diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix index b35faac..4f41cdb 100644 --- a/machines/fuuko/configuration.nix +++ b/machines/fuuko/configuration.nix @@ -7,6 +7,7 @@ ./services/ankisyncd.nix ./services/dnsmasq.nix + ./services/drone ./services/gitea.nix ./services/grafana.nix ./services/hedgedoc.nix @@ -32,6 +33,7 @@ "/data/torrent" ]; }; + unfree.allowSoftware = true; }; services.nginx = { diff --git a/machines/fuuko/services/drone/default.nix b/machines/fuuko/services/drone/default.nix new file mode 100644 index 0000000..346d4be --- /dev/null +++ b/machines/fuuko/services/drone/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./runner-exec.nix + ./server.nix + ]; +} diff --git a/machines/fuuko/services/drone/runner-exec.nix b/machines/fuuko/services/drone/runner-exec.nix new file mode 100644 index 0000000..0bbf1fb --- /dev/null +++ b/machines/fuuko/services/drone/runner-exec.nix 
@@ -0,0 +1,59 @@
+# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix
+{ config, lib, pkgs, ... }:
+let
+ user = "drone-runner-exec";
+ group = "drone-runner-exec";
+
+ availablePkgs = with pkgs; [
+ bash
+ git
+ git-lfs
+ gnutar
+ gzip
+ nix
+ ];
+in
+{
+ systemd.services.drone-runner-exec = {
+ wantedBy = [ "multi-user.target" ];
+ # might break deployment
+ restartIfChanged = false;
+ confinement = {
+ enable = true;
+ packages = availablePkgs;
+ };
+ path = availablePkgs;
+ environment = {
+ DRONE_RPC_HOST = "ci.sbruder.de";
+ DRONE_RPC_PROTO = "https";
+ DRONE_RUNNER_CAPACITY = "2";
+ NIX_REMOTE = "daemon";
+ PAGER = "cat";
+ };
+ serviceConfig = {
+ EnvironmentFile = lib.singleton config.krops.secrets.drone-rpc-environment.path;
+ BindPaths = [
+ "/nix/var/nix/daemon-socket/socket"
+ "/run/nscd/socket"
+ ];
+ BindReadOnlyPaths = [
+ "/etc/group:/etc/group"
+ "/etc/machine-id"
+ "/etc/nix:/etc/nix"
+ "/etc/passwd:/etc/passwd"
+ "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"
+ "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
+ "/nix"
+ ];
+ ExecStart = "${pkgs.unstable.drone-runner-exec}/bin/drone-runner-exec";
+ User = user;
+ Group = group;
+ };
+ };
+
+ users.users."${user}" = {
+ isSystemUser = true;
+ inherit group;
+ };
+ users.groups."${group}" = { };
+}
diff --git a/machines/fuuko/services/drone/server.nix b/machines/fuuko/services/drone/server.nix
new file mode 100644
index 0000000..5df4522
--- /dev/null
+++ b/machines/fuuko/services/drone/server.nix
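Review bot: Pipeline steps executed by this runner run on the host as the `drone-runner-exec` user, and nothing in the hunk limits which repositories may use it: the `confinement` block narrows the filesystem view (presumably inherited by the steps it spawns), but steps still share that uid, the network, the bound nix-daemon socket (`NIX_REMOTE = "daemon"`) and `git`/`nix` on `path`, so every repository activated on the server gets code execution on fuuko and can build or fetch arbitrary derivations through the daemon. That trust assumption is worth stating at the top of the file, e.g. `# NOTE: exec pipelines run unsandboxed as this user with network and nix-daemon access; only activate repositories whose authors are trusted.` The `# might break deployment` comment would also help more if it said what breaks, presumably in-flight pipelines being killed when the unit is restarted.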
@@ -0,0 +1,62 @@
+# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/server.nix
+{ config, lib, pkgs, ... }:
+let
+ user = "drone-server";
+ group = "drone-server";
+in
+{
+ krops.secrets = {
+ drone-rpc-environment = { };
+ drone-server-environment = { };
+ };
+
+ systemd.services.drone-server = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "postgres.service" ];
+ environment = {
+ DRONE_DATABASE_DATASOURCE = "postgres:///drone-server?host=/run/postgresql";
+ DRONE_DATABASE_DRIVER = "postgres";
+ DRONE_GITEA_SERVER = "https://git.sbruder.de";
+ DRONE_PROMETHEUS_ANONYMOUS_ACCESS = "true";
+ DRONE_SERVER_HOST = "ci.sbruder.de";
+ DRONE_SERVER_PORT = "127.0.0.1:8011";
+ DRONE_SERVER_PROTO = "https";
+ DRONE_USER_CREATE = "username:simon,admin:true";
+ };
+ serviceConfig = {
+ EnvironmentFile = with config.krops.secrets; [
+ drone-rpc-environment.path
+ drone-server-environment.path
+ ];
+ ExecStart = "${pkgs.unstable.drone}/bin/drone-server";
+ Restart = "on-failure";
+ User = user;
+ Group = group;
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "drone-server" ];
+ ensureUsers = [{
+ name = user;
+ ensurePermissions = {
+ "DATABASE \"drone-server\"" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+
+ services.nginx.virtualHosts."ci.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".proxyPass = "http://${config.systemd.services.drone-server.environment.DRONE_SERVER_PORT}";
+ "/metrics".return = "403";
+ };
+ };
+
+ users.users."${user}" = {
+ isSystemUser = true;
+ inherit group;
+ };
+ users.groups."${group}" = { };
+}
diff --git a/machines/fuuko/services/prometheus.nix b/machines/fuuko/services/prometheus.nix
index 9e20a2a..0c64d5a 100644
--- a/machines/fuuko/services/prometheus.nix
+++ b/machines/fuuko/services/prometheus.nix
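Review bot: Registration is left open: without `DRONE_REGISTRATION_CLOSED = "true";` (or a `DRONE_USER_FILTER`) in the `environment` block, any account on `git.sbruder.de` can log in to `ci.sbruder.de`, activate its own repositories and have them run by the exec runner added in the same commit, which executes pipelines directly on the host; whether that matters depends on Gitea's registration policy, and the `drone-server-environment` secret file may already carry the setting, but it is not visible here. `DRONE_USER_CREATE = "username:simon,admin:true"` still creates the admin account when registration is closed. Separately, `after = [ "postgres.service" ]` names a unit NixOS does not define — its PostgreSQL unit is `postgresql.service` — so the ordering is ineffective and the server presumably only comes up because `Restart = "on-failure"` retries; `after = [ "postgresql.service" ];` together with `requires = [ "postgresql.service" ];` would fix that.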
@@ -103,6 +103,14 @@ in }; } ) + { + job_name = "drone"; + static_configs = mkStaticTarget config.systemd.services.drone-server.environment.DRONE_SERVER_PORT; + relabel_configs = lib.singleton { + target_label = "instance"; + replacement = "ci.sbruder.de"; + }; + } ]; rules = diff --git a/modules/unfree.nix b/modules/unfree.nix index 923070e..3b8de8a 100644 --- a/modules/unfree.nix +++ b/modules/unfree.nix @@ -26,9 +26,11 @@ in "vista-fonts" "wallpaper-unfree" # defined in users/simon/modules/sway.nix ] ++ lib.optionals cfg.allowSoftware [ + "drone-runner-exec" # exception: same as drone.io + "drone.io" # exception: is open source (but has usage restriction) + "fahclient" # exception: for science "osu-lazer" # exception: is mostly free (just has one unfree dependency) and runs in container "p7zip" # exception: rar source code is not free, but available; p7zip with `enableUnfree` includes it - "fahclient" # exception: for science ] )); };