diff --git a/.env.sample b/.env.sample index 35275a7..1204d00 100644 --- a/.env.sample +++ b/.env.sample @@ -6,3 +6,13 @@ DOMAIN=rallly.example.com #EXTRA_DOMAINS=', `www.rallly.example.com`' LETS_ENCRYPT_ENV=production + +SECRET_SECRET_KEY_VERSION=v1 +SECRET_DB_PASSWORD_VERSION=v1 +SECRET_SMTP_PWD_VERSION=v1 + +SUPPORT_EMAIL=noreply@example.com +SMTP_HOST=mail.example.com +SMTP_PORT=465 +SMTP_SECURE=true +SMTP_USER=noreply@example.com diff --git a/README.md b/README.md index a7b78ca..96eea86 100644 --- a/README.md +++ b/README.md @@ -5,20 +5,23 @@ * **Category**: Apps -* **Status**: 0 -* **Image**: [`rallly`](https://hub.docker.com/r/rallly), 4, upstream -* **Healthcheck**: No +* **Status**: 3, alpha +* **Image**: [`rallly`](https://hub.docker.com/r/lukevella/rallly), 4, upstream +* **Healthcheck**: Yes * **Backups**: No -* **Email**: No -* **Tests**: No -* **SSO**: No +* **Email**: 3 +* **Tests**: 3 +* **SSO**: N/A ## Quick start -* `abra app new rallly --secrets` + +* `abra app new rallly` * `abra app config ` +* `abra app secret insert smtp_pwd v1 ` +* `abra app secret generate -a ` * `abra app deploy ` -For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech). +For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech) and [`lukevella/rallly-selfhosted`](https://github.com/lukevella/rallly-selfhosted). diff --git a/abra.sh b/abra.sh new file mode 100644 index 0000000..7c5fe57 --- /dev/null +++ b/abra.sh @@ -0,0 +1 @@ +export APP_ENTRYPOINT_VERSION=v1 diff --git a/compose.yml b/compose.yml index a2c3805..da5b9ee 100644 --- a/compose.yml +++ b/compose.yml 
@@ -3,30 +3,91 @@ version: "3.8" services: app: - image: nginx:1.20.0 + image: lukevella/rallly:2.1.1 networks: - proxy + - internal + depends_on: + - rallly_db + secrets: + - secret_key + - smtp_pwd + environment: + - DATABASE_URL=postgres://postgres:postgres@rallly_db:5432/db + - NEXT_PUBLIC_BASE_URL=${DOMAIN} + - SECRET_PASSWORD_FILE=/run/secrets/secret_key + - SUPPORT_EMAIL + - SMTP_HOST + - SMTP_PORT + - SMTP_SECURE + - SMTP_USER + - SMTP_PWD_FILE=/run/secrets/smtp_pwd + entrypoint: /docker-entrypoint.sh + configs: + - source: app_entrypoint + target: /docker-entrypoint.sh + mode: 0555 deploy: restart_policy: condition: on-failure labels: - "traefik.enable=true" - - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3000" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - ## Redirect from EXTRA_DOMAINS to DOMAIN - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - - "coop-cloud.${STACK_NAME}.version=" + # Redirect from EXTRA_DOMAINS to DOMAIN + - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" + - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" + - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" + - "coop-cloud.${STACK_NAME}.version=0.1+2.1.1" healthcheck: - test: ["CMD", "curl", "-f", "http://localhost"] + test: ["CMD", "curl", "-f", "http://localhost:3000"] interval: 30s timeout: 10s retries: 10 start_period: 1m + rallly_db: + image: postgres:14.2 + volumes: + - db-data:/var/lib/postgresql/data + secrets: + - db_password + environment: + - 
POSTGRES_PASSWORD_FILE=/run/secrets/db_password + - POSTGRES_DB=db + healthcheck: + test: ["CMD-SHELL", "pg_isready -U postgres"] + interval: 5s + timeout: 5s + retries: 5 + networks: + - internal + +secrets: + db_password: + external: true + name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} + secret_key: + external: true + name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} + smtp_pwd: + external: true + name: ${STACK_NAME}_smtp_pwd_${SECRET_SMTP_PWD_VERSION} networks: proxy: external: true + internal: + +volumes: + mongodb_log: + mongodb_lib: + mongodb: + db-data: + +configs: + app_entrypoint: + name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION} + file: entrypoint.sh.tmpl + template_driver: golang diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl new file mode 100644 index 0000000..7c3a502 --- /dev/null +++ b/entrypoint.sh.tmpl @@ -0,0 +1,29 @@ +#!/bin/bash + +set -eu + +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + + export "$var"="$val" + unset "$fileVar" +} + +file_env "SECRET_PASSWORD" +file_env "SMTP_PWD" + +/usr/src/app/scripts/docker-start.sh
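Review bot: The app's `DATABASE_URL=postgres://postgres:postgres@rallly_db:5432/db` hard-codes the password `postgres`, while `rallly_db` is initialised from `POSTGRES_PASSWORD_FILE=/run/secrets/db_password` and the `db_password` secret is never mounted into `app`. Unless the generated secret happens to equal `postgres`, password authentication over the `internal` network would be expected to fail. If it does succeed, the database is accepting a well-known credential and the secret protects nothing. I would add `- db_password` under the app's `secrets:`, replace the URL line with `- DB_PASSWORD_FILE=/run/secrets/db_password` (a proposed name), and have the entrypoint build `DATABASE_URL` from that file, URL-encoding the password if the generator can emit reserved characters.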
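Review bot: The last line starts `/usr/src/app/scripts/docker-start.sh` as a child of the bash wrapper, so bash stays PID 1 and the stop signal sent on a service update or shutdown is not passed on to the app; the container is then likely to hit the stop timeout and be killed. Use `exec /usr/src/app/scripts/docker-start.sh` so the start script replaces the shell. Two things deserve a comment at the top of the file. First, `file_env` relies on bash indirect expansion (`${!var}`), so the image must ship `/bin/bash`, which cannot be verified from this diff. Second, the values read from `/run/secrets` are exported into the process environment, where every child process inherits them.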