diff --git a/machines/core-services-01/drone.nix b/machines/core-services-01/drone.nix
new file mode 100644
index 0000000..6bec44e
--- /dev/null
+++ b/machines/core-services-01/drone.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+let
+ port = 3030;
+in
+{
+ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+ "drone.io"
+ ];
+ services.drone-server = {
+ enable = true;
+ env = [
+ "DRONE_USER_CREATE=username:rz,admin:true"
+ ];
+ envFile = config.age.secrets.droneKeyFile.path;
+ inherit port;
+ };
+
+ services.nginx.virtualHosts."drone.rz.ens.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ };
+ };
+}
diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix
index afe9a5b..2999dc4 100644
--- a/machines/core-services-01/gitea.nix
+++ b/machines/core-services-01/gitea.nix
@@ -5,6 +5,7 @@ let
 port = 3000;
 in
 {
+ imports = [ ./drone.nix ];
 services.gitea = {
 enable = true;
 domain = "git.${my.subZone}";
diff --git a/machines/core-services-01/nix/sources.json b/machines/core-services-01/nix/sources.json
index 359fd04..e2e568a 100644
--- a/machines/core-services-01/nix/sources.json
+++ b/machines/core-services-01/nix/sources.json
@@ -14,7 +14,7 @@
 "klubrz-nur": {
 "branch": "main",
 "repo": "https://git.rz.ens.wtf/Klub-RZ/nur",
- "rev": "48597e362c87365976ebc0168fb0e5678aa3865d",
+ "rev": "a567fa82ffcde61719c5409c472360eaee7b9611",
 "type": "git"
 },
 "niv": {
diff --git a/machines/core-services-01/secrets/default.nix b/machines/core-services-01/secrets/default.nix
index 4459bf2..10b41f1 100644
--- a/machines/core-services-01/secrets/default.nix
+++ b/machines/core-services-01/secrets/default.nix
@@ -2,4 +2,5 @@
 {
 age.secrets.keycloakDatabasePasswordFile.file = ./keycloakDatabasePasswordFile.age;
 age.secrets.oauth2ProxyKeyFile.file = ./oauth2ProxyKeyFile.age;
+ age.secrets.droneKeyFile.file = ./droneKeyFile.age;
 }
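Review bot: The only access-related setting visible in the `env` list of drone.nix is `DRONE_USER_CREATE`, so this file does not show whether sign-in is restricted. Unless the encrypted `envFile` sets it, Drone's default is open registration for any account on the linked source-control server (presumably the Gitea instance on this host). Non-secret policy such as `"DRONE_REGISTRATION_CLOSED=true"` or a `DRONE_USER_FILTER` allow-list is easier to review in `env` next to the admin bootstrap, leaving only the client and RPC secrets in the age file. Separately, nginx proxies to `127.0.0.1:${toString port}` but nothing here shows which address the server binds. It is worth confirming that port 3030 is loopback-only or closed in the firewall, since otherwise the plain-HTTP listener would be reachable without `forceSSL`.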
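Review bot: The new `age.secrets.droneKeyFile` entry in secrets/default.nix has a name that suggests a single key, but drone.nix consumes it as `envFile`, so it holds environment assignments. Nothing records which variables the encrypted blob must define, so a comment above the line would help rotation and review, e.g. `# KEY=VALUE env file for services.drone-server; keep the list of variable names it defines here`. No `owner` or `mode` is set, which is fine if the module passes the path to systemd's `EnvironmentFile=`, but needs revisiting if the service process opens the file itself. The attribute set starts outside the hunk.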
diff --git a/machines/core-services-01/secrets/droneKeyFile.age b/machines/core-services-01/secrets/droneKeyFile.age new file mode 100644 index 0000000..00703c2 Binary files /dev/null and b/machines/core-services-01/secrets/droneKeyFile.age differ diff --git a/machines/core-services-01/secrets/secrets.nix b/machines/core-services-01/secrets/secrets.nix index dca2f64..cd564de 100644 --- a/machines/core-services-01/secrets/secrets.nix +++ b/machines/core-services-01/secrets/secrets.nix @@ -9,5 +9,6 @@ in { "keycloakDatabasePasswordFile.age".publicKeys = superadmins ++ systems; "oauth2ProxyKeyFile.age".publicKeys = superadmins ++ systems; + "droneKeyFile.age".publicKeys = superadmins ++ systems; } diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix index c9417d9..306dc68 100644 --- a/machines/core-services-01/subZone.nix +++ b/machines/core-services-01/subZone.nix @@ -24,6 +24,7 @@ with my.ipv6; # contains { standard, acme } subdomains = { git.AAAA = standard; + drone.AAAA = standard; wiki.AAAA = standard; monitoring.AAAA = standard; auth.AAAA = standard;