diff --git a/abra.sh b/abra.sh
index a554e45..4b12b3d 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,5 +1,5 @@
-export NGINX_CONFIG_VERSION=v1
-export APP_ENTRYPOINT_VERSION=v1
+export NGINX_CONFIG_VERSION=v7
+export APP_ENTRYPOINT_VERSION=v4
 
 secrets() {
 docker context use default > /dev/null 2>&1
@@ -12,10 +12,33 @@ secrets() {
 
 migrate(){
 # run against the "api" service
+
+ export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
+
+ DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+ export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
+
 python manage.py migrate
 }
 
 admin() {
 # run against the "api" service
+
+ export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
+
+ DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+ export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
+
 python manage.py createsuperuser
 }
+
+static() {
+ # run against the "api" service
+
+ export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
+
+ DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+ export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
+
+ python manage.py collectstatic --no-input
+}
diff --git a/compose.yml b/compose.yml
index f38802b..0cf8b11 100644
--- a/compose.yml
+++ b/compose.yml
@@ -2,7 +2,7 @@ version: "3.8"
 x-environment: &default-env
- - CACHE_URL="redis://cache:6379/0"
+ - CACHE_URL=redis://cache:6379/0
 - CELERYD_CONCURRENCY
 - C_FORCE_ROOT=true
 - DATABASE_PASSWORD_FILE=/run/secrets/db_password
@@ -10,6 +10,7 @@ x-environment: &default-env
 - DJANGO_SETTINGS_MODULE
 - DOMAIN
 - FUNKWHALE_HOSTNAME
+ - FUNKWHALE_SPA_HTML_ROOT=/srv/funkwhale/front/dist/
 - FUNKWHALE_WEB_WORKERS
 - LOGLEVEL
 - REVERSE_PROXY_TYPE
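Review bot: `export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)` in migrate(), admin() and static() masks a failed cat, because the exit status of `export` wins: a missing or unreadable secret file exports an empty key and `python manage.py …` runs anyway, and `DATABASE_PASSWORD=$(cat …)` is likewise never checked. The same six lines are pasted into all three functions; a shared helper that fails instead of exporting empty values removes the duplication, as sketched below. `$DATABASE_PASSWORD` is also spliced into the URL unencoded, so a password containing `@`, `/`, `:` or `#` would break DATABASE_URL — worth confirming against how the secret is generated, which this page does not show.
```sh
load_api_secrets() {
  # shared by migrate/admin/static; fail rather than export an empty value
  DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key) || return 1
  DATABASE_PASSWORD=$(cat /run/secrets/db_password) || return 1
  [ -n "$DJANGO_SECRET_KEY" ] && [ -n "$DATABASE_PASSWORD" ] || return 1
  export DJANGO_SECRET_KEY
  export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
}

migrate(){
  # run against the "api" service
  load_api_secrets || return 1
  python manage.py migrate
}
# … unchanged: admin() and static() call load_api_secrets the same way …
```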
@@ -23,21 +24,24 @@ services:
 app:
 image: nginx:1.20.0
 environment: *default-env
- networks:
- - proxy
- - internal
+ configs:
+ - source: nginx_config
+ target: /etc/nginx/nginx.conf
 volumes:
 - music-data:/srv/funkwhale/data/music:ro
 - media-data:/srv/funkwhale/data/media
 - static-data:/srv/funkwhale/data/static
- - frontend-data:/src/funkwhale/front/dist:ro
+ - frontend-data:/srv/funkwhale/front/dist:ro
+ networks:
+ - proxy
+ - internal
 deploy:
 restart_policy:
 condition: on-failure
 labels:
 - "traefik.enable=true"
 - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
- - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+ - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 - "coop-cloud.${STACK_NAME}.version="
@@ -45,11 +49,16 @@ services:
 celeryworker:
 image: funkwhale/funkwhale:1.2
 depends_on:
- - postgres
- - redis
- command: celery -A funkwhale_api.taskapp worker -l INFO
+ - db
+ - cache
 environment: *default-env
 secrets: *default-secrets
+ configs:
+ - source: app_entrypoint
+ target: /docker-entrypoint.sh
+ mode: 0555
+ entrypoint: /docker-entrypoint.sh
+ command: celery -A funkwhale_api.taskapp worker -l INFO
 volumes:
 - music-data:/srv/funkwhale/data/music:ro
 - media-data:/srv/funkwhale/data/media
@@ -61,8 +70,13 @@ services:
 environment: *default-env
 secrets: *default-secrets
 depends_on:
- - postgres
- - redis
+ - db
+ - cache
+ configs:
+ - source: app_entrypoint
+ target: /docker-entrypoint.sh
+ mode: 0555
+ entrypoint: /docker-entrypoint.sh
 command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO
 networks:
 - internal
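Review bot: The traefik router rule in the app service drops `${EXTRA_DOMAINS}` and now matches `${DOMAIN}` alone, so a deployment that sets EXTRA_DOMAINS in its env stops routing those aliases after this upgrade without any error. If that is intended, the variable should also disappear from the recipe's env example, which this page does not show; otherwise restore the previous rule line with `${EXTRA_DOMAINS}` appended inside the Host() expression. The rest of the hunk (nginx.conf as a config, corrected `/srv/` front-end path) looks right.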
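Review bot: The `configs:` / `entrypoint: /docker-entrypoint.sh` stanza added to celeryworker here is repeated verbatim for celerybeat in `@@ -61,8 +70,13 @@` and for api in `@@ -72,13 +86,19 @@` on the next line. The file already uses `*default-env` and `*default-secrets` anchors, so an `x-entrypoint: &default-entrypoint` mapping merged into each service with `<<: *default-entrypoint` (or at least a `&default-configs` anchor on the `configs` list) keeps the three services in step when the config name or mode changes. `mode: 0555` is appropriate for a script that is executed but never written; the unquoted `0555` is read as octal by the YAML 1.1 parser compose uses, which is what is wanted here.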
@@ -72,13 +86,19 @@ services:
 environment: *default-env
 secrets: *default-secrets
 depends_on:
- - postgres
- - redis
+ - db
+ - cache
 volumes:
 - music-data:/srv/funkwhale/data/music:ro
 - media-data:/srv/funkwhale/data/media
 - static-data:/srv/funkwhale/data/static
- - frontend-data:/src/funkwhale/front/dist
+ - frontend-data:/srv/funkwhale/front/dist
+ configs:
+ - source: app_entrypoint
+ target: /docker-entrypoint.sh
+ mode: 0555
+ entrypoint: /docker-entrypoint.sh
+ command: /app/compose/django/server.sh
 networks:
 - internal
 
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 584e00b..f0c7f16 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -1,4 +1,3 @@
-
 #!/bin/bash
 set -e
 
@@ -32,4 +31,4 @@ file_env "DJANGO_SECRET_KEY"
 # upstream entrypoint
 # https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/api/Dockerfile
-./compose/django/entrypoint.sh "$@"
+/app/compose/django/entrypoint.sh "$@"
diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl
index 1142362..7ff3583 100644
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
@@ -1,9 +1,15 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
+user www-data;
+
+events {
+ worker_connections 768;
 }
 
 http {
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
 upstream funkwhale-api {
 server {{ env "STACK_NAME" }}_api:5000;
 }
@@ -12,7 +18,6 @@ http {
 listen 80;
 listen [::]:80;
 server_name {{ env "FUNKWHALE_HOSTNAME" }};
- location / { return 301 https://$host$request_uri; }
 add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
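Review bot: The last line of entrypoint.sh.tmpl still runs the upstream entrypoint as a child, `/app/compose/django/entrypoint.sh "$@"`, so this wrapper remains PID 1 of every container that uses it (celeryworker, celerybeat and api all set `entrypoint: /docker-entrypoint.sh` in compose.yml). Bash as PID 1 does not forward SIGTERM to its foreground child, so `docker stop` and swarm's rolling updates wait out the stop grace period and then SIGKILL celery or the API server instead of letting them finish in-flight work; `exec /app/compose/django/entrypoint.sh "$@"` hands PID 1 to the upstream script. Whether the upstream script itself execs its final command cannot be confirmed from this page.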
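Review bot: With this file now mounted as the whole `/etc/nginx/nginx.conf` (the `configs:` target in compose.yml), the `http {}` block must supply what the image's default nginx.conf used to, and within this hunk there is no `include /etc/nginx/mime.types;` or `default_type`; unless they appear in lines outside the hunk, every static file under the front-end and media locations is served with nginx's built-in `text/plain`, and browsers reject stylesheets and module scripts with a wrong MIME type, which the `script-src 'self'` CSP below cannot fix. Adding `include /etc/nginx/mime.types;` at the top of `http {}`, beside the moved `map`, is the one-line fix. `user www-data;` exists in the Debian-based nginx:1.20.0 image, but the image's own config runs as `nginx`, so ownership of the shared data volumes should be checked against whichever user is kept.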
@@ -71,6 +76,7 @@ http {
 add_header Pragma public;
 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 }
+
 location = /front/embed.html {
 add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
@@ -83,12 +89,34 @@ http {
 }
 location /federation/ {
- include /etc/nginx/funkwhale_proxy.conf;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host:$server_port;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_redirect off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_pass http://funkwhale-api/federation/;
 }
 location /rest/ {
- include /etc/nginx/funkwhale_proxy.conf;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host:$server_port;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_redirect off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_pass http://funkwhale-api/api/subsonic/rest/;
 }
@@ -104,6 +132,7 @@ http {
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
+ proxy_pass http://funkwhale-api/.well-known/;
 }
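Review bot: `proxy_set_header X-Forwarded-Proto $scheme;` in the new `/federation/` and `/rest/` blocks always reports `http`, because TLS terminates at traefik (`entrypoints=web-secure` in compose.yml) and nginx only listens on plain port 80, so the `X-Forwarded-Proto: https` traefik sends is overwritten, and `X-Forwarded-Host $host:$server_port` / `X-Forwarded-Port $server_port` likewise advertise port 80. Whether funkwhale derives is_secure() or absolute URLs from these headers cannot be confirmed from this page, and the replaced `funkwhale_proxy.conf` include presumably carried the same values, so this is not a regression; a `map` that prefers `$http_x_forwarded_proto` when present fixes it, and trusting that header is acceptable only because nginx is reachable solely over the overlay networks, not from the host. The eleven proxy lines are also pasted twice here and once more in the `/.well-known/` location below; nginx inherits `proxy_set_header` from the enclosing `server {}` into every location that defines none of its own, so they can live once at server level, as sketched below (the enclosing `server {}` starts outside this hunk).
```nginx
    # in http {}, beside the existing connection_upgrade map:
    # map $http_x_forwarded_proto $forwarded_proto { default $scheme; https https; }
    # … unchanged: listen / server_name / add_header lines …

    # inherited by every location below that sets no proxy_set_header of its own
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $forwarded_proto;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_redirect off;
    proxy_http_version 1.1;

    location /federation/ {
        proxy_pass http://funkwhale-api/federation/;
    }

    location /rest/ {
        proxy_pass http://funkwhale-api/api/subsonic/rest/;
    }
    # … unchanged: remaining locations, each reduced to its proxy_pass …
```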