diff --git a/deploy_nixos/README.md b/deploy_nixos/README.md
index 1346545..77ece95 100644
--- a/deploy_nixos/README.md
+++ b/deploy_nixos/README.md
@@ -106,6 +106,7 @@ see also:
 | extra\_build\_args | List of arguments to pass to the nix builder | `list(string)` | `[]` | no |
 | extra\_eval\_args | List of arguments to pass to the nix evaluation | `list(string)` | `[]` | no |
 | hermetic | Treat the provided nixos configuration as a hermetic expression and do not evaluate using the ambient system nixpkgs. Useful if you customize eval-modules or use a pinned nixpkgs. | `bool` | false | no |
+| arguments | Attribute set passed to hermetic configuration if it is a function. | `map(any)` | `{}` | no |
 | keys | A map of filename to content to upload as secrets in /var/keys | `map(string)` | `{}` | no |
 | nixos\_config | Path to a NixOS configuration | `string` | `""` | no |
 | ssh\_agent | Whether to use an SSH agent. True if not ssh\_private\_key is passed | `bool` | `null` | no |
diff --git a/deploy_nixos/main.tf b/deploy_nixos/main.tf
index 8914a90..871d624 100644
--- a/deploy_nixos/main.tf
+++ b/deploy_nixos/main.tf
@@ -81,6 +81,12 @@ variable "triggers" {
 default = {}
 }
 
+variable "arguments" {
+ type = map(any)
+ description = "A map of values to pass to the Nix expression. It only works form 'hermetic' configurations. For secrets, use 'keys' instead."
+ default = {}
+}
+
 variable "keys" {
 type = map(string)
 description = "A map of filename to content to upload as secrets in /var/keys"
@@ -129,7 +135,8 @@ data "external" "nixos-instantiate" {
 # end of positional arguments
 # start of pass-through arguments
 "--argstr", "system", var.target_system,
- "--arg", "hermetic", var.hermetic
+ "--arg", "hermetic", var.hermetic,
+ "--argstr", "argumentsJson", jsonencode(var.arguments)
 ],
 var.extra_eval_args,
 )
@@ -197,4 +204,3 @@ output "id" {
 description = "random ID that changes on every nixos deployment"
 value = null_resource.deploy_nixos.id
 }
-
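Review bot: The description of the new `arguments` variable has a typo (`form` should be `for`), and `map(any)` is narrower than it reads. Terraform resolves `any` to a single element type, so a map that mixes strings with lists or objects is converted or rejected before `jsonencode` sees it. If nested or mixed values are meant to reach the Nix function, `type = any` would carry them through, with the README row updated to match. The pointer to `keys` for secrets is worth keeping and could state the reason, for example `It only works for 'hermetic' configurations. Values are passed as command-line arguments to nixos-instantiate.sh, so for secrets use 'keys' instead.`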
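Review bot: The new `"--argstr", "argumentsJson", jsonencode(var.arguments)` entry has no comment saying why it uses `--argstr` while the line above it uses `--arg`. With `--argstr` the JSON stays a plain string that the script decodes with `builtins.fromJSON`; a later edit that "aligns" it to `--arg` would have the caller-supplied text evaluated as a Nix expression. I would add above it `# JSON string decoded with builtins.fromJSON in nixos-instantiate.sh; keep --argstr so the value is never evaluated as Nix code`. The `data "external"` block starts and ends outside this hunk, so how `extra_eval_args` interacts with the new argument cannot be checked from here.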
diff --git a/deploy_nixos/nixos-instantiate.sh b/deploy_nixos/nixos-instantiate.sh
index 9ad402d..9906fd3 100755
--- a/deploy_nixos/nixos-instantiate.sh
+++ b/deploy_nixos/nixos-instantiate.sh
@@ -9,11 +9,19 @@ shift 3
 
 
 command=(nix-instantiate --show-trace --expr '
- { system, configuration, hermetic ? false, ... }:
+ { system, configuration, hermetic ? false, argumentsJson, ... }:
 let
+ arguments = builtins.fromJSON argumentsJson;
+
 os =
 if hermetic
- then import configuration
+ then
+ let
+ config = import configuration;
+ in
+ if builtins.isFunction config
+ then config arguments
+ else config
 else import { inherit system configuration; };
 in {
 inherit (builtins) currentSystem;
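Review bot: `argumentsJson` is added to the formals without a default, unlike `hermetic ? false` next to it, so any invocation of this script that does not pass `--argstr argumentsJson …` now fails at evaluation. Giving it a default keeps the script usable on its own: `{ system, configuration, hermetic ? false, argumentsJson ? "{}", ... }:`. Separately, `config arguments` passes every key of the map, so a configuration function with a closed argument set (no `...`) will reject any key it does not declare; that deserves a sentence in the README row for `arguments`. The Nix expression continues past the end of this hunk.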