diff --git a/.envrc.sample b/.envrc.sample
index cfe67cc..3785e25 100644
--- a/.envrc.sample
+++ b/.envrc.sample
@@ -1,2 +1,6 @@
-# The path to our pass credentials store
-export PASSWORD_STORE_DIR=$(pwd)/../infrastructure/credentials/password-store
+export DOMAIN=wordpress.example.com
+export STACK_NAME=wordpress
+export LETS_ENCRYPT_ENV=production
+
+export DB_ROOT_PASSWORD_VERSION=v1
+export DB_PASSWORD_VERSION=v1
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..37b52cc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.envrc
diff --git a/README.md b/README.md
index e9fa4b9..9194ec6 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,22 @@
 # wordpress
 
-> https://wordpress.org
 
-**Work In Progress.**
+Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
+
+1. Set up Docker Swarm and [`abra`][abra]
+2. Deploy [`compose-stacks/traefik`][compose-traefik]
+3. `cp .envrc.sample .envrc`
+4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
+   your Docker swarm box
+5. `direnv allow` (or `. .envrc`)
+6. Generate secrets:
+   ```
+   abra secret_generate db_password v1
+   abra secret_generate db_root_password v1
+   ```
+
+7. `abra deploy`
+8. Open the configured domain in your browser to finish set-up
+
+[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
+[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..1aa0da4
--- /dev/null
+++ b/compose.yml
@@ -0,0 +1,67 @@
+---
+version: "3.8"
+
+services:
+  wordpress:
+    image: "wordpress:5.4.1"
+    volumes:
+      - "wordpress_content:/var/www/html/wp-content/"
+    networks:
+      - backend
+      - proxy
+    environment:
+      - WORDPRESS_DB_HOST=mariadb
+      - WORDPRESS_DB_USER=wordpress
+      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
+      - WORDPRESS_DB_NAME=wordpress
+    secrets:
+      - db_password
+    deploy:
+      #mode: replicated
+      #replicas: 1
+      #update_config:
+      #  failure_action: rollback
+      #placement:
+      #  constraints:
+      #    - node.role == manager
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.routers.${STACK_NAME}.tls=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+
+  mariadb:
+    image: "mariadb:10.5"
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    networks:
+      - backend
+    environment:
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+      - MYSQL_DATABASE=wordpress
+      - MYSQL_USER=wordpress
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+    secrets:
+      - db_password
+      - db_root_password
+
+networks:
+  backend:
+    driver: overlay
+  proxy:
+    external: true
+
+volumes:
+  mariadb:
+  wordpress_content:
+
+secrets:
+  db_root_password:    
+    external: true 
+    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
+  db_password:    
+    external: true 
+    name: ${STACK_NAME}_db_password_${DB_ROOT_PASSWORD_VERSION}
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
deleted file mode 100644
index 711cbaa..0000000
--- a/docker-compose.prod.yml
+++ /dev/null
@@ -1,67 +0,0 @@
----
-version: "3.7"
-
-services:
-  wordpress:
-    image: "wordpress:5.4.1"
-    ports:
-      - "3050:80"
-    volumes:
-      - "wp:/var/www/html"
-    networks:
-      - backend
-      - proxy
-    environment:
-      - WORDPRESS_DB_HOST=mariadb
-      - WORDPRESS_DB_USER=wordpress
-      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/wp-db-passwd-v1
-      - WORDPRESS_DB_NAME=wordpress
-    secrets:
-      - wp-db-passwd-v1
-    deploy:
-      mode: replicated
-      replicas: 1
-      update_config:
-        failure_action: rollback
-      placement:
-        constraints:
-          - node.role == manager
-      labels:
-        traefik.enable: "true"
-        traefik.http.services.wordpress.loadbalancer.server.port: "80"
-        traefik.http.routers.wordpress.rule: "Host(`wp.swarm.autonomic.zone`)"
-        traefik.http.routers.wordpress.entrypoints: "web-secure"
-        traefik.http.routers.wordpress.tls.certresolver: "staging"
-
-  mariadb:
-    image: "mariadb:10.5"
-    volumes:
-      - "db:/var/lib/mysql"
-    networks:
-      - backend
-    environment:
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root-passwd-v1
-      - MYSQL_DATABASE=wordpress
-      - MYSQL_USER=wordpress
-      - MYSQL_PASSWORD_FILE=/run/secrets/mysql-user-passwd-v1
-    secrets:
-      - mysql-root-passwd-v1
-      - mysql-user-passwd-v1
-
-networks:
-  backend:
-    driver: overlay
-  proxy:
-    external: true
-
-volumes:
-  db:
-  wp:
-
-secrets:
-  wp-db-passwd-v1:
-    external: true
-  mysql-root-passwd-v1:
-    external: true
-  mysql-user-passwd-v1:
-    external: true
diff --git a/docker-compose.yml b/docker-compose.yml
deleted file mode 100644
index 7a4011b..0000000
--- a/docker-compose.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-version: "3.7"
-
-services:
-  wordpress:
-    image: "wordpress:5.4.1"
-    ports:
-      - "8010:80"
-    depends_on:
-      - mariadb
-    environment:
-      WORDPRESS_DB_HOST: mariadb
-      WORDPRESS_DB_USER: wordpress
-      WORDPRESS_DB_PASSWORD: wordpress
-      WORDPRESS_DB_NAME: wordpress
-
-  mariadb:
-    image: "mariadb:10.5"
-    environment:
-      MYSQL_ROOT_PASSWORD: somewordpress
-      MYSQL_DATABASE: wordpress
-      MYSQL_USER: wordpress
-      MYSQL_PASSWORD: wordpress