diff --git a/abra.sh b/abra.sh index 09b6f31..9af2fa4 100644 --- a/abra.sh +++ b/abra.sh @@ -1,4 +1,5 @@ # shellcheck disable=SC2148 +export ENTRYPOINT_CONF_VERSION=v1 #MASTO_APP_DIR="mastodon/public" sub_rake() { diff --git a/compose.yml b/compose.yml index a47d519..599d365 100644 --- a/compose.yml +++ b/compose.yml @@ -76,6 +76,11 @@ services: # - "traefik.http.routers.${STACK_NAME}_hack.entrypoints=websecure" # - "traefik.http.routers.${STACK_NAME}_hack.middlewares=mastodon-webfinger@docker" + configs: &configs + - source: entrypoint_sh + target: /usr/local/bin/entrypoint.sh + mode: 0555 + entrypoint: &entrypoint /usr/local/bin/entrypoint.sh volumes: &appVolume - app:/mastodon secrets: &secrets @@ -88,7 +93,7 @@ services: - DB_HOST - DB_USER - DB_NAME - - DB_PASS + - DB_PASS_FILE=/run/secrets/db_password - DB_PORT - REDIS_HOST - REDIS_PORT @@ -104,10 +109,10 @@ services: - ES_PREFIX - STATSD_ADDR - STATSD_NAMESPACE - - VAPID_PRIVATE_KEY + - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key - VAPID_PUBLIC_KEY - - OTP_SECRET - - SECRET_KEY_BASE + - OTP_SECRET_FILE=/run/secrets/otp_secret + - SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base - LOCAL_DOMAIN - WEB_DOMAIN - ALTERNATE_DOMAINS @@ -124,7 +129,7 @@ services: - SMTP_SERVER - SMTP_PORT - SMTP_LOGIN - - SMTP_PASSWORD + - SMTP_PASSWORD_FILE=/run/secrets/smtp_password - SMTP_FROM_ADDRESS - SMTP_DOMAIN - SMTP_DELIVERY_METHOD @@ -174,6 +179,8 @@ services: streaming: image: *image command: node ./streaming + configs: *configs + entrypoint: *entrypoint secrets: *secrets networks: *bothNetworks healthcheck: @@ -205,6 +212,8 @@ services: image: *image secrets: *secrets command: bundle exec sidekiq + configs: *configs + entrypoint: *entrypoint deploy: update_config: failure_action: rollback @@ -241,3 +250,9 @@ networks: external: true internal_network: internal: true + +configs: + entrypoint_sh: + name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION} + file: entrypoint.sh.tmpl + template_driver: golang 
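Review bot: Setting `entrypoint:` in the -76 hunk means DB_PASS, OTP_SECRET and the other secrets exist as environment variables only in the process tree that entrypoint.sh starts. A command run later with `docker exec` gets the container's configured environment, that is `DB_PASS_FILE=...` but no `DB_PASS`. abra.sh defines `sub_rake` (its body is outside this diff); if that helper execs into the running container, it presumably needs to go through the wrapper too. I would document this next to the anchor, e.g. `# secrets are exported by entrypoint.sh at start; exec'd commands must be run via /usr/local/bin/entrypoint.sh`. The service definition this hunk edits starts and ends outside the hunk.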
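Review bot: The five `*_FILE` entries (the -88 hunk, and the ones at -104 and -124) are hard-coded paths, and entrypoint.sh reads each with `$(< ...)` under `set -eu`, so a service that does not have all five secrets mounted exits before Mastodon starts. That is a reasonable fail-closed default, but it makes `smtp_password` mandatory even where SMTP authentication is unused. The `secrets: &secrets` list that must name all five is outside the hunks. A comment above the block would make the contract visible: `# each *_FILE below needs a matching entry in the secrets list (db_password, vapid_private_key, otp_secret, secret_key_base, smtp_password)`.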
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..b9cc5c1
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "DB_PASS"
+file_env "OTP_SECRET"
+file_env "SECRET_KEY_BASE"
+file_env "SMTP_PASSWORD"
+file_env "VAPID_PRIVATE_KEY"
+
+/usr/bin/tini -- "$@"
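Review bot: The last line runs `/usr/bin/tini -- "$@"` as a child of bash, so bash stays PID 1 and tini cannot act as the container's init. The SIGTERM sent on stop goes to bash, which does not pass it on while it waits for the child, so a stop likely ends in the kill timeout instead of a clean shutdown. Replace the line with `exec /usr/bin/tini -- "$@"`. It would also help to add a comment above `file_env` stating the contract, e.g. `# reads VAR or VAR_FILE (never both), exports VAR, unsets VAR_FILE; the secret is then inherited by every child process`.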