diff --git a/.drone.yml b/.drone.yml
index e69de29..648c3a7 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,42 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+ - name: deployment
+ image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+ settings:
+ host: swarm-test.autonomic.zone
+ stack: renovate
+ purge: true
+ deploy_key:
+ from_secret: drone_ssh_swarm_test
+ networks:
+ - proxy
+ environment:
+ STACK_NAME: renovate
+ CRON_SCHEDULE: '*/1 * * * *'
+ RENOVATE_ENDPOINT: https://git.coopcloud.tech/api/v1/
+ RENOVATE_REPOSITORIES: coop-cloud/renovate
+ RENOVATE_DRY_RUN: "extract"
+ SECRET_RENOVATE_TOKEN_VERSION: v1
+ APP_ENTRYPOINT_VERSION: v1
+ # TODO: Set a valid token so it can execute once against this repo.
+trigger:
+ branch:
+ - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+ - name: release a new version
+ image: plugins/downstream
+ settings:
+ server: https://build.coopcloud.tech
+ token:
+ from_secret: drone_abra-bot_token
+ fork: true
+ repositories:
+ - toolshed/auto-recipes-catalogue-json
+
+trigger:
+ event: tag
diff --git a/.env.sample b/.env.sample
new file mode 100644
index 0000000..6f3d185
--- /dev/null
+++ b/.env.sample
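Review bot: Both pipeline steps pull mutable image references, `stack-ssh-deploy:latest` in the deployment step and an untagged `plugins/downstream` in the release step, while being handed `drone_ssh_swarm_test` and `drone_abra-bot_token`, so whatever is next published under those names runs with the deploy key or the bot token. Pin each to a reviewed version or digest, e.g. `image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:<reviewed-tag>@sha256:<digest>`. The same applies to `image: "renovate/renovate:full"` in the compose.yml hunk, which runs with the forge token. Separately, the first pipeline's `trigger` filters on branch only; if deploys on pull requests targeting main are not intended, add an `event: [push]` entry next to `branch`.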
@@ -0,0 +1,36 @@
+TYPE=renovate
+
+COMPOSE_FILE="compose.yml"
+
+CRON_SCHEDULE='30 */1 * * *'
+
+## See https://docs.renovatebot.com/self-hosted-configuration/
+## This example is for Gitea
+RENOVATE_ENDPOINT="https://gitea.example.com/api/v1/"
+RENOVATE_GIT_AUTHOR="Renovate Bot "
+RENOVATE_PLATFORM="gitea"
+
+## Secrets - only RENOVATE_TOKEN is required for writing to your git forge.
+## The github token is recommended to fetch changelogs.
+## Other secrets may be needed to access private packages: https://docs.renovatebot.com/getting-started/private-packages/
+SECRET_RENOVATE_TOKEN_VERSION=v1 # generate=false
+# COMPOSE_FILE="$COMPOSE_FILE:compose.gh-token.yml"
+# SECRET_GITHUB_COM_TOKEN_VERSION=v1 # generate=false
+# COMPOSE_FILE="$COMPOSE_FILE:compose.npm-token.yml"
+# SECRET_RENOVATE_NPM_TOKEN_VERSION=v1 # generate=false
+
+## This controls the contents of the initial renovate.json file created in onboarding PRs.
+RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
+
+## Autodiscover repos
+#RENOVATE_AUTODISCOVER="true"
+#RENOVATE_AUTODISCOVER_FILTER="my-org/*,my-org2/*"
+
+## If not using autodiscover, you can supply a comma-separated list of repos.
+## Ex: "coop-cloud/renovate,coop-cloud/keycloak"
+RENOVATE_REPOSITORIES=""
+
+## Here's how to set assignees for pull requests. You can also configure this in each repo's renovate.json.
+#RENOVATE_ASSIGNEES="example-user1,example-user2"
+## Or you could do this to set different assignees per path:
+#RENOVATE_ASSIGNEES_FROM_CODE_OWNERS=true
diff --git a/README.md b/README.md
index 41b2bb7..321bd36 100644
--- a/README.md
+++ b/README.md
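Review bot: The commented npm line sets `SECRET_RENOVATE_NPM_TOKEN_VERSION`, but compose.npm-token.yml interpolates `${SECRET_NPM_TOKEN_VERSION}` and entrypoint.sh.tmpl tests `env "SECRET_NPM_TOKEN_VERSION"`, so an operator who uncomments the sample as written gets an empty version suffix in the secret name and the npm token branch is skipped. Use one name in all three files, e.g. `# SECRET_NPM_TOKEN_VERSION=v1 # generate=false` here. It would also help to add a comment above `#RENOVATE_AUTODISCOVER="true"` along the lines of `## Keep RENOVATE_AUTODISCOVER_FILTER set when enabling this; without a filter every repository the token can access is processed.`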
@@ -1,16 +1,32 @@ # renovate -> https://renovate.whitesourcesoftware.com +> Automated dependency updates. Multi-platform and multi-language. * **Category**: Utilities -* **Status**: -* **Image**: -* **Healthcheck**: -* **Backups**: -* **Email**: -* **Tests**: -* **SSO**: +* **Status**: 3 +* **Image**: [`renovate/renovate`](https://hub.docker.com/r/renovate/renovate), 4, upstream +* **Healthcheck**: n/a +* **Backups**: n/a +* **Email**: n/a +* **Tests**: 2 +* **SSO**: n/a + +## Quick start + +1. First deploy [swarm-cronjob](https://recipes.coopcloud.tech/swarm-cronjob) +2. Obtain an API token for your target git forge. For example, here are the [docs for Gitea/Forgejo](https://docs.renovatebot.com/modules/platform/forgejo/). +3. Renovate also recommends [obtaining a github.com token](https://docs.renovatebot.com/mend-hosted/github-com-token/) to fetch changelogs and to avoid rate limits. If your target git forge is github, this can technically be the same token as in step 1. +4. `abra app new renovate` +5. `abra app config ` (point it to your git forge and enable any optional secrets) +6. Set the tokens obtained in steps 2 and 3: `abra app secret insert renovate_token v1` +7. `abra app deploy ` + +This recipe runs Renovate as a cronjob every hour (configurable via `CRON_SCHEDULE`) to check for dependency updates in a target set of git repositories. If it discovers a dependency that needs updating, it will create a pull request to update it. + +You can configure how Renovate behaves with a `renovate.json` file in each target repo. Renovate will not run on a repo unless this file exists. By default, Renovate will attempt to "[onboard](https://docs.renovatebot.com/self-hosted-configuration/#onboarding)" any new repo by creating a pull request to create the `renovate.json` file. + +For more information please refer to the [Renovate documentation](https://docs.renovatebot.com/). diff --git a/abra.sh b/abra.sh new file mode 100755 index 0000000..7c5fe57 --- /dev/null 
+++ b/abra.sh
@@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v1
diff --git a/compose.gh-token.yml b/compose.gh-token.yml
new file mode 100644
index 0000000..d7b34cf
--- /dev/null
+++ b/compose.gh-token.yml
@@ -0,0 +1,11 @@
+services:
+ app:
+ secrets:
+ - renovate_github_com_token
+ environment:
+ - RENOVATE_GITHUB_COM_TOKEN_FILE=/run/secrets/renovate_github_com_token
+
+secrets:
+ renovate_github_com_token:
+ name: ${STACK_NAME}_renovate_github_com_token_${SECRET_GITHUB_COM_TOKEN_VERSION}
+ external: true
diff --git a/compose.npm-token.yml b/compose.npm-token.yml
new file mode 100644
index 0000000..047e0ec
--- /dev/null
+++ b/compose.npm-token.yml
@@ -0,0 +1,11 @@
+services:
+ app:
+ secrets:
+ - renovate_npm_token
+ environment:
+ - RENOVATE_NPM_TOKEN_FILE=/run/secrets/renovate_npm_token
+
+secrets:
+ renovate_npm_token:
+ name: ${STACK_NAME}_renovate_npm_token_${SECRET_NPM_TOKEN_VERSION}
+ external: true
diff --git a/compose.yml b/compose.yml
index a54a4ea..ed09237 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,34 +1,34 @@ ---- -version: "3.8" - services: app: - image: "renovate/renovate:slim" - configs: - - source: config_js - target: /usr/src/app/config.js - secrets: - - api_token + # Use "full" since the non-full version installs tools at runtime + image: "renovate/renovate:full" healthcheck: disable: true - volumes: - - "/var/run/docker.sock:/var/run/docker.sock" deploy: mode: replicated replicas: 0 labels: - "swarm.cronjob.enable=true" - - "swarm.cronjob.schedule=*/1 * * * *" + - "swarm.cronjob.schedule=${CRON_SCHEDULE}" restart_policy: condition: none - -configs: - config_js: - name: config_js_v1 - file: config.js.tmpl - template_driver: golang + environment: + - RENOVATE_TOKEN_FILE=/run/secrets/renovate_token + secrets: + - renovate_token + configs: + - source: app_entrypoint + target: /docker-entrypoint.sh + mode: 0555 + entrypoint: /docker-entrypoint.sh secrets: - api_token: - name: api_token_v1 + renovate_token: + name: ${STACK_NAME}_renovate_token_${SECRET_RENOVATE_TOKEN_VERSION} external: true + +configs: + app_entrypoint: + name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION} + file: entrypoint.sh.tmpl + template_driver: golang diff --git a/config.js.tmpl b/config.js.tmpl deleted file mode 100644 index a96fc56..0000000 --- a/config.js.tmpl +++ /dev/null @@ -1,15 +0,0 @@ -module.exports = { - endpoint: "https://TODO.com/api/v1/", - token: "{{ secret "api-token" }}", - platform: "gitea", - logLevel: "error", - unicodeEmoji: false, - onboarding: true, - assignees: [], - labels: ["renovate", "dependencies", "automated"], - onboardingConfig: { - extends: ["config:base"], - }, - repositories: [ - ] -}; diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl new file mode 100644 index 0000000..96c205f --- /dev/null +++ b/entrypoint.sh.tmpl 
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+# Inspiration: https://git.coopcloud.tech/coop-cloud/peertube/src/branch/main/entrypoint.sh.tmpl
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "RENOVATE_TOKEN"
+
+{{ if not (eq (env "SECRET_GITHUB_COM_TOKEN_VERSION") "") }}
+file_env "RENOVATE_GITHUB_COM_TOKEN"
+{{ end }}
+
+{{ if not (eq (env "SECRET_NPM_TOKEN_VERSION") "") }}
+file_env "RENOVATE_NPM_TOKEN"
+{{ end }}
+
+/usr/local/sbin/renovate-entrypoint.sh "$@"
diff --git a/release/.git-keep-me b/release/.git-keep-me
new file mode 100644
index 0000000..e69de29
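Review bot: The two `{{ if not (eq (env "SECRET_…_VERSION") "") }}` guards test variables that none of the visible compose files place in the service's `environment:` (only the `RENOVATE_*_TOKEN_FILE` paths are set there), so if the template driver's `env` reads the container environment these branches render empty and the optional tokens are never exported; this should be confirmed on a deployed stack. A runtime check on the variable the overlay does set avoids the dependency, e.g. `[ -z "${RENOVATE_GITHUB_COM_TOKEN_FILE:-}" ] || file_env "RENOVATE_GITHUB_COM_TOKEN"`, and likewise for the npm token. The last line would also be better as `exec /usr/local/sbin/renovate-entrypoint.sh "$@"`, so the wrapper shell does not sit between the container runtime and Renovate when stop signals are delivered.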