diff --git a/nixosModules/services/navidrome/default.nix b/nixosModules/services/navidrome/default.nix
index 19e53423..e960dcc6 100644
--- a/nixosModules/services/navidrome/default.nix
+++ b/nixosModules/services/navidrome/default.nix
@@ -5,12 +5,33 @@
   ...
 }: {
   config = lib.mkIf config.ar.services.navidrome.enable {
-    age.secrets.lastFMApiKey.file = ../../../secrets/lastFM/apiKey.age;
-    age.secrets.lastFMSecret.file = ../../../secrets/lastFM/secret.age;
-    age.secrets.spotifyClientId.file = ../../../secrets/spotify/clientId.age;
-    age.secrets.spotifyClientSecret.file = ../../../secrets/spotify/clientSecret.age;
+    age.secrets = let
+      owner = "navidrome";
+    in {
+      lastFMApiKey = {
+        inherit owner;
+        file = ../../../secrets/lastFM/apiKey.age;
+      };
 
-    system.activationScripts."navidrome-secrets" = let
+      lastFMSecret = {
+        inherit owner;
+        file = ../../../secrets/lastFM/secret.age;
+      };
+
+      spotifyClientId = {
+        inherit owner;
+        file = ../../../secrets/spotify/clientId.age;
+      };
+
+      spotifyClientSecret = {
+        inherit owner;
+        file = ../../../secrets/spotify/clientSecret.age;
+      };
+    };
+
+    services.navidrome.enable = true;
+
+    systemd.services.navidrome.serviceConfig = let
       navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} {
         Address = "0.0.0.0";
         DefaultTheme = "Auto";
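Review bot: The literal `owner = "navidrome"` repeated through the `age.secrets` block duplicates whatever account the upstream navidrome module runs the service as; if that module exposes the service user as an option, reference it (e.g. `owner = config.services.navidrome.user;`, if that option exists in the pinned nixpkgs) so the chown on the decrypted files cannot drift from the `User=` of the unit. This matters because agenix performs the chown at activation time, so the account has to be a static one that exists before the unit starts — worth confirming against the upstream module if it ever relied on DynamicUser. Since agenix keeps its default mode of 0400 on these files, the change narrows access from root-only to the single service user rather than widening it, which is the right direction. The `serviceConfig = let` opened at the end of this hunk continues in the next one.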
@@ -25,26 +46,30 @@
         "LastFM.Secret" = "@lastFMSecret@";
         "LastFM.Language" = "en";
       });
-    in ''
-      lastFMApiKey=$(cat "${config.age.secrets.lastFMApiKey.path}")
-      lastFMSecret=$(cat "${config.age.secrets.lastFMSecret.path}")
-      spotifyClientId=$(cat "${config.age.secrets.spotifyClientId.path}")
-      spotifyClientSecret=$(cat "${config.age.secrets.spotifyClientSecret.path}")
-      ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \
-        -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
-        ${navidromeConfig} > /var/lib/navidrome/navidrome.json
-    '';
-    systemd.services.navidrome.serviceConfig = {
-      BindReadOnlyPaths = "${config.ar.services.navidrome.musicDirectory}";
+      navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" ''
+        lastFMApiKey=$(cat "${config.age.secrets.lastFMApiKey.path}")
+        lastFMSecret=$(cat "${config.age.secrets.lastFMSecret.path}")
+        spotifyClientId=$(cat "${config.age.secrets.spotifyClientId.path}")
+        spotifyClientSecret=$(cat "${config.age.secrets.spotifyClientSecret.path}")
+        ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \
+          -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
+          ${navidromeConfig} > /var/lib/navidrome/navidrome.json
+      '';
+    in {
+      BindReadOnlyPaths = [
+        config.age.secrets.lastFMApiKey.path
+        config.age.secrets.lastFMSecret.path
+        config.age.secrets.spotifyClientId.path
+        config.age.secrets.spotifyClientSecret.path
+        config.ar.services.navidrome.musicDirectory
+      ];
+
+      ExecStartPre = navidrome-secrets;
       ExecStart = lib.mkForce ''
         ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \
           --datafolder /var/lib/navidrome/
       '';
     };
-
-    services.navidrome = {
-      enable = true;
-    };
   };
 }
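Review bot: The `navidrome-secrets` script added as `ExecStartPre` has no error handling, so if any `cat` fails (secret not yet decrypted, bind path missing inside the sandbox) the variable is empty, sed substitutes an empty string, and the service starts with blank credentials instead of failing; `pkgs.writeShellScript` does not enable strict mode, so add `set -euo pipefail` as the first line of the script. The rendered `/var/lib/navidrome/navidrome.json` contains the plaintext secrets with whatever mode the unit's umask yields, so add `umask 077` before the redirect, or render it into a RuntimeDirectory so it does not persist in the state directory. The substitution is also fragile: a secret value containing `/`, `&` or `\` breaks the sed expression, and a `"` or `\` lands in the JSON unescaped, so at minimum document that constraint next to the script (`# secrets must not contain / & \ or " — substituted verbatim into sed and JSON`) or render the file with a JSON-aware tool. The `let` that defines `navidromeConfig` opens in the previous hunk.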