diff --git a/Dockerfile b/Dockerfile
index 715acd7..b5513e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -55,6 +55,10 @@ RUN cd /app/code && \
     rm -rf node_modules && \
     chown -R cloudron:cloudron /app/code/public
 
+# Remove storage directory as it will be mounted from /run
+RUN rm -rf /app/code/storage && \
+    mkdir -p /app/code/storage
+
 # Copy configuration files
 COPY nginx.conf /etc/nginx/sites-available/default
 COPY supervisor.conf /etc/supervisor/conf.d/anonaddy.conf
@@ -80,9 +84,11 @@ RUN mkdir -p /tmp/data && \
 # Set permissions
 RUN chmod +x /app/code/start.sh && \
     chown -R cloudron:cloudron /app/code && \
-    chmod -R 755 /app/code/storage && \
     chmod -R 755 /app/code/bootstrap/cache
 
+# Create volume mount points for writable directories
+VOLUME ["/app/data", "/run", "/tmp"]
+
 # Configure PHP-FPM to run as cloudron user
 RUN sed -i 's/user = www-data/user = cloudron/g' /etc/php/8.3/fpm/pool.d/www.conf && \
     sed -i 's/group = www-data/group = cloudron/g' /etc/php/8.3/fpm/pool.d/www.conf && \
diff --git a/start.sh b/start.sh
index 07a29a1..bee6c18 100644
--- a/start.sh
+++ b/start.sh
@@ -14,13 +14,12 @@ fi
 chown -R cloudron:cloudron /app/data
 chmod -R 755 /app/data/storage
 
-# Link storage directory to Laravel storage
-rm -rf /app/code/storage
-ln -sf /app/data/storage /app/code/storage
+# Bind mount storage to /app/code/storage
+mount --bind /app/data/storage /app/code/storage
 
-# Create .env file
+# Create .env file in /app/data
 echo "==> Configuring application environment"
-cat > /app/code/.env <<EOF
+cat > /app/data/.env <<EOF
 APP_NAME="AnonAddy"
 APP_ENV=production
 APP_DEBUG=false
@@ -73,17 +72,21 @@ LOG_LEVEL=info
 BCRYPT_ROUNDS=12
 EOF
 
+# Create symlink for .env in /run (writable location)
+ln -sf /app/data/.env /run/.env
+ln -sf /app/data/.env /app/code/.env 2>/dev/null || true
+
 # Generate APP_KEY if it doesn't exist
 if [ ! -f "/app/data/app_key" ]; then
     echo "==> Generating application key"
     cd /app/code
     sudo -u cloudron php artisan key:generate --force
     # Save the key to persistent storage
-    grep "APP_KEY=" /app/code/.env | cut -d= -f2 > /app/data/app_key
+    grep "APP_KEY=" /app/data/.env | cut -d= -f2 > /app/data/app_key
 else
     echo "==> Using existing application key"
     APP_KEY=$(cat /app/data/app_key)
-    sed -i "s|APP_KEY=.*|APP_KEY=${APP_KEY}|g" /app/code/.env
+    sed -i "s|APP_KEY=.*|APP_KEY=${APP_KEY}|g" /app/data/.env
 fi
 
 # Generate ANONADDY_SECRET if it doesn't exist
@@ -91,16 +94,16 @@ if [ ! -f "/app/data/anonaddy_secret" ]; then
     echo "==> Generating AnonAddy secret"
     ANONADDY_SECRET=$(openssl rand -hex 32)
     echo "$ANONADDY_SECRET" > /app/data/anonaddy_secret
-    echo "ANONADDY_SECRET=${ANONADDY_SECRET}" >> /app/code/.env
+    echo "ANONADDY_SECRET=${ANONADDY_SECRET}" >> /app/data/.env
 else
     echo "==> Using existing AnonAddy secret"
     ANONADDY_SECRET=$(cat /app/data/anonaddy_secret)
-    echo "ANONADDY_SECRET=${ANONADDY_SECRET}" >> /app/code/.env
+    echo "ANONADDY_SECRET=${ANONADDY_SECRET}" >> /app/data/.env
 fi
 
 # Set proper ownership
-chown cloudron:cloudron /app/code/.env
-chmod 640 /app/code/.env
+chown cloudron:cloudron /app/data/.env
+chmod 640 /app/data/.env
 
 # Run database migrations
 echo "==> Running database migrations"