diff --git a/compose.yml b/compose.yml index 539ae81..4f33db4 100644 --- a/compose.yml +++ b/compose.yml @@ -1,4 +1,4 @@ -version: "3.7" +version: "3.8" services: nextcloud: @@ -6,23 +6,32 @@ services: depends_on: - mariadb secrets: - - db_root_password - db_password + - admin_password environment: - MYSQL_HOST=mariadb - MYSQL_DATABASE=nextcloud - - MYSQL_USER=nextcloud - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_password - DOMAIN=${DOMAIN} - STACK_NAME=${STACK_NAME} volumes: - - nextcloud:/var/www/html - nextapps:/var/www/html/custom_apps:cached - nextdata:/var/www/html/data:cached - nextconfig:/var/www/html/config:cached networks: - proxy - internal + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost"] + interval: 30s + timeout: 10s + retries: 10 + start_period: 1m + configs: + - source: entrypoint_conf + target: /docker-entrypoint.sh + mode: 0555 + user: www-data + group: www-data deploy: restart_policy: condition: on-failure @@ -34,6 +43,8 @@ services: - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + #entrypoint: ["setpriv", "--reuid=www-data", "--regid=www-data", "--init-groups", "/docker-entrypoint.sh"] + entrypoint: ["tail", "-f", "/dev/null"] mariadb: image: "mariadb:10.5" @@ -57,9 +68,11 @@ secrets: db_password: external: true name: ${STACK_NAME}_db_password_${DB_ROOT_PASSWORD_VERSION} + admin_password: + external: true + name: ${STACK_NAME}_admin_password_${ADMIN_PASSWORD_VERSION} volumes: - nextcloud: nextapps: nextdata: nextconfig: @@ -69,3 +82,9 @@ networks: proxy: external: true internal: + +configs: + entrypoint_conf: + name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION} + file: entrypoint.sh.tmpl + template_driver: golang diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl new file mode 100644 index 0000000..f202c81 --- /dev/null +++ b/entrypoint.sh.tmpl 
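Review bot: In the `configs:` entry added to the nextcloud service, `user: www-data` and `group: www-data` are not the keys the Compose file reference documents for the long syntax, which are `uid` and `gid` with numeric IDs, so confirm that the deploy actually accepts them. Ownership by the web user is also unnecessary, because mode 0555 already lets every account read and execute the script. Dropping both keys leaves the file with its default root ownership, so the account that serves requests does not own the start-up script. A one-line comment above the entry such as `# start-up script rendered from entrypoint.sh.tmpl, read/execute only` would tell the next reader where the file comes from.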
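Review bot: The added `entrypoint: ["tail", "-f", "/dev/null"]` reads as a debugging placeholder: with it the container only idles, so neither the mounted /docker-entrypoint.sh nor Apache starts and the new curl health check cannot pass. If the commented-out line above it is the intended one, note that it drops to www-data before the script runs, while the script itself calls `setpriv ... --init-groups`, which probably needs the privileges already given up. Running the script directly, `entrypoint: ["/docker-entrypoint.sh"]`, and letting it drop privileges per command avoids that. Indentation is lost in this view, so also check that the key sits at service level and not under `deploy:`, where the preceding label lines live.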
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -x
+
+SUDO="setpriv --reuid=www-data --regid=www-data --init-groups"
+OCC="php /var/www/html/occ"
+
+if ! $SUDO $OCC status | grep -q 'installed: true'; then
+ $SUDO $OCC --no-ansi -n maintenance:install \
+ --database "mysql" \
+ --database-name "nextcloud" \
+ --database-host "mariadb" \
+ --database-user "nextcloud" \
+ --database-pass "$(tr -d '\n' < /run/secrets/db_password)" \
+ --admin-pass "$(tr -d '\n' < /run/secrets/admin_password)"
+
+fi
+
+$SUDO php $OCC config:system:set trusted_domains 1 --value={{ env "DOMAIN" }}
+
+/entrypoint.sh apache2-foreground
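Review bot: `set -x` on the second line traces every command after expansion, so the `maintenance:install` call writes the database and admin passwords read from /run/secrets into the container log. Remove it, or use `set +x` before the install and turn tracing back on afterwards. The passwords are also visible in the process arguments while occ runs, so if the image's own `*_FILE` environment variables cover this install, they would keep the secrets off the command line. Separately, `$SUDO php $OCC config:system:set ...` expands to `php php /var/www/html/occ ...` because `OCC` already starts with `php`, so the trusted-domain entry is probably never written. The template value is also unquoted, so the line should read `$SUDO $OCC config:system:set trusted_domains 1 --value="{{ env "DOMAIN" }}"`.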