fix: workaround for #54

modules/age.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 
 with lib;
 
@@ -103,18 +103,29 @@ in
       '';
     };
   };
-  config = mkIf (cfg.secrets != { }) {
+  config = mkIf (cfg.secrets != { }) (mkMerge [
-    assertions = [{
-      assertion = cfg.sshKeyPaths != [ ];
-      message = "age.sshKeyPaths must be set.";
-    }];
 
-    # Secrets with root owner and group can be installed before users
+    {
-    # exist. This allows user password files to be encrypted.
+      assertions = [{
-    system.activationScripts.agenixRoot = stringAfter [ "specialfs" ] installRootOwnedSecrets;
+        assertion = cfg.sshKeyPaths != [ ];
-    system.activationScripts.users.deps = [ "agenixRoot" ];
+        message = "age.sshKeyPaths must be set.";
+      }];
 
-    # Other secrets need to wait for users and groups to exist.
+      # Secrets with root owner and group can be installed before users
-    system.activationScripts.agenix = stringAfter [ "users" "groups" "specialfs" ] installNonRootSecrets;
+      # exist. This allows user password files to be encrypted.
-  };
+      system.activationScripts.agenixRoot = stringAfter [ "specialfs" ] installRootOwnedSecrets;
+      system.activationScripts.users.deps = [ "agenixRoot" ];
+
+      # Other secrets need to wait for users and groups to exist.
+      system.activationScripts.agenix = stringAfter [ "users" "groups" "specialfs" ] installNonRootSecrets;
+
+    }
+
+    # workaround for #54
+    (optionalAttrs (builtins.hasAttr "dryActivationScript" options.system) {
+      system.activationScripts.users.supportsDryActivation = mkForce false;
+      system.activationScripts.groups.supportsDryActivation = mkForce false;
+    })
+
+  ]);
 }