diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..98c41d7
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,23 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: decentral1se/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: drone-docker-runner
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      generate_secrets: true
+      purge: true
+    environment:
+      DOMAIN: drone-docker-runner.swarm-test.autonomic.zone
+      STACK_NAME: drone-docker-runner
+      LETS_ENCRYPT_ENV: production
+      DRONE_RPC_HOST=drone-test.autonomic.zone
+      ENV_VERSION: v1
+      RPC_SECRET_VERSION: v1
+trigger:
+  branch:
+    - master
diff --git a/README.md b/README.md
index ef69ee5..6b2b4a2 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
 # drone-docker-runner
 
-> https://docs.drone.io/runner/docker/overview/
+[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/drone-docker-runner/status.svg)](https://drone.autonomic.zone/coop-cloud/drone-docker-runner)
diff --git a/compose.yml b/compose.yml
index 6fc3ccf..30d7ae2 100644
--- a/compose.yml
+++ b/compose.yml
@@ -6,21 +6,50 @@ services:
     image: "drone/drone-runner-docker:1.5"
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock"
+    configs:
+      - source: drone_runner_env
+        target: .env
+    secrets:
+      - rpc_secret
     environment:
-      - DRONE_RPC_HOST: "${DOMAIN}"
-      - DRONE_RPC_PROTO: "https"
-      - DRONE_RPC_SECRET: "${RPC_SECRET}"
-      - DRONE_RUNNER_CAPACITY: "4"
-      - DRONE_RUNNER_NAME: "drone-docker-runner"
-      - DRONE_RUNNER_VOLUMES: "/var/run/docker.sock:/var/run/docker.sock"
+      - DRONE_RPC_HOST=${DRONE_RPC_HOST}
+      - DRONE_RPC_PROTO=https
+      - DRONE_RUNNER_CAPACITY=4
+      - DRONE_RUNNER_NAME=drone-docker-runner
+      - DRONE_RUNNER_VOLUMES=/var/run/docker.sock:/var/run/docker.sock
     networks:
       - proxy
+    healthcheck:
+      test: ["CMD", "wget", "-qO", "-", "http://localhost:3000/healthz"]
+      interval: 10s
+      timeout: 10s
+      retries: 10
+      start_period: 10s
     deploy:
       update_config:
         failure_action: rollback
+        order: start-first
       labels:
         - "traefik.enable=true"
         - "traefik.http.routers.drone-docker-runner.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.drone-docker-runner.entrypoints=web-secure"
         - "traefik.http.services.drone-docker-runner.loadbalancer.server.port=3000"
         - "traefik.http.routers.drone-docker-runner.tls.certresolver=${LETS_ENCRYPT_ENV}"
+
+networks:
+  proxy:
+    external: true
+
+configs:
+  drone_runner_env:
+    name: ${STACK_NAME}_env_${ENV_VERSION}
+    file: env.tmpl
+    template_driver: golang
+
+secrets:
+  rpc_secret:
+    name: ${STACK_NAME}_rpc_secret_${RPC_SECRET_VERSION}
+    external: true
+
+volumes:
+  data:
diff --git a/env.tmpl b/env.tmpl
new file mode 100644
index 0000000..f234e1a
--- /dev/null
+++ b/env.tmpl
@@ -0,0 +1 @@
+DRONE_RPC_SECRET={{ secret "rpc_secret" }}