This is what I do, works great.
Most of my application secrets/configuration/keys/tokens are stored in the database.
The only one that's not is the information about how to connect to the database. That's stored in the DATABASE_URL environment variable and it's stored on each machine. envdir is used to start the apps, reading that environment data.
