diff --git a/.env.sample b/.env.sample index 50ff850..457c6f1 100644 --- a/.env.sample +++ b/.env.sample @@ -11,6 +11,7 @@ PEERTUBE_TRANSCODING_ENABLED=true PEERTUBE_CONTACT_FORM_ENABLED=false SECRET_DB_PASSWORD_VERSION=v1 +SECRET_PEERTUBE_SECRET_VERSION=v1 ## Webseed backend # diff --git a/README.md b/README.md index 32eb1b3..791a5e2 100644 --- a/README.md +++ b/README.md @@ -20,12 +20,13 @@ An ActivityPub-federated video streaming platform using P2P directly in your web 1. Set up Docker Swarm and [`abra`] 2. Deploy [`coop-cloud/traefik`] -3. `abra app new peertube --secrets` (optionally with `--pass` if you'd like - to save secrets in `pass`) -4. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to +3. `abra app new peertube` +4. `abra app cmd -l YOURAPPDOMAIN generate_secret` +5. `abra app secret generate YOURAPPDOMAIN -a` +6. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to your Docker swarm box -5. `abra app deploy YOURAPPDOMAIN` -6. Open the configured domain in your browser to finish set-up +7. `abra app deploy YOURAPPDOMAIN` +8. Open the configured domain in your browser to finish set-up ## Host-mode networking diff --git a/abra.sh b/abra.sh index ec7317c..9a7b108 100644 --- a/abra.sh +++ b/abra.sh @@ -1,8 +1,12 @@ # shellcheck disable=SC2034,SC2145 export NGINX_CONFIG_VERSION=v4 -export APP_ENTRYPOINT_VERSION=v6 -export DB_ENTRYPOINT_VERSION=v2 +export APP_ENTRYPOINT_VERSION=v7 +export DB_ENTRYPOINT_VERSION=v1 + +generate_secret() { + abra app secret insert "$APP_NAME" peertube_secret v1 "$(openssl rand -hex 32)" --chaos +} sub_npm() { abra__service_="app" diff --git a/compose.yml b/compose.yml index 23fc14a..82aa66b 100644 --- a/compose.yml +++ b/compose.yml 
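Review bot: `generate_secret` in abra.sh passes the freshly generated value to `abra app secret insert` as a command-line argument, so it is readable in the process list (and in any `set -x` trace) on the machine running abra; if `openssl` is missing or fails, the substitution yields an empty string that is still passed on. Generating into a variable and stopping on failure, e.g. `secret="$(openssl rand -hex 32)" || return 1`, closes the second gap, and a file- or stdin-based input mode would close the first if abra offers one. The version is hard-coded as `v1` while `.env.sample` introduces `SECRET_PEERTUBE_SECRET_VERSION`, so bumping that variable to rotate the secret would leave this helper inserting under the old name; consider reading the variable if it is in scope when abra runs the function. Separately, `DB_ENTRYPOINT_VERSION` goes from `v2` back to `v1` in the same hunk, which looks unintended given that Swarm configs are immutable per name, so it is worth confirming.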
@@ -54,6 +54,7 @@ services: - PEERTUBE_DB_HOSTNAME=db - PEERTUBE_DB_PORT=5432 - PEERTUBE_DB_USERNAME=peertube + - PEERTUBE_DB_PASSWORD_FILE=/run/secrets/db_password - PEERTUBE_LIVE_CHAT_ENABLED - PEERTUBE_LOG_PING_REQUESTS - PEERTUBE_REDIS_HOSTNAME=cache @@ -64,12 +65,14 @@ services: - PEERTUBE_WEBSERVER_HOSTNAME=${DOMAIN} - PEERTUBE_WEBSERVER_HTTPS - PEERTUBE_WEBSERVER_PORT + - PEERTUBE_SECRET_FILE=/run/secrets/peertube_secret volumes: - app-data:/data - app-config:/config - app-assets:/srv/client/dist secrets: - db_password + - peertube_secret configs: - source: app_entrypoint target: /docker-entrypoint.sh @@ -153,3 +156,6 @@ secrets: db_password: external: true name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} + peertube_secret: + external: true + name: ${STACK_NAME}_peertube_secret_${SECRET_PEERTUBE_SECRET_VERSION} diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl index bc06aad..e180c71 100644 --- a/entrypoint.sh.tmpl +++ b/entrypoint.sh.tmpl @@ -24,7 +24,8 @@ file_env() { unset "$fileVar" } -export PEERTUBE_DB_PASSWORD=$(cat /run/secrets/db_password) +file_env "PEERTUBE_DB_PASSWORD" +file_env "PEERTUBE_SECRET" {{ if eq (env "PEERTUBE_SMTP_ENABLED") "1" }} file_env "PEERTUBE_SMTP_PASSWORD"
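Review bot: `peertube_secret` is declared `external: true` in the last compose.yml hunk, so a stack deploy will fail on an existing installation until a secret with that exact versioned name has been created, and the README change in this commit only describes new installs. An upgrade note telling operators to run `generate_secret` and add `SECRET_PEERTUBE_SECRET_VERSION=v1` to their env file before redeploying would cover that case. In the second hunk the service lists both secrets in short form, which mounts them with Swarm's default file mode; if the application process runs as a fixed non-root user, the long form with `uid`, `gid` and `mode: 0400` would narrow who can read `/run/secrets/peertube_secret`. The `services:` block starts and continues outside these hunks, so the effective user should be checked there.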
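Review bot: After the two added `file_env` calls in entrypoint.sh.tmpl, nothing verifies that `PEERTUBE_DB_PASSWORD` and `PEERTUBE_SECRET` are non-empty, so a missing or empty secret file would presumably only surface later as an application error. The body of `file_env` starts outside this hunk, so its behaviour on a missing file should be confirmed. A fail-fast guard right after the calls, such as `: "${PEERTUBE_SECRET:?peertube_secret is empty or missing}"`, would make the misconfiguration obvious at container start. A one-line comment above the calls, e.g. `# load secrets from the *_FILE paths set in compose.yml`, would also tell the reader where the values come from now that the explicit `cat /run/secrets/db_password` is gone.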