diff --git a/.drone.yml b/.drone.yml
index 8ce9152..b2fefb1 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -1,16 +1,21 @@
 ---
 kind: pipeline
-name: default
+name: deploy to swarm.autonomic.zone
 steps:
-  - name: Deploy Drone with Dokku
-    image: appleboy/drone-git-push:0.2.0-linux-amd64
+  - name: deployment
+    image: decentral1se/drone-stack:19.03.8
     settings:
-      remote: ssh://dokku@dokku.autonomic.zone:222/drone
-      ssh_key:
-        from_secret: drone_deploy_key
+      compose: compose.yml
+      host: tcp://swarm.autonomic.zone:2376
+      stack_name: drone
+      tlsverify: true
+    environment:
+      PLUGIN_CACERT:
+        from_secret: docker_cacert
+      PLUGIN_CERT:
+        from_secret: docker_cert
+      PLUGIN_KEY:
+        from_secret: docker_key
 trigger:
   branch:
     - master
-  event:
-    exclude:
-      - pull_request
diff --git a/.envrc.sample b/.envrc.sample
deleted file mode 100644
index cfe67cc..0000000
--- a/.envrc.sample
+++ /dev/null
@@ -1,2 +0,0 @@
-# The path to our pass credentials store
-export PASSWORD_STORE_DIR=$(pwd)/../infrastructure/credentials/password-store
diff --git a/CHECKS b/CHECKS
deleted file mode 100644
index 6dadd31..0000000
--- a/CHECKS
+++ /dev/null
@@ -1,5 +0,0 @@
-WAIT=3
-TIMEOUT=3
-ATTEMPTS=5
-
-/healthz OK
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index b27b773..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM drone/drone:1
-
-EXPOSE 8042
-
-COPY . ${WORKDIR}
diff --git a/README.md b/README.md
index cf26e85..2f799c5 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,5 @@
-# drone
+# drone.autonomic.zone
 
-[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/drone/status.svg)](https://drone.autonomic.zone/autonomic-cooperative/drone)
-
-> https://drone.io/
+[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/drone.autonomic.zone/status.svg)](https://drone.autonomic.zone/autonomic-cooperative/drone.autonomic.zone)
 
 > https://drone.autonomic.zone
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..0bd48a7
--- /dev/null
+++ b/compose.yml
@@ -0,0 +1,55 @@
+---
+version: "3.8"
+
+services:
+  drone:
+    image: "drone/drone:1.8.0"
+    volumes:
+      - "data:/data"
+    configs:
+      - source: drone_env
+        target: .env
+    secrets:
+      - client_secret
+      - rpc_secret
+    environment:
+      - DRONE_GITEA_CLIENT_ID=5c32ee8c-b4dc-4240-ae68-1ca0562a31fb
+      - DRONE_GITEA_SERVER=https://git.autonomic.zone
+      - DRONE_GIT_ALWAYS_AUTH=true
+      - DRONE_JSONNET_ENABLED=true
+      - DRONE_SERVER_HOST=drone.autonomic.zone
+      - DRONE_SERVER_PORT=:8042
+      - DRONE_SERVER_PROTO=https
+    networks:
+      - proxy
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.drone.rule=Host(`drone.autonomic.zone`)"
+        - "traefik.http.routers.drone.entrypoints=web-secure"
+        - "traefik.http.services.drone.loadbalancer.server.port=8042"
+        - "traefik.http.routers.drone.tls.certresolver=production"
+
+networks:
+  proxy:
+    external: true
+
+configs:
+  drone_env:
+    name: drone_env_v1
+    file: env.tmpl
+    template_driver: golang
+
+secrets:
+  client_secret:
+    name: drone_client_secret_v1
+    external: true
+  rpc_secret:
+    name: drone_rpc_secret_v1
+    external: true
+
+volumes:
+  data:
diff --git a/deploy.d/config.yml b/deploy.d/config.yml
deleted file mode 100644
index 29a6356..0000000
--- a/deploy.d/config.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-vars:
-  port: "8042"
-  domain: "drone.autonomic.zone"
-
-volumes:
-  - /var/lib/drone:/data
-  - /var/run/docker.sock:/var/run/docker.sock
-
-env:
-  DOKKU_LETSENCRYPT_EMAIL: "helo@autonomic.zone"
-  DRONE_GITEA_CLIENT_ID: "{{ vault.gitea_client_id }}"
-  DRONE_GITEA_CLIENT_SECRET: "{{ vault.gitea_client_secret }}"
-  DRONE_GITEA_SERVER: "https://git.autonomic.zone"
-  DRONE_GIT_ALWAYS_AUTH: "true"
-  DRONE_JSONNET_ENABLED: "true"
-  DRONE_RPC_SECRET: "{{ vault.rpc_secret }}"
-  DRONE_SERVER_HOST: "drone.autonomic.zone"
-  DRONE_SERVER_PORT: ":{{ vars.port }}"
-  DRONE_SERVER_PROTO: "https"
-  DRONE_USER_FILTER: "autonomic-cooperative"
diff --git a/deploy.d/plays/predeploy.yml b/deploy.d/plays/predeploy.yml
deleted file mode 100644
index 64fe33e..0000000
--- a/deploy.d/plays/predeploy.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Create drone application directories
-  become: true
-  file:
-    path: /var/lib/drone
-    owner: dokku
-    group: dokku
-    state: directory
diff --git a/deploy.d/vault/gitea_client_id.yml b/deploy.d/vault/gitea_client_id.yml
deleted file mode 100644
index b4111d8..0000000
--- a/deploy.d/vault/gitea_client_id.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-gitea_client_id: !vault |-
-  $ANSIBLE_VAULT;1.1;AES256
-  35306138376630383861373735356235616162353539616430613338363861353066376364383839
-  3235343831306665306233633961666561363534626462650a393130633763353533366165626239
-  37363839356532353161616266316438663535663131653638616634326634363731663064346530
-  6234343661343061360a306365363365383636353664323134373638356566633133303362303536
-  37333665303863313065363435313437643663316532383832366236636332636431643332336333
-  6632633238383535326331333633333634346431313363633533
diff --git a/deploy.d/vault/gitea_client_secret.yml b/deploy.d/vault/gitea_client_secret.yml
deleted file mode 100644
index 1657d4a..0000000
--- a/deploy.d/vault/gitea_client_secret.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-gitea_client_secret: !vault |-
-  $ANSIBLE_VAULT;1.1;AES256
-  37646236326330393131373965643265306530306266663662663333323435396266333334656535
-  3735383234663062336433643131656534333566396230620a623064323464613966643539343838
-  36366432323732373138373337663339323534376464393738383064353262313238323630633365
-  3839376337333264340a616265623136646532373966656438626263353766333861356462613963
-  65303136373037663437316339656537613963383661373435313037643265336161393130393137
-  3334393831346432333236303231353865323563313564656564
diff --git a/deploy.d/vault/rpc_secret.yml b/deploy.d/vault/rpc_secret.yml
deleted file mode 100644
index 5863ea3..0000000
--- a/deploy.d/vault/rpc_secret.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-rpc_secret: !vault |-
-  $ANSIBLE_VAULT;1.1;AES256
-  33633762646539383562636465313530313462343539623138653637383163663733623564353238
-  6239363339346638646333346263616136633565346166610a623632363639323634373133613862
-  63643666353766393032346166636566393332613761633239353238646266633230316133636661
-  6233376133313561380a333431353461613235613762313533636162313033303533623935616165
-  35366565393265353137353736376563613262313064343935373630643466336361333738353537
-  3563376134313361336330316162393564653630623238383832
diff --git a/env.tmpl b/env.tmpl
new file mode 100644
index 0000000..0c05b22
--- /dev/null
+++ b/env.tmpl
@@ -0,0 +1,2 @@
+DRONE_GITEA_CLIENT_SECRET={{ secret "client_secret" }}
+DRONE_RPC_SECRET={{ secret "rpc_secret" }}