diff --git a/.gitmodules b/.gitmodules index ddbae3c..912edf8 100644 --- a/.gitmodules +++ b/.gitmodules @@ -5,3 +5,6 @@ [submodule "rss-bridge"] path = rss-bridge url = https://git.lattuga.net/blallo/rss-bridge.git +[submodule "panel"] + path = panel + url = https://git.lattuga.net/blallo/feedpanel diff --git a/docker-compose.yml b/docker-compose.yml index 416c9bf..6b940b7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,14 +2,14 @@ version: "3.6" services: db: - image: postgres:10 + image: postgres:10-alpine container_name: feedati_db volumes: - postgres_data:/var/lib/postgresql/data environment: - - POSTGRES_USER=ttrss - - POSTGRES_PASSWORD=password-dev - - POSTGRES_DB=ttrss + - POSTGRES_USER=superadmin + - POSTGRES_PASSWORD=superpass + - POSTGRES_DB=feeds ports: - 5432:5432 @@ -37,7 +37,7 @@ services: environment: - PHP_DISPLAY_ERRORS=stdout - PHP_DISPLAY_STARTUP_ERROR=1 - entrypoint: 'wait-db php7 /app/public/tt-rss/update.php --daemon' + entrypoint: 'env PGHOST=db PGDATABASE=feeds PGUSER=ttrss PGPASSWORD=ttpass wait-db php7 /app/public/tt-rss/update.php --daemon' ports: [] depends_on: - db @@ -56,11 +56,14 @@ services: - APACHE_SERVER_NAME=rss-bridge feedati-fe: - image: httpd:2.4-alpine + image: feedati/frontend + build: + context: . + dockerfile: ./docker/Dockerfile-frontend container_name: feedati_webserver volumes: - ./docker/frontend-apache.conf:/usr/local/apache2/conf/httpd.conf:ro - - ./docker/frontend-apache/:/etc/apache2/:ro + # - ./docker/frontend-apache/:/etc/apache2/:ro - ./docker/frontend-login/:/var/www/login/:ro ports: - 80:80 @@ -72,5 +75,12 @@ services: image: jumanjiman/rsyslog:latest container_name: feedati_syslog + panel: + image: feedati/feedspanel:latest + build: + context: + ./panel/ + container_name: feedati_panel + volumes: postgres_data: diff --git a/docker/Dockerfile-frontend b/docker/Dockerfile-frontend new file mode 100644 index 0000000..11963c1 --- /dev/null +++ b/docker/Dockerfile-frontend 
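Review bot: The `db` service now sets the PostgreSQL superuser password to a literal committed to the repository (`POSTGRES_PASSWORD=superpass`), while the unchanged `- 5432:5432` mapping publishes the server on every host interface. The same fixed-credential pattern recurs in this commit in `docker/dbconf.sql`, in `DBDParams` in `docker/frontend-apache.conf`, in `docker/ttrss-config.php` and in `dodo.py`, so this note covers those hunks too. Read the value from the environment instead, `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?set in .env}`, and bind the port to loopback, `- 127.0.0.1:5432:5432`. `dodo.py` waits on `localhost`, so the dev workflow should keep working.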
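Review bot: The new `entrypoint` passes `PGPASSWORD=ttpass` as an argument to `env`, so the password becomes part of the container's command line and shows up in process listings and in the container's command metadata. The `environment:` list shown as context just above is the better place: add `- PGHOST=db`, `- PGDATABASE=feeds`, `- PGUSER=ttrss` and a `PGPASSWORD` entry there, ideally sourced from an uncommitted env file. The entrypoint can then stay `'wait-db php7 /app/public/tt-rss/update.php --daemon'`. The service definition begins above the hunk, so this assumes that `environment:` list belongs to the same service.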
@@ -0,0 +1,5 @@ +FROM httpd:2.4-alpine + +RUN apk --no-cache add apr-util-dbd_pgsql + +# vim: set ft=dockerfile: diff --git a/docker/dbconf-perms.sql b/docker/dbconf-perms.sql new file mode 100644 index 0000000..5cee225 --- /dev/null +++ b/docker/dbconf-perms.sql @@ -0,0 +1,6 @@ +-- these commands must be given AFTER `panelcli setup` has been run +-- and ttrss has created its tables +-- having a 'ALTER DEFAULT PRIVILEGES IN SCHEMA public' might be a little cleaner than this +GRANT USAGE ON SCHEMA users TO apache; +GRANT SELECT ON TABLE users.users TO apache; +GRANT SELECT ON ALL TABLES IN SCHEMA public TO panel; diff --git a/docker/dbconf.sql b/docker/dbconf.sql new file mode 100644 index 0000000..4ad2d8f --- /dev/null +++ b/docker/dbconf.sql @@ -0,0 +1,6 @@ +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; +CREATE USER ttrss WITH PASSWORD 'ttpass'; +CREATE USER panel WITH PASSWORD 'panelpass'; +GRANT CREATE ON DATABASE feeds TO panel; +GRANT CREATE ON DATABASE feeds TO ttrss; +CREATE USER apache WITH PASSWORD 'apachepass'; diff --git a/docker/frontend-apache.conf b/docker/frontend-apache.conf index 511c8ca..60e7c2b 100644 --- a/docker/frontend-apache.conf +++ b/docker/frontend-apache.conf @@ -16,8 +16,8 @@ LoadModule headers_module modules/mod_headers.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule unixd_module modules/mod_unixd.so -LoadModule status_module modules/mod_status.so -LoadModule autoindex_module modules/mod_autoindex.so +#LoadModule status_module modules/mod_status.so +#LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so 
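Review bot: `GRANT SELECT ON ALL TABLES IN SCHEMA public TO panel` gives the panel role read access to every table in `public`, which presumably includes tt-rss's own user and session tables and not only the feed data the panel needs. Granting on the specific tables the panel reads would keep a panel compromise from exposing tt-rss credentials. The `apache` grant can be narrowed in the same way to the two columns the login query uses: `GRANT SELECT (username, password) ON TABLE users.users TO apache;`.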
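Review bot: Nothing in this file removes the default privileges of `PUBLIC`, so on the `postgres:10-alpine` image this commit selects, every role can create objects in schema `public`, including the web-facing `apache` one. Adding `REVOKE CREATE ON SCHEMA public FROM PUBLIC;` followed by `GRANT CREATE ON SCHEMA public TO ttrss;` keeps that right with the role that needs it. This assumes tt-rss creates its tables as `ttrss`, which should be confirmed against how `ttrss.sql` is loaded. `GRANT CREATE ON DATABASE feeds` also lets `panel` and `ttrss` create new schemas, so a comment saying why each role needs it would help the next reader.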
@@ -27,8 +27,8 @@ LoadModule session_cookie_module modules/mod_session_cookie.so LoadModule request_module modules/mod_request.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule auth_form_module modules/mod_auth_form.so -LoadModule authn_file_module modules/mod_authn_file.so -# LoadModule authn_dbm_module modules/mod_authn_dbm.so +LoadModule authn_dbd_module modules/mod_authn_dbd.so +LoadModule dbd_module modules/mod_dbd.so LoadModule macro_module modules/mod_macro.so LoadModule rewrite_module modules/mod_rewrite.so @@ -50,13 +50,14 @@ ServerAdmin you@example.com ServerName feedati-fe:80 +DBDriver pgsql +DBDParams "host=db dbname=feeds user=apache password=apachepass" + AuthFormLoginRequiredLocation "/login/" - AuthFormLoginRequiredLocation "/login/" - AuthFormProvider file # authn - AuthFormProvider file - AuthUserFile /etc/apache2/passwords.txt + AuthFormProvider dbd + AuthDBDUserPWQuery "SELECT password FROM users.users WHERE username = %s" # form AuthType form AuthName "authenticationform" @@ -69,7 +70,7 @@ ServerName feedati-fe:80 SetHandler form-login-handler Use Auth -AuthFormLoginSuccessLocation "/tt-rss/" +AuthFormLoginSuccessLocation "/panel/" @@ -209,4 +210,14 @@ ProxyPassReverse http://rss-bridge/ Require all granted + +ProxyPass http://panel:8000/panel/ +ProxyPassReverse http://panel:8000/panel/ +Use Auth +Require valid-user +RewriteEngine on +RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS] +RequestHeader set X-Forwarded-User %{RU}e + + # vim: set ft=apache bkc=yes: diff --git a/docker/frontend-apache/passwords.txt b/docker/frontend-apache/passwords.txt deleted file mode 100644 index 1a1c6ad..0000000 --- a/docker/frontend-apache/passwords.txt +++ /dev/null @@ -1 +0,0 @@ -admin:$2y$05$tPaBuT/mWQCvfk1C12PmV.0Dz8kt0cY1jcD53OGCN26Y8dX2kRPs. diff --git a/docker/ttrss-config.php b/docker/ttrss-config.php index 2cf3e36..ec230b6 100644 --- a/docker/ttrss-config.php +++ b/docker/ttrss-config.php 
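Review bot: `AuthDBDUserPWQuery` hands whatever is stored in `users.users.password` to httpd's password check, so login works, and is safe, only if the panel writes a hash format httpd accepts, such as the bcrypt the removed `passwords.txt` used. Nothing in this commit shows what `panelcli adduser` stores, so that should be confirmed and stated in a comment above the query. The `%s` placeholder is bound as a prepared-statement parameter by mod_authn_dbd, so the query text itself is fine. If `users.users` has any notion of disabled accounts, the query should filter on it, since this statement appears to be the only gate in front of `/panel/`. The enclosing block starts and ends outside the hunk.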
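Review bot: The panel learns who the user is only through `X-Forwarded-User`, and nothing visible in this commit stops another container from calling `http://panel:8000` directly with a header of its choice. The `panel` service added to `docker-compose.yml` declares no dedicated network, so it appears to share the default one with `rss-bridge` and tt-rss. `RequestHeader set` does overwrite a client-supplied value on this path, which is the right behaviour. Put `feedati-fe` and `panel` on their own compose network, or have the panel require a shared secret header from the proxy. A comment here would also help, such as `# panel trusts X-Forwarded-User: it must only be reachable through this proxy`.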
@@ -6,8 +6,8 @@ define('DB_TYPE', 'pgsql'); define('DB_HOST', 'db'); define('DB_USER', 'ttrss'); - define('DB_NAME', 'ttrss'); - define('DB_PASS', 'password-dev'); + define('DB_NAME', 'feeds'); + define('DB_PASS', 'ttpass'); define('DB_PORT', '5432'); define('MYSQL_CHARSET', 'UTF8'); diff --git a/docker/wait-db b/docker/wait-db index 3fa5627..94cd98a 100755 --- a/docker/wait-db +++ b/docker/wait-db @@ -1,7 +1,9 @@ #!/bin/bash +### psql configuration parameters must be received as environ vars +### (PGHOST, PGDATABASE, PGUSER, PGPASSWORD) timeout=60 for _ in $(seq 1 "$timeout"); do - if env PGPASSWORD=password-dev psql -h db -U ttrss -w ttrss -c "" -q 2> /dev/null; then + if psql -w -c "" -q 2> /dev/null; then echo "DB ready" exec "$@" fi diff --git a/dodo.py b/dodo.py index 83d0c21..790c652 100644 --- a/dodo.py +++ b/dodo.py @@ -18,6 +18,7 @@ def task_build(): 'uptodate': [up2date_anyimages], 'file_dep': ['docker-compose.yml', 'rss-bridge/Dockerfile', + 'panel/Dockerfile', ] + list(scan_dir('docker')), 'actions': [COMPOSE + ' build'], 'clean': [run_task_func(task__build_rm), 
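Review bot: With the connection settings moved to the environment, a missing or wrong `PGHOST`, `PGUSER` or `PGPASSWORD` looks the same as a database that is still starting, because `psql` stderr goes to `/dev/null` and the loop simply retries for 60 seconds. Fail fast before the loop with `: "${PGHOST:?}" "${PGDATABASE:?}" "${PGUSER:?}" "${PGPASSWORD:?}"`, which makes bash exit with a message naming the unset variable. The end of the loop and the timeout path are outside the hunk.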
@@ -66,17 +67,24 @@ def stop(): def task_dbprepare(): - '''applica il dump sql al container del db''' + '''applica il dump sql al container del db''' + panelcli = 'docker-compose -p feedati exec -T panel ./panelcli -db-pass panelpass -db-addr db:5432 ' + psql = r'docker exec -i $(docker ps -aqf name=feedati_db) env PGPASSWORD=superpass psql -h 127.0.0.1 -f - -d feeds superadmin ' return { 'setup': ['_dbprepare_clean', 'build'], - 'file_dep': ['docker/ttrss.sql'], + 'file_dep': list(scan_dir('docker', '*.sql')), 'actions': [ - (COMPOSE + ' up -d db').split(), + (COMPOSE + ' up -d db panel').split(), (wait_net_service, ('localhost', 5432, 300)), - (wait_pgsql_db, ('feedati_db', 'ttrss', 'ttrss')), + (wait_pgsql_db, ('feedati_db', 'feeds', 'superadmin')), 'echo LOADING DB', - r'docker exec -i $(docker ps -aqf name=feedati_db) ' - 'psql -h 127.0.0.1 -f - -d ttrss ttrss < docker/ttrss.sql', + # dbconf.sql would be better put in /docker-entrypoint-initdb.d/init-user-db.sh + # (see https://hub.docker.com/r/library/postgres/ ) + psql + ' < docker/dbconf.sql', + psql + ' < docker/ttrss.sql', + panelcli + 'setup', + panelcli + 'adduser -password password admin ad@m.in', + psql + ' < docker/dbconf-perms.sql', 'echo DB RESTORED', ], 'teardown': [(stop, [])], diff --git a/panel b/panel new file mode 160000 index 0000000..5abac50 --- /dev/null +++ b/panel @@ -0,0 +1 @@ +Subproject commit 5abac50fca9b5ce0bfc7dddbed88d48f184900cc diff --git a/rss-bridge b/rss-bridge index c1494ad..3821ca9 160000 --- a/rss-bridge +++ b/rss-bridge @@ -1 +1 @@ -Subproject commit c1494adace180fae50d1476fcdec3648423f8ea2 +Subproject commit 3821ca9737eeafe6ef69ab57d980c233e6b2a00c
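Review bot: `panelcli + 'adduser -password password admin ad@m.in'` provisions an `admin` account whose password is the word `password`, and the frontend that authenticates against this table is published on port 80 in `docker-compose.yml`. The same action list also puts `panelpass` and `superpass` on command lines. Take the admin password from the environment with no default, for example `panelcli + 'adduser -password ' + shlex.quote(os.environ['ADMIN_PASSWORD_VAR']) + ' admin ad@m.in'`, so a forgotten setting fails the task instead of creating a guessable login. The variable name is a placeholder, and `os` and `shlex` would need importing at the top of `dodo.py`. `task_dbprepare` continues past the end of the hunk.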