Generate all secrets currently stored in `settings.env` the first time an instance is spun up

For configuration, we should switch to a YAML file that is updated with the secrets accordingly (if necessary to expose them to the user). In most cases, we may as well just keep them in the DB if they are not required to, e.g., restore the instance itself.