Overridden value is still required for evaluation?

So i have been trying to set up freshrss (module) without the services.freshrss.passwordFile option, because i don’t want my password sitting around in git.
I have tried this:

  systemd.services.freshrss-config.script = let
    cfg = config.services.freshrss;
    settingsFlags =
      builtins.concatStringsSep " \\\n    "
      (lib.attrsets.mapAttrsToList (k: v: "${k} ${toString v}") {
        "--default_user" = ''"${cfg.defaultUser}"'';
        "--auth_type" = ''"form"'';
        "--base_url" = ''"${cfg.baseUrl}"'';
        "--language" = ''"${cfg.language}"'';
        "--db-type" = ''"${cfg.database.type}"'';
        # The following attributes are optional depending on the type of
        # database.  Those that evaluate to null on the left hand side
        # will be omitted.
          if cfg.database.name != null
          then "--db-base"
          else null
        } = ''"${cfg.database.name}"'';
          if cfg.database.passFile != null
          then "--db-password"
          else null
        } = ''"$(cat ${cfg.database.passFile})"'';
          if cfg.database.user != null
          then "--db-user"
          else null
        } = ''"${cfg.database.user}"'';
          if cfg.database.tableprefix != null
          then "--db-prefix"
          else null
        } = ''"${cfg.database.tableprefix}"'';
          if cfg.database.host != null && cfg.database.port != null
          then "--db-host"
          else null
        } = ''"${cfg.database.host}:${toString cfg.database.port}"'';
    lib.mkForce ''
      # do installation or reconfigure
      if test -f ${cfg.dataDir}/config.php; then
      # reconfigure with settings
      ./cli/reconfigure.php ${settingsFlags}
      # check correct folders in data folder
      # install with settings
      ./cli/do-install.php ${settingsFlags}

while most of this is just copied from nixpkgs, i removed these two lines from the string

  ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
  ./cli/create-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"

according to github these are the only 2 usages of passwordFile apart from the option declaration, but nix still errors with:

error: The option `services.freshrss.passwordFile' is used but not defined.

--show-trace doesn’t yield anything useful either.

Is this behaviour expected? Are overridden options still evaluated?
If not, what could cause this, and what can i do to find other usages of passwordFile?

Yes, everything being assigned to a variable needs to be more or less valid nix code. mkForce then helps the module system to decide which of the two values it is going to use.

oh…, so is there any way to do this except copying the whole freshrss module and removing these two lines?

set the option to some dummy value.

I am not sure but the option should also take absolute string paths which are only available on the target machine.

i set the option to /dev/random and it worked,
i also confirmed, that the resulting systemd service indeed is overridden.

But using an absolute path and storing the password elsewhere is actually a good alternative.

At first, I thought it would be a security flaw to store the password in plain text, but since anyone with access to the server can change the password anyway (by using freshrss internal php scripts like the systemd service), this doesn’t really matter.