diff --git a/.env b/.env
new file mode 100644
index 0000000..38e1ef2
--- /dev/null
+++ b/.env
@@ -0,0 +1,6 @@
+CATALINA_HOME=/opt/tomcat9
+SC_PUBLISHED_HOST=smartconnect.internal.yel.or.id
+SC_FILESTORE_LOCATION=/data/SMARTConnect
+SC_SERVER_ADMIN=hendra@yel.or.id
+DNS_CLOUDFLARE_API_TOKEN=3WedMWHhoDPxge5yMPJgQPFhRXCTp6zpasTIlaIu
+POSTGRES_PASSWORD=Sm@rtConnIX3
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index c9558f0..39e18cc 100644
--- a/Dockerfile
+++ b/Dockerfile
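Review bot: The new `.env` commits what look like working credentials: the `DNS_CLOUDFLARE_API_TOKEN` value and `POSTGRES_PASSWORD` are now part of the repository history, so both should be rotated rather than only deleted in a follow-up commit. Keep the real file out of version control (`.env` listed in `.gitignore` and `.dockerignore`) and commit a template instead, for example a `.env.example` with `DNS_CLOUDFLARE_API_TOKEN=<cloudflare-token>` and `POSTGRES_PASSWORD=<postgres-password>`. When the token is reissued, it is worth scoping it to DNS edit on the single zone certbot needs, if it is not already.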
@@ -4,41 +4,74 @@ LABEL org.opencontainers.image.authors="Hazza" ENV DOCKER_NAME="docker-smartconnect7" +ARG CATALINA_HOME + +ARG SC_PUBLISHED_HOST + +ARG SC_FILESTORE_LOCATION + +ARG SC_SERVER_ADMIN + +ARG DNS_CLOUDFLARE_API_TOKEN + ENV TIME_ZONE="Asia/Jakarta" -ENV CATALINA_HOME /opt/tomcat9 +ENV CATALINA_HOME=$CATALINA_HOME -ENV PATH $CATALINA_HOME/bin:$PATH +ENV PATH=$CATALINA_HOME/bin:$PATH -RUM mkdir /data +RUN mkdir /app && mkdir -p $SC_FILESTORE_LOCATION -WORKDIR /data +WORKDIR /app -ENV SMARTCONNECT_DATA /data/SMARTConnect +ADD ./app /app/ + +ENV SMARTCONNECT_DATA=$SC_FILESTORE_LOCATION + +RUN apt update + +RUN apt install postgresql-client certbot python3-certbot-dns-cloudflare -y && apt clean && rm -rf /var/lib/apt/lists/* RUN set -eux; \ - export TOMCAT_VERSION=$(curl --silent https://dlcdn.apache.org/tomcat/tomcat-9/ | grep v9 | tail -n 1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | tail -n 1); \ - echo ">>> latest Tomcat version: ${TOMCAT_VERSION}"; \ - export TOMCAT_URL="https://dlcdn.apache.org/tomcat/tomcat-9/${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION#v}.tar.gz"; \ - export TOMCAT_FILE=tomcat.tar.gz; \ - export TOMCAT_SHA512_URL="https://dlcdn.apache.org/tomcat/tomcat-9/${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION#v}.tar.gz.sha512"; \ - export TOMCAT_SHA512_FILE=tomcat.tar.gz.sha512; \ - wget -O "$TOMCAT_FILE" "$TOMCAT_URL"; \ - wget -O "$TOMCAT_SHA512_FILE" "$TOMCAT_SHA512_URL"; \ - HASH=$(cat $TOMCAT_SHA512_FILE | cut -d ' ' -f 1); \ - HASH="$HASH $TOMCAT_FILE"; \ - echo ">>> $HASH"; \ - echo $HASH | sha512sum -c; \ - mkdir -p "$CATALINA_HOME"; \ - tar --extract \ - --file "$TOMCAT_FILE" \ - --directory "$CATALINA_HOME" \ - --strip-components 1 \ - --no-same-owner \ - ; \ - rm "$TOMCAT_FILE"; \ - echo "[$(date)] [$DOCKER_NAME] [$TOMCAT_URL]" >> /.components; +export TOMCAT_VERSION=$(curl --silent https://dlcdn.apache.org/tomcat/tomcat-9/ | grep v9 | tail -n 1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | tail -n 1); \ +echo ">>> latest 
Tomcat version: ${TOMCAT_VERSION}"; \ +export TOMCAT_URL="https://dlcdn.apache.org/tomcat/tomcat-9/${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION#v}.tar.gz"; \ +export TOMCAT_FILE=tomcat.tar.gz; \ +export TOMCAT_SHA512_URL="https://dlcdn.apache.org/tomcat/tomcat-9/${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION#v}.tar.gz.sha512"; \ +export TOMCAT_SHA512_FILE=tomcat.tar.gz.sha512; \ +wget -O "$TOMCAT_FILE" "$TOMCAT_URL"; \ +wget -O "$TOMCAT_SHA512_FILE" "$TOMCAT_SHA512_URL"; \ +HASH=$(cat $TOMCAT_SHA512_FILE | cut -d ' ' -f 1); \ +HASH="$HASH $TOMCAT_FILE"; \ +echo ">>> $HASH"; \ +echo $HASH | sha512sum -c; \ +mkdir -p "$CATALINA_HOME"; \ +tar --extract --file "$TOMCAT_FILE" --directory "$CATALINA_HOME" --strip-components 1 --no-same-owner; \ +rm "$TOMCAT_FILE"; \ +echo "[$(date)] [$DOCKER_NAME] [$TOMCAT_URL]" >> /.components; + +RUN mkdir -p ~/.secrets/certbot && printf "dns_cloudflare_api_token=$DNS_CLOUDFLARE_API_TOKEN" >> ~/.secrets/certbot/cloudflare.ini && chmod 600 ~/.secrets/certbot/cloudflare.ini + +RUN printf "pgsql-postgis:5432:*:postgres:${POSTGRES_PASSWORD}" >> ~/.pgpass && chmod 600 ~/.pgpass + +RUN psql -h pgsql-postgis -p 5432 -U postgres -f db/db_preparation.sql + +RUN psql -h pgsql-postgis -p 5432 -d yel_scdb -U postgres -f db/scdb_import.sql + +RUN certbot certonly \ +-a dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \ +--non-interactive --agree-tos --no-eff-email -m $SC_SERVER_ADMIN \ +-d $SC_PUBLISHED_HOST + +RUN rm -rf $CATALINA_HOME/webapps && mkdir $CATALINA_HOME/conf/cert && cp -f conf/server.xml $CATALINA_HOME/conf/ && cp webapps $CATALINA_HOME/ && cp lib/* $CATALINA_HOME/lib/ + +RUN cp -Lf /etc/letsencrypt/live/$SC_PUBLISHED_HOST/{cert,chain,privkey}.pem $CATALINA_HOME/conf/cert/ + +RUN printf "#!/bin/sh\n\n\ +cp -Lf /etc/letsencrypt/live/$SC_PUBLISHED_HOST/{cert,chain,privkey}.pem /opt/tomcat9/conf/cert/\n" >> /etc/letsencrypt/renewal-hooks/deploy/sc7_certbot_deploy.sh \ +&& chmod 750 
/etc/letsencrypt/renewal-hooks/deploy/sc7_certbot_deploy.sh + + -EXPOSE 8080 CMD ["sh"] \ No newline at end of file diff --git a/app/conf/server.xml b/app/conf/server.xml new file mode 100644 index 0000000..a050888 --- /dev/null +++ b/app/conf/server.xml @@ -0,0 +1,80 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/app/db/db_preparation.sql b/app/db/db_preparation.sql new file mode 100644 index 0000000..306f208 --- /dev/null +++ b/app/db/db_preparation.sql @@ -0,0 +1,17 @@ +-- SMART7 database preparation + +-- 1) install postgis extension +-- Not Needed: already installed because we use postgis/postgis:11-2.5 docker image +-- CREATE EXTENSION postgis; + +-- 2) install uuid-ossp extension +CREATE EXTENSION "uuid-ossp"; + +-- 3) Create Specific User for SMARTConnect 7 with password +CREATE USER scadmin PASSWORD 'Sm@rtConnIX3'; + +-- 4) Create DB for SMARTConnect 7 and make newly created user above as the owner +CREATE DATABASE yel_scdb WITH OWNER scadmin; + +-- 5) Grant all privileges on database yel_scdb to scadmin +GRANT ALL PRIVILEGES ON DATABASE yel_scdb TO scadmin; diff --git a/db/connect.sql b/app/db/scdb_import.sql similarity index 100% rename from db/connect.sql rename to app/db/scdb_import.sql diff --git a/lib/jBCrypt-0.4.jar b/app/lib/jBCrypt-0.4.jar similarity index 100% rename from lib/jBCrypt-0.4.jar rename to app/lib/jBCrypt-0.4.jar diff --git a/lib/javax.activation-1.2.0.jar b/app/lib/javax.activation-1.2.0.jar similarity index 100% rename from lib/javax.activation-1.2.0.jar rename to app/lib/javax.activation-1.2.0.jar diff --git a/lib/javax.mail-1.6.2.jar b/app/lib/javax.mail-1.6.2.jar similarity index 100% rename from lib/javax.mail-1.6.2.jar rename to app/lib/javax.mail-1.6.2.jar diff --git a/lib/postgresql-42.7.7.jar b/app/lib/postgresql-42.7.7.jar similarity index 100% rename from lib/postgresql-42.7.7.jar rename to app/lib/postgresql-42.7.7.jar 
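Review bot: The Cloudflare token arrives as `ARG DNS_CLOUDFLARE_API_TOKEN` and is written to `~/.secrets/certbot/cloudflare.ini` by a `RUN printf`, so it is stored in an image layer and in the build history of every image built from this file, and the later `certbot certonly` and `cp -Lf …privkey.pem` steps put the TLS private key into layers as well. `${POSTGRES_PASSWORD}` has no matching `ARG` in this hunk and is not among the compose build args, so `~/.pgpass` is presumably written with an empty password; declaring it as an `ARG` would only add a second secret to the layers. The `psql` and `certbot` steps depend on a reachable database and on DNS at build time, so they fit better in an entrypoint script run at container start with credentials supplied as runtime secrets; if issuance must stay in the build, use a secret mount, `RUN --mount=type=secret,id=cloudflare_ini,target=/root/.secrets/certbot/cloudflare.ini certbot certonly …`. Separately, `{cert,chain,privkey}.pem` relies on brace expansion, which the default `/bin/sh` of a Debian-based image does not perform (apt is used here; the `FROM` line is outside the hunk), and `cp webapps $CATALINA_HOME/` needs `-r` if `webapps` is a directory.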
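Review bot: `CREATE USER scadmin PASSWORD '…'` hard-codes the application role's password in a committed script, and it is the same literal that `.env` sets as `POSTGRES_PASSWORD`, so the superuser and the application account share one published secret. Pass it in as a psql variable instead, `CREATE USER scadmin PASSWORD :'sc_db_password';`, with the value supplied through `psql -v sc_db_password=…` from a runtime secret, and give the two accounts different passwords. Also, `CREATE EXTENSION "uuid-ossp"` runs before `yel_scdb` exists and the Dockerfile invokes this script without `-d`, so the extension presumably lands in the default database rather than in `yel_scdb`; unless `scdb_import.sql` creates it, it would need to run after connecting to the new database. Step 5 is redundant once `scadmin` owns the database.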
diff --git a/lib/smart-bcrypt.jar b/app/lib/smart-bcrypt.jar similarity index 100% rename from lib/smart-bcrypt.jar rename to app/lib/smart-bcrypt.jar diff --git a/webapps/server.war b/app/webapps/ROOT.war similarity index 100% rename from webapps/server.war rename to app/webapps/ROOT.war diff --git a/conf/server.xml b/conf/server.xml deleted file mode 100644 index cbc7f4a..0000000 --- a/conf/server.xml +++ /dev/null @@ -1,138 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docker-compose.yml b/docker-compose.yml index 426e190..6a8a166 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,15 +2,21 @@ services: smartconnect7: build: context: . + args: + - CATALINA_HOME=${CATALINA_HOME} + - SC_PUBLISHED_HOST=${SC_PUBLISHED_HOST} + - SC_FILESTORE_LOCATION=${SC_FILESTORE_LOCATION} + - SC_SERVER_ADMIN=${SC_SERVER_ADMIN} + - DNS_CLOUDFLARE_API_TOKEN=${DNS_CLOUDFLARE_API_TOKEN} container_name: SMARTConnect7 volumes: - - catalina_home:/opt/tomcat9 - - smart_data:/data/SMARTConnect + - catalina_home:${CATALINA_HOME} + - sc_filestore:${SC_FILESTORE_LOCATION} + - letsencrypt:/etc/letsencrypt networks: - frontend - backend ports: - - "8080:8080" - "8443:8443" stdin_open: true tty: true @@ -19,14 +25,13 @@ services: image: postgis/postgis:11-2.5 environment: PGDATA: /pgdata - POSTGRES_PASSWORD: dspace + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} volumes: - pgdata:/pgdata networks: - backend ports: - - "8080:8080" - - "8443:8443" + - "5432:5432" stdin_open: true tty: true @@ -36,5 +41,6 @@ networks: volumes: catalina_home: - smart_data: + sc_filestore: + letsencrypt: pgdata: \ No newline at end of file
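Review bot: The new `- "5432:5432"` mapping on the PostGIS service publishes PostgreSQL on every host interface, although the application container already reaches it over the `backend` network. Unless external clients are intended, drop the mapping or bind it to loopback, `- "127.0.0.1:5432:5432"`. The exposure matters more here because the `postgres` superuser password now comes from the committed `.env`.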