diff --git a/.env.sample b/.env.sample index 40638a0..a0c222e 100644 --- a/.env.sample +++ b/.env.sample @@ -1,7 +1,9 @@ TYPE=vaultwarden DOMAIN=vaultwarden.example.com - -## Domain aliases -#EXTRA_DOMAINS=', `www.vaultwarden.example.com`' LETS_ENCRYPT_ENV=production + +WEBSOCKET_ENABLED=true +SIGNUPS_ALLOWED=true + +SECRET_ADMIN_TOKEN_VERSION=v1 # length=48 diff --git a/README.md b/README.md index e893120..b32f636 100644 --- a/README.md +++ b/README.md @@ -1,30 +1,27 @@ # vaultwarden -TODO +> Open source password manager * **Category**: Apps -* **Status**: -* **Image**: -* **Healthcheck**: -* **Backups**: -* **Email**: -* **Tests**: -* **SSO**: +* **Status**: 2, beta +* **Image**: `vaultwarden/server`, 4, upstream +* **Healthcheck**: 3 +* **Backups**: No +* **Email**: No +* **Tests**: No +* **SSO**: No -## Basic usage +## Quick start 1. Set up Docker Swarm and [`abra`] 2. Deploy [`coop-cloud/traefik`] -3. `abra app new ${REPO_NAME} --secrets` (optionally with `--pass` if you'd like - to save secrets in `pass`) -4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to - your Docker swarm box +3. `abra app new vaultwarden` +4. `abra app YOURAPPDOMAIN config` 5. `abra app YOURAPPDOMAIN deploy` -6. Open the configured domain in your browser to finish set-up [`abra`]: https://git.coopcloud.tech/coop-cloud/abra [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik diff --git a/abra.sh b/abra.sh new file mode 100644 index 0000000..7c5fe57 --- /dev/null +++ b/abra.sh @@ -0,0 +1 @@ +export APP_ENTRYPOINT_VERSION=v1 diff --git a/compose.yml b/compose.yml index a1e6b81..6746c72 100644 --- a/compose.yml +++ b/compose.yml 
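Review bot: `SIGNUPS_ALLOWED=true` in the .env.sample hunk makes open registration the shipped default, so a fresh deployment accepts accounts from anyone who can reach `DOMAIN` until the operator changes it. For a password manager a closed default is the safer starting point: `SIGNUPS_ALLOWED=false`, with a comment above it such as `# set to true only while the first accounts are being created`. The compose.yml change in this commit passes the value through as `SIGNUPS_ALLOWED=$SIGNUPS_ALLOWED` with no fallback, so whatever the sample says is presumably what new deployments get.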
@@ -8,32 +8,34 @@ services: - proxy environment: - "DOMAIN=https://$DOMAIN" - - "WEBSOCKET_ENABLED=true" - - "ADMIN_TOKEN=test" - # - SIGNUPS_ALLOWED: $$cap_register_enabled - # - ADMIN_TOKEN: $$cap_admin_token + - "WEBSOCKET_ENABLED=$WEBSOCKET_ENABLED" + - "SIGNUPS_ALLOWED=$SIGNUPS_ALLOWED" + - "ADMIN_TOKEN_FILE=/run/secrets/admin_token" + configs: + - source: app_entrypoint + target: /docker-entrypoint.sh + mode: 0555 + entrypoint: /docker-entrypoint.sh + command: /start.sh + secrets: + - admin_token volumes: - vaultwarden_data:/data + healthcheck: + test: curl -f http://localhost/alive || exit 1 + interval: 5s + timeout: 3s + retries: 10 deploy: restart_policy: condition: on-failure labels: - "traefik.enable=true" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" - - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "coop-cloud.${STACK_NAME}.version=0.1.0+1.25.0" - ## Redirect from EXTRA_DOMAINS to DOMAIN - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - # healthcheck: - # test: ["CMD", "curl", "-f", "http://localhost"] - # interval: 30s - # timeout: 10s - # retries: 10 - # start_period: 1m volumes: vaultwarden_data: @@ -41,3 +43,14 @@ volumes: networks: proxy: external: true + +configs: + app_entrypoint: + name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION} + file: entrypoint.sh.tmpl + template_driver: golang + +secrets: + admin_token: + external: true + name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION} diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl new file mode 100644 index 0000000..03c8542 
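Review bot: The new `healthcheck` in the first compose.yml hunk has no `start_period`, so failed probes count from the first second and the task is reported unhealthy after roughly 50 s (`retries: 10` at `interval: 5s`). The commented-out block that this hunk removes had `start_period: 1m`. Adding `start_period: 1m` under `retries: 10` would keep a slow first start from being marked unhealthy and, under Swarm, rescheduled. The service definition begins above the hunk, so any keys set there are not visible here.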
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "ADMIN_TOKEN"
+
+# upstream startup command
+# https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
+/start.sh
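Review bot: `export "$var"="$val"` in file_env copies the admin token out of the secret file into the process environment, where every child of the wrapper inherits it and it can be read back through `/proc/<pid>/environ`, which gives up part of what mounting it under `/run/secrets` buys. If the upstream image at this version reads `ADMIN_TOKEN_FILE` on its own (worth confirming against its documentation), the wrapper can be dropped; if not, a comment above the `file_env "ADMIN_TOKEN"` call such as `# exports the token into the environment; upstream needs ADMIN_TOKEN as a variable` would record the trade-off. The last line should also be `exec /start.sh`, because without `exec` bash stays PID 1 and the stop signal from the orchestrator is not passed on to the server, so it is killed after the grace period instead of shutting down cleanly.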