diff --git a/.env.sample b/.env.sample
index 5df1894..30e2966 100644
--- a/.env.sample
+++ b/.env.sample
@@ -5,4 +5,7 @@ DOMAIN=uptime-kuma.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.uptime-kuma.example.com`'
 
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+
 LETS_ENCRYPT_ENV=production
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..7c5fe57
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 97da4af..c7fd47b 100644
--- a/compose.yml
+++ b/compose.yml
@@ -3,12 +3,25 @@ version: "3.8"
 
 services:
   app:
-    image: louislam/uptime-kuma:1.23.11-alpine
+    image: louislam/uptime-kuma:1.23.11
     volumes:
       - data:/app/data
-      - db:/app/db
     networks:
+      - internal
       - proxy
+    environment:
+      - UPTIME_KUMA_GH_REPO=louislam:uptime-kuma
+      - UPTIME_KUMA_DB_TYPE=mariadb
+      - UPTIME_KUMA_DB_HOSTNAME=db
+      - UPTIME_KUMA_DB_PORT=3306
+      - UPTIME_KUMA_DB_NAME=kuma
+      - UPTIME_KUMA_DB_USERNAME=kuma
+      - UPTIME_KUMA_DB_PASSWORD_FILE=/run/secrets/db_password
+    configs:
+      - source: app_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
     deploy:
       update_config:
         failure_action: rollback
@@ -30,11 +43,40 @@ services:
       timeout: 10s 
       retries: 5 
       start_period: 2m
+  db:
+    image: mariadb:10.8
+    environment:
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - MYSQL_USER=kuma
+      - MYSQL_DATABASE=kuma
+    volumes:
+      - mariadb:/var/lib/mysql
+    networks:
+      - internal
+    secrets:
+      - db_password
+      - db_root_password
 
 volumes:
+  mariadb:
   data:
-  db:
 
 networks:
   proxy:
     external: true
+  internal:
+
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${DB_PASSWORD_VERSION}
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..dd0a3a0
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,32 @@
+
+#!/bin/bash
+
+set -e
+
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "UPTIME_KUMA_DB_PASSWORD"
+
+# upstream startup command
+cd /app
+node server/server.js