diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index 96659c6cbdd0..a34c58f8c367 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -190,6 +190,10 @@
 - Linux 5.4 and all its variants have been removed since mainline will reach its end of life within the support-span of 25.11.
+- The `services.nginx.sso` module has switched to generating its configuration
+ file in `/run`. You should manually delete `/var/lib/nginx-sso/config.yaml` to
+ avoid storing secret values to disk.
+
 - The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.
 - `boot.enableContainers` is only turned on when a declarative NixOS container is defined in `containers`.
diff --git a/nixos/modules/services/security/nginx-sso.nix b/nixos/modules/services/security/nginx-sso.nix
index 273b860c359d..437eb0c62796 100644
--- a/nixos/modules/services/security/nginx-sso.nix
+++ b/nixos/modules/services/security/nginx-sso.nix
@@ -8,7 +8,7 @@ let
 cfg = config.services.nginx.sso;
 format = pkgs.formats.yaml { };
- configPath = "/var/lib/nginx-sso/config.yaml";
+ configPath = "/run/nginx-sso/config.yaml";
 secretsReplacement = utils.genJqSecretsReplacement { loadCredential = true; } cfg.configuration configPath;
@@ -60,14 +60,11 @@ in
 description = "Nginx SSO Backend";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
+ preStart = secretsReplacement.script;
 serviceConfig = {
 StateDirectory = "nginx-sso";
 WorkingDirectory = "/var/lib/nginx-sso";
- ExecStartPre = pkgs.writeShellScript "merge-nginx-sso-config" ''
- rm -f '${configPath}'
- # Relies on YAML being a superset of JSON
- ${secretsReplacement.script}
- '';
+ RuntimeDirectory = "nginx-sso";
 ExecStart = ''
 ${lib.getExe cfg.package} \
 --config ${configPath} \
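Review bot: The new `RuntimeDirectory = "nginx-sso";` leaves systemd's default directory mode of 0755 in place, so the rendered `/run/nginx-sso/config.yaml`, which holds the substituted secret values, is readable by any local user unless `secretsReplacement.script` creates it under a restrictive umask, which this hunk does not show; since the stated goal of the change is secret hygiene, pin it with `RuntimeDirectoryMode = "0700";` directly after the `RuntimeDirectory` line (the same exposure presumably existed under `/var/lib`, so this is not a regression, but it is the right moment to close it). The stale `/var/lib/nginx-sso/config.yaml` also keeps the old secrets on persistent storage until an administrator acts on the release note; because `StateDirectory = "nginx-sso"` is retained, the module could remove it itself for one release cycle by prepending `rm -f /var/lib/nginx-sso/config.yaml` to the new `preStart` script. Dropping the old `rm -f '${configPath}'` looks safe, as a runtime directory is removed when the unit stops, provided nothing elsewhere in the module sets `RuntimeDirectoryPreserve`. The `serviceConfig` attribute set continues past the end of the hunk.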