diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index b49e1fc..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,39 +0,0 @@
-FROM --platform=${TARGETPLATFORM:-linux/amd64} jc21/alpine-nginx-full:node
-LABEL maintainer="Jamie Curnow "
-
-ENV SUPPRESS_NO_CONFIG_WARNING=1
-ENV S6_FIX_ATTRS_HIDDEN=1
-ENV NODE_ENV=production
-
-RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
- && apk update \
- && apk add python3 certbot jq \
- && python3 -m ensurepip \
- && rm -rf /var/cache/apk/*
-
-# s6 overlay
-COPY scripts/install-s6 /tmp/install-s6
-RUN /tmp/install-s6 "${TARGETPLATFORM}" && rm -f /tmp/install-s6
-
-EXPOSE 80
-EXPOSE 81
-EXPOSE 443
-
-ADD backend /app
-ADD frontend/dist /app/frontend
-COPY global /app/global
-
-WORKDIR /app
-RUN yarn install
-
-# add late to limit cache-busting by modifications
-COPY docker/rootfs /
-
-# Remove frontend service not required for prod, dev nginx config as well
-RUN rm -rf /etc/services.d/frontend
-RUN rm -f /etc/nginx/conf.d/dev.conf
-
-VOLUME [ "/data", "/etc/letsencrypt" ]
-ENTRYPOINT [ "/init" ]
-
-HEALTHCHECK --interval=5s --timeout=3s CMD /bin/check-health
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
deleted file mode 100644
index 60de491..0000000
--- a/docker-compose.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-# docker-compose.yml
-version: "3.7"
-
-secrets:
- # paths assume the .secrets folder is sibling depth to folder where docker-compose resides
- DB_ROOT_PWD:
- file: ../.secrets/db_root_pwd.txt
- MYSQL_PWD:
- file: ../.secrets/mysql_pwd.txt
-
-# networks:
-# npm-bridge: # arbitrary name
-# driver: bridge
-
-services:
- mariadb:
- image: ahgraber/mariadb-aria:test
- container_name: mariadb
- secrets:
- - DB_ROOT_PWD
- - MYSQL_PWD
- # networks:
- # - npm-bridge
- # ports:
- # - 3306:3306
- environment:
- # MYSQL_ROOT_PASSWORD: "npm"
- MYSQL_ROOT_PASSWORD__FILE: /run/secrets/DB_ROOT_PWD
- MYSQL_DATABASE: "npm"
- MYSQL_USER: "npm"
- # MYSQL_PASSWORD: "npm"
- MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
- volumes:
- - ./data/mysql:/var/lib/mysql
- # - npm-mount:/var/lib/mysql
- # restart: unless-stopped
-
- npm:
- build:
- context: .
- dockerfile: ./Dockerfile
- # args:
- # TARGETPLATFORM: arm64v8
- image: nginx-proxy-manager:test # provide a name and tag for the image
- container_name: npm
- secrets:
- - MYSQL_PWD
- # networks:
- # - npm-bridge
- ports:
- - 8080:80
- - 8443:443
- - 8888:81
- environment:
- DISABLE_IPV6: 'true'
- DB_MYSQL_HOST: "mariadb"
- DB_MYSQL_PORT: 3306
- DB_MYSQL_NAME: "npm"
- DB_MYSQL_USER: "npm"
- # DB_MYSQL_PASSWORD: "npm"
- DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
- # DB_MYSQL_PASSWORD: "sqlL3tm3in"
- volumes:
- - ./data/npm:/data
- - ./data/letsencrypt:/etc/letsencrypt
- # - npm-mount:/data
- # - letsencrypt-mount:/etc/letsencrypt
- depends_on:
- - mariadb
- # restart: unless-stopped
-
-# ## https://stackoverflow.com/questions/45282608/how-to-directly-mount-nfs-share-volume-in-container-using-docker-compose-v3
-# volumes:
-# npm-mount:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: nfsvers=4,addr=10.2.1.1,rw,retry=1,soft,nolock
-# device: ":/npm"
-# letsencrypt-mount:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: nfsvers=4,addr=10.2.1.1,rw,retry=1,soft,nolock
-# device: ":/letsencrypt"
-
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 66bbd92..34ee5c4 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -13,6 +13,7 @@ ARG BUILD_DATE
 
 ENV SUPPRESS_NO_CONFIG_WARNING=1
 ENV S6_FIX_ATTRS_HIDDEN=1
+ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=1
 ENV NODE_ENV=production
 
 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
@@ -31,7 +32,6 @@ EXPOSE 80
 EXPOSE 81
 EXPOSE 443
 
-COPY docker/rootfs /
 ADD backend /app
 ADD frontend/dist /app/frontend
 COPY global /app/global
@@ -39,6 +39,9 @@ COPY global /app/global
 WORKDIR /app
 RUN yarn install
 
+# add late to limit cache-busting by modifications
+COPY docker/rootfs /
+
 # Remove frontend service not required for prod, dev nginx config as well
 RUN rm -rf /etc/services.d/frontend
 RUN rm -f /etc/nginx/conf.d/dev.conf
diff --git a/docker/rootfs/etc/cont-init.d/.gitignore b/docker/rootfs/etc/cont-init.d/.gitignore
index 06b88e3..f04f0f6 100644
--- a/docker/rootfs/etc/cont-init.d/.gitignore
+++ b/docker/rootfs/etc/cont-init.d/.gitignore
@@ -1,3 +1,3 @@
 *
 !.gitignore
-!01_envfile.sh
+!*.sh
diff --git a/docker/rootfs/etc/cont-init.d/01_envfile.sh b/docker/rootfs/etc/cont-init.d/01_s6-secret-init.sh
similarity index 64%
rename from docker/rootfs/etc/cont-init.d/01_envfile.sh
rename to docker/rootfs/etc/cont-init.d/01_s6-secret-init.sh
index 90dee69..f145807 100644
--- a/docker/rootfs/etc/cont-init.d/01_envfile.sh
+++ b/docker/rootfs/etc/cont-init.d/01_s6-secret-init.sh
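Review bot: In the first docker/Dockerfile hunk, `ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=1` selects the warn-and-continue behaviour of s6-overlay v2, so a failing cont-init.d script (including the renamed secret-init script) is logged and the services still start. If a container that could not load its credentials should not come up, `ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2` stops it instead. Whichever value is kept deserves a one-line comment above it, for example `# 1 = log and continue when an init script fails; 2 = stop the container`. From the lines visible in the secret-init hunk, the missing-secret branch only echoes a message, so the setting probably never triggers for that case unless the script also exits non-zero there.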
@@ -1,28 +1,27 @@
-#! /bin/bash
+#!/usr/bin/with-contenv bash
 # ref: https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/01-envfile
 
 # in s6, environmental variables are written as text files for s6 to monitor
 # seach through full-path filenames for files ending in "__FILE"
 for FILENAME in $(find /var/run/s6/container_environment/ | grep "__FILE$"); do
- echo "[secret-init] Evaluating ${FILENAME##*/}"
+ echo "[secret-init] Evaluating ${FILENAME##*/} ..."
 
 # set SECRETFILE to the contents of the full-path textfile
 SECRETFILE=$(cat ${FILENAME})
 # SECRETFILE=${FILENAME}
- echo "[secret-init] Setting SECRETFILE to ${SECRETFILE}..." # DEBUG - rm for prod!
+ # echo "[secret-init] Set SECRETFILE to ${SECRETFILE}" # DEBUG - rm for prod!
 
 # if SECRETFILE exists / is not null
 if [[ -f ${SECRETFILE} ]]; then
 # strip the appended "__FILE" from environmental variable name ...
 STRIPFILE=$(echo ${FILENAME} | sed "s/__FILE//g")
- echo "[secret-init] Set STRIPFILE to ${STRIPFILE}" # DEBUG - rm for prod!
+ # echo "[secret-init] Set STRIPFILE to ${STRIPFILE}" # DEBUG - rm for prod!
 
 # ... and set value to contents of secretfile
 # since s6 uses text files, this is effectively "export ..."
- # cat ${SECRETFILE} > ${STRIPFILE}
- cat $(${SECRETFILE} | sed "s/[^\w.-]+//g") > ${STRIPFILE}
- echo "[secret-init] Set ${STRIPFILE} to $(cat ${STRIPFILE})" # DEBUG - rm for prod!"
- echo "[secret-init] Success! ${STRIPFILE} set from ${FILENAME}"
+ printf $(cat ${SECRETFILE}) > ${STRIPFILE}
+ # echo "[secret-init] Set ${STRIPFILE##*/} to $(cat ${STRIPFILE})" # DEBUG - rm for prod!"
+ echo "[secret-init] Success! ${STRIPFILE##*/} set from ${FILENAME##*/}"
 
 else
 echo "[secret-init] cannot find secret in ${FILENAME}"
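Review bot: The added `printf $(cat ${SECRETFILE}) > ${STRIPFILE}` passes the secret unquoted as printf's format string, so a password containing `%`, a backslash, whitespace or glob characters is altered or truncated before it is written, and one starting with `-` is parsed as an option. Writing it as `printf '%s' "$(cat "${SECRETFILE}")" > "${STRIPFILE}"` keeps the value intact apart from trailing newlines, which command substitution strips. The commented-out debug line that echoes `$(cat ${STRIPFILE})` would print the secret value to the container log if re-enabled, so deleting it rather than commenting it out is safer. The `for` loop and the `if` are closed outside this hunk.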