It's broad, yes, but systemd also probably thought of that thing you want to do.
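# Long-running "backend" service. The agenix-managed secret reaches the process
# through systemd's credential mechanism rather than through the environment or
# a file the service user must be able to open itself.
systemd.services.backend = {
  wantedBy = [ "multi-user.target" ];
  after = [ "network.target" ];
  serviceConfig = {
    # Entry format is "<credential name>:<absolute source path>". The agenix
    # path must be interpolated: left as the plain text
    # "config.age.secrets.backend.path" it is not an absolute path, and systemd
    # would not read the decrypted secret from it.
    LoadCredential = [
      "credentials.json:${config.age.secrets.backend.path}"
    ];
    # ${pkg.backend} is expanded by Nix to the package's store path, giving
    # ExecStart the absolute executable path systemd requires. ''${...} is the
    # indented-string escape: Nix emits a literal ${CREDENTIALS_DIRECTORY},
    # which is resolved when the unit starts.
    ExecStart = ''
      ${pkg.backend}/bin/server \
        --creds ''${CREDENTIALS_DIRECTORY}/credentials.json
    '';
    # Restart on any exit, waiting 5 seconds between attempts.
    Restart = "always";
    RestartSec = 5;
    # No static account: systemd allocates a transient user/group for the
    # service. The source secret does not need to be readable by that user,
    # because the service manager places the credential in the service's
    # credential directory on its behalf.
    DynamicUser = true;
  };
};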
Of note: