diff --git a/modules/lib/write-text.nix b/modules/lib/write-text.nix
index b8f2ad55a..40501579a 100644
--- a/modules/lib/write-text.nix
+++ b/modules/lib/write-text.nix
@@ -58,6 +58,15 @@ in
       type = types.listOf types.str;
       default = [];
     };
+
+    force = mkOption {
+      type = types.bool;
+      default = false;
+      internal = true;
+      description = lib.mdDoc ''
+        Whether this file should be replaced even if an unknown version of the file already exists.
+      '';
+    };
   };
 
   config = {
diff --git a/modules/system/etc.nix b/modules/system/etc.nix
index 1c415266d..1ba1b29e3 100644
--- a/modules/system/etc.nix
+++ b/modules/system/etc.nix
@@ -48,6 +48,12 @@ in
           etc}
       )
 
+      declare -A etcForced=(
+        ${concatMapStringsSep "\n  "
+          (attr: "[${escapeShellArg attr.target}]=" + (builtins.toJSON attr.force))
+          etc}
+      )
+
       declare -a etcProblems=()
 
       while IFS= read -r -d "" configFile; do
@@ -69,6 +75,11 @@ in
           # everything else (e.g. directories) we complain about
           # unconditionally.
           if [[ -f $(readlink -f "$etcFile") ]]; then
+            # Skip checking hashes for files marked force.
+            if [[ ''${etcForced[$subPath]} == "true" ]]; then
+              continue
+            fi
+
             etcFileSha256Output=$(shasum -a 256 "$etcFile")
             etcFileSha256Hash=''${etcFileSha256Output%% *}
             for knownSha256Hash in ''${etcSha256Hashes[$subPath]}; do