diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix
index 07b6eabf2c836..de01211e500ac 100644
--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@@ -191,10 +191,7 @@ in
 configFile = lib.mkOption {
 type = lib.types.path;
- default = configFile;
- defaultText = ''
- A configuration file automatically generated by NixOS.
- '';
+ default = "/etc/logrotate.conf";
 description = ''
 Override the configuration file used by logrotate. By default, NixOS generates one automatically from [](#opt-services.logrotate.settings).
@@ -240,6 +237,18 @@ in
 };
 config = lib.mkIf cfg.enable {
+ # logrotate config has an include directive. As such, always generate the built-in config
+ # in case it is useful to the user.
+ # Users could choose to disable it with environment.etc."logrotate.conf".enable = false;
+ environment.etc."logrotate.conf" = {
+ source = configFile;
+ # logrotate mandates that its config is always owned by root.
+ # Copy into /etc to avoid user namespacing issues.
+ mode = "0600";
+ user = "root";
+ group = "root";
+ };
+
 systemd.services.logrotate = {
 description = "Logrotate Service";
 documentation = [
diff --git a/nixos/tests/logrotate.nix b/nixos/tests/logrotate.nix
index 1efbcc4cfed5d..b47f0118b31eb 100644
--- a/nixos/tests/logrotate.nix
+++ b/nixos/tests/logrotate.nix
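Review bot: The new `default = "/etc/logrotate.conf";` only names a usable file while the `environment.etc."logrotate.conf"` entry added further down in this commit stays enabled, and the option description does not say so. I would add a sentence to the description such as `The generated file is installed as /etc/logrotate.conf; if that entry is disabled, point this option at another file.` The description string continues past the end of the hunk, so the exact placement needs checking against the full option.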
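Review bot: The comment on the new `environment.etc."logrotate.conf"` block tells users they can set `enable = false`, but nothing visible here stops `services.logrotate.configFile` from still resolving to `/etc/logrotate.conf` in that case. The service would then run against a missing file, or against whatever was placed at that path outside the module. An assertion with the condition `cfg.configFile != "/etc/logrotate.conf" || config.environment.etc."logrotate.conf".enable` would turn that mistake into an evaluation error. It is also worth a comment that `mode = "0600"` does not make the contents private, because `source = configFile` is presumably still a world-readable store path. The `config = lib.mkIf cfg.enable {` block starts and ends outside the hunk, so an existing assertion cannot be ruled out.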
@@ -115,15 +115,13 @@ import ./make-test-python.nix (
 machine.succeed("systemctl cat logrotate.service | grep -- --mail")
 with subtest("check generated config matches expectation"):
 machine.succeed(
- # copy conf to /tmp/logrotate.conf for easy grep
- "conf=$(systemctl cat logrotate | grep -oE '/nix/store[^ ]*logrotate.conf'); cp $conf /tmp/logrotate.conf",
- "! grep weekly /tmp/logrotate.conf",
- "grep -E '^delaycompress' /tmp/logrotate.conf",
- "tail -n 1 /tmp/logrotate.conf | grep shred",
- "sed -ne '/\"sendmail\" {/,/}/p' /tmp/logrotate.conf | grep 'mail user@domain.tld'",
- "sed -ne '/\"postrotate\" {/,/}/p' /tmp/logrotate.conf | grep endscript",
- "grep '\"file1\"\n\"file2\" {' /tmp/logrotate.conf",
- "sed -ne '/\"import\" {/,/}/p' /tmp/logrotate.conf | grep noolddir",
+ "! grep weekly /etc/logrotate.conf",
+ "grep -E '^delaycompress' /etc/logrotate.conf",
+ "tail -n 1 /etc/logrotate.conf | grep shred",
+ "sed -ne '/\"sendmail\" {/,/}/p' /etc/logrotate.conf | grep 'mail user@domain.tld'",
+ "sed -ne '/\"postrotate\" {/,/}/p' /etc/logrotate.conf | grep endscript",
+ "grep '\"file1\"\n\"file2\" {' /etc/logrotate.conf",
+ "sed -ne '/\"import\" {/,/}/p' /etc/logrotate.conf | grep noolddir",
 )
 # also check configFile option
 failingMachine.succeed(
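Review bot: The subtest now reads `/etc/logrotate.conf` directly and no longer derives the path from `systemctl cat logrotate`, so it would still pass if the unit pointed at a different file; it also does not check the ownership and mode that the module change sets. Adding `"systemctl cat logrotate | grep -F /etc/logrotate.conf",` and `"stat -c '%U:%G %a' /etc/logrotate.conf | grep -Fx 'root:root 600'",` to this `machine.succeed(` call would cover both. The test script continues outside the hunk, so later steps may already exercise the service.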