diff --git a/common/secrets-permissions.nix b/common/secrets-permissions.nix index faa0b3c..ac13558 100644 --- a/common/secrets-permissions.nix +++ b/common/secrets-permissions.nix @@ -1,24 +1,37 @@ # This module enforces permissions on secrets stored on the machines. -{ config, ... }: +{ config, lib, ... }: +with lib; + +let + cfg = config.custom.secrets; +in { - system.activationScripts."secrets-permissions" = '' - # Default to restrictive permissions on secrets. - # Root can alway read/write/traverse directories no matter the permissions - # set. + options.custom.secrets = { + extraCommands = mkOption { + default = ""; + type = types.lines; + description = lib.mdDoc "extra commands to populate /etc/secrets"; + }; + }; - mkdir -p /etc/secrets + config = { + system.activationScripts."secrets-permissions" = '' + # Default to restrictive permissions on secrets. + # Root can alway read/write/traverse directories no matter the permissions + # set. - chown --recursive root:root /etc/secrets - chmod --recursive 600 /etc/secrets + mkdir -p /etc/secrets - # Relax permissions on some secrets. + chown --recursive root:root /etc/secrets + chmod --recursive 600 /etc/secrets - # The top directory must be readable and traversable by thoses who need to - # access secrets. - chmod 755 /etc/secrets + # Relax permissions on some secrets. - # ... add chowns & chmods to specific users/groups when needed - ''; + # The top directory must be readable and traversable by thoses who need to + # access secrets. + chmod 755 /etc/secrets + '' + cfg.extraCommands; + }; } \ No newline at end of file diff --git a/pastila/smtp.nix b/pastila/smtp.nix index 8ab9ab2..437711a 100644 --- a/pastila/smtp.nix +++ b/pastila/smtp.nix 
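Review bot: `'' + cfg.extraCommands` is spliced into an activation script that declares no ordering dependency, so on a fresh system any chown in extraCommands to a service account (the pastila/smtp.nix consumer appears to target exim, though its chown lines are not visible here) can run before the `users`/`groups` activation has created that account; wrapping it as `system.activationScripts."secrets-permissions" = lib.stringAfter [ "users" "groups" ] (''` … `'' + cfg.extraCommands);` pins that order. The description `"extra commands to populate /etc/secrets"` also understates the contract: the base script first resets everything under /etc/secrets to root:root 600 on every activation and only then runs these commands as root, so they must be idempotent and re-apply any relaxed ownership or mode each run — worth stating, e.g. `"shell run as root after /etc/secrets has been reset to root:root 0600 on each activation; must re-apply any relaxed ownership/mode every run"`. Minor: with `with lib;` in scope, `lib.mdDoc` could simply be `mdDoc` (or drop `with lib;` in favour of `inherit (lib) mkOption types;` to avoid shadowing), and the moved comments keep the typos `alway` and `thoses`.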
@@ -922,24 +922,8 @@ dovecot_plain: group = config.services.exim.group; }; - # FIXME environment.systemPackages = [ pkgs.acl ]; - system.activationScripts."secrets-permissions" = lib.mkForce '' - # Default to restrictive permissions on secrets. - # Root can alway read/write/traverse directories no matter the permissions - # set. - - mkdir -p /etc/secrets - - chown --recursive root:root /etc/secrets - chmod --recursive 600 /etc/secrets - - # Relax permissions on some secrets. - - # The top directory must be readable and traversable by thoses who need to - # access secrets. - chmod 755 /etc/secrets - + custom.secrets.extraCommands = '' mkdir -p /etc/secrets/exim/virtual mkdir -p /etc/secrets/exim/domains chmod 700 /etc/secrets/exim