diff --git a/machines/uninsane/services/pleroma.nix b/machines/uninsane/services/pleroma.nix
index c12a9169..5101c0f5 100644
--- a/machines/uninsane/services/pleroma.nix
+++ b/machines/uninsane/services/pleroma.nix
@@ -1,20 +1,21 @@
 # docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
 #
 # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, secrets, ... }:
 
 {
   services.pleroma.enable = true;
-  # XXX colin: this isn't checked into git, so make sure to create it first:
-  services.pleroma.secretConfigFile = "/etc/nixos/secrets/pleroma.secret.exs";
-  # services.pleroma.secretConfigFile = "/var/lib/pleroma/prod.secret.exs";
+  # TODO: we should write a config file somewhere outside the store... somehow.
+  services.pleroma.secretConfigFile = "/dev/null";
   services.pleroma.configs = [
     ''
     import Config
 
     config :pleroma, Pleroma.Web.Endpoint,
       url: [host: "fed.uninsane.org", scheme: "https", port: 443],
-      http: [ip: {127, 0, 0, 1}, port: 4000]
+      http: [ip: {127, 0, 0, 1}, port: 4000],
+      secret_key_base: "${secrets.pleroma.secret_key_base}",
+      signing_salt: "${secrets.pleroma.signing_salt}"
 
     config :pleroma, :instance,
       name: "Perfectly Sane",
@@ -45,6 +46,7 @@
     config :pleroma, Pleroma.Repo,
       adapter: Ecto.Adapters.Postgres,
       username: "pleroma",
+      password: "${secrets.pleroma.db_password}",
       database: "pleroma",
       hostname: "localhost",
       pool_size: 10,
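Review bot: Interpolating `secrets.pleroma.secret_key_base` and `signing_salt` into `services.pleroma.configs` moves those secrets into the Nix store: as far as I recall the nixpkgs pleroma module concatenates `configs` into a store-path config file, and store paths are world-readable on the host, which is exactly what the removed out-of-store `secretConfigFile` avoided (the new TODO line acknowledges the gap). The same exposure applies to `db_password` in the `@@ -45,6 +46,7 @@` hunk and to `vapid_private_key` and `joken_default_signer` in the `@@ -52,6 +54,14 @@` hunk. Until an out-of-store path exists, keep the secret-bearing keys in a root-owned file referenced by `secretConfigFile` instead of in `configs`, or at least state the trade-off next to the TODO, e.g. `# NOTE: every secrets.* value interpolated below ends up in the world-readable /nix/store`. A value containing `"`, `\` or `#{` would also break or be evaluated inside these Elixir string literals, since the Nix values are pasted in verbatim with no escaping; the `configs` heredoc continues past the end of this hunk.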
@@ -52,6 +54,14 @@
       parameters: [
         plan_cache_mode: "force_custom_plan"
       ]
+
+    # Configure web push notifications
+    config :web_push_encryption, :vapid_details,
+      subject: "mailto:notify.pleroma@uninsane.org",
+      public_key: "${secrets.pleroma.vapid_public_key}",
+      private_key: "${secrets.pleroma.vapid_private_key}"
+
+    config :joken, default_signer: "${secrets.pleroma.joken_default_signer}"
 
     config :pleroma, :database, rum_enabled: false
     config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
diff --git a/secrets.nix b/secrets.nix
index 0cbfd13d..d5435876 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,4 +11,12 @@
   # wg genkey > wg0.private
   # wg pubkey < wg0.private > wg0.public
   wireguard.privateKey = "";
+
+  # these would otherwise be found in 'pleroma.secret.exs'
+  pleroma.secret_key_base = "";
+  pleroma.signing_salt = "";
+  pleroma.db_password = "";
+  pleroma.vapid_public_key = "";
+  pleroma.vapid_private_key = "";
+  pleroma.joken_default_signer = "";
 }
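Review bot: The new `pleroma.*` entries in secrets.nix default to empty strings, so a deployment that forgets to fill them evaluates cleanly and hands Pleroma an empty `secret_key_base`, `signing_salt`, database password and joken signer; whether Pleroma or Phoenix rejects an empty value at boot I have not verified, and nothing in this diff checks it. The surrounding entries document how their values are produced (`wg genkey` above), so it would help to do the same here, e.g. `# copy each value from the pleroma.secret.exs produced by \`mix pleroma.instance gen\`; none may stay empty`, and to have the consuming module fail evaluation on an empty value (a `throw` or assertion) rather than emit it into the config. Note also that only `vapid_public_key` is non-sensitive; the other five are credentials and should be handled as such wherever this template is copied.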