diff --git a/.drone.yml b/.drone.yml
index e69de29..9359bdb 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,19 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+ - name: deployment
+ image: decentral1se/stack-ssh-deploy:latest
+ settings:
+ host: swarm-test.autonomic.zone
+ stack: ${REPO_NAME_SNAKE}
+ purge: true
+ deploy_key:
+ from_secret: drone_ssh_swarm_test
+ environment:
+ DOMAIN: ${REPO_NAME_KEBAB}.swarm-test.autonomic.zone
+ STACK_NAME: ${REPO_NAME_SNAKE}
+ LETS_ENCRYPT_ENV: production
+trigger:
+ branch:
+ - main
diff --git a/.env.sample b/.env.sample
index 3c63f17..31eb43f 100644
--- a/.env.sample
+++ b/.env.sample
@@ -33,3 +33,11 @@ PENPOT_SMTP_DEFAULT_REPLY_TO=penpot@example.com
 #PENPOT_SMTP_PASSWORD=password
 #PENPOT_SMTP_TLS=true
 #PENPOT_SMTP_SSL=false
+
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_SMTP_PASSWORD_VERSION=v1
+
+#PENPOT_OIDC_BASE_URI=
+#PENPOT_OIDC_CLIENT_ID=
+#PENPOT_OIDC_CLIENT_SECRET=
+#SECRET_OIDC_CLIENT_SECRET_VERSION=v1
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..37b52cc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.envrc
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..e83010c
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1,2 @@
+export APP_ENTRYPOINT_CONF_VERSION=v1
+export BACKEND_ENTRYPOINT_CONF_VERSION=v3
diff --git a/compose.oidc.yml b/compose.oidc.yml
new file mode 100644
index 0000000..7700cab
--- /dev/null
+++ b/compose.oidc.yml
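Review bot: The `trigger:` in `.drone.yml` filters only on `branch: main`, so a pull_request event targeting main also matches and the deployment step runs for builds of unreviewed PR branches; whether `drone_ssh_swarm_test` is handed to such builds depends on the secret's pull-request setting on the Drone server, which I can't see from here. Restrict the pipeline to pushes by adding `event:` / `  - push` under `trigger:`. A one-line comment on `purge: true` stating what the plugin removes on the target swarm would also help, since the plugin's semantics aren't visible in this repository.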
@@ -0,0 +1,23 @@
+---
+version: "3.8"
+
+services:
+ app:
+ environment:
+ # - PENPOT_OIDC_CLIENT_ID
+ - PENPOT_GITHUB_CLIENT_ID=af6c1b2e4709ede26aa8
+ penpot-backend:
+ environment:
+ # - PENPOT_OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
+ # - PENPOT_OIDC_CLIENT_ID
+ # - PENPOT_OIDC_BASE_URI
+ # - PENPOT_OIDC_CLIENT_SECRET=cdbafaf5-eec7-424d-8449-4393481cba2a
+ - PENPOT_GITHUB_CLIENT_ID=af6c1b2e4709ede26aa8
+ - PENPOT_GITHUB_CLIENT_SECRET=a4faabb76fb5e1916328498af202fe85a81873fd
+ secrets:
+ - oidc_client_secret
+
+secrets:
+ oidc_client_secret:
+ external: true
+ name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
diff --git a/compose.smtpauth.yml b/compose.smtpauth.yml
new file mode 100644
index 0000000..5495ed0
--- /dev/null
+++ b/compose.smtpauth.yml
@@ -0,0 +1,19 @@
+---
+version: "3.8"
+
+services:
+ app:
+ environment:
+ - PENPOT_SMTP_PASSWORD_FILE=/var/run/secrets/smtp_password
+ secrets:
+ - smtp_password
+ penpot-backend:
+ environment:
+ - PENPOT_SMTP_PASSWORD_FILE=/var/run/secrets/smtp_password
+ secrets:
+ - smtp_password
+
+secrets:
+ smtp_password:
+ external: true
+ name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
diff --git a/compose.yml b/compose.yml
index a0b4425..1428b94 100644
--- a/compose.yml
+++ b/compose.yml
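Review bot: `compose.oidc.yml` commits a GitHub OAuth client secret in clear text on the `PENPOT_GITHUB_CLIENT_SECRET=` line (and a second secret-looking value in the commented-out `PENPOT_OIDC_CLIENT_SECRET=` line), while the `oidc_client_secret` Docker secret it mounts into penpot-backend is never consumed because the `_FILE` line is commented out. Any value that has been pushed has to be treated as disclosed and rotated at the provider; the replacement belongs in the external secret, read through `- PENPOT_GITHUB_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret`, which the `file_env` in the new entrypoint-backend.sh already resolves. The `app` service only needs the client ID, so the ID on its side can stay. Note also that `.env.sample` ships `SECRET_OIDC_CLIENT_SECRET_VERSION` commented out, so the secret `name:` here expands with an empty suffix unless the operator uncomments it; a comment at the top of this file saying which `.env` keys it requires would prevent that.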
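Review bot: `compose.smtpauth.yml` points `PENPOT_SMTP_PASSWORD_FILE` at `/var/run/secrets/smtp_password`, whereas compose.yml and compose.oidc.yml use `/run/secrets/...`; Swarm mounts secrets under `/run/secrets`, and reaching them through a `/var/run` symlink only works on images that provide it. Use `- PENPOT_SMTP_PASSWORD_FILE=/run/secrets/smtp_password` on both services. Separately, the `app` (frontend) service is also handed the SMTP password; unless the frontend image actually reads it, which I can't confirm from here, dropping that `environment`/`secrets` pair from `app` keeps the credential in the backend container only.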
@@ -1,7 +1,27 @@
 version: "3.8"
+
+x-environment:
+ &default-env
+ - PENPOT_PUBLIC_URI=https://{domain}
+ - PENPOT_DATABASE_URI=postgresql://postgres/penpot
+ - PENPOT_DATABASE_USERNAME=penpot
+ - PENPOT_DATABASE_PASSWORD_FILE=/run/secrets/db_password
+ - PENPOT_REDIS_URI=redis://redis/0
+ - PENPOT_STORAGE_BACKEND
+ - PENPOT_STORAGE_FS_DIRECTORY=/opt/data/assets
+ - PENPOT_TELEMETRY_ENABLED
+ - PENPOT_SMTP_ENABLED
+ - PENPOT_SMTP_DEFAULT_FROM
+ - PENPOT_SMTP_DEFAULT_REPLY_TO
+ - PENPOT_SMTP_HOST
+ - PENPOT_SMTP_PORT
+ - PENPOT_SMTP_USERNAME
+ - PENPOT_SMTP_TLS
+ - PENPOT_SMTP_SSL
+
 services:
 app:
- image: "penpotapp/frontend:1.6.5-alpha"
+ image: "penpotapp/frontend:1.7.1-alpha"
 networks:
 - proxy
 - backend
@@ -10,6 +30,14 @@ services:
 depends_on:
 - penpot-backend
 - penpot-exporter
+ environment: *default-env
+ entrypoint: /entrypoint.override.sh
+ secrets:
+ - db_password
+ configs:
+ - source: app_entrypoint
+ target: /entrypoint.override.sh
+ mode: 0555
 deploy:
 restart_policy:
 condition: on-failure
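Review bot: The `x-environment` list mixes `KEY=value` entries with bare names (`PENPOT_STORAGE_BACKEND`, `PENPOT_SMTP_*`) without saying where the bare ones come from; in Compose a bare name is passed through from the deployer's environment, and a reader who doesn't know that will assume they are unset. A comment above the anchor such as `# bare names are inherited from the deploy environment (.env); see .env.sample` would close that gap. `PENPOT_PUBLIC_URI=https://{domain}` is carried over from the old list and still differs from the `${DOMAIN}` form used in the traefik labels; if `{domain}` is substituted by the deployment tooling that is fine, but it is worth a comment, since otherwise it is a literal string.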
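Review bot: The `app` service (the nginx frontend) now mounts `db_password` under `secrets:` and, via `environment: *default-env`, receives `PENPOT_DATABASE_PASSWORD_FILE`, which the new entrypoint-app.sh then exports as `PENPOT_DATABASE_PASSWORD` into nginx's environment. Unless the frontend image reads database settings, which I can't confirm from here, the database credential should not be present in that container at all: drop `- db_password` from `app.secrets` and give `app` an environment list without the `PENPOT_DATABASE_*` entries instead of the shared anchor. The file's `services:` mapping continues outside this hunk.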
@@ -25,30 +53,20 @@ services:
 - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 - coop-cloud.${STACK_NAME}.app.version=1.4.0-alpha-5d926f43
 penpot-backend:
- image: "penpotapp/backend:1.6.5-alpha"
+ image: "penpotapp/backend:1.7.1-alpha"
 volumes:
 - penpot_assets:/opt/data
 depends_on:
 - postgres
 - redis
- environment:
- - PENPOT_PUBLIC_URI=https://{domain}
- - PENPOT_DATABASE_URI=postgresql://postgres/penpot
- - PENPOT_DATABASE_USERNAME=penpot
- - PENPOT_DATABASE_PASSWORD=penpot
- - PENPOT_REDIS_URI=redis://redis/0
- - PENPOT_STORAGE_BACKEND=${PENPOT_STORAGE_BACKEND}
- - PENPOT_STORAGE_FS_DIRECTORY=/opt/data/assets
- - PENPOT_TELEMETRY_ENABLED=${PENPOT_TELEMETRY_ENABLED}
- - PENPOT_SMTP_ENABLED=${PENPOT_SMTP_ENABLED}
- - PENPOT_SMTP_DEFAULT_FROM=${PENPOT_SMTP_DEFAULT_FROM}
- - PENPOT_SMTP_DEFAULT_REPLY_TO=${PENPOT_SMTP_DEFAULT_REPLY_TO}
- - PENPOT_SMTP_HOST=${PENPOT_SMTP_HOST}
- - PENPOT_SMTP_PORT=${PENPOT_SMTP_PORT}
- - PENPOT_SMTP_USERNAME=${PENPOT_SMTP_USERNAME}
- - PENPOT_SMTP_PASSWORD=${PENPOT_SMTP_PASSWORD}
- - PENPOT_SMTP_TLS=${PENPOT_SMTP_TLS}
- - PENPOT_SMTP_SSL=${PENPOT_SMTP_SSL}
+ environment: *default-env
+ secrets:
+ - db_password
+ configs:
+ - source: backend_entrypoint
+ target: /docker-entrypoint.sh
+ mode: 0555
+ entrypoint: /docker-entrypoint.sh
 networks:
 - backend
 # FIXME 3wc: this is only required for email
@@ -57,7 +75,7 @@ services:
 labels:
 - coop-cloud.${STACK_NAME}.penpot-backend.version=1.4.0-alpha-
 penpot-exporter:
- image: "penpotapp/exporter:1.6.5-alpha"
+ image: "penpotapp/exporter:1.7.1-alpha"
 environment:
 # Don't touch it; this uses internal docker network to
 # communicate with the frontend.
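Review bot: With `environment: *default-env` the backend no longer receives `PENPOT_SMTP_PASSWORD` from the deploy environment (the removed `PENPOT_SMTP_PASSWORD=${PENPOT_SMTP_PASSWORD}` line had no counterpart in the anchor), so the `#PENPOT_SMTP_PASSWORD=password` entry that `.env.sample` still shows is now dead: uncommenting it has no effect, and SMTP authentication only works through compose.smtpauth.yml. That is a reasonable design, but it needs to be written down where operators look, e.g. replace the sample line with `# SMTP password is supplied as a Docker secret; see compose.smtpauth.yml` and add the same note above `x-environment`. The version labels (`app.version=1.4.0-alpha-5d926f43`, `penpot-backend.version=1.4.0-alpha-`) are context here and still reference an older version than the 1.7.1-alpha images; if they are meant to track the image tag, they should be bumped in the same commit.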
@@ -70,11 +88,13 @@ services:
 postgres:
 image: "postgres:13"
 stop_signal: SIGINT
+ secrets:
+ - db_password
 environment:
 - POSTGRES_INITDB_ARGS=--data-checksums
 - POSTGRES_DB=penpot
 - POSTGRES_USER=penpot
- - POSTGRES_PASSWORD=penpot
+ - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
 volumes:
 - postgres:/var/lib/postgresql/data
 networks:
@@ -89,10 +109,25 @@ services:
 deploy:
 labels:
 - coop-cloud.${STACK_NAME}.redis.version=6-e10f55f9
+
 networks:
 proxy:
 external: true
 backend:
+
 volumes:
 postgres:
 penpot_assets:
+
+configs:
+ app_entrypoint:
+ name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_CONF_VERSION}
+ file: entrypoint-app.sh
+ backend_entrypoint:
+ name: ${STACK_NAME}_backend_entrypoint_${BACKEND_ENTRYPOINT_CONF_VERSION}
+ file: entrypoint-backend.sh
+
+secrets:
+ db_password:
+ external: true
+ name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
diff --git a/entrypoint-app.sh b/entrypoint-app.sh
new file mode 100644
index 0000000..a4470a3
--- /dev/null
+++ b/entrypoint-app.sh
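Review bot: `POSTGRES_PASSWORD_FILE=/run/secrets/db_password` is only consulted by the postgres image when the data directory is initialised, so an existing `postgres` volume created under the previous `POSTGRES_PASSWORD=penpot` keeps the old role password while the backend now authenticates with whatever `db_password` holds; on an in-place upgrade the backend fails to connect unless the secret equals the old value or the role password is changed inside the database. This deserves a migration note next to the `db_password` secret declaration, e.g. `# existing deployments: the penpot role password must be updated to match this secret before upgrading`. The hard-coded `penpot` fallback that used to be here is gone, which is the right direction, but the `SECRET_DB_PASSWORD_VERSION` default of `v1` in `.env.sample` should be explained as the secret's rotation counter so operators know to bump it rather than edit the secret in place.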
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+file_env() {
+ # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+ https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+load_vars() {
+ file_env "PENPOT_DATABASE_PASSWORD"
+ file_env "PENPOT_SMTP_PASSWORD"
+ file_env "PENPOT_LDAP_BIND_PASSWORD"
+ file_env "PENPOT_GOOGLE_CLIENT_SECRET"
+ file_env "PENPOT_GITHUB_CLIENT_SECRET"
+ file_env "PENPOT_GITLAB_CLIENT_SECRET"
+ file_env "PENPOT_OIDC_CLIENT_SECRET"
+}
+
+main() {
+ set -eu
+
+ load_vars
+}
+
+main
+
+# 3wc: upstream ENTRYPOINT
+# https://github.com/penpot/penpot/blob/develop/docker/images/Dockerfile.frontend
+/docker-entrypoint.sh nginx -g "daemon off;"
diff --git a/entrypoint-backend.sh b/entrypoint-backend.sh
new file mode 100644
index 0000000..0c147ee
--- /dev/null
+++ b/entrypoint-backend.sh
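Review bot: The last line of entrypoint-app.sh runs the upstream entrypoint as a child process, so this bash wrapper stays PID 1, `docker stop`'s SIGTERM is delivered to bash rather than nginx, and the container is only torn down when the grace period expires; it should hand over the process with `exec /docker-entrypoint.sh nginx -g "daemon off;"`. The same applies to the final `./run.sh` in entrypoint-backend.sh. As shown here, the URL continuation line under the `# 3wc: Load $VAR_FILE` comment has no leading `#`; if that is not an extraction artifact, bash will try to execute it as a command the first time `file_env` runs and `set -e` will abort the container, so it needs `# ` in front. Note too that `file_env` leaves every resolved secret in the exported environment of the long-running server process, which is the trade-off of this pattern and worth one sentence in the comment above `load_vars`.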
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+file_env() {
+ # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+ https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+load_vars() {
+ file_env "PENPOT_DATABASE_PASSWORD"
+ file_env "PENPOT_SMTP_PASSWORD"
+ file_env "PENPOT_LDAP_BIND_PASSWORD"
+ file_env "PENPOT_GOOGLE_CLIENT_SECRET"
+ file_env "PENPOT_GITHUB_CLIENT_SECRET"
+ file_env "PENPOT_GITLAB_CLIENT_SECRET"
+ file_env "PENPOT_OIDC_CLIENT_SECRET"
+}
+
+main() {
+ set -eu
+
+ load_vars
+}
+
+main
+
+# 3wc: upstream ENTRYPOINT
+# https://github.com/penpot/penpot/blob/develop/docker/images/Dockerfile.backend
+./run.sh
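Review bot: entrypoint-backend.sh ends in `./run.sh`, a path relative to whatever working directory the pinned `penpotapp/backend:1.7.1-alpha` image sets, while the comment above it links the upstream Dockerfile on `develop`; when the image is bumped the override keeps running the old assumptions silently. Pin the comment to the revision this wrapper was copied from, e.g. `# 3wc: upstream ENTRYPOINT as of penpotapp/backend:1.7.1-alpha; re-check on every image bump`, and consider an absolute path if the image's WORKDIR is known (I can't confirm it from here). `file_env` and `load_vars` are byte-for-byte duplicates of entrypoint-app.sh, so a comment in both files saying they must be kept in sync (or a shared config mounted into both containers) would prevent the two from drifting.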