diff --git a/keycloak-cli-config/configcreator.nix b/keycloak-cli-config/configcreator.nix
index 89da343..f8e95ff 100644
--- a/keycloak-cli-config/configcreator.nix
+++ b/keycloak-cli-config/configcreator.nix
@@ -60,6 +60,14 @@ let
 enabled = "true";
 inherit (config) email firstName lastName realmRoles;
+ } // optionalAttrs (hasAttr "initialPassword" config && config.initialPassword) {
+ credentials = [
+ {
+ type = "password";
+ userLabel = "initial";
+ value = "$(keycloak.users.${k}.password)";
+ }
+ ];
 };
 in
diff --git a/keycloak-cli-config/unit.nix b/keycloak-cli-config/unit.nix
index dfa6080..4eb1ecd 100644
--- a/keycloak-cli-config/unit.nix
+++ b/keycloak-cli-config/unit.nix
@@ -30,6 +30,7 @@ let
 "KEYCLOAK_USER=${keycloakUser}"
 "KEYCLOAK_AVAILABILITYCHECK_ENABLED=true"
 "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT=${keycloakAvailabilityTimeout}"
+ "IMPORT_VARSUBSTITUTION_ENABLED=true"
 "IMPORT_FILES_LOCATIONS=${configFileLocation}"
 ] ++ (if !debug then [] else [
 "DEBUG=true"
@@ -39,6 +40,10 @@ let
 "LOGGING_LEVEL_KEYCLOAKCONFIGCLI=debug"
 ]));
+ envfiles = lib.concatMapStrings (x: "\nEnvironmentFile=" + x) ([
+ "/run/keys/keycloakusers"
+ ]);
+
 keycloak-cli-config = pkgs.stdenv.mkDerivation rec {
 pname = "keycloak-cli-config";
 version = "5.3.1";
@@ -74,7 +79,7 @@ utils.systemd.mkService rec {
 User=keycloakcli
 Group=keycloakcli
- Type=oneshot${envs}
+ Type=oneshot${envs}${envfiles}
 ExecStart=${pkgs.jre}/bin/java -jar ${keycloak-cli-config}/bin/keycloak-cli-config.jar
 RuntimeDirectory=keycloak-cli-config
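Review bot: The credential entry added after `inherit (config) ...` in configcreator.nix provisions a password that the user is never asked to change, because no `temporary` field is set on it. If the import honours that field of Keycloak's credential representation, adding `temporary = true;` next to `userLabel = "initial";` would force a password update at first login; this is worth confirming against the deployed version. The lookup key `$(keycloak.users.${k}.password)` is built from the user name, so a name containing `.` or other characters the variable source does not accept would presumably fail to resolve, and a short comment stating the allowed names would help. The guard can also be written as `config.initialPassword or false`. The enclosing `let` binding starts and ends outside the hunk.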
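Review bot: `"IMPORT_VARSUBSTITUTION_ENABLED=true"` in the environment list of unit.nix should carry a comment, because it changes how the whole import file is read and not only the new password field. Once it is on, any `$(...)` sequence in a value generated from module options (names, e-mail addresses and whatever else configcreator.nix emits) is treated as a lookup rather than literal text. Suggested comment above the line: `# resolves $(keycloak.users.<name>.password) from the EnvironmentFile; applies to every string in the import file`. It is also worth checking which lookup types the substitution in the bundled 5.3.1 jar accepts, and keeping option values that reach the import file free of `$(`. The list itself starts outside the hunk.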
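Review bot: The new `envfiles` binding hard-codes `/run/keys/keycloakusers` and adds it unconditionally, so the unit will presumably fail to start on hosts where no user sets `initialPassword` and the key file was never deployed. Consider emitting the entry only when at least one user has `initialPassword` set, and taking the path from a module option instead of a literal. Nothing visible in this diff orders the unit after whatever provisions the key, so a boot-time race is possible. A comment giving the expected file format (one `NAME=value` line per user) and the intended ownership would help; systemd loads `EnvironmentFile=` itself, so the file should not need to be readable by `keycloakcli`, which is worth verifying. Note that the passwords are then present in the Java process environment for the duration of the oneshot run.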
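Review bot: On the changed `Type=oneshot${envs}${envfiles}` line, variables from the key file take precedence over the ones the unit computes, assuming `envs` expands to `Environment=` lines, because systemd lets `EnvironmentFile=` settings override `Environment=`. A stray `KEYCLOAK_USER` or `IMPORT_FILES_LOCATIONS` entry in `/run/keys/keycloakusers` would therefore silently replace the configured value, so the file should be documented as holding only the per-user password variables. The splice also relies on both strings starting with `"\n"`; a comment saying so would keep a later edit from gluing a directive onto `Type=oneshot`. The unit text starts and ends outside the hunk.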