diff --git a/nix/modules/vault-agent.nix b/nix/modules/vault-agent.nix
index e6fd453..2a39165 100644
--- a/nix/modules/vault-agent.nix
+++ b/nix/modules/vault-agent.nix
@@ -76,6 +76,11 @@ in {
       lib.nameValuePair "vault-agent-${name}" {
         after = ["network.target"];
         wantedBy = ["multi-user.target"];
+
+        # Services that also have `stopIfChanged = false` might wait for secrets
+        # while `vault-agent` is still stopped. This for example happens with nginx.service.
+
+        stopIfChanged = false;
         # Needs getent in PATH
         path = [pkgs.glibc];
         serviceConfig = {