diff --git a/.env.sample b/.env.sample
index 4dc560a..a5a34fe 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,12 +1,17 @@
 TYPE=wallabag
-DOMAIN=wallabag.example.com
+DOMAIN={{ .Domain }}
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wallabag.example.com`'
 LETS_ENCRYPT_ENV=production
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_APP_SECRET_VERSION=v1
+SECRET_SMTP_PASSWORD=v1
 # Wallabag options, see https://github.com/wallabag/docker
-SYMFONY__ENV__FOSUSER_REGISTRATION=false
+SYMFONY__ENV__FOSUSER_REGISTRATION=true
+SYMFONY__ENV__MAILER_HOST=127.0.0.1
+SYMFONY__ENV__MAILER_USER=~
+SYMFONY__ENV__FROM_EMAIL=
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..e6c130b
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export ENTRYPOINT_VERSION=v1
diff --git a/compose.yml b/compose.yml
index c38161a..a2209ed 100644
--- a/compose.yml
+++ b/compose.yml
@@ -12,16 +12,15 @@ services:
 - SYMFONY__ENV__DATABASE_USER=wallabag
 # FIXME: use Docker secrets, see
 # https://github.com/wallabag/docker/issues/186
- - SYMFONY__ENV__DATABASE_PASSWORD=$DB_PASSWORD
+ - SYMFONY__ENV__DATABASE_PASSWORD_FILE=/run/secrets/db_password
 - SYMFONY__ENV__DATABASE_CHARSET=utf8mb4
- - SYMFONY__ENV__MAILER_HOST=127.0.0.1
- - SYMFONY__ENV__MAILER_USER=~
- - SYMFONY__ENV__MAILER_PASSWORD=~
- - SYMFONY__ENV__FROM_EMAIL=${FROM_EMAIL}
+ - SYMFONY__ENV__MAILER_HOST
+ - SYMFONY__ENV__MAILER_USER
+ - SYMFONY__ENV__MAILER_PASSWORD=/run/secrets/smtp_password
+ - SYMFONY__ENV__FROM_EMAIL
 - SYMFONY__ENV__DOMAIN_NAME=https://${DOMAIN}
 - SYMFONY__ENV__FOSUSER_REGISTRATION
- ports:
- - "80"
+ - SYMFONY__ENV__SECRET_FILE=/run/secrets/app_secret
 volumes:
 - images:/var/www/wallabag/web/assets/images
 networks:
@@ -30,6 +29,13 @@ services:
 secrets:
 - db_password
 #- admin_password
+ - app_secret
+ - smtp_password
+ entrypoint: /custom-entrypoint.sh
+ configs:
+ - source: entrypoint
+ target: /custom-entrypoint.sh
+ mode: 0555
 deploy:
 restart_policy:
 condition: on-failure
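Review bot: `SYMFONY__ENV__FOSUSER_REGISTRATION=true` in .env.sample changes the sample default to open self-registration, so an instance deployed from this file lets anyone who can reach the domain create an account. Keeping `SYMFONY__ENV__FOSUSER_REGISTRATION=false` in the sample and letting operators opt in, or at least adding a comment such as `# true allows anyone who can reach the site to sign up`, would avoid an accidental open instance. Separately, `SECRET_SMTP_PASSWORD=v1` breaks the `SECRET_*_VERSION` convention of the three neighbouring lines and reads as if it held the password itself; `SECRET_SMTP_PASSWORD_VERSION=v1` would match, with the same rename at `${SECRET_SMTP_PASSWORD}` in the `secrets:` section of compose.yml.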
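Review bot: `SYMFONY__ENV__MAILER_PASSWORD=/run/secrets/smtp_password` in the first compose.yml hunk sets the mailer password to the literal path string rather than the secret's contents. Unlike the database password and app secret, the variable has no `_FILE` suffix, and the new entrypoint.sh.tmpl only calls `file_env` for `SYMFONY__ENV__DATABASE_PASSWORD` and `SYMFONY__ENV__SECRET`. The line should read `- SYMFONY__ENV__MAILER_PASSWORD_FILE=/run/secrets/smtp_password`, with a matching `file_env "SYMFONY__ENV__MAILER_PASSWORD"` added to the entrypoint. The `# FIXME: use Docker secrets` comment kept as context above looks stale after this change and could be removed.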
@@ -65,14 +71,28 @@ services:
 volumes:
 images:
 mariadb:
+
 networks:
 proxy:
 external: true
 internal:
+
 secrets:
 db_password:
 external: true
- name: ${STACK_NAME}_db_password_${DB_PASSWORD_VERSION}
+ name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
 db_root_password:
 external: true
- name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
+ name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+ app_secret:
+ external: true
+ name: ${STACK_NAME}_app_secret_${SECRET_APP_SECRET_VERSION}
+ smtp_password:
+ external: true
+ name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD}
+
+configs:
+ entrypoint:
+ name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..97bdd3e
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "SYMFONY__ENV__DATABASE_PASSWORD"
+file_env "SYMFONY__ENV__SECRET"
+
+# https://github.com/wallabag/docker/blob/master/root/entrypoint.sh
+sh -c "/entrypoint.sh migrate"
+sh -c "/entrypoint.sh wallabag"
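Review bot: The last line of entrypoint.sh.tmpl, `sh -c "/entrypoint.sh wallabag"`, starts the application without `exec`, so this bash script stays PID 1 with an extra `sh` in between. The stop signal Docker sends on shutdown or redeploy is then unlikely to reach wallabag, and the container would presumably be killed after the grace period. Running the steps directly as `/entrypoint.sh migrate` followed by `exec /entrypoint.sh wallabag` removes both wrappers. It would also help to put a comment above `file_env` such as `# Exports the secret into the process environment; every child process inherits it`, since that is the trade-off of adapting file-based secrets to an image that only reads environment variables.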