diff --git a/bin/copy-secrets b/bin/copy-secrets
index f38e9249e..d155399e9 100755
--- a/bin/copy-secrets
+++ b/bin/copy-secrets
@@ -18,7 +18,7 @@ fi
 retiolum_secret=$(nixos-query $system_name tv.retiolum.privateKeyFile)
 retiolum_uid=$(nixos-query $system_name users.extraUsers.retiolum-tinc.uid)
 
-ejabberd_secret=/etc/ejabberd/ejabberd.pem
+ejabberd_secret=$(nixos-query $system_name services.ejabberd-cd.certFile)
 ejabberd_uid=$(nixos-query $system_name users.extraUsers.ejabberd.uid)
 
 rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/"
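Review bot: The new `ejabberd_secret=$(nixos-query ...)` assignment has no check on its result, so a query that succeeds but prints nothing (an unset or mis-evaluated option) leaves the variable empty, and even `set -e` would not catch that; whatever consumes `$ejabberd_secret` further down the script, outside this hunk, would then operate on an empty path instead of aborting. A one-line guard right after the assignment, `: "${ejabberd_secret:?nixos-query returned no services.ejabberd-cd.certFile}"`, turns that into a hard failure. The value now also comes from a `types.string` option rather than a fixed literal, so it is no longer guaranteed to be a sane absolute path; if the downstream use is a copy into `$secrets_rsync` for the root-owned rsync on the last line, a guard that the path is absolute and exists is worth the extra line. The unquoted `$system_name` matches the neighbouring lines and is left as is.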
diff --git a/modules/tv/ejabberd.nix b/modules/tv/ejabberd.nix
index 008fe2cda..54a9aad0f 100644
--- a/modules/tv/ejabberd.nix
+++ b/modules/tv/ejabberd.nix
@@ -9,7 +9,8 @@ let
 
   cfg = config.services.ejabberd-cd;
 
-
+  # XXX this is a placeholder that happens to work the default strings.
+  toErlang = builtins.toJSON;
 
 in
 
@@ -26,6 +27,16 @@ in
         description = "Whether to enable ejabberd server";
       };
 
+      certFile = mkOption {
+        # TODO if it's types.path then it gets copied to /nix/store with
+        #      bad unsafe permissions...
+        type = types.string;
+        default = "/etc/ejabberd/ejabberd.pem";
+        description = ''
+          TODO
+        '';
+      };
+
       config = mkOption {
         type = types.string;
         default = "";
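Review bot: The `description` of the new `certFile` option is literally `TODO`, so `nixos-option` and the generated module docs say nothing about what the path is for or why it is a string rather than a path. A description such as `Path on the target host of the PEM file ejabberd loads for c2s STARTTLS and s2s (certfile / s2s_certfile). Deliberately a string, not a path: a path value would be copied into the world-readable Nix store, and bin/copy-secrets treats this file as a secret.` covers both. The comment above `type` could then say the same thing in one line, `# not types.path: that would copy the secret into the world-readable /nix/store`, instead of "bad unsafe permissions", which does not say what the actual exposure is. Since the value is also interpolated verbatim into the Erlang config, it may be worth noting in the description that only plain ASCII paths are supported, whatever is decided for the `toErlang` helper.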
@@ -221,7 +232,7 @@ in
                 %% file and uncomment this line:
                 %%
                 starttls,
-                {certfile, "/etc/ejabberd/ejabberd.pem"},
+                {certfile, ${toErlang cfg.certFile}},
 
                 {access, c2s},
                 {shaper, c2s_shaper},
@@ -274,7 +285,7 @@ in
           %%
           %% s2s_certfile: Specify a certificate file.
           %%
-          {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
+          {s2s_certfile, ${toErlang cfg.certFile}}.
 
           %%
           %% domain_certfile: Specify a different certificate for each served hostname.