diff --git a/tasks.yml b/tasks.yml
index 38ffb28..518cb12 100644
--- a/tasks.yml
+++ b/tasks.yml
@@ -20,25 +20,54 @@
   git:
     repo: '{{ app_repository }}'
     dest: '{{ app_dir }}'
-    version: '{{ app_branch }}'
+    version: '{{ app_ref }}'
     update: true
 
-- name: copy .production.env
+- name: copy templates
   template:
-    src: 'templates/env.j2'
-    dest: '{{ app_dir }}/.production.env'
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+  loop:
+    - { src: 'templates/env.j2', dest: '{{ app_dir }}/.production.env' }
+    - {
+        src: 'templates/docker-compose.j2',
+        dest: '{{ app_dir }}/docker-compose.resources.yml'
+      }
 
 - name: stop newsreader
-  docker_compose:
-    project_src: '{{ app_dir }}'
-    state: absent
+  command: >
+    docker compose
+      --env-file .production.env
+      --file docker-compose.yml
+      --file docker-compose.production.yml
+      --file docker-compose.resources.yml
+      down
+  args:
+    chdir: '{{ app_dir }}'
+
+# to allow next startup to generate a new volume
+- name: remove static volume
+  command: docker volume rm newsreader_static-files
+
+- name: build newsreader
+  command: >
+    docker compose
+      --env-file .production.env
+      --file docker-compose.yml
+      --file docker-compose.production.yml
+      --file docker-compose.resources.yml
+      build
+  args:
+    chdir: '{{ app_dir }}'
 
 - name: start newsreader
-  docker_compose:
-    build: true
-    state: present
-    project_src: '{{ app_dir }}'
-    env_file: '{{ app_dir }}/.production.env'
-    files:
-      - docker-compose.yml
-      - docker-compose.production.yml
+  command: >
+    docker compose
+      --env-file .production.env
+      --file docker-compose.yml
+      --file docker-compose.production.yml
+      --file docker-compose.resources.yml
+      up
+      --detach
+  args:
+    chdir: '{{ app_dir }}'
diff --git a/templates/docker-compose.j2 b/templates/docker-compose.j2
new file mode 100644
index 0000000..8390ae8
--- /dev/null
+++ b/templates/docker-compose.j2
@@ -0,0 +1,37 @@
+# {{ ansible_managed }}
+
+x-web-resources: &web-resources
+  deploy:
+    resources:
+      limits:
+        cpus: '2'
+        memory: 2GB
+
+services:
+  db:
+    restart: always
+    deploy:
+      resources:
+        limits:
+          cpus: '4'
+
+  rabbitmq:
+    restart: always
+
+  memcached:
+    restart: always
+
+  celery:
+    <<: *web-resources
+    restart: always
+
+  django:
+    <<: *web-resources
+    deploy:
+      resources:
+        limits:
+          memory: 4GB
+    restart: always
+
+  nginx:
+    restart: always
diff --git a/templates/env.j2 b/templates/env.j2
index 39bcf11..fcaf939 100644
--- a/templates/env.j2
+++ b/templates/env.j2
@@ -26,5 +26,7 @@ TWITTER_CONSUMER_ID='{{ twitter_client_id }}'
 TWITTER_CONSUMER_SECRET='{{ twitter_client_secret }}'
 TWITTER_REDIRECT_URL='{{ twitter_redirect_url }}'
 
+VERSION='{{ app_ref }}'
+
 SENTRY_DSN='{{ sentry_dsn }}'
 ADMINS='{{ admins }}'
diff --git a/vars/app.yml b/vars/app.yml
index abc1a52..7880cbf 100644
--- a/vars/app.yml
+++ b/vars/app.yml
@@ -1,6 +1,6 @@
 app_name: 'newsreader'
-app_repository: 'https://git.fudiggity.nl/sonny/newsreader'
-app_branch: '0.4.2'
+app_repository: 'https://forgejo.fudiggity.nl/sonny/newsreader'
+app_ref: '0.5.3'
 app_dir: '/srv/docker/newsreader'
 
 django_settings_module: 'newsreader.conf.production'
@@ -15,14 +15,15 @@ django_secret_key: !vault |
   356533316361653939303165313766633666
 
 sentry_dsn: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  62663633303937303836306431396435343838626439373733353464366266383364343365333735
-  3539306162396230633664663839333637303733323461620a376531366464646239366436343136
-  30643031653363616265363938633536386134343766656239376638643335396565326330613832
-  6639396631623334350a353037386433313166313736666161663964313932636462383461343463
-  64636433373533313933343461393638663638623430366332336265343061663030313031353665
-  63393062396534643934623964323437316238353535623261323531383230633536626333326262
-  656365343030643332303534343535336566
+          $ANSIBLE_VAULT;1.1;AES256
+          37613964323436313965306364383537373437633262363036663939616235343932646238393432
+          3832363731633330363963616333333730633335653161330a646462303032636637386236306666
+          31383839663136643031613363326261633332376165323332333136656134623838343832373333
+          3064303236663131650a303964303962373839366532376231346366363739363934636433643139
+          36323635343034373232613839623137326430613033353037626430373939376138663063643065
+          37323533376239376261363236666333653862663663653739383936306539633635343233353266
+          63643331383861326634356164393732363532663539303561373230346535643936363036353665
+          30336132306236633062
 
 nginx_http_port: 5000