Secrets like SECRET_KEY_BASE and BASIC_AUTH_PASSWORD should be passed to the service without adding them to the world-readable Nix store. Note that either this file needs to be available on the host on which pinchflat is running, or the option selfhosted must be true. Further, SECRET_KEY_BASE has a minimum length requirement of 64 bytes. One way to generate such a secret is to use openssl rand -hex 64. As an example, the contents of the file might look like this: SECRET_KEY_BASE=...copy-paste a secret token here... BASIC_AUTH_USERNAME=...basic auth username... BASIC_AUTH_PASSWORD=...basic auth password...

null

"/run/secrets/pinchflat"