diff --git a/mod-seafile-server.nix b/mod-seafile-server.nix index 50ad7cf..4b65806 100644 --- a/mod-seafile-server.nix +++ b/mod-seafile-server.nix @@ -2,6 +2,8 @@ with lib; let cfg = config.services.seafile-server; + seafileConfigFile = pkgs.writeText "seafile.conf" + (generators.toINI {} cfg.seafileSettings); # fix permissions at start in { @@ -12,6 +14,13 @@ in default = "/srv/seafile"; description = "where to store uploaded file data"; }; + seafileSettings = mkOption { + type = with types; attrsOf (attrsOf (oneOf [ bool int str ])); + default = {}; + description = '' + all possible seafile.conf settings + ''; + }; autorun = mkOption { type = types.bool; default = true; @@ -33,20 +42,12 @@ in default = "seafile"; description = "Database name. Not required for sqlite."; }; - password = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Database password. Use passwordFile to avoid this - being world-readable in the /nix/store. - - Not required for sqlite.''; - }; - passwordFile = mkOption { + passwordFile = mkOption { type = types.nullOr types.str; default = null; description = '' The full path to a file that contains the database password. + Not required for sqlite. ''; }; host = mkOption { 
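Review bot: The description of the new `seafileSettings` option ("all possible seafile.conf settings") does not mention that its values are rendered with `pkgs.writeText` and so end up in the Nix store, which the removed `password` option's text described as world-readable. Anyone who puts a secret into this attribute set (for example under `database`) would publish it to every local user. I would extend the description along the lines of `Settings rendered into seafile.conf. The generated file lives in the world-readable Nix store, so do not put secrets here; use db.passwordFile for the database password.`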
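Review bot: Removing `db.password` without a replacement stub means existing configurations that still set it fail with a generic "option does not exist" error rather than being pointed at the safer option. If the module has (or can get) an `imports` list, which is not visible in this hunk, a guided error would be `(mkRemovedOptionModule [ "services" "seafile-server" "db" "password" ] "Use services.seafile-server.db.passwordFile instead.")`. The `passwordFile` description could also state that the path must point outside the Nix store, since a file in the store is world-readable.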
@@ -172,6 +173,39 @@ in directoriesToManage = [ cfg.storagePath ]; in mkIf cfg.enable { + services.seafile-server.seafileSettings = { + library_trash.expire_days = cfg.trashExpirationTime; + fileserver = { + host = cfg.fileserverBindAddress; + port = cfg.fileserverPort; + worker_threads = cfg.fileserverWorkers; + max_indexing_threads = cfg.fileserverIndexers; + fixed_block_size = cfg.fileserverBlockSize; + }; + quota = mkIf (! isNull cfg.defaultQuota) { + default = cfg.defaultQuota; + }; + history = mkIf (! isNull cfg.fileRevisionHistoryDays) { + keep_days = cfg.fileRevisionHistoryDays; + }; + database = mkMerge [ + { + type = cfg.db.type; + } + # while just using the cfg.db set directly might be possible and + # save lines of code, I prefer hand-picking options + (mkIf (cfg.db.type == "mysql") { + host = cfg.db.host; + port = cfg.db.port; + user = cfg.db.user; + connection_charset = "utf8"; + db_name = cfg.db.dbname; + max_connections = 100; + password = "#dbpass#"; + }) + ]; + }; + systemd = { # state directory permissions managed by systemd tmpfiles.rules = [ 
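Review bot: With `db.type = "mysql"` and `db.passwordFile` left at its default `null`, the literal from `password = "#dbpass#";` is what ends up in seafile.conf as the database password, and nothing in this hunk rejects that combination. Unless password-less MySQL access is intended, an assertion would fail the evaluation early instead of producing a config with a placeholder credential: `assertions = [ { assertion = cfg.db.type != "mysql" || cfg.db.passwordFile != null; message = "services.seafile-server.db.passwordFile must be set when db.type is mysql"; } ];`. If the module already defines `assertions` elsewhere, the entry belongs in that list; the `mkIf cfg.enable` block continues outside the hunk.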
@@ -209,48 +243,17 @@ in # seafile.conf generation - echo '[library_trash] - expire_days ${toString cfg.trashExpirationTime} - - [fileserver] - host = ${cfg.fileserverBindAddress} - port = ${toString cfg.fileserverPort} - worker_threads = ${toString cfg.fileserverWorkers} - max_indexing_threads = ${toString cfg.fileserverIndexers} - fixed_block_size = ${toString cfg.fileserverIndexers}' > ./conf/seafile.conf - - if [ ${toString (! isNull cfg.defaultQuota)} ]; then - echo '[quota]' >> ./conf/seafile.conf - echo 'default = ${toString cfg.defaultQuota}' >> ./conf/seafile.conf - fi - - if [ ${toString (! isNull cfg.fileRevisionHistoryDays)} ]; then - echo '[history]' >> ./conf/seafile.conf - echo 'keep_days = ${toString cfg.defaultQuota}' >> ./conf/seafile.conf - fi - - # seafile database settings - - if [ ${cfg.db.type} = "mysql" ]; then - echo '[database] - type = mysql - host = ${cfg.db.host} - port = ${toString cfg.db.dbport} - user = ${cfg.db.user} - connection_charset = utf8 - db_name = ${cfg.db.dbname} - max_connections = 100' >> ./conf/seafile.conf - - if [ ${toString (! isNull cfg.db.password)}; then - echo 'password = ${toString cfg.db.password}' >> ./conf/seafile.conf - else - echo "password = $(cat ${toString cfg.db.passwordFile})" >> ./conf/seafile.conf - fi - else - echo '[database] - type = sqlite' >> ./conf/seafile.conf - fi + # move seafile.conf template from nix store + cp ${seafileConfigFile} ./conf/seafile.conf + # replace placeholder secrets with real secret read from file + ${if (isNull cfg.db.passwordFile) then '' + DBPASS="$(head -n1 ${toString cfg.db.passwordFile})" + sed -e "s,#dbpass#,$DBPASS,g" -i ./conf/seafile.conf + '' + else "" + } + ln -s ${pkgs.seafile-server} seafile-server ./seafile-server/seafile-server-latest/bin/seafile-admin setup ''}") diff --git a/seafile-test.nix b/seafile-test.nix index c1401be..5022de2 100644 --- a/seafile-test.nix +++ b/seafile-test.nix 
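Review bot: The condition guarding the secret substitution is inverted: `if (isNull cfg.db.passwordFile) then '' … ''` emits the `head`/`sed` lines only when no password file is configured, so with a password file set the `#dbpass#` placeholder stays in ./conf/seafile.conf as the database password. Separately, `cp` from the Nix store carries over the store file's read-only, world-readable mode, so the copy that later holds the real password is probably readable by any local user unless the enclosing directory restricts access (not visible here). The password is also pasted unescaped into a sed replacement, where `,`, `&` and `\` are special, so some passwords would be written incorrectly. The rewrite below gates on a non-null password file, installs the copy with mode 0600 and escapes the replacement text; the surrounding script starts and ends outside the hunk.

```nix
# copy the seafile.conf template out of the nix store, readable by the owner only
install -m 0600 ${seafileConfigFile} ./conf/seafile.conf

# replace placeholder secrets with real secret read from file
${optionalString (cfg.db.passwordFile != null) ''
  DBPASS="$(head -n1 ${escapeShellArg cfg.db.passwordFile})"
  # escape the characters sed treats specially in a replacement
  DBPASS_ESC="$(printf '%s' "$DBPASS" | sed -e 's/[\\&,]/\\&/g')"
  sed -e "s,#dbpass#,$DBPASS_ESC,g" -i ./conf/seafile.conf
''}

# … unchanged: ln -s of seafile-server and seafile-admin setup …
```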
@@ -16,7 +16,7 @@ isNormalUser = true; extraGroups = [ "wheel" ]; #hashedPassword = "$6$SZCzE/xB$Hr9sfsJ7xAcBCoptG39cxxQk8RZfldDjjGpSngOvn9Ufex5dHBEbdncXRZnfrGATsGcYPvLi7m4wIu.f8tY9B."; - password = ""; + password = "test"; home = "/home/test"; createHome = true; };
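Review bot: `password = "test";` gives an account in `wheel` a guessable plaintext password, and the `password` option also places that value in the Nix store. That is acceptable for a throwaway test VM, but nothing on the line says the block is limited to one. I would add a comment such as `# test VM only: well-known password, never reuse this user block on a reachable host`. The user definition starts and ends outside the hunk.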