diff --git a/.dockerignore b/.dockerignore
index 40b878db5b..857f7dba66 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1,4 @@
-node_modules/
\ No newline at end of file
+node_modules/
+shields.env
+.git/
+.gitignore
diff --git a/.gitignore b/.gitignore
index 53552789a0..0a05f53c9c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 /ServerScript
 /private
 /index.html
+/shields.env
 # Folder view configuration files
 .DS_Store
diff --git a/Dockerfile b/Dockerfile
index 25d8275038..180ec4f066 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,17 @@
-FROM node:6.4.0-onbuild
-ENV INFOSITE http://shields.io
+FROM node:6.9.2-alpine
+
+RUN apk add --update gettext
+
+RUN mkdir -p /usr/src/app
+RUN mkdir /usr/src/app/private
+WORKDIR /usr/src/app
+
+ARG NODE_ENV
+ENV NODE_ENV $NODE_ENV
+COPY package.json /usr/src/app/
+RUN npm install
+COPY . /usr/src/app
+
+CMD envsubst < secret.tpl.json > ./private/secret.json && npm start
+
 EXPOSE 80
diff --git a/INSTALL.md b/INSTALL.md
index 77ad069edb..cac3711726 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -136,16 +136,17 @@ You can build and run the server locally using Docker. First build an image:
 ```console
 $ docker build -t shields .
 Sending build context to Docker daemon 3.923 MB
-Step 0 : FROM node:6.4.0-onbuild
 …
-Removing intermediate container c4678889953f
 Successfully built 4471b442c220
 ```
+Optionally, create a file called `shields.env` that contains the needed configuration. See
+`secret.example.env` for an example.
+
 Then run the container:
 ```console
-$ docker run --rm -p 8080:80 -v "$(pwd)/private/secret.json":/usr/src/app/secret.json --name shields shields
+$ docker run --rm -p 8080:80 --env-file shields.env --name shields shields
 > gh-badges@1.1.2 start /usr/src/app
 > node server.js
@@ -172,6 +173,8 @@ bintray_apikey
 bintray_user
 gh_client_id
 gh_client_secret
+gh_token
+gitter_dev_secret
 shieldsIps
 shieldsSecret
 sl_insight_apiToken
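Review bot: `private/` is not excluded in the new `.dockerignore`, although the `.gitignore` context in this commit lists `/private` as untracked local data and the Dockerfile now does `COPY . /usr/src/app`. An image built from a working tree that already holds `private/secret.json` (the path the old `docker run -v` instructions pointed at) would carry that file in an image layer, even though the container overwrites it at start. Adding a `private/` line next to `shields.env` keeps local credentials out of the build context; the Dockerfile already recreates the directory with `RUN mkdir /usr/src/app/private`.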
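Review bot: In the Dockerfile hunk, the `CMD` line renders `secret.tpl.json` with `envsubst`, which pastes each variable in verbatim, so a value containing `"` or `\` produces a `private/secret.json` that no longer parses. The `try` that opens around the secrets load in `lib/github-auth.js` suggests (its body is outside this diff) that the server would then start without secrets instead of failing. Because this is the shell form joined with `&&`, the shell remains the container's first process and `npm start` runs as its child; ending the line with `&& exec npm start` hands the process over so stop signals are delivered past the shell. The removed `ENV INFOSITE http://shields.io` also means a container started without `--env-file` has no `INFOSITE` at all, which deserves a default or a line in INSTALL.md.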
@@ -180,6 +183,9 @@ sl_insight_userUuid
 (Gathered from `cat private/secret.json | jq keys | grep -o '".*"' | sed 's/"//g'`.)
+The `secret.tpl.json` is a template file used by the Docker container to set the secrets based on
+environment variables.
+
 # Main Server Sysadmin
 - Servers in DNS round-robin:
diff --git a/lib/github-auth.js b/lib/github-auth.js
index 6cf5232c7f..9efd583086 100644
--- a/lib/github-auth.js
+++ b/lib/github-auth.js
@@ -2,6 +2,7 @@ var querystring = require('querystring');
 var request = require('request');
 var autosave = require('json-autosave');
 var serverSecrets;
+var baseUrl = process.env.BASE_URL || "https://shields.io";
 try {
 // Everything that cannot be checked in but is useful server-side
 // is stored in this JSON data.
@@ -14,6 +15,12 @@ autosave(githubUserTokensFile, {data:[]}).then(function(f) {
 for (var i = 0; i < githubUserTokens.data.length; i++) {
 addGithubToken(githubUserTokens.data[i]);
 }
+ // Personal tokens allow access to GitHub private repositories.
+ // You can manage your personal GitHub token at
+ // .
+ if (serverSecrets && serverSecrets.gh_token) {
+ addGithubToken(serverSecrets.gh_token);
+ }
 }).catch(function(e) { console.error('Could not create ' + githubUserTokensFile); });
 function setRoutes(server) {
@@ -23,7 +30,7 @@ function setRoutes(server) {
 }
 var query = querystring.stringify({
 client_id: serverSecrets.gh_client_id,
- redirect_uri: 'https://img.shields.io/github-auth/done',
+ redirect_uri: baseUrl + '/github-auth/done',
 });
 ask.res.statusCode = 302; // Found.
 ask.res.setHeader('Location', 'https://github.com/login/oauth/authorize?' + query);
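Review bot: In `lib/github-auth.js`, the fallback for `baseUrl` is `"https://shields.io"`, but the `redirect_uri` it replaces in the `setRoutes` hunk (`@@ -23,7 +30,7 @@`) was `https://img.shields.io/github-auth/done`, so a deployment that does not set `BASE_URL` now sends GitHub a different callback host than before. If the goal is only to make the host configurable, keep the previous value as the default: `var baseUrl = process.env.BASE_URL || "https://img.shields.io";`. A callback URL that differs from the one registered for the OAuth application is typically rejected by the provider, so this default is worth confirming against the app's settings. A trailing slash in `BASE_URL` should also be stripped, since `baseUrl + '/github-auth/done'` would otherwise produce `//github-auth/done`.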
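Review bot: In the `autosave(...).then` hunk of `lib/github-auth.js` (`@@ -14,6 +15,12 @@`), `serverSecrets.gh_token` is now registered only when the token file loads, whereas the block removed at `@@ -200,13 +207,6 @@` ran unconditionally at module load. If `autosave` rejects, the `.catch` prints `Could not create …` and the configured personal token is never added; the same handler would also catch an exception thrown by `addGithubToken` and report it as a file-creation problem. Consider registering the token on the failure path as well, and include the error so the two cases can be told apart: `console.error('Could not create ' + githubUserTokensFile, e);`. The callback's opening lines are outside the hunk, so whether `addGithubToken` depends on the loaded file cannot be confirmed from here.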
@@ -200,13 +207,6 @@ function rmGithubToken(token) {
 }
 }
-// Personal tokens allow access to GitHub private repositories.
-// You can manage your personal GitHub token at
-// .
-if (serverSecrets && serverSecrets.gh_token) {
- addGithubToken(serverSecrets.gh_token);
-}
-
 // Act like request(), but tweak headers and query to avoid hitting a rate
 // limit.
 function githubRequest(request, url, query, cb) {
diff --git a/secret.tpl.json b/secret.tpl.json
new file mode 100644
index 0000000000..a0875fa95f
--- /dev/null
+++ b/secret.tpl.json
@@ -0,0 +1,6 @@
+{
+ "gh_client_id": "${GH_CLIENT_ID}",
+ "gh_client_secret": "${GH_CLIENT_SECRET}",
+ "shieldsIps": [ "${SHIELDS_IP}" ],
+ "gh_token": "${GH_TOKEN}"
+}
diff --git a/shields.example.env b/shields.example.env
new file mode 100644
index 0000000000..f584fb97ea
--- /dev/null
+++ b/shields.example.env
@@ -0,0 +1,19 @@
+# Base URL for redirects etc.
+BASE_URL=http://localhost:8080
+# Where your homepage is
+INFOSITE=http://localhost:8080/try.html
+
+# GitHub settings
+GITHUB_URL=https://api.github.com
+# Create your GitHub OAuth application here: https://github.com/settings/developers
+GH_CLIENT_ID=insert_client_id
+GH_CLIENT_SECRET=insert_client_secret
+# Create your Personal Access Token here: https://github.com/settings/tokens
+GH_TOKEN=insert_token
+
+# Server settings
+PORT=80
+BIND_ADDRESS=::
+
+# IP address of your Shields server. You may use DNS here instead of IP, but that's less secure
+SHIELDS_IP=insert_shields_ip
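Review bot: Every placeholder in `secret.tpl.json` sits inside quotes, so a variable that is not set renders as an empty string rather than a missing key, giving `"shieldsIps": [ "" ]` and `"gh_client_secret": ""`. The `gh_token` check shown in `lib/github-auth.js` is a truthiness test and tolerates that, but how the consumers of `shieldsIps`, `gh_client_id` and `gh_client_secret` treat empty values is not visible in this diff and should be confirmed. The template also covers only four of the keys listed in INSTALL.md (`shieldsSecret`, `gitter_dev_secret` and the `bintray_*` and `sl_insight_*` entries are absent) and `shieldsIps` can hold a single address, so those settings cannot be supplied to the container through the environment.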
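Review bot: The file added here is named `shields.example.env`, but the INSTALL.md hunk in this commit tells readers to see `secret.example.env`; one of the two names should change so the instruction points at a real file. `GITHUB_URL`, `PORT`, `BIND_ADDRESS` and `INFOSITE` are not read by any code shown in this diff, so a short comment saying where each is consumed would help. Because the copied file will hold a live `GH_CLIENT_SECRET` and `GH_TOKEN`, a header comment such as `# Copy to shields.env (ignored by git and docker) and restrict read access to the deploying user` would be a useful addition.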