diff --git a/roles/docker-listmonk/tasks/main.yml b/roles/docker-listmonk/tasks/main.yml
index 08840935..3e698a0b 100644
--- a/roles/docker-listmonk/tasks/main.yml
+++ b/roles/docker-listmonk/tasks/main.yml
@@ -3,10 +3,10 @@
 include_role:
 name: docker-central-database
-- name: Set nginx_docker_reverse_proxy_extra_configuration based on applications.listmonk.public_api_activated
+- name: Set nginx_docker_reverse_proxy_extra_configuration based on applications[application_id].public_api_activated
 set_fact:
 nginx_docker_reverse_proxy_extra_configuration: >-
- {% if not applications.listmonk.public_api_activated %}
+ {% if not applications[application_id].public_api_activated %}
 {{ lookup('file', '{{ role_path }}/files/deactivate-public-api.conf') }}
 {% else %}
 ""
@@ -28,8 +28,70 @@
 - name: "copy docker-compose.yml and env file"
 include_tasks: copy-docker-compose-and-env.yml
-- name: setup routine for listmonk
+- name: Check if listmonk database is already initialized
+ command: docker compose exec -T {{database_host}} psql -U {{database_username}} -d {{database_name}} -c "\dt"
+ register: db_tables
+ changed_when: false
+ failed_when: false
+
+- name: Run Listmonk setup only if DB is empty
 command:
- cmd: docker compose run -T --rm application sh -c "yes | ./listmonk --install"
+ cmd: docker compose run -T --rm application sh -c "yes | ./listmonk --install"
 chdir: "{{docker_compose.directories.instance}}"
- ignore_errors: true # Ignore errors if already setup
\ No newline at end of file
+ when: "'No relations found.' in db_tables.stdout"
+
+- name: Construct OIDC settings JSON
+ set_fact:
+ oidc_settings_json: >-
+ {{ {
+ "enabled": True,
+ "client_id": oidc.client.id,
+ "provider_url": oidc.client.discovery_document,
+ "client_secret": oidc.client.secret
+ } | to_json }}
+
+- name: Build OIDC settings JSON
+ set_fact:
+ oidc_settings_json: >-
+ {{ {
+ "enabled": True,
+ "client_id": oidc.client.id,
+ "provider_url": oidc.client.discovery_document,
+ "client_secret": oidc.client.secret
+ } | to_json }}
+
+- name: Apply OIDC settings via Docker + here-doc
+ shell: |
+ docker exec -i {{ database_host }} psql \
+ -U {{ database_username }} \
+ -d {{ database_name }} <<'EOSQL'
+ UPDATE settings
+ SET value = '{{ oidc_settings_json }}'::jsonb
+ WHERE key = 'security.oidc';
+ EOSQL
+ args:
+ executable: /bin/bash
+ when: applications[application_id].features.oidc | bool
+
+- name: Enable hCaptcha and configure keys in Listmonk database
+ shell: |
+ docker exec -i {{ database_host }} psql \
+ -U {{ database_username }} \
+ -d {{ database_name }} <<'EOSQL'
+ -- enable captcha (boolean true)
+ UPDATE settings
+ SET value = 'true'::jsonb
+ WHERE key = 'security.enable_captcha';
+
+ -- set site key (JSON string)
+ UPDATE settings
+ SET value = '"{{ applications[application_id].credentials.hcaptcha.site_key }}"'::jsonb
+ WHERE key = 'security.captcha_key';
+
+ -- set secret (JSON string)
+ UPDATE settings
+ SET value = '"{{ applications[application_id].credentials.hcaptcha.secret }}"'::jsonb
+ WHERE key = 'security.captcha_secret';
+ EOSQL
+ args:
+ executable: /bin/bash
diff --git a/roles/docker-listmonk/templates/config.toml.j2 b/roles/docker-listmonk/templates/config.toml.j2
index 21ce8ad5..3599bf57 100644
--- a/roles/docker-listmonk/templates/config.toml.j2
+++ b/roles/docker-listmonk/templates/config.toml.j2
@@ -21,4 +21,4 @@ max_idle = 25
 max_lifetime = "300s"
 # Optional space separated Postgres DSN params. eg: "application_name=listmonk gssencmode=disable"
-params = ""
\ No newline at end of file
+params = ""
diff --git a/roles/docker-listmonk/templates/env.j2 b/roles/docker-listmonk/templates/env.j2
index acba7672..db2fb8d1 100644
--- a/roles/docker-listmonk/templates/env.j2
+++ b/roles/docker-listmonk/templates/env.j2
@@ -4,14 +4,3 @@ TZ=Etc/UTC
 LISTMONK_ADMIN_USER={{ applications[application_id].users.administrator.username }}
 LISTMONK_ADMIN_PASSWORD={{ applications[application_id].users.administrator.password }}
-
-{% if applications[application_id].features.oidc | bool %}
-###################################
-# OpenID Connect settings
-###################################
-
-LISTMONK_security__oidc__enabled=true
-LISTMONK_security__oidc__provider_url={{ oidc.client.discovery_document }}
-LISTMONK_security__oidc__client_id={{oidc.client.id}}
-LISTMONK_security__oidc__client_secret={{oidc.client.secret}}
-{% endif %}
\ No newline at end of file
diff --git a/templates/vars/applications.yml.j2 b/templates/vars/applications.yml.j2
index 9c13d305..f4ff7e84 100644
--- a/templates/vars/applications.yml.j2
+++ b/templates/vars/applications.yml.j2
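Review bot: In the two `shell` tasks at the end of the main.yml hunk, `oidc.client.secret` and the hCaptcha site key and secret are rendered straight into single-quoted SQL literals (`SET value = '{{ oidc_settings_json }}'::jsonb` and `'"{{ applications[application_id].credentials.hcaptcha.secret }}"'::jsonb`), so a `'`, `"` or `\` in any of those values breaks the statement or the JSON it carries, and the fully rendered command, secrets included, shows up in verbose output and in the registered result. Escaping the SQL quote, e.g. `SET value = '{{ oidc_settings_json | replace("'", "''") }}'::jsonb` and `'{{ applications[application_id].credentials.hcaptcha.secret | to_json | replace("'", "''") }}'::jsonb` in place of the hand-written `'"…"'` wrapper for the hCaptcha values, plus `no_log: true` on both tasks, closes both gaps. The "Check if listmonk database is already initialized" task runs `docker compose exec` without the `args: chdir: "{{docker_compose.directories.instance}}"` the following task uses, and because it also sets `failed_when: false`, a compose lookup failure merely leaves `db_tables.stdout` without "No relations found." and the install step is silently skipped; add the `chdir` and make the install's `when:` also require `db_tables.rc == 0` instead of suppressing the failure. "Construct OIDC settings JSON" and "Build OIDC settings JSON" are identical `set_fact` tasks that both run even when `applications[application_id].features.oidc` is false; keep one and give it the same `when: applications[application_id].features.oidc | bool` as the task that consumes it, since whether `oidc.client.*` is defined in that case is not visible here.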
@@ -276,9 +276,12 @@ defaults_applications:
 credentials:
 database:
 # password: "" # Database password
+ hcaptcha:
+# site_key:
+# secret:
 public_api_activated: False # Security hole. Can be used for spaming
 version: "latest" # Docker Image version
- setup: false # Set true in inventory file to execute the setup and initializing procedures
+ {% endraw %}{{ features.render_features({
 'matomo': true,
 'css': true,