diff --git a/modules/age.nix b/modules/age.nix
index e49d9d8..787a3dd 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -29,7 +29,7 @@ with lib; let
         mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
     '';
   newGeneration = ''
-    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}" || echo 0)")"
     (( ++_agenix_generation ))
     echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
     mkdir -p "${cfg.secretsMountPoint}"
@@ -100,7 +100,7 @@ with lib; let
     cfg.identityPaths;
 
   cleanupAndLink = ''
-    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}" || echo 0)")"
     (( ++_agenix_generation ))
     echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
     ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}