Better way to get secrets into systemd units?

The first service could well be something like agenix, by the way - it doesn’t have to be something created specifically for the latter.