diff --git a/morph/lib/base.nix b/morph/lib/base.nix
index f167f54ad55baa65fa13fe2b7ac29b79333b8b90..271766d9cff5253f6d9a72e475dec3398b2cd6b3 100644
--- a/morph/lib/base.nix
+++ b/morph/lib/base.nix
@@ -20,6 +20,10 @@
     };
   };
 
+  imports = [
+    ../../nixos/modules/packages.nix
+  ];
+
   config = {
     # The morph default deployment target the name of the node in the network
     # attrset.  We don't always want to give the node its proper public address
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 0433c4f011578bdecea023220c68d6d5047eae35..605cb93b1831b9303b91607725d43ddaa4f0c0b2 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -1,13 +1,12 @@
 # A NixOS module which can run a Ristretto-based issuer for PrivateStorage
 # ZKAPs.
-{ lib, pkgs, config, ... }: let
+{ lib, pkgs, ourpkgs, config, ... }: let
   cfg = config.services.private-storage-issuer;
-  zkapissuer = pkgs.callPackage ../pkgs/zkapissuer { };
 in {
   options = {
     services.private-storage-issuer.enable = lib.mkEnableOption "PrivateStorage ZKAP Issuer Service";
     services.private-storage-issuer.package = lib.mkOption {
-      default = zkapissuer.components.exes."PaymentServer-exe";
+      default = ourpkgs.zkapissuer;
       type = lib.types.package;
       example = lib.literalExample "pkgs.zkapissuer.components.exes.\"PaymentServer-exe\"";
       description = ''
@@ -193,7 +192,7 @@ in {
             "--stripe-endpoint-scheme ${cfg.stripeEndpointScheme} " +
             "--stripe-endpoint-port ${toString cfg.stripeEndpointPort}";
         in
-          "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpArgs} ${stripeArgs}";
+          "${cfg.package.exePath} ${originArgs} ${issuerArgs} ${databaseArgs} ${httpArgs} ${stripeArgs}";
     };
 
     # PaymentServer runs as this user and group by default
diff --git a/nixos/modules/packages.nix b/nixos/modules/packages.nix
new file mode 100644
index 0000000000000000000000000000000000000000..d6518dcf290c27b95e3428434623a63cfbdb8e19
--- /dev/null
+++ b/nixos/modules/packages.nix
@@ -0,0 +1,8 @@
+# A NixOS module which exposes custom packages to other modules.
+{ pkgs, ...}:
+{
+  config = {
+    # Expose `nixos/pkgs` as a new module argument `ourpkgs`.
+    _module.args.ourpkgs = pkgs.callPackage ../../nixos/pkgs {};
+  };
+}
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index d3bc9e61bb8a805d4432edf7d37d51a9501ecc1e..c119a3d3417f7d4b7ec07c5652b65122dc5fce12 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -1,6 +1,6 @@
 # A NixOS module which can instantiate a Tahoe-LAFS storage server in the
 # preferred configuration for the Private Storage grid.
-{ pkgs, lib, config, ... }:
+{ pkgs, ourpkgs, lib, config, ... }:
 let
   # Grab the configuration for this module for convenient access below.
   cfg = config.services.private-storage;
@@ -8,9 +8,6 @@ let
   # TODO: This path copied from tahoe.nix.
   tahoe-base = "/var/db/tahoe-lafs";
 
-  # Our own nixpkgs fork:
-  ourpkgs = import ../../nixpkgs-ps.nix {};
-
   # The full path to the directory where the storage server will write
   # incident reports.
   incidents-dir = "${tahoe-base}/${storage-node-name}/logs/incidents";
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 3e8009b01d6c8a803909dcf08573029273c66bde..0d5fc75b64f56f6d6856cca9e5be007a79bd5312 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -83,21 +83,19 @@ let
       command = builtins.concatStringsSep " " argv;
     in
       "${node}.succeed('set -eo pipefail; ${command} | systemd-cat')";
-
-  pspkgs = import ../../../nixpkgs-ps.nix { };
-
 in {
   # https://nixos.org/nixos/manual/index.html#sec-nixos-tests
   # https://nixos.mayflower.consulting/blog/2019/07/11/leveraging-nixos-tests-in-your-project/
   nodes = rec {
     # Get a machine where we can run a Tahoe-LAFS client node.
     client =
-      { config, pkgs, ... }:
-      { environment.systemPackages = [
+      { config, pkgs, ourpkgs, ... }:
+      { imports = [ ../packages.nix ];
+        environment.systemPackages = [
           pkgs.daemonize
           # A Tahoe-LAFS configuration capable of using the right storage
           # plugin.
-          pspkgs.privatestorage
+          ourpkgs.privatestorage
           # Support for the tests we'll run.
           (pkgs.python3.withPackages (ps: [ ps.requests ps.hyperlink ]))
         ];
@@ -110,7 +108,8 @@ in {
     storage =
       { config, pkgs, ... }:
       { imports =
-        [ ../private-storage.nix
+        [ ../packages.nix
+          ../private-storage.nix
           ../ssh.nix
         ];
         services.private-storage = {
@@ -128,7 +127,8 @@ in {
     issuer =
     { config, pkgs, ... }:
     { imports =
-      [ ../issuer.nix
+      [ ../packages.nix
+        ../issuer.nix
         ../ssh.nix
       ];
       services.private-storage.sshUsers = sshUsers;
diff --git a/nixos/modules/tests/tahoe.nix b/nixos/modules/tests/tahoe.nix
index a582accfc09c404383d796c28b6072de70a02ce7..624a9691d96d31e2f66d1898f1c795bd0b975063 100644
--- a/nixos/modules/tests/tahoe.nix
+++ b/nixos/modules/tests/tahoe.nix
@@ -1,15 +1,14 @@
 { ... }:
-  let
-    pspkgs = import ../../../nixpkgs-ps.nix { };
-  in {
+  {
   nodes = {
-    storage = { config, pkgs, ... }: {
+    storage = { config, pkgs, ourpkgs, ... }: {
       imports = [
+        ../packages.nix
         ../tahoe.nix
       ];
 
       services.tahoe.nodes.storage = {
-        package = pspkgs.privatestorage;
+        package = ourpkgs.privatestorage;
         sections = {
           node = {
             nickname = "storage";
diff --git a/nixos/pkgs/default.nix b/nixos/pkgs/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..3d534430377cb5fbbf0739d60a8a7ca9bb0419f6
--- /dev/null
+++ b/nixos/pkgs/default.nix
@@ -0,0 +1,24 @@
+# Expose all our locally defined packages as attributes.
+# In `gridlib.base`, we expose this as a new `ourpkgs` module argument.
+# To access this directly, you can call this as::
+#
+#    pkgs.callPackage ./nixos/pkgs
+{buildPlatform, hostPlatform, callPackage}:
+let
+  # Our own nixpkgs fork:
+  ourpkgs = import ../../nixpkgs-ps.nix {
+    # Ensure that the fork is configured for the same system
+    # as we were called with.
+    localSystem = buildPlatform;
+    crossSystem = hostPlatform;
+    # Ensure that configuration of the system where this runs
+    # doesn't leak into what we build.
+    # See https://github.com/NixOS/nixpkgs/issues/62513
+    config = {};
+    overlays = [];
+  };
+in
+{
+  zkapissuer = callPackage ./zkapissuer {};
+  inherit (ourpkgs) privatestorage leasereport;
+}
diff --git a/nixos/pkgs/zkapissuer/default.nix b/nixos/pkgs/zkapissuer/default.nix
index 27f5fa3ddf67f44800ab927aee8c23943a57cc96..b4f90d3582cd686fbdf62a6267cb1070c05e9c57 100644
--- a/nixos/pkgs/zkapissuer/default.nix
+++ b/nixos/pkgs/zkapissuer/default.nix
@@ -1,5 +1,6 @@
 { callPackage }:
 let
   repo = callPackage ./repo.nix { };
+  PaymentServer = (import "${repo}/nix").PaymentServer;
 in
-  (import "${repo}/nix").PaymentServer
+  PaymentServer.components.exes."PaymentServer-exe"