diff --git a/.env.sample b/.env.sample
index 1351659..845a699 100644
--- a/.env.sample
+++ b/.env.sample
@@ -6,3 +6,9 @@ DOMAIN=seafile.example.com
 #EXTRA_DOMAINS=', `www.seafile.example.com`'
 LETS_ENCRYPT_ENV=production
+
+TIME_ZONE=Etc/UTC
+SEAFILE_ADMIN_EMAIL=me@example.com
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_SEAFILE_ADMIN_PASSWORD_VERSION=v1
\ No newline at end of file
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..8069c2e
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export ENTRYPOINT_VERSION=v1
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
index 8f89f4d..0244f49 100644
--- a/compose.yml
+++ b/compose.yml
@@ -11,12 +11,20 @@ services:
 - data:/shared
 environment:
 - DB_HOST=db
- - DB_ROOT_PASSWD=db_dev
- - TIME_ZONE=Etc/UTC
- - SEAFILE_ADMIN_EMAIL=me@example.com
- - SEAFILE_ADMIN_PASSWORD=asecret
+ - DB_ROOT_PASSWD_FILE=/run/secrets/db_root_password
+ - TIME_ZONE
+ - SEAFILE_ADMIN_EMAIL
+ - SEAFILE_ADMIN_PASSWORD_FILE=/run/secrets/seafile_admin_password
 - SEAFILE_SERVER_LETSENCRYPT=false
 # - SEAFILE_SERVER_HOSTNAME=docs.seafile.com # Specifies your host name if https is enabled.
+ configs:
+ - source: entrypoint
+ target: /scripts/custom-entrypoint.sh
+ mode: 0555
+ secrets:
+ - db_root_password
+ - seafile_admin_password
+ entrypoint: /scripts/custom-entrypoint.sh
 deploy:
 restart_policy:
 condition: on-failure
@@ -37,10 +45,12 @@ services:
 db:
 image: mariadb:10.5
 environment:
- - MYSQL_ROOT_PASSWORD=db_dev
+ - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
 - MYSQL_LOG_CONSOLE=true
 volumes:
 - db:/var/lib/mysql
+ secrets:
+ - db_root_password
 memcached:
 image: memcached:1.6
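Review bot: Switching `DB_ROOT_PASSWD` and `SEAFILE_ADMIN_PASSWORD` to `/run/secrets/...` in the `environment:` list does not change the credentials of a stack that was already initialised with the old literals `db_dev` and `asecret`; the same holds for `MYSQL_ROOT_PASSWORD_FILE` in the `db` service hunk further down. The official MariaDB image applies its root-password variables only when it initialises an empty data directory, and the Seafile admin account is presumably created once on first start, so existing volumes keep the old values, which also remain readable in the repository history. I would document the migration next to the new entries, for example `# Existing deployments: rotate the DB root and Seafile admin passwords by hand; the secret is only applied on first initialisation.`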
@@ -54,3 +64,17 @@ networks:
 default:
 proxy:
 external: true
+
+configs:
+ entrypoint:
+ name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+ file: entrypoint.sh
+
+secrets:
+ db_root_password:
+ external: true
+ name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+ seafile_admin_password:
+ external: true
+ name: ${STACK_NAME}_seafile_admin_password_${SECRET_SEAFILE_ADMIN_PASSWORD_VERSION}
+
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..891e950
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "DB_ROOT_PASSWD"
+file_env "SEAFILE_ADMIN_PASSWORD"
+bash -c "/sbin/my_init -- /scripts/enterpoint.sh"
\ No newline at end of file
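Review bot: `file_env` exports an empty value when neither the variable nor its `_FILE` counterpart is set, or when the secret file is empty, so startup continues with an empty `DB_ROOT_PASSWD` or `SEAFILE_ADMIN_PASSWORD` instead of failing. A guard after the two calls would stop that, for example `: "${DB_ROOT_PASSWD:?DB_ROOT_PASSWD or DB_ROOT_PASSWD_FILE is required}"` and the same for the admin password. Separately, the last line starts `my_init` through a child `bash -c`, which leaves this script as PID 1 and likely means stop signals are not passed on; `exec /sbin/my_init -- /scripts/enterpoint.sh` would hand PID 1 to the init process. The secrets are also re-exported into the environment that every child process inherits, which may be unavoidable if the image only reads them from environment variables, but it deserves a comment at the top of the script.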