diff --git a/modules/services/immich.nix b/modules/services/immich.nix index 6540f7e..7b94965 100644 --- a/modules/services/immich.nix +++ b/modules/services/immich.nix @@ -51,7 +51,7 @@ helper.mkPodmanService { - $UPLOAD_LOCATION:/data - /etc/localtime:/etc/localtime:ro env_file: - - .env + - /var/lib/numbus-server/immich/.env depends_on: - immich-redis - immich-database @@ -74,7 +74,7 @@ helper.mkPodmanService { - ${cfg.configDir}/machine-learning-config:/usr/src/.config - ${cfg.configDir}/machine-learning-cache:/usr/src/.cache/ env_file: - - .env + - /var/lib/numbus-server/immich/.env healthcheck: disable: false security_opt: diff --git a/modules/services/lib.nix b/modules/services/lib.nix index bdf1945..6997f1a 100644 --- a/modules/services/lib.nix +++ b/modules/services/lib.nix @@ -22,15 +22,13 @@ with lib; dirPermissions ? [], generatedSecrets ? {}, importedSecrets ? {}, - envFile ? null, ... }: let cfg = config.numbus.services.${name}; hasSecrets = (generatedSecrets != {}) || (importedSecrets != {}); - envFilePath = if envFile == null then "/var/lib/numbus-server/${name}/.env" else envFile; - envFileArg = if hasSecrets || envFile != null then "--env-file ${envFilePath}" else ""; + envFileArg = if hasSecrets != null then "/var/lib/numbus-server/${name}/.env" else ""; in { 
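Review bot: The absolute path `/var/lib/numbus-server/immich/.env` in both `env_file:` entries (the hunk at -51 and the machine-learning one at -74) repeats by hand what lib.nix builds as `/var/lib/numbus-server/${name}/.env`, so the two can drift if the service name or state directory changes. Deriving it from one shared expression, as the neighbouring `${cfg.configDir}` lines do for volumes, would keep them in step. This is the file lib.nix fills with generated and imported secrets, so both containers receive every entry in it. If the machine-learning container needs only some of them (not visible here), pass those through explicit `environment:` keys instead. Both service definitions continue outside the hunks.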
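Review bot: `hasSecrets` is a boolean, so `hasSecrets != null` on the new `envFileArg` line is always true, and the value is now a bare path with no `--env-file` in front of it. `ExecStart` and `ExecStop` (hunk at -112) still interpolate `${envFileArg}`, so every service, including those with no secrets, would get that path as a stray positional argument to podman-compose. If the flag is still wanted, write `envFileArg = if hasSecrets then "--env-file /var/lib/numbus-server/${name}/.env" else "";`. If the compose `env_file:` entries are meant to replace it, drop `${envFileArg}` from `ExecStart` and `ExecStop` as was done for `pull`. Because the argument set keeps `...`, callers that still pass `envFile` are accepted and silently ignored.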
@@ -112,7 +110,7 @@ ${concatStringsSep "\n" (map (m: " - ${m}") middlewares)} TimeoutStartSec = "1000"; ExecStartPre = [ "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'" - "${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} -f /etc/podman/${name}/compose.yaml pull" + "${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose -f /etc/podman/${name}/compose.yaml pull" ]; ExecStart = "${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans"; ExecStop = "${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down"; @@ -176,7 +174,7 @@ ${concatStringsSep "\n" (map (m: " - ${m}") middlewares)} # Generated Secrets (only if missing) ${concatStringsSep "\n" (mapAttrsToList (k: v: '' if ! grep -q "^${k}=" "$SECRETS_FILE"; then - echo "${k}=$(${v})" >> "$SECRETS_FILE" + echo "${k}=\"$(${v})\"" >> "$SECRETS_FILE" fi '') generatedSecrets)} @@ -186,7 +184,7 @@ ${concatStringsSep "\n" (map (m: " - ${m}") middlewares)} grep -v "^${k}=" "$SECRETS_FILE" > "$SECRETS_FILE.tmp" mv "$SECRETS_FILE.tmp" "$SECRETS_FILE" fi - echo "${k}=${lib.escapeShellArg v}" >> "$SECRETS_FILE" + echo "${k}=\"${lib.escapeShellArg v}\"" >> "$SECRETS_FILE" '') importedSecrets)} chown numbus-admin:users "$SECRETS_FILE"
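Review bot: The `\"…\"` added around `$(${v})` in the hunk at -176 is written to the secrets file as literal characters, and whether it is stripped depends on the reader. A dotenv-style parser removes the quotes, while a reader that takes the rest of the line verbatim would make them part of the secret, so confirm which parser consumes the file through `env_file:` and record it in a comment such as `# values are double-quoted; the .env reader must strip quotes`. A generated value containing `"` or a backslash would also produce a malformed line, so the generator output should be limited to a safe alphabet or escaped. Entries written before this change stay unquoted because of the `grep -q` guard, so existing and fresh hosts will hold differently formatted files.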
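Review bot: On the new `echo` line in the hunk at -186, `lib.escapeShellArg v` is expanded inside a double-quoted shell string. There the single quotes it adds are literal, so they do not stop `$`, backticks or `\` in an imported value from being interpreted by the shell when the script runs. With the added `\"…\"` the file now holds `KEY="'value'"` for any value that escapeShellArg quotes, so a quote-stripping reader receives the single quotes as part of the secret. Passing the value as its own argument avoids both problems: `printf '%s="%s"\n' ${lib.escapeShellArg k} ${lib.escapeShellArg v} >> "$SECRETS_FILE"`. The surrounding script block starts and ends outside the hunk.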