diff --git a/nixos/modules/services/misc/anki-sync-server.nix b/nixos/modules/services/misc/anki-sync-server.nix
index c77afe8c3819..923811d845c8 100644
--- a/nixos/modules/services/misc/anki-sync-server.nix
+++ b/nixos/modules/services/misc/anki-sync-server.nix
@@ -16,7 +16,7 @@ with lib; let
     cfg.users;
   usersWithIndexesFile = filter (x: x.user.passwordFile != null) usersWithIndexes;
   usersWithIndexesNoFile = filter (x: x.user.passwordFile == null && x.user.password != null) usersWithIndexes;
-  anki-sync-server-run = pkgs.writeShellScriptBin "anki-sync-server-run" ''
+  anki-sync-server-run = pkgs.writeShellScript "anki-sync-server-run" ''
     # When services.anki-sync-server.users.passwordFile is set,
     # each password file is passed as a systemd credential, which is mounted in
     # a file system exposed to the service. Here we read the passwords from
@@ -25,7 +25,10 @@ with lib; let
     ${
       concatMapStringsSep
       "\n"
-      (x: ''export SYNC_USER${toString x.i}=${escapeShellArg x.user.username}:"''$(cat "''${CREDENTIALS_DIRECTORY}/"${escapeShellArg x.user.username})"'')
+      (x: ''
+        read -r pass < "''${CREDENTIALS_DIRECTORY}/"${escapeShellArg x.user.username}
+        export SYNC_USER${toString x.i}=${escapeShellArg x.user.username}:"$pass"
+      '')
       usersWithIndexesFile
     }
     # For users where services.anki-sync-server.users.password isn't set,
@@ -36,7 +39,7 @@ with lib; let
       (x: ''export SYNC_USER${toString x.i}=${escapeShellArg x.user.username}:${escapeShellArg x.user.password}'')
       usersWithIndexesNoFile
     }
-    exec ${cfg.package}/bin/anki-sync-server
+    exec ${lib.getExe cfg.package}
   '';
 in {
   options.services.anki-sync-server = {
@@ -130,7 +133,7 @@ in {
         Type = "simple";
         DynamicUser = true;
         StateDirectory = name;
-        ExecStart = "${anki-sync-server-run}/bin/anki-sync-server-run";
+        ExecStart = anki-sync-server-run;
         Restart = "always";
         LoadCredential =
           map