diff --git a/hosts/carbon/ppp.nix b/hosts/carbon/ppp.nix
index 82cec5f..7c09f21 100644
--- a/hosts/carbon/ppp.nix
+++ b/hosts/carbon/ppp.nix
@@ -26,25 +26,30 @@
 environment.etc."ppp/peers/dtagdsl".enable = false;
- systemd.services."pppd-dtagdsl".serviceConfig = {
+ systemd.services."pppd-dtagdsl".serviceConfig = let
+ preStart = ''
+ mkdir -p /etc/ppp/peers
+
+ # Created files only readable by root
+ umask u=rw,g=,o=
+
+ # Copy config and substitute username
+ rm -f /etc/ppp/peers/dtagdsl
+ ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+
+ # Copy login secrets
+ rm -f /etc/ppp/pap-secrets
+ cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+ rm -f /etc/ppp/chap-secrets
+ cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+ '';
+
+ preStartFile = utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" preStart;
+ in {
 EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
 ExecStartPre = [
- "+${utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" ''
- mkdir -p /etc/ppp/peers
-
- # Created files only readable by root
- umask u=rw,g=,o=
-
- # Copy config and substitute username
- rm -f /etc/ppp/peers/dtagdsl
- ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
-
- # Copy login secrets
- rm -f /etc/ppp/pap-secrets
- cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
- rm -f /etc/ppp/chap-secrets
- cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
- ''}"
+ # "+" marks script to be executed without priviledge restrictions
+ "+${preStartFile}"
 ];
 };
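Review bot: The new comment above `"+${preStartFile}"` misspells "privilege" and understates what the prefix actually grants: systemd runs a `+`-prefixed ExecStartPre line with full root privileges, ignoring `User=`/`Group=` and the unit's capability and sandboxing directives, which is exactly why this step is able to write into /etc/ppp. I would replace it with `# "+": run with full root privileges (User=/Group=/sandboxing ignored) so the script can write root-only files under /etc/ppp`. Separately, the copied pap-secrets/chap-secrets are left on disk after the unit stops; if pppd does not need them across restarts, a matching `+`-prefixed `ExecStopPost` that removes them would limit the plaintext exposure — worth confirming against how the rest of this unit is configured, since that is outside the hunk.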