diff --git a/.env.sample b/.env.sample
index 5640a81..7db8d1c 100644
--- a/.env.sample
+++ b/.env.sample
@@ -18,6 +18,12 @@ COMPOSE_FILE=compose.yml
 
 #VIKUNJA_RATELIMIT_NOAUTHLIMIT=10
 
+# uncomment to enable local authentication
+# LOCAL_AUTH_ENABLED=true
+# uncomment to enable self-registration (if disabled, can be done via
+# command line in the api container with vikunja user command)
+# LOCAL_REGISTRATION_ENABLED=true
+
 # SSO OAUTH
 # e.g. see https://goauthentik.io/integrations/services/vikunja/
 # COMPOSE_FILE="${COMPOSE_FILE}:compose.oauth.yml"
diff --git a/abra.sh b/abra.sh
index 703aedb..4d8a47b 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1 +1 @@
-export CONFIG_YML_VERSION=v4
+export CONFIG_YML_VERSION=v6
diff --git a/compose.yml b/compose.yml
index 4c8612c..ac43d32 100644
--- a/compose.yml
+++ b/compose.yml
@@ -8,6 +8,8 @@ services:
       - DOMAIN
       - LOG_LEVEL
       - VIKUNJA_RATELIMIT_NOAUTHLIMIT
+      - LOCAL_AUTH_ENABLED
+      - LOCAL_REGISTRATION_ENABLED
     volumes:
       - files:/app/vikunja/files
     networks:
diff --git a/config.yml.tmpl b/config.yml.tmpl
index 23c893d..adb8c96 100644
--- a/config.yml.tmpl
+++ b/config.yml.tmpl
@@ -33,7 +33,11 @@ service:
 #   # Enable sharing of lists via a link
 #   enablelinksharing: true
 #   # Whether to let new users registering themselves or not
-#   enableregistration: true
+{{ if eq (env "LOCAL_REGISTRATION_ENABLED") "true" }}
+  enableregistration: true
+{{ else }}
+  enableregistration: false
+{{ end }}
 #   # Whether to enable task attachments or not
 #   enabletaskattachments: true
 #   # The time zone all timestamps are in. Please note that time zones have to use [the official tz database names](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). UTC or GMT offsets won't work.
@@ -290,7 +294,11 @@ auth:
   # This is the default auth mechanism and does not require any additional configuration.
   local:
     # Enable or disable local authentication
+{{ if eq (env "LOCAL_AUTH_ENABLED") "true" }}
+    enabled: true
+{{ else }}
     enabled: false
+{{ end }}
   # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
   # The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
   # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
