diff --git a/sp-modules/nextcloud/common.nix b/sp-modules/nextcloud/common.nix index 453ee18..9bb4e4f 100644 --- a/sp-modules/nextcloud/common.nix +++ b/sp-modules/nextcloud/common.nix @@ -1,8 +1,6 @@ config: rec { sp = config.selfprivacy; domain = sp.domain; - secrets-filepath = "/etc/selfprivacy/secrets.json"; - db-pass-filepath = "/var/lib/nextcloud/db-pass"; admin-pass-filepath = "/var/lib/nextcloud/admin-pass"; override-config-fp = "/var/lib/nextcloud/config/override.config.php"; } diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix index 1cd5831..8901795 100644 --- a/sp-modules/nextcloud/module.nix +++ b/sp-modules/nextcloud/module.nix @@ -7,10 +7,8 @@ let inherit (import ./common.nix config) admin-pass-filepath - db-pass-filepath domain override-config-fp - secrets-filepath sp ; @@ -184,19 +182,13 @@ in serviceConfig.Type = "oneshot"; path = with pkgs; [ coreutils - jq ]; script = '' - databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath}) - adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath}) - - install -C -m 0440 -o nextcloud -g nextcloud -DT \ - <(printf "%s\n" "$databasePassword") \ - ${db-pass-filepath} - - install -C -m 0440 -o nextcloud -g nextcloud -DT \ - <(printf "%s\n" "$adminPassword") \ - ${admin-pass-filepath} + if [ ! -f "${admin-pass-filepath}" ]; then + cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 32 > ${admin-pass-filepath} + chown nextcloud:nextcloud ${admin-pass-filepath} + chmod 440 ${admin-pass-filepath} + fi ''; }; }; @@ -252,7 +244,6 @@ in dbtype = "sqlite"; dbuser = "nextcloud"; dbname = "nextcloud"; - dbpassFile = db-pass-filepath; # TODO review whether admin user is needed at all - admin group works adminpassFile = admin-pass-filepath; adminuser = "admin"; diff --git a/sp-modules/pleroma/cleanup-module.nix b/sp-modules/pleroma/cleanup-module.nix deleted file mode 100644 index 9848f53..0000000 
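Review bot: In the rewritten nextcloud script the admin password file is created by the `>` redirect with the service's default umask and only narrowed afterwards, so until `chmod 440` runs it is root-owned and typically world-readable, and if the unit is interrupted in that window the next run finds `-f` true and keeps the exposed, possibly empty, file indefinitely. Create it with its final owner and mode in one step instead, e.g. keep the form the commit removes, `install -m 0440 -o nextcloud -g nextcloud -DT <(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32) ${admin-pass-filepath}`, or at least wrap the redirect as `(umask 077; tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32 > ${admin-pass-filepath})` and test with `[ ! -s "${admin-pass-filepath}" ]` so an empty leftover is regenerated. The removed `install -D` also created the parent directory; unless `/var/lib/nextcloud` is guaranteed elsewhere (e.g. a StateDirectory, not visible in this diff) the bare redirect will fail where the old code succeeded. Since the script now generates the secret rather than reading it from secrets.json, a comment such as `# admin password is generated once on first activation and never rotated here` above the `if` would record that intent for the next maintainer.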
--- a/sp-modules/pleroma/cleanup-module.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, ... }: -let - inherit (import ./common.nix config) secrets-exs sp; -in -# FIXME do we really want to delete passwords on module deactivation!? -{ - config = lib.mkIf (!sp.modules.pleroma.enable) { - system.activationScripts.pleroma = lib.trivial.warn ("pleroma service is disabled, ${secrets-exs} will be removed!") '' - rm -f -v ${secrets-exs} - ''; - }; -} diff --git a/sp-modules/pleroma/common.nix b/sp-modules/pleroma/common.nix deleted file mode 100644 index ff68e8f..0000000 --- a/sp-modules/pleroma/common.nix +++ /dev/null @@ -1,4 +0,0 @@ -config: { - sp = config.selfprivacy; - secrets-exs = "/var/lib/pleroma/secrets.exs"; -} diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix index a8b8c29..724afc3 100644 --- a/sp-modules/pleroma/module.nix +++ b/sp-modules/pleroma/module.nix @@ -5,9 +5,8 @@ ... }: let - secrets-filepath = "/etc/selfprivacy/secrets.json"; cfg = config.selfprivacy.modules.pleroma; - inherit (import ./common.nix config) secrets-exs sp; + sp = config.selfprivacy; in { options.selfprivacy.modules.pleroma = { @@ -106,16 +105,12 @@ in serviceConfig.Type = "oneshot"; path = with pkgs; [ coreutils - jq ]; script = '' set -o nounset - password="$(jq -re '.databasePassword' ${secrets-filepath})" filecontents=$(cat <<- EOF import Config - config :pleroma, Pleroma.Repo, - password: "$password" EOF )