diff --git a/TODO.md b/TODO.md
index 2d4a288..44ccd02 100644
--- a/TODO.md
+++ b/TODO.md
@@ -3,5 +3,6 @@
 - [ ] Update Readme (CI, Git, plantuml, etc.)
 - [ ] Split `docker/web/docker-compose.yaml` into different configs (e.g. `web`, `gitlab`, `drone`) using the same network
 - [ ] Use `/var/lib/pbri/docker/...` instead of Docker volumes (makes backups easier)
-- [ ] Add [Drone runner](https://docs.drone.io/runner/docker/installation/linux/)
+    - [ ] Make it inaccessible to anyone but root (`-rw------`)
+- [x] Add [Drone runner](https://docs.drone.io/runner/docker/installation/linux/)
 - [ ] Figure out how to dependably store `.env` files (Ansible vault? Something else?)
diff --git a/ansible/misc-docker.yaml b/ansible/misc-docker.yaml
index d8dba26..54a64ef 100644
--- a/ansible/misc-docker.yaml
+++ b/ansible/misc-docker.yaml
@@ -41,7 +41,7 @@
         - name: web
           state: present
         - name: runner
-          state: present
+          state: absent
     - name: Add jupyter user with UID 42000
       become: yes
       ansible.builtin.user:
diff --git a/docker/web/docker-compose.yaml b/docker/web/docker-compose.yaml
index 8a4ffe9..afe0124 100644
--- a/docker/web/docker-compose.yaml
+++ b/docker/web/docker-compose.yaml
@@ -102,10 +102,25 @@ services:
     environment:
       DRONE_GITLAB_SERVER: https://git.pbrinkmeier.de
       DRONE_SERVER_HOST: ci.pbrinkmeier.de
-      DRONE_SERVER_PROTO: http
+      DRONE_SERVER_PROTO: https
     volumes:
       - /var/lib/pbri/docker/drone_server:/data
     restart: always
+    ports:
+      - 3000:3000
+
+  drone_runner:
+    image: drone/drone-runner-docker:1
+    # DRONE_RPC_SECRET
+    env_file: drone.env
+    environment:
+      DRONE_RPC_PROTO: https
+      DRONE_RPC_HOST: ci.pbrinkmeier.de
+      DRONE_RUNNER_CAPACITY: 1
+      DRONE_RUNNER_NAME: shamash
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    restart: always
 
 volumes:
   caddy_data: