diff --git a/modules/gitea.nix b/modules/gitea.nix
index 41a0749..49e124d 100644
--- a/modules/gitea.nix
+++ b/modules/gitea.nix
@@ -23,10 +23,6 @@
 };
 };
 
- systemd.services.gitea.serviceConfig = {
- EnvironmentFile = config.clan.core.vars.generators.gitea-s3-storage.files.gitea-env.path;
- };
-
 systemd.services.gitea.environment = {
 GITEA__storage__STORAGE_TYPE = "minio";
 GITEA__storage__MINIO_ENDPOINT = "localhost:3900";
@@ -35,24 +31,28 @@
 GITEA__storage__MINIO_USE_SSL = "false";
 };
 
+ systemd.services.gitea.serviceConfig = {
+ LoadCredential = [
+ "minio_access_key_id:${config.clan.core.vars.generators.gitea-s3-storage.files.access-key-id.path}"
+ "minio_secret_access_key:${config.clan.core.vars.generators.gitea-s3-storage.files.access-key-secret.path}"
+ ];
+ Environment = [
+ "GITEA__storage__MINIO_ACCESS_KEY_ID=%d/minio_access_key_id"
+ "GITEA__storage__MINIO_SECRET_ACCESS_KEY=%d/minio_secret_access_key"
+ ];
+ };
+
 clan.core.vars.generators.gitea-s3-storage = {
 prompts.access-key-id = {
 description = "s3 access key id";
 type = "line";
+ persist = true;
 };
 prompts.access-key-secret = {
 description = "s3 access key secret";
 type = "hidden";
+ persist = true;
 };
- files.gitea-env = {
- secret = true;
- };
- script = ''
- printf %s "GITEA__storage__MINIO_ACCESS_KEY_ID=" >> $out/gitea-env
- cat $prompts/access-key-id >> $out/gitea-env
- printf "\n%s" "GITEA__storage__MINIO_SECRET_ACCESS_KEY=" >> $out/gitea-env
- cat $prompts/access-key-secret >> $out/gitea-env
- '';
 };
 
 services.nginx.virtualHosts."git.turifer.dev" = {
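Review bot: The two `Environment` entries in the new `serviceConfig` assign the credential file paths (`%d/minio_access_key_id`, `%d/minio_secret_access_key`) to `GITEA__storage__MINIO_ACCESS_KEY_ID` and `GITEA__storage__MINIO_SECRET_ACCESS_KEY`, not the file contents, so Gitea would presumably present the path string as the key and S3 authentication would fail. If the packaged Gitea version honours the `__FILE` suffix for `GITEA__` variables, the entries should read `"GITEA__storage__MINIO_ACCESS_KEY_ID__FILE=%d/minio_access_key_id"` and `"GITEA__storage__MINIO_SECRET_ACCESS_KEY__FILE=%d/minio_secret_access_key"`. The generator no longer declares a file with an explicit `secret = true`, so it is worth confirming that the prompt files created by `persist = true` are still stored as secrets rather than relying on a default. A short comment above `LoadCredential`, for example `# keys are handed over as systemd credentials so they never sit in the unit environment`, would record why the `EnvironmentFile` approach was dropped.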