diff --git a/.env.sample b/.env.sample
index 6e16b7d..666f3b7 100644
--- a/.env.sample
+++ b/.env.sample
@@ -7,7 +7,6 @@
 DOMAIN=grist.example.com
 LETS_ENCRYPT_ENV=production
 GRIST_SUPPORT_ANON=false
-SECRET_GRIST_SESSION_SECRET_VERSION=v1
 #GRIST_SANDBOX_FLAVOR=
 GRIST_SINGLE_ORG="yourorg"
 GRIST_ORG_IN_PATH=true
@@ -15,3 +14,6 @@ COOKIE_MAX_AGE=7776000000
 GRIST_FORCE_LOGIN=true
 GRIST_HIDE_UI_ELEMENTS=billing,sendToDrive
 GRIST_DEFAULT_EMAIL=grist@example.com
+
+SECRET_GRIST_SESSION_SECRET_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..5c54e9d
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export ENTRYPOINT_CONF_VERSION=v1
diff --git a/compose.yml b/compose.yml
index aab4fe1..0899707 100644
--- a/compose.yml
+++ b/compose.yml
@@ -5,14 +5,14 @@ services:
 - proxy
 - internal
 environment:
- GRIST_DATABASE_URL=postgresql://${STACK_NAME}_db:5432/grist
 - TYPEORM_DATABASE=grist
 - TYPEORM_TYPE=postgres
 - TYPEORM_USERNAME=grist
+ - TYPEORM_PASSWORD_FILE=/run/secrets/db_password
 - REDIS_URL=redis://${STACK_NAME}_redis:6379
 - GRIST_DATA_DIR=/var/grist-data
 - GRIST_SUPPORT_ANON
- - SESSION_SECRET_FILE=/run/secrets/
+ - SESSION_SECRET_FILE=/run/secrets/session_secret
 - GRIST_SANDBOX_FLAVOR=unsandboxed
 - APP_HOME_URL=https://${DOMAIN}
 - APP_DOC_URL=https://${DOMAIN}
@@ -24,6 +24,12 @@ services:
 - GRIST_DEFAULT_EMAIL
 secrets:
 - session_secret
+ - db_password
+ configs:
+ - source: entrypoint_conf
+ target: /docker-entrypoint.sh
+ mode: 0555
+ entrypoint: /docker-entrypoint.sh
 volumes:
 - grist_data:/persist
 depends_on:
@@ -78,3 +84,9 @@ networks:
 proxy:
 external: true
 internal:
+
+configs:
+ entrypoint_conf:
+ name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100755
index 0000000..852298d
--- /dev/null
+++ b/entrypoint.sh.tmpl
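Review bot: The app service's `secrets:` list in the second compose.yml hunk now references `db_password`, but no hunk in this diff adds a matching entry to the top-level `secrets:` section or changes the database service to read the same secret. Unless both already exist outside the visible hunks, the stack will either fail to deploy on the undefined secret or run with application and database credentials that do not match. If the declaration is missing, by analogy with the `entrypoint_conf` name it would presumably be `name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}` with `external: true`. The service definition starts and ends outside the hunk, so this needs checking against the full file.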
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+
+file_env TYPEORM_PASSWORD
+file_env SESSION_SECRET
+
+exec ./sandbox/run.sh $@
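Review bot: The last line, `exec ./sandbox/run.sh $@`, passes `$@` unquoted, so any argument containing whitespace or glob characters is re-split before it reaches run.sh; it should be `exec ./sandbox/run.sh "$@"`. `file_env` also exports an empty string when neither the variable nor its `_FILE` counterpart is set, or when the secret file is empty, because both calls omit a default. The service would then start with an empty `TYPEORM_PASSWORD` or `SESSION_SECRET` instead of failing; a guard such as `[ -n "$val" ] || { echo >&2 "error: $var is empty"; exit 1; }` before the `export` would surface that at startup. The shim also moves each secret from `/run/secrets` into the process environment, which child processes inherit, and compose.yml sets `GRIST_SANDBOX_FLAVOR=unsandboxed`. A comment above the two `file_env` calls should record that trade-off.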