diff --git a/.env.sample b/.env.sample
index 216124b..a4ecf7a 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,6 +1,6 @@
 TYPE=wekan
 LETS_ENCRYPT_ENV=production
-SECRET_SSO_SECRET_VERSION=v1
+SECRET_OAUTH2_SECRET_VERSION=v1
 MONGO_URL=mongodb://db:27017/wekan
@@ -16,7 +16,7 @@ OAUTH2_SERVER_URL=https://sso.example.com
 OAUTH2_AUTH_ENDPOINT=/application/o/authorize/
 OAUTH2_USERINFO_ENDPOINT=/application/o/userinfo/
 OAUTH2_TOKEN_ENDPOINT=/application/o/token/
-OAUTH2_SECRET=secret
+# should be set in secret OAUTH2_SECRET=
 OAUTH2_REQUEST_PERMISSIONS="openid profile email wekan"
 OAUTH2_ID_MAP=preferred_username
 OAUTH2_USERNAME_MAP=preferred_username
diff --git a/README.md b/README.md
index da13078..e7a46ea 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
 # Wekan
 The Open Source kanban (built with Meteor)
+[Github](https://github.com/wekan/wekan)
 * **Category**: Apps
@@ -23,5 +24,4 @@ The Open Source kanban (built with Meteor)
 See original [docker-compose.yml](https://github.com/wekan/wekan/blob/master/docker-compose.yml) for all possible env variables
-
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..2dc5622
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1,2 @@
+export SECRET_OAUTH2_SECRET_VERSION=v1
+export ENTRYPOINT_VERSION=1
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
index d668b71..465c26e 100644
--- a/compose.yml
+++ b/compose.yml
@@ -61,6 +61,10 @@ services:
 - source: healthcheck_js
 target: /build/healthcheck.js
 mode: 0555
+ - source: entrypoint
+ target: /home/wekan/app/docker-entrypoint.sh
+ mode: 0555
+ entrypoint: /home/wekan/app/docker-entrypoint.sh
 deploy:
 update_config:
 failure_action: rollback
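Review bot: The service never gets the `oauth2_secret` secret or an `OAUTH2_SECRET_FILE` variable in the compose.yml hunks shown: the `@@ -61,6 +61,10 @@` hunk adds only the `entrypoint` config mount and the `entrypoint:` key, and the `@@ -86,3 +90,12 @@` hunk only declares the top-level external secret. Unless that wiring sits in lines outside the hunks, `file_env "OAUTH2_SECRET"` in entrypoint.sh.tmpl finds neither variable and the app starts with an empty client secret. The service would need a `secrets:` list containing `- oauth2_secret` and an environment entry `OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret`. The service block starts and ends outside this hunk, so this should be checked against the full file.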
@@ -86,3 +90,12 @@ configs:
 healthcheck_js:
 name: ${STACK_NAME}_healthcheck_js
 file: healthcheck.js
+ entrypoint:
+ name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
+
+secrets:
+ oauth2_secret:
+ name: ${STACK_NAME}_oauth2_secret_${SECRET_OAUTH2_SECRET_VERSION}
+ external: true
\ No newline at end of file
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..b4883c2
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "OAUTH2_SECRET"
+
+node /build/main.js
\ No newline at end of file
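Review bot: The final line of entrypoint.sh.tmpl starts node as a child of bash, so bash stays PID 1 and the stop signal Docker sends on an update or rollback does not reach node; `exec node /build/main.js` replaces the shell and lets the app shut down cleanly. `file_env "OAUTH2_SECRET"` is also called without a default, so when neither `OAUTH2_SECRET` nor `OAUTH2_SECRET_FILE` is set it exports an empty value and startup continues. If OAuth2 login is required for this deployment, adding `: "${OAUTH2_SECRET:?set OAUTH2_SECRET or OAUTH2_SECRET_FILE}"` after the call makes a missing secret fail the container start instead. A short header comment on `file_env` stating that it reads `<VAR>_FILE` and rejects both being set would help the next reader.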