diff --git a/.github/workflows/blank.yml b/.github/workflows/blank.yml
index 46ef286d..19523f5a 100644
--- a/.github/workflows/blank.yml
+++ b/.github/workflows/blank.yml
@@ -95,6 +95,11 @@ jobs:
           script: |
             mkdir -p /var/www/csr/stage/
             echo '${{ secrets.DEPLOY_CONFIG }}' > /var/www/csr/stage/config.json
+            sudo rm /etc/systemd/system/stage.csr.env
+            echo -e "JWT_SECRET_KEY=${{ secrets.JWT_SECRET_KEY }}\n\
+            EMAIL_PASSWORD=${{ secrets.EMAIL_PASSWORD }}\n\
+            DB_USER=${{ secrets.DB_USER }}" > stage.csr.env    
+            sudo mv stage.csr.env /etc/systemd/system/stage.csr.env    
             sudo systemctl daemon-reload && sudo service stage.csr stop
             cp ~/csr /var/www/csr/stage/server
             sudo service stage.csr start
diff --git a/config.json b/config.json
index 80643e93..64049242 100644
--- a/config.json
+++ b/config.json
@@ -2,15 +2,12 @@
   "db": {
     "host": "postgres",
     "port": "5432",
-    "user": "csr",
     "database": "csr",
     "showSql": false
   },
-  "JWTSecretKey": 123,
   "email": {
     "serverHost": "any",
     "serverPort": 1,
-    "password": "any",
     "senderFromAddress": "any",
     "senderFromName": "any",
     "confirmLinkExpiration": "15m",
diff --git a/deploy/centos/stage/rootfs/etc/systemd/system/stage.csr.service b/deploy/centos/stage/rootfs/etc/systemd/system/stage.csr.service
index a4a4e7dd..889aa11d 100644
--- a/deploy/centos/stage/rootfs/etc/systemd/system/stage.csr.service
+++ b/deploy/centos/stage/rootfs/etc/systemd/system/stage.csr.service
@@ -3,6 +3,7 @@ Description=stage.csr
 After=network.target
 
 [Service]
+EnvironmentFile=/etc/systemd/system/stage.csr.env
 Type=simple
 WorkingDirectory=/var/www/csr/stage
 User=csr
diff --git a/internal/config/app.go b/internal/config/app.go
index abf850cc..4b09865c 100644
--- a/internal/config/app.go
+++ b/internal/config/app.go
@@ -85,6 +85,7 @@ func GetAppConfig(additionalDirectories ...string) (*AppConfig, error) {
 	if err := viper.ReadInConfig(); err != nil {
 		return nil, fmt.Errorf("failed to read in config: %w", err)
 	}
+	bindEnvVars()
 
 	conf := getDefaultConfig()
 	if err := viper.Unmarshal(&conf); err != nil {
@@ -100,16 +101,18 @@ func GetAppConfig(additionalDirectories ...string) (*AppConfig, error) {
 
 func getDefaultConfig() *AppConfig {
 	return &AppConfig{
+		JWTSecretKey: "default_value",
 		DB: DB{
 			Host:     "localhost",
 			User:     "csr",
-			Password: "password",
+			Database: "stage_csr",
 		},
 		Password: Password{
 			Length:              8,
 			ResetLinkExpiration: 15 * time.Minute,
 		},
 		Email: Email{
+			Password:              "default_value",
 			SenderWebsiteUrl:      "https://csr.golangforall.com/",
 			ConfirmLinkExpiration: 15 * time.Minute,
 		},
@@ -119,3 +122,11 @@ func getDefaultConfig() *AppConfig {
 		},
 	}
 }
+
+func bindEnvVars() {
+	viper.BindEnv("jwtsecretkey", "JWT_SECRET_KEY")
+	viper.BindEnv("email.password", "EMAIL_PASSWORD")
+	viper.BindEnv("db.user", "DB_USER")
+
+	viper.AutomaticEnv()
+}