diff --git a/flake.nix b/flake.nix
index 2a32da6ca..20d68570d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,6 +19,8 @@
     let
       pkgsUnstable = import nixpkgsUnstable { inherit system; };
 
+      callPackage = pkgsUnstable.callPackage;
+
       mkosiDev = (pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
         propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ (with pkgsUnstable;  [
           # package management
@@ -41,10 +43,11 @@
     {
       packages.mkosi = mkosiDev;
 
-      packages.openssl = pkgsUnstable.symlinkJoin {
-        name = "openssl";
-        paths = [ openssl-static.out openssl-static.dev ];
-      };
+      packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };
+
+      packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+
+      packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
 
       packages.awscli2 = pkgsUnstable.awscli2;
 
diff --git a/nix/cc/cryptsetup.nix b/nix/cc/cryptsetup.nix
new file mode 100644
index 000000000..9687e1019
--- /dev/null
+++ b/nix/cc/cryptsetup.nix
@@ -0,0 +1,18 @@
+{ pkgs, pkgsLinux, buildEnv, closureInfo }:
+let
+  lib = pkgs.lib;
+  cc = pkgsLinux.stdenv.cc;
+  packages = [ pkgsLinux.cryptsetup.out pkgsLinux.cryptsetup.dev ];
+  closure = builtins.toString (lib.strings.splitString "\n" (builtins.readFile "${closureInfo {rootPaths = packages;}}/store-paths"));
+  rpath = pkgs.lib.makeLibraryPath [ pkgsLinux.cryptsetup pkgsLinux.glibc pkgsLinux.libgcc.lib ];
+in
+pkgs.symlinkJoin {
+  name = "cryptsetup";
+  paths = packages;
+  buildInputs = packages;
+  postBuild = ''
+    tar -cf $out/closure.tar --mtime="@$SOURCE_DATE_EPOCH" --sort=name ${closure}
+    echo "${rpath}" > $out/rpath
+    cp ${cc}/nix-support/dynamic-linker $out/dynamic-linker
+  '';
+}
diff --git a/nix/cc/libvirt.nix b/nix/cc/libvirt.nix
new file mode 100644
index 000000000..47660a97f
--- /dev/null
+++ b/nix/cc/libvirt.nix
@@ -0,0 +1,19 @@
+{ pkgs, pkgsLinux, buildEnv, closureInfo }:
+let
+  lib = pkgs.lib;
+  cc = pkgsLinux.stdenv.cc;
+  packages = [ pkgsLinux.libvirt ];
+  closure = builtins.toString (lib.strings.splitString "\n" (builtins.readFile "${closureInfo {rootPaths = packages;}}/store-paths"));
+  rpath = pkgs.lib.makeLibraryPath [ pkgsLinux.libvirt pkgsLinux.glib pkgsLinux.libxml2 pkgsLinux.readline pkgsLinux.glibc pkgsLinux.libgcc.lib ];
+in
+pkgs.symlinkJoin {
+  name = "libvirt";
+  paths = packages;
+  buildInputs = packages;
+  postBuild = ''
+    tar -cf $out/closure.tar --mtime="@$SOURCE_DATE_EPOCH" --sort=name ${closure}
+    tar --transform 's+^./+bin/+' -cf $out/bin-linktree.tar --mtime="@$SOURCE_DATE_EPOCH" --sort=name -C $out/bin .
+    echo "${rpath}" > $out/rpath
+    cp ${cc}/nix-support/dynamic-linker $out/dynamic-linker
+  '';
+}
diff --git a/nix/cc/openssl.nix b/nix/cc/openssl.nix
new file mode 100644
index 000000000..0651fea67
--- /dev/null
+++ b/nix/cc/openssl.nix
@@ -0,0 +1,8 @@
+{ pkgs }:
+let
+  openssl-static = pkgs.openssl.override { static = true; };
+in
+pkgs.symlinkJoin {
+  name = "openssl";
+  paths = [ openssl-static.out openssl-static.dev ];
+}