diff --git a/Dockerfile b/Dockerfile
index 42f3d4c..fbef174 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ RUN apk add --no-cache git && \
 # Stage 2: runtime (PHP 8, Apache)
 ############################################
 FROM php:8.3-apache
-ENV TZ=UTC
+ENV TZ=UTC DBPORT=3306
 
 # System deps
 RUN apt-get update && apt-get -y upgrade && \
@@ -42,38 +42,22 @@ RUN curl -fsSL https://pear.php.net/install-pear-nozlib.phar -o /tmp/pear.phar \
 COPY --from=source /src/app/ /var/www/html/daloradius/
 COPY --from=source /src/app/common/includes/daloradius.conf.php.sample /opt/daloradius.conf.php.tmpl
 
-# Our Apache vhost (replace default)
+# Our Apache vhost (serve operators UI at /)
 COPY apache/000-default.conf /etc/apache2/sites-available/000-default.conf
-RUN a2enmod rewrite && apache2ctl -t
+RUN a2enmod rewrite && apache2ctl -t && \
+    printf 'ServerName localhost\n' > /etc/apache2/conf-available/servername.conf && a2enconf servername
 
-# (Optional) silence ServerName warning
-RUN printf 'ServerName localhost\n' > /etc/apache2/conf-available/servername.conf && a2enconf servername
-
-# Entry script: seed/refresh config from env only when needed
-COPY <<'EOF' /entrypoint.sh
-#!/usr/bin/env bash
-set -euo pipefail
-CFG="/var/www/html/daloradius/common/includes/daloradius.conf.php"
-TMPL="/opt/daloradius.conf.php.tmpl"
-
-# Seed if missing
-if [ ! -f "$CFG" ]; then cp "$TMPL" "$CFG"; fi
-
-# Render if forced or empty
-if [ "${FORCE_RENDER:-0}" = "1" ] || [ ! -s "$CFG" ]; then
-  : "${DBHOST:?set DBHOST}"; : "${DBNAME:?set DBNAME}"; : "${DBUSER:?set DBUSER}"; : "${DBPASS:?set DBPASS}"
-  sed -i \
-    -e "s|\$configValues\['CONFIG_DB_HOST'\].*|\$configValues['CONFIG_DB_HOST']   = '${DBHOST}';|g" \
-    -e "s|\$configValues\['CONFIG_DB_USER'\].*|\$configValues['CONFIG_DB_USER']   = '${DBUSER}';|g" \
-    -e "s|\$configValues\['CONFIG_DB_PASS'\].*|\$configValues['CONFIG_DB_PASS']   = '${DBPASS}';|g" \
-    -e "s|\$configValues\['CONFIG_DB_NAME'\].*|\$configValues['CONFIG_DB_NAME']   = '${DBNAME}';|g" \
-    "$CFG"
-fi
-
-exec apachectl -DFOREGROUND
-EOF
+# DB override snippet + entrypoint
+COPY config/override-db.php /opt/override-db.php
+COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
+# Permissions (readable by Apache)
+RUN chown -R www-data:www-data /var/www/html && \
+    find /var/www/html -type d -exec chmod 755 {} \; && \
+    find /var/www/html -type f -exec chmod 644 {} \;
+
 EXPOSE 80
 HEALTHCHECK --interval=30s --timeout=5s --retries=5 CMD curl -fsS http://localhost/ || exit 1
+
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/apache/000-default.conf b/apache/000-default.conf
index b7869a4..4bdd009 100644
--- a/apache/000-default.conf
+++ b/apache/000-default.conf
@@ -7,4 +7,6 @@
     Require all granted
   </Directory>
   DirectoryIndex index.php
+  ErrorLog ${APACHE_LOG_DIR}/error.log
+  CustomLog ${APACHE_LOG_DIR}/access.log combined
 </VirtualHost>
diff --git a/config/override-db.php b/config/override-db.php
new file mode 100644
index 0000000..05417e8
--- /dev/null
+++ b/config/override-db.php
@@ -0,0 +1,8 @@
+<?php
+// ---- overrides injected at runtime ----
+$configValues['CONFIG_DB_ENGINE'] = 'mysqli';
+$configValues['CONFIG_DB_HOST']   = getenv('DBHOST') ?: 'db';
+$configValues['CONFIG_DB_PORT']   = getenv('DBPORT') ?: '3306';
+$configValues['CONFIG_DB_USER']   = getenv('DBUSER') ?: 'radius';
+$configValues['CONFIG_DB_PASS']   = getenv('DBPASS') ?: '';
+$configValues['CONFIG_DB_NAME']   = getenv('DBNAME') ?: 'radius';
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..0448b39
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CFG="/var/www/html/daloradius/common/includes/daloradius.conf.php"
+TMPL="/opt/daloradius.conf.php.tmpl"
+OVR="/opt/override-db.php"
+
+# Always (re)seed from upstream sample, then append our override
+mkdir -p "$(dirname "$CFG")"
+cp -f "$TMPL" "$CFG"
+cat "$OVR" >> "$CFG"
+
+# Start Apache in foreground
+exec apachectl -DFOREGROUND