diff --git a/app/Dockerfile b/app/Dockerfile index 3658d6e..9c227e4 100644 --- a/app/Dockerfile +++ b/app/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.13 +FROM alpine:3.15 EXPOSE 9000/tcp ENV SCRIPT_ROOT=/opt/tt-rss @@ -28,6 +28,29 @@ ADD config.docker.php ${SCRIPT_ROOT} ENV OWNER_UID=1000 ENV OWNER_GID=1000 +ENV PHP_WORKER_MAX_CHILDREN=5 +ENV PHP_WORKER_MEMORY_LIMIT=256M + +# these are applied on every startup, if set +ENV ADMIN_USER_PASS="" +# see classes/UserHelper.php ACCESS_LEVEL_* +# setting this to -2 would effectively disable built-in admin user +# unless single user mode is enabled +ENV ADMIN_USER_ACCESS_LEVEL="" + +# these are applied unless user already exists +ENV AUTO_CREATE_USER="" +ENV AUTO_CREATE_USER_PASS="" +ENV AUTO_CREATE_USER_ACCESS_LEVEL="0" + +# TODO: remove prefix from container variables not used by tt-rss itself: +# +# - TTRSS_NO_STARTUP_PLUGIN_UPDATES -> NO_STARTUP_PLUGIN_UPDATES +# - TTRSS_XDEBUG_... -> XDEBUG_... + +# don't try to update local plugins on startup (except for nginx_xaccel) +ENV TTRSS_NO_STARTUP_PLUGIN_UPDATES="" + # TTRSS_XDEBUG_HOST defaults to host IP if unset ENV TTRSS_XDEBUG_ENABLED="" ENV TTRSS_XDEBUG_HOST="" diff --git a/app/startup.sh b/app/startup.sh index 0d6a64d..f91fb78 100755 --- a/app/startup.sh +++ b/app/startup.sh @@ -10,10 +10,17 @@ unset HTTP_PORT unset HTTP_HOST if ! id app >/dev/null 2>&1; then - addgroup -g $OWNER_GID app - adduser -D -h /var/www/html -G app -u $OWNER_UID app + # what if i actually need a duplicate GID/UID group? + + addgroup -g $OWNER_GID app || echo app:x:$OWNER_GID:app | \ + tee -a /etc/group + + adduser -D -h /var/www/html -G app -u $OWNER_UID app || \ + echo app:x:$OWNER_UID:$OWNER_GID:Linux User,,,:/var/www/html:/bin/ash | tee -a /etc/passwd fi +update-ca-certificates || true + DST_DIR=/var/www/html/tt-rss SRC_REPO=https://git.tt-rss.org/fox/tt-rss.git 
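Review bot: The comments above `ADMIN_USER_PASS` and `AUTO_CREATE_USER_PASS` in the `@@ -28,6 +28,29 @@` hunk do not say that a value supplied at run time stays readable in the container's configuration (for example through `docker inspect`). This holds even though startup.sh unsets both variables before it starts php-fpm. Keeping the defaults empty is right, since nothing secret ends up in an image layer. I would add a comment along the lines of `# values set at run time remain visible in the container config; startup.sh only unsets them before php-fpm starts`. Because the admin password is re-applied on every startup when set, it is also worth stating that a password changed in the UI is overwritten at the next restart.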
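Review bot: The new fallback in the `if ! id app` block of startup.sh appends `$OWNER_UID` and `$OWNER_GID` to /etc/passwd and /etc/group unquoted and unvalidated, and it runs exactly when `adduser`/`addgroup` refuse the id because it is already taken. With `OWNER_UID=0` this writes `app:x:0:...`, so every later `sudo -u app` call runs with root's uid rather than an unprivileged one. A guard before the block would keep the duplicate-id use case while rejecting that, e.g. `case "$OWNER_UID" in ''|*[!0-9]*|0) echo "error: invalid OWNER_UID" >&2; exit 1;; esac`, with an equivalent numeric check for `OWNER_GID`. Separately, `update-ca-certificates || true` hides a failure that would later surface as confusing TLS errors from `git clone`; a `|| echo warning: ...` in the style of the other commands would make it visible.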
@@ -42,27 +49,43 @@ fi if [ ! -d $DST_DIR/plugins.local/nginx_xaccel ]; then echo cloning plugins.local/nginx_xaccel... - git clone https://git.tt-rss.org/fox/ttrss-nginx-xaccel.git \ - $DST_DIR/plugins.local/nginx_xaccel || echo error: failed to clone plugin repository. + sudo -u app git clone https://git.tt-rss.org/fox/ttrss-nginx-xaccel.git \ + $DST_DIR/plugins.local/nginx_xaccel || echo warning: failed to clone nginx_xaccel. else - echo updating plugins.local/nginx_xaccel... - cd $DST_DIR/plugins.local/nginx_xaccel && \ - git config core.filemode false && \ - git config pull.rebase false && \ - git pull origin master || echo error: failed to update plugin repository. + if [ -z "$TTRSS_NO_STARTUP_PLUGIN_UPDATES" ]; then + echo updating all local plugins... + + find $DST_DIR/plugins.local/ -maxdepth 1 -mindepth 1 -type d | while read PLUGIN; do + if [ -d $PLUGIN/.git ]; then + echo updating $PLUGIN... + + cd $PLUGIN && \ + sudo -u app git config core.filemode false && \ + sudo -u app git config pull.rebase false && \ + sudo -u app git pull origin master || echo warning: attempt to update plugin $PLUGIN failed. + fi + done + else + echo updating plugins.local/nginx_xaccel... + + cd $DST_DIR/plugins.local/nginx_xaccel && \ + sudo -u app git config core.filemode false && \ + sudo -u app git config pull.rebase false && \ + sudo -u app git pull origin master || echo warning: attempt to update plugin nginx_xaccel failed. + fi fi cp ${SCRIPT_ROOT}/config.docker.php $DST_DIR/config.php chmod 644 $DST_DIR/config.php -chown -R $OWNER_UID:$OWNER_GID $DST_DIR \ - /var/log/php8 - for d in cache lock feed-icons; do chmod 777 $DST_DIR/$d find $DST_DIR/$d -type f -exec chmod 666 {} \; done +chown -R $OWNER_UID:$OWNER_GID $DST_DIR \ + /var/log/php8 + RESTORE_SCHEMA=${SCRIPT_ROOT}/restore-schema.sql.gz if [ -r $RESTORE_SCHEMA ]; then 
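Review bot: The new `find ... | while read PLUGIN` loop pulls `origin master` for every git checkout under plugins.local on each start unless `TTRSS_NO_STARTUP_PLUGIN_UPDATES` is set, so by default the container runs whatever each plugin's remote serves at that moment. Running the pulls as `app` instead of root is a good change, but the default deserves a comment next to the `-z` test stating that third-party plugin code is updated unpinned at startup and how to turn that off. The loop also uses `read` without `-r` and expands `$PLUGIN` unquoted, so a directory name containing spaces or backslashes is split or mangled. I would write `while IFS= read -r PLUGIN; do`, `if [ -d "$PLUGIN/.git" ]; then` and `cd "$PLUGIN" && \`.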
@@ -88,12 +111,45 @@ xdebug.client_host = ${TTRSS_XDEBUG_HOST} EOF fi -cd $DST_DIR && sudo -E -u app php8 ./update.php --update-schema=force-yes +sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \ + /etc/php8/php.ini + +sed -i.bak "s/^\(pm.max_children\) = \(.*\)/\1 = ${PHP_WORKER_MAX_CHILDREN}/" \ + /etc/php8/php-fpm.d/www.conf + +sudo -Eu app php8 $DST_DIR/update.php --update-schema=force-yes + +if [ ! -z "$ADMIN_USER_PASS" ]; then + sudo -Eu app php8 $DST_DIR/update.php --user-set-password "admin:$ADMIN_USER_PASS" +else + if sudo -Eu app php8 $DST_DIR/update.php --user-check-password "admin:password"; then + RANDOM_PASS=$(tr -dc A-Za-z0-9 > /proc/1/fd/2) & +unset ADMIN_USER_PASS +unset AUTO_CREATE_USER_PASS + touch $DST_DIR/.app_is_ready exec /usr/sbin/php-fpm8 --nodaemonize --force-stderr
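Review bot: `--user-set-password "admin:$ADMIN_USER_PASS"` puts the admin password on the php8 command line, where it is readable from the process list for as long as the call runs; the later `unset ADMIN_USER_PASS` does not cover that window. update.php is not visible here, so this is hedged: if it can take the password from the environment or stdin, that would keep the secret out of argv. The two new `sed -i.bak` lines interpolate `PHP_WORKER_MEMORY_LIMIT` and `PHP_WORKER_MAX_CHILDREN` straight into the replacement text, so a value containing `/` or `&` breaks or alters the substitution. A check before them, such as `case "$PHP_WORKER_MAX_CHILDREN" in ''|*[!0-9]*) echo "invalid PHP_WORKER_MAX_CHILDREN" >&2; exit 1;; esac`, fails early instead. The text of this hunk is incomplete between `RANDOM_PASS=$(tr -dc A-Za-z0-9` and `> /proc/1/fd/2) &`, so the random-password and user-creation lines are not reviewed.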