diff --git a/cluster/apps/invidious/invidious-config.yml b/cluster/apps/invidious/invidious-config.yml
new file mode 100644
index 0000000..8bad753
--- /dev/null
+++ b/cluster/apps/invidious/invidious-config.yml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: invidious-config
+  namespace: default
+data:
+  invidious.yml: |
+    db:
+      dbname: invidious
+      user: kemal
+      password: "${INVIDIOUS_DB_PASSWORD}"
+      host: invidious-db-service
+      port: 5432
+    check_tables: true
+    invidious_companion:
+    - private_url: "http://invidious-companion-service:8282"
+    invidious_companion_key: "${INVIDIOUS_COMPANION_KEY}"
+    hmac_key: "${INVIDIOUS_HMAC_KEY}"
diff --git a/cluster/apps/invidious/invidious-helper.yml b/cluster/apps/invidious/invidious-helper.yml
index 4c03a59..48c7501 100644
--- a/cluster/apps/invidious/invidious-helper.yml
+++ b/cluster/apps/invidious/invidious-helper.yml
@@ -52,7 +52,10 @@ spec:
         image: quay.io/invidious/invidious-companion@sha256:67d10d111642563675a11cfa9d2bafef1e0998b7f1fa34c1c1fef767e08990cc
         env:
         - name: SERVER_SECRET_KEY
-          value: "mtRhvm9wMCJhdnGP"
+          valueFrom:
+            secretKeyRef:
+              name: invidious-secrets
+              key: SERVER_SECRET_KEY
         ports:
         - containerPort: 8283
         securityContext:
diff --git a/cluster/apps/invidious/invidious.yml b/cluster/apps/invidious/invidious.yml
index eab026e..d921524 100644
--- a/cluster/apps/invidious/invidious.yml
+++ b/cluster/apps/invidious/invidious.yml
@@ -35,23 +35,32 @@ spec:
             echo "Waiting for database to be ready..."
             sleep 2
           done
+      - name: substitute-config
+        image: alpine
+        envFrom:
+        - secretRef:
+            name: invidious-secrets
+        command:
+        - sh
+        - -c
+        - apk add gettext && envsubst < /mnt/init/invidious.yml > /mnt/invidious.yml
+        volumeMounts:
+        - name: invidious-config
+          mountPath: /mnt/init/invidious.yml
+          subPath: invidious.yml
+        - name: tmp
+          mountPath: /mnt
+          subPath: invidious.yml
       containers:
       - name: invidious
-        image: quay.io/invidious/invidious@sha256:07b54eb82bd7b4d3cf9fe2f1a2cc7dfd18f6e14d23db185c2e34ffb8c21da093
+        image: quay.io/invidious/invidious@sha256:59f72f12bf73bb31b8e920ba3364f5e561d8036b0ca2e36758927e4265f6d74f
+        command:
+        - sh
+        - -c
+        - |
+          export INVIDIOUS_CONFIG="$(cat /mnt/invidious.yml)" &&
+          exec /invidious/invidious
         env:
-        - name: INVIDIOUS_CONFIG
-          value: |
-            db:
-              dbname: invidious
-              user: kemal
-              password: akshun@9501
-              host: invidious-db-service
-              port: 5432
-            check_tables: true
-            invidious_companion:
-            - private_url: "http://invidious-companion-service:8282"
-            invidious_companion_key: "mtRhvm9wMCJhdnGP"
-            hmac_key: "qp/GnTJs5KCB8Ma8"
         - name: INVIDIOUS_PORT
           value: "3000"
         ports:
@@ -67,6 +76,14 @@ spec:
         volumeMounts:
         - name: logging
           mountPath: /var/log/invidious
+        - name: tmp
+          mountPath: /mnt
+          subPath: invidious.yml
       volumes:
       - name: logging
         emptyDir: {}
+      - name: tmp
+        emptyDir: {}
+      - name: invidious-config
+        configMap:
+          name: invidious-config