diff --git a/.env.sample b/.env.sample
index 4501604..2cff827 100644
--- a/.env.sample
+++ b/.env.sample
@@ -2,11 +2,8 @@ RUNBOAT_SUPPORTED_REPOS=["OCA/mis-builder", "shopinvader/odoo-shopinvader", "OCA
 RUNBOAT_API_ADMIN_USER="admin"
 RUNBOAT_API_ADMIN_PASSWD="admin"
 RUNBOAT_BUILD_NAMESPACE=runboat-builds
-RUNBOAT_BUILD_PGHOST=postgres14.runboat-builds-db
-RUNBOAT_BUILD_PGPORT=5432
-RUNBOAT_BUILD_PGUSER=runboat-build
-RUNBOAT_BUILD_PGPASSWORD=...
 RUNBOAT_BUILD_DOMAIN=runboat.odoo-community.org
-RUNBOAT_BUILD_ENV={}
+RUNBOAT_BUILD_ENV={"PGHOST": "postgres14.runboat-builds-db", "PGPORT": "5432", "PGUSER": "runboat-build"}
+RUNBOAT_BUILD_SECRET_ENV={"PGPASSWORD": "..."}
 RUNBOAT_GITHUB_TOKEN=
 RUNBOAT_LOG_CONFIG=log-config.yaml
diff --git a/.env.test b/.env.test
index 7fd2f69..210897a 100644
--- a/.env.test
+++ b/.env.test
@@ -2,12 +2,9 @@ RUNBOAT_SUPPORTED_REPOS=["OCA/mis-builder", "shopinvader/odoo-shopinvader", "OCA
 RUNBOAT_API_ADMIN_USER="admin"
 RUNBOAT_API_ADMIN_PASSWD="admin"
 RUNBOAT_BUILD_NAMESPACE=runboat-builds
-RUNBOAT_BUILD_PGHOST=postgres14.runboat-builds-db
-RUNBOAT_BUILD_PGPORT=5432
-RUNBOAT_BUILD_PGUSER=runboat-build
-RUNBOAT_BUILD_PGPASSWORD=...
 RUNBOAT_BUILD_DOMAIN=runboat.odoo-community.org
 RUNBOAT_BUILD_ENV={}
+RUNBOAT_BUILD_SECRET_ENV={}
 RUNBOAT_GITHUB_TOKEN=
 RUNBOAT_LOG_CONFIG=log-config.yaml
-RUNBOAT_BIULD_IMAGES={"15.0": "ghcr.io/oca/oca-ci/py3.8-odoo15.0:latest"}
+RUNBOAT_BUILD_IMAGES={"15.0": "ghcr.io/oca/oca-ci/py3.8-odoo15.0:latest"}
diff --git a/Dockerfile b/Dockerfile
index a72fd4a..fc30936 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,15 +12,13 @@ ENV PYTHONPATH=/app
 
 COPY log-config.yaml /etc/runboat-log-config.yaml
 
-ENV RUNBOAT_SUPPORTED_REPOS='["oca/server-env", "oca/mis-builder"]'
+ENV RUNBOAT_SUPPORTED_REPOS='["OCA/mis-builder", "shopinvader/odoo-shopinvader", "OCA/server-env"]''
 ENV RUNBOAT_API_ADMIN_USER="admin"
-ENV RUNBOAT_API_ADMIN_PASSWD=
+ENV RUNBOAT_API_ADMIN_PASSWD="admin"
 ENV RUNBOAT_BUILD_NAMESPACE=runboat-builds
-ENV RUNBOAT_BUILD_PGHOST=postgres14.runboat-builds-db
-ENV RUNBOAT_BUILD_PGPORT=5432
-ENV RUNBOAT_BUILD_PGUSER=runboat-build
-ENV RUNBOAT_BUILD_PGPASSWORD=
 ENV RUNBOAT_BUILD_DOMAIN=runboat.example.com
+ENV RUNBOAT_BUILD_ENV='{"PGHOST": "postgres14.runboat-builds-db", "PGPORT": "5432", "PGUSER": "runboat-build"}'
+ENV RUNBOAT_BUILD_SECRET_ENV='{"PGPASSWORD": "..."}'
 ENV RUNBOAT_GITHUB_TOKEN=
 ENV RUNBOAT_LOG_CONFIG=/etc/runboat-log-config.yaml
 
diff --git a/README.md b/README.md
index 288e960..aa68c1e 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,8 @@ in a different cluster.
 
 ## Developing
 
-- setup environment variables (start from `.env.sample`)
+- setup environment variables (start from `.env.sample`, the meaning of the environment
+  variables is documented in [settings.py](./src/runboat/settings.py))
 - create a virtualenv, make sure to have pip>=21.3.1 and `pip install -c
   requirements.txt -e .[test]`
 - run with `uvicorn runboat.app:app --log-config=log-config.yaml`
diff --git a/src/runboat/k8s.py b/src/runboat/k8s.py
index c1cdc39..8fdaba3 100644
--- a/src/runboat/k8s.py
+++ b/src/runboat/k8s.py
@@ -128,19 +128,16 @@ class DeploymentVars(BaseModel):
     namespace: str
     mode: DeploymentMode
     build_name: str
+    build_slug: str
+    build_domain: str
     repo: str
     target_branch: str
     pr: Optional[int]
     git_commit: str
     image_name: str
     image_tag: str
-    pghost: str
-    pgport: str
-    pguser: str
-    pgpassword: str
-    pgdatabase: str
-    hostname: str
     build_env: dict[str, str]
+    build_secret_env: dict[str, str]
 
 
 def make_deployment_vars(
@@ -158,19 +155,16 @@ def make_deployment_vars(
         mode=mode,
         namespace=settings.build_namespace,
         build_name=build_name,
+        build_slug=slug,
+        build_domain=settings.build_domain,
         repo=repo,
         target_branch=target_branch,
         pr=pr,
         git_commit=git_commit,
         image_name=image_name,
         image_tag=image_tag,
-        pghost=settings.build_pghost,
-        pgport=settings.build_pgport,
-        pguser=settings.build_pguser,
-        pgpassword=settings.build_pgpassword,
-        pgdatabase=build_name,
-        hostname=f"{slug}.{settings.build_domain}",
         build_env=settings.build_env or {},
+        build_secret_env=settings.build_secret_env or {},
     )
 
 
diff --git a/src/runboat/kubefiles/kustomization.yaml.jinja b/src/runboat/kubefiles/kustomization.yaml.jinja
index f049186..8d53708 100644
--- a/src/runboat/kubefiles/kustomization.yaml.jinja
+++ b/src/runboat/kubefiles/kustomization.yaml.jinja
@@ -30,16 +30,14 @@ images:
 secretGenerator:
   - name: odoosecretenv
     literals:
-      - PGPASSWORD={{ pgpassword }}
+      {%- for key, value in build_secret_env.items() %}
+      - {{ key }}={{ value }}
+      {%- endfor %}
 
 configMapGenerator:
   - name: odooenv
     literals:
-      - PGHOST={{ pghost }}
-      - PGPORT={{ pgport }}
-      - PGUSER={{ pguser }}
-      - PGNAME={{ pgname }}
-      - PGDATABASE={{ pgdatabase }}
+      - PGDATABASE={{ build_name }}
       - ADDONS_DIR=/build
       - RUNBOAT_GIT_REPO=https://github.com/{{ repo }}
       - RUNBOAT_GIT_REF={{ git_commit }}
@@ -55,7 +53,7 @@ configMapGenerator:
   {% if mode == 'deployment' -%}
   - name: vars
     literals:
-      - HOSTNAME={{ hostname }}
+      - HOSTNAME={{ build_slug }}.{{ build_domain }}
   {% endif %}
 
 generatorOptions:
diff --git a/src/runboat/settings.py b/src/runboat/settings.py
index 809788c..fb76f76 100644
--- a/src/runboat/settings.py
+++ b/src/runboat/settings.py
@@ -4,19 +4,27 @@ from pydantic import BaseSettings, validator
 
 
 class Settings(BaseSettings):
+    # A user and password to protect the most sensitive operations of the API.
     api_admin_user: str
     api_admin_passwd: str
+    # A JSON list of supported repositories in the form owner/repo.
     supported_repos: set[str]
+    # The maximum number of concurrent initialization jobs.
     max_initializing: int = 2
+    # The maximum number of builds that are started.
     max_started: int = 6
+    # The maximum number of builds that are deployed.
     max_deployed: int = 10
+    # The kubernetes namespace where the builds are deployed.
     build_namespace: str
-    build_pghost: str
-    build_pgport: str
-    build_pguser: str
-    build_pgpassword: str
+    # The wildcard domain where the builds will be reacheable.
     build_domain: str
+    # A dictionary of environment variables to set in the build container and jobs.
     build_env: Optional[dict[str, str]]
+    # A dictionary of secret environment variables to set in the build container and
+    # jobs.
+    build_secret_env: Optional[dict[str, str]]
+    # A mapping of main branch names to container images used to run the builds.
     build_images: dict[str, str] = {
         "15.0": "ghcr.io/oca/oca-ci/py3.8-odoo15.0:latest",
         "14.0": "ghcr.io/oca/oca-ci/py3.6-odoo14.0:latest",
@@ -25,7 +33,10 @@ class Settings(BaseSettings):
         "11.0": "ghcr.io/oca/oca-ci/py3.5-odoo11.0:latest",
         "10.0": "ghcr.io/oca/oca-ci/py2.7-odoo10.0:latest",
     }
+    # The token to use for the GitHub api calls (to query branches and pull requests,
+    # and report build statuses).
     github_token: Optional[str]
+    # The file with the python logging configuration to use for the runboat controller.
     log_config: Optional[str]
 
     class Config: