diff --git a/modules/services/misc/nix-daemon.nix b/modules/services/misc/nix-daemon.nix index 7e52686f32f7..ba970b95bc04 100644 --- a/modules/services/misc/nix-daemon.nix +++ b/modules/services/misc/nix-daemon.nix @@ -319,10 +319,6 @@ in system.activationScripts.nix = stringAfter [ "etc" "users" ] '' - # Set up Nix. - chown root:nixbld /nix/store - chmod 1775 /nix/store - # Nix initialisation. mkdir -m 0755 -p \ /nix/var/nix/gcroots \ @@ -334,9 +330,10 @@ in /nix/var/log/nix/drvs \ /nix/var/nix/channel-cache \ /nix/var/nix/chroots - mkdir -m 1777 -p /nix/var/nix/gcroots/per-user - mkdir -m 1777 -p /nix/var/nix/profiles/per-user - mkdir -m 1777 -p /nix/var/nix/gcroots/tmp + mkdir -m 1777 -p \ + /nix/var/nix/gcroots/per-user \ + /nix/var/nix/profiles/per-user \ + /nix/var/nix/gcroots/tmp ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/ ln -sf /nix/var/nix/manifests /nix/var/nix/gcroots/ diff --git a/modules/system/boot/stage-2-init.sh b/modules/system/boot/stage-2-init.sh index 3aab7a59504b..55e61ffb69a5 100644 --- a/modules/system/boot/stage-2-init.sh +++ b/modules/system/boot/stage-2-init.sh @@ -43,6 +43,8 @@ fi # Make /nix/store a read-only bind mount to enforce immutability of # the Nix store. +chown root:nixbld /nix/store +chmod 1775 /nix/store if [ -n "@readOnlyStore@" ]; then if ! mountpoint /nix/store; then mkdir -p /nix/rw-store
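Review bot: The merged `mkdir -m 1777 -p` call in nix-daemon.nix applies the mode only to directories it actually creates, so an existing `gcroots/per-user`, `profiles/per-user` or `gcroots/tmp` whose sticky bit was lost keeps that mode on every activation. These directories are world-writable, so without the sticky bit any local user can remove or replace another user's entries. An explicit `chmod 1777 /nix/var/nix/gcroots/per-user /nix/var/nix/profiles/per-user /nix/var/nix/gcroots/tmp` after the mkdir would make the script enforce the mode rather than assume it. This behaviour predates the commit, and the activation script continues outside the hunk.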
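Review bot: The added `chown root:nixbld /nix/store` in stage-2-init.sh resolves the group by name, but the activation script it was moved out of ran `stringAfter [ "etc" "users" ]`, and nothing visible in this hunk guarantees that the `nixbld` group can be resolved this early in boot. If the lookup fails, the store keeps its previous group, and whether the script stops or carries on depends on error handling that is outside the hunk. Consider numeric ids, e.g. `chown 0:NIXBLD_GID /nix/store` (placeholder for the configured gid), and deciding explicitly whether a failure here should abort the boot or be tolerated, for instance on a store that is already read-only. The two new lines also sit directly under the comment about the read-only bind mount, so a separate comment such as `# Ensure store ownership and mode before it is bind-mounted read-only.` would keep that comment accurate.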