diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix
index 47364ecb846..12ff89fe849 100644
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@@ -5,14 +5,16 @@ with lib;
 let
   cfg = config.services.knot;
 
-  configFile = pkgs.writeText "knot.conf" cfg.extraConfig;
-  socketFile = "/run/knot/knot.sock";
+  configFile = pkgs.writeTextFile {
+    name = "knot.conf";
+    text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
+           cfg.extraConfig;
+    checkPhase = lib.optionalString (cfg.keyFiles == []) ''
+      ${cfg.package}/bin/knotc --config=$out conf-check
+    '';
+  };
 
-  knotConfCheck = file: pkgs.runCommand "knot-config-checked"
-    { buildInputs = [ cfg.package ]; } ''
-    ln -s ${configFile} $out
-    knotc --config=${configFile} conf-check
-  '';
+  socketFile = "/run/knot/knot.sock";
 
   knot-cli-wrappers = pkgs.stdenv.mkDerivation {
     name = "knot-cli-wrappers";
@@ -45,6 +47,19 @@ in {
         '';
       };
 
+      keyFiles = mkOption {
+        type = types.listOf types.path;
+        default = [];
+        description = ''
+          A list of files containing additional configuration
+          to be included using the include directive. This option
+          allows to include configuration like TSIG keys without
+          exposing them to the nix store readable to any process.
+          Note that using this option will also disable configuration
+          checks at build time.
+        '';
+      };
+
       extraConfig = mkOption {
         type = types.lines;
         default = "";
@@ -65,6 +80,13 @@ in {
   };
 
   config = mkIf config.services.knot.enable {
+    users.users.knot = {
+      isSystemUser = true;
+      group = "knot";
+      description = "Knot daemon user";
+    };
+
+    users.groups.knot.gid = null;
     systemd.services.knot = {
       unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
       description = cfg.package.meta.description;
@@ -74,12 +96,12 @@ in {
 
       serviceConfig = {
         Type = "notify";
-        ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
+        ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
         ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
         CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
         AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
         NoNewPrivileges = true;
-        DynamicUser = "yes";
+        User = "knot";
         RuntimeDirectory = "knot";
         StateDirectory = "knot";
         StateDirectoryMode = "0700";
diff --git a/nixos/tests/knot.nix b/nixos/tests/knot.nix
index 0588cf86ac0..8bab917a351 100644
--- a/nixos/tests/knot.nix
+++ b/nixos/tests/knot.nix
@@ -28,6 +28,13 @@ let
     name = "knot-zones";
     paths = [ exampleZone delegatedZone ];
   };
+  # DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
+  tsigFile = pkgs.writeText "tsig.conf" ''
+    key:
+      - id: slave_key
+        algorithm: hmac-sha256
+        secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
+  '';
 in {
   name = "knot";
   meta = with pkgs.stdenv.lib.maintainers; {
@@ -48,6 +55,7 @@ in {
       };
       services.knot.enable = true;
       services.knot.extraArgs = [ "-v" ];
+      services.knot.keyFiles = [ tsigFile ];
       services.knot.extraConfig = ''
         server:
             listen: 0.0.0.0@53
@@ -56,6 +64,7 @@ in {
         acl:
           - id: slave_acl
             address: 192.168.0.2
+            key: slave_key
             action: transfer
 
         remote:
@@ -103,6 +112,7 @@ in {
         ];
       };
       services.knot.enable = true;
+      services.knot.keyFiles = [ tsigFile ];
       services.knot.extraArgs = [ "-v" ];
       services.knot.extraConfig = ''
         server:
@@ -117,6 +127,7 @@ in {
         remote:
           - id: master
             address: 192.168.0.1@53
+            key: slave_key
 
         template:
           - id: default
@@ -155,10 +166,10 @@ in {
         ];
       };
       environment.systemPackages = [ pkgs.knot-dns ];
-    };    
+    };
   };
 
-  testScript = { nodes, ... }: let 
+  testScript = { nodes, ... }: let
     master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;
     master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;
 
diff --git a/pkgs/servers/dns/knot-dns/default.nix b/pkgs/servers/dns/knot-dns/default.nix
index c3d63a54ac0..234a3957450 100644
--- a/pkgs/servers/dns/knot-dns/default.nix
+++ b/pkgs/servers/dns/knot-dns/default.nix
@@ -1,5 +1,6 @@
 { stdenv, fetchurl, pkgconfig, gnutls, liburcu, lmdb, libcap_ng, libidn2, libunistring
 , systemd, nettle, libedit, zlib, libiconv, libintl
+, autoreconfHook
 }:
 
 let inherit (stdenv.lib) optional optionals; in
@@ -16,7 +17,19 @@ stdenv.mkDerivation rec {
 
   outputs = [ "bin" "out" "dev" ];
 
-  nativeBuildInputs = [ pkgconfig ];
+  configureFlags = [
+    "--with-configdir=/etc/knot"
+    "--with-rundir=/run/knot"
+    "--with-storage=/var/lib/knot"
+  ];
+
+  patches = [
+    # Don't try to create directories like /var/lib/knot at build time.
+    # They are later created from NixOS itself.
+    ./dont-create-run-time-dirs.patch
+  ];
+
+  nativeBuildInputs = [ pkgconfig autoreconfHook ];
   buildInputs = [
     gnutls liburcu libidn2 libunistring
     nettle libedit
@@ -33,7 +46,9 @@ stdenv.mkDerivation rec {
   doCheck = true;
   doInstallCheck = false; # needs pykeymgr?
 
-  postInstall = ''rm -r "$out"/var "$out"/lib/*.la'';
+  postInstall = ''
+    rm -r "$out"/lib/*.la
+  '';
 
   meta = with stdenv.lib; {
     description = "Authoritative-only DNS server from .cz domain registry";
diff --git a/pkgs/servers/dns/knot-dns/dont-create-run-time-dirs.patch b/pkgs/servers/dns/knot-dns/dont-create-run-time-dirs.patch
new file mode 100644
index 00000000000..9fe165e7681
--- /dev/null
+++ b/pkgs/servers/dns/knot-dns/dont-create-run-time-dirs.patch
@@ -0,0 +1,32 @@
+diff --git a/samples/Makefile.am b/samples/Makefile.am
+index c253c91..107401d 100644
+--- a/samples/Makefile.am
++++ b/samples/Makefile.am
+@@ -19,11 +19,6 @@ EXTRA_DIST = knot.sample.conf.in example.com.zone
+ 
+ if HAVE_DAEMON
+ 
+-install-data-local: knot.sample.conf
+-	if [ \! -f $(DESTDIR)/$(config_dir)/knot.sample.conf ]; then \
+-	  $(INSTALL) -d $(DESTDIR)/$(config_dir); \
+-	  $(INSTALL_DATA) knot.sample.conf $(srcdir)/example.com.zone $(DESTDIR)/$(config_dir); \
+-	fi
+ uninstall-local:
+ 	-rm -rf $(DESTDIR)/$(config_dir)/knot.sample.conf \
+ 	        $(DESTDIR)/$(config_dir)/example.com.zone
+diff --git a/src/utils/Makefile.inc b/src/utils/Makefile.inc
+index e6765d9..d859d23 100644
+--- a/src/utils/Makefile.inc
++++ b/src/utils/Makefile.inc
+@@ -79,11 +79,6 @@ endif HAVE_DNSTAP
+ endif HAVE_UTILS
+ 
+ if HAVE_DAEMON
+-# Create storage and run-time directories
+-install-data-hook:
+-	$(INSTALL) -d $(DESTDIR)/@config_dir@
+-	$(INSTALL) -d $(DESTDIR)/@run_dir@
+-	$(INSTALL) -d $(DESTDIR)/@storage_dir@
+ 
+ sbin_PROGRAMS = knotc knotd
+