diff --git a/scripts/setup-prod.sh b/scripts/setup-prod.sh
new file mode 100755
index 0000000..b1ebb68
--- /dev/null
+++ b/scripts/setup-prod.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+# Production Setup Script
+# Wraps existing scripts to work in the production environment context
+
+set -euo pipefail
+
+# Colors
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+# Ensure we are in the project root
+cd "$(dirname "$0")/.."
+
+# 1. Generate Secrets if needed
+# We point generate-secrets to the production env file
+if [ ! -f "infra/environments/production/.env" ] || grep -q "CHANGE_ME" "infra/environments/production/.env"; then
+ echo -e "${BLUE}🔐 Generating production secrets...${NC}"
+
+ # Temporarily symlink production env to where generate-secrets expects it (if needed)
+ # But generate-secrets.sh writes to infra/environments/local/.env by default.
+ # We will modify generate-secrets.sh to accept an output file argument or just move it after.
+
+ # Actually, let's just run it and move the result if it doesn't support args,
+ # OR better, let's just use sed to update the existing production .env in place using the logic from generate-secrets
+ # But re-using the script is better.
+
+ # Let's try to run generate-secrets.sh and see if we can redirect output.
+ # Looking at generate-secrets.sh, it writes to infra/environments/local/.env
+
+ # Workaround: Backup local .env, run script, move result to prod, restore local
+ if [ -f "infra/environments/local/.env" ]; then
+ cp "infra/environments/local/.env" "infra/environments/local/.env.bak"
+ fi
+
+ ./scripts/generate-secrets.sh
+
+ mv "infra/environments/local/.env" "infra/environments/production/.env"
+
+ if [ -f "infra/environments/local/.env.bak" ]; then
+ mv "infra/environments/local/.env.bak" "infra/environments/local/.env"
+ fi
+
+ # Update DOMAIN in production .env
+ sed -i 's/DOMAIN=local.lan/DOMAIN=app.harkon.co.uk/g' "infra/environments/production/.env"
+ sed -i 's/EMAIL=admin@local.lan/EMAIL=admin@harkon.co.uk/g' "infra/environments/production/.env"
+
+ echo -e "${GREEN}✅ Production secrets generated in infra/environments/production/.env${NC}"
+else
+ echo -e "${GREEN}✅ Production secrets already exist${NC}"
+fi
+
+# 2. Setup Authentik
+# We need to export the production env vars so the scripts pick them up
+set -a
+source "infra/environments/production/.env"
+set +a
+
+# Override specific variables for the scripts
+export ENV_FILE="infra/environments/production/.env"
+export DOMAIN="app.harkon.co.uk"
+export BOOTSTRAP_FILE="infra/base/authentik/bootstrap-prod.yaml"
+
+echo -e "${BLUE}🔧 Running Authentik Setup for Production...${NC}"
+
+# Run complete-authentik-setup (gets token)
+./scripts/complete-authentik-setup.sh
+
+# Run setup-authentik (imports blueprint)
+./scripts/setup-authentik.sh
+
+echo -e "${GREEN}🎉 Production setup complete!${NC}"
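Review bot: The backup/run/move/restore sequence around `./scripts/generate-secrets.sh` is not failure-safe under `set -e`: if the generator or the first `mv` fails, the script exits with the developer's local `.env` stranded as `.env.bak` (or half-written), and no step restores it. Nothing in the hunk sets the mode of the resulting `infra/environments/production/.env` or of the backup copy, so both secret files inherit whatever umask the caller has. generate-secrets.sh is not visible here; if it leaves an already-populated local `.env` untouched, the `mv` would promote the local secrets into production unchanged, which is worth confirming before relying on this path. I would restore from an `EXIT` trap and tighten permissions, as in the excerpt below.

```shell
# … unchanged: strict mode, colors, cd to project root, the if-condition and first echo …
  local_env="infra/environments/local/.env"
  prod_env="infra/environments/production/.env"
  local_bak=""

  # Put the local .env back on every exit path, including a failed generator run.
  restore_local_env() {
    if [ -n "$local_bak" ] && [ -f "$local_bak" ]; then
      mv -f -- "$local_bak" "$local_env"
    fi
    local_bak=""
  }
  trap restore_local_env EXIT

  if [ -f "$local_env" ]; then
    local_bak="$(mktemp "${local_env}.bak.XXXXXX")"   # mktemp creates the file 0600
    cp -- "$local_env" "$local_bak"
  fi

  # Generate with a restrictive umask so the new secrets file is never group/world readable.
  (umask 077 && ./scripts/generate-secrets.sh)

  mv -- "$local_env" "$prod_env"
  chmod 600 -- "$prod_env"
  restore_local_env
# … unchanged: sed DOMAIN/EMAIL rewrite, else branch, Authentik setup …
```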