Environment file as defined in systemd.exec(5).
Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.
# snippet of sssd-related config
[domain/LDAP]
ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
# contents of the environment file
SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword