq -r '.[0].outputs.out')
+          nixosRebuild=$(ssh ${target} nix build ${discardStringCtx hostConfig.system.build.nixos-rebuild.outPath} ${overrideInputsArgs} --no-link --json | ${lib.getExe hostPkgs.jq} -r '.[0].outputs.out')
           ssh ${target} $nixosRebuild/bin/nixos-rebuild ${rebuildArg} "$@"
         '';
 
@@ -129,8 +133,8 @@ lib.attrsets.mapAttrs
 
           echo Building on Hydra
           ssh root@hydra.serv.zentralwerk.org -- \
-            nix build -L -o /tmp/nixos-system-${name} \
-            ${self}#nixosConfigurations.${name}.config.system.build.toplevel
+            nix build -L -o /tmp/nixos-system-${name} ${toplevelOutPath}
+
           echo Built. Obtaining link to data
           TOPLEVEL=$(ssh root@hydra.serv.zentralwerk.org \
             readlink /tmp/nixos-system-${name})
@@ -153,57 +157,15 @@ lib.attrsets.mapAttrs
 
           [[ $1 == build || $(ssh ${target} cat /etc/hostname) == ${name} ]]
           # don't re-execute, otherwise we run the targetPlatform locally
-          _NIXOS_REBUILD_REEXEC=1 ${pkgs.nixos-rebuild}/bin/nixos-rebuild ${rebuildArg} --target-host ${target} --use-remote-sudo "$@"
+          _NIXOS_REBUILD_REEXEC=1 ${lib.getExe hostPkgs.nixos-rebuild} ${rebuildArg} --target-host ${target} --use-remote-sudo "$@"
         '';
 
         "${name}-cleanup" = pkgs.writeScriptBin "${name}-cleanup" ''
           set -eou pipefail
           ssh ${target} "time nix-collect-garbage -d && time nix-store --optimise"
         '';
-
-        "microvm-update-${name}" = pkgs.writeScriptBin "microvm-update-${name}" (
-          if builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]
-          then ''
-            #!${pkgs.runtimeShell} -e
-
-            ${hostConfig.system.build.copyToServer} ${inputPaths}
-
-            ${hostConfig.system.build.runOnServer} bash -e <<END
-            mkdir -p /var/lib/microvms/${name}
-            cd /var/lib/microvms/${name}
-            chown root:kvm .
-            chmod 0775 .
-
-            rm -f old
-            [ -e current ] && cp --no-dereference current old
-
-            nix build -L --accept-flake-config -o current \
-              ${overrideInputsArgs} \
-              ${self}#nixosConfigurations.${name}.config.microvm.declaredRunner
-            echo '${selfRef}' > flake
-
-            [ -e old ] && nix store diff-closures ./old ./current
-            ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name}
-            ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name}
-            ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name}
-
-            systemctl restart microvm@${name}.service
-            END
-          ''
-          else throw "${name} is not configured to run on microvm.nix. Is it a physical host or is it deployed in Skyflake?"
-        );
-
-        "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" ''
-          #!${pkgs.runtimeShell} -e
-
-          ${lib.optionalString (!builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
-            echo "MicroVM must be configured to proper server" >&2
-            exit 1
-          ''}
-
-          ${hostConfig.system.build.copyToServer} ${hostConfig.microvm.declaredRunner}
-
-          ${hostConfig.system.build.runOnServer} bash -e <<END
+      } // (let
+        createDirsCopyCurrent = name: ''
           mkdir -p /var/lib/microvms/${name}
           cd /var/lib/microvms/${name}
           chown root:kvm .
@@ -211,19 +173,70 @@ lib.attrsets.mapAttrs
 
           rm -f old
           [ -e current ] && cp --no-dereference current old
+        '';
+        createSymlinks = name: ''
+          if [[ -e old ]]; then
+            nix store diff-closures ./old ./current
+
+            echo System package diff:
+            ${discardStringCtx hostConfig.nix.package.outPath}/bin/nix --extra-experimental-features nix-command store diff-closures ./old ./current || true
+          fi
+
+          ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name}
+          ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name}
+          ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name}
+        '';
+      in {
+
+        "microvm-update-${name}" = pkgs.writeScriptBin "microvm-update-${name}" (
+          if builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]
+          then ''
+            set -eou pipefail
+
+            ${hostConfig.system.build.copyToServer} ${inputPaths} ${declaredRunnerDrvPath}
+
+            ${hostConfig.system.build.runOnServer} bash -e <<END
+            ${createDirsCopyCurrent name}
+
+            nix build -L --accept-flake-config -o current ${overrideInputsArgs} ${declaredRunnerDrvPath}
+            echo '${selfRef}' > flake
+
+            ${createSymlinks name}
+
+            if [[ -z NIXOS_REBUILD ]]; then
+              systemctl restart microvm@${name}.service
+            fi
+            END
+
+            if [[ -n NIXOS_REBUILD ]]; then
+              ssh ${target} -- ${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"
+            fi
+          ''
+          else throw "${name} is not configured to run on microvm.nix. Is it a physical host or is it deployed in Skyflake?"
+        );
+
+        "microvm-update-${name}-local" = pkgs.writeScriptBin "microvm-update-${name}" ''
+          set -eou pipefail
+
+          ${lib.optionalString (!builtins.elem (hostConfig.c3d2.deployment.server or null) [ "server9" "server10" ]) ''
+            echo "MicroVM must be configured to proper server" >&2
+            exit 1
+          ''}
+
+          ${hostConfig.system.build.copyToServer} ${declaredRunnerDrvPath}
+
+          ${hostConfig.system.build.runOnServer} bash -e <<END
+          ${createDirsCopyCurrent name}
 
           ln -sfT ${hostConfig.microvm.declaredRunner} current
           echo '${selfRef}' > flake
 
-          [ -e old ] && nix store diff-closures ./old ./current
-          ln -sfT \$PWD/current /nix/var/nix/gcroots/microvm/${name}
-          ln -sfT \$PWD/booted /nix/var/nix/gcroots/microvm/booted-${name}
-          ln -sfT \$PWD/old /nix/var/nix/gcroots/microvm/old-${name}
+          ${createSymlinks name}
 
           systemctl restart microvm@${name}.service
           END
         '';
-      })
+      }))
     { }
     (builtins.attrNames self.nixosConfigurations) //