diff --git a/TODO.md b/TODO.md
index 6f6c6ed..127fcfa 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,5 +1,7 @@
+- [ ] BACKUPS BACKUPS BACKUPS
+
 - [ ] nameservers for users
 - [ ] read email for service accounts dmarc.report, postmaster email users, give access to infra users
 - [ ] allow infra users to ssh into any machine in infra, regular users into their tilde account on himmel
-- [ ] allow ufw and setup wireguard on himmel
-- [ ] internal vpn for infra, figure out routing
+- [x] allow ufw and setup wireguard on himmel
+- [x] internal vpn for infra, figure out routing
diff --git a/deploy.yml b/deploy.yml
index 68d4a83..ac23244 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -23,3 +23,6 @@
 
 - name: Wireguard Mesh
   ansible.builtin.import_playbook: playbooks/deploy-wireguard-mesh.yml
+
+- name: CI
+  ansible.builtin.import_playbook: playbooks/deploy-drone.yml
diff --git a/group_vars/drone.yml b/group_vars/drone.yml
new file mode 100644
index 0000000..8637f0d
--- /dev/null
+++ b/group_vars/drone.yml
@@ -0,0 +1,4 @@
+---
+
+drone_gitea_server: "https://git.hatecomputers.club"
+drone_server_host: "https://ci.hatecomputers.club"
diff --git a/group_vars/host_domains.yml b/group_vars/host_domains.yml
index 8765d74..24c457c 100644
--- a/group_vars/host_domains.yml
+++ b/group_vars/host_domains.yml
@@ -1,10 +1,11 @@
 ---
 
 host_domains:
-  fern.infra.hatecomputers.club:
-    - fern.hatecomputers.club
+  fern.int.infra.hatecomputers.club:
+    # - fern.hatecomputers.club
     - auth.hatecomputers.club
     - mail.hatecomputers.club
-  himmel.infra.hatecomputers.club:
-    - himmel.hatecomputers.club
+  himmel.int.infra.hatecomputers.club:
+    # - himmel.hatecomputers.club
     - git.hatecomputers.club
+    - ci.hatecomputers.club
diff --git a/inventory b/inventory
index 2dc1b6f..f5973fa 100644
--- a/inventory
+++ b/inventory
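Review bot: `drone_server_host: "https://ci.hatecomputers.club"` carries a scheme, but the drone compose template renders it straight into `DRONE_SERVER_HOST`, which Drone documents as a bare hostname — the scheme is supplied separately by `DRONE_SERVER_PROTO=https`. Drone builds its OAuth callback and webhook URLs from proto + host, so the URL form would presumably yield a doubled `https://https://…` and break the Gitea login round-trip; set `drone_server_host: "ci.hatecomputers.club"`. `drone_gitea_server` is correct as a full URL, which is exactly why the two are easy to confuse. A one-line comment above each variable stating which form Drone expects (`# hostname only, no scheme` / `# full URL including scheme`) would prevent a regression.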
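Review bot: The commented-out entries `# - fern.hatecomputers.club` and `# - himmel.hatecomputers.club` in host_domains.yml leave dead configuration in the list without recording why. If those vhosts are retired, delete the lines (history keeps them); if they are only temporarily disabled, replace each with a comment saying why and what re-enables them. The mapping keys now use the `.int.infra.` names, which match the renamed nginx template directories and the inventory hostnames, so a short comment above `host_domains:` stating that the key is the inventory hostname would make that coupling explicit.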
@@ -29,3 +29,6 @@ fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
 
 [wireguard-endpoint]
 himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
+
+[drone]
+himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
diff --git a/playbooks/deploy-drone.yml b/playbooks/deploy-drone.yml
new file mode 100644
index 0000000..5faf8c3
--- /dev/null
+++ b/playbooks/deploy-drone.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Drone CI setup
+  hosts: drone
+  roles:
+    - drone
diff --git a/playbooks/roles/drone/tasks/main.yml b/playbooks/roles/drone/tasks/main.yml
new file mode 100644
index 0000000..b17d68c
--- /dev/null
+++ b/playbooks/roles/drone/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+
+- name: Ensure drone docker/compose exist
+  ansible.builtin.file:
+    path: /etc/docker/compose/drone
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Build drone docker-compose.yml.j2
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: /etc/docker/compose/drone/docker-compose.yml
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Daemon-reload and enable drone
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@drone
diff --git a/playbooks/roles/drone/templates/docker-compose.yml.j2 b/playbooks/roles/drone/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..0abcaf8
--- /dev/null
+++ b/playbooks/roles/drone/templates/docker-compose.yml.j2
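Review bot: `state: restarted` in the last task of tasks/main.yml restarts `docker-compose@drone` on every playbook run, not only when the compose file changed, so each deploy interrupts any in-flight CI jobs. Prefer `state: started` here, add `notify: Restart drone` to the template task, and put the restart in a role handler so it only follows a real change. Separately, `mode: 0700` (both tasks) is an unquoted octal that relies on the YAML 1.1 parser honouring the leading zero; write `mode: "0700"` — and since the rendered compose file holds the Gitea client secret and RPC secret, keeping it root-only is right, with `"0600"` sufficient for a non-executable file. The task is named "Daemon-reload" but the module is not passed `daemon_reload: true`; either add it or rename the task so the name matches what it does.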
@@ -0,0 +1,29 @@
+version: '3'
+
+services:
+  drone:
+    container_name: drone
+    image: drone/drone:latest
+    volumes:
+      - ./drone:/data
+    ports:
+      - "127.0.0.1:2201:80"
+    environment:
+      - DRONE_GITEA_SERVER={{ drone_gitea_server }}
+      - DRONE_GITEA_CLIENT_ID={{ drone_gitea_client_id }}
+      - DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_client_secret }}
+      - DRONE_GIT_ALWAYS_AUTH=true
+      - DRONE_SERVER_PROTO=https
+      - DRONE_SERVER_HOST={{ drone_server_host }}
+      - DRONE_RPC_SECRET={{ drone_rpc_secret }}
+  drone-runner:
+    container_name: drone_runner
+    image: drone/drone-runner-docker:latest
+    userns_mode: 'host' # Needed to get access to docker socket
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - DRONE_RPC_SECRET={{ drone_rpc_secret }}
+      - DRONE_RPC_HOST=drone:80
+      - DRONE_RPC_PROTO=http
+      - DRONE_RUNNER_CAPACITY=4
diff --git a/playbooks/roles/nginx/templates/fern.hatecomputers.club/http.auth.hatecomputers.club.conf b/playbooks/roles/nginx/templates/fern.int.infra.hatecomputers.club/http.auth.hatecomputers.club.conf
similarity index 100%
rename from playbooks/roles/nginx/templates/fern.hatecomputers.club/http.auth.hatecomputers.club.conf
rename to playbooks/roles/nginx/templates/fern.int.infra.hatecomputers.club/http.auth.hatecomputers.club.conf
diff --git a/playbooks/roles/nginx/templates/fern.hatecomputers.club/http.mail.hatecomputers.club.conf b/playbooks/roles/nginx/templates/fern.int.infra.hatecomputers.club/http.mail.hatecomputers.club.conf
similarity index 100%
rename from playbooks/roles/nginx/templates/fern.hatecomputers.club/http.mail.hatecomputers.club.conf
rename to playbooks/roles/nginx/templates/fern.int.infra.hatecomputers.club/http.mail.hatecomputers.club.conf
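Review bot: Both services are pulled by floating tag (`drone/drone:latest`, `drone/drone-runner-docker:latest`), so any pull can move the server and runner to a different, possibly mismatched release pair with no change visible in this repo; pin both to the same explicit version and bump them together. The environment entries are plain YAML scalars, so a generated secret containing ` #` or `: ` would be truncated or turn the line into a mapping — quote each templated entry, e.g. `- "DRONE_RPC_SECRET={{ drone_rpc_secret }}"`. The runner's `/var/run/docker.sock` bind together with `userns_mode: 'host'` is inherent to the docker runner but gives that container root-equivalent control of the host daemon; the existing inline comment should say so plainly and note that only repositories whose pipelines you would run as host root should be activated in Drone. The server port is bound to `127.0.0.1:2201` only, which correctly keeps it reachable solely through the nginx vhost.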
diff --git a/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.auth.hatecomputers.club.conf b/playbooks/roles/nginx/templates/fern.int.infra.hatecomputers.club/https.auth.hatecomputers.club.conf
similarity index 100%
rename from playbooks/roles/nginx/templates/fern.hatecomputers.club/https.auth.hatecomputers.club.conf
rename to playbooks/roles/nginx/templates/fern.int.infra.hatecomputers.club/https.auth.hatecomputers.club.conf
diff --git a/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.mail.hatecomputers.club.conf b/playbooks/roles/nginx/templates/fern.int.infra.hatecomputers.club/https.mail.hatecomputers.club.conf
similarity index 100%
rename from playbooks/roles/nginx/templates/fern.hatecomputers.club/https.mail.hatecomputers.club.conf
rename to playbooks/roles/nginx/templates/fern.int.infra.hatecomputers.club/https.mail.hatecomputers.club.conf
diff --git a/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/http.ci.hatecomputers.club.conf b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/http.ci.hatecomputers.club.conf
new file mode 100644
index 0000000..016f99c
--- /dev/null
+++ b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/http.ci.hatecomputers.club.conf
@@ -0,0 +1,8 @@
+server {
+    listen 80;
+    server_name ci.hatecomputers.club;
+
+    location / {
+        rewrite ^ https://ci.hatecomputers.club$request_uri? permanent;
+    }
+}
diff --git a/playbooks/roles/nginx/templates/himmel.hatecomputers.club/http.git.hatecomputers.club.conf b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/http.git.hatecomputers.club.conf
similarity index 100%
rename from playbooks/roles/nginx/templates/himmel.hatecomputers.club/http.git.hatecomputers.club.conf
rename to playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/http.git.hatecomputers.club.conf
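Review bot: The plain-HTTP vhost redirects with `rewrite ^ https://ci.hatecomputers.club$request_uri? permanent;`, which evaluates a regex per request and leans on the trailing `?` to stop nginx re-appending the query string that `$request_uri` already contains. The form nginx itself recommends for a whole-server redirect is `return 301 https://$server_name$request_uri;` placed directly in the `server` block, with no `location /` needed. It is functionally the same here, so this is a style point, but it reads more clearly and cannot double the query string if the `?` is later dropped.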
diff --git a/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/https.ci.hatecomputers.club.conf b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/https.ci.hatecomputers.club.conf
new file mode 100644
index 0000000..b5584df
--- /dev/null
+++ b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/https.ci.hatecomputers.club.conf
@@ -0,0 +1,21 @@
+server {
+    server_name ci.hatecomputers.club;
+    listen 443 ssl;
+
+    ssl_dhparam /etc/nginx/dhparams.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
+
+    ssl_certificate /etc/letsencrypt/live/ci.hatecomputers.club/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ci.hatecomputers.club/privkey.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:2201;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+    }
+}
diff --git a/playbooks/roles/nginx/templates/himmel.hatecomputers.club/https.git.hatecomputers.club.conf b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/https.git.hatecomputers.club.conf
similarity index 100%
rename from playbooks/roles/nginx/templates/himmel.hatecomputers.club/https.git.hatecomputers.club.conf
rename to playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/https.git.hatecomputers.club.conf
diff --git a/secrets.txt b/secrets.txt
index 2910054..e232c35 100644
--- a/secrets.txt
+++ b/secrets.txt
@@ -6,3 +6,6 @@ roundcube_oauth2_client_basic_secret
 gitea_jwt_secret
 gitea_oauth2_jwt_secret
 gitea_internal_token
+drone_gitea_client_id
+drone_gitea_client_secret
+drone_rpc_secret
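Review bot: The `location /` block in https.ci.hatecomputers.club.conf forwards only `X-Real-IP` and `Host`, so the upstream Drone server is told neither the client forwarding chain nor that the original request arrived over HTTPS; add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` so generated URLs and Drone's own logs reflect the external scheme and client address. Drone's reverse-proxy guidance, as I recall it, also disables response buffering for live build-log streaming with `proxy_buffering off;`, which is absent here and would otherwise make logs arrive in bursts. The TLS stanza is sound (TLS 1.2/1.3, AEAD-only suites, tickets off), but no `Strict-Transport-Security` header is set; if that is a deliberate site-wide choice a comment saying so would save the next reviewer the question.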