diff --git a/.env.sample b/.env.sample
index 3e67bc6..f6d6853 100644
--- a/.env.sample
+++ b/.env.sample
@@ -6,3 +6,7 @@ DOMAIN=xwiki.example.com
 #EXTRA_DOMAINS=', `www.xwiki.example.com`'
 
 LETS_ENCRYPT_ENV=production
+
+SECRET_DB_USERNAME_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
diff --git a/compose.yml b/compose.yml
index a2c3805..091e150 100644
--- a/compose.yml
+++ b/compose.yml
@@ -3,7 +3,17 @@ version: "3.8"
 
 services:
   app:
-    image: nginx:1.20.0
+    image: "xwiki:stable-mysql-tomcat"
+    environment:
+      - DB_USER_FILE=/run/secrets/db_username
+      - DB_PASSWORD_FILE=/run/secrets/db_password
+      - DB_DATABASE=xwiki
+      - DB_HOST=db
+    volumes:
+      - xwiki-data:/usr/local/xwiki
+    secrets:
+      - db_username
+      - db_password
     networks:
       - proxy
     deploy:
@@ -11,7 +21,7 @@ services:
         condition: on-failure
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
@@ -26,7 +36,37 @@ services:
       timeout: 10s
       retries: 10
       start_period: 1m
+    db:
+      image: "mysql:9.1"
+      volumes:
+        - mysql-data:/var/lib/mysql
+      environment:
+        - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+        - MYSQL_USER_FILE=/run/secrets/db_username
+        - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+        - MYSQL_DATABASE=xwiki
+      command:
+        - "--character-set-server=utf8mb4"
+        - "--collation-server=utf8mb4_bin"
+        - "--explicit-defaults-for-timestamp=1"
+      secrets:
+        - db_username
+        - db_password
+        - db_root_password
 
 networks:
   proxy:
     external: true
+volumes:
+  mysql-data:
+  xwiki-data:
+secrets:
+  db_username:
+    name: ${STACK_NAME}_db_username_${SECRET_DB_USERNAME_VERSION}
+    external: true
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+  db_root_password:
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    external: true