diff --git a/files/app.ini b/files/app.ini
index ee88f61..aeaba57 100644
--- a/files/app.ini
+++ b/files/app.ini
@@ -35,7 +35,7 @@ APP_DATA_PATH = /var/lib/forgejo/data
 DISABLE_SSH = false
 SSH_PORT = 22
 LFS_START_SERVER = true
-LFS_JWT_SECRET =
+LFS_JWT_SECRET_URI = file:/etc/forgejo/secrets/lfs_jwt_secret
 OFFLINE_MODE = true
 LANDING_PAGE = /OpenNeo
@@ -80,8 +80,8 @@ DEFAULT_TRUST_MODEL = committer
 [security]
 INSTALL_LOCK = true
-INTERNAL_TOKEN =
+INTERNAL_TOKEN_URI = file:/etc/forgejo/secrets/internal_token
 PASSWORD_HASH_ALGO = pbkdf2_hi
 [oauth2]
-JWT_SECRET =
+JWT_SECRET_URI = file:/etc/forgejo/secrets/oauth2_jwt_secret
diff --git a/files/secrets/.gitignore b/files/secrets/.gitignore
new file mode 100644
index 0000000..fba7e80
--- /dev/null
+++ b/files/secrets/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+!README
\ No newline at end of file
diff --git a/files/secrets/README b/files/secrets/README
new file mode 100644
index 0000000..ddf7731
--- /dev/null
+++ b/files/secrets/README
@@ -0,0 +1,10 @@
+This folder should have three files:
+
+- internal_token
+- lfs_jwt_secret
+- oauth2_jwt_secret
+
+Each of these should contain a long securely-generated token, which will be
+copied to /etc/forgejo/secrets, and loaded by app.ini.
+
+These are secret information, so they're not committed to this public codebase!
diff --git a/setup-forgejo.yml b/setup-forgejo.yml
index 30e1aab..fe339ce 100644
--- a/setup-forgejo.yml
+++ b/setup-forgejo.yml
@@ -54,6 +54,17 @@
 notify:
 - Restart Forgejo
+ - name: Copy secrets directory to Forgejo's config directory
+ copy:
+ src: files/secrets
+ dest: /etc/forgejo
+ directory_mode: "750"
+ mode: "640"
+ owner: root
+ group: git
+ notify:
+ - Restart Forgejo
+
 - name: Install systemd service for Forgejo
 copy:
 src: files/forgejo.service
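Review bot: Replacing the empty `INTERNAL_TOKEN =` and `[oauth2] JWT_SECRET =` with file-backed `_URI` keys rotates both secrets on any instance that is already running, because Forgejo (as I understand it) fills empty values in at first start and writes them back into the deployed app.ini; a rotation of the OAuth2 JWT secret invalidates every token issued so far, and the same applies to `LFS_JWT_SECRET_URI` in the first hunk. That is presumably intended for a fresh install, but it deserves a comment above the keys so the next person does not rotate by accident, e.g. `; secrets are read from /etc/forgejo/secrets (deployed by setup-forgejo.yml); changing them invalidates issued tokens`. As far as I recall Forgejo also refuses to start when both the verbatim key and its `_URI` form are set, so it is worth confirming the deploy replaces the server's app.ini wholesale rather than leaving a generated `INTERNAL_TOKEN = …` line behind.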
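Review bot: The new copy task can leak the secret material into Ansible output: `copy` is diff-capable, so a run with `--diff` or `-vvv` prints the contents of files/secrets/* to the console and to whatever collects the logs, and the task does nothing to prevent it; add `no_log: true` (and `diff: false`) to the task. Nothing checks that the three files the README describes are actually present locally — with one missing, the copy still succeeds (only README and .gitignore land in /etc/forgejo/secrets, both of which are copied too, harmlessly) and Forgejo only fails later when app.ini resolves the `file:` URI, so an assert before the copy fails fast with a useful message. The mode/owner choice (`640`, root:git) looks right assuming the service runs as `git`, which is defined in forgejo.service outside this diff. The tasks list this hunk sits in starts before the hunk.

```yaml
    - name: Ensure the three secret files exist locally (see files/secrets/README)
      assert:
        that: "lookup('fileglob', 'files/secrets/' ~ item) | length > 0"
        fail_msg: "files/secrets/{{ item }} is missing"
      loop: [internal_token, lfs_jwt_secret, oauth2_jwt_secret]

    - name: Copy secrets directory to Forgejo's config directory
      # … unchanged: copy: src/dest/directory_mode/mode/owner/group …
      no_log: true
      diff: false
      notify:
        - Restart Forgejo
```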