diff --git a/.env.sample b/.env.sample
index 88dd5b1..ac86068 100644
--- a/.env.sample
+++ b/.env.sample
@@ -6,3 +6,7 @@ DOMAIN=limesurvey.example.com
 #EXTRA_DOMAINS=', `www.limesurvey.example.com`'
 LETS_ENCRYPT_ENV=production
+
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_LIMESURVEY_ADMIN_PASSWORD_VERSION=v1
\ No newline at end of file
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..8069c2e
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export ENTRYPOINT_VERSION=v1
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
index 4130131..0a2f167 100644
--- a/compose.yml
+++ b/compose.yml
@@ -11,10 +11,20 @@ services:
 - internal
 environment:
 - "DB_HOST=${STACK_NAME}_db"
- - "DB_PASSWORD=secret"
- - "ADMIN_PASSWORD=foobar"
+ - "DB_PASSWORD_FILE=/run/secrets/db_password"
+ - "ADMIN_PASSWORD_FILE=/run/secrets/limesurvey_admin_password"
 - "PUBLIC_URL=https://${DOMAIN}"
 - "BASE_URL=https://${DOMAIN}"
+ configs:
+ - source: entrypoint
+ target: /usr/local/bin/custom-entrypoint.sh
+ mode: 0555
+ secrets:
+ - db_password
+ - limesurvey_admin_password
+ entrypoint: /usr/local/bin/custom-entrypoint.sh
+ volumes:
+ - app:/var/www/html/upload/surveys
 deploy:
 labels:
 - "traefik.enable=true"
@@ -27,6 +37,12 @@ services:
 #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
 #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 - "coop-cloud.${STACK_NAME}.version="
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8080"]
+ interval: 30s
+ timeout: 10s
+ retries: 10
+ start_period: 1m
 db:
 image: mysql:5.7
 networks:
@@ -34,15 +50,35 @@ services:
 environment:
 - "MYSQL_USER=limesurvey"
 - "MYSQL_DATABASE=limesurvey"
- - "MYSQL_PASSWORD=secret"
- - "MYSQL_ROOT_PASSWORD=secret"
+ - "MYSQL_PASSWORD_FILE=/run/secrets/db_password"
+ - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password"
 volumes:
 - mariadb:/var/lib/mysql
+ secrets:
+ - db_password
+ - db_root_password
 volumes:
+ app:
 mariadb:
 networks:
 proxy:
 external: true
 internal:
+
+configs:
+ entrypoint:
+ name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+ file: entrypoint.sh
+
+secrets:
+ db_root_password:
+ external: true
+ name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+ db_password:
+ external: true
+ name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+ limesurvey_admin_password:
+ external: true
+ name: ${STACK_NAME}_limesurvey_admin_password_${SECRET_LIMESURVEY_ADMIN_PASSWORD_VERSION}
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..5f78f01
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "ADMIN_PASSWORD"
+file_env "DB_PASSWORD"
+bash -c "/usr/local/bin/entrypoint.sh apache2-foreground"
\ No newline at end of file
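Review bot: In the compose.yml `db` service, a deployment whose `mariadb` volume already holds a database will keep the old `secret` passwords, because the official mysql image applies `MYSQL_PASSWORD_FILE` and `MYSQL_ROOT_PASSWORD_FILE` only when it initialises an empty data directory. The app would then read the new value from `/run/secrets/db_password` and fail to authenticate, while the weak credentials stay valid on the server. A comment above the two `*_FILE` lines would help, for example `# only read on first init of the data volume; change existing passwords with ALTER USER`. The upgrade notes should also say that the three `external: true` secrets must exist, with names matching the version suffixes, before deploy. The `db` service definition starts above this hunk.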
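Review bot: The last line of entrypoint.sh starts the image's entrypoint through `bash -c`, which leaves this wrapper shell as PID 1, so a stop signal is unlikely to reach Apache and the container would be killed only after the stop timeout. `exec /usr/local/bin/entrypoint.sh apache2-foreground` replaces the wrapper and drops the extra shell. Separately, `file_env` exports `ADMIN_PASSWORD` and `DB_PASSWORD`, so every child process inherits the secrets in its environment. That is presumably what the upstream entrypoint requires, but a comment such as `# upstream entrypoint reads these from the environment only` would record why the values leave the secret file, once confirmed against the image.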