diff --git a/Dockerfile b/Dockerfile
index 4bfc0ce..0e104da 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,22 +1,96 @@
-# v0.4.5
-FROM vuls/go-exploitdb@sha256:4738ca739083d41b89aab11012e283f89645f5cdbb5c021f2fbb6584bd5fe423
+FROM alpine:3.18
-# Make directory to store DB if not volume mounted
-RUN mkdir /vuls
+ARG TARGETPLATFORM
-# Set up a cron job to update the database files every 3 hours
-RUN echo "0 */3 * * * /update.sh" >> /var/spool/cron/crontabs/root
+RUN apk --no-cache add git ca-certificates
-# Make sure the cron job file has proper permissions
-RUN chmod 0600 /var/spool/cron/crontabs/root
+ADD --link --chmod=600 crontabs/root /var/spool/cron/crontabs/root
-# Copy updater script and make it executable
-COPY update.sh /update.sh
-RUN chmod +x /update.sh
+RUN </exploit-db-server: +docker run -d -p 1326:1326 -v /opt/exploit-db:/var/lib/go-exploitdb -name exploit-db-server /exploit-db-server: ``` ## Querying
diff --git a/crontabs/root b/crontabs/root
new file mode 100644
index 0000000..e718f3f
--- /dev/null
+++ b/crontabs/root
@@ -0,0 +1 @@
+0 */3 * * * go-exploitdb-update
diff --git a/entrypoint.sh b/entrypoint.sh
deleted file mode 100644
index 8e49657..0000000
--- a/entrypoint.sh
+++ /dev/null
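Review bot: `ADD --link --chmod=600 crontabs/root /var/spool/cron/crontabs/root` copies a plain local file, so `COPY --link --chmod=600 crontabs/root /var/spool/cron/crontabs/root` expresses the same thing without ADD's archive-extraction and URL fetching semantics (hadolint DL3020). The `RUN apk --no-cache add git ca-certificates` line installs unpinned packages, which lets the image drift between builds of the same Dockerfile; the previous base was pinned by digest, so this is a step back in reproducibility unless `alpine:3.18` is also pinned by digest and the two packages get `pkg=version` pins. In this view the hunk is garbled from `RUN <` onward (the heredoc body, the remainder of the 96 new lines and a README hunk are missing), so whether a non-root user is created and whether `git` is only needed at build time could not be reviewed here.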
@@ -1,67 +0,0 @@
-#!/bin/sh
-
-set -euo pipefail
-
-cronPid=0
-serverPid=0
-firstUpdatePid=0
-
-# gracefully handlei SIGINT and SIGTERM
-term_handler() {
- set +e
- echo "Terminating..."
-
- if [ $firstUpdatePid -ne 0 ]; then
- echo "Ending firstUpdate..."
- kill -SIGTERM "$firstUpdatePid"
- wait $firstUpdatePid
- echo "firstUpdate ended."
- fi
-
- if [ $cronPid -ne 0 ]; then
- echo "Ending cron..."
- kill -SIGTERM "$cronPid"
- wait $cronPid
- echo "Cron ended."
- fi
-
- if [ $serverPid -ne 0 ]; then
- echo "Ending server..."
- kill -SIGTERM "$serverPid"
- wait $serverPid
- echo "Server ended."
- fi
-
- exit 143
-}
-
-trap 'term_handler' SIGTERM
-trap 'term_handler' SIGINT
-
-# Start go-exploitdb server listening and setup/migrate exploit db file
-echo "Starting server listening on 0.0.0.0:1326..."
-go-exploitdb server --bind 0.0.0.0 --dbpath /vuls/go-exploitdb.sqlite3 &
-serverPid=$!
-
-# Wait until the server is up and running healthy and can respond to a query
-# before starting the updater to avoid migration conflicts between the server
-# command and the updating commands.
-# TODO(sambetts) use curl here if we can get it installed in the container
-sleep 5
-
-# Run update once on container start to ensure we're up to date.
-/update.sh &
-firstUpdatePid=$!
-wait $firstUpdatePid
-firstUpdatePid=0
-
-# Start cron in the background which will run the updater script periodically,
-echo "Starting periodic updates..."
-crond -f &
-cronPid=$!
-
-# Wait on Server PID to complete, if it ends then terminate
-wait $serverPid
-
-# Clean up everything
-term_handler
diff --git a/go-exploitdb/go-exploitdb-update.sh b/go-exploitdb/go-exploitdb-update.sh
new file mode 100644
index 0000000..f1043bc
--- /dev/null
+++ b/go-exploitdb/go-exploitdb-update.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env sh
+
+set -e
+
+info () {
+ printf "INFO [go-exploitdb-update]: %s\n" "${1}"
+}
+
+error () {
+ printf "ERROR [go-exploitdb-update]: %s\n" "${1}"
+}
+
+update () {
+ local config
+ config=/etc/go-exploitdb/go-exploitdb.yaml
+
+ for db in awesomepoc exploitdb githubrepos inthewild; do
+ info "updating database: ${db}"
+ go-exploitdb --config="${config}" fetch "${db}" || error "failed to update database: ${db}"
+ done
+}
+
+main () {
+ (
+ flock -n 200 || error "failed to acquire lock."
+ update
+ ) 200>/var/lock/go-exploitdb-update.lock
+}
+
+main
diff --git a/go-exploitdb/go-exploitdb.yaml b/go-exploitdb/go-exploitdb.yaml
new file mode 100644
index 0000000..4fc5070
--- /dev/null
+++ b/go-exploitdb/go-exploitdb.yaml
@@ -0,0 +1,5 @@
+---
+dbtype: sqlite3
+dbpath: /var/lib/go-exploitdb/go-exploitdb.sqlite3
+log-json: false
+debug: false
diff --git a/s6-rc.d/cron/dependencies.d/base b/s6-rc.d/cron/dependencies.d/base
new file mode 100644
index 0000000..e69de29
diff --git a/s6-rc.d/cron/dependencies.d/go-exploitdb-updater b/s6-rc.d/cron/dependencies.d/go-exploitdb-updater
new file mode 100644
index 0000000..e69de29
diff --git a/s6-rc.d/cron/finish b/s6-rc.d/cron/finish
new file mode 100644
index 0000000..ac7bcec
--- /dev/null
+++ b/s6-rc.d/cron/finish
@@ -0,0 +1,7 @@
+#!/command/execlineb -S0
+
+foreground {
+ redirfd -w 1 /run/s6-linux-init-container-results/exitcode echo "$1"
+}
+
+/run/s6/basedir/bin/halt
diff --git a/s6-rc.d/cron/run b/s6-rc.d/cron/run
new file mode 100644
index 0000000..12e39f5
--- /dev/null
+++ b/s6-rc.d/cron/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+exec crond -f -d 7
diff --git a/s6-rc.d/cron/type b/s6-rc.d/cron/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/s6-rc.d/cron/type
@@ -0,0 +1 @@
+longrun
diff --git a/s6-rc.d/go-exploitdb-updater/dependencies.d/base b/s6-rc.d/go-exploitdb-updater/dependencies.d/base
new file mode 100644
index 0000000..e69de29
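Review bot: The `flock -n 200 || error "failed to acquire lock."` line in `main` only logs when another run already holds the lock and then calls `update` anyway, so the boot-time oneshot and the cron entry (or two overlapping cron runs) can still fetch into the same sqlite file concurrently, which is exactly what the lock was added to prevent. Turn the failure into an exit of the subshell, `flock -n 200 || { error "failed to acquire lock."; exit 1; }`, so the lock actually serializes updates; with `set -e` the non-zero subshell status then propagates to the script's exit code. Two smaller points: `local` is not POSIX, so under `#!/usr/bin/env sh` it depends on the shell being busybox ash or dash (true on the alpine base this commit moves to, but a one-line comment would save the next reader a check), and `/var/lock` is assumed to exist and be writable at run time by whichever account runs the updater.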
diff --git a/s6-rc.d/go-exploitdb-updater/type b/s6-rc.d/go-exploitdb-updater/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/s6-rc.d/go-exploitdb-updater/type
@@ -0,0 +1 @@
+oneshot
diff --git a/s6-rc.d/go-exploitdb-updater/up b/s6-rc.d/go-exploitdb-updater/up
new file mode 100644
index 0000000..e16aab8
--- /dev/null
+++ b/s6-rc.d/go-exploitdb-updater/up
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+exec go-exploitdb-update
diff --git a/s6-rc.d/go-exploitdb/dependencies.d/base b/s6-rc.d/go-exploitdb/dependencies.d/base
new file mode 100644
index 0000000..e69de29
diff --git a/s6-rc.d/go-exploitdb/dependencies.d/go-exploitdb-updater b/s6-rc.d/go-exploitdb/dependencies.d/go-exploitdb-updater
new file mode 100644
index 0000000..e69de29
diff --git a/s6-rc.d/go-exploitdb/finish b/s6-rc.d/go-exploitdb/finish
new file mode 100644
index 0000000..ac7bcec
--- /dev/null
+++ b/s6-rc.d/go-exploitdb/finish
@@ -0,0 +1,7 @@
+#!/command/execlineb -S0
+
+foreground {
+ redirfd -w 1 /run/s6-linux-init-container-results/exitcode echo "$1"
+}
+
+/run/s6/basedir/bin/halt
diff --git a/s6-rc.d/go-exploitdb/run b/s6-rc.d/go-exploitdb/run
new file mode 100644
index 0000000..c344b14
--- /dev/null
+++ b/s6-rc.d/go-exploitdb/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+exec go-exploitdb server --bind 0.0.0.0 --config=/etc/go-exploitdb/go-exploitdb.yaml
diff --git a/s6-rc.d/go-exploitdb/type b/s6-rc.d/go-exploitdb/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/s6-rc.d/go-exploitdb/type
@@ -0,0 +1 @@
+longrun
diff --git a/s6-rc.d/user/contents.d/cron b/s6-rc.d/user/contents.d/cron
new file mode 100644
index 0000000..e69de29
diff --git a/s6-rc.d/user/contents.d/go-exploitdb b/s6-rc.d/user/contents.d/go-exploitdb
new file mode 100644
index 0000000..e69de29
diff --git a/s6-rc.d/user/contents.d/go-exploitdb-updater b/s6-rc.d/user/contents.d/go-exploitdb-updater
new file mode 100644
index 0000000..e69de29
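Review bot: `exec go-exploitdb server --bind 0.0.0.0 --config=/etc/go-exploitdb/go-exploitdb.yaml` in `s6-rc.d/go-exploitdb/run` is the network-facing process and, as written, inherits the uid of the s6 supervisor, which is root unless the (garbled) Dockerfile hunk creates and switches to another account; the old entrypoint had the same property, but the move to s6 makes it cheap to drop privileges per service. If an unprivileged account exists in the image, the run script can become `exec s6-setuidgid <user> go-exploitdb server --bind 0.0.0.0 --config=/etc/go-exploitdb/go-exploitdb.yaml`, with `/var/lib/go-exploitdb` owned by that account and the updater oneshot and the cron entry running as the same uid so the sqlite file stays writable (port 1326 is above 1024, so no capability is needed for the bind). Note also that `dependencies.d/go-exploitdb-updater` makes the server wait for the full initial fetch of all four sources before it listens, where the old entrypoint started the server first and slept 5 seconds; that is a sound way to avoid the migration race the sleep papered over, but it is worth a comment since first start of an empty volume can take a while.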
diff --git a/update.sh b/update.sh
deleted file mode 100644
index 9978384..0000000
--- a/update.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-set -euo pipefail
-
-echo "Updating from awesomepoc..."
-go-exploitdb --dbpath /vuls/go-exploitdb.sqlite3 fetch awesomepoc || echo "Failed to fetch awesomepoc exploits db"
-
-echo "Updating from exploitdb..."
-go-exploitdb --dbpath /vuls/go-exploitdb.sqlite3 fetch exploitdb || echo "Failed to fetch exploitdb exploits db"
-
-echo "Updating from githubrepos..."
-go-exploitdb --dbpath /vuls/go-exploitdb.sqlite3 fetch githubrepos || echo "Failed to fetch githubrepos exploits db"
-
-echo "Updating from inthewild..."
-go-exploitdb --dbpath /vuls/go-exploitdb.sqlite3 fetch inthewild || echo "Failed to fetch inthewild exploits db"