diff --git a/nixos/modules/services/web-apps/codimd.nix b/nixos/modules/services/web-apps/codimd.nix
index ab922a38e5c6..c787c36b877c 100644
--- a/nixos/modules/services/web-apps/codimd.nix
+++ b/nixos/modules/services/web-apps/codimd.nix
@@ -877,6 +877,37 @@ in
description = "Configure the SAML integration.";
};
};
+
+
+ environmentFile = mkOption {
+ type = with types; nullOr path;
+ default = null;
+ example = "/var/lib/codimd/codimd.env";
+ description = ''
+ Environment file as defined in
+ systemd.exec5
+ .
+
+ Secrets may be passed to the service without adding them to the world-readable
+ Nix store, by specifying placeholder variables as the option value in Nix and
+ setting these variables accordingly in the environment file.
+
+
+ # snippet of CodiMD-related config
+ services.codimd.configuration.dbURL = "postgres://codimd:\''${DB_PASSWORD}@db-host:5432/codimddb";
+ services.codimd.configuration.minio.secretKey = "$MINIO_SECRET_KEY";
+
+
+
+ # content of the environment file
+ DB_PASSWORD=verysecretdbpassword
+ MINIO_SECRET_KEY=verysecretminiokey
+
+
+ Note that this file needs to be available on the host on which
+ CodiMD is running.
+ '';
+ };
};
config = mkIf cfg.enable {
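Review bot: The description of `environmentFile` tells the reader to keep secrets out of the Nix store but says nothing about how the file itself should be protected, nor that the placeholders are expanded into a rendered config file under `services.codimd.workDir` at service start, so the secrets end up on disk a second time. I would extend the last paragraph with something like: `The file should be readable only by root (for example mode 0600), since systemd reads it before the service starts. Note that the rendered configuration, including the substituted secrets, is written to <literal>config.json</literal> in <option>services.codimd.workDir</option>, so that directory must not be readable by other users either.` The claim that systemd reads the file with manager privileges rather than as the service user is from my understanding of EnvironmentFile= and is worth confirming against systemd.exec(5) before committing to the wording. The option block ends inside the hunk, but the enclosing `options` set continues outside it.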
@@ -900,11 +931,17 @@ in
description = "CodiMD Service";
wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ];
+ preStart = ''
+ ${pkgs.envsubst}/bin/envsubst \
+ -o ${cfg.workDir}/config.json \
+ -i ${prettyJSON cfg.configuration}
+ '';
serviceConfig = {
WorkingDirectory = cfg.workDir;
ExecStart = "${pkgs.codimd}/bin/codimd";
+ EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
Environment = [
- "CMD_CONFIG_FILE=${prettyJSON cfg.configuration}"
+ "CMD_CONFIG_FILE=${cfg.workDir}/config.json"
"NODE_ENV=production"
];
Restart = "always";
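Review bot: The `preStart` script writes the fully substituted configuration, secrets included, to `${cfg.workDir}/config.json` without controlling the file mode, so with the default umask the rendered file is likely world-readable, which undoes the point of keeping the password out of the Nix store. Prefixing the script with `umask 077` before the `envsubst` call (or writing via `install -m 600`) bounds this; the ownership and mode of `cfg.workDir` itself are not visible in this hunk and should be checked as well. A second, separate concern is that `envsubst` rewrites every `$VAR` / `${VAR}` in the JSON, not just the ones the admin intended, so a literal `$` in an unrelated configuration value, or a reference that happens to match a variable already in the service environment such as `NODE_ENV` or `PATH`, is silently replaced; this deserves a comment next to the call, e.g. `# envsubst expands every $VAR in the config, including ones not meant as placeholders`, or a `-no-unset`/`-no-empty` style guard if the envsubst package here supports one (unverified). The `serviceConfig` set continues past the end of the hunk.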
diff --git a/nixos/tests/codimd.nix b/nixos/tests/codimd.nix
index b1acbf4a8322..aa581dfeb584 100644
--- a/nixos/tests/codimd.nix
+++ b/nixos/tests/codimd.nix
@@ -21,7 +21,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
services = {
codimd = {
enable = true;
- configuration.dbURL = "postgres://codimd:snakeoilpassword@localhost:5432/codimddb";
+ configuration.dbURL = "postgres://codimd:\${DB_PASSWORD}@localhost:5432/codimddb";
+
+ /*
+ * Do not use pkgs.writeText for secrets as
+ * they will end up in the world-readable Nix store.
+ */
+ environmentFile = pkgs.writeText "codimd-env" ''
+ DB_PASSWORD=snakeoilpassword
+ '';
};
postgresql = {
enable = true;
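Review bot: The comment above `environmentFile` says not to use `pkgs.writeText` for secrets and is immediately followed by a `pkgs.writeText` call, which reads as a contradiction to anyone copying this test as a template. I would reword it to make the exception explicit: `Using pkgs.writeText here is acceptable only because this is a throwaway VM test; in a real deployment it would place the secret in the world-readable Nix store, so provision the file out of band instead.` The test could also assert that the rendered `config.json` in the work directory is not world-readable, which is the property the module change is meant to deliver; the test body that would host such a check is outside this hunk.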