diff --git a/.drone.yml b/.drone.yml
index 7e799f4..fa68dc3 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -17,6 +17,7 @@ steps:
 DOMAIN: {{ .Name }}.swarm-test.autonomic.zone
 STACK_NAME: {{ .Name }}
 LETS_ENCRYPT_ENV: production
+ SECRET_DB_PASSWORD_VERSION: v1
 trigger:
 branch:
 - main
diff --git a/.env.sample b/.env.sample
index 37390ed..2d11ca2 100644
--- a/.env.sample
+++ b/.env.sample
@@ -17,11 +17,9 @@ DB_DATA_LOCATION=./postgres
 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
 # TZ=Etc/UTC
-# Connection secret for postgres. You should change it to a random password
-# Please use only the characters `A-Za-z0-9`, without special characters or spaces
-DB_PASSWORD=postgres
-
 # The values below this line do not need to be changed
 ###################################################################################
 DB_USERNAME=postgres
 DB_DATABASE_NAME=immich
+
+SECRET_DB_PASSWORD_VERSION=v1
diff --git a/README.md b/README.md
index c3fa6e6..0f9a0b2 100644
--- a/README.md
+++ b/README.md
@@ -5,13 +5,13 @@
 * **Category**: Apps
-* **Status**: 0
+* **Status**: 1
 * **Image**: [`immich`](https://hub.docker.com/r/immich), 4, upstream
 * **Healthcheck**: No
 * **Backups**: No
-* **Email**: No
+* **Email**: 1
 * **Tests**: No
-* **SSO**: No
+* **SSO**: 1 (Oauth)
@@ -23,6 +23,9 @@ For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+## How do I integrate with Keycloak SSO?
+
+See https://docs.immich.app/administration/oauth/. The `ISSUER_URL` in the Immich settings should be `https:///realms//.well-known/openid-configuration`.
 ## Volume
diff --git a/compose.yml b/compose.yml
index c5d99a4..e28d6b2 100644
--- a/compose.yml
+++ b/compose.yml
@@ -12,9 +12,11 @@ services:
 - DB_DATA_LOCATION
 - TZ
 - IMMICH_VERSION
- - DB_PASSWORD
+ - DB_PASSWORD_FILE=/run/secrets/db_password
 - DB_USERNAME
 - DB_DATABASE_NAME
+ secrets:
+ - db_password
 networks:
 - proxy
 - backend
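Review bot: `SECRET_DB_PASSWORD_VERSION=v1` is placed under the `# The values below this line do not need to be changed` banner, yet bumping it is exactly what an operator must do to point the stack at a new database secret, so the banner now misleads. Move the line above the banner, or add a comment such as `# Bump to switch to a newly created db_password secret; the secret itself is created outside this file`. The removed `DB_PASSWORD` comment also carried the `A-Za-z0-9` character restriction; if that restriction still applies to the contents of the generated secret, it should be restated here, since this file is now the only place an operator will see it. The same version value is set in the `.drone.yml` hunk without any comment, so the two can drift silently; a one-line comment there pointing at this file would help.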
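Review bot: `- DB_PASSWORD_FILE=/run/secrets/db_password` hard-codes the mount path that the new service-level `secrets: - db_password` entry produces, and nothing in the file links the two for a reader; a comment on the environment line, `# path follows from the db_password entry under this service's secrets:`, keeps a future rename from breaking only one side. Because the hunk's indentation is not visible in this view, it cannot be confirmed here that the added `secrets:` sits under the app service rather than directly under `services:`; a `docker compose config` run before merge would settle it. The enclosing service definition starts before the hunk.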
@@ -40,24 +42,33 @@ services:
 - backend
 healthcheck:
 disable: false
+
 redis:
 image: redis:8.2-alpine
 healthcheck:
 test: redis-cli ping || exit 1
 networks:
 - backend
+
 database:
 image: tensorchord/pgvecto-rs:pg14-v0.2.0
 environment:
- POSTGRES_PASSWORD: ${DB_PASSWORD}
+ POSTGRES_PASSWORD_FILE: /run/secrets/db_password
 POSTGRES_USER: ${DB_USERNAME}
 POSTGRES_DB: ${DB_DATABASE_NAME}
 POSTGRES_INITDB_ARGS: '--data-checksums'
+ secrets:
+ - db_password
 volumes:
 - postgres:/var/lib/postgresql/data
 networks:
 - backend
+secrets:
+ db_password:
+ external: true
+ name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+
 networks:
 proxy:
 external: true
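Review bot: `POSTGRES_PASSWORD_FILE` is only consulted by the postgres entrypoint when `postgres:/var/lib/postgresql/data` is first initialised, so bumping `SECRET_DB_PASSWORD_VERSION` on an existing deployment creates a new secret for the app while the database keeps its old password and the app stops authenticating; a comment above the top-level `secrets:` block should say that a version bump is not a rotation by itself and must be paired with changing the role's password inside postgres. `name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}` interpolates an unset version variable to an empty string and fails later with a confusing missing-secret lookup; `name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION:?SECRET_DB_PASSWORD_VERSION is unset}` fails early with a readable message. The `_FILE` convention is honoured by the official postgres entrypoint; `tensorchord/pgvecto-rs:pg14-v0.2.0` is presumably built on it, but that is worth confirming, since an entrypoint that ignores the variable would leave the superuser password unset at init. The `database` service continues past the hunk's end only through the top-level `networks:` block shown here; its definition is complete within the hunk.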