diff --git a/.env.sample b/.env.sample index db235e3..777a532 100644 --- a/.env.sample +++ b/.env.sample @@ -6,3 +6,13 @@ DOMAIN=gitlab.example.com #EXTRA_DOMAINS=', `www.gitlab.example.com`' LETS_ENCRYPT_ENV=production + +GITLAB_CONF_VERSION=v1 + +GITLAB_ROOT_EMAIL="gitlab_admin@example.com" +SECRET_ADMIN_PASSWORD_VERSION=v1 + +## Authentik Configuration +# SSO_PROVIDER_HOST="authentik.mydomain.com" +# ORG_NAME="My Organization" +# SECRET_CLIENT_SSO_SECRET_VERSION=v1 diff --git a/compose.yml b/compose.yml index aeb47d9..eb47d1d 100644 --- a/compose.yml +++ b/compose.yml @@ -7,11 +7,13 @@ services: networks: - proxy - internal + configs: + - source: gitlab_conf + target: /etc/gitlab/gitlab.rb volumes: - 'gitlabconfig:/etc/gitlab' - 'gitlablogs:/var/log/gitlab' - 'gitlabdata:/var/opt/gitlab' - shm_size: '256m' deploy: restart_policy: condition: on-failure @@ -28,6 +30,8 @@ services: - "backupbot.backup=true" - "backupbot.backup.path=/etc/gitlab/,/var/log/gitlab/,/var/opt/gitlab/" - "coop-cloud.${STACK_NAME}.version=1.0.0+15.8.0" + secrets: + - initial_root_password healthcheck: test: ["CMD", "curl", "-f", "http://localhost"] interval: 30s @@ -35,11 +39,22 @@ services: retries: 10 start_period: 1m +secrets: + initial_root_pasword: + external: true + name: ${STACK_NAME}_initial_root_password_${SECRET_ADMIN_PASSWORD_VERSION} + volumes: gitlabconfig: gitlablogs: gitlabdata: +configs: + gitlab_conf: + name: ${STACK_NAME}_gitlab_${GITLAB_CONF_VERSION} + file: gitlab.rb.tmpl + template_driver: golang + networks: proxy: external: true diff --git a/gitlab.rb b/gitlab.rb.tmpl similarity index 99% rename from gitlab.rb rename to gitlab.rb.tmpl index 7c5c7f8..8513c65 100644 --- a/gitlab.rb +++ b/gitlab.rb.tmpl 
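Review bot: `SECRET_ADMIN_PASSWORD_VERSION=v1` reads as a rotation knob, but the secret it selects only feeds `gitlab_rails['initial_root_password']`, which GitLab applies on first seed only (the gitlab.rb comments later in this diff say as much), so bumping the version after first boot mounts a new swarm secret without changing the root password. A one-line comment above it would prevent that surprise: `# Applied on first boot only; rotate the root password inside GitLab afterwards`. `GITLAB_ROOT_EMAIL` is not consumed by anything visible in this diff; if it is unused, drop it, otherwise note where it is read.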
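Review bot: The `gitlab_conf` config mounted at `/etc/gitlab/gitlab.rb` is rendered with the initial root password in clear text, and a service config is mounted with mode 0444 by default, so every account inside the container (the omnibus bundle runs several) can read it; add `mode: 0400` under the config entry so only root can. The target also sits inside the `gitlabconfig:/etc/gitlab` volume mount, which Docker permits but which means any `gitlab.rb` already in the volume is shadowed rather than replaced — worth a short comment next to the entry. `shm_size` is dropped without explanation; if the reason is that `docker stack deploy` ignores it, say so in the commit message so nobody re-adds it for the Postgres shared-memory issue.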
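Review bot: The top-level secret is declared as `initial_root_pasword:` (missing an `s`) while the service's `secrets:` list requests `initial_root_password`, so the stack references an undefined secret and `docker stack deploy` will reject it; rename the key to `initial_root_password:`. That same name is what `{{ secret "initial_root_password" }}` in gitlab.rb.tmpl looks up, so all three must agree. The external `name:` on the next line already uses the correct spelling, so only the key needs fixing.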
@@ -550,6 +550,7 @@ # gitlab_rails['smartcard_required_for_git_access'] = false # gitlab_rails['smartcard_san_extensions'] = false +{{ if SSO_PROVIDER_HOST }} ### OmniAuth Settings ###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html # gitlab_rails['omniauth_enabled'] = nil @@ -587,6 +588,7 @@ gitlab_rails['omniauth_providers'] = [ ] # gitlab_rails['omniauth_cas3_session_duration'] = 28800 # gitlab_rails['omniauth_saml_message_max_byte_size'] = 250000 +{{ end }} ### FortiAuthenticator authentication settings # gitlab_rails['forti_authenticator_enabled'] = false @@ -710,14 +712,14 @@ gitlab_rails['omniauth_providers'] = [ #### Change the initial default admin password and shared runner registration tokens. ####! **Only applicable on initial setup, changing these settings after database ####! is created and seeded won't yield any change.** -# gitlab_rails['initial_root_password'] = "password" +gitlab_rails['initial_root_password'] = {{ secret "initial_root_password" }} # gitlab_rails['initial_shared_runners_registration_token'] = "token" #### Toggle if root password should be printed to STDOUT during initialization # gitlab_rails['display_initial_root_password'] = false #### Toggle if initial root password should be written to /etc/gitlab/initial_root_password -# gitlab_rails['store_initial_root_password'] = true +gitlab_rails['store_initial_root_password'] = false #### Set path to an initial license to be used while bootstrapping GitLab. ####! **Only applicable on initial setup, future license updations need to be done via UI.
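Review bot: `{{ if SSO_PROVIDER_HOST }}` is not valid Go template syntax — a bare identifier is parsed as a function name, and Docker's golang config template driver defines no such function, so rendering fails at task start and the container never gets its gitlab.rb. Read it from the environment instead, `{{ if env "SSO_PROVIDER_HOST" }}`, which yields an empty string (false) when unset, matching the commented-out default in .env.sample; note that `env` sees the container's environment, so the service must pass `SSO_PROVIDER_HOST` through, which this diff does not show. The matching `{{ end }}` added in the second hunk of this file closes the block; the OmniAuth settings it wraps lie outside both hunks.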
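Review bot: `gitlab_rails['initial_root_password'] = {{ secret "initial_root_password" }}` substitutes the secret bare into Ruby, so the rendered line becomes e.g. `... = hunter2` (constructed) and `gitlab-ctl reconfigure` fails on a NameError or syntax error unless the secret file happens to contain its own quotes. Wrap it as a Ruby single-quoted literal, `gitlab_rails['initial_root_password'] = '{{ secret "initial_root_password" }}'`, which avoids `#{}` interpolation; a secret containing `'` or `\`, or a trailing newline left in the secret file, would still break or alter the value, so document that constraint where the secret is generated. Setting `store_initial_root_password` to `false` on the later line is the right companion change, since the password is already present in the mounted config.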