diff --git a/.gitattributes b/.gitattributes
index 1bbbb10..6be7b46 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
 .pass.sh filter=git-crypt diff=git-crypt
+ansible/vars/vault.yml filter=git-crypt diff=git-crypt
diff --git a/Makefile b/Makefile
index 61bf015..44404f9 100644
--- a/Makefile
+++ b/Makefile
@@ -10,9 +10,12 @@ VENV_BIN=.venv/bin
 PIP=${VENV_BIN}/pip
 ANSIBLE=${VENV_BIN}/ansible-playbook
 ANSIBLE_VAULT=${VENV_BIN}/ansible-vault
+
 LINT_ANSIBLE=${VENV_BIN}/ansible-lint
 LINT_YAML=${VENV_BIN}/yamllint
+
 VAULT_PASS_FILE=.ansible-vaultpass
+VAULT_FILE=ansible/vars/vault.yml
 
 # Variables
 ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml
@@ -29,16 +32,19 @@ ${ANSIBLE} ${ANSIBLE_VAULT} ${LINT_YAML} ${LINT_ANSIBLE}: ${VENV} requirements.t
 ${VAULT_PASS_FILE}: ${ANSIBLE}
 	. ${PASS_SRC}; pass $$PASS_LOC > $@
 
+${VAULT_FILE}: ${VAULT_PASS_FILE}
+	${ANSIBLE_VAULT} create --vault-password-file ${VAULT_PASS_FILE} $@
+
 # Targets
-deploy: ${ANSIBLE} ${VAULT_PASS_FILE}
+deploy: ${ANSIBLE} ${VAULT_FILE}
 	${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
 
-check: ${ANSIBLE} ${VAULT_PASS_FILE}
+check: ${ANSIBLE} ${VAULT_FILE}
 	${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
 
-encrypt-string: ${ANSIBLE_VAULT} ${VAULT_PASS_FILE}
-	${ANSIBLE_VAULT} encrypt_string --vault-password-file ${VAULT_PASS_FILE}
+vault: ${ANSIBLE_VAULT} ${VAULT_FILE}
+	${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE}
 
 lint: ${LINT_YAML} ${LINT_ANSIBLE}
-	@${LINT_YAML} ansible/
-	@${LINT_ANSIBLE} ansible/
+	${LINT_YAML} ansible/
+	${LINT_ANSIBLE} ansible/
diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml
index f0f1033..40758a2 100644
--- a/ansible/deploy_home.yml
+++ b/ansible/deploy_home.yml
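Review bot: `${VAULT_FILE}: ${VAULT_PASS_FILE}` makes the committed vault a build product of the password file, so on a fresh clone, where `.ansible-vaultpass` is generated after checkout and is therefore newer than `ansible/vars/vault.yml`, `make deploy` and `make check` will run `ansible-vault create` against the existing vault, which as far as I recall refuses an existing file and otherwise opens an interactive editor in the middle of a build. The vault only needs the password file to exist, so declare the edge order-only, `${VAULT_FILE}: | ${VAULT_PASS_FILE}`; `deploy` and `check` still reach `${VAULT_PASS_FILE}` through it. The new `vault` target, like `deploy`, `check` and `lint`, belongs in `.PHONY` if that declaration is not already elsewhere in the file. The `.gitattributes` hunk also puts vault.yml under git-crypt, so the file is encrypted twice; harmless, but `diff=git-crypt` on ansible-vault ciphertext produces no readable diff.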
@@ -1,5 +1,8 @@
 ---
 - hosts: all
+  vars_files:
+    - vars/vault.yml
   roles:
     - role: common
     - role: http
+    - role: drone
diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml
index 9b0f71d..f1d769c 100644
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@@ -1,7 +1,8 @@
 ---
 deps: [
   docker,
-  fail2ban
+  fail2ban,
+  python-docker
 ]
 
 fail2ban_jails: [
diff --git a/ansible/roles/drone/defaults/main.yml b/ansible/roles/drone/defaults/main.yml
new file mode 100644
index 0000000..2476ded
--- /dev/null
+++ b/ansible/roles/drone/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+drone_server_proto: "https"
+drone_runner_capacity: "1"
diff --git a/ansible/roles/drone/tasks/docker.yml b/ansible/roles/drone/tasks/docker.yml
deleted file mode 100644
index bd2ceef..0000000
--- a/ansible/roles/drone/tasks/docker.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- name: Create Drone CI container
-  community.general.docker_container:
-    name: drone
-    image: drone/drone
-    restart: true
-    restart_policy: on-failure
-    restart_retries: 3
-    env:
-      DRONE_GITHUB_CLIENT_ID: {{ drone_gh_client_id }}
-      DRONE_GITHUB_CLIENT_SECRET: {{ drone_gh_client_sec }}
-      DRONE_RPC_SECRET: {{ drone_rpc_secret }}
-      DRONE_SERVER_HOST: {{ ci_server_name }}
-      DRONE_SERVER_PROTO: {{ drone_server_proto }}
-      DRONE_GIT_ALWAYS_AUTH: 'true'
-      DRONE_USER_FILTER: {{ drone_user_filter }}
-
diff --git a/ansible/roles/drone/tasks/drone.yml b/ansible/roles/drone/tasks/drone.yml
new file mode 100644
index 0000000..9ba9794
--- /dev/null
+++ b/ansible/roles/drone/tasks/drone.yml
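Review bot: The new `drone` role reads `ci_server_name`, which is defined in `roles/http/defaults/main.yml` (it appears as the hunk context of that file's diff below), so the value resolves only because `http` is listed before `drone` and role defaults are exported to the play; reordering the roles or enabling private role vars would leave the Drone containers with an undefined host. Give the variable a home both roles can see — group/host vars, or a value in `drone/defaults/main.yml`. The Makefile runs `ansible/deploy.yml` rather than this `deploy_home.yml`; if deploy.yml does not import this playbook, the new `vars_files` entry never takes effect for `make deploy`, which is worth confirming since that file is outside the diff.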
@@ -0,0 +1,43 @@
+---
+- name: create drone-ci server container
+  diff: false
+  docker_container:
+    name: drone
+    image: drone/drone:latest
+    recreate: true
+    restart: true
+    restart_policy: on-failure
+    restart_retries: 3
+    env:
+      DRONE_GITHUB_CLIENT_ID: "{{ drone_gh_client_id }}"
+      DRONE_GITHUB_CLIENT_SECRET: "{{ drone_gh_client_sec }}"
+      DRONE_GIT_ALWAYS_AUTH: 'true'
+      DRONE_RPC_SECRET: "{{ drone_rpc_secret }}"
+      DRONE_SERVER_HOST: "{{ ci_server_name }}"
+      DRONE_SERVER_PROTO: "{{ drone_server_proto }}"
+      DRONE_USER_FILTER: "{{ drone_user_filter }}"
+    volumes:
+      - /var/lib/drone:/data
+    ports:
+      - "8080:80"
+  tags: drone
+
+- name: create drone-ci worker container
+  diff: false
+  docker_container:
+    name: drone-runner
+    image: drone/drone-runner-docker:latest
+    recreate: true
+    restart: true
+    restart_policy: on-failure
+    restart_retries: 3
+    env:
+      DRONE_RPC_SECRET: "{{ drone_rpc_secret }}"
+      DRONE_RPC_HOST: "{{ ci_server_name }}"
+      DRONE_RPC_PROTO: "{{ drone_server_proto }}"
+      DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "3000:3000"
+  tags: drone
diff --git a/ansible/roles/drone/tasks/main.yml b/ansible/roles/drone/tasks/main.yml
index 9eab6da..479cac1 100644
--- a/ansible/roles/drone/tasks/main.yml
+++ b/ansible/roles/drone/tasks/main.yml
@@ -1,2 +1,2 @@
 ---
-- import_tasks: docker.yml
+- import_tasks: drone.yml
diff --git a/ansible/roles/http/defaults/main.yml b/ansible/roles/http/defaults/main.yml
index 479c3fc..6cd2ba6 100644
--- a/ansible/roles/http/defaults/main.yml
+++ b/ansible/roles/http/defaults/main.yml
@@ -4,6 +4,5 @@ ci_server_name: ci.bdebyl.net
 
 deps: [
   certbot,
-  certbot-nginx,
   nginx
 ]
diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf
index 7dd225e..fce002d 100644
--- a/ansible/roles/http/files/nginx/nginx.conf
+++ b/ansible/roles/http/files/nginx/nginx.conf
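Review bot: `ports: - "8080:80"` on the server container publishes Drone on every host interface in plaintext, so the TLS and HSTS front in nginx (which proxies to 127.0.0.1:8080) can be sidestepped by talking to port 8080 directly; bind it to loopback with `- "127.0.0.1:8080:80"`, and the runner's `- "3000:3000"` deserves the same treatment or removal, since the runner only polls the server and nothing in this diff connects to it. Both tasks pass `DRONE_RPC_SECRET` and the GitHub client secret through `env`; `diff: false` hides the diff output but a failure or a `-v` run still prints the module result with those values, so add `no_log: true` to each task. `image: drone/drone:latest` together with `recreate: true` means every playbook run deploys whatever `latest` resolves to and restarts CI; pin a version tag or digest so deploys are reproducible. The `/var/run/docker.sock` mount gives the runner root-equivalent control of the host, so every build runs with host-level privilege; a one-line comment next to it noting that `DRONE_USER_FILTER` is the control being relied on would make that trade-off explicit.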
@@ -32,5 +32,5 @@ http {
 
     limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
 
-    include etc/nginx/sites-enabled/*.conf;
+    include /etc/nginx/sites-enabled/*.conf;
 }
diff --git a/ansible/roles/http/tasks/cron.yml b/ansible/roles/http/tasks/cron.yml
index 236d983..7295af1 100644
--- a/ansible/roles/http/tasks/cron.yml
+++ b/ansible/roles/http/tasks/cron.yml
@@ -1,10 +1,9 @@
 ---
-- cron: renew certbot ssl certificate weekly
+- name: renew certbot ssl certificates weekly
+  become: true
   cron:
-    name: ci_bdebyl_net_renewal
+    name: certbot_renew
     special_time: weekly
     job: |
-      certbot --renew certonly --webroot --webroot-path=/srv/http \
-        -m {{ ci_server_email }} --agree-tos \
-        -d {{ ci_server_name }}
-  tags: never
+      certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
+  tags: cron
diff --git a/ansible/roles/http/tasks/main.yml b/ansible/roles/http/tasks/main.yml
index e49aa72..8558561 100644
--- a/ansible/roles/http/tasks/main.yml
+++ b/ansible/roles/http/tasks/main.yml
@@ -2,3 +2,4 @@
 - import_tasks: deps.yml
 - import_tasks: http.yml
 - import_tasks: ssl.yml
+- import_tasks: cron.yml
diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
index 2b7c17b..0807735 100644
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
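Review bot: In cron.yml, `--pre-hook "systemctl stop nginx"` takes the web server down before certbot attempts the challenge; `certbot renew` reuses whichever authenticator the renewal config records, and if that is webroot, as the removed job's `--webroot --webroot-path=/srv/http` suggests, the HTTP-01 challenge fails because nothing is serving `/srv/http` while nginx is stopped — ssl.yml, outside this diff, decides which authenticator was used. Keep nginx running and reload it only when a certificate actually changes: `certbot renew --deploy-hook "systemctl reload nginx"`. `special_time: weekly` leaves roughly four attempts inside the 30-day renewal window; certbot's guidance is to run more often, and `special_time: daily` costs nothing because `renew` is a no-op when nothing is due.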
@@ -1,35 +1,39 @@
+upstream drone {
+    server 127.0.0.1:8080;
+}
+
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name {{ ci_server_name }};
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ ci_server_name }};
 
     add_header Strict-Transport-Security max-age=6307200;
 
-    ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
     ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
     ssl_session_tickets off;
 
-    ssl_stapling on;
-    ssl_stapling_verify on;
+    ssl_stapling on;
+    ssl_stapling_verify on;
 
-    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers off;
+    ssl_prefer_server_ciphers off;
 
-    location / {
-        proxy_set_header X-Forwarded-For $remote_addr;
+    location / {
+        proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header Host $http_post;
+        proxy_set_header Host $http_host;
 
-        proxy_pass http://127.0.0.1:4242;
+        proxy_pass http://drone;
         proxy_redirect off;
         proxy_http_version 1.1;
         proxy_buffering off;
         chunked_transfer_encoding off;
-    }
+    }
 }
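Review bot: Most `-`/`+` pairs in this hunk (`listen`, `ssl_*`, `location`, the closing brace) differ only in indentation, which the collapsed page cannot even show, and that re-indent buries the two functional changes — `proxy_set_header Host $http_host` replacing the `$http_post` typo, and `proxy_pass http://drone` with the new `upstream` block; a separate whitespace commit, or reviewing with `git diff -w`, would make the fix visible. The `upstream drone { server 127.0.0.1:8080; }` block depends on the Drone container being published on that loopback port, which is decided in `roles/drone/tasks/drone.yml` rather than here, so a one-line comment such as `# drone server container, published on 127.0.0.1:8080 by roles/drone/tasks/drone.yml` would document the coupling for the next edit of either file.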
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
new file mode 100644
index 0000000..1a512d4
Binary files /dev/null and b/ansible/vars/vault.yml differ