diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 7fcc697..99fce58 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -51,6 +51,8 @@ jobs:
 --restart unless-stopped \
 -p 3000:3000 \
 -e SERVER_PORT=3000 \
+ -e SERVER_MASTER_KEY="${{ secrets.SERVER_MASTER_KEY }}" \
+ -e SECRETS_FILE_PATH="/app/data/secrets.json" \
 -v /opt/bootstrap-auth-server/data:/app/data \
 -e DATABASE_URL="sqlite:///app/data/data.db?mode=rwc" \
 bootstrap-auth-server:latest
diff --git a/src/main.rs b/src/main.rs
index 9fb40b7..f65d0d9 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -82,10 +82,11 @@ async fn main() {
 tracing::info!("Migrations successful.");
- if let Ok(file_content) = std::fs::read_to_string("secrets.json") {
- tracing::info!("Found secrets.json, provisioning");
+ let secrets_path = std::env::var("SECRETS_FILE_PATH").unwrap_or_else(|_| "secrets.json".to_string());
+ if let Ok(file_content) = std::fs::read_to_string(&secrets_path) {
+ tracing::info!("Found secrets file at {}, provisioning", secrets_path);
 let secrets: HashMap =
- serde_json::from_str(&file_content).expect("Invalid secrets.json format");
+ serde_json::from_str(&file_content).expect("Invalid secrets json format");
 for (key, value) in secrets {
 let encrypted_val = encrypt_secret(&master_key, &value);
@@ -99,9 +100,10 @@ async fn main() {
 .expect("Failed to insert secret");
 }
- std::fs::rename("secrets.json", "secrets.json.bak")
- .expect("Failed to rename secrets.json");
- tracing::info!("Provisioned secrets and renamed to secrets.json.bak");
+ let bak_path = format!("{}.bak", secrets_path);
+ std::fs::rename(&secrets_path, &bak_path)
+ .expect("Failed to rename secrets file");
+ tracing::info!("Provisioned secrets and renamed to {}", bak_path);
 }
 let state = AppState {
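Review bot: `SECRETS_FILE_PATH="/app/data/secrets.json"` points into the `/opt/bootstrap-auth-server/data` bind mount, so once provisioning has encrypted the values into the database the plaintext file survives on the host as `/opt/bootstrap-auth-server/data/secrets.json.bak` for as long as the volume exists; the second src/main.rs hunk, which does the rename, is where this lands, and the same point applies there. If the backup is not needed, `std::fs::remove_file(&secrets_path).expect("Failed to remove secrets file");` after the inserts would leave only the encrypted rows, and if it is needed, the retention should be documented and the file's permissions tightened. Separately, `-e SERVER_MASTER_KEY=...` puts the master key into the container environment, where `docker inspect` exposes it to anyone with access to the Docker socket and every child process inherits it; an `--env-file` with restrictive permissions or a mounted secret keeps it out of the container metadata. The `docker run` invocation begins before this hunk.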
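Review bot: The panic message on the new `expect("Invalid secrets json format")` line no longer says which file failed to parse, even though the path is now configurable and the log line just above prints it; `.unwrap_or_else(|e| panic!("Invalid secrets file format at {}: {}", secrets_path, e))` keeps both the path and the serde error in the failure output. Note also that `std::env::var` returns `Err` both when the variable is unset and when its value is not valid UTF-8, so the `unwrap_or_else(|_| ...)` fallback silently reverts to `secrets.json` in the second case; `std::env::var_os` distinguishes them if that matters for this deployment. The `let secrets_path` line also exceeds rustfmt's 100-column default and would be wrapped by `cargo fmt`. The enclosing `main` starts and ends outside this hunk.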