diff --git a/defaults/main.yml b/defaults/main.yml
index 669f9e0..a4799f3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,8 +2,9 @@
 redis_pass: "{{ vault_mastodon_redis_password }}"
 mastodon_secret_key_base: "{{ vault_mastodon_secret_key_base }}"
 mastodon_otp_secret: "{{ vault_mastodon_otp_secret }}"
-vapid_public_key: "{{ vault_vapid_public_key }}"
-vapid_private_key: "{{ vault_vapid_private_key }}"
+mastodon_paperclip_secret: "{{ vault_mastodon_paperclip_secret }}"
+vapid_public_key: "{{ vault_mastodon_vapid_public_key }}"
+vapid_private_key: "{{ vault_mastodon_vapid_private_key }}"
 smtp_from_address: mastodon-admin@example.com
 smtp_server: mail.example.com
 mastodon_host: mastodon.example.com
diff --git a/tasks/docker/docker.yml b/tasks/docker/docker.yml
index fb42853..be83963 100644
--- a/tasks/docker/docker.yml
+++ b/tasks/docker/docker.yml
@@ -25,8 +25,63 @@
 src: templates/env.j2
 dest: "{{ mastodon_composer_folder }}/.env.production"
 
-- name: Ensure Mastodon container is composed
+- name: Build Mastodon container
 community.docker.docker_compose:
 project_name: mastodon
 project_src: "{{ mastodon_composer_folder }}/"
 state: present
+
+- name: Generate secret key
+ shell: docker-compose run --rm web bundle exec rake secret
+ register: secret_key_cmd
+ when: mastodon_secret_key_base == ''
+
+- name: Add secret key to Mastodon config
+ lineinfile:
+ path: "{{ mastodon_composer_folder }}/.env.production"
+ line: "SECRET_KEY_BASE={{ secret_key_cmd.stdout }}"
+ regexp: "^SECRET_KEY_BASE="
+ backup: yes
+
+- name: Generate OTP secret key
+ shell: docker-compose run --rm web bundle exec rake secret
+ register: otp_key_cmd
+ when: mastodon_otp_secret == ''
+
+- name: Add OTP key to Mastodon config
+ lineinfile:
+ path: "{{ mastodon_composer_folder }}/.env.production"
+ line: "OTP_SECRET={{ otp_key_cmd.stdout }}"
+ regexp: "^OTP_SECRET="
+ backup: yes
+
+- name: Generate Paperclip secret key
+ shell: docker-compose run --rm web bundle exec rake secret
+ register: paperclip_key_cmd
+ when: mastodon_paperclip_secret == ''
+
+- name: Add Paperclip key to Mastodon config
+ lineinfile:
+ path: "{{ mastodon_composer_folder }}/.env.production"
+ line: "PAPERCLIP_SECRET={{ paperclip_key_cmd.stdout }}"
+ regexp: "^PAPERCLIP_SECRET="
+ backup: yes
+
+- name: Generate VAPID keypair
+ shell: docker-compose run --rm web bundle exec rake mastodon:webpush:generate_vapid_key
+ register: vapid_key_cmd
+ when: vapid_public_key == ''
+
+- name: Add Paperclip private key to Mastodon config
+ lineinfile:
+ path: "{{ mastodon_composer_folder }}/.env.production"
+ line: "{{ vapid_key_cmd.stdout_lines[0] }}"
+ regexp: "^VAPID_PRIVATE_KEY="
+ backup: yes
+
+- name: Add Paperclip public key to Mastodon config
+ lineinfile:
+ path: "{{ mastodon_composer_folder }}/.env.production"
+ line: "{{ vapid_key_cmd.stdout_lines[1] }}"
+ regexp: "^VAPID_PUBLIC_KEY="
+ backup: yes