diff --git a/roles/drone/meta/main.yml b/roles/drone/meta/main.yml
new file mode 100644
index 0000000..c87c87b
--- /dev/null
+++ b/roles/drone/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: common
+ - role: docker
diff --git a/roles/drone/tasks/apache.yml b/roles/drone/tasks/apache.yml
new file mode 100644
index 0000000..5df6614
--- /dev/null
+++ b/roles/drone/tasks/apache.yml
@@ -0,0 +1,34 @@
+---
+- name: add drone http site
+ template:
+ src: etc/apache2/sites-available/ci_domain.conf.j2
+ dest: /etc/apache2/sites-available/{{ ci_domain}}.conf
+ owner: root
+ group: root
+ mode: 0644
+- name: disable default site and enable drone site
+ block:
+ - name: disable default site
+ command:
+ cmd: a2dissite 000-default.conf
+ - name: enable drone site
+ command:
+ cmd: a2ensite {{ ci_domain }}.conf
+- name: run certbot
+ command:
+ cmd: certbot --apache --non-interactive --keep-until-expiring --no-eff-mail --email {{ admin_mail }} --redirect --renew-with-new-domains --agree-tos -d {{ ci_domain }}
+ when: ansible_domain != 'dev'
+- include: ssl-dev.yml
+ when ansible_domain == 'dev'
+- name: add drone https site
+ template:
+ src: etc/apache2/sites-available/ci_domain-le-ssl.conf.j2
+ dest: /etc/apache2/sites-available/{{ ci_domain }}-le-ssl.conf
+ owner: root
+ group: root
+ mode: 0644
+- name: enable drone https site
+ command:
+ cmd: a2ensite {{ ci_domain }}-le-ssl.conf
+ notify: restart apache
+
diff --git a/roles/drone/tasks/main.yml b/roles/drone/tasks/main.yml
new file mode 100644
index 0000000..28bf10e
--- /dev/null
+++ b/roles/drone/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+-
diff --git a/roles/drone/tasks/ssl-dev.yml b/roles/drone/tasks/ssl-dev.yml
new file mode 100644
index 0000000..4cbecaf
--- /dev/null
+++ b/roles/drone/tasks/ssl-dev.yml
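Review bot: The dev-branch include cannot parse: `when ansible_domain == 'dev'` is missing the colon after `when`, so Ansible fails to load the whole task file in every environment, not just dev. The bare `include` keyword is deprecated as well, so the pair should read `- include_tasks: ssl-dev.yml` / `  when: ansible_domain == 'dev'`. Separately, the https task's `src: etc/apache2/sites-available/ci_domain-le-ssl.conf.j2` does not match the template this commit actually adds, `ci-domain-le-ssl.conf.j2` (hyphen versus underscore), so that template lookup will fail; and both `mode: 0644` values are safer quoted as `mode: "0644"` to avoid octal reinterpretation across YAML parsers. The `a2dissite`/`a2ensite` command tasks will report changed on every run and the http-site `a2ensite` carries no `notify: restart apache`, which is worth a `changed_when`/`creates:` guard and a matching notify.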
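Review bot: `tasks/main.yml` consists of a bare `-`, which YAML reads as a list holding a single null item and Ansible rejects as a task without an action, so the role fails before running anything. Nothing in this commit includes `apache.yml` or renders `templates/etc/drone/docker-compose.yml.j2`, so even with the stray dash removed the role would be a no-op. As a start, `- import_tasks: apache.yml` belongs here, followed by whatever task renders the compose file and brings the Drone service up.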
@@ -0,0 +1,27 @@
+---
+- name: Ensure python OpenSSL dependencies are installed.
+ pip:
+ name: pyOpenSSL
+ state: present
+
+- name: Ensure directory exists for local self-signed TLS certs.
+ file:
+ path: /etc/letsencrypt/live/{{ ci_domain }}
+ state: directory
+
+- name: Generate an OpenSSL private key.
+ openssl_privatekey:
+ path: /etc/letsencrypt/live/{{ ci_domain }}/privkey.pem
+
+- name: Generate an OpenSSL CSR.
+ openssl_csr:
+ path: /etc/ssl/private/{{ ci_domain }}.csr
+ privatekey_path: /etc/letsencrypt/live/{{ ci_domain }}/privkey.pem
+ common_name: "{{ ci_domain }}"
+
+- name: Generate a Self Signed OpenSSL certificate.
+ openssl_certificate:
+ path: /etc/letsencrypt/live/{{ ci_domain }}/fullchain.pem
+ privatekey_path: /etc/letsencrypt/live/{{ ci_domain }}/privkey.pem
+ csr_path: /etc/ssl/private/{{ ci_domain }}.csr
+ provider: selfsigned
diff --git a/roles/drone/templates/etc/apache2/sites-available/ci-domain-le-ssl.conf.j2 b/roles/drone/templates/etc/apache2/sites-available/ci-domain-le-ssl.conf.j2
new file mode 100644
index 0000000..f51298c
--- /dev/null
+++ b/roles/drone/templates/etc/apache2/sites-available/ci-domain-le-ssl.conf.j2
@@ -0,0 +1,21 @@
+
+
+ ServerName {{ ci_domain }}
+ ServerAdmin {{ admin_mail }}
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLCertificateFile /etc/letsencrypt/live/{{ ci_domain }}/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ ci_domain }}/privkey.pem
+ Include /etc/letsencrypt/options-ssl-apache.conf
+
+ # Encoded slashes need to be allowed
+ AllowEncodedSlashes NoDecode
+
+ # keep the host
+ ProxyPreserveHost On
+ ProxyPass / http://127.0.0.1:8000/
+ ProxyPassReverse / http://127.0.0.1:8000/
+
+
+
diff --git a/roles/drone/templates/etc/apache2/sites-available/ci_domain.conf.j2 b/roles/drone/templates/etc/apache2/sites-available/ci_domain.conf.j2
new file mode 100644
index 0000000..dfd6bb4
--- /dev/null
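Review bot: The `file` task creates `/etc/letsencrypt/live/{{ ci_domain }}` with no `owner`, `group` or `mode`, so the directory that will hold `privkey.pem` gets whatever the current umask yields, typically a world-listable 0755; since this is where the private key lives, add `owner: root`, `group: root` and `mode: "0700"` to that task. The CSR is written to `/etc/ssl/private/{{ ci_domain }}.csr` while key and certificate sit under `/etc/letsencrypt/live`, which scatters the dev material across two trees for no visible reason; keeping the CSR beside the key simplifies cleanup and permissions. On current Ansible the `openssl_*` modules are provided by the `community.crypto` collection, so the role should probably declare that requirement (hedged: depends on the Ansible version this repository targets).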
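Review bot: `Include /etc/letsencrypt/options-ssl-apache.conf` references a file that certbot writes when it installs a certificate, but on the `ansible_domain == 'dev'` path certbot is skipped and the self-signed tasks in `ssl-dev.yml` never create it, so Apache will refuse to start once this vhost is enabled; either ship that options file from the role or wrap the line in `<IfFile /etc/letsencrypt/options-ssl-apache.conf>` (available on Apache 2.4.34 and later, as far as I recall). The opening `<IfModule>`/`<VirtualHost *:443>` and closing tags appear as blank lines in this rendering (hunk lines 1–2 and 19–21), most likely angle brackets dropped during extraction, but it is worth confirming the committed file really has them. Because the backend is configured with `DRONE_SERVER_PROTO=http` elsewhere in this commit, consider adding `RequestHeader set X-Forwarded-Proto "https"` beside `ProxyPreserveHost On` so the proxied application can tell the client leg is TLS-terminated (the upstream Drone Apache example sets this, if memory serves).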
+++ b/roles/drone/templates/etc/apache2/sites-available/ci_domain.conf.j2
@@ -0,0 +1,6 @@
+
+ ServerName {{ ci_domain }}
+ ServerAdmin {{ admin_mail }}
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
diff --git a/roles/drone/templates/etc/drone/docker-compose.yml.j2 b/roles/drone/templates/etc/drone/docker-compose.yml.j2
new file mode 100644
index 0000000..d3e8e34
--- /dev/null
+++ b/roles/drone/templates/etc/drone/docker-compose.yml.j2
@@ -0,0 +1,22 @@
+version: '2'
+
+services:
+ drone-server:
+ image: drone/drone:1
+
+ ports:
+ - 8000:8000
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /var/lib/drone:/data
+ restart: always
+ environment:
+ - DRONE_SERVER_HOST={{ ci_domain }}
+ - DRONE_SERVER_PROTO=http
+ - DRONE_RUNNER_CAPACITY=2
+ - DRONE_USER_CREATE=username:{{ gitea_user }},admin:true
+ - DRONE_GITEA_SERVER={{ gitea_url }}
+ - DRONE_GITEA_CLIENT_ID={{ gitea_client_id }}
+ - DRONE_GITEA_CLIENT_SECRET={{ gitea_client_secret }}
+ - LC_ALL=C.UTF-8
+ - LANG=C.UTF-8
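Review bot: This port-80 vhost carries no redirect to https; in production the `certbot --redirect` call in apache.yml rewrites the rendered `{{ ci_domain }}.conf` to add one, but on the dev path certbot is skipped, so the plain-http site stays up beside the TLS one. Adding `Redirect permanent / https://{{ ci_domain }}/` in the template covers both cases and no longer depends on certbot editing the file. Note the related interaction: the `template` task re-renders this file on every run and would overwrite certbot's in-place modifications (hedged: whether certbot re-applies the redirect on later `--keep-until-expiring` runs is not something this diff shows). As with the TLS template, the surrounding `<VirtualHost *:80>` lines show as blank here, presumably stripped in extraction.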
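Review bot: `- 8000:8000` publishes Drone on every host interface, so the service is reachable directly on port 8000 and bypasses the Apache TLS vhost that proxies to `127.0.0.1:8000`; bind it to loopback with `- "127.0.0.1:8000:8000"` (quoted so the `host:port` value is never reinterpreted by a YAML parser). `DRONE_SERVER_PROTO=http` while the public endpoint is https means Drone builds its OAuth callback and generated links with an http scheme, which the Gitea OAuth application will reject or downgrade; it should be `DRONE_SERVER_PROTO=https` whenever the `-le-ssl` site is the front door. The rendered file holds `gitea_client_secret` in clear text, so whichever task renders this template (not part of this commit) needs a restrictive mode such as `"0600"`; and mounting `/var/run/docker.sock` into the server hands it root-equivalent control of the host, which is inherent to the single-node Drone 1 layout but deserves a line in the role's README.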