diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6345634..e48411b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,7 +9,9 @@ jobs:
 - uses: actions/checkout@v3
 - uses: cachix/install-nix-action@v22
 with:
- extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
+ extra_nix_config: |
+ system-features = nixos-test recursive-nix benchmark big-parallel kvm
+ extra-experimental-features = recursive-nix nix-command flakes
 - run: nix build
 - run: nix build .#doc
 - run: nix fmt . -- --check
diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix
index 7ce6de2..987d679 100644
--- a/pkgs/agenix.nix
+++ b/pkgs/agenix.nix
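Review bot: The added `extra-experimental-features = recursive-nix nix-command flakes` line carries no comment saying why the CI builder now needs recursive Nix, and because it is set in the action's global config it applies to every `nix build` step of the job, not only the one that needs it. It is presumably required by the new install check in pkgs/agenix.nix, which runs the agenix CLI (and through it nix-instantiate) inside the build sandbox. Suggest a YAML comment above the line such as `# recursive-nix: the agenix installCheck runs the CLI, which calls nix-instantiate inside the sandbox`.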
@@ -9,29 +9,54 @@
 substituteAll,
 ageBin ? "${age}/bin/age",
 shellcheck,
-}:
-stdenv.mkDerivation rec {
- pname = "agenix";
- version = "0.15.0";
- src = substituteAll {
- inherit ageBin version;
- jqBin = "${jq}/bin/jq";
- nixInstantiate = "${nix}/bin/nix-instantiate";
- mktempBin = "${mktemp}/bin/mktemp";
- diffBin = "${diffutils}/bin/diff";
- src = ./agenix.sh;
- };
- dontUnpack = true;
+}: let
+ bin = "${placeholder "out"}/bin/agenix";
+in
+ stdenv.mkDerivation rec {
+ pname = "agenix";
+ version = "0.15.0";
+ src = substituteAll {
+ inherit ageBin version;
+ jqBin = "${jq}/bin/jq";
+ nixInstantiate = "${nix}/bin/nix-instantiate";
+ mktempBin = "${mktemp}/bin/mktemp";
+ diffBin = "${diffutils}/bin/diff";
+ src = ./agenix.sh;
+ };
+ dontUnpack = true;
+ doInstallCheck = true;
+ installCheckInputs = [shellcheck];
+ postInstallCheck = ''
+ shellcheck ${bin}
+ ${bin} -h | grep ${version}
 
- doCheck = true;
- checkInputs = [shellcheck];
- postCheck = ''
- shellcheck $src
- '';
+ HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
+ function cleanup {
+ rm -rf $HOME
+ }
+ trap "cleanup" 0 2 3 15
 
- installPhase = ''
- install -D $src ${placeholder "out"}/bin/agenix
- '';
+ mkdir -p $HOME/.ssh
+ cp -r "${../example}" $HOME/secrets
+ chmod -R u+rw $HOME/secrets
+ (
+ umask u=rw,g=r,o=r
+ cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
+ chown $UID $HOME/.ssh/id_ed25519.pub
+ )
+ (
+ umask u=rw,g=,o=
+ cp ${../example_keys/user1} $HOME/.ssh/id_ed25519
+ chown $UID $HOME/.ssh/id_ed25519
+ )
 
- meta.description = "age-encrypted secrets for NixOS";
-}
+ cd $HOME/secrets
+ test $(${bin} -d secret1.age) = "hello"
+ '';
+
+ installPhase = ''
+ install -D $src ${bin}
+ '';
+
+ meta.description = "age-encrypted secrets for NixOS";
+ }
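Review bot: The new postInstallCheck runs `${bin} -d secret1.age` inside the build sandbox, which — given the `nixInstantiate` substitution and the recursive-nix feature this same commit enables in CI — presumably invokes nix-instantiate from within the build, yet the derivation never declares that requirement, so on a builder without `recursive-nix` in its system-features the check fails instead of being scheduled only where it can run. Adding `requiredSystemFeatures = ["recursive-nix"];` next to `doInstallCheck = true;` makes the constraint explicit. Separately, `rm -rf $HOME` in `cleanup` and the other `$HOME` expansions are unquoted; `rm -rf "$HOME"` is the safer spelling, and a one-line comment saying that HOME is redirected to a throwaway directory so the CLI's `~/.ssh` key lookup finds the bundled example keys would help the next reader. The argument set that the hunk's `}:` closes opens before the hunk.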