diff --git a/module.nix b/module.nix
index 3312c5a..9d13c86 100644
--- a/module.nix
+++ b/module.nix
@@ -113,6 +113,7 @@ in
 token_endpoint = "/oauth2/token";
 inspect_endpoint = "/oauth2/openid/${oauthClientID}/userinfo";
 auth_endpoint = "/ui/oauth2";
+ client_secret = "@replace_oauth_secret@";
 };
 };
 };
@@ -124,9 +125,13 @@ in
 serviceConfig.Slice = "writefreely.slice";
 };
- services.writefreely-sqlite-init = {
+ services.writefreely-sqlite-init = let
+ cfgFile = "${config.services.writefreely.stateDir}/config.ini";
+ in {
 postStart = ''
- ${lib.getExe pkgs.crudini} --set ${config.services.writefreely.stateDir}/config.ini oauth.generic client_secret '$(cat ${oauthClientSecretFP})'
+ chmod 550 '${cfgFile}'
+ ${lib.getExe pkgs.replace-secret} "@replace_oauth_secret@" "${oauthClientSecretFP}" "${cfgFile}"
+ chmod 440 '${cfgFile}'
 '';
 unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/writefreely";
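Review bot: The placeholder `@replace_oauth_secret@` is spelled out twice, here in `client_secret` and again in the `postStart` script of the second hunk, and nothing visible checks that the substitution actually happened. If the two strings drift apart or the replace step is skipped, the service would presumably run with the literal placeholder as its OAuth client secret, a value anyone reading the module knows. Bind it once in the surrounding `let`, e.g. `oauthSecretPlaceholder = "@replace_oauth_secret@";`, and make the script fail closed after the replacement with `if grep -qF '@replace_oauth_secret@' '${cfgFile}'; then exit 1; fi`. The settings attribute set this line belongs to starts outside the hunk.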
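Review bot: In the second hunk's `postStart`, `chmod 550 '${cfgFile}'` sets read and execute but no write bit, while `replace-secret` rewrites the file in place. As written this can only succeed if the script runs as root (which ignores the mode bits); under an unprivileged service user the open for writing would be refused. It also marks a config file holding a secret as executable. If the intent is "writable for the substitution, read-only afterwards", use `chmod 600 '${cfgFile}'` before the replacement and keep `chmod 440 '${cfgFile}'` (or `400` if the group does not need it) after. The file's owner and group are not visible here, so please confirm who ends up able to read it; the unit definition continues outside the hunk.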