diff --git a/nixos/pkgs/default.nix b/nixos/pkgs/default.nix
index 619f69e93eedf8d8baa125c9b84df7c9ac0e5822..9e98f253692ed95e4be89c0753542d797db710d1 100644
--- a/nixos/pkgs/default.nix
+++ b/nixos/pkgs/default.nix
@@ -4,23 +4,11 @@
 #
 #    pkgs.callPackage ./nixos/pkgs
 {buildPlatform, hostPlatform, callPackage}:
-let
-  # Our own nixpkgs fork:
-  ourpkgs = import ../../nixpkgs-ps.nix {
-    # Ensure that the fork is configured for the same system
-    # as we were called with.
-    localSystem = buildPlatform;
-    crossSystem = hostPlatform;
-    # Ensure that configuration of the system where this runs
-    # doesn't leak into what we build.
-    # See https://github.com/NixOS/nixpkgs/issues/62513
-    config = {};
-    overlays = [];
-  };
-in
 {
-  inherit (ourpkgs) privatestorage;
   leasereport = callPackage ./leasereport {};
+  # `privatestorage` is a derivation with a good Tahoe+ZKAP environment
+  # that is exposed by ZKAPAuthorizer.
+  privatestorage = callPackage ./privatestorage {};
   zkap-spending-service = callPackage ./zkap-spending-service {};
   zkapissuer = callPackage ./zkapissuer {};
 }
diff --git a/nixos/pkgs/privatestorage/default.nix b/nixos/pkgs/privatestorage/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..bd487af32941f6db920ea2d43ec89e9eded38201
--- /dev/null
+++ b/nixos/pkgs/privatestorage/default.nix
@@ -0,0 +1,8 @@
+{ fetchFromGitHub, callPackage, lib }:
+let
+  repo-data = lib.importJSON ./repo.json;
+  repo = fetchFromGitHub (builtins.removeAttrs repo-data [ "branch" ]);
+  privatestorage = callPackage repo {};
+in
+  privatestorage.privatestorage
+
diff --git a/nixos/pkgs/privatestorage/repo.json b/nixos/pkgs/privatestorage/repo.json
new file mode 100644
index 0000000000000000000000000000000000000000..f8bf81b54bb431e9807ff1ea78e460331cec747e
--- /dev/null
+++ b/nixos/pkgs/privatestorage/repo.json
@@ -0,0 +1,8 @@
+{
+  "owner": "PrivateStorageio",
+  "branch": "main",
+  "repo": "ZKAPAuthorizer",
+  "rev": "c38c42362ac81dad25b4c5bcfe7a5cf0d49e1401",
+  "outputHashAlgo": "sha512",
+  "outputHash": "1pm44ihqn0m2zckmnzdxn7sj6v67m2kaqhpkpv9b48palyd8109ajh818aaj8rw6mlh2k9nrrza39khbqzh1910k8d6dk72ldqkqibl"
+}
diff --git a/nixos/tests/private-storage.nix b/nixos/tests/private-storage.nix
index 6fb85a6713b4668ef4bdfa239480485bfbb52a18..86c6cbdb08e3f305dc5e1a18907d737d1f8c1c1e 100644
--- a/nixos/tests/private-storage.nix
+++ b/nixos/tests/private-storage.nix
@@ -209,8 +209,8 @@ in {
     try:
       ${runOnNode "introducer" [ run-introducer "/tmp/node.pem" (toString introducerPort) introducerFURL ]}
     except:
-      code, log = introducer.execute('cat /tmp/stdout /tmp/stderr')
-      introducer.log(log)
+      code, output = introducer.execute('cat /tmp/stdout /tmp/stderr')
+      introducer.log(output)
       raise
 
     #
@@ -244,8 +244,8 @@ in {
     try:
       api_stripe_com.wait_for_unit("api.stripe.com")
     except:
-      code, log = api_stripe_com.execute('journalctl -u api.stripe.com')
-      api_stripe_com.log(log)
+      code, output = api_stripe_com.execute('journalctl -u api.stripe.com')
+      api_stripe_com.log(output)
       raise
 
     # Get some ZKAPs from the issuer.
@@ -259,20 +259,20 @@ in {
       ]}
     except:
       code, log = client.execute('cat /tmp/stdout /tmp/stderr');
-      client.log(log)
+      client.log(output)
 
       # Dump the fake Stripe API server logs, too, since the error may arise
       # from a PaymentServer/Stripe interaction.
-      code, log = api_stripe_com.execute('journalctl -u api.stripe.com')
-      api_stripe_com.log(log)
+      code, output = api_stripe_com.execute('journalctl -u api.stripe.com')
+      api_stripe_com.log(output)
       raise
 
     # The client should be prepped now.  Make it try to use some storage.
     try:
       ${runOnNode "client" [ exercise-storage "/tmp/client" ]}
     except:
-      code, log = client.execute('cat /tmp/stdout /tmp/stderr')
-      client.log(log)
+      code, output = client.execute('cat /tmp/stdout /tmp/stderr')
+      client.log(output)
       raise
 
     # It should be possible to restart the storage service without the
@@ -285,16 +285,16 @@ in {
       if (before != after):
         raise Exception('fURL changes after storage node restart')
     except:
-      code, log = storage.execute('cat /tmp/stdout /tmp/stderr')
-      storage.log(log)
+      code, output = storage.execute('cat /tmp/stdout /tmp/stderr')
+      storage.log(output)
       raise
 
     # The client should actually still work, too.
     try:
       ${runOnNode "client" [ exercise-storage "/tmp/client" ]}
     except:
-      code, log = client.execute('cat /tmp/stdout /tmp/stderr')
-      client.log(log)
+      code, output = client.execute('cat /tmp/stdout /tmp/stderr')
+      client.log(output)
       raise
 
     # The issuer metrics should be accessible from the monitoring network.
diff --git a/nixpkgs-ps.json b/nixpkgs-ps.json
deleted file mode 100644
index 58add30734e8f7b9b2840a9be38693ceb6a4249d..0000000000000000000000000000000000000000
--- a/nixpkgs-ps.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{ "name": "nixpkgs"
-, "url": "https://github.com/PrivateStorageio/nixpkgs/archive/5ebd5af2d5c6caf23735c8c0e6bc27357fa8d2a8.tar.gz"
-, "sha256": "1g2bvs8prqjskzv8s1qmh36k7rmj98jib0syqbrq02xxzw5dpqb4"
-}
diff --git a/nixpkgs-ps.nix b/nixpkgs-ps.nix
deleted file mode 100644
index d98a53843052fda824f4ed7e34db50524df36ce2..0000000000000000000000000000000000000000
--- a/nixpkgs-ps.nix
+++ /dev/null
@@ -1 +0,0 @@
-import (builtins.fetchTarball (builtins.fromJSON (builtins.readFile ./nixpkgs-ps.json)))