diff --git a/module.nix b/module.nix
index afd1c17..38f1241 100644
--- a/module.nix
+++ b/module.nix
@@ -138,8 +138,9 @@ in
         unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/mastodon";
         serviceConfig = {
           loadCredentials = ["client-secret:${oauthClientSecretFP}"];
-          ExecStart = lib.mkForce ''
-            CLIENT_SECRET=$(cat $CREDENTIALS_DIRECTORY/client-secret) ${config.services.mastodon.package}/bin/puma -C config/puma.rb`
+          ExecStart = lib.mkForce pkgs.writeShellScript "run-mastodon-with-client-secret" ''
+            export CLIENT_SECRET=$(cat $CREDENTIALS_DIRECTORY/client-secret)
+            ${config.services.mastodon.package}/bin/puma -C config/puma.rb`
           '';
         };
         environment = {