diff --git a/installer/install.sh b/installer/install.sh
index 2b70bae..ac7dcbb 100644
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -473,3 +473,83 @@ run_expert_prompts() {
     LOGTO_CONSOLE_EXPOSED="false"
   fi
 }
+
+# --- Config merge and validation ---
+
+merge_config() {
+  : "${INSTALL_DIR:=$DEFAULT_INSTALL_DIR}"
+  : "${PUBLIC_HOST:=localhost}"
+  : "${PUBLIC_PROTOCOL:=$DEFAULT_PUBLIC_PROTOCOL}"
+  : "${ADMIN_USER:=$DEFAULT_ADMIN_USER}"
+  : "${TLS_MODE:=$DEFAULT_TLS_MODE}"
+  : "${HTTP_PORT:=$DEFAULT_HTTP_PORT}"
+  : "${HTTPS_PORT:=$DEFAULT_HTTPS_PORT}"
+  : "${LOGTO_CONSOLE_PORT:=$DEFAULT_LOGTO_CONSOLE_PORT}"
+  : "${LOGTO_CONSOLE_EXPOSED:=$DEFAULT_LOGTO_CONSOLE_EXPOSED}"
+  : "${VENDOR_ENABLED:=$DEFAULT_VENDOR_ENABLED}"
+  : "${VENDOR_USER:=$DEFAULT_VENDOR_USER}"
+  : "${VERSION:=$CAMELEER_DEFAULT_VERSION}"
+  : "${COMPOSE_PROJECT:=$DEFAULT_COMPOSE_PROJECT}"
+  : "${DOCKER_SOCKET:=$DEFAULT_DOCKER_SOCKET}"
+
+  if [ -z "$NODE_TLS_REJECT" ]; then
+    if [ "$TLS_MODE" = "custom" ]; then
+      NODE_TLS_REJECT="1"
+    else
+      NODE_TLS_REJECT="0"
+    fi
+  fi
+}
+
+validate_config() {
+  local errors=0
+
+  if [ "$TLS_MODE" = "custom" ]; then
+    if [ ! -f "$CERT_FILE" ]; then
+      log_error "Certificate file not found: $CERT_FILE"
+      errors=$((errors + 1))
+    fi
+    if [ ! -f "$KEY_FILE" ]; then
+      log_error "Key file not found: $KEY_FILE"
+      errors=$((errors + 1))
+    fi
+    if [ -n "$CA_FILE" ] && [ ! -f "$CA_FILE" ]; then
+      log_error "CA bundle not found: $CA_FILE"
+      errors=$((errors + 1))
+    fi
+  fi
+
+  for port_var in HTTP_PORT HTTPS_PORT LOGTO_CONSOLE_PORT; do
+    local port_val
+    eval "port_val=\$$port_var"
+    if ! echo "$port_val" | grep -qE '^[0-9]+$' || [ "$port_val" -lt 1 ] || [ "$port_val" -gt 65535 ]; then
+      log_error "Invalid port for $port_var: $port_val"
+      errors=$((errors + 1))
+    fi
+  done
+
+  if [ $errors -gt 0 ]; then
+    log_error "Configuration validation failed."
+    exit 1
+  fi
+  log_success "Configuration validated."
+}
+
+generate_passwords() {
+  if [ -z "$ADMIN_PASS" ]; then
+    ADMIN_PASS=$(generate_password)
+    log_info "Generated admin password."
+  fi
+  if [ -z "$POSTGRES_PASSWORD" ]; then
+    POSTGRES_PASSWORD=$(generate_password)
+    log_info "Generated PostgreSQL password."
+  fi
+  if [ -z "$CLICKHOUSE_PASSWORD" ]; then
+    CLICKHOUSE_PASSWORD=$(generate_password)
+    log_info "Generated ClickHouse password."
+  fi
+  if [ "$VENDOR_ENABLED" = "true" ] && [ -z "$VENDOR_PASS" ]; then
+    VENDOR_PASS=$(generate_password)
+    log_info "Generated vendor password."
+  fi
+}