I don't have a direct answer for you, but perhaps another way. We have the .network-autostart script setup and it pulls the updates that we have made since imaging over the summer. However, in the update.sh there is a check for a file
#!/bin/bash
if [ ! -e /etc/updated.txt ]
then
your code
sudo echo > /etc/updated.txt
fi
That way the script code only runs on a system once and, if a system is restored the script runs on first boot. So it is like the change is a permanent part of the read-only/generic file system.