diff --git a/.env.sample b/.env.sample index 90851a3..ae36ba6 100644 --- a/.env.sample +++ b/.env.sample @@ -7,6 +7,8 @@ DOMAIN=bigbluebutton.example.com LETS_ENCRYPT_ENV=production +SECRET_POSTGRES_PASSWORD_VERSION=v1 + # ==================================== # ADDITIONS to BigBlueButton # ==================================== diff --git a/compose.yml b/compose.yml index f7740b9..84bc6e8 100644 --- a/compose.yml +++ b/compose.yml @@ -359,7 +359,8 @@ services: - postgres - redis environment: - DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight-v3 # how to add docker secret here? + # DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight-v3 + # DATABASE_URL is being set by entrypoint-greenlight.sh REDIS_URL: redis://redis:6379 BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api BIGBLUEBUTTON_SECRET: /run/secret/shared_secret # can this use docker secrets? @@ -367,6 +368,13 @@ services: RELATIVE_URL_ROOT: / volumes: - greenlight_data:/usr/src/app/storage + configs: + - source: abra_entrypoint_greenlight + target: /entrypoint-greenlight.sh + mode: 0555 + secrets: + - postgres_password + entrypoint: /entrypoint-greenlight.sh networks: bbb-net: ipv4_address: 10.7.7.21 @@ -385,7 +393,7 @@ services: environment: POSTGRES_DB: greenlight-v3 POSTGRES_USER: postgres - POSTGRES_PASSWORD_FILE: /run/secret/postgresql_secret + POSTGRES_PASSWORD_FILE: /run/secret/postgres_password #healthcheck: #test: ["CMD-SHELL", "pg_isready -U postgres"] #interval: 10s @@ -393,6 +401,8 @@ services: #retries: 5 volumes: - "postgres_data:/var/lib/postgresql/data" + secrets: + - postgres_password networks: bbb-net: ipv4_address: 10.7.7.22 @@ -412,7 +422,9 @@ volumes: configs: turnserver_conf: name: ${STACK_NAME}_turnserver_conf_${TURNSERVER_CONF_VERSION} - + abra_entrypoint_greenlight: + name: ${STACK_NAME}_entrypoint_greenlight_${ENTRYPOINT_GREENLIGHT_VERSION} + file: ./entrypoint-greenlight.sh secrets: shared_secret: 
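Review bot: In the postgres service hunk (`@@ -385,7 +393,7 @@`), the new `POSTGRES_PASSWORD_FILE: /run/secret/postgres_password` uses the singular `/run/secret/`. Docker mounts secrets under `/run/secrets/`, and the entrypoint script added by this same commit reads `/run/secrets/postgres_password`. As written, the postgres image would presumably fail to find the password file when it initialises a fresh data directory. The line should read `POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password`. The unchanged context line `BIGBLUEBUTTON_SECRET: /run/secret/shared_secret` in the `@@ -359,7 +359,8 @@` hunk has the same singular path and is worth checking.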
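Review bot: In the `configs:` hunk (`@@ -412,7 +422,9 @@`), the new config name interpolates `${ENTRYPOINT_GREENLIGHT_VERSION}`, but nothing in this diff defines that variable; `.env.sample` only gains `SECRET_POSTGRES_PASSWORD_VERSION`. If it is not exported elsewhere (for example an `abra.sh` that is not shown), the name renders with an empty suffix. Because Docker configs are immutable, a later edit to `entrypoint-greenlight.sh` could then not be rolled out under a new name. Define the version where the other `*_VERSION` values live, and add a comment above the entry such as `# bump ENTRYPOINT_GREENLIGHT_VERSION whenever entrypoint-greenlight.sh changes`.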
@@ -424,9 +436,9 @@ secrets:
 rails_secret:
 external: true
 name: ${STACK_NAME}_rails_secret_${RAILS_SECRET_VERSION}
- postgresql_secret:
+ postgres_password:
 external: true
- name: ${STACK_NAME}_postgresql_secret_${POSTGRESQL_SECRET_VERSION}
+ name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
 fsesl_password:
 external: true
 name: ${STACK_NAME}_fsesl_password_${FSESL_PASSWORD_VERSION}
diff --git a/entrypoint-greenlight.sh b/entrypoint-greenlight.sh
new file mode 100644
index 0000000..b3ab6f6
--- /dev/null
+++ b/entrypoint-greenlight.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+if test -f "/run/secrets/postgres_password"; then
+ pwd=`cat /run/secrets/postgres_password`
+ if [ -z $pwd ]; then
+ echo >&2 "error: /run/secrets/postgres_password is empty"
+ exit 1
+ fi
+ echo "entrypoint-greenlight.sh setting DATABASE_URL"
+ export "DATABASE_URL"="postgres://postgres:${pwd}@postgres:5432/greenlight-v3"
+ unset "pwd"
+else
+ echo >&2 "error: /run/secrets/postgres_password does not exist"
+ exit 1
+fi
+
+# https://github.com/bigbluebutton/greenlight/blob/master/dockerfiles/v3/alpine
+./bin/start
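Review bot: In the new `entrypoint-greenlight.sh`, the secret is spliced into `DATABASE_URL` verbatim, so a password containing `@`, `:`, `/`, `#` or `?` would yield a URL that parses to the wrong credentials or host. Either restrict the generated secret to URL-safe characters and say so in a comment, or percent-encode it before building the URL. The emptiness test also leaves the variable unquoted, which lets the shell word-split and glob-expand the secret; it should be `if [ -z "$pwd" ]; then`. The final line should be `exec ./bin/start`, so that the application replaces the shell as PID 1 and receives the stop signal from Docker directly instead of being killed after the timeout.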