diff --git a/Dockerfile.template b/Dockerfile.template
index 904004d..0320331 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -22,7 +22,6 @@ FROM scratch AS root
 COPY --from=verify /rootfs/ /
 RUN ldconfig
-RUN /usr/share/libalpm/scripts/systemd-hook sysusers
 ENV LANG=en_US.UTF-8
 CMD ["/usr/bin/bash"]
diff --git a/Makefile b/Makefile
index 939c24a..9bbf83a 100644
--- a/Makefile
+++ b/Makefile
@@ -23,6 +23,9 @@
 fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
 ln -fs /usr/lib/os-release $(BUILDDIR)/etc/os-release
+ # add system users
+ fakechroot -- fakeroot -- chroot $(BUILDDIR) /usr/bin/systemd-sysusers --root "/"
+ # remove passwordless login for root (see CVE-2019-5021 for reference)
 sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
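Review bot: The added `systemd-sysusers` step in the Makefile hunk can create or extend `/etc/shadow` and `/etc/gshadow`, but nothing in the hunk records that it has to stay ahead of the `sed` that locks root, and that `sed` only rewrites an entry of the form `root::`. I would make the ordering explicit in the comment, e.g. `# add system users; keep this before the root lock below, systemd-sysusers may write /etc/shadow`, and fail the build on any empty password field after the `sed` with `! grep -q '^[^:]*::' "$(BUILDDIR)/etc/shadow"`. `--root "/"` looks redundant inside a chroot, so a short comment on why it is passed would help; presumably it changes how the tool behaves under fakechroot, which should be confirmed. The recipe these lines belong to starts and ends outside the hunk.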