Better secret handling

did:plc:6if5m2yo6kroprmmency3gt5 opened this 22d ago 0 comments

Currently, secrets are either hard-coded in the config file or passed as environment variables. However, many platforms give the option to expose managed secrets as read-only files (e.g. Docker Compose, Kubernetes, systemd).

My suggestion is that secret values would also have a configuration that allows specifying the file path from which to load the secret value. For example, the configuration file would have an option for jwt_secret_path in addition to jwt_secret. On startup, if the app detects that the jwt_secret_path value of a secret is defined, it would attempt to load the secret from the specified file and potentially fall back to the jwt_secret option.

Using secrets as files also allows supporting secret rotation without app restart. The server could reload the secret files (or even the whole config) when receiving a SIGHUP.

No activity yet.
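A sketch of the behaviour proposed in this issue, added here as an example and not taken from the cospan code base: a secret is read from `jwt_secret_path` when set, falls back to `jwt_secret` at startup, and is re-read on SIGHUP, keeping the previous value if a rotation read fails. The names `FileBackedSecret` and `install_sighup_reload` are hypothetical, and Python is an assumption because the page does not show the project's language.

```python
import signal


class FileBackedSecret:
    """Secret read from `<name>_path` when set, else from the inline `<name>` option."""

    def __init__(self, config, name):
        self._path = config.get(f"{name}_path")   # e.g. jwt_secret_path
        self._inline = config.get(name)           # e.g. jwt_secret (fallback)
        self._value = None
        self.reload(startup=True)

    def _read_file(self):
        with open(self._path, "rb") as f:
            value = f.read().rstrip(b"\r\n")      # mounted secret files often end in a newline
        if not value:
            raise ValueError("secret file is empty")
        return value

    def reload(self, startup=False):
        """Re-read the secret; return True if the active value changed."""
        try:
            new = self._read_file() if self._path else None
        except (OSError, ValueError):
            if not startup:
                return False                      # failed rotation: keep serving the old secret
            new = None                            # startup only: fall back to the inline option
        if new is None:
            if self._inline is None:
                raise RuntimeError("no usable secret configured")
            new = self._inline.encode()
        changed = new != self._value
        self._value = new                         # one reference swap: readers see old or new
        return changed

    def get(self):
        return self._value


def install_sighup_reload(*secrets):
    """Reload every given secret when the process receives SIGHUP (POSIX, main thread)."""
    def handler(signum, frame):
        for secret in secrets:
            secret.reload()
    signal.signal(signal.SIGHUP, handler)
```

Failing closed at startup when neither source yields a value, and never replacing a working secret with an unreadable or empty file on reload, keeps a half-written rotation from taking the service down or leaving it with an empty signing key.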

cospan · schematic version control on atproto built on AT Protocol