diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index fea3c05..c4af393 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -13,11 +13,13 @@
 # Configure all agenix secrets
 age.secrets = {
 # ZFS encryption key
+ # path is set to /etc/zfs-key to match the ZFS dataset keylocation property
 zfs-key = {
 file = ../secrets/zfs-key.age;
 mode = "0400";
 owner = "root";
 group = "root";
+ path = "/etc/zfs-key";
 };
 # Secureboot keys archive
@@ -53,9 +55,9 @@
 slskd_env = {
 file = ../secrets/slskd_env.age;
- mode = "0400";
- owner = "root";
- group = "root";
+ mode = "0500";
+ owner = config.services.slskd.user;
+ group = config.services.slskd.group;
 };
 # Network configuration
diff --git a/modules/zfs.nix b/modules/zfs.nix
index 1df7971..2da4c73 100644
--- a/modules/zfs.nix
+++ b/modules/zfs.nix
@@ -4,24 +4,7 @@
 pkgs,
 ...
 }:
-let
- # DO NOT CHANGE
- # path is set via a zfs property
- zfs-key = "/etc/zfs-key";
-in
 {
- system.activationScripts = {
- # Copy decrypted ZFS key from agenix to expected location
- # /etc is on tmpfs due to impermanence, so no persistent storage risk
- "zfs-key".text = ''
- #!/bin/sh
- rm -f ${zfs-key} || true
- cp ${config.age.secrets.zfs-key.path} ${zfs-key}
- chmod 0400 ${zfs-key}
- chown root:root ${zfs-key}
- '';
- };
-
 boot.zfs.package = pkgs.zfs;
 boot.initrd.kernelModules = [ "zfs" ];
diff --git a/services/soulseek.nix b/services/soulseek.nix
index f9ad21b..21e9bff 100644
--- a/services/soulseek.nix
+++ b/services/soulseek.nix
@@ -6,9 +6,6 @@
 username,
 ...
 }:
-let
- slskd_env = "/etc/slskd_env";
-in
 {
 imports = [
 (lib.serviceMountWithZpool "slskd" "" [
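Review bot: The new comment on `path = "/etc/zfs-key"` drops the `DO NOT CHANGE` warning that the removed zfs.nix block carried, even though the value is now coupled to a ZFS dataset property that lives outside this repository. With agenix's default `symlink = true`, /etc/zfs-key will be a symlink into the agenix generation directory under /run rather than a regular file; `zfs load-key` with a `file://` keylocation should follow it, but that is worth confirming on the next boot, and if a regular file turns out to be required add `symlink = false;` to this secret. Suggested replacement comment: `# DO NOT CHANGE: must equal the dataset's keylocation=file:///etc/zfs-key; agenix installs a symlink here (symlink = true) that resolves under /run (tmpfs), so the key does not land on persistent storage.`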
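Review bot: `mode = "0500"` grants the execute bit on a secrets file that is only ever read, so `mode = "0400";` is the least-privilege choice; the removed activation script used 0500 as well, but this commit is the moment to drop it. Whether service-account ownership is needed at all depends on how services.slskd consumes `environmentFile` — if the NixOS module passes it through systemd's `EnvironmentFile=`, the manager reads it as root before dropping privileges and the `root`/`0400` values being removed here would suffice, so confirm against the module before widening access to the slskd user. The same file is consumed at `environmentFile = config.age.secrets.slskd_env.path;` in the services/soulseek.nix hunk, which inherits whatever mode is chosen here. The module header of age-secrets.nix is outside the hunk; the new `config.services.slskd.user` reference requires `config` to be among its arguments.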
@@ -26,20 +23,10 @@ in
 users.groups."music" = { };
- system.activationScripts = {
- "skskd_env".text = ''
- #!/bin/sh
- rm -fr ${slskd_env} || true
- cp ${config.age.secrets.slskd_env.path} ${slskd_env}
- chmod 0500 ${slskd_env}
- chown ${config.services.slskd.user}:${config.services.slskd.group} ${slskd_env}
- '';
- };
-
 services.slskd = {
 enable = true;
 domain = null; # null so we don't use nginx reverse proxy
- environmentFile = slskd_env;
+ environmentFile = config.age.secrets.slskd_env.path;
 settings = {
 web = {