diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix
index e712fac17a46..ac4cd752615d 100644
--- a/nixos/modules/virtualisation/azure-agent.nix
+++ b/nixos/modules/virtualisation/azure-agent.nix
@@ -202,6 +202,13 @@ in
 
     services.udev.packages = [ pkgs.waagent ];
 
+    # Provide waagent-shipped udev rules in initrd too.
+    boot.initrd.services.udev.packages = [ pkgs.waagent ];
+    # udev rules shell out to chmod, cut and readlink, which are all
+    # provided by pkgs.coreutils, which is in services.udev.path, but not
+    # boot.initrd.services.udev.binPackages.
+    boot.initrd.services.udev.binPackages = [ pkgs.coreutils ];
+
     networking.dhcpcd.persistent = true;
 
     services.logrotate = {
@@ -245,6 +252,27 @@ in
         pkgs.e2fsprogs
         pkgs.bash
 
+        pkgs.findutils
+        pkgs.gnugrep
+        pkgs.gnused
+        pkgs.iproute2
+        pkgs.iptables
+
+        # for hostname
+        pkgs.nettools
+
+        pkgs.openssh
+        pkgs.openssl
+        pkgs.parted
+
+        # for pidof
+        pkgs.procps
+
+        # for useradd, usermod
+        pkgs.shadow
+
+        pkgs.util-linux # for (u)mount, fdisk, sfdisk, mkswap
+
         # waagent's Microsoft.OSTCExtensions.VMAccessForLinux needs Python 3
         pkgs.python39
 
diff --git a/pkgs/applications/networking/cluster/waagent/default.nix b/pkgs/applications/networking/cluster/waagent/default.nix
index d71e9fb7fb7d..45fc40384763 100644
--- a/pkgs/applications/networking/cluster/waagent/default.nix
+++ b/pkgs/applications/networking/cluster/waagent/default.nix
@@ -1,25 +1,18 @@
-{ fetchFromGitHub,
-  findutils,
-  gnugrep,
-  gnused,
-  iproute2,
-  iptables,
-  lib,
-  nettools, # for hostname
-  openssh,
-  openssl,
-  parted,
-  procps, # for pidof,
-  python39, # the latest python version that waagent test against according to https://github.com/Azure/WALinuxAgent/blob/28345a55f9b21dae89472111635fd6e41809d958/.github/workflows/ci_pr.yml#L75
-  shadow, # for useradd, usermod
-  util-linux, # for (u)mount, fdisk, sfdisk, mkswap
+{ bash
+, coreutils
+, fetchFromGitHub
+, lib
+, python39
+, substituteAll
 }:
 
 let
   inherit (lib) makeBinPath;
+  # the latest python version that waagent test against according to https://github.com/Azure/WALinuxAgent/blob/28345a55f9b21dae89472111635fd6e41809d958/.github/workflows/ci_pr.yml#L75
+  python = python39;
 
 in
-python39.pkgs.buildPythonPackage rec {
+python.pkgs.buildPythonApplication rec {
   pname = "waagent";
   version = "2.8.0.11";
   src = fetchFromGitHub {
@@ -29,44 +22,54 @@ python39.pkgs.buildPythonPackage rec {
     sha256 = "0fvjanvsz1zyzhbjr2alq5fnld43mdd776r2qid5jy5glzv0xbhf";
   };
   patches = [
-    # Suppress the following error when waagent try to configure sshd:
+    # Suppress the following error when waagent tries to configure sshd:
     # Read-only file system: '/etc/ssh/sshd_config'
     ./dont-configure-sshd.patch
   ];
   doCheck = false;
 
-  buildInputs = with python39.pkgs; [ distro ];
-  runtimeDeps = [
-    findutils
-    gnugrep
-    gnused
-    iproute2
-    iptables
-    nettools # for hostname
-    openssh
-    openssl
-    parted
-    procps # for pidof
-    shadow # for useradd, usermod
-    util-linux # for (u)mount, fdisk, sfdisk, mkswap
-  ];
-
-  fixupPhase = ''
-     mkdir -p $out/bin/
-     WAAGENT=$(find $out -name waagent | grep sbin)
-     cp $WAAGENT $out/bin/waagent
-     wrapProgram "$out/bin/waagent" \
-         --prefix PYTHONPATH : $PYTHONPATH \
-         --prefix PATH : "${makeBinPath runtimeDeps}"
-     patchShebangs --build "$out/bin/"
+  # azure-product-uuid chmod rule invokes chmod to change the mode of
+  # product_uuid (which is not a device itself).
+  # Replace this with an absolute path.
+  postPatch = ''
+    substituteInPlace config/99-azure-product-uuid.rules \
+      --replace "/bin/chmod" "${coreutils}/bin/chmod"
   '';
 
+  propagatedBuildInputs = [ python.pkgs.distro ];
+
+  # The udev rules are placed to the wrong place.
+  # Move them to their default location.
+  # Keep $out/${python.sitePackages}/usr/sbin/waagent where it is.
+  # waagent re-executes itself in UpdateHandler.run_latest, even if autoupdate
+  # is disabled, manually spawning a python interprever with argv0.
+  # We can't use the default python program wrapping mechanism, as it uses
+  # wrapProgram which doesn't support --argv0.
+  # So instead we make our own wrapper in $out/bin/waagent, setting PATH and
+  # PYTHONPATH.
+  # PATH contains our PYTHON, and PYTHONPATH stays set, so this should somewhat
+  # still work.
+  preFixup = ''
+    mv $out/${python.sitePackages}/etc $out/
+
+    buildPythonPath
+
+    mkdir -p $out/bin
+    makeWrapper $out/${python.sitePackages}/usr/sbin/waagent $out/bin/waagent \
+      --set PYTHONPATH $PYTHONPATH \
+      --prefix PATH : $program_PATH \
+      --argv0 $out/${python.sitePackages}/usr/sbin/waagent
+  '';
+
+  dontWrapPythonPrograms = false;
+
   meta = {
-    description = "The Microsoft Azure Linux Agent (waagent)
-                   manages Linux provisioning and VM interaction with the Azure
-                   Fabric Controller";
+    description = "The Microsoft Azure Linux Agent (waagent)";
+    longDescription = ''
+      The Microsoft Azure Linux Agent (waagent)
+      manages Linux provisioning and VM interaction with the Azure
+      Fabric Controller'';
     homepage = "https://github.com/Azure/WALinuxAgent";
     license = with lib.licenses; [ asl20 ];
   };
-
 }