diff --git a/modules/default.nix b/modules/default.nix index 9272ae0b..66084727 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -10,5 +10,6 @@ ./impermanence ./nixcache.nix ./services + ./sops.nix ]; } diff --git a/modules/impermanence/default.nix b/modules/impermanence/default.nix index e1b073b6..aefa78e5 100644 --- a/modules/impermanence/default.nix +++ b/modules/impermanence/default.nix @@ -7,8 +7,6 @@ with lib; let cfg = config.sane.impermanence; - # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow - secrets-for-users = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {}; getStore = { encryptedClearOnBoot, ... }: ( if encryptedClearOnBoot then { device = "/mnt/impermanence/crypt/clearedonboot"; @@ -300,27 +298,6 @@ in } ) - (lib.mkIf secrets-for-users { - # secret decoding depends on /etc/ssh keys, so make sure those are present. - system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users { - deps = [ "etc" ]; - }; - system.activationScripts.etc.deps = lib.mkForce []; - assertions = builtins.concatLists (builtins.attrValues ( - builtins.mapAttrs - (path: value: [ - { - assertion = (builtins.substring 0 1 value.user) == "+"; - message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking"; - } - { - assertion = (builtins.substring 0 1 value.group) == "+"; - message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking"; - } - ]) - config.environment.etc - )); - }) ]); } diff --git a/modules/sops.nix b/modules/sops.nix new file mode 100644 index 00000000..5db00e5c --- /dev/null +++ b/modules/sops.nix 
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+
+let
+ # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
+ secrets-for-users = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
+ sops-files = config.sops.age.sshKeyPaths ++ config.sops.gnupg.sshKeyPaths ++ [ config.sops.age.keyFile ];
+ keys-in-etc = builtins.any (p: builtins.substring 0 5 p == "/etc/") sops-files;
+in
+{
+ config = lib.mkIf (secrets-for-users && keys-in-etc) {
+ # secret decoding depends on keys in /etc/ (like the ssh host key), so make sure those are present.
+ system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
+ deps = [ "etc" ];
+ };
+ # TODO: we should selectively remove "users" and "groups", but keep manually specified deps?
+ system.activationScripts.etc.deps = lib.mkForce [];
+ assertions = builtins.concatLists (builtins.attrValues (
+ builtins.mapAttrs
+ (path: value: [
+ {
+ assertion = (builtins.substring 0 1 value.user) == "+";
+ message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
+ }
+ {
+ assertion = (builtins.substring 0 1 value.group) == "+";
+ message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
+ }
+ ])
+ config.environment.etc
+ ));
+ };
+}
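Review bot: `sops-files` in the new file's `let` block appends `config.sops.age.keyFile` unconditionally, and `keys-in-etc` then runs `builtins.substring` over every entry; if that option is left unset (it defaults to null in sops-nix, as far as I recall) evaluation fails with a type error rather than simply not matching. Guarding it with `++ lib.optional (config.sops.age.keyFile != null) config.sops.age.keyFile` avoids that, and the prefix test reads more naturally as `keys-in-etc = builtins.any (lib.hasPrefix "/etc/") sops-files;`. The inner `lib.mkIf secrets-for-users` on `setupSecretsForUsers` is now redundant, since the whole `config` attrset is already gated on `secrets-for-users && keys-in-etc`. `lib.mkForce []` on `system.activationScripts.etc.deps` also discards deps other modules may have added, which the TODO acknowledges but the assertions only cover the numeric user/group case; a short comment stating that this is the accepted tradeoff would help the next reader.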