diff --git a/.env.docker b/.env.docker
index b512ce5d0..dd7a06887 100644
--- a/.env.docker
+++ b/.env.docker
@@ -1,6 +1,8 @@
 # -*- mode: bash -*-
 # vi: ft=bash
 
+# shellcheck disable=SC2034
+
 ###############################################################
 # Docker-wide configuration
 ###############################################################
@@ -32,6 +34,15 @@ TZ="UTC"
 # Automatically run [artisan migrate --force] if new migrations are detected.
 DOCKER_APPLY_NEW_MIGRATIONS_AUTOMATICALLY="0"
 
+# Automatically run "One-time setup tasks" commands.
+#
+# If you are migrating to this docker-compose setup or have manually run the "One time seutp"
+# tasks (https://docs.pixelfed.org/running-pixelfed/installation/#setting-up-services)
+# you can set this to "0" to prevent them from running.
+#
+# Otherwise, leave it at "1" to have them run *once*.
+DOCKER_RUN_ONE_TIME_SETUP_TASKS="1"
+
 # The e-mail to use for Lets Encrypt certificate requests.
 LETSENCRYPT_EMAIL="__CHANGE_ME__"
 
@@ -294,7 +305,7 @@ DB_HOST="db"
 DB_USERNAME="pixelfed"
 
 # See: https://docs.pixelfed.org/technical-documentation/config/#db_password
-DB_PASSWORD="helloworld"
+DB_PASSWORD="__CHANGE_ME__"
 
 # See: https://docs.pixelfed.org/technical-documentation/config/#db_database
 DB_DATABASE="pixelfed_prod"
@@ -751,7 +762,7 @@ LOG_CHANNEL="stderr"
 # - "null" (default)
 #
 # See: https://docs.pixelfed.org/technical-documentation/config/#broadcast_driver
-BROADCAST_DRIVER=redis
+BROADCAST_DRIVER="redis"
 
 ###############################################################
 # Other settings
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index bf73cc946..bda7004e6 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -102,25 +102,14 @@ jobs:
       packages: write
 
     env:
-      # Set the repo variable [DOCKER_HUB_USERNAME] to override the default at https://github.com/<user>/<project>/settings/variables/actions
-      #
-      # NOTE: no login attempt will happen with Docker Hub until this secret is set
+      # Set the repo variable [DOCKER_HUB_USERNAME] to override the default
+      # at https://github.com/<user>/<project>/settings/variables/actions
       DOCKER_HUB_USERNAME: ${{ vars.DOCKER_HUB_USERNAME || 'pixelfed' }}
 
-      # Set the repo variable [DOCKER_HUB_ORGANISATION] to override the default at https://github.com/<user>/<project>/settings/variables/actions
-      #
-      # NOTE: no login attempt will happen with Docker Hub until this secret is set
-      DOCKER_HUB_ORGANISATION: ${{ vars.DOCKER_HUB_ORGANISATION || 'pixelfed' }}
-
-      # Set the repo variable [DOCKER_HUB_REPO] to override the default at https://github.com/<user>/<project>/settings/variables/actions
-      #
-      # NOTE: no login attempt will happen with Docker Hub until this secret is set
-      DOCKER_HUB_REPO: ${{ vars.DOCKER_HUB_REPO || 'pixelfed' }}
-
       # For Docker Hub pushing to work, you need the secret [DOCKER_HUB_TOKEN]
       # set to your Personal Access Token at https://github.com/<user>/<project>/settings/secrets/actions
       #
-      # NOTE: no login attempt will happen with Docker Hub until this secret is set
+      # ! NOTE: no [login] or [push] will happen to Docker Hub until this secret is set!
       HAS_DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN != '' }}
 
     steps:
@@ -136,6 +125,7 @@ jobs:
         with:
           version: v0.12.0 # *or* newer, needed for annotations to work
 
+        # See: https://github.com/docker/login-action?tab=readme-ov-file#github-container-registry
       - name: Log in to the GitHub Container registry
         uses: docker/login-action@v3
         with:
@@ -143,12 +133,13 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+        # See: https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
       - name: Login to Docker Hub registry (conditionally)
+        if: ${{ env.HAS_DOCKER_HUB_TOKEN == true }}
         uses: docker/login-action@v3
         with:
           username: ${{ env.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
-        if: ${{ env.HAS_DOCKER_HUB_TOKEN == true }}
 
       - name: Docker meta
         uses: docker/metadata-action@v5
@@ -156,7 +147,7 @@ jobs:
         with:
           images: |
             name=ghcr.io/${{ github.repository }},enable=true
-            name=${{ env.DOCKER_HUB_ORGANISATION }}/${{ env.DOCKER_HUB_REPO }},enable=${{ env.HAS_DOCKER_HUB_TOKEN }}
+            name=${{ vars.GITHUB_REPOSITORY }},enable=${{ env.HAS_DOCKER_HUB_TOKEN }}
           flavor: |
             latest=auto
             suffix=-${{ matrix.target_runtime }}-${{ matrix.php_version }}
diff --git a/docker-compose.yml b/docker-compose.yml
index 574cb1ec8..0e5d2bb19 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -81,7 +81,7 @@ services:
       com.github.nginx-proxy.nginx-proxy.http2.enable: true
       com.github.nginx-proxy.nginx-proxy.http3.enable: true
     ports:
-      - "${DOCKER_WEB_PORT_EXTERNAL_HTTP}:80"
+      - "${DOCKER_WEB_PORT_EXTERNAL_HTTP:-8080}:80"
     depends_on:
       - db
       - redis