diff --git a/.dockerignore b/.dockerignore index 7e36e52..e02daae 100644 --- a/.dockerignore +++ b/.dockerignore @@ -16,7 +16,8 @@ ci config data/backups data/sqlite -docker +docker/ +!docker/gcs_fuse_run.sh docs # Frontend diff --git a/docker-compose.yml b/docker-compose.yml index e665a54..288172e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -75,11 +75,12 @@ services: # Mount local data folder to cloud storage gcs # Files added to this directory will be uploaded to storage (but not deleted) volumes: - - ./data/gcs:/mnt/gcs + - ./docker/data:/data + - ./backend/config/service-account.json:/service-account.json environment: - GCS_BUCKET_NAME=sami_website_uploads-18fd1f1 - GCS_PROJECT=sami-website-365718 - # - GOOGLE_APPLICATION_CREDENTIALS=/tmp/creds.json + - GOOGLE_APPLICATION_CREDENTIALS=/service-account.json privileged: true # command: "/bin/ash -c 'while sleep 3600; do :; done'" diff --git a/docker/backend.dockerfile b/docker/backend.dockerfile index 0eb0b1d..8ace661 100644 --- a/docker/backend.dockerfile +++ b/docker/backend.dockerfile @@ -21,9 +21,9 @@ COPY . . # https://docs.strapi.io/dev-docs/installation/docker FROM node:20-alpine -RUN apk add --no-cache vips-dev -RUN rm -rf /var/cache/apk/* +RUN apk add --no-cache vips-dev \ + && rm -rf /var/cache/apk/* && rm -rf /tmp/* ENV NODE_ENV=${ENV_NAME} diff --git a/docker/gcs_fuse.dockerfile b/docker/gcs_fuse.dockerfile index cdaedb8..b58474c 100644 --- a/docker/gcs_fuse.dockerfile +++ b/docker/gcs_fuse.dockerfile @@ -1,3 +1,4 @@ +# Support binding local folder directly with google cloud storage bucket via GCSFuse # yarn scripts docker build --only gcs_fuse # https://cloud.google.com/storage/docs/gcs-fuse 
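Review bot: The ignore list in this hunk still has no entry for `backend/config/service-account.json`, so the key is sent with the build context. The `COPY . .` visible in the backend.dockerfile hunk header would then copy it into a build stage if that build shares this context. The root-level `config` entry only matches a top-level `config` path, not `backend/config`. Now that the key is supplied at runtime, adding `backend/config/service-account.json` (or `**/service-account.json`) here keeps it out of every image. Lines outside the hunk are not visible, so confirm it is not already listed further down.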
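Review bot: The new key mount under `volumes:` is writable inside a container that runs with `privileged: true`; mount it read-only as `- ./backend/config/service-account.json:/service-account.json:ro`. If the host file is missing, Docker creates a directory at that path and the container only fails later at authentication, which deserves a line in the comment above `volumes:`. `privileged: true` is unchanged context, but a FUSE mount usually needs only `cap_add: [SYS_ADMIN]` and `devices: ["/dev/fuse"]` (some hosts also need an AppArmor exception). That would narrow what a process holding this credential can reach on the host.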
@@ -5,6 +6,7 @@ # https://github.com/GoogleCloudPlatform/nodejs-docs-samples/blob/main/run/filesystem/gcsfuse.Dockerfile # https://github.com/GoogleCloudPlatform/gcsfuse/blob/master/docs/semantics.md # https://github.com/splitgraph/seafowl-gcsfuse +# https://www.splitgraph.com/blog/deploying-serverless-seafowl # Setup Buildx builder @@ -35,11 +37,11 @@ ENV GCS_PROJECT="sami-website-365718" RUN apk add --update --no-cache bash ca-certificates fuse bash rsync \ && rm -rf /var/cache/apk/* && rm -rf /tmp/* \ - && mkdir -p /mnt/gcs + && mkdir -p /data/db \ + && mkdir -p /data/uploads # Setup gcloud auth (not required in gcloud env) COPY --from=gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine /google-cloud-sdk/ /usr/local/gcloud/google-cloud-sdk/ -COPY backend/config/service-account.json /service-account.json COPY docker/gcs_fuse_run.sh /gcs_fuse_run.sh ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin @@ -48,6 +50,11 @@ ENV GOOGLE_APPLICATION_CREDENTIALS="/service-account.json" # Ensure the script is executable RUN chmod +x gcs_fuse_run.sh +# expose as volume to allow adding files externally +VOLUME ["/data"] +VOLUME ["/data/db"] +VOLUME ["/data/uploads"] + COPY --from=builder /go/bin/gcsfuse /usr/local/bin CMD ["/gcs_fuse_run.sh"] diff --git a/docker/gcs_fuse_run.sh b/docker/gcs_fuse_run.sh index a6404ef..1b63121 100644 --- a/docker/gcs_fuse_run.sh +++ b/docker/gcs_fuse_run.sh 
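Review bot: Dropping `COPY backend/config/service-account.json /service-account.json` in the `-35,11 +37,11` hunk only protects images built from now on; any image built from an earlier revision still holds the key in a layer. If such an image was ever pushed to a registry or shared, the key should be rotated and the old one disabled, since deleting a file in a later layer does not remove it from the image history. A guard comment next to the remaining `COPY` lines would help prevent the line returning: `# service-account.json is bind-mounted at runtime; never COPY credentials into the image`.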
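Review bot: The three `VOLUME` lines in the `-48,6 +50,11` hunk overlap with each other and with the mount point used by the run script. `gcs_fuse_run.sh` mounts the bucket at `/data`, which hides `/data/db` and `/data/uploads` underneath it, and each nested `VOLUME` gets its own anonymous volume whenever it is not explicitly bound. Keeping only `VOLUME ["/data"]`, or mounting the bucket on a dedicated subdirectory, makes it clear where data actually lands. Separately, a FUSE mount made inside the container is not propagated back to the host bind mount by default, so the "files added to this directory will be uploaded" comment in docker-compose.yml should be verified against real behaviour.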
@@ -3,15 +3,13 @@ set -eo pipefail echo -e "start fuse. \nGCS_PROJECT: $GCS_PROJECT\nGCS_BUCKET_NAME: $GCS_BUCKET_NAME" -# Create mount directory for service -mkdir -p /mnt/gcs - echo "Authenticating service account" -gcloud auth activate-service-account --key-file="/service-account.json" --project=${GCS_PROJECT} -# Check bucket exists +gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS} --project=${GCS_PROJECT} + +# TODO - ensure bucket exists and user has access echo "Mounting GCS Fuse." -gcsfuse --debug_gcs --debug_fuse --implicit-dirs --foreground $GCS_BUCKET_NAME /mnt/gcs +gcsfuse --debug_gcs --debug_fuse --implicit-dirs --foreground $GCS_BUCKET_NAME /data # echo "Mounting completed." # # Exit immediately when one of the background processes terminate.
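Review bot: The new `gcloud auth activate-service-account` line expands `${GOOGLE_APPLICATION_CREDENTIALS}` unquoted, and the script sets `-eo pipefail` without `-u`. An unset or empty variable, or a missing mount, therefore only surfaces as a gcloud error about `--key-file=`. Add a guard before it, `[ -r "${GOOGLE_APPLICATION_CREDENTIALS:?path to the mounted key file is required}" ] || { echo "key file not readable" >&2; exit 1; }`, and quote the expansions: `--key-file="${GOOGLE_APPLICATION_CREDENTIALS}" --project="${GCS_PROJECT}"`. The same quoting applies to `"$GCS_BUCKET_NAME"` on the `gcsfuse` line. The `--debug_gcs --debug_fuse` flags carried over onto the new `gcsfuse` line produce verbose request and file-operation logs, so they are better gated behind an opt-in variable than left on for every run.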