diff --git a/.env.sample b/.env.sample
deleted file mode 100644
index 4e155db..0000000
--- a/.env.sample
+++ /dev/null
@@ -1,13 +0,0 @@
-TYPE=keycloak
-
-DOMAIN=keycloak.example.com
-## Domain aliases
-#EXTRA_DOMAINS=', `www.keycloak.example.com`'
-LETS_ENCRYPT_ENV=production
-
-ADMIN_USERNAME=admin
-WELCOME_THEME=keycloak
-
-SECRET_DB_ROOT_PASSWORD_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
-SECRET_ADMIN_PASSWORD_VERSION=v1
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4c49bd7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/README.md b/README.md
index 809081d..9eda19a 100644
--- a/README.md
+++ b/README.md
@@ -8,11 +8,17 @@ Wiki Cafe's configuration for a Keycloak deployment. Originally slimmed down fro
 Set the environment variables from the .env file during the shell session.
 
 ```
-set -a && source .env && set +a^C
+set -a && source .env && set +a
 ```
 
-Deploy using the `-c` flag to specify multiple compose files.
+Set the secrets.
 
 ```
-docker stack deploy traefik -c compose.yaml -c compose.googledomains.yaml
+printf "SECRET_HERE" | docker secret create SECRET_NAME -
+```
+
+Deploy using the `-c` flag to specify one or multiple compose files.
+
+```
+docker stack deploy keycloak -c compose.yaml
 ```
diff --git a/compose.yaml b/compose.yaml
index db25a1b..63e9972 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,6 +1,3 @@
----
-version: "3.8"
-
 services:
   app:
     image: "keycloak/keycloak:22.0.1"
@@ -18,17 +15,11 @@ services:
       - KC_DB_URL_HOST=db
       - KC_HOSTNAME=${DOMAIN}
       - KC_PROXY=edge
-      - KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
       - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
       - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
-    # NOTE(3wc): disabled due to missing curl binary, see
-    # https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
     # healthcheck:
-    # test: ["CMD", "curl", "-f", "http://localhost:8080"]
-    # interval: 30s
-    # timeout: 10s
-    # retries: 10
-    # start_period: 1m
+    # https://www.keycloak.org/server/health
+    # Use external health checks
     volumes:
       - "themes:/opt/keycloak/themes"
     depends_on:
@@ -39,14 +30,13 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=7.0.0+22.0.1"
+        - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+        - "traefik.http.routers.keycloak.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.keycloak.entrypoints=web-secure"
+        - "traefik.http.routers.keycloak.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.keycloak.middlewares=keycloak-redirect"
+        - "traefik.http.middlewares.keycloak-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.keycloak-redirect.headers.SSLHost=${DOMAIN}"
 
   db:
     image: "mariadb:10.11"
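Review bot: Replacing the commented-out healthcheck with `# Use external health checks` leaves the `app` service with no `healthcheck:` at all, so Swarm treats a task as ready the moment the Java process starts; together with the `order: start-first` visible in the next hunk, a rolling update may hand traffic to a replica that has not finished booting or that failed its database migration. The page linked in the new comment documents that Keycloak only exposes `/health/ready` when health is switched on, so adding `- KC_HEALTH_ENABLED=true` to this `environment` list is what lets the external check (or a later in-container one) probe readiness instead of plain TCP liveness. The removal of `KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update` is not explained by the commit; if relying on the default is deliberate, a one-line comment such as `# schema migration uses Keycloak's default strategy` would keep the next reader from re-adding it. The `environment` list this hunk edits begins above the hunk.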
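Review bot: The added label lines hard-code the Traefik router, service and middleware name as `keycloak` instead of `${STACK_NAME}`, so two deployments of this file on the same Swarm (a staging and a production stack, for instance) would both declare a Traefik router named `keycloak` with different `rule` and `tls` values, which Traefik is likely to reject as a conflicting definition rather than serve both hosts. The rule line still interpolates `${DOMAIN}` and `${EXTRA_DOMAINS}`, but `.env.sample`, the only place those variables were documented, is deleted in this same commit; with `DOMAIN` unset the rule degrades to a `Host` match on an empty name and the deploy succeeds silently. Failing fast at deploy time only needs the expansions changed to `${DOMAIN:?DOMAIN must be set}` and `${EXTRA_DOMAINS:-}` on the `traefik.http.routers.keycloak.rule` label. The `deploy:` block that holds these labels starts above the hunk.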
@@ -79,13 +69,13 @@ networks:
 
 secrets:
   admin_password:
-    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+    name: keycloak_admin_password
     external: true
   db_password:
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    name: keycloak_db_password
     external: true
   db_root_password:
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    name: keycloak_db_root_password
     external: true
 
 volumes:
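Review bot: Dropping the `_${SECRET_*_VERSION}` suffix from the three external secret names removes the only credential-rotation path this file had: Docker secrets are immutable, and `docker secret rm` refuses to delete a secret while a service references it, so with a fixed `keycloak_admin_password` name the admin or database password can only be changed by tearing the stack down first, whereas a versioned name lets the new secret be created beside the old one and the service re-deployed onto it. A defaulted version keeps the simpler README flow while preserving rotation, e.g. `name: keycloak_admin_password_${SECRET_ADMIN_PASSWORD_VERSION:-v1}`, and likewise for `db_password` and `db_root_password`. Whichever naming is kept, the README's `docker secret create` step should spell out the three names this file expects instead of the `SECRET_NAME` placeholder. The `secrets:` mapping is complete within the hunk.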