diff --git a/modules/services/activate-system/default.nix b/modules/services/activate-system/default.nix
index d8d8683..127514a 100644
--- a/modules/services/activate-system/default.nix
+++ b/modules/services/activate-system/default.nix
@@ -10,7 +10,14 @@
       script = ''
         set -e
         set -o pipefail
+
         export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+        export USER=root
+        export LOGNAME=root
+        export HOME=~root
+        export SHELL=$BASH
+        export LANG=C
+        export LC_CTYPE=UTF-8
 
         systemConfig=$(cat ${config.system.profile}/systemConfig)
 
diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix
index b95ea32..0143d2b 100644
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@@ -37,16 +37,33 @@ in
   config = {
 
     system.activationScripts.script.text = ''
-      #! ${stdenv.shell}
+      #!/usr/bin/env -i ${stdenv.shell}
+      # shellcheck shell=bash
+      # shellcheck disable=SC2096
+
       set -e
       set -o pipefail
+
       export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+      export USER=root
+      export LOGNAME=root
+      export HOME=~root
+      export SHELL=$BASH
+      export LANG=C
+      export LC_CTYPE=UTF-8
 
       systemConfig=@out@
 
       # Ensure a consistent umask.
       umask 0022
 
+      cd /
+
+      if [[ $(id -u) -ne 0 ]]; then
+        printf >&2 '\e[1;31merror: `activate` must be run as root\e[0m\n'
+        exit 2
+      fi
+
       ${cfg.activationScripts.preActivation.text}
 
       # We run `etcChecks` again just in case someone runs `activate`