diff --git a/docker-compose.yml b/docker-compose.yml
index 1f6dc64..e995c92 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -116,27 +116,28 @@ services:
     depends_on:
       logto:
         condition: service_healthy
-    env_file:
-      - path: .env
-        required: false
     volumes:
       - bootstrapdata:/data/bootstrap:ro
       - certs:/certs
       - /var/run/docker.sock:/var/run/docker.sock
     environment:
+      # Docker
       DOCKER_HOST: unix:///var/run/docker.sock
+      # SaaS database
       SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-cameleer_saas}
       SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
       SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
+      # Identity (Logto)
       CAMELEER_SAAS_IDENTITY_LOGTOENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
       CAMELEER_SAAS_IDENTITY_LOGTOPUBLICENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
+      CAMELEER_SAAS_IDENTITY_M2MCLIENTID: ${LOGTO_M2M_CLIENT_ID:-}
+      CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET: ${LOGTO_M2M_CLIENT_SECRET:-}
+      # Provisioning — passed to per-tenant server containers
+      CAMELEER_SAAS_PROVISIONING_PUBLICHOST: ${PUBLIC_HOST:-localhost}
+      CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL: ${PUBLIC_PROTOCOL:-https}
       CAMELEER_SAAS_PROVISIONING_DATASOURCEUSERNAME: ${POSTGRES_USER:-cameleer}
       CAMELEER_SAAS_PROVISIONING_DATASOURCEPASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
       CAMELEER_SAAS_PROVISIONING_CLICKHOUSEPASSWORD: ${CLICKHOUSE_PASSWORD:-cameleer_ch}
-      CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL: ${PUBLIC_PROTOCOL:-https}
-      CAMELEER_SAAS_PROVISIONING_PUBLICHOST: ${PUBLIC_HOST:-localhost}
-      CAMELEER_SAAS_IDENTITY_M2MCLIENTID: ${LOGTO_M2M_CLIENT_ID:-}
-      CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET: ${LOGTO_M2M_CLIENT_SECRET:-}
     labels:
       - traefik.enable=true
       - traefik.http.routers.saas.rule=PathPrefix(`/platform`)
diff --git a/installer/install.sh b/installer/install.sh
index 743a29f..f015b2c 100644
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -840,22 +840,24 @@ EOF
     depends_on:
       logto:
         condition: service_healthy
-    env_file:
-      - .env
     environment:
+      # Docker
       DOCKER_HOST: unix:///var/run/docker.sock
+      # SaaS database
       SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/cameleer_saas
       SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
       SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      # Identity (Logto)
       CAMELEER_SAAS_IDENTITY_LOGTOENDPOINT: http://logto:3001
       CAMELEER_SAAS_IDENTITY_LOGTOPUBLICENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
+      # Provisioning — passed to per-tenant server containers
+      CAMELEER_SAAS_PROVISIONING_PUBLICHOST: ${PUBLIC_HOST:-localhost}
+      CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL: ${PUBLIC_PROTOCOL:-https}
+      CAMELEER_SAAS_PROVISIONING_NETWORKNAME: ${COMPOSE_PROJECT_NAME:-cameleer-saas}_cameleer
+      CAMELEER_SAAS_PROVISIONING_TRAEFIKNETWORK: cameleer-traefik
       CAMELEER_SAAS_PROVISIONING_DATASOURCEUSERNAME: ${POSTGRES_USER:-cameleer}
       CAMELEER_SAAS_PROVISIONING_DATASOURCEPASSWORD: ${POSTGRES_PASSWORD}
       CAMELEER_SAAS_PROVISIONING_CLICKHOUSEPASSWORD: ${CLICKHOUSE_PASSWORD}
-      CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL: ${PUBLIC_PROTOCOL:-https}
-      CAMELEER_SAAS_PROVISIONING_PUBLICHOST: ${PUBLIC_HOST:-localhost}
-      CAMELEER_SAAS_PROVISIONING_NETWORKNAME: ${COMPOSE_PROJECT_NAME:-cameleer-saas}_cameleer
-      CAMELEER_SAAS_PROVISIONING_TRAEFIKNETWORK: cameleer-traefik
       CAMELEER_SAAS_PROVISIONING_SERVERIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERIMAGE:-gitea.siegeln.net/cameleer/cameleer3-server:latest}
       CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE: ${CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE:-gitea.siegeln.net/cameleer/cameleer3-server-ui:latest}
     labels: