diff --git a/.env.sample b/.env.sample index 3ed4f3b..fd1bb24 100644 --- a/.env.sample +++ b/.env.sample @@ -6,6 +6,13 @@ DOMAIN=cryptpad.example.com # This is a separate domain for the secure side of Cryptpad. It can be any other domain (subdomain or separate domain) SANDBOX_DOMAIN=sandbox.cryptpad.example.com +# CRYPTPAD_ADMIN_KEYS +## here is an example of the format for one single key +# CRYPTPAD_ADMIN_KEYS= '"[user1@cryptpad.cctest.autonomic.zone/zew-WaKZimxhNSL3iiVL8SCzVzPB8KhIxZNrRKn+uRo=]",' +## here is an example of the format for multiple keys (including here because it was confusing to me) +# CRYPTPAD_ADMIN_KEYS='"[user1@cryptpad.cctest.autonomic.zone/zew-WaKZimxhNSL3iiVL8SCzVzPB8KhIxZNrRKn+uRo=]","[user2@cryptpad.cctest.autonomic.zone/Z7agNvwPXHm9xuEYOYV2YY53fSofgzum86xvhUxJ4nU=]",' + + ## Domain aliases #EXTRA_DOMAINS=', `www.cryptpad.example.com`' LETS_ENCRYPT_ENV=production diff --git a/.gitignore b/.gitignore index 7a6353d..f1d97b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .envrc +.idea diff --git a/README.md b/README.md index fd108fe..48ec732 100644 --- a/README.md +++ b/README.md 
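Review bot: The two commented examples disagree on syntax: the single-key line has a space after `=` (`CRYPTPAD_ADMIN_KEYS= '"[…]",'`) while the multi-key line does not, and depending on how abra parses the file that leading space either becomes part of the value or breaks the assignment, so the first example should read `# CRYPTPAD_ADMIN_KEYS='"[user1@cryptpad.example.com/<PUBLIC_KEY>]",'`. The examples also name what looks like a live instance (`cryptpad.cctest.autonomic.zone`) together with its real admin public keys instead of the `cryptpad.example.com` placeholder that DOMAIN uses three lines above; public keys are not secrets, but a sample file should not point at a deployed system. A one-line comment saying that the value is inserted verbatim into config.js.tmpl, so the double quotes and the trailing comma are required, would remove the confusion the comment itself mentions.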
@@ -26,5 +26,19 @@ 5. `abra app deploy YOURAPPDOMAIN` 6. Open the configured domain in your browser to finish set-up +At this point, anyone with this domain can register new users with this cryptpad instance. + +After you have registered a first user, here is how you can make this user into an admin. +After logging in as your user, go to: https://cryptpad.cctest.autonomic.zone/profile/ + +Click "Copy Public Key". This will copy your public key into your clipboard. +Then run `abra app config YOURAPPDOMAIN` and set the value of CRYPTPAD_ADMIN_KEYS +to include your public key. The example in .env.sample shows the required format. + +Then redeploy with `abra app deploy YOURAPPDOMAIN --force`. + +Now when you login as your user, and visit https://cryptpad.cctest.autonomic.zone/admin/, +you should be able to access the admin interface for this cryptpad instance. + [`abra`]: https://git.coopcloud.tech/coop-cloud/abra -[`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik +[`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik \ No newline at end of file diff --git a/abra.sh b/abra.sh index a9a8715..c38f188 100644 --- a/abra.sh +++ b/abra.sh @@ -1 +1,3 @@ export CONFIG_VERSION=v2 +export CONFIG_JS_VERSION=v2 +export NGINX_CONF_VERSION=v1 diff --git a/compose.yml b/compose.yml index 4617c01..1ff2e56 100644 --- a/compose.yml +++ b/compose.yml 
@@ -3,18 +3,18 @@ version: "3.8" services: app: - image: cryptpad/cryptpad:version-2024.3.0 + image: cryptpad/cryptpad:version-2025.9.0 networks: - - proxy + - backend environment: + - CRYPTPAD_ADMIN_KEYS - "CPAD_MAIN_DOMAIN=${DOMAIN}" - "CPAD_SANDBOX_DOMAIN=${SANDBOX_DOMAIN}" - # Traefik can't use HTTP2 to communicate with cryptpat_websocket + # Traefik can't use HTTP2 to communicate with cryptpad_websocket # A workaroung is disabling HTTP2 in Nginx - "CPAD_HTTP2_DISABLE=true" - - "CPAD_REALIP_RECURSIVE=on" - - "CPAD_REALIP_HEADER=X-Real-Ip" - - CPAD_CONF=/cryptpad/config/config.js + - "CPAD_TRUST_PROXY=1" + - "CPAD_CONF=/cryptpad/config/config.js" volumes: - cryptpad_blob:/cryptpad/blob @@ -31,18 +31,9 @@ services: restart_policy: condition: on-failure labels: - - "traefik.enable=true" - - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" - - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}`${EXTRA_DOMAINS})" - - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}" - - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=${SANDBOX_DOMAIN}" - ## Redirect from EXTRA_DOMAINS to DOMAIN - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - - "coop-cloud.${STACK_NAME}.version=0.4.0+version-2024.3.0" + - "traefik.enable=false" + - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" + - "coop-cloud.${STACK_NAME}.version=0.4.1+version-2025.9.0" # healthcheck: # test: ["CMD", "curl", "-f", "http://localhost"] # interval: 30s 
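Review bot: `CPAD_TRUST_PROXY=1` replaces the `CPAD_REALIP_*` settings, but the new nginx.conf.tmpl sets `X-Real-IP $remote_addr`, which from the web container's point of view is Traefik's address rather than the client's, and `$proxy_add_x_forwarded_for` appends that same address to the chain Traefik already started; if CryptPad takes the client address from X-Real-IP, or from the rightmost X-Forwarded-For entry with a single trusted hop, it will see the proxy instead of the user, which matters for any per-IP logging or limiting. I cannot verify from here how the image maps `CPAD_TRUST_PROXY`, so this is worth checking after deploy; if it counts hops, two proxies now sit in front of the app. The typo fix on the comment line left the next one unchanged: `# A workaround is disabling HTTP2 in Nginx`. The same X-Real-IP point applies to the nginx.conf.tmpl hunk.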
@@ -50,9 +41,32 @@ services: # retries: 10 # start_period: 1m + web: + image: nginx:1.25 + configs: + - source: nginx_conf + target: /etc/nginx/conf.d/default.conf + networks: + proxy: + backend: + depends_on: + - app + environment: + - STACK_NAME + deploy: + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.routers.${STACK_NAME}.tls=true" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8083" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}` ${EXTRA_DOMAINS})" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + networks: proxy: external: true + backend: volumes: cryptpad_blob: @@ -67,3 +81,7 @@ configs: name: ${STACK_NAME}_config_${CONFIG_VERSION} file: config.js.tmpl template_driver: golang + nginx_conf: + name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION} + file: nginx.conf.tmpl + template_driver: golang diff --git a/config.js.tmpl b/config.js.tmpl index 3dda44d..0559779 100644 --- a/config.js.tmpl +++ b/config.js.tmpl @@ -75,7 +75,7 @@ module.exports = { * all addresses, including IPv6, set this to '::'. * */ - //httpAddress: '::', + httpAddress: '::', /* httpPort specifies on which port the nodejs server should listen. * By default it will serve content over port 3000, which is suitable @@ -111,11 +111,9 @@ module.exports = { * key, which can be found on the settings page for registered users. * Entries should be strings separated by a comma. */ -/* adminKeys: [ - //"[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", + {{ env "CRYPTPAD_ADMIN_KEYS" }} ], -*/ /* ===================== * STORAGE diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl new file mode 100644 index 0000000..3fee226 --- /dev/null +++ b/nginx.conf.tmpl 
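Review bot: The new `web` service has no `deploy.restart_policy`, unlike `app` two hunks above (`condition: on-failure`), and no healthcheck, so a crashed nginx task is not restarted while Traefik keeps the route up with nothing behind it; add `restart_policy: condition: on-failure` under `deploy` next to the labels. `image: nginx:1.25` is a floating tag while the app image is pinned to an exact release, and 1.25 is a mainline series that, as far as I know, no longer receives updates, so pinning a current stable patch release is safer. The `tls.domains[0].main`/`sans` labels from the old app service are dropped; the certresolver should still request a certificate for every host in the rule, but that is an assumption worth confirming on the first deploy. The `backend` network is declared without `internal: true`; since `app` publishes no ports this is fine, but marking it internal documents the intent.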
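Review bot: `{{ env "CRYPTPAD_ADMIN_KEYS" }}` is spliced into the `adminKeys` array unquoted, so the environment value itself has to carry the double quotes and separators; a value without them, or with an unbalanced quote, makes config.js fail to parse and the container fails to start, and because the file is loaded as JavaScript, whatever is in that variable is executed in the server process. The variable is operator-controlled, so this is a robustness rather than an exposure issue, but it deserves a comment in the template, especially since the prose just above still says "Entries should be strings separated by a comma". Suggested comment above the line: `// CRYPTPAD_ADMIN_KEYS is inserted verbatim: each key must be a double-quoted string followed by a comma, e.g. "[user@domain/key]",`. The first hunk's `httpAddress: '::'` is required now that nginx connects from another container; the app is reachable only over the stack's backend network as long as it publishes no ports.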
@@ -0,0 +1,39 @@
+server {
+ listen 8083;
+ server_name localhost;
+
+ access_log /var/log/cpad.log;
+ error_log /var/log/cpad-error.log;
+ #access_log /dev/null;
+ #error_log /dev/null emerg;
+
+ # Main CryptPad app
+ location / {
+ proxy_pass http://{{ env "STACK_NAME" }}_app:3000;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ client_max_body_size 150m;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+
+ # WebSocket endpoint
+ location ^~ /cryptpad_websocket {
+ proxy_pass http://{{ env "STACK_NAME" }}_app:3003;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+}
\ No newline at end of file
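Review bot: The `/` location sends `Connection: upgrade` to the app on every request, because `proxy_set_header Connection upgrade;` is unconditional while `Upgrade $http_upgrade` is empty for ordinary HTTP requests; the usual nginx form is a `map` on `$http_upgrade` so plain requests get `close` and only real WebSocket handshakes get `upgrade`, which also covers the `/cryptpad_websocket` location. Both logs are written to files inside the container (`/var/log/cpad.log`, `/var/log/cpad-error.log`) that sit on no volume and are never rotated, so they grow until the task is rescheduled and never appear in `docker service logs`; `access_log /dev/stdout;` and `error_log /dev/stderr;` (or the image's `/var/log/nginx/` paths, which are symlinked to those) keep them visible. `$remote_addr` here is Traefik's address, so the `X-Real-IP` header forwarded to the app names the proxy rather than the client unless the realip module is configured with Traefik's address in `set_real_ip_from`.
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
# … unchanged: server block down to the first proxy_set_header Upgrade …
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
# … unchanged: the same two lines in the /cryptpad_websocket location …
```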