diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index b1b6c63d..6c253155 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -82,19 +82,8 @@ in
 ];
 };
- systemd.services.sane-sops = {
- # TODO: it would be better if we could inject the right dependency into setupSecrets instead of patching like this.
- # /run/current-system/activate contains the precise ordering logic.
- # it's largely unaware of systemd.
- # maybe we could insert some activation script which simply waits for /etc/ssh to appear?
- description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
- script = ''
- ${config.system.activationScripts.setupSecrets.text}
- ${config.system.activationScripts.linkIwdKeys.text}
- '';
- after = [ "fs-local.target" ];
- wantedBy = [ "multi-user.target" ];
- };
+ # secret decoding depends on /etc/ssh keys, which are persisted
+ system.activationScripts.setupSecrets.deps = [ "persist-files" ];
 };
 }
diff --git a/modules/universal/net.nix b/modules/universal/net.nix
index 3b4433fb..4ae4d173 100644
--- a/modules/universal/net.nix
+++ b/modules/universal/net.nix
@@ -22,6 +22,7 @@
 networking.wireless.iwd.enable = true;
 networking.networkmanager.wifi.backend = "iwd";
+ # TODO: don't need to depend on binsh if we were to use a nix-style shebang
 system.activationScripts.linkIwdKeys = let
 unwrapped = ../../scripts/install-iwd;
 install-iwd = pkgs.writeShellApplication {
@@ -30,7 +31,7 @@
 text = ''${unwrapped} "$@"'';
 };
 in (lib.stringAfter
- [ "setupSecrets" ]
+ [ "setupSecrets" "binsh" ]
 ''
 mkdir -p /var/lib/iwd
 ${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
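Review bot: The new `system.activationScripts.setupSecrets.deps = [ "persist-files" ];` only solves the ordering problem if `persist-files` is the activation script that actually populates /etc/ssh at activation time; the service being removed ordered its re-run after `fs-local.target`, which hints that the host keys may previously have been provided by a systemd mount, and an activation-script dependency cannot wait for a systemd unit. If that is still how /etc/ssh appears on a fresh boot, sops-nix will run before the decryption key exists and every secret-consuming service will start without its secrets, so it is worth confirming where /etc/ssh comes from before dropping the service. The added comment could record the mechanism being relied on, e.g. `# sops-nix decrypts with the host ssh key; persist-files is the activation script that restores /etc/ssh, so setupSecrets must run after it` (that `persist-files` is the persisting script is inferred from its name, not visible here). This list presumably merges with the deps sops-nix already declares on setupSecrets rather than replacing them, so it only adds a constraint; the enclosing attribute set starts outside the hunk.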
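Review bot: Adding `"binsh"` to the `lib.stringAfter` deps is the right ordering fix for a script that executes `${unwrapped}` via its `/bin/sh` shebang, but the TODO added in the previous hunk of this file can be resolved in this same wrapper instead of deferred: invoking the file through the wrapper's own interpreter, `text = ''${pkgs.runtimeShell} ${unwrapped} "$@"'';`, removes the dependency on `/bin/sh` existing at activation time (assuming `scripts/install-iwd` is a POSIX/bash script, which is not visible here). Separately, the context line `mkdir -p /var/lib/iwd` creates the directory that receives the iwd credentials copied from /run/secrets/iwd with whatever mode the activation umask yields; `install -d -m 0700 /var/lib/iwd` would pin it to root-only independent of what install-iwd does with the file modes. The `stringAfter` body and the enclosing `let … in` continue past the end of the hunk.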