diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 4a12e17..e5619f3 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -225,7 +225,6 @@ jobs:
             FEDORA_MAJOR_VERSION=${{ matrix.fedora_version }}
             KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
             KERNEL_VERSION=${{ env.KERNEL_VERSION }}
-            RPMFUSION_MIRROR=${{ vars.RPMFUSION_MIRROR }}
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
           extra-args: |
@@ -288,7 +287,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
-      - uses: sigstore/cosign-installer@v3.6.0
+      - uses: sigstore/cosign-installer@v3.7.0
         if: github.event_name != 'pull_request'
 
       - name: Sign container image
diff --git a/Containerfile b/Containerfile
index 2508f7f..b5dd486 100644
--- a/Containerfile
+++ b/Containerfile
@@ -16,7 +16,6 @@ ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
 ARG IMAGE_VENDOR="${IMAGE_VENDOR:-bpbeatty}"
-ARG RPMFUSION_MIRROR=""
 ARG KERNEL_VERSION="${KERNEL_VERSION:-6.9.7-200.fc40.x86_64}"
 
 RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
@@ -41,14 +40,13 @@ ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
 ARG IMAGE_VENDOR="${IMAGE_VENDOR:-bpbeatty}"
-ARG RPMFUSION_MIRROR=""
 
 RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
     --mount=type=bind,from=ctx,src=/,dst=/ctx \
     --mount=type=bind,from=akmods_nvidia,src=/rpms,dst=/tmp/akmods-rpms \
     mkdir -p /var/lib/alternatives && \
     IMAGE_FLAVOR=nvidia /ctx/image-info.sh && \
-    /ctx/nvidia-install.sh && \
+    NVIDIA_FLAVOR=nvidia /ctx/nvidia-install.sh && \
     /ctx/build-initramfs.sh && \
     mv /var/lib/alternatives /staged-alternatives && \
     /ctx/cleanup.sh && \
diff --git a/install.sh b/install.sh
index b66706d..c5c8100 100755
--- a/install.sh
+++ b/install.sh
@@ -9,19 +9,8 @@ if [ "${KERNEL_FLAVOR}" = "main" ]; then
     exit 0
 fi
 
-# after F41 launches, bump to 42
-if [[ "${FEDORA_MAJOR_VERSION}" -ge 41 ]]; then
-    # note: this is done before single mirror hack to ensure this persists in image and is not reset
-    # pre-release rpmfusion is in a different location
-    sed -i "s%free/fedora/releases%free/fedora/development%" /etc/yum.repos.d/rpmfusion-*.repo
-fi
-
-if [ -n "${RPMFUSION_MIRROR}" ]; then
-    # force use of single rpmfusion mirror
-    echo "Using single rpmfusion mirror: ${RPMFUSION_MIRROR}"
-    sed -i.bak "s%^metalink=%#metalink=%" /etc/yum.repos.d/rpmfusion-*.repo
-    sed -i "s%^#baseurl=http://download1.rpmfusion.org%baseurl=${RPMFUSION_MIRROR}%" /etc/yum.repos.d/rpmfusion-*.repo
-fi
+# disable any remaining rpmfusion repos
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/rpmfusion*.repo
 
 # do HWE specific things
 if [ "${KERNEL_FLAVOR}" = "asus" ]; then
@@ -99,10 +88,4 @@ else
     echo "install.sh: post-install for unexpected KERNEL_FLAVOR: ${KERNEL_FLAVOR}"
 fi
 
-if [ -n "${RPMFUSION_MIRROR}" ]; then
-    # reset forced use of single rpmfusion mirror
-    echo "Revert from single rpmfusion mirror: ${RPMFUSION_MIRROR}"
-    rename -v .repo.bak .repo /etc/yum.repos.d/rpmfusion-*repo.bak
-fi
-
 /ctx/build-initramfs.sh
diff --git a/nvidia-install.sh b/nvidia-install.sh
index 8e0d4d7..0530836 100755
--- a/nvidia-install.sh
+++ b/nvidia-install.sh
@@ -4,22 +4,19 @@ set -ouex pipefail
 
 RELEASE="$(rpm -E %fedora)"
 
-sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
+# disable any remaining rpmfusion repos
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/rpmfusion*.repo
 
-# after F41 launches, bump to 42
-if [[ "${FEDORA_MAJOR_VERSION}" -ge 41 ]]; then
-    # note: this is done before single mirror hack to ensure this persists in image and is not reset
-    # pre-release rpmfusion is in a different location
-    sed -i "s%free/fedora/releases%free/fedora/development%" /etc/yum.repos.d/rpmfusion-*.repo
-fi
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
 
 ## nvidia install steps
 rpm-ostree install /tmp/akmods-rpms/ublue-os/ublue-os-nvidia-addons-*.rpm
 
 # enables nvidia repos provided by ublue-os-nvidia-addons
 sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/eyecantcu-supergfxctl.repo
-sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/negativo17-fedora-nvidia.repo
 sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
+#NOTE: nvidia drivers are already provided by negativo17-fedora-multimedia.repo, no need to enable
+#sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/negativo17-fedora-nvidia.repo
 
 source /tmp/akmods-rpms/kmods/nvidia-vars
 
@@ -51,6 +48,10 @@ rpm-ostree install \
 # disables nvidia repos provided by ublue-os-nvidia-addons
 sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/{eyecantcu-supergfxctl,negativo17-fedora-nvidia,nvidia-container-toolkit}.repo
 
+# ensure kernel.conf matches NVIDIA_FLAVOR (which must be nvidia or nvidia-open)
+# kmod-nvidia-common defaults to 'nvidia-open' but this will match our akmod image
+sed -i "s/^MODULE_VARIANT=.*/MODULE_VARIANT=$KERNEL_MODULE_TYPE/" /etc/nvidia/kernel.conf
+
 systemctl enable nvidia-persistenced.service
 
 systemctl enable ublue-nvctk-cdi.service