diff --git a/ansible/roles/halo/templates/halo-compose.yml b/ansible/roles/halo/templates/halo-compose.yml
index 1a115a8..7ad09b7 100644
--- a/ansible/roles/halo/templates/halo-compose.yml
+++ b/ansible/roles/halo/templates/halo-compose.yml
@@ -77,4 +77,41 @@ services:
       - "traefik.http.routers.overseerr.tls=true"      
       - "traefik.http.routers.overseerr.tls.certresolver=awful-letsencrypt"
       - "traefik.http.routers.overseerr.service=overseerr-web-svc"      
-      - "traefik.http.services.overseerr-web-svc.loadbalancer.server.port=5055"      
+      - "traefik.http.services.overseerr-web-svc.loadbalancer.server.port=5055"
+
+  drone:
+    image: 'drone/drone:2'
+    networks:
+      pubnet:    
+    volumes:
+      - '/home/josiah/apps/drone:/data'
+    environment:
+      - "DRONE_GITEA_SERVER=https://git.awful.club"
+      - "DRONE_GITEA_CLIENT_ID={{ vault_drone_client_id}}"
+      - "DRONE_GITEA_CLIENT_SECRET={{ vault_drone_client_secret }}"
+      - "DRONE_RPC_SECRET={{ vault_drone_rpc_secret }}"
+      - "DRONE_SERVER_HOST=drone.awful.club"
+      - "DRONE_SERVER_PROTO=https"
+    labels:
+      # global rules
+      - "traefik.enable=true"
+      # the web ui
+      - "traefik.http.routers.drone.rule=Host(`drone.awful.club`)"      
+      - "traefik.http.routers.drone.entrypoints=websecure"
+      - "traefik.http.routers.drone.tls=true"      
+      - "traefik.http.routers.drone.tls.certresolver=awful-letsencrypt"
+      - "traefik.http.routers.drone.service=drone-web-svc"
+      - "traefik.http.services.drone-web-svc.loadbalancer.server.port=80"
+
+  drone-runner-docker:
+    image: 'drone/drone-runner-docker:1'          
+    ports:
+      - '3000:3000'
+    volumes:
+      - '/var/run/docker.sock:/var/run/docker.sock'
+    environment:
+      - "DRONE_RPC_PROTO=https"
+      - "DRONE_RPC_HOST=drone.awful.club"
+      - "DRONE_RPC_SECRET={{ vault_drone_rpc_secret }}"
+      - "DRONE_RUNNER_CAPACITY=2"
+      - "DRONE_RUNNER_NAME=my-first-runner"