diff --git a/hosts/containers/blogs/default.nix b/hosts/containers/blogs/default.nix
index 302ea5d3..cf238c99 100644
--- a/hosts/containers/blogs/default.nix
+++ b/hosts/containers/blogs/default.nix
@@ -14,7 +14,10 @@
   };
 
   # See secrets/hosts/blogs for the .env file with all settings
-  services.plume.enable = true;
+  services.plume = {
+    enable = true;
+    envFile = config.sops.secrets."plume/env".path;
+  };
 
   sops.defaultSopsFile = secretsFile;
   sops.secrets = {
diff --git a/lib/plume.nix b/lib/plume.nix
index 3fed7fa0..a258f781 100644
--- a/lib/plume.nix
+++ b/lib/plume.nix
@@ -8,6 +8,12 @@ in
 {
   options.services.plume = with lib; {
     enable = mkEnableOption "Plume";
+
+    envFile = mkOption {
+      type = types.path;
+      description = "Path to .env file";
+    };
+
     user = mkOption {
       type = types.str;
       default = "plume";
@@ -24,8 +30,6 @@ in
   config = lib.mkIf cfg.enable {
     systemd.tmpfiles.rules = [
       "d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -"
-      "L ${config.users.users.${cfg.user}.home}/.env - - - - /run/secrets/plume/env"
-      "L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static"
     ];
 
     ids.uids.plume = 499;
@@ -52,6 +56,16 @@ in
       wantedBy = [ "multi-user.target" ];
       path = [ plume ];
       script = ''
+        ln -sf ${cfg.envFile} .env
+        mkdir -p static/media
+        for f in ${plume}/share/plume/static/*; do
+          n=$(basename "$f")
+          if [ "$n" != media ]; then
+            rm -f "static/$n"
+            ln -s "$f" "static/$n"
+          fi
+        done
+
         plm migration run
         plm search init
         exec plume