diff --git a/compose.yml b/compose.yml
index 6d66f06..f262a58 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,23 +1,23 @@
 ---
 version: "3.8"
 
-# Note(decentral1se): outstanding tickets for swarm integration
-# https://discourse.drone.io/t/can-drone-drone-image-support-file-for-env-var-secrets/7522
-
 services:
   drone:
     image: "drone/drone:1.8.0"
+    command:
+      - "--env-file /data/drone.conf"
     volumes:
       - "data:/data"
+    configs:
+      - source: drone_conf
+        target: /data/drone.conf
     environment:
       - DRONE_GITEA_CLIENT_ID: "${GITEA_CLIENT_ID}"
-      - DRONE_GITEA_CLIENT_SECRET: "${GITEA_CLIENT_SECRET}"
       - DRONE_GITEA_SERVER: "https://${GITEA_DOMAIN}"
       - DRONE_GIT_ALWAYS_AUTH: "true"
       - DRONE_JSONNET_ENABLED: "true"
-      - DRONE_RPC_SECRET: "${RPC_SECRET}"
       - DRONE_SERVER_HOST: "${DOMAIN}"
-      - DRONE_SERVER_PORT: ":8042"
+      - DRONE_SERVER_PORT: ":${PORT:8042}"
       - DRONE_SERVER_PROTO: "https"
     networks:
       - proxy
@@ -28,8 +28,14 @@ services:
         - "traefik.enable=true"
         - "traefik.http.routers.drone.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.drone.entrypoints=web-secure"
-        - "traefik.http.services.drone.loadbalancer.server.port=8042"
+        - "traefik.http.services.drone.loadbalancer.server.port=${PORT:8042}"
         - "traefik.http.routers.drone.tls.certresolver=${LETS_ENCRYPT_ENV}"
 
+configs:
+  drone_conf:
+    name: ${STACK_NAME}_drone_conf_${DRONE_CONF_VERSION}
+    file: drone.conf.tmpl
+    template_driver: golang
+
 volumes:
   data:
diff --git a/drone.conf.tmpl b/drone.conf.tmpl
new file mode 100644
index 0000000..0c05b22
--- /dev/null
+++ b/drone.conf.tmpl
@@ -0,0 +1,2 @@
+DRONE_GITEA_CLIENT_SECRET={{ secret "client_secret" }}
+DRONE_RPC_SECRET={{ secret "rpc_secret" }}