diff --git a/.env.sample b/.env.sample
index 6bd6886..b0d9163 100644
--- a/.env.sample
+++ b/.env.sample
@@ -18,6 +18,11 @@ SMTP_HOST_USER=mailman@lists.example.com
 SMTP_PORT=25
 SMTP_USE_TLS=True
 
+# keycloak SSO
+# KEYCLOAK_SSO_ENABLED=1
+# KEYCLOAK_DOMAIN=login.example.com
+# KEYCLOAK_REALM=sso-queens-united
+
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_DJANGO_SECRET_KEY_VERSION=v1
 SECRET_HYPERKITTY_API_KEY_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 539b98c..d629326 100644
--- a/compose.yml
+++ b/compose.yml
@@ -39,7 +39,7 @@ services:
     networks:
       - internal
     volumes:
-      - "mailqueue:/queue"
+      - "mqueue:/queue"
     healthcheck:
       disable: true
 
@@ -116,8 +116,9 @@ networks:
 
 volumes:
   core:
-  web:
   db:
+  mqueue:
+  web:
 
 secrets:
   db_password:
diff --git a/mailman-extra.cfg.tmpl b/mailman-extra.cfg.tmpl
index e69de29..b411a44 100644
--- a/mailman-extra.cfg.tmpl
+++ b/mailman-extra.cfg.tmpl
@@ -0,0 +1,19 @@
+[mta]
+incoming: mailman.mta.postfix.LMTP
+outgoing: mailman.mta.deliver.deliver
+
+# mailman-core hostname or IP from the Postfix server
+lmtp_host: localhost
+lmtp_port: 8024
+
+# Postfix server's hostname or IP from mailman-core
+smtp_host: smtp.example.com
+smtp_port: 25
+configuration: /etc/postfix-mailman.cfg
+
+[mailman]
+# This address is the "site owner" address.  Certain messages which must be
+# delivered to a human, but which can't be delivered to a list owner (e.g. a
+# bounce from a list owner), will be sent to this address.  It should point to
+# a human.
+site_owner: {{ env "MAILMAN_ADMIN_EMAIL" }}
diff --git a/settings_local.py.tmpl b/settings_local.py.tmpl
index e69de29..ab7762b 100644
--- a/settings_local.py.tmpl
+++ b/settings_local.py.tmpl
@@ -0,0 +1,19 @@
+ADMINS = (
+     ('Mailman Suite Admin', '{{ env "MAILMAN_ADMIN_EMAIL" }}'),
+)
+
+HAYSTACK_CONNECTIONS = {
+    'default': {
+        'ENGINE': 'xapian_backend.XapianEngine',
+        'PATH': "/opt/mailman-web-data/fulltext_index",
+    },
+}
+
+{{ if eq (env "KEYCLOAK_SSO_ENABLED") "1" }}
+SOCIALACCOUNT_PROVIDERS = {
+    'keycloak': {
+        'KEYCLOAK_URL': 'https://{{ env "KEYCLOAK_DOMAIN" }}/auth',
+        'KEYCLOAK_REALM': '{{ env "KEYCLOAK_REALM" }}'
+    }
+}
+{{ end }}