diff --git a/nixos_module.nix b/nixos_module.nix
index d4e2d5b..4d9dc74 100644
--- a/nixos_module.nix
+++ b/nixos_module.nix
@@ -154,12 +154,21 @@ in
 };
 };
- config = {
+ config = let
+ configPath = writeTOML "idcoop_config.toml" cfg.settings;
+ in {
 users.users.idcoop = mkIf (cfg.enable && cfg.user == defaultUser) {
 isSystemUser = true;
 group = cfg.group;
 home = mkDefault "/var/lib/idcoop";
 createHome = true;
+
+ packages = [
+ # Add a wrapper for the idcoop command so the user can use the CLI conveniently
+ (pkgs.writeShellScriptBin "idcoop" ''
+ IDCOOP_CONFIG=${pkgs.lib.escapeShellArg configPath} IDCOOP_SECRETS=${pkgs.lib.escapeShellArg cfg.secretsPath} exec ${idcoop}/bin/idcoop "$@"
+ '')
+ ];
 };
 users.groups.idcoop = mkIf (cfg.enable && cfg.group == defaultUser) {};
@@ -169,11 +178,8 @@ in
 after = [ "networking.target" "network-online.target" "postgresql.service" ];
 serviceConfig =
- let
- configPath = writeTOML "idcoop_config.toml" cfg.settings;
- in
 {
- ExecStart = "${idcoop}/bin/idcoop --config ${configPath} --secrets ${cfg.secretsPath} serve";
+ ExecStart = "${idcoop}/bin/idcoop --config ${pkgs.lib.escapeShellArg configPath} --secrets ${pkgs.lib.escapeShellArg cfg.secretsPath} serve";
 User = cfg.user;
 Group = cfg.group;
 };
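Review bot: The new `packages` entry sits inside `users.users.idcoop`, which is guarded by `mkIf (cfg.enable && cfg.user == defaultUser)`, so a deployment that sets a custom `cfg.user` gets no CLI wrapper at all. If that is intended, a comment above `packages` such as `# Only installed for the default service account; with a custom cfg.user, set IDCOOP_CONFIG/IDCOOP_SECRETS by hand` would make the limitation explicit. The wrapper also hands the paths over through `IDCOOP_CONFIG` and `IDCOOP_SECRETS` while the unit's `ExecStart` uses `--config`/`--secrets`; whether the binary reads those variables is not visible in this diff, so confirm it or use the flags in both places. Keeping the wrapper in the service account's profile rather than system-wide looks like a sensible least-privilege choice, presumably because only that account can read `cfg.secretsPath`. The `config` attribute set continues past the end of this hunk.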
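Review bot: `pkgs.lib.escapeShellArg` quotes for a POSIX shell, but `ExecStart` is parsed by systemd, which applies its own quoting rules and still expands `%` specifiers and `$VAR` references, so a `cfg.secretsPath` containing those characters would not reach the binary verbatim. NixOS ships `utils.escapeSystemdExecArgs` for this case: `ExecStart = utils.escapeSystemdExecArgs [ "${idcoop}/bin/idcoop" "--config" "${configPath}" "--secrets" (toString cfg.secretsPath) "serve" ];`. This assumes `utils` is added to the module arguments, which are outside this hunk. The `toString` keeps a path-typed value from being copied into the world-readable Nix store, should the option be declared with a path type; its declaration is not visible here. The service definition begins before this hunk.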