diff --git a/hosts/dosei/services/wstunnel.nix b/hosts/dosei/services/wstunnel.nix
index 2635229..8937606 100644
--- a/hosts/dosei/services/wstunnel.nix
+++ b/hosts/dosei/services/wstunnel.nix
@@ -7,11 +7,16 @@
 "services/networking/wstunnel.nix"
 ];
- # NOTE: Contains
- # - WSTUNNEL_HTTP_UPGRADE_PATH_PREFIX
- # - WSTUNNEL_RESTRICT_HTTP_UPGRADE_PATH_PREFIX
- sops.secrets."wstunnel/http-upgrade-path-prefix-envvars" = {
- sopsFile = ../../../secrets/common.yaml;
+ sops = {
+ secrets."wstunnel/http-upgrade-path-prefix" = {
+ sopsFile = ../../../secrets/common.yaml;
+ };
+ templates."wstunnel-environment.env".content = let
+ inherit (config.sops) placeholder;
+ in ''
+ WSTUNNEL_HTTP_UPGRADE_PATH_PREFIX=${placeholder."wstunnel/http-upgrade-path-prefix"}
+ WSTUNNEL_RESTRICT_HTTP_UPGRADE_PATH_PREFIX=${placeholder."wstunnel/http-upgrade-path-prefix"}
+ '';
 };
 services.wstunnel = {
@@ -21,7 +26,7 @@
 localToRemote = [
 "tcp://10022:localhost:22"
 ];
- environmentFile = config.sops.secrets."wstunnel/http-upgrade-path-prefix-envvars".path;
+ environmentFile = config.sops.templates."wstunnel-environment.env".path;
 };
 };
 }
diff --git a/hosts/tsuki/services/wstunnel.nix b/hosts/tsuki/services/wstunnel.nix
index 5496d94..96ccc6a 100644
--- a/hosts/tsuki/services/wstunnel.nix
+++ b/hosts/tsuki/services/wstunnel.nix
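Review bot: The new `templates."wstunnel-environment.env"` entry declares no `restartUnits`, so as far as the hunk shows a rotated `wstunnel/http-upgrade-path-prefix` is re-rendered on activation while the running tunnel keeps the old prefix until it is restarted by hand. If the pinned sops-nix supports the option on templates, add `templates."wstunnel-environment.env".restartUnits = [ "<wstunnel unit name>.service" ];` (placeholder; the instance name is outside this hunk). The value is also interpolated unquoted into an env file and the removed `# NOTE` has no successor, so a comment on the secret such as `# bare prefix: single line, no whitespace or quotes; feeds both variables` would record the format the template relies on. The same applies to the identical first hunk in hosts/tsuki/services/wstunnel.nix.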
@@ -7,11 +7,16 @@
 "services/networking/wstunnel.nix"
 ];
- # NOTE: Contains
- # - WSTUNNEL_HTTP_UPGRADE_PATH_PREFIX
- # - WSTUNNEL_RESTRICT_HTTP_UPGRADE_PATH_PREFIX
- sops.secrets."wstunnel/http-upgrade-path-prefix-envvars" = {
- sopsFile = ../../../secrets/common.yaml;
+ sops = {
+ secrets."wstunnel/http-upgrade-path-prefix" = {
+ sopsFile = ../../../secrets/common.yaml;
+ };
+ templates."wstunnel-environment.env".content = let
+ inherit (config.sops) placeholder;
+ in ''
+ WSTUNNEL_HTTP_UPGRADE_PATH_PREFIX=${placeholder."wstunnel/http-upgrade-path-prefix"}
+ WSTUNNEL_RESTRICT_HTTP_UPGRADE_PATH_PREFIX=${placeholder."wstunnel/http-upgrade-path-prefix"}
+ '';
 };
 services.wstunnel = {
@@ -22,7 +27,7 @@
 port = 8789;
 };
 enableHTTPS = false;
- environmentFile = config.sops.secrets."wstunnel/http-upgrade-path-prefix-envvars".path;
+ environmentFile = config.sops.templates."wstunnel-environment.env".path;
 };
 };
 }
diff --git a/secrets/common.yaml b/secrets/common.yaml
index 243b78f..fcf6cdc 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
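Review bot: The `enableHTTPS = false` line in the second hunk has no comment saying where TLS is terminated, yet the prefix loaded through the new `environmentFile` appears to be the value that restricts which clients may open a tunnel, so wstunnel itself would receive it over plain HTTP. Whether a TLS-terminating proxy sits in front is not visible here. A comment next to `enableHTTPS`, for example `# TLS is terminated by the reverse proxy; keep this listener loopback-only, the path prefix is the only client check`, would make that dependency explicit. The `services.wstunnel` block starts outside the hunk, so the listen address could not be checked.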
@@ -1,7 +1,7 @@ nix: - access-tokens: ENC[AES256_GCM,data:LqviV34jmMPif7jLiVJM0V2cyyIzF7sPVxKlhDiX2lptmGZ6NLs8dh9xmPeU2YGVrd6fvEq/5tiNYVD8pln5phSOPH16EeBd0e51Tm+8Km2Sp9Q4rWpuE+wrIKtYrZZEvGys2Xu9umI+sFJf4zol0glkcZYPbsuISg==,iv:bdMMGlkqdmfuySAuAr2OcgtVJ7FsKbxpcWMrmHA3eE8=,tag:Kil/ioH5l3VmU9mK597LMA==,type:str] + access-tokens: ENC[AES256_GCM,data:I2wXlh6XQL89k3Fko4uNvgxU26qKvRjTwq6dQXytW8tId51WRaHGs1qqEyxiVnwtpjXWcD4/5iAip/oSEyQzlR1zhTu01QwgeHYI6kxzyJDFGg4IbYZ6ReWy5RYIh8jji0+hfVzuLenmZLY365DjGAwg+z5KXDy2tKm4zEL8c+Pbv4Wt6LGQdYS74/xrc0KqPGNRMz/T/EALradx9T9+gdgnLBAPGfJV130fBbQijDuaCw==,iv:enw8eyh0yuqTyVucXCrQ+zSbNEaOrlTPqec8brUNA6M=,tag:pL4vYTE6lLKLjD10mVeAXw==,type:str] wstunnel: - http-upgrade-path-prefix-envvars: ENC[AES256_GCM,data:aS7Kvpj9aHtaiKZiakDuvdiDcVYFMkYv9FIH060Dbkahk6v+2bbxzgKcRtnDnLlphtGlZD7yWRcbvlYiG7Y5mRNS1X5PkspQwFKKnwGGHiWgfun9yxB6VHvPdb4W4SNA8QfRmqH4XmJUfDSPmZfh5Ggzhy7/74avC0vfqKBvQ+ml4fjqTmdS6EkFGrrUwIXFrjiCqdxnNYmp8I/L1b22R5YoY/JTsc4mG6N9s3B75GvsYI2EDG4vQ7EMyktd2CHsXJgNFRQUM+GzBbkO4VvG,iv:EbuV/2L+p4A+aloC6uQYiFFF7Lsz5A5RTGMuHMqtTpI=,tag:DThZOERbXuUdDJso7ertbg==,type:str] + http-upgrade-path-prefix: ENC[AES256_GCM,data:3WG+fu+XXFDgHuEEosWtZKMj51Ks1QIdgWRRsX6RVre8+0t7/4bICoVYtaMSWwMAjH03tt5i1Af1orlKT72gvQ==,iv:syXhMVHwWf9H+HHBhNDq1Y1df9t6VitqhPEqruTnBRA=,tag:1RNmL50z6v4X/cVxkAAvew==,type:str] ssh: secret-config: "" nix-builders: 
@@ -65,8 +65,8 @@ sops: cm15UjQ4S0xoclpLV0pYcmJzM1g2eDAKAjJUhGgicEG3dj8BdMjPvr9MC/c+oIGx kPxtKQ5REb5UolEuBBsWapKhKeXLFtTsV/qGOokO34HT1PqZI37Ikw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-29T07:17:06Z" - mac: ENC[AES256_GCM,data:KkW9TTekjw+jB2MWvCa5CEL6fVLgaCnAtIFw6aJUGkpMpyf20xMsHmWbRI0/p7wqFZx919f7klA+yOUfZje8MC60CB6ZHHFE2wnVwOSqSpK4J9Cpr30uvpiffeyseHJVz1HTX7Y8vQ5e4OpueC6e+ndRrkZeKcJCc7/vQPipLrU=,iv:iN3yMOxam2s1FI3D/Nw7vecIUMj4pg6QRgKwi4FF+nY=,tag:s/LJ8hgN1KEvQ+a9pCX6lA==,type:str] + lastmodified: "2024-11-25T09:09:38Z" + mac: ENC[AES256_GCM,data:virqHg0KoyhLVP9yynReVwSGhTBWz2mO5uBRXqzae7plALvRS+mzErfR+h63bX4TF/iLxQ/pJZb+KqQugweWEon9cycIyoKfRaIqaIZ4t8SnVWmDt6xEebkZC4JT7FD9xf27YTzxnamyINRdiCirTfJOeF4PKEow0EjH0WoS1DQ=,iv:giJ6JOXJQInavkdZbkDABG66B45ciNTetGHcwcz73dA=,tag:rvCbdxNFwoYjGuFi/YwI2Q==,type:str] pgp: - created_at: "2024-07-17T14:18:35Z" enc: |- @@ -89,4 +89,4 @@ sops: -----END PGP MESSAGE----- fp: F7D37890228A907440E1FD4846B9228E814A2AAC unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.1