diff --git a/custom/modules/secrets-store.nix b/custom/modules/secrets-store.nix
index 20bec88..9a27f11 100644
--- a/custom/modules/secrets-store.nix
+++ b/custom/modules/secrets-store.nix
@@ -39,7 +39,7 @@ let
 apply = toString;
 description = "File to include in the secret store";
 };
- };
+ };
 # Turns a nested attrset into a list
 # of (path, value) pairs. It recurs
@@ -55,9 +55,11 @@ let
 isFile = v: isAttrs v && v.path != "";
- # Secrets flattened to an index. This is needed
+ # Secret files flattened to an index. This is needed
 # to iterate over the set.
- flatSecrets = attrsToIndex (v: !isFile v) cfg;
+ secretFiles =
+ filter (pair: isFile pair.value)
+ (attrsToIndex (v: !isFile v) cfg);
 # Secrets with paths rewritten to the store location
 storedSecrets = mapAttrsRecursiveCond (v: !isFile v)
@@ -99,27 +101,41 @@ in {
 '';
 };
- # The user activation script may need access to secrets
- config.system.activationScripts.users.deps = [ "secretsStore" ];
+ # The `users` activation script may need access to secrets
+ config.system.activationScripts.users.deps = [ "secrets-copy" ];
- config.system.activationScripts.secretsStore = {
- deps = [ "stdio" ];
+ # Install secrets, first
+ config.system.activationScripts.secrets-copy = {
+ deps = [ ];
 text = ''
- # Initialise clean directory
+ echo setting up secrets store...
 rm -rf /run/secrets
 '' + concatMapStrings (pair:
 let
 name = "${concatStringsSep "-" pair.path}";
 secret = pair.value;
 in
- optionalString (isFile secret) ''
 # Install secret ${name}
- install -m ${secret.mode} \
- -o ${secret.user} -g ${secret.group} \
- -D ${secret.path} /run/secrets/${name}
- '') flatSecrets;
+ install -m ${secret.mode} -D ${secret.path} /run/secrets/${name}
+ '') secretFiles;
+ };
+
+ # Set secrets ownership, later because the
+ # `user` activation script hasn't run yet.
+ config.system.activationScripts.secrets-own = {
+ deps = [ "secrets-copy" "users" ];
+ text = concatMapStrings (pair:
+ let
+ name = "${concatStringsSep "-" pair.path}";
+ secret = pair.value;
+ in
+ ''
+ echo setting secrets store ownership...
+ # Set ownership of ${name}
+ chown ${secret.user}:${secret.group} /run/secrets/${name}
+ '') secretFiles;
 };
 }
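Review bot: `echo setting secrets store ownership...` sits inside the per-secret body passed to concatMapStrings in secrets-own, so it is printed once per secret file, unlike the matching echo in secrets-copy which runs once before the loop; move it ahead of the call, e.g. `text = "echo setting secrets store ownership...\n" + concatMapStrings (pair:`. Separately, splitting the old single install into secrets-copy and secrets-own means the file carries `${secret.mode}` while still owned by the account running activation (presumably root) and only later gets `${secret.user}:${secret.group}`, so any group bits in the mode apply to the wrong group during that window, and presumably remain so if secrets-own does not run; installing root-only first and applying the mode after ownership avoids that: `install -m 0400 -D ${secret.path} /run/secrets/${name}` in secrets-copy, then `chown ${secret.user}:${secret.group} /run/secrets/${name}` followed by `chmod ${secret.mode} /run/secrets/${name}` in secrets-own. The comment `# \`user\` activation script hasn't run yet.` should say `users`, matching the name listed in `deps`.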