diff --git a/nixos/modules/services/web-apps/pretalx.nix b/nixos/modules/services/web-apps/pretalx.nix
index c7d35d029963..5a6ab7fbe083 100644
--- a/nixos/modules/services/web-apps/pretalx.nix
+++ b/nixos/modules/services/web-apps/pretalx.nix
@@ -53,6 +53,17 @@ in
       description = "User under which pretalx should run.";
     };
 
+    environmentFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      example = "/run/keys/pretalx-secrets.env";
+      description = ''
+        Environment file to pass secret configuration values.
+
+        Each line must follow the `PRETALX_SECTION_KEY=value` pattern.
+      '';
+    };
+
     plugins = lib.mkOption {
       type = with lib.types; listOf package;
       default = [ ];
@@ -381,6 +392,9 @@ in
           serviceConfig = {
             User = "pretalx";
             Group = "pretalx";
+            EnvironmentFile = lib.optionals (cfg.environmentFile != null) [
+              cfg.environmentFile
+            ];
             StateDirectory = [
               "pretalx"
               "pretalx/media"