diff --git a/.env.sample b/.env.sample index 4934b92..1e44c2a 100644 --- a/.env.sample +++ b/.env.sample @@ -2,6 +2,9 @@ TYPE=funkwhale DOMAIN={{ .Domain }} LETS_ENCRYPT_ENV=production +SECRET_DB_PASSWORD_VERSION=v1 +SECRET_DJANGO_SECRET_KEY_VERSION=v1 + # If you have any doubts about what a setting does, # check https://docs.funkwhale.audio/configuration.html#configuration-reference diff --git a/compose.yml b/compose.yml index 9f2e748..41dc4d1 100644 --- a/compose.yml +++ b/compose.yml @@ -7,6 +7,7 @@ x-environment: - CELERYD_CONCURRENCY - C_FORCE_ROOT=true - DATABASE_PASSWORD_FILE=/run/secrets/db_password + - DJANGO_SECRET_KEY_FILE=/run/secrets/django_secret_key - DJANGO_SETTINGS_MODULE - DOMAIN - FUNKWHALE_HOSTNAME @@ -15,6 +16,11 @@ x-environment: - REVERSE_PROXY_TYPE - STACK_NAME +x-secrets: + &default-sec: + - db_password + - django_secret_key + services: app: image: nginx:1.20.0 @@ -45,6 +51,7 @@ services: - redis command: celery -A funkwhale_api.taskapp worker -l INFO environment: *default-env + secrets: *default-sec volumes: - music-data:/srv/funkwhale/data/music:ro - media-data:/srv/funkwhale/data/media @@ -54,6 +61,7 @@ services: celerybeat: image: funkwhale/funkwhale:1.2 environment: *default-env + secrets: *default-sec depends_on: - postgres - redis @@ -64,12 +72,10 @@ services: api: image: funkwhale/funkwhale:1.2 environment: *default-env + secrets: *default-sec depends_on: - postgres - redis - secrets: - - django_secret_key - - db_password volumes: - music-data:/srv/funkwhale/data/music:ro - media-data:/srv/funkwhale/data/media diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl index b9a6746..584e00b 100644 --- a/entrypoint.sh.tmpl +++ b/entrypoint.sh.tmpl 
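Review bot: The two new `SECRET_*_VERSION=v1` lines in .env.sample carry no comment saying what the value controls, so an operator has no cue that this is the knob for rotating a secret. Presumably the compose file names the external secrets by this suffix (the top-level `secrets:` definitions are not in this diff), in which case a one-line comment above them, `# Bump a *_VERSION value to rotate that secret; it must match the external secret's name suffix in compose.yml`, would make the contract visible where the value is set. If the versions are consumed elsewhere, word the comment accordingly.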
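Review bot: In the new `x-secrets` block of compose.yml the anchor is written `&default-sec:` with a trailing colon, while the later hunks alias it as `*default-sec`. As far as I can tell from the collapsed text, YAML parsers end the anchor name at the colon and read the colon as a mapping indicator, so the anchor attaches to an empty key rather than to the list; `secrets: *default-sec` on celeryworker, celerybeat and api (the three following hunks) would then resolve to null or the file would fail to parse, and in either case no files would be mounted under /run/secrets while `DATABASE_PASSWORD_FILE` and `DJANGO_SECRET_KEY_FILE` still point there. Drop the colon so the block follows the shape of the existing `*default-env` anchor (whose definition is outside this diff): `x-secrets:` / `  &default-sec` / `  - db_password`. Worth confirming with `docker compose config` that each of the three services lists both secrets after the change.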
@@ -26,7 +26,9 @@ file_env() { } file_env "DATABASE_PASSWORD" -export DATABASE_URL=postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale +export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale" + +file_env "DJANGO_SECRET_KEY" # upstream entrypoint # https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/api/Dockerfile diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl index 1d1daf1..1142362 100644 --- a/nginx.conf.tmpl +++ b/nginx.conf.tmpl @@ -93,7 +93,17 @@ http { } location /.well-known/ { - include /etc/nginx/funkwhale_proxy.conf; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_redirect off; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; proxy_pass http://funkwhale-api/.well-known/; }
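Review bot: `DATABASE_URL` still interpolates `$DATABASE_PASSWORD` verbatim into the URL; the added double quotes only protect against word splitting, not against URL-reserved characters, so a generated secret containing `@`, `/`, `:`, `%` or `#` will be misparsed as host or path or rejected. Either percent-encode the value before building the URL, or document the constraint next to the line: `# DATABASE_PASSWORD is placed in the URL unencoded: the secret must not contain URL-reserved characters (@ / : % #)`. The rewritten line also targets host `db` while compose.yml declares the service as `postgres`; presumably a network alias, but worth confirming. Both `file_env` calls rely on the function whose body closes at the `}` at the top of this hunk, so whether a missing secret file aborts or silently yields an empty value depends on code outside the hunk.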
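Review bot: The `/.well-known/` location now carries an inlined copy of the proxy header set instead of `include /etc/nginx/funkwhale_proxy.conf;`, with no comment saying why this location must differ from the others; the next maintainer is likely to fold it back into the include, and the two copies will otherwise drift. Add a line above the block stating the reason, e.g. `# Intentionally not using funkwhale_proxy.conf here: <reason>`. The inlined `proxy_set_header Connection $connection_upgrade;` also depends on a `map $http_upgrade $connection_upgrade` in the enclosing `http {` block, which starts outside this hunk; if that map only accompanied the include, it still has to be present for this location. The hunk ends at the location's closing brace, so anything after it is not visible here.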