diff --git a/hosts/crossbox/nginx.nix b/hosts/crossbox/nginx.nix
index 1fbcfa4..2e2bcf7 100644
--- a/hosts/crossbox/nginx.nix
+++ b/hosts/crossbox/nginx.nix
@@ -26,10 +26,9 @@ in
       map $http_authorization $auth_status {
         default "unauthorized";
         "" "no_auth";
-        # Add your Bearer tokens here manually, or use include directive
+        # Tokens loaded from file to keep secrets out of the nix store
         # Format: "Bearer YOUR_TOKEN_HERE" "authorized";
-        # You can also create /srv/nginx/secrets.map and include it:
-        # include /srv/nginx/secrets.map;
+        include /srv/nginx/secrets.map;
       }
     '';