diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index 7d8b7d4e..2d9f8768 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -80,7 +80,7 @@
                     add_header 'access-control-allow-origin' '*' always;
                     add_header 'access-control-allow-methods' 'GET, HEAD, POST, PUT, DELETE, OPTIONS' always;
                     add_header 'access-control-allow-headers' 'X-Requested-With, Content-Type, Authorization, Date' always;
-                 '';
+                  '';
                   priority = 1;
                 };
                 "/".return = "307 https://www.vanpetegem.me$request_uri";
diff --git a/modules/base/zfs/default.nix b/modules/base/zfs/default.nix
index e6d5ccb7..17344e0b 100644
--- a/modules/base/zfs/default.nix
+++ b/modules/base/zfs/default.nix
@@ -89,22 +89,36 @@
       };
     };
 
+    system.activationScripts =
+      let
+        ensureSystemExistsScript = lib.concatStringsSep "\n" (map (path: ''mkdir -p "${path}"'') config.chvp.base.zfs.ensureSystemExists);
+        ensureHomeExistsScript = lib.concatStringsSep "\n" (map (path: ''mkdir -p "/home/charlotte/${path}"; chown charlotte:users /home/charlotte/${path};'') config.chvp.base.zfs.ensureHomeExists);
+      in
+      {
+        ensureSystemPathsExist = {
+          text = ensureSystemExistsScript;
+          deps = [ "agenixMountSecrets" ];
+        };
+        agenixRoot.deps = [ "ensureSystemPathsExist" ];
+        ensureHomePathsExist = {
+          text = ''
+            mkdir -p /home/charlotte/
+            ${ensureHomeExistsScript}
+          '';
+          deps = [ "users" "groups" ];
+        };
+        agenix.deps = [ "ensureHomePathsExist" ];
+      };
+
     systemd.services =
       let
         makeLinkScript = config: lib.concatStringsSep "\n" (map (location: ''mkdir -p "${location.path}"'') config);
-        ensureSystemExistsScript = lib.concatStringsSep "\n" (map (path: ''mkdir -p "${path}"'') config.chvp.base.zfs.ensureSystemExists);
         systemLinksScript = makeLinkScript config.chvp.base.zfs.systemLinks;
-        ensureHomeExistsScript = lib.concatStringsSep "\n" (map (path: ''mkdir -p "${path}"'') config.chvp.base.zfs.ensureHomeExists);
         homeLinksScript = makeLinkScript config.chvp.base.zfs.homeLinks;
       in
       {
         make-system-links-destinations = {
-          script = ''
-            ${ensureSystemExistsScript}
-            ${systemLinksScript}
-            mkdir -p /home/charlotte
-            chown charlotte:users /home/charlotte
-          '';
+          script = systemLinksScript;
           after = [ "local-fs.target" ];
           wants = [ "local-fs.target" ];
           before = [ "shutdown.target" "sysinit.target" ];
@@ -121,10 +135,7 @@
         };
 
         make-home-links-destinations = {
-          script = ''
-            ${ensureHomeExistsScript}
-            ${homeLinksScript}
-          '';
+          script = homeLinksScript;
           after = [ "local-fs.target" "make-system-links-destinations.service" ];
           wants = [ "local-fs.target" "make-system-links-destinations.service" ];
           before = [ "shutdown.target" "sysinit.target" ];