diff --git a/Containers/windmill/Dockerfile b/Containers/windmill/Dockerfile
index 8cff2402..e29c47f0 100644
--- a/Containers/windmill/Dockerfile
+++ b/Containers/windmill/Dockerfile
@@ -47,11 +47,13 @@ RUN set -ex; \
 # pre-installed runtimes would create a huge and unnecessary image layer.
 mkdir -p \
 /var/lib/postgresql/data \
+ /var/lib/windmill-dump \
 /var/run/postgresql \
 /var/log/supervisord \
 /var/run/supervisord; \
 chown -R windmill:windmill \
 /var/lib/postgresql \
+ /var/lib/windmill-dump \
 /var/run/postgresql \
 /var/log/supervisord \
 /var/run/supervisord; \
@@ -94,7 +96,7 @@ ENV UV_TOOL_BIN_DIR=/tmp/windmill/cache/uv/bin \
 REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
 NODE_EXTRA_CA_CERTS=/etc/ssl/ca-bundle.crt
 
-VOLUME ["/var/lib/postgresql/data", "/tmp/windmill/cache"]
+VOLUME ["/var/lib/postgresql/data", "/var/lib/windmill-dump", "/tmp/windmill/cache"]
 
 # Use the pre-existing windmill user (uid=1000) from the base image
 USER 1000
diff --git a/Containers/windmill/start.sh b/Containers/windmill/start.sh
index cd00aa91..93c99049 100644
--- a/Containers/windmill/start.sh
+++ b/Containers/windmill/start.sh
@@ -60,10 +60,9 @@ configure_pg() {
 cat > "$datadir/pg_hba.conf" << 'HBAEOF'
 # TYPE DATABASE USER ADDRESS METHOD
 local all all trust
-host all all 127.0.0.1/32 trust
-host all all ::1/128 trust
 HBAEOF
- echo "listen_addresses = 'localhost'" >> "$datadir/postgresql.conf"
+ # Disable TCP entirely; all communication uses the Unix socket.
+ echo "listen_addresses = ''" >> "$datadir/postgresql.conf"
 }
 
 # ── PostgreSQL major-version upgrade via dump/restore ────────────────────────
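Review bot: With TCP now disabled, the remaining `local all all trust` line in the pg_hba.conf heredoc still lets any process that can reach the Unix socket connect as any role, including `windmill`, with no credentials at all, so the only boundary left is who can open the socket directory. If every client in this container runs as the `windmill` OS user, `local all all peer` would tie the OS identity to the database role at no operational cost; if that is not the case, the reason `trust` is acceptable deserves a comment next to the heredoc, e.g. `# trust is acceptable here only because TCP is off and the socket dir is not reachable by other OS users -- confirm against the image's permissions`. The temporary restore instance later in this file places its socket in /tmp, so the same assumption should be checked there. configure_pg's body starts outside the hunk.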
@@ -110,24 +109,24 @@ if [ -f "$PGDATA/PG_VERSION" ]; then
 
 configure_pg "$PGDATA"
 
- # Start postgres temporarily on an alternate TCP port so we can import.
- # Use explicit flags; do NOT export PGPORT to avoid side-effects.
- postgres -D "$PGDATA" -h 127.0.0.1 -p 11000 &
+ # Start postgres temporarily on a socket in /tmp so we can import.
+ # No TCP port is needed since we connect via the socket.
+ postgres -D "$PGDATA" -k /tmp -h "" &
 TEMP_PG_PID=$!
 
 # Wait until postgres accepts connections
- while ! psql -h 127.0.0.1 -p 11000 -U windmill -d postgres -c "select now()" > /dev/null 2>&1; do
+ while ! psql -h /tmp -U windmill -d postgres -c "select now()" > /dev/null 2>&1; do
 echo "Waiting for the temporary database to start..."
 sleep 5
 done
 
 # Create the windmill database
- psql -h 127.0.0.1 -p 11000 -U windmill -d postgres \
+ psql -h /tmp -U windmill -d postgres \
 -c "CREATE DATABASE windmill OWNER windmill;"
 
 # Restore from dump
 echo "Restoring the database from dump..."
- psql -h 127.0.0.1 -p 11000 -U windmill -d windmill < "$DUMP_FILE"
+ psql -h /tmp -U windmill -d windmill < "$DUMP_FILE"
 
 # Stop the temporary postgres cleanly
 pg_ctl -D "$PGDATA" stop -m smart -t 1800
diff --git a/Containers/windmill/windmill-start.sh b/Containers/windmill/windmill-start.sh
index 8d2d0040..0c51735a 100644
--- a/Containers/windmill/windmill-start.sh
+++ b/Containers/windmill/windmill-start.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Wait for PostgreSQL to accept connections
-until pg_isready -h localhost -q 2>/dev/null; do
+until pg_isready -h /var/run/postgresql -q 2>/dev/null; do
 echo "Waiting for PostgreSQL to be ready..."
 sleep 2
 done
diff --git a/php/containers.json b/php/containers.json
index 4eccf00e..99c3e341 100644
--- a/php/containers.json
+++ b/php/containers.json
@@ -178,7 +178,8 @@
 "FULLTEXTSEARCH_PASSWORD",
 "IMAGINARY_SECRET",
 "WHITEBOARD_SECRET",
- "HP_SHARED_KEY"
+ "HP_SHARED_KEY",
+ "WINDMILL_SECRET"
 ],
 "volumes": [
 {
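Review bot: The readiness loop on the rewritten `while ! psql -h /tmp ...` line never checks whether the temporary postgres it waits for is still alive, so if the server exits during startup (a data-directory or version mismatch, a stale lock file) the script loops forever printing the wait message instead of failing. Adding `kill -0 "$TEMP_PG_PID" 2>/dev/null || { echo "Temporary postgres exited unexpectedly" >&2; exit 1; }` as the first statement in the loop body turns that into a hard failure the supervisor can surface. Separately, `-k /tmp` places the socket in a shared, world-writable directory while pg_hba.conf uses `trust`; a private directory created with `mktemp -d` and passed to both `-k` and the three `psql -h` calls would keep the temporary instance reachable only from this script, assuming nothing else in the container needs it during the restore. The enclosing `if [ -f "$PGDATA/PG_VERSION" ]` block starts and ends outside the hunk.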
@@ -268,7 +269,8 @@
 "HARP_ENABLED=%HARP_ENABLED%",
 "HP_SHARED_KEY=%HP_SHARED_KEY%",
 "WINDMILL_ENABLED=%WINDMILL_ENABLED%",
- "WINDMILL_HOST=nextcloud-aio-windmill"
+ "WINDMILL_HOST=nextcloud-aio-windmill",
+ "WINDMILL_SECRET=%WINDMILL_SECRET%"
 ],
 "stop_grace_period": 600,
 "restart": "unless-stopped",
@@ -980,7 +982,11 @@
 "NUM_WORKERS=1",
 "MODE=standalone",
 "DISABLE_NSJAIL=true",
- "DATABASE_URL=postgresql://windmill@localhost/windmill?host=/var/run/postgresql"
+ "DATABASE_URL=postgresql://windmill@localhost/windmill?host=/var/run/postgresql",
+ "SUPERADMIN_SECRET=%WINDMILL_SECRET%"
+ ],
+ "secrets": [
+ "WINDMILL_SECRET"
 ],
 "volumes": [
 {
@@ -994,13 +1000,14 @@
 "writeable": true
 },
 {
- "source": "nextcloud_aio_windmill",
+ "source": "nextcloud_aio_windmill_cache",
 "destination": "/tmp/windmill/cache",
 "writeable": true
 }
 ],
 "backup_volumes": [
- "nextcloud_aio_windmill_db"
+ "nextcloud_aio_windmill_db",
+ "nextcloud_aio_windmill_dump"
 ],
 "restart": "unless-stopped",
 "stop_grace_period": 1800,
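Review bot: `nextcloud_aio_windmill_dump` is added to `backup_volumes` in the last hunk, but that hunk does not show a matching entry in the container's `volumes` list; unless one exists elsewhere in this section, mounted at `/var/lib/windmill-dump` (the path declared as a VOLUME in the Dockerfile) with `"writeable": true`, the backup will include an empty volume and the dump written by start.sh will live only in the container's anonymous volume. Renaming the cache volume source from `nextcloud_aio_windmill` to `nextcloud_aio_windmill_cache` also leaves the old volume orphaned on existing installations — harmless for cache data, but it keeps consuming disk unless a cleanup path removes it, and nothing in this hunk does. The volume object preceding the renamed entry starts outside the hunk, so I cannot tell from here whether it is the dump or the db mount.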