diff --git a/elements/core-deps/accountsservice.bst b/elements/core-deps/accountsservice.bst
index 00df3ac2f49fe44c7c772abb364366b258c31d49..31098e3a05b957ffd874c58901b6090e2dbccad0 100644
--- a/elements/core-deps/accountsservice.bst
+++ b/elements/core-deps/accountsservice.bst
@@ -5,6 +5,8 @@ sources:
   url: freedesktop:accountsservice/accountsservice.git
   track: refs/tags/*
   ref: 23.13.9-0-g57e491f5e6f3da2d5a949f4f8747c8f4e8ed799d
+- kind: patch
+  path: patches/accountsservice/tmpfiles.patch
 
 build-depends:
 - sdk/gobject-introspection.bst
diff --git a/elements/gnomeos/confext.bst b/elements/gnomeos/confext.bst
new file mode 100644
index 0000000000000000000000000000000000000000..b8620f26e73320fded63ebf0aa7c74570706a89c
--- /dev/null
+++ b/elements/gnomeos/confext.bst
@@ -0,0 +1,25 @@
+kind: manual
+
+sources:
+- kind: local
+  path: files/gnomeos/confext
+
+build-depends:
+- freedesktop-sdk.bst:components/gcc.bst
+- freedesktop-sdk.bst:components/stripper.bst
+
+depends:
+- freedesktop-sdk.bst:public-stacks/runtime-minimal.bst
+
+config:
+  build-commands:
+  - |
+    g++ -std=c++20 ${CFLAGS} ${LDFLAGS} migrate-confext.cpp -o migrate-confext
+
+  install-commands:
+  - |
+    install -Dm644 -t '%{install-root}%{indep-libdir}/systemd/system' \
+        initrd-confext.service \
+        initrd-migrate-confext.service
+    install -Dm644 -t '%{install-root}%{indep-libdir}/systemd/system/systemd-confext.service.d' mutable.conf
+    install -Dm755 -t '%{install-root}%{indep-libdir}/gnomeos' migrate-confext
diff --git a/elements/gnomeos/devel/layer.bst b/elements/gnomeos/devel/layer.bst
index 230297aa0a57c0d18dfc878fd33360cf72d0e6a9..ca487f70e4086d1e8f02e491121d816fe8d53324 100644
--- a/elements/gnomeos/devel/layer.bst
+++ b/elements/gnomeos/devel/layer.bst
@@ -54,61 +54,29 @@ config:
        --noroot --noboot --nodepmod >/dev/null
 
   - |
-    mkdir -p output/etc
-    make-layer sysroot/etc sysroot-devel/etc output/etc/etc
+    mkdir -p sysroot-devel/etc/extension-release.d
+    case "%{branch}" in
+      master)
+        version_id=Nightly
+        ;;
+      *)
+        version_id="%{branch}"
+        ;;
+    esac
 
-  - |
-    cat >sysroot-devel/usr/lib/tmpfiles.d/extra-etc-devel.conf<<EOF
-    L /etc/apparmor.d
-    # freedesktop-sdk.bst:components/perf.bst
-    # FIXME: move to /usr/share/bash-completion/completions/
-    L /etc/bash_completion.d/perf
-    # freedesktop-sdk.bst:components/binutils.bst
-    L /etc/gprofng.rc
-    # core-deps/libvirt.bst
-    L /etc/libvirt
-    L /etc/sasl2
-    L /etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf
-    # vm-deps/swtpm.bst
-    L /etc/swtpm-localca.conf
-    L /etc/swtpm-localca.options
-    L /etc/swtpm_setup.conf
+    commits_url="https://gitlab.gnome.org/GNOME/gnome-build-meta/-/commits/%{commit}"
+    cat <<EOF >sysroot-devel/etc/extension-release.d/extension-release.devel_%{image-version}
+    ID="org.gnome.os"
+    VERSION_ID="${version_id}"
+    CONFEXT_LEVEL="%{image-version}"
+    GNOMEOS_COMMIT="%{commit}"
+    GNOMEOS_COMMIT_DATE="%{commit-date-pretty}"
+    GNOMEOS_COMMITS_URL="${commits_url}"
     EOF
 
   - |
-    find output/etc
-
-  - |
-    mkdir -p output/factory
-    for p in $(grep -v "^#" <sysroot-devel/usr/lib/tmpfiles.d/extra-etc-devel.conf | grep -v "^$" | cut -d" " -f2); do
-      mkdir -p "$(dirname "output/factory${p}")"
-      cp -rlTP "output/etc${p}" "output/factory${p}"
-      rm -rf "output/etc${p}"
-    done
-
-  - |
-    find 'output/etc/etc' -depth -type d -empty -delete
-
-  - |
-    unknown=()
-    for p in output/etc/etc/*; do
-      rel="${p#output/etc}"
-      case "${rel}" in
-        /etc/systemd|/etc/ld.so.cache)
-          # Those are created another way
-        ;;
-        /etc/logrotate.d)
-          # Those should not exist
-        ;;
-        *)
-          unknown+=("${rel}")
-        ;;
-      esac
-    done
-    if [ "${#unknown[*]}" -gt 0 ]; then
-      echo "Unknown paths:" "${unknown[@]}"
-      exit 1
-    fi
+    mkdir -p output/etc
+    make-layer sysroot/etc sysroot-devel/etc output/etc
 
   - |
     mkdir -p sysroot-devel/usr/lib/extension-release.d
@@ -135,14 +103,6 @@ config:
     mkdir -p output
     make-layer sysroot/usr sysroot-devel/usr output/usr
 
-  - |
-    mkdir -p output/usr/share/factory/etc
-    cp -rlTP output/factory output/usr/share/factory
-
-  - |
-    mkdir -p output/etc
-    cp -T sysroot-devel/usr/lib/os-release output/etc/os-release
-
   - |
     mkdir -p tmp
 
@@ -164,6 +124,25 @@ config:
         --copy-source=output \
         devel-%{systemd-arch}_%{image-version}.raw
 
+  - |
+    TMPDIR='%{build-root}/tmp' \
+    SYSTEMD_LOG_LEVEL=debug \
+    SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${EROFS_OPTIONS} ${EROFS_WORKERS}" \
+      systemd-repart \
+        --make-ddi=confext \
+        --empty=create \
+        --size=auto \
+        --dry-run=no \
+        --discard=no \
+        --offline=true \
+        --no-pager \
+        --private-key=SYSEXT.key \
+        --certificate=SYSEXT.crt \
+        --seed %{repart-seed} \
+        --copy-source=output \
+        devel-confext-%{systemd-arch}_%{image-version}.raw
+
   install-commands:
   - |
     mv devel-%{systemd-arch}_%{image-version}.raw %{install-root}
+    mv devel-confext-%{systemd-arch}_%{image-version}.raw %{install-root}
diff --git a/elements/gnomeos/initramfs/deps.bst b/elements/gnomeos/initramfs/deps.bst
index 998cdff995609a8115b3b478d5afb423c4f1e68c..cefcabba91e6ec17cd830ac5457004cbfacbe67b 100644
--- a/elements/gnomeos/initramfs/deps.bst
+++ b/elements/gnomeos/initramfs/deps.bst
@@ -24,6 +24,7 @@ depends:
 - gnomeos/os-release.bst
 - gnomeos/replace-signed-systemd-boot.bst
 - gnomeos/live.bst
+- gnomeos/confext.bst
 
 (?):
 - arch in ["x86_64"]:
diff --git a/elements/gnomeos/snapd/layer.bst b/elements/gnomeos/snapd/layer.bst
index bf98c0b99e14fa4015198d5da8f993b10e4c5b2e..5d1788aa5cd2edafce193d27646c4d16e3658060 100644
--- a/elements/gnomeos/snapd/layer.bst
+++ b/elements/gnomeos/snapd/layer.bst
@@ -53,15 +53,6 @@ config:
        --seed "%{sysroot-seed}" \
        --noroot --noboot --nodepmod >/dev/null
 
-  - |
-    cat >sysroot-snapd/usr/lib/tmpfiles.d/extra-etc-snapd.conf<<EOF
-    L /etc/apparmor
-    L /etc/apparmor.d
-    L /etc/profile.d/snapd.sh
-    L /etc/xdg/autostart/snap-userd-autostart.desktop
-    d /snap
-    EOF
-
   - |
     mkdir -p sysroot-snapd/usr/lib/extension-release.d
     case "%{branch}" in
@@ -83,22 +74,35 @@ config:
     GNOMEOS_COMMITS_URL="${commits_url}"
     EOF
 
+  - |
+    mkdir -p sysroot-snapd/etc/extension-release.d
+    case "%{branch}" in
+      master)
+        version_id=Nightly
+        ;;
+      *)
+        version_id="%{branch}"
+        ;;
+    esac
+
+    commits_url="https://gitlab.gnome.org/GNOME/gnome-build-meta/-/commits/%{commit}"
+    cat <<EOF >sysroot-snapd/etc/extension-release.d/extension-release.snapd_%{image-version}
+    ID="org.gnome.os"
+    VERSION_ID="${version_id}"
+    CONFEXT_LEVEL="%{image-version}"
+    GNOMEOS_COMMIT="%{commit}"
+    GNOMEOS_COMMIT_DATE="%{commit-date-pretty}"
+    GNOMEOS_COMMITS_URL="${commits_url}"
+    EOF
+
   - |
     mkdir -p output
-    make-layer sysroot/usr sysroot-snapd/usr output/usr
 
   - |
-    mkdir -p output/usr/share/factory/etc
-    cp -rT sysroot-snapd/etc/apparmor output/usr/share/factory/etc/apparmor
-    cp -rT sysroot-snapd/etc/apparmor.d output/usr/share/factory/etc/apparmor.d
-    mkdir -p output/usr/share/factory/etc/profile.d
-    cp -rT sysroot-snapd/etc/profile.d/snapd.sh output/usr/share/factory/etc/profile.d/snapd.sh
-    mkdir -p output/usr/share/factory/etc/xdg/autostart
-    cp -rT sysroot-snapd/etc/xdg/autostart/snap-userd-autostart.desktop output/usr/share/factory/etc/xdg/autostart/snap-userd-autostart.desktop
+    make-layer sysroot/usr sysroot-snapd/usr output/usr
 
   - |
-    mkdir -p output/etc
-    cp -T sysroot-snapd/usr/lib/os-release output/etc/os-release
+    make-layer sysroot/etc sysroot-snapd/etc output/etc
 
   - |
     mkdir -p tmp
@@ -121,6 +125,25 @@ config:
         --copy-source=output \
         snapd-%{systemd-arch}_%{image-version}.raw
 
+  - |
+    TMPDIR='%{build-root}/tmp' \
+    SYSTEMD_LOG_LEVEL=debug \
+    SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${EROFS_OPTIONS} ${EROFS_WORKERS}" \
+      systemd-repart \
+        --empty=create \
+        --make-ddi=sysext \
+        --size=auto \
+        --dry-run=no \
+        --discard=no \
+        --offline=true \
+        --no-pager \
+        --private-key=SYSEXT.key \
+        --certificate=SYSEXT.crt \
+        --seed %{repart-seed} \
+        --copy-source=output \
+        snapd-confext-%{systemd-arch}_%{image-version}.raw
+
   install-commands:
   - |
     mv snapd-%{systemd-arch}_%{image-version}.raw %{install-root}
+    mv snapd-confext-%{systemd-arch}_%{image-version}.raw %{install-root}
diff --git a/elements/gnomeos/usr/deps.bst b/elements/gnomeos/usr/deps.bst
index 8c6c1c94d2759d9b45d6f41f0b892697ed2ebf71..a2780a7075907402e42e7159e5d85d4ecc13971f 100644
--- a/elements/gnomeos/usr/deps.bst
+++ b/elements/gnomeos/usr/deps.bst
@@ -16,6 +16,7 @@ depends:
 - gnomeos/public-keys.bst
 - gnomeos/signed-boot-common.bst
 - freedesktop-sdk.bst:vm/config/useradd-default.bst
+- gnomeos/confext.bst
 
 (?):
 - arch in ["x86_64"]:
diff --git a/elements/gnomeos/usr/image.bst b/elements/gnomeos/usr/image.bst
index b791e30c0e6f3e76ee301cd9dcbaa6499f8a736a..c1268d9b51637c68759057ab9263b9b3b58daae9 100644
--- a/elements/gnomeos/usr/image.bst
+++ b/elements/gnomeos/usr/image.bst
@@ -73,11 +73,6 @@ config:
     rm /sysroot/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
     rm /sysroot/etc/ssh/sshd_config.d/20-systemd-userdb.conf
 
-  - |
-    cat >/sysroot/usr/lib/tmpfiles.d/extra-etc-symlinks.conf<<EOF
-    L! /etc/audit/rules.d/10-base-config.rules - - - - /usr/share/audit-rules/10-base-config.rules
-    L! /etc/localtime - - - - /usr/share/zoneinfo/UTC
-    EOF
 
   - |
     # FIXME: move that in pam-config
@@ -88,263 +83,13 @@ config:
     mv -T /sysroot/efi /sysroot/usr/share/factory/efi
 
   - |
-    cat >/sysroot/usr/lib/tmpfiles.d/extra-etc.conf<<EOF
-    # core-deps/ModemManager.bst (just directories)
-    C /etc/ModemManager
-    # core-deps/NetworkManager.bst (just directories)
-    C /etc/NetworkManager
-    # core-deps/upower.bst
-    L /etc/UPower/UPower.conf
-    L /etc/UPower/UPower.conf.d/README.md
-    # core-deps/systemd.bst
-    # FIXME: remove this from factory
-    # /etc/X11
-    # freedesktop-sdk.bst:components/alsa-plugins.bst
-    L /etc/alsa
-    # vm-deps/anthy.bst
-    L /etc/anthy-unicode.conf
-    # freedesktop-sdk.bst:components/audit.bst
-    L /etc/bash_completion.d/audit.bash_completion
-    L! /etc/audit/audisp-filter.conf
-    L! /etc/audit/audisp-remote.conf
-    # auditd does not want to follow symlink for auditd.conf
-    C! /etc/audit/auditd.conf
-    L! /etc/audit/audit-stop.rules
-    L! /etc/audit/plugins.d/af_unix.conf
-    L! /etc/audit/plugins.d/au-remote.conf
-    L! /etc/audit/plugins.d/filter.conf
-    L! /etc/audit/plugins.d/syslog.conf
-    L! /etc/libaudit.conf
-    # freedesktop-sdk.bst:components/avahi.bst
-    L /etc/avahi/avahi-autoipd.action
-    L /etc/avahi/avahi-daemon.conf
-    L /etc/avahi/avahi-dnsconfd.action
-    L /etc/avahi/hosts
-    L /etc/avahi/services/sftp-ssh.service
-    L /etc/avahi/services/ssh.service
-    # Various, we should move them to /usr/share:
-    L /etc/bash_completion.d/000_bash_completion_compat.bash
-    # freedesktop-sdk.bst:components/gawk.bst
-    L /etc/profile.d/gawk.sh
-    L /etc/profile.d/gawk.csh
-
-    # gnomeos-deps/toolbox.bst
-    L /etc/containers/toolbox.conf
-    # freedesktop-sdk.bst:components/containers-common.bst
-    L /etc/containers/policy.json
-    L /etc/containers/registries.conf
-    L /etc/containers/registries.conf.d/000-shortnames.conf
-    L /etc/containers/registries.d/default.yaml
-
-    # freedesktop-sdk.bst:components/git-lfs.bst
-    L /etc/gitconfig
-
-    # freedesktop-sdk.bst:components/bash-config.bst
-    L /etc/bashrc
-
-    # TODO: sort the rest of this mess
-    C /etc/bindresvport.blacklist
-
-    # freedesktop-sdk.bst:components/cups-daemon-only.bst
-    L /etc/cups/cups-files.conf
-    L /etc/cups/cups-files.conf.default
-    L /etc/cups/cupsd.conf
-    L /etc/cups/cupsd.conf.default
-    L /etc/cups/snmp.conf
-    L /etc/cups/snmp.conf.default
-    # Needed for cups which tries to write PPDs there even driverless
-    d /etc/cups/ppd
-    L /etc/cups/ssl
-    L /etc/paperspecs
-    # FIXME: move to /usr/share
-    L /etc/dbus-1/system.d/cups.conf
-    # core-deps/system-config-printer.bst
-    L /etc/cupshelpers/preferreddrivers.xml
-    # FIXME: move to /usr/share
-    L /etc/dbus-1/system.d/com.redhat.NewPrinterNotification.conf
-    L /etc/dbus-1/system.d/com.redhat.PrinterDriversInstaller.conf
-
-    #
-    L /etc/dbus-1/system.d/avahi-dbus.conf
-
-    L /etc/dbus-1/system.d/gdm.conf
-    L /etc/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
-    L /etc/dbus-1/system.d/org.freedesktop.ModemManager1.conf
-
-    # core-deps/systemd.bst
-    # FIXME: do we need to have the directory
-    d /etc/binfmt.d
-
-    L /etc/dbus-1/session.conf
-    L /etc/dbus-1/system.conf
-
-    # freedesktop-sdk.bst:integration/ldconfig.bst
-    L /etc/ld.so.conf
-    # vm/mesa-default.bst
-    L /etc/ld.so.conf.d/00_mesa.conf
-
-    # gnomeos-deps/nftables.bst
-    L /etc/nftables/osf/pf.os
-
-    # gnomeos-deps/firewalld.bst
-    L /etc/firewalld/firewalld.conf
-
-    # gnomeos-deps/vpnc.bst
-    L /etc/vpnc/default.conf
-
-    # freedesktop-sdk.bst:components/slang.bst
-    L /etc/slsh.rc
-
-    # FIXME: sort those and make them symlinks
-    C /etc/dconf
-    C /etc/debuginfod
-    C /etc/default
-    C /etc/e2scrub.conf
-    C /etc/environment
-    C /etc/ethertypes
-    C /etc/fish
-    C /etc/fonts
-    C /etc/fuse.conf
-    C /etc/fwupd
-    C /etc/gdm
-    C /etc/geoclue
-    C /etc/grub.d
-    C /etc/gss
-    C /etc/gtk-3.0
-    C /etc/init.d
-    C /etc/iscsi
-    C /etc/isns
-    C /etc/libblockdev
-    C /etc/libinput
-    C /etc/libnl
-    C /etc/locale.conf
-    C /etc/login.defs
-    C /etc/logrotate.d
-    C /etc/lvm
-    C /etc/man_db.conf
-    C /etc/mke2fs.conf
-    C /etc/modules-load.d
-    C /etc/netconfig
-    C /etc/openldap
-    C /etc/opensc.conf
-    C /etc/ostree
-    C /etc/pkcs11
-    C /etc/pki
-    C /etc/plymouth
-    C /etc/polkit-1
-    C /etc/profile
-    C /etc/profile.d
-    C /etc/protocols
-    C /etc/pulse
-    C /etc/rc_keymaps
-    C /etc/rc_maps.cfg
-    C /etc/rpc
-    C /etc/rygel.conf
-    C /etc/samba
-    C /etc/sane.d
-    C /etc/securetty
-    C /etc/services
-    C /etc/shells
-    C /etc/skel
-    C /etc/speech-dispatcher
-    C /etc/ssh/moduli
-    C /etc/ssh/ssh_config
-    C /etc/ssh/sshd_config
-    C /etc/ssl
-    C /etc/sudo.conf
-    C /etc/sudo_logsrvd.conf
-    C /etc/sudoers
-    C /etc/sudoers.d
-    C /etc/sudoers.dist
-    C /etc/sysctl.d
-    C /etc/tpm2-tss
-    C /etc/udev
-    C /etc/udisks2
-    C /etc/uresourced.conf
-    C /etc/vdpau_wrapper.cfg
-    C /etc/xattr.conf
-    C /etc/xdg
-    C /etc/xml
-    L /etc/passim.conf
-    L /etc/issue
-    L /etc/request-key.conf
-    #L /etc/ssh
-    L /etc/bluetooth
-    L /etc/fprintd.conf
-
-    L! /etc/security
-    C! /etc/subgid
-    C! /etc/subuid
-    C! /etc/systemd/coredump.conf
-    C! /etc/systemd/homed.conf
-    C! /etc/systemd/journal-upload.conf
-    C! /etc/systemd/journald.conf
-    C! /etc/systemd/logind.conf
-    C! /etc/systemd/networkd.conf
-    C! /etc/systemd/oomd.conf
-    C! /etc/systemd/pstore.conf
-    C! /etc/systemd/resolved.conf
-    C! /etc/systemd/sleep.conf
-    C! /etc/systemd/system.conf
-    C! /etc/systemd/timesyncd.conf
-    C! /etc/systemd/user.conf
-    C! /etc/systemd/journal-remote.conf
-    L! /etc/issue.net
-    EOF
-
-  - |
-    case '%{arch}' in
-      x86_64)
-        cat >>/sysroot/usr/lib/tmpfiles.d/extra-etc.conf <<EOF
-    C /etc/libsmbios
+    mkdir -p /sysroot/usr/lib/confexts/gnomeos-base-config
+    mv -T /sysroot/etc /sysroot/usr/lib/confexts/gnomeos-base-config/etc
+    mkdir -p /sysroot/usr/lib/confexts/gnomeos-base-config/etc/extension-release.d
+    cat <<EOF >/sysroot/usr/lib/confexts/gnomeos-base-config/etc/extension-release.d/extension-release.gnomeos-base-config
+    ID="org.gnome.os"
+    CONFEXT_LEVEL="%{image-version}"
     EOF
-        ;;
-    esac
-
-  - |
-    mkdir -p /sysroot/usr/share/factory
-    failures=()
-    for p in $(grep -v "^#" </sysroot/usr/lib/tmpfiles.d/extra-etc.conf | grep -v "^$" | cut -d" " -f2); do
-      mkdir -p "$(dirname "/sysroot/usr/share/factory${p}")"
-      if ! [ -L "/sysroot${p}" ] && cp -rlTP "/sysroot${p}" "/sysroot/usr/share/factory${p}"; then
-        rm -rf "/sysroot${p}"
-      else
-        failures+=("${p}")
-      fi
-    done
-    if [ "${#failures[*]}" -gt 0 ]; then
-      for failure in "${failures[@]}"; do
-        echo "Could not move ${failure}" >&2
-      done
-      exit 1
-    fi
-
-  - |
-    find /sysroot/etc -depth -type d -empty -delete
-
-  - |
-    unknown=()
-    for p in /sysroot/etc/*; do
-      rel="${p#/sysroot}"
-      case "${rel}" in
-        /etc/systemd)
-          # For those we copied the content instead
-        ;;
-        /etc/os-release|/etc/mtab|/etc/passwd|/etc/group|/etc/shadow|/etc/gshadow|/etc/ld.so.cache)
-          # Those are created another way
-        ;;
-        /etc/X11|/etc/dracut.conf.d)
-          # Those should not exist
-        ;;
-        *)
-          unknown+=("${rel}")
-        ;;
-      esac
-    done
-    if [ "${#unknown[*]}" -gt 0 ]; then
-      echo "Unknown paths:" "${unknown[@]}" >&2
-      exit 1
-    fi
 
   - |
     cat >/sysroot/usr/lib/tmpfiles.d/extensions.conf<<EOF
diff --git a/files/gnomeos/confext/initrd-confext.service b/files/gnomeos/confext/initrd-confext.service
new file mode 100644
index 0000000000000000000000000000000000000000..f6f64505099459d8f3690e130c3a4595d69c2e53
--- /dev/null
+++ b/files/gnomeos/confext/initrd-confext.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Merge System Configuration Images into sysroot's /etc/
+Documentation=man:systemd-confext.service(8)
+
+ConditionCapability=CAP_SYS_ADMIN
+ConditionDirectoryNotEmpty=|/sysroot/var/lib/confexts
+ConditionDirectoryNotEmpty=|/sysroot/usr/local/lib/confexts
+ConditionDirectoryNotEmpty=|/sysroot/usr/lib/confexts
+ConditionPathExists=/etc/initrd-release
+
+RequiresMountsFor=/sysroot/usr
+After=initrd-root-fs.target
+Before=initrd-fs.target initrd-parse-etc.service
+
+[Service]
+Type=oneshot
+ExecStart=systemd-confext --mutable=yes --root=/sysroot refresh
diff --git a/files/gnomeos/confext/initrd-migrate-confext.service b/files/gnomeos/confext/initrd-migrate-confext.service
new file mode 100644
index 0000000000000000000000000000000000000000..0ed0d0509e30cf05eb32c5810a0677935002a75b
--- /dev/null
+++ b/files/gnomeos/confext/initrd-migrate-confext.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Migrating existing /etc to confext
+ConditionPathExists=/sysroot/etc/machine-id
+ConditionPathExists=!/sysroot/var/lib/extensions.mutable/etc
+ConditionPathExists=/etc/initrd-release
+
+RequiresMountsFor=/sysroot/usr
+After=initrd-root-fs.target
+Before=initrd-fs.target initrd-parse-etc.service
+Before=initrd-confext.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/gnomeos/migrate-confext
diff --git a/files/gnomeos/confext/migrate-confext.cpp b/files/gnomeos/confext/migrate-confext.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..ab718e334ed84db22bfcb839ca1ab89d7654bd55
--- /dev/null
+++ b/files/gnomeos/confext/migrate-confext.cpp
@@ -0,0 +1,101 @@
+// Sorry about C++. Bash was not good enough. (and C too verbose and
+// Rust too big for initrd)
+
+// This migrate /etc from an old tmpfiles.d, to mutable confext.
+// It copies files From /etc to /var/lib/extensions.mutable/etc
+// Because /etc itself will be on the bottom, the files from
+// confexts will go on top and hide them. So we need to
+// copy to the mutable layer.
+
+// We try to copy only the files that were modified from factory
+// files. However, since sysexts are not yet merged at this point of
+// the boot. The good news is that tmpfiles.d from our extenions (snapd
+// and devel), only create factory symlinks that will be filtered
+// automatically.
+
+// Also we make sure that symlinks pointing to the old factory files
+// are not copied.
+
+// There are still files in /etc. They will be overridden by confexts
+// or the mutable layer. But as soon as they get removed, they will
+// re-appear. Users may fix those by bind mounting /. Then access /etc
+// within that bind mount and clean up their /etc.  We do not clean it
+// up automatically for now because we cannot rollback in case there
+// is an issue.
+
+#include <filesystem>
+#include <iostream>
+#include <fstream>
+#include <algorithm>
+
+namespace fs = std::filesystem;
+
+void copy_with_dir(fs::path const& path,
+                   fs::path const& source,
+                   fs::path const& target) {
+  if (path.has_parent_path()) {
+    copy_with_dir(path.parent_path(), source, target);
+  }
+
+  auto src_path = source / path;
+  if (is_symlink(src_path)) {
+    copy_symlink(src_path, target / path);
+  } else if (is_regular_file(src_path)) {
+    copy_file(src_path, target / path);
+  } else if (is_directory(src_path)) {
+    create_directory(target / path, src_path);
+  }
+}
+
+int main() {
+  auto sysroot_etc = fs::path("/sysroot/etc");
+  auto tmp_target = fs::path("/sysroot/var/lib/extensions.mutable/etc.creating");
+  create_directories(tmp_target);
+
+  for (auto& p : fs::recursive_directory_iterator(sysroot_etc)) {
+    auto path = fs::path(p);
+    auto rel = path.lexically_relative(sysroot_etc);
+    auto factory = "/usr/share/factory/etc" / rel;
+    auto confext = "/sysroot/usr/lib/confexts/gnomeos-base-config/etc" / rel;
+    if (p.is_symlink()) {
+      auto target = read_symlink(p);
+      if (target != factory) {
+        if (is_symlink(confext)) {
+          auto confext_target = read_symlink(confext);
+          if (target != confext_target) {
+            std::cerr << "different symlink " << rel << '\n';
+            copy_with_dir(rel, sysroot_etc, tmp_target);
+          }
+        } else {
+          std::cerr << "new symlink " << rel << '\n';
+          copy_with_dir(rel, sysroot_etc, tmp_target);
+        }
+      }
+    } else if (p.is_regular_file()) {
+      auto path_status = symlink_status(path);
+      auto confext_status = symlink_status(confext);
+      if (!is_regular_file(confext_status)) {
+        std::cerr << "added file " << rel << '\n';
+        copy_with_dir(rel, sysroot_etc, tmp_target);
+      } else if (path_status.permissions() != confext_status.permissions()) {
+        std::cerr << "different perms " << rel << '\n';
+        copy_with_dir(rel, sysroot_etc, tmp_target);
+      } else if (file_size(path) != file_size(confext)) {
+        std::cerr << "different size " << rel << '\n';
+        copy_with_dir(rel, sysroot_etc, tmp_target);
+      } else {
+        std::ifstream f1(path);
+        std::ifstream f2(confext);
+        if (!std::ranges::equal(std::istreambuf_iterator<char>(f1),
+                                std::istreambuf_iterator<char>(),
+                                std::istreambuf_iterator<char>(f2),
+                                std::istreambuf_iterator<char>())) {
+          std::cerr << "different content " << rel << '\n';
+          copy_with_dir(rel, sysroot_etc, tmp_target);
+        }
+      }
+    }
+  }
+  rename(tmp_target, "/sysroot/var/lib/extensions.mutable/etc");
+  return 0;
+}
diff --git a/files/gnomeos/confext/mutable.conf b/files/gnomeos/confext/mutable.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f05109c1fce4cf3bfc38e0b11720ce2511df35ff
--- /dev/null
+++ b/files/gnomeos/confext/mutable.conf
@@ -0,0 +1,5 @@
+[Service]
+ExecStart=
+ExecStart=systemd-confext --mutable=auto refresh
+ExecReload=
+ExecReload=systemd-confext --mutable=auto refresh
diff --git a/files/gnomeos/generate-initramfs/modules/50-confext/module.sh b/files/gnomeos/generate-initramfs/modules/50-confext/module.sh
new file mode 100644
index 0000000000000000000000000000000000000000..87955690227e7e6d560681c85bb17fe63c89b9ff
--- /dev/null
+++ b/files/gnomeos/generate-initramfs/modules/50-confext/module.sh
@@ -0,0 +1,11 @@
+install() {
+    install_files \
+        "/usr/lib/systemd/system/initrd-confext.service" \
+        "/usr/lib/systemd/system/initrd-migrate-confext.service" \
+        "/usr/lib/gnomeos/migrate-confext"
+
+    mkdir -p "${root}/usr/lib/systemd/system/initrd-fs.target.wants"
+
+    ln -s ../initrd-confext.service "${root}/usr/lib/systemd/system/initrd.target.wants/initrd-confext.service"
+    ln -s ../initrd-migrate-confext.service "${root}/usr/lib/systemd/system/initrd.target.wants/initrd-migrate-confext.service"
+}
diff --git a/files/os-release/os-release.oci.in b/files/os-release/os-release.oci.in
index 06bda857f3687355eeb00240b104307fa3b9356a..33a74bd351cde5042e07ca9d114ad8d930b2468d 100644
--- a/files/os-release/os-release.oci.in
+++ b/files/os-release/os-release.oci.in
@@ -8,6 +8,7 @@ BUG_REPORT_URL="https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/new"
 HOME_URL="https://www.gnome.org/"
 IMAGE_VERSION="@IMAGE_VERSION@"
 SYSEXT_LEVEL="@IMAGE_VERSION@"
+CONFEXT_LEVEL="@IMAGE_VERSION@"
 GNOMEOS_COMMIT="@GNOMEOS_COMMIT@"
 GNOMEOS_COMMIT_DATE="@GNOMEOS_COMMIT_DATE@"
 GNOMEOS_COMMITS_URL="@GNOMEOS_COMMITS_URL@"
diff --git a/files/os-release/os-release.sysupdate.in b/files/os-release/os-release.sysupdate.in
index 864195e57db7082cfef8bf6d8ffbd3d76c9d3e05..d81367ec62e45e1f07ed592b4228294b3164104a 100644
--- a/files/os-release/os-release.sysupdate.in
+++ b/files/os-release/os-release.sysupdate.in
@@ -10,6 +10,7 @@ VARIANT="@VARIANT@ (sysupdate)"
 VARIANT_ID="su-@VARIANT_ID@"
 IMAGE_VERSION="@IMAGE_VERSION@"
 SYSEXT_LEVEL="@IMAGE_VERSION@"
+CONFEXT_LEVEL="@IMAGE_VERSION@"
 IMAGE_ID="@VARIANT_ID@"
 DEFAULT_HOSTNAME="gnomeos"
 GNOMEOS_COMMIT="@GNOMEOS_COMMIT@"
diff --git a/files/sysupdate/40-gnomeos-devel-confext.transfer b/files/sysupdate/40-gnomeos-devel-confext.transfer
new file mode 100644
index 0000000000000000000000000000000000000000..efe0588ad987ddd5e94ed5bdd22b99046d8e81b5
--- /dev/null
+++ b/files/sysupdate/40-gnomeos-devel-confext.transfer
@@ -0,0 +1,16 @@
+[Transfer]
+ProtectVersion=%A
+Features=devel
+
+[Source]
+Type=url-file
+Path=https://1270333429.rsc.cdn77.org/nightly/sysupdate/
+MatchPattern=devel-confext-%a_@v.raw \
+             devel-confext-%a_@v.raw.xz \
+             devel-confext-%a_@v.raw.zst
+
+[Target]
+Type=regular-file
+Path=/var/lib/confexts/
+MatchPattern=devel_@v.raw
+InstancesMax=2
diff --git a/files/sysupdate/40-gnomeos-snapd-confext.transfer b/files/sysupdate/40-gnomeos-snapd-confext.transfer
new file mode 100644
index 0000000000000000000000000000000000000000..451adcced19491c9de8d135ebfa679d87c8bb4b6
--- /dev/null
+++ b/files/sysupdate/40-gnomeos-snapd-confext.transfer
@@ -0,0 +1,16 @@
+[Transfer]
+ProtectVersion=%A
+Features=snapd
+
+[Source]
+Type=url-file
+Path=https://1270333429.rsc.cdn77.org/nightly/sysupdate/
+MatchPattern=snapd-confext-%a_@v.raw \
+             snapd-confext-%a_@v.raw.xz \
+             snapd-confext-%a_@v.raw.zst
+
+[Target]
+Type=regular-file
+Path=/var/lib/confexts/
+MatchPattern=snapd_@v.raw
+InstancesMax=2
diff --git a/patches/accountsservice/tmpfiles.patch b/patches/accountsservice/tmpfiles.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ff4eecb31bc8b64224d49cfb66835a2f707e9cf1
--- /dev/null
+++ b/patches/accountsservice/tmpfiles.patch
@@ -0,0 +1,14 @@
+diff -ru accountsservice.old/data/accounts-daemon.service.in accountsservice/data/accounts-daemon.service.in
+--- accountsservice.old/data/accounts-daemon.service.in	2026-01-31 18:44:32.698418179 +0100
++++ accountsservice/data/accounts-daemon.service.in	2026-01-31 18:45:47.544478762 +0100
+@@ -7,6 +7,10 @@
+ After=nss-user-lookup.target
+ Wants=nss-user-lookup.target
+ 
++# For ProtectSystem=strict to work and /home to be writable
++# /home has to exist. So tmpfiles should have run first
++After=systemd-tmpfiles-setup.service
++
+ [Service]
+ Type=dbus
+ BusName=org.freedesktop.Accounts