diff --git a/docker-compose.yml b/docker-compose.yml
index dbd948b..7808f8c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,16 +16,25 @@ services:
       - GITEA__database__HOST=db:3306
       - GITEA__database__NAME=gitea
       - GITEA__database__USER=gitea
-      - GITEA__database__PASSWD=gitea
+      - GITEA__database__PASSWD=${DB_PASSWD}
   db:
     image: mysql:8
     networks:
       - gitea
     environment:
-      - MYSQL_ROOT_PASSWORD=gitea
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_passwd
       - MYSQL_USER=gitea
-      - MYSQL_PASSWORD=gitea
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_passwd
       - MYSQL_DATABASE=gitea
+    secrets:
+      - db_passwd
+      - db_root_passwd
 
 networks:
   gitea:
+
+secrets:
+   db_passwd:
+     file: .passwd/mysql_passwd
+   db_root_passwd:
+     file: .passwd/mysql_root_passwd
diff --git a/first-run.sh b/first-run.sh
new file mode 100755
index 0000000..afc8ce5
--- /dev/null
+++ b/first-run.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+[[ ! -d .passwd ]] && mkdir .passwd
+openssl rand -base64 20 > .passwd/mysql_root_passwd
+openssl rand -base64 20 > .passwd/mysql_passwd
+echo "DB_PASSWD=$(cat .passwd/mysql_passwd)" > .env
+chmod 500 .passwd
+chmod 400 .passwd/*
+chmod 400 .env