diff --git a/nixos/modules/services/home-automation/zwave-js.nix b/nixos/modules/services/home-automation/zwave-js.nix
index 3d04ad7fa558..ab5deeefecd2 100644
--- a/nixos/modules/services/home-automation/zwave-js.nix
+++ b/nixos/modules/services/home-automation/zwave-js.nix
@@ -108,8 +108,9 @@ in
 description = "Z-Wave JS Server";
 serviceConfig = {
 ExecStartPre = ''
- /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} ${cfg.secretsConfigFile} > ${mergedConfigFile}"
+ /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} %d/secrets.json > ${mergedConfigFile}"
 '';
+ LoadCredential = "secrets.json:${cfg.secretsConfigFile}";
 ExecStart = lib.concatStringsSep " " [
 "${cfg.package}/bin/zwave-server"
 "--config ${mergedConfigFile}"
diff --git a/nixos/tests/zwave-js.nix b/nixos/tests/zwave-js.nix
index 2815508211f8..a4d9dbdc98b2 100644
--- a/nixos/tests/zwave-js.nix
+++ b/nixos/tests/zwave-js.nix
@@ -1,25 +1,24 @@
-{ pkgs, lib, ... }:
+{ lib, ... }:
 
-let
- secretsConfigFile = pkgs.writeText "secrets.json" (
- builtins.toJSON {
- securityKeys = {
- "S0_Legacy" = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
- };
- }
- );
-in
 {
 name = "zwave-js";
 meta.maintainers = with lib.maintainers; [ graham33 ];
 nodes = {
 machine = {
+ # show that 0400 secrets can be used by the DynamicUser; ideally
+ # this would be an out-of-store file, e.g. /run/secrets/jwavejs/secrets.json
+ environment.etc."zwavejs/secrets.json" = {
+ mode = "0400";
+ text = builtins.toJSON {
+ securityKeys.S0_Legacy = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+ };
+ };
 services.zwave-js = {
 enable = true;
 serialPort = "/dev/null";
 extraFlags = [ "--mock-driver" ];
- inherit secretsConfigFile;
+ secretsConfigFile = "/etc/zwavejs/secrets.json";
 };
 };
 };
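Review bot: The jq merge in the new ExecStartPre line writes the security keys taken from the credential into `${mergedConfigFile}`, and nothing in this hunk constrains that file's mode, so it is created with the unit's default umask; unless `mergedConfigFile` (defined above the hunk) already points into a directory private to the service, add `UMask = "0077";` next to the new `LoadCredential` line so the merged file is owner-only. The `secretsConfigFile` option description (outside this hunk) presumably still tells users the file must be readable by the service user; with `LoadCredential=` systemd reads it as root before dropping privileges, so the doc should state that a root-owned 0400 file is sufficient and that the path must not be inside a directory the service itself cannot traverse. `LoadCredential=` parses its value as `ID:PATH`, so a `secretsConfigFile` containing a colon would be misread — an option assertion rejecting such paths would make the failure explicit. The enclosing `serviceConfig` attribute set starts and ends outside the hunk.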
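Review bot: The added comment names `/run/secrets/jwavejs/secrets.json`, which looks like a typo for `zwavejs`, the name used in the `environment.etc."zwavejs/secrets.json"` path immediately below it; `# this would be an out-of-store file, e.g. /run/secrets/zwavejs/secrets.json`. The test now feeds the service a root-owned 0400 secret, which is the right way to prove the credential path works, but the hunk ends before the testScript, so it is not visible whether it checks that the key actually reached the merged config rather than only waiting for the unit; if it only waits, a regression that left the merge reading an empty or missing credential could still pass, so consider asserting on the merged config contents or the relevant service log line there.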