From 5f6651e6f09343948680f1573e5e45367062ba48 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Sun, 31 Jan 2021 15:05:50 +0300
Subject: [PATCH] initial for env-based setup

---
 .env-dist                  |   8 +-
 README.md                  |   8 +-
 app/Dockerfile             |  39 +++++++++
 app/config.docker.php      | 174 +++++++++++++++++++++++++++++++++++++
 app/config.php-config.d    |   4 +
 app/config.php-dist        | 170 ++++++++++++++++++++++++++++++++++++
 app/prepare-config.php     |   6 ++
 app/prepare-environment.sh |   3 +
 app/startup.sh             |  25 ++----
 app/updater.sh             |   2 +-
 config.d/.empty            |   0
 config.d/README.md         |   1 +
 docker-compose.yml         |  19 +---
 13 files changed, 415 insertions(+), 44 deletions(-)
 create mode 100644 app/config.docker.php
 create mode 100644 app/config.php-config.d
 create mode 100644 app/config.php-dist
 create mode 100755 app/prepare-config.php
 create mode 100755 app/prepare-environment.sh
 create mode 100644 config.d/.empty
 create mode 100644 config.d/README.md

diff --git a/.env-dist b/.env-dist
index b3b3197..a85523e 100644
--- a/.env-dist
+++ b/.env-dist
@@ -4,12 +4,8 @@
 POSTGRES_USER=postgres
 POSTGRES_PASSWORD=password
 
-OWNER_UID=1000
-OWNER_GID=1000
-
-# You can keep this as localhost unless you want to use the ssl sidecar 
-# container (I suggest terminating ssl on the reverse proxy instead).
-HTTP_HOST=localhost
+# This is only used by web-ssl container.
+#HTTP_HOST=localhost
 
 # You will likely need to set this to the correct value, see README.md
 # for more information.
diff --git a/README.md b/README.md
index 3339384..e2fd362 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ General outline of the configuration is as follows:
  - ``config.php`` is generated if it is missing
  - database schema is installed automatically if it is missing
  - nginx has its http port exposed to the outside
- - optional SSL support via Caddy w/ automatic letsencrypt certificates
+ - optional SSL support via Caddy w/ automatic letsencrypt certificates (deprecated)
  - feed updates are handled via update daemon started in a separate container (updater)
  - optional backups container which performs tt-rss database backup once a week
 
@@ -33,15 +33,15 @@ You will likely have to change ``SELF_URL_PATH`` which should equal fully qualif
 URL as seen when opening it in your web browser. If this field is set incorrectly, you will
 likely see the correct value in the tt-rss fatal error message.
 
-Note: ``SELF_URL_PATH`` is updated in generated tt-rss ``config.php`` automatically on container
-restart. You don't need to modify ``config.php`` manually for this.
-
 By default, `web` container binds to **localhost** port **8280**. If you want the container to be
 accessible on the net, without using a reverse proxy sharing same host, you will need to
 remove ``127.0.0.1:`` from ``HTTP_PORT`` variable in ``.env``.
 
 Please don't rename the services inside `docker-compose.yml` unless you know what you're doing. Web container expects application container to be named `app`, if you rename it and it's not accessible via Docker DNS as `http://app` you will run into 502 errors on startup.
 
+You can customize other `config.php` defines using environment variables (see `app/Dockerfile` 
+for complete list).
+
 #### Build and start the container
 
 ```sh
diff --git a/app/Dockerfile b/app/Dockerfile
index ae36d3c..57328f7 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -13,10 +13,49 @@ ADD updater.sh /
 ADD index.php /
 ADD dcron.sh /
 ADD backup.sh /etc/periodic/weekly/backup
+ADD config.docker.php /
 
 RUN sed -i.bak 's/^listen = 127.0.0.1:9000/listen = 9000/' /etc/php7/php-fpm.d/www.conf
 RUN sed -i.bak 's/\(memory_limit =\) 128M/\1 256M/' /etc/php7/php.ini
+RUN sed -i.bak 's/;clear_env = .*/clear_env = no/i' /etc/php7/php-fpm.d/www.conf
 
 RUN mkdir -p /var/www
+RUN mkdir -p /opt/tt-rss/config.d
+
+ENV OWNER_UID=1000
+ENV OWNER_GID=1000
+
+ENV DB_TYPE="pgsql"
+ENV DB_HOST="db"
+ENV DB_USER="%DB_USER"
+ENV DB_NAME="%DB_NAME"
+ENV DB_PASS="%DB_PASS"
+ENV DB_PORT="5432"
+
+# config.php defaults
+ENV MYSQL_CHARSET="UTF8"
+ENV SELF_URL_PATH="%SELF_URL_PATH"
+ENV SINGLE_USER_MODE="false"
+ENV SIMPLE_UPDATE_MODE="false"
+ENV PHP_EXECUTABLE="/usr/bin/php"
+ENV LOCK_DIRECTORY="lock"
+ENV CACHE_DIR="cache"
+ENV ICONS_DIR="feed-icons"
+ENV ICONS_URL="feed-icons"
+ENV AUTH_AUTO_CREATE="true"
+ENV AUTH_AUTO_LOGIN="true"
+ENV FORCE_ARTICLE_PURGE="0"
+ENV ENABLE_REGISTRATION="false"
+ENV REG_NOTIFY_ADDRESS="user@your.domain.dom"
+ENV REG_MAX_USERS="10"
+ENV SESSION_COOKIE_LIFETIME="86400"
+ENV SMTP_FROM_NAME="Tiny Tiny RSS"
+ENV SMTP_FROM_ADDRESS="noreply@your.domain.dom"
+ENV DIGEST_SUBJECT="[tt-rss] New headlines for last 24 hours"
+ENV CHECK_FOR_UPDATES="true"
+ENV ENABLE_GZIP_OUTPUT="false"
+ENV PLUGINS="auth_internal, note"
+ENV LOG_DESTINATION="sql"
+ENV CONFIG_VERSION="26"
 
 CMD /startup.sh
diff --git a/app/config.docker.php b/app/config.docker.php
new file mode 100644
index 0000000..58a389f
--- /dev/null
+++ b/app/config.docker.php
@@ -0,0 +1,174 @@
+<?php
+	// *******************************************
+	// *** Database configuration (important!) ***
+	// *******************************************
+
+	define('DB_TYPE', getenv('DB_TYPE')); // pgsql or mysql
+	define('DB_HOST', getenv('DB_HOST'));
+	define('DB_USER', getenv('DB_USER'));
+	define('DB_NAME', getenv('DB_NAME'));
+	define('DB_PASS', getenv('DB_PASS'));
+	define('DB_PORT', getenv('DB_PORT')); // usually 5432 for PostgreSQL, 3306 for MySQL
+
+	define('MYSQL_CHARSET', getenv('MYSQL_CHARSET'));
+	// Connection charset for MySQL. If you have a legacy database and/or experience
+	// garbage unicode characters with this option, try setting it to a blank string.
+
+	// ***********************************
+	// *** Basic settings (important!) ***
+	// ***********************************
+
+	define('SELF_URL_PATH', getenv('SELF_URL_PATH'));
+	// This should be set to a fully qualified URL used to access
+	// your tt-rss instance over the net, such as: https://example.org/tt-rss/
+	// The value should be a constant string literal. Please don't use
+	// PHP server variables here - you might introduce security
+	// issues on your install and cause hard to debug problems.
+	// If your tt-rss instance is behind a reverse proxy, use the external URL.
+
+	define('SINGLE_USER_MODE', getenv('SINGLE_USER_MODE'));
+	// Operate in single user mode, disables all functionality related to
+	// multiple users and authentication. Enabling this assumes you have
+	// your tt-rss directory protected by other means (e.g. http auth).
+
+	define('SIMPLE_UPDATE_MODE', getenv('SIMPLE_UPDATE_MODE'));
+	// Enables fallback update mode where tt-rss tries to update feeds in
+	// background while tt-rss is open in your browser.
+	// If you don't have a lot of feeds and don't want to or can't run
+	// background processes while not running tt-rss, this method is generally
+	// viable to keep your feeds up to date.
+	// Still, there are more robust (and recommended) updating methods
+	// available, you can read about them here: https://tt-rss.org/wiki/UpdatingFeeds
+
+	// *****************************
+	// *** Files and directories ***
+	// *****************************
+
+	define('PHP_EXECUTABLE', getenv('PHP_EXECUTABLE'));
+	// Path to PHP *COMMAND LINE* executable, used for various command-line tt-rss
+	// programs and update daemon. Do not try to use CGI binary here, it won't work.
+	// If you see HTTP headers being displayed while running tt-rss scripts,
+	// then most probably you are using the CGI binary. If you are unsure what to
+	// put in here, ask your hosting provider.
+
+	define('LOCK_DIRECTORY', getenv('LOCK_DIRECTORY'));
+	// Directory for lockfiles, must be writable to the user you run
+	// daemon process or cronjobs under.
+
+	define('CACHE_DIR', getenv('CACHE_DIR'));
+	// Local cache directory for RSS feed content.
+
+	define('ICONS_DIR', getenv('ICONS_DIR'));
+	define('ICONS_URL', getenv('ICONS_URL'));
+	// Local and URL path to the directory, where feed favicons are stored.
+	// Unless you really know what you're doing, please keep those relative
+	// to tt-rss main directory.
+
+	// **********************
+	// *** Authentication ***
+	// **********************
+
+	// Please see PLUGINS below to configure various authentication modules.
+
+	define('AUTH_AUTO_CREATE', getenv('AUTH_AUTO_CREATE'));
+	// Allow authentication modules to auto-create users in tt-rss internal
+	// database when authenticated successfully.
+
+	define('AUTH_AUTO_LOGIN', getenv('AUTH_AUTO_LOGIN'));
+	// Automatically login user on remote or other kind of externally supplied
+	// authentication, otherwise redirect to login form as normal.
+	// If set to true, users won't be able to set application language
+	// and settings profile.
+
+	// *********************
+	// *** Feed settings ***
+	// *********************
+
+	define('FORCE_ARTICLE_PURGE', getenv('FORCE_ARTICLE_PURGE'));
+	// When this option is not 0, users ability to control feed purging
+	// intervals is disabled and all articles (which are not starred)
+	// older than this amount of days are purged.
+
+	// ***********************************
+	// *** Self-registrations by users ***
+	// ***********************************
+
+	define('ENABLE_REGISTRATION', getenv('ENABLE_REGISTRATION'));
+	// Allow users to register themselves. Please be aware that allowing
+	// random people to access your tt-rss installation is a security risk
+	// and potentially might lead to data loss or server exploit. Disabled
+	// by default.
+
+	define('REG_NOTIFY_ADDRESS', getenv('REG_NOTIFY_ADDRESS'));
+	// Email address to send new user notifications to.
+
+	define('REG_MAX_USERS', getenv('REG_MAX_USERS'));
+	// Maximum amount of users which will be allowed to register on this
+	// system. 0 - no limit.
+
+	// **********************************
+	// *** Cookies and login sessions ***
+	// **********************************
+
+	define('SESSION_COOKIE_LIFETIME', getenv('SESSION_COOKIE_LIFETIME'));
+	// Default lifetime of a session (e.g. login) cookie. In seconds,
+	// 0 means cookie will be deleted when browser closes.
+
+	// *********************************
+	// *** Email and digest settings ***
+	// *********************************
+
+	// Tiny Tiny RSS sends mail via PHP mail() function, unless handled
+	// by a plugin.
+
+	// If you need SMTP support, take a look here:
+	// https://git.tt-rss.org/fox/ttrss-mailer-smtp
+
+	define('SMTP_FROM_NAME', getenv('SMTP_FROM_NAME'));
+	define('SMTP_FROM_ADDRESS', getenv('SMTP_FROM_ADDRESS'));
+	// Name, address and subject for sending outgoing mail. This applies
+	// to password reset notifications, digest emails and any other mail.
+
+	define('DIGEST_SUBJECT', getenv('DIGEST_SUBJECT'));
+	// Subject line for email digests
+
+	// ***************************************
+	// *** Other settings (less important) ***
+	// ***************************************
+
+	define('CHECK_FOR_UPDATES', getenv('CHECK_FOR_UPDATES'));
+	// Check for updates automatically if running Git version
+
+	define('ENABLE_GZIP_OUTPUT', getenv('ENABLE_GZIP_OUTPUT'));
+	// Selectively gzip output to improve wire performance. This requires
+	// PHP Zlib extension on the server.
+	// Enabling this can break tt-rss in several httpd/php configurations,
+	// if you experience weird errors and tt-rss failing to start, blank pages
+	// after login, or content encoding errors, disable it.
+
+	define('PLUGINS', getenv('PLUGINS'));
+	// Comma-separated list of plugins to load automatically for all users.
+	// System plugins have to be specified here. Please enable at least one
+	// authentication plugin here (auth_*).
+	// Users may enable other user plugins from Preferences/Plugins but may not
+	// disable plugins specified in this list.
+	// Disabling auth_internal in this list would automatically disable
+	// reset password link on the login form.
+
+	define('LOG_DESTINATION', getenv('LOG_DESTINATION'));
+	// Error log destination to use. Possible values: sql (uses internal logging
+	// you can read in Preferences -> System), syslog - logs to system log.
+	// Setting this to blank uses PHP logging (usually to http server
+	// error.log).
+	// Note that feed updating daemons don't use this logging facility
+	// for normal output.
+
+	define('CONFIG_VERSION', getenv('CONFIG_VERSION'));
+	// Expected config version. Please update this option in config.php
+	// if necessary (after migrating all new options from this file).
+
+	// vim:ft=php
+	$snippets = glob("/opt/tt-rss/config.d/*.php");
+
+	foreach ($snippets as $snippet) 
+		require_once $snippet;
diff --git a/app/config.php-config.d b/app/config.php-config.d
new file mode 100644
index 0000000..2091a6f
--- /dev/null
+++ b/app/config.php-config.d
@@ -0,0 +1,4 @@
+	$snippets = glob("/opt/tt-rss/config.d/*.php");
+
+	foreach ($snippets as $snippet) 
+		require_once $snippet;
diff --git a/app/config.php-dist b/app/config.php-dist
new file mode 100644
index 0000000..eed1a69
--- /dev/null
+++ b/app/config.php-dist
@@ -0,0 +1,170 @@
+<?php
+	// *******************************************
+	// *** Database configuration (important!) ***
+	// *******************************************
+
+	define('DB_TYPE', '%DB_TYPE'); // pgsql or mysql
+	define('DB_HOST', '%DB_HOST');
+	define('DB_USER', '%DB_USER');
+	define('DB_NAME', '%DB_NAME');
+	define('DB_PASS', '%DB_PASS');
+	define('DB_PORT', '%DB_PORT'); // usually 5432 for PostgreSQL, 3306 for MySQL
+
+	define('MYSQL_CHARSET', 'UTF8');
+	// Connection charset for MySQL. If you have a legacy database and/or experience
+	// garbage unicode characters with this option, try setting it to a blank string.
+
+	// ***********************************
+	// *** Basic settings (important!) ***
+	// ***********************************
+
+	define('SELF_URL_PATH', '%SELF_URL_PATH');
+	// This should be set to a fully qualified URL used to access
+	// your tt-rss instance over the net, such as: https://example.org/tt-rss/
+	// The value should be a constant string literal. Please don't use
+	// PHP server variables here - you might introduce security
+	// issues on your install and cause hard to debug problems.
+	// If your tt-rss instance is behind a reverse proxy, use the external URL.
+
+	define('SINGLE_USER_MODE', false);
+	// Operate in single user mode, disables all functionality related to
+	// multiple users and authentication. Enabling this assumes you have
+	// your tt-rss directory protected by other means (e.g. http auth).
+
+	define('SIMPLE_UPDATE_MODE', false);
+	// Enables fallback update mode where tt-rss tries to update feeds in
+	// background while tt-rss is open in your browser.
+	// If you don't have a lot of feeds and don't want to or can't run
+	// background processes while not running tt-rss, this method is generally
+	// viable to keep your feeds up to date.
+	// Still, there are more robust (and recommended) updating methods
+	// available, you can read about them here: https://tt-rss.org/wiki/UpdatingFeeds
+
+	// *****************************
+	// *** Files and directories ***
+	// *****************************
+
+	define('PHP_EXECUTABLE', '/usr/bin/php');
+	// Path to PHP *COMMAND LINE* executable, used for various command-line tt-rss
+	// programs and update daemon. Do not try to use CGI binary here, it won't work.
+	// If you see HTTP headers being displayed while running tt-rss scripts,
+	// then most probably you are using the CGI binary. If you are unsure what to
+	// put in here, ask your hosting provider.
+
+	define('LOCK_DIRECTORY', 'lock');
+	// Directory for lockfiles, must be writable to the user you run
+	// daemon process or cronjobs under.
+
+	define('CACHE_DIR', 'cache');
+	// Local cache directory for RSS feed content.
+
+	define('ICONS_DIR', "feed-icons");
+	define('ICONS_URL', "feed-icons");
+	// Local and URL path to the directory, where feed favicons are stored.
+	// Unless you really know what you're doing, please keep those relative
+	// to tt-rss main directory.
+
+	// **********************
+	// *** Authentication ***
+	// **********************
+
+	// Please see PLUGINS below to configure various authentication modules.
+
+	define('AUTH_AUTO_CREATE', true);
+	// Allow authentication modules to auto-create users in tt-rss internal
+	// database when authenticated successfully.
+
+	define('AUTH_AUTO_LOGIN', true);
+	// Automatically login user on remote or other kind of externally supplied
+	// authentication, otherwise redirect to login form as normal.
+	// If set to true, users won't be able to set application language
+	// and settings profile.
+
+	// *********************
+	// *** Feed settings ***
+	// *********************
+
+	define('FORCE_ARTICLE_PURGE', 0);
+	// When this option is not 0, users ability to control feed purging
+	// intervals is disabled and all articles (which are not starred)
+	// older than this amount of days are purged.
+
+	// ***********************************
+	// *** Self-registrations by users ***
+	// ***********************************
+
+	define('ENABLE_REGISTRATION', false);
+	// Allow users to register themselves. Please be aware that allowing
+	// random people to access your tt-rss installation is a security risk
+	// and potentially might lead to data loss or server exploit. Disabled
+	// by default.
+
+	define('REG_NOTIFY_ADDRESS', 'user@your.domain.dom');
+	// Email address to send new user notifications to.
+
+	define('REG_MAX_USERS', 10);
+	// Maximum amount of users which will be allowed to register on this
+	// system. 0 - no limit.
+
+	// **********************************
+	// *** Cookies and login sessions ***
+	// **********************************
+
+	define('SESSION_COOKIE_LIFETIME', 86400);
+	// Default lifetime of a session (e.g. login) cookie. In seconds,
+	// 0 means cookie will be deleted when browser closes.
+
+	// *********************************
+	// *** Email and digest settings ***
+	// *********************************
+
+	// Tiny Tiny RSS sends mail via PHP mail() function, unless handled
+	// by a plugin.
+
+	// If you need SMTP support, take a look here:
+	// https://git.tt-rss.org/fox/ttrss-mailer-smtp
+
+	define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
+	define('SMTP_FROM_ADDRESS', 'noreply@your.domain.dom');
+	// Name, address and subject for sending outgoing mail. This applies
+	// to password reset notifications, digest emails and any other mail.
+
+	define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
+	// Subject line for email digests
+
+	// ***************************************
+	// *** Other settings (less important) ***
+	// ***************************************
+
+	define('CHECK_FOR_UPDATES', true);
+	// Check for updates automatically if running Git version
+
+	define('ENABLE_GZIP_OUTPUT', false);
+	// Selectively gzip output to improve wire performance. This requires
+	// PHP Zlib extension on the server.
+	// Enabling this can break tt-rss in several httpd/php configurations,
+	// if you experience weird errors and tt-rss failing to start, blank pages
+	// after login, or content encoding errors, disable it.
+
+	define('PLUGINS', 'auth_internal, note');
+	// Comma-separated list of plugins to load automatically for all users.
+	// System plugins have to be specified here. Please enable at least one
+	// authentication plugin here (auth_*).
+	// Users may enable other user plugins from Preferences/Plugins but may not
+	// disable plugins specified in this list.
+	// Disabling auth_internal in this list would automatically disable
+	// reset password link on the login form.
+
+	define('LOG_DESTINATION', 'sql');
+	// Error log destination to use. Possible values: sql (uses internal logging
+	// you can read in Preferences -> System), syslog - logs to system log.
+	// Setting this to blank uses PHP logging (usually to http server
+	// error.log).
+	// Note that feed updating daemons don't use this logging facility
+	// for normal output.
+
+	define('CONFIG_VERSION', 26);
+	// Expected config version. Please update this option in config.php
+	// if necessary (after migrating all new options from this file).
+
+	// vim:ft=php
diff --git a/app/prepare-config.php b/app/prepare-config.php
new file mode 100755
index 0000000..9641daf
--- /dev/null
+++ b/app/prepare-config.php
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+sed -e "s/define('\([A-Z_]\+\)', [^)]\+/define('\1', getenv('\1')/" \
+	< config.php-dist > config.docker.php
+
+cat config.php-config.d >> config.docker.php
diff --git a/app/prepare-environment.sh b/app/prepare-environment.sh
new file mode 100755
index 0000000..9d376c3
--- /dev/null
+++ b/app/prepare-environment.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+grep define config.php-dist | sed -e "s/[ \t]*define('\([A-Z_]\+\)', ['\"]\?\([^'\")]\+\).*/ENV \1=\"\2\"/"
diff --git a/app/startup.sh b/app/startup.sh
index 43a1278..39cbad6 100755
--- a/app/startup.sh
+++ b/app/startup.sh
@@ -1,4 +1,4 @@
-#!/bin/sh -e
+#!/bin/sh -ex
 
 while ! pg_isready -h $DB_HOST -U $DB_USER; do
 	echo waiting until $DB_HOST is ready...
@@ -66,35 +66,24 @@ elif ! $PSQL -c 'select * from ttrss_version'; then
 	$PSQL < /var/www/html/tt-rss/schema/ttrss_schema_pgsql.sql
 fi
 
-SELF_URL_PATH=$(echo $SELF_URL_PATH | sed -e 's/[\/&]/\\&/g')
+export SELF_URL_PATH=$(echo $SELF_URL_PATH | sed -e 's/[\/&]/\\&/g')
+
+env
 
 if [ ! -s $DST_DIR/config.php ]; then
-	sed \
-		-e "s/define('DB_HOST'.*/define('DB_HOST', '$DB_HOST');/" \
-		-e "s/define('DB_USER'.*/define('DB_USER', '$DB_USER');/" \
-		-e "s/define('DB_NAME'.*/define('DB_NAME', '$DB_NAME');/" \
-		-e "s/define('DB_PASS'.*/define('DB_PASS', '$DB_PASS');/" \
-		-e "s/define('DB_TYPE'.*/define('DB_TYPE', 'pgsql');/" \
-		-e "s/define('DB_PORT'.*/define('DB_PORT', 5432);/" \
-		-e "s/define('PLUGINS'.*/define('PLUGINS', 'auth_internal, note, nginx_xaccel');/" \
-		-e "s/define('SELF_URL_PATH'.*/define('SELF_URL_PATH','$SELF_URL_PATH');/" \
-		< $DST_DIR/config.php-dist > $DST_DIR/config.php
+	cp /config.docker.php $DST_DIR/config.php
 
 	cat >> $DST_DIR/config.php << EOF
 		define('NGINX_XACCEL_PREFIX', '/tt-rss');
 EOF
-else
-	sed \
-		-e "s/define('SELF_URL_PATH'.*/define('SELF_URL_PATH','$SELF_URL_PATH');/" \
-		-i $DST_DIR/config.php
 fi
 
 # this was previously generated
 rm -f $DST_DIR/config.php.bak
 
-cd $DST_DIR && sudo -u app php ./update.php --update-schema=force-yes
+cd $DST_DIR && sudo -E -u app php ./update.php --update-schema=force-yes
 
 touch $DST_DIR/.app_is_ready
 
-sudo -u app /usr/sbin/php-fpm7 -F
+sudo -E -u app /usr/sbin/php-fpm7 -F
 
diff --git a/app/updater.sh b/app/updater.sh
index e6d5a21..2ddea88 100755
--- a/app/updater.sh
+++ b/app/updater.sh
@@ -20,4 +20,4 @@ while [ ! -s $DST_DIR/config.php -a -e $DST_DIR/.app_is_ready ]; do
 	sleep 3
 done
 
-sudo -u app /usr/bin/php /var/www/html/tt-rss/update_daemon2.php
+sudo -E -u app /usr/bin/php /var/www/html/tt-rss/update_daemon2.php
diff --git a/config.d/.empty b/config.d/.empty
new file mode 100644
index 0000000..e69de29
diff --git a/config.d/README.md b/config.d/README.md
new file mode 100644
index 0000000..70c206b
--- /dev/null
+++ b/config.d/README.md
@@ -0,0 +1 @@
+Put anything else you need included into `config.php` to this directory as separate `.php` files.
diff --git a/docker-compose.yml b/docker-compose.yml
index 2668fb7..a2d0b73 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,11 +7,10 @@ services:
   db:
     image: postgres:12-alpine
     restart: unless-stopped
+    env_file:
+      - .env
     volumes:
       - db:/var/lib/postgresql/data
-    environment:    
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-      - POSTGRES_USER=${POSTGRES_USER}
 
   app:
     build: 
@@ -19,16 +18,13 @@ services:
         ./app
     restart: unless-stopped
     environment:
-      - DB_TYPE=pgsql
-      - DB_HOST=db
       - DB_NAME=${POSTGRES_USER}
       - DB_USER=${POSTGRES_USER}
       - DB_PASS=${POSTGRES_PASSWORD}
-      - OWNER_UID=${OWNER_UID}
-      - OWNER_GID=${OWNER_GID}
       - SELF_URL_PATH=${SELF_URL_PATH}
     volumes:
       - app:/var/www/html
+      - ./config.d:/opt/tt-rss/config.d:ro
     depends_on:
       - db
 
@@ -38,13 +34,9 @@ services:
         ./app
     restart: unless-stopped
     environment:
-      - DB_TYPE=pgsql
-      - DB_HOST=db
       - DB_NAME=${POSTGRES_USER}
       - DB_USER=${POSTGRES_USER}
       - DB_PASS=${POSTGRES_PASSWORD}
-      - OWNER_UID=${OWNER_UID}
-      - OWNER_GID=${OWNER_GID}
     volumes:
       - backups:/backups
       - app:/var/www/html
@@ -58,16 +50,13 @@ services:
         ./app
     restart: unless-stopped
     environment:
-      - DB_TYPE=pgsql
-      - DB_HOST=db
       - DB_NAME=${POSTGRES_USER}
       - DB_USER=${POSTGRES_USER}
       - DB_PASS=${POSTGRES_PASSWORD}
-      - OWNER_UID=${OWNER_UID}
-      - OWNER_GID=${OWNER_GID}
       - SELF_URL_PATH=${SELF_URL_PATH}
     volumes:
       - app:/var/www/html
+      - ./config.d:/opt/tt-rss/config.d:ro
     depends_on:
       - app
     command: /updater.sh