diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix
index c8b7749..ba783f7 100644
--- a/pkgs/image/default.nix
+++ b/pkgs/image/default.nix
@@ -7,10 +7,12 @@
 }:
 let
 pname = "patos-image";
+ defaultPassword = "patos";
 in
 stdenvNoCC.mkDerivation (finalAttrs: {
 inherit version;
 inherit pname;
+ inherit defaultPassword;
 buildInputs = with pkgs; [
 erofs-utils
diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh
index b104525..d4975ab 100644
--- a/pkgs/image/mkimage.sh
+++ b/pkgs/image/mkimage.sh
@@ -12,7 +12,21 @@ find rootfs/ -type d -exec chmod 755 {} \;
 # set default target to multi-user
 ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
-# mount /etc overlay
+# Overlay mount for /etc which makes it read-write in runtime
+cat <<EOF > rootfs/usr/lib/systemd/system/etc.mount
+[Unit]
+Description=Overlay mount for /etc
+Before=local-fs.target
+
+[Mount]
+What=overlay
+Where=/etc
+Type=overlay
+Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work
+
+[Install]
+WantedBy=local-fs.target
+EOF
 ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount
 # enable dbus
@@ -26,9 +40,9 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar
 # enable default network config
 mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
-### install sys users (default password is patos)
+# install sys users
 mkdir creds
-echo -n patos > creds/passwd.plaintext-password.root
+echo -n $defaultPassword > creds/passwd.plaintext-password.root
 CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=rootfs rootfs/usr/lib/sysusers.d/*.conf
 chmod 600 rootfs/etc/shadow
 cat rootfs/etc/shadow
diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh
index 62bfe56..110b1e4 100644
--- a/pkgs/rootfs/mkrootfs.sh
+++ b/pkgs/rootfs/mkrootfs.sh
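Review bot: `defaultPassword = "patos";` in the `let` block fixes the root password of every built image to a value published in the repository, and a `let` binding cannot be overridden by a consumer of the package. Making it an argument of the package function, `defaultPassword ? "patos"` in the argument set that closes with `}:` (it starts above this hunk), would let a deployment supply its own value. `inherit defaultPassword;` also places the plaintext in the derivation, so it is readable in the Nix store whatever value is chosen; a comment next to the binding should say so.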
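Review bot: The overlay's `upperdir=/run/.rw-etc/upper` and `workdir=/run/.rw-etc/work` in the `Options=` line must exist before `etc.mount` starts, and nothing in this hunk creates them or orders the unit after whatever does. If `/run` is a tmpfs on this system, as is usual, runtime changes to /etc, including a changed root password in /etc/shadow, are discarded at reboot and the image falls back to its built-in default. I would record both facts in the comment above the heredoc, for example `# upper/work dirs live under /run: created by <unit>, contents are lost on reboot`.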
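Review bot: `echo -n $defaultPassword` expands the variable unquoted, so a password containing whitespace or glob characters is split or expanded before it is written, and a value starting with `-` can be taken by `echo` as an option. `printf '%s' "$defaultPassword" > creds/passwd.plaintext-password.root` writes the value byte for byte. The unchanged `cat rootfs/etc/shadow` at the end of the hunk prints the resulting root hash into the build output; consider dropping it or limiting it to debug builds.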
@@ -80,22 +80,6 @@ DefaultEnvironment=PATH=/bin:/sbin:/usr/bin
 ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTEMD_SYSROOT_FSTAB=/run/fstab SYSTEMD_FSTAB=/run/fstab
 EOF
-# Overlay mount for /etc which makes it read-write in runtime
-cat <<EOF > $out/usr/lib/systemd/system/etc.mount
-[Unit]
-Description=Overlay mount for /etc
-Before=local-fs.target
-
-[Mount]
-What=overlay
-Where=/etc
-Type=overlay
-Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work
-
-[Install]
-WantedBy=local-fs.target
-EOF
-
 ### install PatOS glibc
 cp -P $glibcPatos/lib/*.so* $out/usr/lib/
@@ -123,12 +107,11 @@ cp -Pr ${btrfs}/bin/* $out/usr/bin/
 cp -Pr ${btrfs}/lib/* $out/usr/lib/
 ### install tpm2 tools
-cp -P ${tpm2Tools}/bin/* $out/usr/bin/
+# For TPM debugging
+# cp -P ${tpm2Tools}/bin/* $out/usr/bin/
+# cp -P $cryptsetup/bin/* $out/usr/bin/
 cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/
-### install cryptsetup tools
-cp -P $cryptsetup/bin/* $out/usr/bin/
-
 ### install lib kmod
 cp -P $kmodLibs/lib/* $out/usr/lib
 cp -P $kmodBin/bin/* $out/usr/bin
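Review bot: The `### install tpm2 tools` header now sits over a block that installs only `${tpm2Libs}`, and the tpm2 and cryptsetup binaries are toggled by un-commenting code. Leaving the binaries out does shrink what ships in the image, but the header should say so, e.g. `### install tpm2 libs (tpm2-tools and cryptsetup binaries are left out; see below)`, and a build option would be easier to audit than commented-out `cp` lines. The hunk does not show whether anything in the image still calls the `cryptsetup` binary by path, so that is worth checking before merge.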