diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 89291d4438ff..7e3c230fff71 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -133,7 +133,7 @@ in }; initialScript = mkOption { - type = types.nullOr types.lines; + type = types.nullOr types.path; default = null; description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database"; }; @@ -360,9 +360,11 @@ in echo "Creating initial database: ${database.name}" ( echo 'create database `${database.name}`;' - ${optionalString (database ? "schema") '' + ${optionalString (database.schema != null) '' echo 'use `${database.name}`;' + # TODO: this silently falls through if database.schema does not exist, + # we should catch this somehow and exit, but can't do it here because we're in a subshell. if [ -f "${database.schema}" ] then cat ${database.schema} @@ -399,7 +401,9 @@ in ${optionalString (cfg.initialScript != null) '' # Execute initial script - cat ${cfg.initialScript} | ${mysql}/bin/mysql -u root -N + # using toString to avoid copying the file to nix store if given as path instead of string, + # as it might contain credentials + cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N ''} ${optionalString (cfg.rootPassword != null) diff --git a/nixos/tests/mysql.nix b/nixos/tests/mysql.nix index fedc7f0ab1f0..cfe10bc41b0c 100644 --- a/nixos/tests/mysql.nix +++ b/nixos/tests/mysql.nix 
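Review bot: The `initialScript` description is unchanged by the type switch to `types.path`, so it still does not say the one thing a user of this option needs to know: the file is read at first startup and fed to `mysql -u root`, and if it is given as a derivation output (e.g. `pkgs.writeText`) its contents, typically `CREATE USER ... IDENTIFIED BY` statements, are placed in the world-readable Nix store. I would extend the description to: `description = "Path to a file with SQL statements executed once, on the first startup, as the MySQL root user. Do not build this file with writeText or similar when it contains credentials: derivation outputs live in the world-readable /nix/store. A path outside the store is read at service start instead of being copied."`. The last sentence relies on the `toString` at the use site in a later hunk; whether that is the only place the option is interpolated I cannot tell from here.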
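Review bot: The fall-through the added TODO describes can be closed here rather than deferred: the subshell's exit status is the status of the first command of the pipeline, so an `else` branch that fails inside it is enough if the pipeline runs under `set -o pipefail`, i.e. `else echo "schema file ${database.schema} not found" >&2; exit 1` before the `fi`. Without that, a mistyped `schema` creates the database empty, and because this only runs when the database does not yet exist, the schema is never applied on later boots either. Note also that `${database.schema}` is interpolated without `toString`, so a path-literal schema is still copied into the store, unlike `initialScript` in this same commit; if schema files may carry GRANT statements they deserve the same treatment. The subshell and the pipeline it feeds close outside this hunk, so the `set -e`/`pipefail` state of the enclosing script is not visible here.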
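Review bot: `cat ${toString cfg.initialScript}` does not fail the script when the file is missing or unreadable, which is now a realistic case because the file is no longer part of the system closure: cat reports to stderr, mysql reads empty input and exits 0, and since this block runs only on the first startup the initial users and grants are silently never created. A redirection instead of cat fails before mysql is started and, assuming the enclosing script runs with `set -e` (its start is outside the hunk), aborts the initialisation: `${mysql}/bin/mysql -u root -N < "${toString cfg.initialScript}"`. The quotes also stop word-splitting of the path. The new comment should also say that `toString` only keeps path literals and string paths out of the store; a derivation output such as `pkgs.writeText` is already in it.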
@@ -10,7 +10,15 @@ import ./make-test.nix ({ pkgs, ...} : { { services.mysql.enable = true; - services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ]; + services.mysql.initialDatabases = [ + { name = "testdb"; schema = ./testdb.sql; } + { name = "empty_testdb"; } + ]; + # note that using pkgs.writeText here is generally not a good idea, + # as it will store the password in world-readable /nix/store ;) + services.mysql.initialScript = pkgs.writeText "mysql-init.sql" '' + CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123'; + ''; services.mysql.package = pkgs.mysql; }; @@ -36,11 +44,14 @@ import ./make-test.nix ({ pkgs, ...} : { startAll; $mysql->waitForUnit("mysql"); - $mysql->succeed("echo 'use testdb; select * from tests' | mysql -u root -N | grep 4"); + $mysql->succeed("echo 'use empty_testdb;' | mysql -u root"); + $mysql->succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4"); + # ';' acts as no-op, just check whether login succeeds with the user created from the initialScript + $mysql->succeed("echo ';' | mysql -u passworduser --password=password123"); $mariadb->waitForUnit("mysql"); $mariadb->succeed("echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"); $mariadb->succeed("echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser"); - $mariadb->succeed("echo 'use testdb; select test_id from tests' | sudo -u testuser mysql -u testuser -N | grep 42"); + $mariadb->succeed("echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42"); ''; })
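Review bot: The new `initialScript` in the test is a `pkgs.writeText` derivation, so the code path the module change is for, a path literal or string path that `toString` keeps out of the store, is not exercised; only the "file already in the store" case is covered. Inside a VM test a non-store path does not exist on the guest, so the store-copy behaviour is probably better checked at evaluation time (for instance asserting that the generated service script does not contain a `/nix/store` path for a path-literal `initialScript`) rather than here. The comment about `writeText` storing the password world-readable is accurate and worth keeping.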
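Review bot: The added `echo ';' | mysql -u passworduser --password=password123` check only proves that a login succeeds, not that the password was what authenticated it; if an anonymous `''@'localhost'` account or socket-based fallback existed, the assertion would pass regardless. Pair it with the negative case so the test actually exercises password authentication: `$mysql->fail("echo ';' | mysql -u passworduser --password=wrongpassword");`. That also catches a future regression where `initialScript` silently stops running, which this positive-only check would not distinguish from a permissive server.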