diff --git a/Makefile b/Makefile index 2405b76..d9ba2b0 100644 --- a/Makefile +++ b/Makefile @@ -6,6 +6,7 @@ MODULES += prometheus MODULES += mastodon MODULES += matrix MODULES += nextcloud +MODULES += mobilizon #MODULES += pixelfed include env.production diff --git a/mobilizon.yaml b/mobilizon.yaml new file mode 100644 index 0000000..df56731 --- /dev/null +++ b/mobilizon.yaml 
@@ -0,0 +1,62 @@
+version: "3"
+
+services:
+ mobilizon:
+ image: framasoft/mobilizon
+ container_name: mobilizon
+ restart: always
+ volumes:
+ - ./data/mobilizon/uploads:/var/lib/mobilizon/uploads
+ - ./mobilizon/config.exs:/etc/mobilizon/config.exs:ro
+ environment:
+ - KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}
+ - REALM=${REALM}
+ - MOBILIZON_INSTANCE_NAME=${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}
+ - MOBILIZON_INSTANCE_HOST=${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}
+ - MOBILIZON_INSTANCE_SECRET_KEY_BASE=${MOBILIZON_ADMIN_PASSWORD}
+ - MOBILIZON_INSTANCE_SECRET_KEY=${MOBILIZON_SESSION_SECRET}
+ - MOBILIZON_CLIENT_SECRET=${MOBILIZON_CLIENT_SECRET}
+ - MOBILIZON_INSTANCE_EMAIL=events@${DOMAIN_NAME}
+ - MOBILIZON_REPLY_EMAIL=noreply@${DOMAIN_NAME}
+ - MOBILIZON_SMTP_SERVER=${SMTP_SERVER}
+ - MOBILIZON_SMTP_PORT=${SMTP_PORT}
+ - MOBILIZON_SMTP_USERNAME=${SMTP_USER}
+ - MOBILIZON_SMTP_PASSWORD=${SMTP_PASSWORD}
+ - MOBILIZON_SMTP_SSL=true
+ - MOBILIZON_DATABASE_USERNAME=mobilizon
+ - MOBILIZON_DATABASE_PASSWORD=mobilizon
+ - MOBILIZON_DATABASE_DBNAME=mobilizon
+ - MOBILIZON_DATABASE_HOST=mobilizon-db
+ - MOBILIZON_INSTANCE_REGISTRATIONS_OPEN=false
+ - MOBILIZON_INSTANCE_PORT=7000
+ user: root
+ entrypoint:
+ - "/bin/sh"
+ - "-c"
+ - "chmod 777 /var/lib/mobilizon/uploads && exec su -p nobody -s /bin/sh /docker-entrypoint.sh"
+
+# ports:
+# - "7000:7000"
+
+ mobilizon-db:
+ image: postgis/postgis:13-3.1
+ container_name: mobilizon-db
+ restart: always
+ volumes:
+ - ./data/mobilizon/db:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_USER=mobilizon
+ - POSTGRES_PASSWORD=mobilizon
+ - POSTGRES_DB=mobilizon
+
+ # add the nginx configuration into the nginx volume
+ nginx:
+ volumes:
+ - ./mobilizon/nginx.conf:/etc/nginx/templates/mobilizon.conf.template:ro
+
+ # add the client secrets to the keycloak-setup volume
+ keycloak-setup:
+ env_file:
+ - data/mobilizon/secrets
+ volumes:
+ - ./mobilizon/keycloak.sh:/keycloak-setup/mobilizon.sh:ro
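Review bot: `MOBILIZON_INSTANCE_SECRET_KEY_BASE` is filled from `${MOBILIZON_ADMIN_PASSWORD}` in the `environment:` list, so the instance key (presumably consumed by the mounted config.exs as signing material) shares its value with something that, by its name, is also an admin credential; the setup script removed by this commit generated it separately with `openssl rand -hex 20`. Give it its own generated variable, for example `- MOBILIZON_INSTANCE_SECRET_KEY_BASE=${MOBILIZON_SECRET_KEY_BASE}` (a new name, to be created wherever the other secrets are generated). The entrypoint also leaves the bind-mounted uploads directory world-writable; since the container starts as root, `chown nobody /var/lib/mobilizon/uploads && chmod 700 /var/lib/mobilizon/uploads` before the `exec su` should give the service the same access without opening the host directory to every local account. The database password is the literal `mobilizon` on both services and `image: framasoft/mobilizon` carries no tag, so a generated secret and a pinned version are worth adding in the same change.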
diff --git a/mobilizon/docker-compose.yml b/mobilizon/docker-compose.yml
deleted file mode 100644
index 4f359ff..0000000
--- a/mobilizon/docker-compose.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-version: "3"
-
-services:
- mobilizon:
- image: framasoft/mobilizon
- restart: always
- env_file:
- - ../env.production
- - ./env.production
- - ../data/mobilizon/env.secrets
- volumes:
- - ../data/mobilizon/uploads:/var/lib/mobilizon/uploads
- - ./config.exs:/etc/mobilizon/config.exs:ro
- # - ${PWD}/GeoLite2-City.mmdb:/var/lib/mobilizon/geo_db/GeoLite2-City.mmdb
- ports:
- - "7000:7000"
-
- db:
- image: postgis/postgis:13-3.1
- restart: always
- volumes:
- - ../data/mobilizon/db:/var/lib/postgresql/data
- environment:
- - POSTGRES_USER=mobilizon
- - POSTGRES_PASSWORD=mobilizon
- - POSTGRES_DB=mobilizon
diff --git a/mobilizon/env.production b/mobilizon/env.production
deleted file mode 100644
index 4f67db1..0000000
--- a/mobilizon/env.production
+++ /dev/null
@@ -1,24 +0,0 @@
-# Database settings
-POSTGRES_USER=mobilizon
-POSTGRES_PASSWORD=changethis
-POSTGRES_DB=mobilizon
-MOBILIZON_DATABASE_USERNAME=mobilizon
-MOBILIZON_DATABASE_PASSWORD=mobilizon
-MOBILIZON_DATABASE_DBNAME=mobilizon
-MOBILIZON_DATABASE_HOST=db
-
-
-# Instance configuration
-MOBILIZON_INSTANCE_REGISTRATIONS_OPEN=false
-MOBILIZON_INSTANCE_PORT=7000
-
-MOBILIZON_INSTANCE_EMAIL=noreply@mobilizon.lan
-MOBILIZON_REPLY_EMAIL=contact@mobilizon.lan
-
-# Email settings
-MOBILIZON_SMTP_SERVER=localhost
-MOBILIZON_SMTP_PORT=25
-MOBILIZON_SMTP_HOSTNAME=localhost
-MOBILIZON_SMTP_USERNAME=noreply@mobilizon.lan
-MOBILIZON_SMTP_PASSWORD=password
-MOBILIZON_SMTP_SSL=false
diff --git a/mobilizon/keycloak.sh b/mobilizon/keycloak.sh
new file mode 100755
index 0000000..994117d
--- /dev/null
+++ b/mobilizon/keycloak.sh
@@ -0,0 +1,4 @@ +#!/bin/bash -x +# Setup the OAuth client connection + +client-create mobilizon "$MOBILIZON_HOSTNAME.$DOMAIN_NAME" "$MOBILIZON_CLIENT_SECRET" &2 "mobilizon: $@" ; exit 1 ; } - -DIRNAME="$(dirname $0)" -cd "$DIRNAME" -source ../env.production || die "no top level env?" -source env.production || die "no local env?" -source ../env.smtp 2>/dev/null - -DATA="../data/mobilizon" -SECRETS="$DATA/env.secrets" - -if [ -r "$SECRETS" ]; then - docker-compose up -d || die "unable to start" - exit 0 -fi - -docker-compose down 2>/dev/null - -CLIENT_SECRET="$(openssl rand -hex 20)" - -mkdir -p "$DATA/uploads" -chmod 777 "$DATA/uploads" - -mkdir -p "$(dirname "$SECRETS")" -cat < "$SECRETS" -# DO NOT CHECK IN -MOBILIZON_INSTANCE_NAME=${DOMAIN_NAME} -MOBILIZON_INSTANCE_HOST=${MOBILIZON_HOSTNAME} -MOBILIZON_INSTANCE_SECRET_KEY_BASE=$(openssl rand -hex 20) -MOBILIZON_INSTANCE_SECRET_KEY=$(openssl rand -hex 20) -MOBILIZON_CLIENT_SECRET=${CLIENT_SECRET} -EOF - -if [ -n "$SMTP_SERVER" ]; then - cat <> "$SECRETS" -MOBILIZON_INSTANCE_EMAIL=events@${DOMAIN_NAME} -MOBILIZON_REPLY_EMAIL=noreply@${DOMAIN_NAME} -MOBILIZON_SMTP_SERVER=${SMTP_SERVER} -MOBILIZON_SMTP_PORT=${SMTP_PORT} -MOBILIZON_SMTP_USERNAME=${SMTP_USER} -MOBILIZON_SMTP_PASSWORD=${SMTP_PASSWORD} -EOF -fi - -../keycloak/client-delete mobilizon - -../keycloak/client-create <
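Review bot: The `-x` in the shebang `#!/bin/bash -x` of the new keycloak.sh makes bash trace every command after expansion, so the `client-create` line would print the value of `$MOBILIZON_CLIENT_SECRET` to stderr and into whatever collects the keycloak-setup container's logs. That holds when the script is executed directly; if the setup container sources it instead, the shebang is ignored and the caller's tracing setting decides. Use `#!/bin/bash` without the flag, or bracket the call with `set +x` and `set -x` if tracing is wanted elsewhere. The text after the secret argument is cut off on this page, so the remainder of that command was not reviewed.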