diff --git a/salt/mysql/etc/mypass b/salt/mysql/etc/mypass
index f5f781c10..b38bf75ec 100644
--- a/salt/mysql/etc/mypass
+++ b/salt/mysql/etc/mypass
@@ -1,2 +1 @@
-{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
 {{ MYSQLPASS }}
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index d958f55de..750ae1c5e 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -45,14 +45,24 @@ mysqlpiddir:
     - group: 939
     - makedirs: True
 
-mysqletc:
-  file.recurse:
-    - name: /opt/so/conf/mysql/etc
-    - source: salt://mysql/etc
+mysqlcnf:
+  file.managed:
+    - name: /opt/so/conf/mysql/etc/my.cnf
+    - source: salt://mysql/etc/my.cnf
+    - user: 939
+    - group: 939
+    - file_mode: 640
+
+mysqlpass:
+  file.managed:
+    - name: /opt/so/conf/mysql/etc/mypass
+    - source: salt://mysql/etc/mypass
     - user: 939
     - group: 939
     - template: jinja
     - file_mode: 640
+    - defaults:
+        MYSQLPASS: {{ MYSQLPASS }}
 
 mysqllogdir:
   file.directory:
@@ -89,13 +99,15 @@ so-mysql:
       - MYSQL_ROOT_HOST={{ MAINIP }}
       - MYSQL_ROOT_PASSWORD=/etc/mypass
     - binds:
-      - /opt/so/conf/mysql/etc/:/etc/:ro
+      - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro
+      - /opt/so/conf/mysql/etc/mypass:/etc/mypass
       - /nsm/mysql:/var/lib/mysql:rw
       - /opt/so/log/mysql:/var/log/mysql:rw
     - watch:
       - /opt/so/conf/mysql/etc
     - require:
-      - file: mysqletc
+      - file: mysqlcnf
+      - file: mysqlpass
   cmd.run:
     - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
     - timeout: 600