diff --git a/.drone/build.sh b/.drone/build.sh index 6477269..05571a6 100644 --- a/.drone/build.sh +++ b/.drone/build.sh @@ -1 +1,2 @@ -docker build docker-dind -t ${LOCAL_DOCKER_REGISTRY}docker-dind +echo $CA_CRT > docker-dind/CA_crt.crt +docker build docker-dind -t ${REGISTRY_DOMAIN}:${REGISTRY_PORT}/docker-dind diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet index e2fe2b6..4da3b5e 100644 --- a/.drone/drone-home.jsonnet +++ b/.drone/drone-home.jsonnet @@ -3,15 +3,29 @@ local secretSecrets = import 'lib/secret-secrets.libsonnet'; local publicSecrets = import 'lib/public-secrets.libsonnet'; local deploy = import 'node_modules/@sigyl/jsonnet-drone/deploy.libsonnet'; +local register = import 'node_modules/@sigyl/jsonnet-drone/register.libsonnet'; [ + register, deploy( 'squid', '/stack/', + [], + publicSecrets, + secretSecrets, [ - 'LOCAL_DOCKER_REGISTRY', + 'DOMAIN', + 'REGISTRY_DOMAIN', + 'REGISTRY_PORT', 'REGISTRY_PASSWORD', ], - publicSecrets, - secretSecrets - ), + ) { + trigger +: { + event +: [ + 'promote', + ], + target +: [ + 'production', + ], + }, + }, ] diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml index ad3c67d..a6efb7d 100644 --- a/.drone/drone-home.yml +++ b/.drone/drone-home.yml @@ -1,3 +1,20 @@ +--- +kind: pipeline +type: docker +name: register + +platform: + os: linux + arch: amd64 + +clone: + disable: true + +trigger: + event: + exclude: + - promote + --- kind: pipeline type: docker @@ -9,7 +26,7 @@ platform: steps: - name: print env - image: appleboy/drone-ssh:1.6.2 + image: appleboy/drone-ssh:1.6.2@sha256:b801dc2cd238c192b6e99acfa7bc3f5b9a03f312bd2feb1e10b3a7a28a1b80ea settings: envs: - drone_tag 
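Review bot: `echo $CA_CRT > docker-dind/CA_crt.crt` expands the certificate unquoted, so a multi-line PEM value is word-split and re-joined with single spaces, and the file that lands in the build context is no longer a parseable certificate (`echo` may also mangle backslashes on some `sh` implementations). Write it as `printf '%s\n' "${CA_CRT:?CA_CRT is not set}" > docker-dind/CA_crt.crt` so the value is copied verbatim and a missing secret fails the build instead of baking an empty file into the image. I cannot confirm from this diff that `CA_CRT`, `REGISTRY_DOMAIN` and `REGISTRY_PORT` are set at all in the `dockerbuild:` step, since its `environment:` block is removed in the same commit; if they are empty the image is tagged `:/docker-dind`, which `docker build` rejects. The image is also pushed only under the implicit `latest` tag, so the promote-to-production pull fetches a mutable reference; adding `-t ${REGISTRY_DOMAIN}:${REGISTRY_PORT}/docker-dind:${DRONE_BUILD_NUMBER}` would make a deploy reproducible.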
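Review bot: `'REGISTRY_PASSWORD'` now sits in the last argument list next to the non-secret `DOMAIN`, `REGISTRY_DOMAIN` and `REGISTRY_PORT`, while `secretSecrets` (secret-secrets.libsonnet) keeps only `ca-key`; in the drone-home.yml rendered by this same commit the password consequently appears only as a `${REGISTRY_PASSWORD}` export and nowhere under `from_secret`. If the library renders that list as plain `${...}` substitutions, Drone's log masking no longer covers the registry password (nor the SSH key, which was moved the same way), and whatever file the values are substituted from holds them in clear text. Either keep `registry-password` and `ssh-key` in secret-secrets.libsonnet so `deploy()` can wire them through `from_secret`, or document the decision on the list, e.g. `// substituted into the rendered YAML before drone reads it; not masked`. A short comment on the mixin, `// runs only on promote to the production target`, would also help, since the trigger semantics live in the library rather than here.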
@@ -17,94 +34,59 @@ steps: - drone_build_number - drone_repo_name - drone_repo_namespace - - local_docker_registry - - registry_password - - ssh_host - - ssh_user - - ssh_port - - local_docker_registry - ca_crt - - ssh_key - - registry_password + - local_domain - ca_key - host: - from_secret: ssh-host - key: - from_secret: ssh-key - port: - from_secret: ssh-port + host: ${SSH_HOST} + key: ${SSH_KEY} + passphrase: ${SSH_PASSPHRASE} + port: ${SSH_PORT} script: - rm -f env-squid - - "echo \"export LOCAL_DOCKER_REGISTRY='$${LOCAL_DOCKER_REGISTRY}'\" >> env-squid # \"local-docker-registry\"" - - "echo \"export REGISTRY_PASSWORD='$${REGISTRY_PASSWORD}'\" >> env-squid # \"registry-password\"" - - "echo \"export SSH_HOST='$${SSH_HOST}'\" >> env-squid # \"ssh-host\"" - - "echo \"export SSH_USER='$${SSH_USER}'\" >> env-squid # \"ssh-user\"" - - "echo \"export SSH_PORT='$${SSH_PORT}'\" >> env-squid # \"ssh-port\"" - - "echo \"export LOCAL_DOCKER_REGISTRY='$${LOCAL_DOCKER_REGISTRY}'\" >> env-squid # \"local-docker-registry\"" - "echo \"export CA_CRT='$${CA_CRT}'\" >> env-squid # \"ca-crt\"" - - "echo \"export SSH_KEY='$${SSH_KEY}'\" >> env-squid # \"ssh-key\"" - - "echo \"export REGISTRY_PASSWORD='$${REGISTRY_PASSWORD}'\" >> env-squid # \"registry-password\"" + - "echo \"export LOCAL_DOMAIN='$${LOCAL_DOMAIN}'\" >> env-squid # \"local-domain\"" - "echo \"export CA_KEY='$${CA_KEY}'\" >> env-squid # \"ca-key\"" - username: - from_secret: ssh-user + username: ${SSH_USER} environment: CA_CRT: from_secret: ca-crt CA_KEY: from_secret: ca-key - LOCAL_DOCKER_REGISTRY: - from_secret: local-docker-registry - REGISTRY_PASSWORD: - from_secret: registry-password - SSH_HOST: - from_secret: ssh-host - SSH_KEY: - from_secret: ssh-key - SSH_PORT: - from_secret: ssh-port - SSH_USER: - from_secret: ssh-user + LOCAL_DOMAIN: + from_secret: local-domain - name: scp - image: appleboy/drone-scp:1.6.2 + image: 
appleboy/drone-scp:1.6.2@sha256:bd37a55f4b97e7742b0de7333669b96220b3cc422d366e1fa8c34059b736ab47 settings: command_timeout: 2m - host: - from_secret: ssh-host - key: - from_secret: ssh-key - port: - from_secret: ssh-port + host: ${SSH_HOST} + key: ${SSH_KEY} + passphrase: ${SSH_PASSPHRASE} + port: ${SSH_PORT} source: - . target: /stack/squid - username: - from_secret: ssh-user + username: ${SSH_USER} - name: wait - image: alpine + image: alpine:3.12.0@sha256:90baa0922fe90624b05cb5766fa5da4e337921656c2f8e2b13bd3c052a0baac1 commands: - sleep 15 - name: "dockerbuild:" - image: docker:dind + image: docker:19.03.12-dind@sha256:8dded163e463f4a59bf305b3dca98e312b2cfb89a43da3872e48f95a7554c48f commands: - set -e - sh .drone/login.sh - sh .drone/build.sh - sh .drone/push.sh - sh .drone/logout.sh - environment: - LOCAL_DOCKER_REGISTRY: - from_secret: local-docker-registry - REGISTRY_PASSWORD: - from_secret: registry-password volumes: - name: dockersock path: /var/run - name: deploy - image: appleboy/drone-ssh:1.6.2 + image: appleboy/drone-ssh:1.6.2@sha256:b801dc2cd238c192b6e99acfa7bc3f5b9a03f312bd2feb1e10b3a7a28a1b80ea settings: envs: - drone_tag 
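Review bot: `key: ${SSH_KEY}` and `passphrase: ${SSH_PASSPHRASE}` replace `from_secret` references on both the `print env` and `scp` steps, so the SSH private key and its passphrase must now be substituted into the pipeline text before Drone parses it; whatever performs that substitution (presumably the new `register` pipeline or the `.secrets` file this commit gitignores — neither is visible here) holds the key in clear text, and Drone's secret masking no longer applies to these values in logs. I would keep `key:` / `passphrase:` on `from_secret: ssh-key` and a `from_secret` for the passphrase, as the removed lines had. Separately, the `dockerbuild:` step loses its `environment:` block while `.drone/login.sh` and `.drone/build.sh` still read `REGISTRY_DOMAIN`, `REGISTRY_PORT`, `REGISTRY_PASSWORD` and `CA_CRT` from the environment, so unless the 0.1.0 library injects them elsewhere in the rendered file the login runs against `:` with an empty password. Since drone-home.yml is generated (`yarn build`), the fix belongs in drone-home.jsonnet, but the rendered step should end up looking like the excerpt below; the `steps:` list this hunk edits begins outside the hunk.

```yaml
  - name: "dockerbuild:"
    image: docker:19.03.12-dind@sha256:8dded163e463f4a59bf305b3dca98e312b2cfb89a43da3872e48f95a7554c48f
    # … unchanged: commands (login / build / push / logout) …
    environment:
      CA_CRT:
        from_secret: ca-crt
      REGISTRY_PASSWORD:
        from_secret: registry-password
      # REGISTRY_DOMAIN / REGISTRY_PORT: supply from the same source the
      # deploy step uses; both are read by .drone/login.sh and build.sh
    # … unchanged: volumes …
```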
@@ -112,57 +94,42 @@ steps: - drone_build_number - drone_repo_name - drone_repo_namespace - - ssh_host - - ssh_user - - ssh_port - - local_docker_registry - - ca_crt - - ssh_key + - domain + - registry_domain + - registry_port - registry_password + - ca_crt + - local_domain - ca_key - host: - from_secret: ssh-host - key: - from_secret: ssh-key - port: - from_secret: ssh-port + host: ${SSH_HOST} + key: ${SSH_KEY} + passphrase: ${SSH_PASSPHRASE} + port: ${SSH_PORT} script: - - export SSH_KEY=$${SSH_KEY} - - export REGISTRY_PASSWORD=$${REGISTRY_PASSWORD} - export CA_KEY=$${CA_KEY} - - export SSH_HOST=$${SSH_HOST} - - export SSH_USER=$${SSH_USER} - - export SSH_PORT=$${SSH_PORT} - - export LOCAL_DOCKER_REGISTRY=$${LOCAL_DOCKER_REGISTRY} - export CA_CRT=$${CA_CRT} + - export LOCAL_DOMAIN=$${LOCAL_DOMAIN} + - export DOMAIN=$${DOMAIN} + - export REGISTRY_DOMAIN=$${REGISTRY_DOMAIN} + - export REGISTRY_PORT=$${REGISTRY_PORT} + - export REGISTRY_PASSWORD=$${REGISTRY_PASSWORD} - set -e - cd /stack/squid - sh .drone/login.sh - sh .drone/pull.sh - sh .drone/deploy.sh - username: - from_secret: ssh-user + username: ${SSH_USER} environment: CA_CRT: from_secret: ca-crt CA_KEY: from_secret: ca-key - LOCAL_DOCKER_REGISTRY: - from_secret: local-docker-registry - REGISTRY_PASSWORD: - from_secret: registry-password - SSH_HOST: - from_secret: ssh-host - SSH_KEY: - from_secret: ssh-key - SSH_PORT: - from_secret: ssh-port - SSH_USER: - from_secret: ssh-user + LOCAL_DOMAIN: + from_secret: local-domain services: - name: docker - image: docker:dind + image: docker:19.03.12-dind@sha256:8dded163e463f4a59bf305b3dca98e312b2cfb89a43da3872e48f95a7554c48f privileged: true volumes: - name: dockersock @@ -177,4 +144,10 @@ volumes: host: path: /etc/docker/certs.d +trigger: + event: + - promote + target: + - production + ... diff --git a/.drone/lib/public-secrets.libsonnet b/.drone/lib/public-secrets.libsonnet index 2ecbd9e..c0500e2 100644 --- a/.drone/lib/public-secrets.libsonnet 
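Review bot: the deploy step's `envs:` now lists `domain`, `registry_domain`, `registry_port` and `registry_password`, but its `environment:` block defines only `CA_CRT`, `CA_KEY` and `LOCAL_DOMAIN`, so drone-ssh has nothing to forward for the other four and `export REGISTRY_PASSWORD=$${REGISTRY_PASSWORD}` hands `login.sh` an empty password unless something outside this file sets them. If they are meant to arrive through the same pre-parse `${...}` substitution used for `host:` and `key:`, say so next to `envs:`, e.g. `# DOMAIN/REGISTRY_* are substituted into this file before drone reads it, not taken from from_secret`; otherwise add them under `environment:` with `from_secret`. The `export` lines also run before `set -e`, so a failing export is silently ignored — moving `set -e` to the top of `script:` costs nothing. (`$${...}` is the Drone escape for a literal `${...}` in the remote script and is correct as written.)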
+++ b/.drone/lib/public-secrets.libsonnet
@@ -1,7 +1,4 @@
 [
- 'ssh-host',
- 'ssh-user',
- 'ssh-port',
- 'local-docker-registry',
 'ca-crt',
+ 'local-domain'
 ]
diff --git a/.drone/lib/secret-secrets.libsonnet b/.drone/lib/secret-secrets.libsonnet
index 494e590..1dd1035 100644
--- a/.drone/lib/secret-secrets.libsonnet
+++ b/.drone/lib/secret-secrets.libsonnet
@@ -1,5 +1,3 @@
 [
- 'ssh-key',
- 'registry-password',
 'ca-key',
 ]
diff --git a/.drone/login.sh b/.drone/login.sh
index c8ffffc..982ed2d 100644
--- a/.drone/login.sh
+++ b/.drone/login.sh
@@ -1 +1 @@
-docker login ${LOCAL_DOCKER_REGISTRY} --username client --password "${REGISTRY_PASSWORD}"
\ No newline at end of file
+docker login ${REGISTRY_DOMAIN}:${REGISTRY_PORT} --username client --password "${REGISTRY_PASSWORD}"
\ No newline at end of file
diff --git a/.drone/logout.sh b/.drone/logout.sh
index 4bcacf0..2337c7c 100644
--- a/.drone/logout.sh
+++ b/.drone/logout.sh
@@ -1 +1 @@
-docker logout ${LOCAL_DOCKER_REGISTRY}
\ No newline at end of file
+docker logout ${REGISTRY_DOMAIN}:${REGISTRY_PORT}
\ No newline at end of file
diff --git a/.drone/package.json b/.drone/package.json
index 434953f..22cfdd2 100644
--- a/.drone/package.json
+++ b/.drone/package.json
@@ -4,6 +4,6 @@
 "build": "drone jsonnet --source drone-home.jsonnet --target drone-home.yml --stream"
 },
 "dependencies": {
- "@sigyl/jsonnet-drone": "^0.0.5"
+ "@sigyl/jsonnet-drone": "^0.1.0"
 }
 }
diff --git a/.drone/pull.sh b/.drone/pull.sh
index 93dd65e..f403ca2 100644
--- a/.drone/pull.sh
+++ b/.drone/pull.sh
@@ -1 +1 @@
-docker pull ${LOCAL_DOCKER_REGISTRY}docker-dind
+docker pull ${REGISTRY_DOMAIN}:${REGISTRY_PORT}/docker-dind
diff --git a/.drone/push.sh b/.drone/push.sh
index 9a13777..24fec21 100644
--- a/.drone/push.sh
+++ b/.drone/push.sh
@@ -1 +1 @@
-docker push ${LOCAL_DOCKER_REGISTRY}docker-dind
+docker push ${REGISTRY_DOMAIN}:${REGISTRY_PORT}/docker-dind
diff --git a/.drone/yarn.lock b/.drone/yarn.lock
index 2ad11f0..44ab354 100644
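Review bot: the rewritten `docker login` line in `.drone/login.sh` still passes the registry password as a command-line argument (`--password "${REGISTRY_PASSWORD}"`), which is visible to every user on the host via `ps` — on the deploy host and inside the dind container alike. Feed it on stdin and fail fast when any variable is unset: `printf '%s' "${REGISTRY_PASSWORD:?}" | docker login "${REGISTRY_DOMAIN:?}:${REGISTRY_PORT:?}" --username client --password-stdin`. The `:?` guards matter here because, as this commit removes the step-level `environment:` that used to set these variables, an unset value would otherwise turn the target into `:` rather than an error. The file also still ends without a newline (`\ No newline at end of file`), harmless for `sh` but worth fixing while the line is touched.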
--- a/.drone/yarn.lock +++ b/.drone/yarn.lock @@ -12,10 +12,10 @@ resolved "https://registry.yarnpkg.com/@sigyl/jsonnet-drone-environment/-/jsonnet-drone-environment-0.0.5.tgz#9ea85e08904777bd21a3e4b30b0b91461d0285ff" integrity sha512-xVGmdMO1pOyozAWUbJm6mzKBgsLPJ+1hWnGCK3AxPkr7kkDh18hu30+TLzlcQtqq76s5jUfvJUztezsGj/mIcw== -"@sigyl/jsonnet-drone@^0.0.5": - version "0.0.5" - resolved "https://registry.yarnpkg.com/@sigyl/jsonnet-drone/-/jsonnet-drone-0.0.5.tgz#1017714cfcdb637d36faa4206b29fd4277bfb37f" - integrity sha512-6npYDgXWGblimBYDIRNeNZX20qZmuhQYhSj9hWucXm9i+IKIrxX/3B0gf9JDNXgbK4s4QY95WBrnimeAeMfddg== +"@sigyl/jsonnet-drone@^0.1.0": + version "0.1.0" + resolved "https://registry.yarnpkg.com/@sigyl/jsonnet-drone/-/jsonnet-drone-0.1.0.tgz#feda1797e8e9ef799cad72e65f7163ca26a9e3a5" + integrity sha512-QY/ngucxFOtLfL8Mt0f2bxN4fQDUOGOFtaRpSH2cNyg84xADkzehT0ORZtbLitr+AwhyF5KN/zAGvzkyNAoqPw== dependencies: "@sigyl/jsonnet-compose" "^0.0.2" "@sigyl/jsonnet-drone-environment" "0.0.5" diff --git a/.gitignore b/.gitignore index eb03e3e..0cdfe16 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ node_modules *.log +.secrets diff --git a/README.md b/README.md index 36d4082..cf81e57 100644 --- a/README.md +++ b/README.md @@ -11,11 +11,11 @@ openssl genrsa -out CA_key.pem 2048 openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=UK/ST=Devon/L=Rose Ash/O=Google/OU=SiGyl/CN=Proxy-ca" ``` -then set secrets ca-crt and ca-key to the created files +then set drone secrets ca-crt and ca-key to the created files ## making dockerconfigjson -the secret dockerconfigjson allows images to be pulled from the local docker repository +the drone secret dockerconfigjson allows images to be pulled from the local docker repository if you login to this repository with: diff --git a/docker-compose.yml b/docker-compose.yml index bb3b353..e04de37 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -13,7 +13,7 @@ services: - HTTP_PORT=3128 - MITM_CERT=/run/secrets/ca.crt - MITM_KEY=/run/secrets/ca.key - - VISIBLE_HOSTNAME=git.local-domain + - VISIBLE_HOSTNAME=$LOCAL_DOMAIN - > EXTRA_CONFIG1=tls_outgoing_options capath=/etc/ssl/certs