diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 52634d4..4d00b8a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -151,6 +151,8 @@ image:publish:secure:
 - tags
 .test-script: &test-script
+ - test "$(cat /etc/group | wc -l)" -gt 10
+ - test "$(cat /etc/passwd | wc -l)" -gt 10
 - pacman -Sy
 - pacman -Qqk
 - pacman -Syu --noconfirm docker grep
diff --git a/Makefile b/Makefile
index 21f3dc4..9bbf83a 100644
--- a/Makefile
+++ b/Makefile
@@ -19,11 +19,13 @@ define rootfs
 fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
 fakechroot -- fakeroot -- chroot $(BUILDDIR) locale-gen
- fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers'
 fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"'
 ln -fs /usr/lib/os-release $(BUILDDIR)/etc/os-release
+ # add system users
+ fakechroot -- fakeroot -- chroot $(BUILDDIR) /usr/bin/systemd-sysusers --root "/"
+ # remove passwordless login for root (see CVE-2019-5021 for reference)
 sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
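Review bot: The `-gt 10` threshold on the two added `test` lines is an unexplained magic number; it presumably separates the base package's accounts from the ones `systemd-sysusers` creates, but any change to either set would make the check pass or fail for the wrong reason. Prefer asserting the specific effect, e.g. `- getent passwd systemd-network >/dev/null` (or whichever account a shipped sysusers.d fragment defines), with a comment such as `# verify systemd-sysusers ran during the rootfs build`, and `cat file | wc -l` can simply be `wc -l < /etc/group`. Since the Makefile in this commit locks the root password, this script is also the natural place for `- grep -q '^root:[!*]' /etc/shadow` to catch a regression of that mitigation, assuming the job runs as root and can read shadow.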
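Review bot: The new comment promises that root's passwordless login is removed, but the `sed` on the following context line silently does nothing unless `/etc/shadow` contains the exact `root::` prefix (for instance if `systemd-sysusers`, now run just before it, or a later package version writes a different second field), so an unlocked root could ship with the recipe still succeeding; follow it with `grep -q '^root:[!*]' "$(BUILDDIR)/etc/shadow"` so the build fails instead. `--root "/"` on the added `systemd-sysusers` line is redundant inside the chroot and can be dropped; alternatively, if the build host has `systemd-sysusers`, the whole `fakechroot -- fakeroot -- chroot` wrapper could become `systemd-sysusers --root "$(BUILDDIR)"`, which is what the flag exists for, though whether fakechroot's path interposition interacts correctly with sysusers' lock-file handling cannot be judged from this hunk. The `define rootfs` body starts and ends outside this hunk.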