diff --git a/modules/programs/opencode.nix b/modules/programs/opencode.nix
index 21199c80..f0d876a5 100644
--- a/modules/programs/opencode.nix
+++ b/modules/programs/opencode.nix
@@ -115,6 +115,20 @@ in
 See for available options.
 '';
 };
+
+ environmentFile = mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ example = "/run/secrets/opencode-web";
+ description = ''
+ Path to a file containing environment variables for the opencode web
+ service, in the format of an EnvironmentFile as described by
+ {manpage}`systemd.exec(5)` (i.e. `KEY=VALUE` pairs, one per line).
+
+ This is the recommended way to set `OPENCODE_SERVER_PASSWORD` without
+ exposing the secret value in the Nix store.
+ '';
+ };
 };
 
 rules = lib.mkOption {
@@ -501,6 +515,9 @@ in
 ExecStart = "${lib.getExe cfg.package} serve ${lib.escapeShellArgs webCfg.extraArgs}";
 Restart = "always";
 RestartSec = 5;
+ }
+ // lib.optionalAttrs (webCfg.environmentFile != null) {
+ EnvironmentFile = webCfg.environmentFile;
 };
 
 Install = {
@@ -513,11 +530,24 @@ in
 opencode-web = {
 enable = true;
 config = {
- ProgramArguments = [
- (lib.getExe cfg.package)
- "serve"
- ]
- ++ webCfg.extraArgs;
+ ProgramArguments =
+ let
+ programArguments = [
+ (lib.getExe cfg.package)
+ "serve"
+ ]
+ ++ webCfg.extraArgs;
+ opencodeLaunchdWrapper = pkgs.writeShellScriptBin "opencode-launchd-wrapper" ''
+ source ${webCfg.environmentFile}
+ ${lib.escapeShellArgs programArguments}
+ '';
+ in
+ if webCfg.environmentFile == null then
+ programArguments
+ else
+ [
+ (lib.getExe opencodeLaunchdWrapper)
+ ];
 KeepAlive = {
 Crashed = true;
 SuccessfulExit = false;
diff --git a/tests/modules/programs/opencode/default.nix b/tests/modules/programs/opencode/default.nix
index 22be9e6d..251a8d26 100644
--- a/tests/modules/programs/opencode/default.nix
+++ b/tests/modules/programs/opencode/default.nix
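Review bot: `environmentFile` is typed `lib.types.nullOr lib.types.path`, which accepts a Nix path literal as well as a string, and the Darwin branch later in this file interpolates the value into a `writeShellScriptBin` string; interpolating a path literal copies the file into the world-readable Nix store, which is precisely what the description promises to avoid. Consider `lib.types.str` here, or `toString` at the use sites, and say in the description that on Darwin the file is read by a shell wrapper rather than by systemd, so only the subset of `systemd.exec(5)` syntax that is also valid shell is portable. A sentence such as `On Darwin the file is sourced by a shell wrapper; keep it to simple KEY=VALUE assignments that are valid in both formats.` would set expectations. The `web` options attrset this option is added to continues outside the hunk.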
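Review bot: The Darwin wrapper runs plain `source ${webCfg.environmentFile}`, so a `KEY=VALUE` line only creates an unexported shell variable, and the opencode command started on the following line does not receive `OPENCODE_SERVER_PASSWORD` at all; `set -a` around the `source` (or explicit `export`) is required for the values to reach the process. The command is also run as a child of the wrapper rather than `exec`'d, so launchd supervises the wrapper shell instead of opencode itself, which can matter for the `KeepAlive` settings just below. Interpolating `webCfg.environmentFile` into the script copies a path-literal value into the Nix store; `toString` avoids that, and quoting the path keeps the wrapper correct for paths containing spaces. The `config` attrset continues past the end of the hunk.
```nix
opencodeLaunchdWrapper = pkgs.writeShellScriptBin "opencode-launchd-wrapper" ''
  set -a
  source "${toString webCfg.environmentFile}"
  set +a
  exec ${lib.escapeShellArgs programArguments}
'';
# … unchanged: programArguments and the if/else choosing the wrapper …
```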
@@ -25,4 +25,5 @@ opencode-mcp-integration = ./mcp-integration.nix; opencode-mcp-integration-with-override = ./mcp-integration-with-override.nix; opencode-web-service = ./web-service.nix; + opencode-web-service-environment-file = ./web-service-environment-file.nix; } diff --git a/tests/modules/programs/opencode/web-service-environment-file.nix b/tests/modules/programs/opencode/web-service-environment-file.nix new file mode 100644 index 00000000..8861ad86 --- /dev/null +++ b/tests/modules/programs/opencode/web-service-environment-file.nix @@ -0,0 +1,29 @@ +{ + pkgs, + ... +}: +{ + programs.opencode = { + enable = true; + + web = { + enable = true; + environmentFile = "/run/secrets/opencode"; + }; + }; + + nmt.script = + if pkgs.stdenv.hostPlatform.isDarwin then + '' + serviceFile=LaunchAgents/org.nix-community.home.opencode-web.plist + assertFileExists "$serviceFile" + serviceFileNormalized="$(normalizeStorePaths "$serviceFile")" + assertFileContent "$serviceFileNormalized" ${./web-service-environment-file.plist} + '' + else + '' + serviceFile=home-files/.config/systemd/user/opencode-web.service + assertFileExists "$serviceFile" + assertFileContent "$serviceFile" ${./web-service-environment-file.service} + ''; +} diff --git a/tests/modules/programs/opencode/web-service-environment-file.plist b/tests/modules/programs/opencode/web-service-environment-file.plist new file mode 100644 index 00000000..7c91f87a --- /dev/null +++ b/tests/modules/programs/opencode/web-service-environment-file.plist @@ -0,0 +1,25 @@ + + + + + KeepAlive + + Crashed + + SuccessfulExit + + + Label + org.nix-community.home.opencode-web + ProcessType + Background + ProgramArguments + + /bin/sh + -c + /bin/wait4path /nix/store && exec /nix/store/00000000000000000000000000000000-opencode-launchd-wrapper/bin/opencode-launchd-wrapper + + RunAtLoad + + + \ No newline at end of file 
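Review bot: The new test only pins the generated unit and plist and never inspects the `opencode-launchd-wrapper` script that the Darwin plist points at, so a regression in how the environment file is sourced (for example the variables not being exported to the child process) would pass unnoticed; consider additionally asserting the wrapper's content against a fixture, or at least an `assertFileRegex` on the store path for the export step. It also exercises only a string value for `environmentFile`; a Nix path literal goes through different interpolation rules in the module and is not covered by either branch.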
diff --git a/tests/modules/programs/opencode/web-service-environment-file.service b/tests/modules/programs/opencode/web-service-environment-file.service
new file mode 100644
index 00000000..be88d6a4
--- /dev/null
+++ b/tests/modules/programs/opencode/web-service-environment-file.service
@@ -0,0 +1,12 @@
+[Install]
+WantedBy=default.target
+
+[Service]
+EnvironmentFile=/run/secrets/opencode
+ExecStart=@opencode@/bin/opencode serve
+Restart=always
+RestartSec=5
+
+[Unit]
+After=network.target
+Description=OpenCode Web Service