diff --git a/.gitea/workflows/deploy-socialize.yml b/.gitea/workflows/deploy-socialize.yml
index f131bcc..6949194 100644
--- a/.gitea/workflows/deploy-socialize.yml
+++ b/.gitea/workflows/deploy-socialize.yml
@@ -46,9 +46,24 @@ jobs: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} DEPLOY_USER: ${{ secrets.DEPLOY_USER }} DEPLOY_SSH_PRIVATE_KEY_B64: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY_B64 }} + POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }} run: | + : "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD secret is required}" + mkdir -p ~/.ssh printf '%s' "$DEPLOY_SSH_PRIVATE_KEY_B64" | base64 -d > ~/.ssh/deploy_key chmod 600 ~/.ssh/deploy_key + + deploy_env="$(mktemp)" + { + printf 'POSTGRES_USER=sa\n' + printf 'POSTGRES_PASSWORD=%s\n' "$POSTGRES_PASSWORD" + printf 'POSTGRES_DB=socialize\n' + printf 'ASPNETCORE_ENVIRONMENT=Production\n' + } > "$deploy_env" + + scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$deploy_env" "$DEPLOY_USER@$DEPLOY_HOST:/srv/prod/socialize/.env" + rm -f "$deploy_env" + + ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$DEPLOY_USER@$DEPLOY_HOST" \ 'cd /srv/prod/socialize && ./deploy.sh'
diff --git a/.gitignore b/.gitignore
index e24fd68..de2be00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,6 +34,7 @@ dist/ .vite/ # Local environment files +.env *.local .env.local .env.*.local
diff --git a/README.md b/README.md
index c5d10a6..baff943 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,9 @@ http://localhost:8080 http://:8080 ``` +For preprod deployment, configure the `POSTGRES_PASSWORD` Gitea secret. +The deploy workflow writes the remote `.env` file before running the server deploy script. + ## Solution ```bash
diff --git a/docker-compose.yml b/docker-compose.yml
index 8624381..7373eed 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
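Review bot: In `.gitea/workflows/deploy-socialize.yml` the added `scp` line carries the database password over a connection made with `StrictHostKeyChecking=accept-new` and no `known_hosts` written in this step, so on a runner that starts with a fresh home directory the host key is accepted unseen on every run and the step cannot tell the real deploy host from another machine answering at that address. Pin the server's host key from a secret and switch both `scp` and `ssh` to `StrictHostKeyChecking=yes`. Two smaller gaps sit in the same lines: `rm -f "$deploy_env"` is skipped when `scp` fails if the step shell exits on error, which a `trap` covers, and a remote `.env` that already exists presumably keeps its previous mode, so set it to 600 explicitly. The `run:` block begins above the hunk, and `DEPLOY_KNOWN_HOSTS` in the sketch is a placeholder secret name.

```yaml
          # … unchanged: DEPLOY_HOST, DEPLOY_USER, DEPLOY_SSH_PRIVATE_KEY_B64, POSTGRES_PASSWORD …
          DEPLOY_KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }}  # placeholder: the server's public host key line
        run: |
          # … unchanged: POSTGRES_PASSWORD check, deploy_key setup …
          printf '%s\n' "$DEPLOY_KNOWN_HOSTS" > ~/.ssh/known_hosts

          deploy_env="$(mktemp)"
          # Remove the plaintext secret file on every exit path, not only after a successful copy.
          trap 'rm -f "$deploy_env"' EXIT
          # … unchanged: printf block writing "$deploy_env" …

          scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes "$deploy_env" "$DEPLOY_USER@$DEPLOY_HOST:/srv/prod/socialize/.env"

          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes "$DEPLOY_USER@$DEPLOY_HOST" \
            'cd /srv/prod/socialize && chmod 600 .env && ./deploy.sh'
```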
@@ -2,9 +2,9 @@ services:
 postgres:
 image: postgres:latest
 environment:
- POSTGRES_USER: sa
- POSTGRES_PASSWORD: P@ssword123!
- POSTGRES_DB: socialize
+ POSTGRES_USER: ${POSTGRES_USER:-sa}
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}
+ POSTGRES_DB: ${POSTGRES_DB:-socialize}
 ports:
 - "5433:5432"
 healthcheck:
@@ -18,9 +18,9 @@ services:
 context: .
 dockerfile: backend/src/Socialize.Api/Dockerfile
 environment:
- ASPNETCORE_ENVIRONMENT: Development
+ ASPNETCORE_ENVIRONMENT: ${ASPNETCORE_ENVIRONMENT:-Development}
 ASPNETCORE_URLS: http://0.0.0.0:8080
- ConnectionStrings__PostgresConnection: Host=postgres;Port=5432;Database=socialize;Username=sa;Password=P@ssword123!
+ ConnectionStrings__PostgresConnection: Host=postgres;Port=5432;Database=${POSTGRES_DB:-socialize};Username=${POSTGRES_USER:-sa};Password=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}
 depends_on:
 postgres:
 condition: service_healthy
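Review bot: In the first hunk (`postgres` service) the removed `POSTGRES_PASSWORD: P@ssword123!` remains readable in the repository history unless history is rewritten, so parameterising the file does not retire that credential. Any database that was ever initialised with it should have its password changed, and the new `POSTGRES_PASSWORD` secret should be a different value. The official postgres image applies `POSTGRES_PASSWORD` only when it initialises an empty data directory, so if a data volume persists on the server the old password stays in force until it is changed inside the database. A comment above the `environment:` block such as `# POSTGRES_* come from .env (git-ignored); POSTGRES_PASSWORD has no default on purpose` would also tell local developers why `docker compose up` now fails without it.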
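Review bot: In the second hunk the password is spliced unescaped into `ConnectionStrings__PostgresConnection`, so a secret containing `;` ends the `Password=` value early and the remainder is parsed as further connection-string keywords, while the `postgres` service still receives the full value. The same secret also passes through the `.env` file that the deploy workflow writes unquoted, where Compose applies its own handling of `$`, `#` and quote characters, so a generated password can reach the containers altered. Either document the allowed character set next to the `POSTGRES_PASSWORD` secret, or quote the value at both layers, for example `Password='${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}'` here. Confirm that quoting against the connection-string parser the API uses (presumably Npgsql) before relying on it.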