node.js - Best practice to store secret for generating JWTs in a NodeJS app


I am using JWTs for authenticating users on a SPA (NodeJS backend, Angular frontend). I have a function in my user model to generate a JWT when the user signs in:

    // ./models/user.js - waterline orm
    var waterline = require('waterline');
    var bcrypt = require('bcrypt');
    var jwt = require('jsonwebtoken');

    // [...]

    generatejwt: function() {
      // set expiration to 60 days
      var today = new Date();
      var exp = new Date(today);
      exp.setDate(today.getDate() + 60);

      return jwt.sign({
        _id: this.id,
        username: this.username,
        exp: parseInt(exp.getTime() / 1000, 10), // expiry as Unix time in seconds
      }, 'secret'); // TODO: real secret
    }

    // [...]

This 'secret' shouldn't be hardcoded. It also should not be in the codebase or in the repo. What is the best / most secure way to handle this? A config file in a shared folder that is symlinked when deploying? The database?

