diff --git a/.env.sample b/.env.sample index c1925fd..5741e30 100644 --- a/.env.sample +++ b/.env.sample @@ -5,6 +5,10 @@ DOMAIN=wordpress.example.com #EXTRA_DOMAINS=', `www.wordpress.example.com`' LETS_ENCRYPT_ENV=production +TITLE="My Example Blog" +LOCALE="en_US" # de_DE +ADMIN_EMAIL=admin@example.com + ## Additional extensions #PHP_EXTENSIONS="calendar" @@ -35,3 +39,9 @@ SECRET_DB_PASSWORD_VERSION=v1 #SMTP_AUTH=on #SMTP_TLS=on #SECRET_SMTP_PASSWORD_VERSION=v1 + +# COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" +# AUTHENTIK_DOMAIN=authentik.example.com +# AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1 # the same as in authentik +# AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1 # the same as in authentik +# LOGIN_TYPE='auto' # 'button' diff --git a/README.md b/README.md index f237bff..fbd2ad4 100644 --- a/README.md +++ b/README.md 
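Review bot: The trailing `# the same as in authentik` on `AUTHENTIK_SECRET_NAME` and `AUTHENTIK_ID_NAME` reads as if the OAuth client ID and client secret values are pasted here, but `compose.authentik.yml` in this same change uses them as the names of pre-existing Swarm secrets (`external: true`), so the values must be stored with the secret machinery before deploy and only the names go in this file. Consider replacing the two comments with `# name of the Swarm secret holding the Authentik client secret (create it before deploying)` and `# name of the Swarm secret holding the Authentik client ID`. A `_v1` suffix in the example also suggests rotation works like `SECRET_DB_PASSWORD_VERSION` above; if that is the intent, a note that rotating means creating a new secret and changing the name here would save a support question.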
@@ -17,40 +17,51 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳 -## Basic usage -1. Set up Docker Swarm and [`abra`][abra] -2. Deploy [`coop-cloud/traefik`][cc-traefik] -3. `abra app new wordpress --secrets` (optionally with `--pass` if you'd like - to save secrets in `pass`) -4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to - your Docker swarm box -5. `abra app deploy YOURAPPDOMAIN` -6. Open the configured domain in your browser to finish set-up -7. `abra app run YOURAPPDOMAIN app chown www-data:www-data /var/www/html/wp-content` to fix - file permissions (see #3) +## Quick start + + +* `abra app new wordpress` +* `abra app config ` +* `abra app secret generate -a ` +* `abra app deploy ` +* `abra app cmd app core_install` + +### Authentik Integration + + +`abra app config ` +Configure the following envs: +``` +COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" +AUTHENTIK_DOMAIN=authentik.example.com +AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1 # the same as in authentik +AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1 # the same as in authentik +``` + +`abra app cmd app set_authentik` ## Running WP-CLI -`abra app cmd YOURAPPDOMAIN app wp -- core check-update --major` +`abra app cmd app wp -- core check-update --major` ## Network (Multi-site) _(Only tested using subdomains)_ 1. Set up as above -2. `abra app config YOURAPPDOMAIN`, and uncomment the first `# Multisite` section -3. `abra app deploy YOURAPPDOMAIN` +2. `abra app config `, and uncomment the first `# Multisite` section +3. `abra app deploy ` 4. Log into the Wordpress admin dashboard, go to Tools » Network Setup 5. Don't worry about the suggested file changes -6. `abra app config YOURAPPDOMAIN` again - comment out the first `# Multisite` +6. 
`abra app config ` again - comment out the first `# Multisite` section in `.envrc`, uncomment the `# Multisite phase 2` section, and add your multisite subdomain(s) to `EXTRA_DOMAINS` (beware the weird syntax..) -7. `abra app deploy YOURAPPDOMAIN` +7. `abra app deploy ` ## Installing a custom theme -`abra app cp YOURAPPDOMAIN ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/` +`abra app cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/` ## Email @@ -62,10 +73,10 @@ There is a local or remote SMTP relay configuration available. Below are the instructions for the local relay. 1. Deploy [`postfix-relay`][cc-postfix-relay] -2. `abra app config YOURAPPDOMAIN`, and uncomment the email lines; change +2. `abra app config `, and uncomment the email lines; change `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS` -3. `abra app deploy YOURAPPDOMAIN` +3. `abra app deploy ` [abra]: https://git.autonomic.zone/autonomic-cooperative/abra [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik diff --git a/abra.sh b/abra.sh index ab59107..ed679d6 100644 --- a/abra.sh +++ b/abra.sh 
@@ -4,7 +4,61 @@ export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2 export MSMTP_CONF_VERSION=v3 wp() { - /usr/local/bin/wp $@ + su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@" +} + +core_install(){ + ADMIN=admin + if [ -n $AUTHENTIK_DOMAIN ] + then + ADMIN=akadmin + fi + chown www-data:www-data /var/www/html/wp-content + wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email" + wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'" +} + +set_authentik(){ + AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret) + AUTHENTIK_ID=$(cat /run/secrets/authentik_id) + if [ -n $LOGIN_TYPE ] + then + LOGIN_TYPE='button' + fi + wp "user create akadmin admin@example.com --role=administrator" + wp "plugin install --activate daggerhart-openid-connect-generic" + wp "option update --format=json openid_connect_generic_settings ' + { + \"login_type\":\"$LOGIN_TYPE\", + \"client_id\":\"$AUTHENTIK_ID\", + \"client_secret\":\"$AUTHENTIK_SECRET\", + \"scope\":\"email profile openid\", + \"endpoint_login\":\"https://$AUTHENTIK_DOMAIN/application/o/authorize/\", + \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\", + \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\", + \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\", + \"acr_values\":\"\", + \"identity_key\":\"preferred_username\", + \"no_sslverify\":\"0\", + \"http_request_timeout\":\"30\", + \"enforce_privacy\":\"0\", + \"alternate_redirect_uri\":\"1\", + \"nickname_key\":\"preferred_username\", + \"email_format\":\"{email}\", + \"displayname_format\":\"{given_name} {family_name}\", + \"identify_with_username\":\"1\", + \"state_time_limit\":\"\", + \"token_refresh_enable\":\"1\", + \"link_existing_users\":\"1\", + \"create_if_does_not_exist\":\"1\", + \"redirect_user_back\":\"0\", + \"redirect_on_logout\":\"1\", + \"enable_logging\":\"0\", + \"log_limit\":\"1000\" + }'" + 
wp "rewrite flush" + wp "cache flush" + } fix_mysql() { diff --git a/compose.authentik.yml b/compose.authentik.yml new file mode 100644 index 0000000..a2969b8 --- /dev/null +++ b/compose.authentik.yml @@ -0,0 +1,14 @@ +version: "3.8" +services: + app: + secrets: + - authentik_secret + - authentik_id + +secrets: + authentik_secret: + external: true + name: ${AUTHENTIK_SECRET_NAME} + authentik_id: + external: true + name: ${AUTHENTIK_ID_NAME}
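Review bot: In `set_authentik`, the client secret read from `/run/secrets/authentik_secret` is spliced into the string handed to `su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"`, so it becomes part of the spawned shell's argv — readable via `ps` or `/proc/<pid>/cmdline` by any other process in the container while the command runs — and a `'`, `"`, `$` or backtick in the secret, `$TITLE` or `$LOCALE` either breaks the nested quoting or is re-evaluated by that inner shell. I would render the settings JSON to a file from `mktemp` and feed it to `wp option update` on stdin, which keeps the secret off every command line (WP-CLI reads the value from STDIN when the positional value is omitted; worth confirming against the wp-cli version shipped in the image). Separately, `if [ -n $AUTHENTIK_DOMAIN ]` in `core_install` and `if [ -n $LOGIN_TYPE ]` in `set_authentik` test an unquoted variable, and `[ -n ]` with the operand missing evaluates true, so the admin user is always `akadmin` even without Authentik and any configured `LOGIN_TYPE` is always overwritten with `'button'` despite `.env.sample` offering `'auto'`; they should read `if [ -n "${AUTHENTIK_DOMAIN:-}" ]` and `if [ -z "${LOGIN_TYPE:-}" ]`. `wp "user create akadmin admin@example.com --role=administrator"` also hard-codes a placeholder address where `$ADMIN_EMAIL` is already available.
```shell
set_authentik(){
  AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
  AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
  if [ -z "${LOGIN_TYPE:-}" ]
  then
    LOGIN_TYPE='button'
  fi
  wp "user create akadmin $ADMIN_EMAIL --role=administrator"
  wp "plugin install --activate daggerhart-openid-connect-generic"
  # Settings go through a root-owned temp file and stdin so the client
  # secret never appears on a command line visible to other processes.
  settings=$(mktemp)
  cat > "$settings" <<EOF
{
  "login_type":"$LOGIN_TYPE",
  "client_id":"$AUTHENTIK_ID",
  "client_secret":"$AUTHENTIK_SECRET",
  "endpoint_login":"https://$AUTHENTIK_DOMAIN/application/o/authorize/",
  # … unchanged: remaining openid_connect_generic_settings keys from the hunk, without the \" escapes …
}
EOF
  wp "option update --format=json openid_connect_generic_settings" < "$settings"
  rm -f "$settings"
  # … unchanged: rewrite flush, cache flush …
}
```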
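Review bot: Both secrets take their Swarm name from `${AUTHENTIK_SECRET_NAME}` and `${AUTHENTIK_ID_NAME}` with no fallback, so an `.env` that enables `compose.authentik.yml` but leaves those two lines commented out yields an empty `name:` and an opaque stack-deploy failure instead of pointing at the missing variable. Compose interpolation has a required-variable form, `name: ${AUTHENTIK_SECRET_NAME:?AUTHENTIK_SECRET_NAME must be set}` and likewise for the ID, which fails fast with a readable message; worth a quick check that the `docker stack deploy` path abra uses honours it. Since `external: true` means nothing in this repository creates the secrets, a header comment such as `# Both secrets must already exist in the swarm (e.g. via abra app secret insert) before deploy` would also help.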