diff --git a/mkosi.conf b/mkosi.conf
index 35a19a27aad..a5d4eab23bd 100644
--- a/mkosi.conf
+++ b/mkosi.conf
@@ -66,9 +66,6 @@ KernelCommandLine=
         printk.devkmsg=on
         # Make sure /sysroot is mounted rw in the initrd.
         rw
-        # Lower the default device timeout so we get a shell earlier if the root device does
-        # not appear for some reason.
-        systemd.default_device_timeout_sec=90
         # Make sure no LSMs are enabled by default.
         selinux=0
         systemd.early_core_pattern=/core
@@ -78,9 +75,6 @@ KernelCommandLine=
         panic=-1
         softlockup_panic=1
         panic_on_warn=1
-        # These don't ship proper units with [Install] directives so we have to mask them instead.
-        systemd.mask=isc-dhcp-server.service
-        systemd.mask=mdmonitor.service
         psi=1
 
 KernelModulesInitrdExclude=.*
diff --git a/mkosi.extra.common/usr/lib/systemd/system.conf.d/10-device-timeout.conf b/mkosi.extra.common/usr/lib/systemd/system.conf.d/10-device-timeout.conf
new file mode 100644
index 00000000000..05fb1f76391
--- /dev/null
+++ b/mkosi.extra.common/usr/lib/systemd/system.conf.d/10-device-timeout.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Manager]
+# Lower the default device timeout so we get a shell earlier if the root device does
+# not appear for some reason.
+DefaultDeviceTimeoutSec=90
diff --git a/mkosi.postinst.chroot b/mkosi.postinst.chroot
index a35f824176b..0f9e361488a 100755
--- a/mkosi.postinst.chroot
+++ b/mkosi.postinst.chroot
@@ -48,6 +48,10 @@ cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
 # Remove to make TEST-73-LOCALE pass on Ubuntu.
 rm -f /etc/default/keyboard
 
+# These don't ship proper units with [Install] directives so we have to mask them instead.
+systemctl mask isc-dhcp-server.service
+systemctl mask mdmonitor.service
+
 # This is executed inside the chroot so no need to disable any features as the default features will match
 # the kernel's supported features.
 SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \
diff --git a/mkosi.sanitizers/mkosi.conf b/mkosi.sanitizers/mkosi.conf
index 0137d4e38d6..0492716ec11 100644
--- a/mkosi.sanitizers/mkosi.conf
+++ b/mkosi.sanitizers/mkosi.conf
@@ -13,10 +13,10 @@ Environment=!SANITIZERS=
 Environment=ASAN_OPTIONS=verify_asan_link_order=0:intercept_tls_get_addr=0
 
 [Content]
+# When modifying these also modify mkosi.extra/usr/lib/systemd/system.conf.d/10-sanitizers.conf. We don't use
+# systemd.setenv here as there's a size limit on the kernel command line and we don't want to trigger it. We
+# don't use ManagerEnvironment= either as we want these to be set for pid1 from the earliest possible moment.
 KernelCommandLine=
         ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
-        systemd.setenv=ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1
         UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
-        systemd.setenv=UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
         LSAN_OPTIONS=suppressions=/usr/lib/systemd/leak-sanitizer-suppressions
-        systemd.setenv=LSAN_OPTIONS=suppressions=/usr/lib/systemd/leak-sanitizer-suppressions
diff --git a/mkosi.sanitizers/mkosi.extra/usr/lib/systemd/system.conf.d/10-sanitizers.conf b/mkosi.sanitizers/mkosi.extra/usr/lib/systemd/system.conf.d/10-sanitizers.conf
new file mode 100644
index 00000000000..a7152a3abe4
--- /dev/null
+++ b/mkosi.sanitizers/mkosi.extra/usr/lib/systemd/system.conf.d/10-sanitizers.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Manager]
+DefaultEnvironment=ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1 \
+                   UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 \
+                   LSAN_OPTIONS=suppressions=/usr/lib/systemd/leak-sanitizer-suppressions
diff --git a/mkosi.sanitizers/mkosi.extra/etc/systemd/system/service.d/10-timeout-abort.conf b/mkosi.sanitizers/mkosi.extra/usr/lib/systemd/system/service.d/10-timeout-abort.conf
similarity index 100%
rename from mkosi.sanitizers/mkosi.extra/etc/systemd/system/service.d/10-timeout-abort.conf
rename to mkosi.sanitizers/mkosi.extra/usr/lib/systemd/system/service.d/10-timeout-abort.conf
diff --git a/mkosi.sanitizers/mkosi.extra/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf b/mkosi.sanitizers/mkosi.extra/usr/lib/systemd/system/systemd-journald.service.d/10-stdout-tty.conf
similarity index 100%
rename from mkosi.sanitizers/mkosi.extra/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf
rename to mkosi.sanitizers/mkosi.extra/usr/lib/systemd/system/systemd-journald.service.d/10-stdout-tty.conf