diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e48411b..ed10521 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -17,10 +17,10 @@ jobs:
     - run: nix fmt . -- --check
     - run: nix flake check
   tests-darwin:
-    runs-on: macos-12
+    runs-on: macos-latest
     steps:
     - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v24
+    - uses: cachix/install-nix-action@v30
       with:
         extra_nix_config: |
           system-features = nixos-test recursive-nix benchmark big-parallel kvm
@@ -31,12 +31,17 @@ jobs:
     - run: nix flake check
     - name: "Install nix-darwin module"
       run: |
+        # Determine architecture of GitHub runner
+        ARCH=x86_64
+        if [ "$(arch)" = arm64 ]; then
+          ARCH=aarch64
+        fi
         # https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385
 
         sudo mv /etc/nix/nix.conf{,.bak}
         nix \
           --extra-experimental-features 'nix-command flakes' \
-          build .#checks.x86_64-darwin.integration
+          build .#checks."${ARCH}"-darwin.integration
 
         ./result/activate-user
         sudo ./result/activate
diff --git a/modules/age.nix b/modules/age.nix
index e49d9d8..a9064e6 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -228,22 +228,22 @@ in {
     identityPaths = mkOption {
       type = types.listOf types.path;
       default =
-        if (config.services.openssh.enable or false)
-        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
-        else if isDarwin
+        if isDarwin
         then [
           "/etc/ssh/ssh_host_ed25519_key"
           "/etc/ssh/ssh_host_rsa_key"
         ]
+        else if (config.services.openssh.enable or false)
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
         else [];
       defaultText = literalExpression ''
-        if (config.services.openssh.enable or false)
-        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
-        else if isDarwin
+        if isDarwin
         then [
           "/etc/ssh/ssh_host_ed25519_key"
           "/etc/ssh/ssh_host_rsa_key"
         ]
+        else if (config.services.openssh.enable or false)
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
         else [];
       '';
       description = ''