diff --git a/Schutzfile b/Schutzfile
index 3f6625304e..c47bd7efa2 100644
--- a/Schutzfile
+++ b/Schutzfile
@@ -8,7 +8,7 @@
   "fedora-39": {
     "dependencies": {
       "osbuild": {
-        "commit": "ec496769c5905bc07264ffdb26f6facb3cb3cdd6"
+        "commit": "6549bf1992b9731d52df5416584fab3f014a421f"
       }
     },
     "repos": [
diff --git a/pkg/distro/rhel/rhel10/ami.go b/pkg/distro/rhel/rhel10/ami.go
index e61d985348..714f27899a 100644
--- a/pkg/distro/rhel/rhel10/ami.go
+++ b/pkg/distro/rhel/rhel10/ami.go
@@ -125,7 +125,7 @@ func baseEc2ImageConfig() *distro.ImageConfig {
 				Dropin: "10-rh-enable-for-ec2.conf",
 				Config: osbuild.SystemdServiceUnitDropin{
 					Service: &osbuild.SystemdUnitServiceSection{
-						Environment: "NM_CLOUD_SETUP_EC2=yes",
+						Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_EC2", Value: "yes"}},
 					},
 				},
 			},
diff --git a/pkg/distro/rhel/rhel10/azure.go b/pkg/distro/rhel/rhel10/azure.go
index 28f3b362ef..2d748363d5 100644
--- a/pkg/distro/rhel/rhel10/azure.go
+++ b/pkg/distro/rhel/rhel10/azure.go
@@ -294,7 +294,7 @@ var defaultAzureImageConfig = &distro.ImageConfig{
 			Dropin: "10-rh-enable-for-azure.conf",
 			Config: osbuild.SystemdServiceUnitDropin{
 				Service: &osbuild.SystemdUnitServiceSection{
-					Environment: "NM_CLOUD_SETUP_AZURE=yes",
+					Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_AZURE", Value: "yes"}},
 				},
 			},
 		},
diff --git a/pkg/distro/rhel/rhel8/ami.go b/pkg/distro/rhel/rhel8/ami.go
index fc9386023c..1c9e3bbe58 100644
--- a/pkg/distro/rhel/rhel8/ami.go
+++ b/pkg/distro/rhel/rhel8/ami.go
@@ -269,7 +269,7 @@ func baseEc2ImageConfig() *distro.ImageConfig {
 				Dropin: "10-rh-enable-for-ec2.conf",
 				Config: osbuild.SystemdServiceUnitDropin{
 					Service: &osbuild.SystemdUnitServiceSection{
-						Environment: "NM_CLOUD_SETUP_EC2=yes",
+						Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_EC2", Value: "yes"}},
 					},
 				},
 			},
diff --git a/pkg/distro/rhel/rhel8/azure.go b/pkg/distro/rhel/rhel8/azure.go
index a4d3170501..b078de050b 100644
--- a/pkg/distro/rhel/rhel8/azure.go
+++ b/pkg/distro/rhel/rhel8/azure.go
@@ -644,7 +644,7 @@ var defaultAzureImageConfig = &distro.ImageConfig{
 			Dropin: "10-rh-enable-for-azure.conf",
 			Config: osbuild.SystemdServiceUnitDropin{
 				Service: &osbuild.SystemdUnitServiceSection{
-					Environment: "NM_CLOUD_SETUP_AZURE=yes",
+					Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_AZURE", Value: "yes"}},
 				},
 			},
 		},
diff --git a/pkg/distro/rhel/rhel9/ami.go b/pkg/distro/rhel/rhel9/ami.go
index 53025e07c3..2326a6acde 100644
--- a/pkg/distro/rhel/rhel9/ami.go
+++ b/pkg/distro/rhel/rhel9/ami.go
@@ -126,7 +126,7 @@ func baseEc2ImageConfig() *distro.ImageConfig {
 				Dropin: "10-rh-enable-for-ec2.conf",
 				Config: osbuild.SystemdServiceUnitDropin{
 					Service: &osbuild.SystemdUnitServiceSection{
-						Environment: "NM_CLOUD_SETUP_EC2=yes",
+						Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_EC2", Value: "yes"}},
 					},
 				},
 			},
diff --git a/pkg/distro/rhel/rhel9/azure.go b/pkg/distro/rhel/rhel9/azure.go
index fafbc5277b..04ad0a2590 100644
--- a/pkg/distro/rhel/rhel9/azure.go
+++ b/pkg/distro/rhel/rhel9/azure.go
@@ -593,7 +593,7 @@ var defaultAzureImageConfig = &distro.ImageConfig{
 			Dropin: "10-rh-enable-for-azure.conf",
 			Config: osbuild.SystemdServiceUnitDropin{
 				Service: &osbuild.SystemdUnitServiceSection{
-					Environment: "NM_CLOUD_SETUP_AZURE=yes",
+					Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_AZURE", Value: "yes"}},
 				},
 			},
 		},
diff --git a/pkg/osbuild/systemd_unit_create_stage.go b/pkg/osbuild/systemd_unit_create_stage.go
index 19eea44b80..e4bd4b8ae2 100644
--- a/pkg/osbuild/systemd_unit_create_stage.go
+++ b/pkg/osbuild/systemd_unit_create_stage.go
@@ -1,5 +1,10 @@
 package osbuild
 
+import (
+	"fmt"
+	"regexp"
+)
+
 type serviceType string
 type unitPath string
 
@@ -26,11 +31,13 @@ type Unit struct {
 }
 
 type Service struct {
-	Type            serviceType `json:"Type,omitempty"`
-	RemainAfterExit bool        `json:"RemainAfterExit,omitempty"`
-	ExecStartPre    []string    `json:"ExecStartPre,omitempty"`
-	ExecStopPost    []string    `json:"ExecStopPost,omitempty"`
-	ExecStart       []string    `json:"ExecStart,omitempty"`
+	Type            serviceType           `json:"Type,omitempty"`
+	RemainAfterExit bool                  `json:"RemainAfterExit,omitempty"`
+	ExecStartPre    []string              `json:"ExecStartPre,omitempty"`
+	ExecStopPost    []string              `json:"ExecStopPost,omitempty"`
+	ExecStart       []string              `json:"ExecStart,omitempty"`
+	Environment     []EnvironmentVariable `json:"Environment,omitempty"`
+	EnvironmentFile []string              `json:"EnvironmentFile,omitempty"`
 }
 
 type Install struct {
@@ -53,7 +60,22 @@ type SystemdUnitCreateStageOptions struct {
 
 func (SystemdUnitCreateStageOptions) isStageOptions() {}
 
+func (o *SystemdUnitCreateStageOptions) validate() error {
+	vre := regexp.MustCompile(envVarRegex)
+	if service := o.Config.Service; service != nil {
+		for _, envVar := range service.Environment {
+			if !vre.MatchString(envVar.Key) {
+				return fmt.Errorf("variable name %q doesn't conform to schema (%s)", envVar.Key, envVarRegex)
+			}
+		}
+	}
+	return nil
+}
+
 func NewSystemdUnitCreateStageOptions(options *SystemdUnitCreateStageOptions) *Stage {
+	if err := options.validate(); err != nil {
+		panic(err)
+	}
 	return &Stage{
 		Type:    "org.osbuild.systemd.unit.create",
 		Options: options,
diff --git a/pkg/osbuild/systemd_unit_stage.go b/pkg/osbuild/systemd_unit_stage.go
index b46094e977..0d1326091d 100644
--- a/pkg/osbuild/systemd_unit_stage.go
+++ b/pkg/osbuild/systemd_unit_stage.go
@@ -1,5 +1,10 @@
 package osbuild
 
+import (
+	"fmt"
+	"regexp"
+)
+
 type unitType string
 
 const (
@@ -16,7 +21,22 @@ type SystemdUnitStageOptions struct {
 
 func (SystemdUnitStageOptions) isStageOptions() {}
 
+func (o *SystemdUnitStageOptions) validate() error {
+	vre := regexp.MustCompile(envVarRegex)
+	if service := o.Config.Service; service != nil {
+		for _, envVar := range service.Environment {
+			if !vre.MatchString(envVar.Key) {
+				return fmt.Errorf("variable name %q doesn't conform to schema (%s)", envVar.Key, envVarRegex)
+			}
+		}
+	}
+	return nil
+}
+
 func NewSystemdUnitStage(options *SystemdUnitStageOptions) *Stage {
+	if err := options.validate(); err != nil {
+		panic(err)
+	}
 	return &Stage{
 		Type:    "org.osbuild.systemd.unit",
 		Options: options,
@@ -32,7 +52,8 @@ type SystemdServiceUnitDropin struct {
 // 'Service' configuration section of a unit file
 type SystemdUnitServiceSection struct {
 	// Sets environment variables for executed process
-	Environment string `json:"Environment,omitempty"`
+	Environment     []EnvironmentVariable `json:"Environment,omitempty"`
+	EnvironmentFile []string              `json:"EnvironmentFile,omitempty"`
 }
 
 // 'Unit' configuration section of a unit file