diff --git a/.env-dist b/.env-dist
index e124c29..4b7b193 100644
--- a/.env-dist
+++ b/.env-dist
@@ -1,13 +1,38 @@
 # Copy this file to .env before building the container.
 # Put any local modifications here.
 
+# Run under this UID/GID.
+# OWNER_UID=1000
+# OWNER_GID=1000
+
+# FPM settings.
+#PHP_WORKER_MAX_CHILDREN=5
+#PHP_WORKER_MEMORY_LIMIT=256M
+
+# ADMIN_USER_* settings are applied on every startup.
+
+# Set admin user password to this value.
+#ADMIN_USER_PASS=
+
+# Sets admin user access level to this value.
+# Valid values:
+# -2 - forbidden to login
+# -1 - readonly
+#  0 - default user
+# 10 - admin
+#ADMIN_USER_ACCESS_LEVEL=
+
+# Auto create another user (in addition to built-in admin) unless it
+# already exists.
+#AUTO_CREATE_USER=
+#AUTO_CREATE_USER_PASS=
+#AUTO_CREATE_USER_ACCESS_LEVEL=0 # see above
+
+# Default database credentials.
 TTRSS_DB_USER=postgres
 TTRSS_DB_NAME=postgres
 TTRSS_DB_PASS=password
 
-# This is only used by web-ssl container.
-#HTTP_HOST=localhost
-
 # You will likely need to set this to the correct value, see README.md
 # for more information.
 TTRSS_SELF_URL_PATH=http://localhost:8280/tt-rss
diff --git a/app/Dockerfile b/app/Dockerfile
index dcb1bf9..d45c0c8 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -31,6 +31,18 @@ ENV OWNER_GID=1000
 ENV PHP_WORKER_MAX_CHILDREN=5
 ENV PHP_WORKER_MEMORY_LIMIT=256M
 
+# these are applied on every startup, if set
+ENV ADMIN_USER_PASS=""
+# see classes/UserHelper.php ACCESS_LEVEL_*
+# setting this to -2 would effectively disable built-in admin user
+# unless single user mode is enabled
+ENV ADMIN_USER_ACCESS_LEVEL=""
+
+# these are applied unless user already exists
+ENV AUTO_CREATE_USER=""
+ENV AUTO_CREATE_USER_PASS=""
+ENV AUTO_CREATE_USER_ACCESS_LEVEL="0"
+
 # TODO: remove prefix from container variables not used by tt-rss itself:
 #
 # - TTRSS_NO_STARTUP_PLUGIN_UPDATES -> NO_STARTUP_PLUGIN_UPDATES
diff --git a/app/startup.sh b/app/startup.sh
index e3fb6f3..42990c5 100755
--- a/app/startup.sh
+++ b/app/startup.sh
@@ -118,12 +118,28 @@ sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \
 sed -i.bak "s/^\(pm.max_children\) = \(.*\)/\1 = ${PHP_WORKER_MAX_CHILDREN}/" \
 	/etc/php8/php-fpm.d/www.conf
 
-cd $DST_DIR && sudo -E -u app php8 ./update.php --update-schema=force-yes
+sudo -Eu app php8 $DST_DIR/update.php --update-schema=force-yes
+
+if [ ! -z "$ADMIN_USER_PASS" ]; then
+	sudo -Eu app php8 $DST_DIR/update.php --user-set-password "admin:$ADMIN_USER_PASS"
+fi
+
+if [ ! -z "$ADMIN_USER_ACCESS_LEVEL" ]; then
+	sudo -Eu app php8 $DST_DIR/update.php --user-set-access-level "admin:$ADMIN_USER_ACCESS_LEVEL"
+fi
+
+if [ ! -z "$AUTO_CREATE_USER" ]; then
+	sudo -Eu app /bin/sh -c "php8 $DST_DIR/update.php --user-exists $AUTO_CREATE_USER ||
+		php8 $DST_DIR/update.php --force-yes --user-add \"$AUTO_CREATE_USER:$AUTO_CREATE_USER_PASS:$AUTO_CREATE_USER_ACCESS_LEVEL\""
+fi
 
 rm -f /tmp/error.log && mkfifo /tmp/error.log && chown app:app /tmp/error.log
 
 (tail -q -f /tmp/error.log >> /proc/1/fd/2) &
 
+unset ADMIN_USER_PASS
+unset AUTO_CREATE_USER_PASS
+
 touch $DST_DIR/.app_is_ready
 
 exec /usr/sbin/php-fpm8 --nodaemonize --force-stderr -R