Accept secrets as paths instead of literal values

The server accepts the Ristretto signing key as a value in argv. This leaks in various ways - into /nix/store, into the process table (visible to anyone who can run ps), likely into the systemd journal, possibly even into shell history if someone gets really creative.

Secrets shouldn't go to any of these places. Instead, accepts paths which point to files containing the secrets. The paths themselves are not sensitive. The files can be protected with appropriate filesystem-level protection. This closes off a number of vectors for secrets to be compromised.

This issue will probably also apply to the Stripe secret key which is being introduced in #30.