diff --git a/modules/age.nix b/modules/age.nix
index 86c4447..e45aed5 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -14,6 +14,11 @@ with lib; let
   users = config.users.users;
+  sysusersEnabled =
+    if isDarwin
+    then false
+    else options.systemd ? sysusers;
+
   mountCommand =
     if isDarwin
     then ''
@@ -262,7 +267,28 @@ in {
       ];
     }
-    (optionalAttrs (!isDarwin) {
+    (optionalAttrs sysusersEnabled {
+      # When using sysusers we no longer be started as an activation script because those
+      # are started in initrd while sysusers is started later.
+      systemd.services.agenix-install-secrets = {
+        wantedBy = ["sysinit.target"];
+        after = ["systemd-sysusers.service"];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = pkgs.writeShellScript "agenix-install" (
+            builtins.concatStringsSep "\n" [
+              newGeneration
+              installSecrets
+              chownSecrets
+            ]
+          );
+          RemainAfterExit = true;
+        };
+      };
+    })
+    (optionalAttrs (!isDarwin && !sysusersEnabled) {
       # Create a new directory full of secrets for symlinking (this helps
       # ensure removed secrets are actually removed, or at least become
       # invalid symlinks).
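Review bot: `options.systemd ? sysusers` in the new `sysusersEnabled` binding only tests that the `systemd.sysusers` option is declared, not that it is switched on, so on any NixOS that ships the sysusers module the value is true even when the system still creates its users through activation scripts. On those systems the `agenix-install-secrets` unit defined in the second hunk replaces the activation-script path and is ordered after a `systemd-sysusers.service` that is not doing the user creation, which is likely to leave `chownSecrets` running before the owning users exist. The condition should also consult the option's value, e.g. `else options.systemd ? sysusers && config.systemd.sysusers.enable;` (assuming the standard NixOS `systemd.sysusers.enable` option is what this targets). The enclosing `let` binding list continues outside the hunk.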