diff --git a/.envrc.sample b/.envrc.sample
new file mode 100644
index 0000000..f4b28dc
--- /dev/null
+++ b/.envrc.sample
@@ -0,0 +1,5 @@
+export PASSWORD_STORE_DIR=$(pwd)/../../Infrastructure/infrastructure/credentials/password-store
+
+export DB_ROOT_PASSWD_VERSION=v1
+export DOMAIN=nextcloud.swarm.autonomic.zone
+export STACK_NAME=nextcloud
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..37b52cc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.envrc
diff --git a/compose.yml b/compose.yml
index d84414d..079136a 100644
--- a/compose.yml
+++ b/compose.yml
@@ -6,12 +6,13 @@ services: depends_on: - maindb secrets: - - mysql_root_password + - db_root_password environment: - MYSQL_HOST=maindb:3306 - MYSQL_DATABASE=nextcloud - MYSQL_USER=root - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password + - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password + - DOMAIN=${DOMAIN} volumes: - /mnt/nextcloud:/var/www/html:cached - /mnt/nextapps:/var/www/html/custom_apps:cached
@@ -39,8 +40,9 @@ services: - "traefik.http.routers.invoiceninja.tls.certresolver=${LETS_ENCRYPT_ENV}" secrets: - mysql_root_password: + db_root_password: external: true + name: ${STACK_NAME}_db_root_passwd_${DB_ROOT_PASSWD_VERSION} volumes: nextcloud:
@@ -51,5 +53,4 @@ volumes: networks: proxy: external: true - private: - external: true + internal:
diff --git a/helpers.sh b/helpers.sh
new file mode 100755
index 0000000..a7dc778
--- /dev/null
+++ b/helpers.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+create-secrets () {
+ pwgen -n 32 1 | docker secret create "${STACK_NAME}_db_root_passwd_${DB_ROOT_PASSWD_VERSION}" -
+}
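Review bot: The sample does not export `LETS_ENCRYPT_ENV`, although compose.yml interpolates `${LETS_ENCRYPT_ENV}` into the traefik certresolver label (visible as context in the second compose.yml hunk), so a deploy driven only by this file would get an empty resolver name unless the variable is set elsewhere. I would add a placeholder line such as `export LETS_ENCRYPT_ENV=<certresolver-name>` and a one-line comment above each export saying what consumes it. As a style point, quote the substitution: `export PASSWORD_STORE_DIR="$(pwd)/../../Infrastructure/infrastructure/credentials/password-store"`.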
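Review bot: The application container in the first compose.yml hunk is still configured with `MYSQL_USER=root` and, after this rename, mounts the database root secret as `/run/secrets/db_root_password`, so this service holds full administrative rights on `maindb` rather than rights on the `nextcloud` database only. A dedicated database account with its own secret would limit what a compromise of the web application can reach; if the image supports it, that would look like `- MYSQL_USER=nextcloud` with a separate `- MYSQL_PASSWORD_FILE=/run/secrets/db_password`. The service header is outside this hunk, so I am inferring from `MYSQL_HOST=maindb:3306` that this is the client side of the database connection.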
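Review bot: The external secret name in the second compose.yml hunk is built from `${STACK_NAME}` and `${DB_ROOT_PASSWD_VERSION}` with no guard, so deploying from a shell where `.envrc` was not loaded resolves it to `_db_root_passwd_` and the failure surfaces as a missing secret rather than a missing variable. The required-variable form fails at interpolation time instead: `name: ${STACK_NAME:?unset}_db_root_passwd_${DB_ROOT_PASSWD_VERSION:?unset}`; the same applies to `DOMAIN=${DOMAIN}` in the first hunk. `name:` on an external secret needs file format 3.5 or later, and the `version:` line is outside the diff, so please confirm it.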
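Review bot: The top-level network `private` is replaced by `internal` in the third compose.yml hunk, but none of the three hunks changes a service-level `networks:` list, so either a service still references `private` (now undefined, which the deploy should reject) or nothing is attached to `internal`. Please check the service definitions outside the diff and update them in the same commit. Note also that a network merely named `internal` is an ordinary stack-scoped network; if the intent is that the database side has no outbound route, that needs `internal: true` under the key.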
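Review bot: `pwgen -n 32 1` in `create-secrets` produces pwgen's default pronounceable passwords, which carry less entropy per character than fully random ones; for a database root credential use the secure mode, `pwgen -s 32 1`. The secret name also expands unguarded, so calling the function without the environment loaded creates a secret called `_db_root_passwd_`; `"${STACK_NAME:?}_db_root_passwd_${DB_ROOT_PASSWD_VERSION:?}"` stops that. Because the script sets no `pipefail`, a missing `pwgen` does not stop `docker secret create` from running on empty input, so I would put `command -v pwgen >/dev/null || return 1` first. A header comment naming the two required variables and the need for a swarm manager context would document the contract.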