diff --git a/.env.sample b/.env.sample
index 5fdbedb..296379a 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,8 +1,27 @@
 TYPE=ohmyform
-DOMAIN=ohmyform.example.com
-
-## Domain aliases
-#EXTRA_DOMAINS=', `www.ohmyform.example.com`'
+DOMAIN={{ .Domain }}
 LETS_ENCRYPT_ENV=production
+
+# https://ohmyform.com/docs/env/
+
+ADMIN_EMAIL=me@example.com
+CREATE_ADMIN="TRUE"
+
+LOGIN_NOTE="destroy google forms comrades"
+
+SIGNUP_DISABLED="FALSE"
+
+DEFAULT_ROLE=user
+
+HIDE_CONTRIB="TRUE"
+
+SECRET_ADMIN_PASSWORD_VERSION=v1
+SECRET_SECRET_KEY_VERSION=v1
+
+# SMTP
+#SMTP_ENABLED=1
+#MAILER_HOST=mail.example.com
+#MAILER_FROM=noreply@example.com
+#SECRET_SMTP_PASSWORD_VERSION=v1
diff --git a/README.md b/README.md
index fa9e834..ce5d00f 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # ohmyform
-> One line description of the recipe
+> Craft beautiful forms in seconds
diff --git a/compose.smtp.yml b/compose.smtp.yml
new file mode 100644
index 0000000..af8c3a9
--- /dev/null
+++ b/compose.smtp.yml
@@ -0,0 +1,17 @@
+---
+version: "3.8"
+
+services:
+ app:
+ secrets:
+ - smtp_password
+ environment:
+ - MAILER_FROM
+ - MAILER_HOST
+ - SMTP_ENABLED
+ - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+
+secrets:
+ smtp_password:
+ external: true
+ name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
diff --git a/compose.yml b/compose.yml
index a2c3805..3e36431 100644
--- a/compose.yml
+++ b/compose.yml
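Review bot: `HIDE_CONTRIB="TRUE"` in `.env.sample` has no effect as written, because the `environment:` list this commit adds to `compose.yml` never forwards `HIDE_CONTRIB` to the container; add `- HIDE_CONTRIB` there or drop the line from the sample. The sample also ships `SIGNUP_DISABLED="FALSE"` next to `CREATE_ADMIN="TRUE"`, so a deployment copied from it presumably accepts public self-registration. A comment above that line, such as `# set to "TRUE" to stop public self-registration`, would make the default a deliberate choice. The commented SMTP block does not say how `compose.smtp.yml` gets included in the deployment, and without that overlay `SMTP_ENABLED` and the `smtp_password` secret never reach the service.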
@@ -3,30 +3,54 @@ version: "3.8" services: app: - image: nginx:1.20.0 + image: ohmyform/ohmyform:1.0.3 networks: - proxy + volumes: + - form-data:/data + secrets: + - secret_key + - admin_password + environment: + - ADMIN_EMAIL + - ADMIN_PASSWORD_FILE=/run/secrets/admin_password + - ADMIN_USERNAME=admin + - CREATE_ADMIN + - DATABASE_DRIVER=sqlite + - DATABASE_URL="sqlite:///data/data.sqlite" + - DEFAULT_ROLE + - LOGIN_NOTE + - NODE_ENV=production + - SECRET_KEY_FILE=/run/secrets/secret_key + - SIGNUP_DISABLED + configs: + - source: app_entrypoint + target: /docker-entrypoint.sh + mode: 0555 + entrypoint: /docker-entrypoint.sh + command: "/usr/bin/supervisord -c /etc/supervisord.conf" deploy: restart_policy: condition: on-failure labels: - "traefik.enable=true" - - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" - - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3000" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - ## Redirect from EXTRA_DOMAINS to DOMAIN - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - "coop-cloud.${STACK_NAME}.version=" - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost"] - interval: 30s - timeout: 10s - retries: 10 - start_period: 1m + +volumes: + form-data: networks: proxy: external: true + +secrets: + admin_password: + external: true + name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION} + secret_key: + external: true + name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} 
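Review bot: The service-level `configs:` entry references `app_entrypoint`, but no top-level `configs:` section defines it in this commit, and the hunk's line counts suggest it runs to the end of `compose.yml`. Unless the definition lives outside this diff, deployment would be expected to fail on the undefined config, and `entrypoint.sh.tmpl` would never be rendered or mounted. A definition along the lines below would wire it in, with `template_driver: golang` so the `{{ env … }}` expressions in the template are expanded. Separately, in list-form `environment:` the quotes in `DATABASE_URL="sqlite:///data/data.sqlite"` are part of the value, so the application receives them literally; write `- DATABASE_URL=sqlite:///data/data.sqlite`.

```yaml
# … unchanged: services, volumes, networks, secrets …

configs:
  app_entrypoint:
    # the version suffix variable is a placeholder; it is not defined on this page
    name: ${STACK_NAME}_app_entrypoint_${ENTRYPOINT_VERSION_PLACEHOLDER}
    file: entrypoint.sh.tmpl
    template_driver: golang
```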
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..c37c6fb
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "ADMIN_PASSWORD"
+
+file_env "SECRET_KEY"
+
+{{ if eq (env "SMTP_ENABLED") "1" }}
+file_env "SMTP_PASSWORD"
+export MAILER_URI="smtp://{{ env "MAILER_FROM" }}:${SMTP_PASSWORD}@{{ env "MAILER_HOST" }}"
+{{ end }}
+
+# upstream entrypoint (missing, so thread CMD)
+# https://github.com/ohmyform/ohmyform/blob/master/Dockerfile
+exec "$@"
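Review bot: `MAILER_URI` is built by pasting `MAILER_FROM` and `${SMTP_PASSWORD}` unencoded into the userinfo part of the URI, so any `@`, `:`, `/`, `#` or `%` in either value changes how the URI is parsed. The sample `MAILER_FROM=noreply@example.com` already contains an `@`, which would shift where a parser sees the host. Percent-encode both parts before interpolation, for example with a small helper like the one below. Separately, the scheme is plain `smtp://`; whether the upstream mailer upgrades that connection with STARTTLS is not visible here, so confirm the password is not sent in clear text.

```shell
# Percent-encode a value for the userinfo part of a URI (byte-wise).
urlencode() {
  local LC_ALL=C s="$1" out="" c i
  for (( i = 0; i < ${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      [a-zA-Z0-9.~_-]) out+="$c" ;;
      *) printf -v c '%%%02X' "'$c"; out+="$c" ;;
    esac
  done
  printf '%s' "$out"
}

# … unchanged: file_env definition and the ADMIN_PASSWORD / SECRET_KEY calls …
file_env "SMTP_PASSWORD"
export MAILER_URI="smtp://$(urlencode "{{ env "MAILER_FROM" }}"):$(urlencode "${SMTP_PASSWORD}")@{{ env "MAILER_HOST" }}"
```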