diff --git a/secrets/mysql_root_password b/secrets/mysql_root_password
new file mode 100644
index 0000000..b1873c6
--- /dev/null
+++ b/secrets/mysql_root_password
@@ -0,0 +1 @@
+wiochohv8foR9eDo5ol5
diff --git a/services/mysql.hcl b/services/mysql.hcl
index 9864b88..fbff15f 100644
--- a/services/mysql.hcl
+++ b/services/mysql.hcl
@@ -14,13 +14,16 @@ job "mysql" {
       driver = "docker"
 
       config {
-        image = "mysql:8.1"
+        image = "mysql:8.2"
         ports = ["db"]
-        volumes = [ "/data/compute/appdata/mysql:/var/lib/mysql" ]
+        volumes = [
+          "/data/compute/appdata/mysql:/var/lib/mysql",
+          "/data/compute/db-backups/mysql:/backup",
+        ]
       }
 
       env {
-        MYSQL_ROOT_PASSWORD = "${var.mysql_root_password}"
+        MYSQL_ROOT_PASSWORD = "{{ with nomadVar \"nomad/jobs/mysql\" }}{{ .root_password }}{{ end }}"
       }
 
       service {
@@ -61,8 +64,3 @@ job "mysql" {
     }
   }
 }
-
-variable "mysql_root_password" {
-  type = string
-  default = "wiochohv8foR9eDo5ol5"
-}
diff --git a/stateful-commands.txt b/stateful-commands.txt
index 1c030cb..85094a1 100644
--- a/stateful-commands.txt
+++ b/stateful-commands.txt
@@ -22,3 +22,6 @@ glusterfs tweaking for wordpress performance:
   * gluster volume set compute server.event-threads 8
   * gluster volume set compute cluster.readdir-optimize on
   * gluster volume set compute server.outstanding-rpc-limit 256
+
+mysql credentials
+  * ./utils/file_to_nomad_var.sh secrets/mysql_root_password jobs/mysql root_password
diff --git a/utils/file_to_nomad_var.sh b/utils/file_to_nomad_var.sh
new file mode 100755
index 0000000..dbf8b1f
--- /dev/null
+++ b/utils/file_to_nomad_var.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# 
+# Loads file contents into a nomad variable.
+# 
+# Usage: file_to_nomad_var.sh <filename> <variablename> <var_key>
+# 
+# filename can be - for stdin.
+# 
+# read the var back out with:
+#  - nomad var get <variablename>
+#
+# From https://github.com/gerrowadat/nomad-homelab/blob/main/utilities/file_to_nomad_var.sh
+
+function print_usage() {
+  echo "Usage: ${0} <file or -> <nomad var> <var key>"
+}
+
+filename=$1
+nomad_var=$2
+var_key=$3
+
+if [ "${filename}" !=  "-" ];
+then
+  if [ ! -f "${filename}" ]
+  then
+    echo "${filename} does not exist"
+    exit
+  fi
+fi
+
+var_contents=$(cat ${filename})
+
+if [[ "${nomad_var}" == "" || "${var_key}" == "" ]];
+then
+  print_usage
+  exit
+fi
+
+echo "Copying ${filename} to ${nomad_var}:${var_key}..."
+
+nomad var put -force -in hcl - <<EOF
+path = "${nomad_var}"
+
+items {
+    ${var_key} = <<OMGUNIQUETOKEN
+${var_contents}
+OMGUNIQUETOKEN
+}
+EOF
+