diff --git a/data/defaults.yaml b/data/defaults.yaml
--- a/data/defaults.yaml
+++ b/data/defaults.yaml
@@ -1516,13 +1516,12 @@
   - /1/private/[^/]+/[^/]+/[^/]+
   - /1/private/deposits/
 
-swh::deploy::deposit::conf_directory: "%{hiera('swh::conf_directory')}/deposit"
-swh::deploy::deposit::swh_conf_file: "%{hiera('swh::deploy::deposit::conf_directory')}/server.yml"
-swh::deploy::deposit::settings_private_data_file: "%{hiera('swh::deploy::deposit::conf_directory')}/private.yml"
+swh::deploy::deposit::config_directory: "%{hiera('swh::conf_directory')}/deposit"
+swh::deploy::deposit::config_file: "%{hiera('swh::deploy::deposit::config_directory')}/server.yml"
 swh::deploy::deposit::user: swhdeposit
 swh::deploy::deposit::group: swhdeposit
 swh::deploy::deposit::media_root_directory: /srv/storage/space/swh-deposit/uploads/
-# test configuration
+# swh::deploy::deposit::runtime_secret_key in private data
 swh::deploy::deposit::config:
   max_upload_size: 209715200
   tool:
@@ -1531,17 +1530,15 @@
     configuration:
       sword_version: 2
   scheduler: "%{alias('swh::remote_service::scheduler::config::saatchi')}"
-
-# swh::deploy::deposit::runtime_secret_key in private data
-swh::deploy::deposit::settings_private_data:
-  secret_key: "%{hiera('swh::deploy::deposit::runtime_secret_key')}"
-  db:
-    host: db
-    port: 5432
-    name: softwareheritage-deposit
-    user: swhstorage
-    password: "%{hiera('swh::deploy::storage::db::password')}"
-  media_root: "%{hiera('swh::deploy::deposit::media_root_directory')}"
+  private:
+    secret_key: "%{hiera('swh::deploy::deposit::runtime_secret_key')}"
+    db:
+      host: db
+      port: 5432
+      name: softwareheritage-deposit
+      user: swhstorage
+      password: "%{hiera('swh::deploy::storage::db::password')}"
+    media_root: "%{hiera('swh::deploy::deposit::media_root_directory')}"
 
 swh::deploy::worker::loader_deposit::config_file: "%{hiera('swh::conf_directory')}/loader_deposit.yml"
 swh::deploy::worker::loader_deposit::concurrency: 2
diff --git a/site-modules/profile/manifests/swh/deploy/deposit.pp b/site-modules/profile/manifests/swh/deploy/deposit.pp
--- a/site-modules/profile/manifests/swh/deploy/deposit.pp
+++ b/site-modules/profile/manifests/swh/deploy/deposit.pp
@@ -1,9 +1,8 @@
 # Deployment of the swh.deposit server
 
 class profile::swh::deploy::deposit {
-  $conf_directory = lookup('swh::deploy::deposit::conf_directory')
-
-  $swh_conf_file = lookup('swh::deploy::deposit::swh_conf_file')
+  $config_directory = lookup('swh::deploy::deposit::config_directory')
+  $config_file = lookup('swh::deploy::deposit::config_file')
   $user = lookup('swh::deploy::deposit::user')
   $group = lookup('swh::deploy::deposit::group')
   $swh_conf_raw = lookup('swh::deploy::deposit::config')
@@ -12,10 +11,6 @@
 
   $static_dir = '/usr/lib/python3/dist-packages/swh/deposit/static'
 
-  # private data file to read from swh.deposit.settings.production
-  $settings_private_data_file = lookup('swh::deploy::deposit::settings_private_data_file')
-  $settings_private_data = lookup('swh::deploy::deposit::settings_private_data')
-
   $backend_listen_host = lookup('swh::deploy::deposit::backend::listen::host')
   $backend_listen_port = lookup('swh::deploy::deposit::backend::listen::port')
   $backend_listen_address = "${backend_listen_host}:${backend_listen_port}"
@@ -29,7 +24,7 @@
   $vhost_port = lookup('apache::http_port')
   $vhost_aliases = lookup('swh::deploy::deposit::vhost::aliases')
   $vhost_docroot = lookup('swh::deploy::deposit::vhost::docroot')
-  $vhost_basic_auth_file = "${conf_directory}/http_auth"
+  $vhost_basic_auth_file = "${config_directory}/http_auth"
   # swh::deploy::deposit::vhost::basic_auth_content in private
   $vhost_basic_auth_content = lookup('swh::deploy::deposit::vhost::basic_auth_content')
   $vhost_ssl_port = lookup('apache::https_port')
@@ -48,7 +43,7 @@
     notify  => Service['gunicorn-swh-deposit'],
   }
 
-  file {$conf_directory:
+  file {$config_directory:
     ensure => directory,
     owner  => 'root',
     group  => $group,
@@ -56,7 +51,7 @@
   }
 
   # swh's configuration part (upload size, etc...)
-  file {$swh_conf_file:
+  file {$config_file:
     ensure  => present,
     owner   => 'root',
     group   => $group,
@@ -72,21 +67,15 @@
     mode   => '2750',
   }
 
-  # swh's private configuration part (db, secret key, media_root)
-  file {$settings_private_data_file:
-    ensure  => present,
-    owner   => 'root',
-    group   => $group,
-    mode    => '0640',
-    content => inline_template("<%= @settings_private_data.to_yaml %>\n"),
-    notify  => Service['gunicorn-swh-deposit'],
-  }
-
   ::gunicorn::instance {'swh-deposit':
     ensure     => enabled,
     user       => $user,
     group      => $group,
     executable => 'swh.deposit.wsgi',
+    environment => {
+      'SWH_CONFIG_FILENAME'    => $config_file,
+      'DJANGO_SETTINGS_MODULE' => 'swh.deposit.settings.production',
+    },
     settings   => {
       bind             => $backend_listen_address,
       workers          => $backend_workers,