diff --git a/.drone.yml b/.drone.yml
index a2c2f59d..093f50e4 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -11,7 +11,7 @@ steps:
 event:
 - pull_request
 environment:
- NIX_FLAGS: "--print-build-logs --verbose"
+ NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
 commands:
 - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS'
 - nix $$NIX_FLAGS develop --command nix flake show
@@ -27,7 +27,7 @@ node:
 steps:
 - name: "Tests"
 environment:
- NIX_FLAGS: "--print-build-logs --verbose"
+ NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
 commands:
 - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS'
 - nix $$NIX_FLAGS build ".#checks.x86_64-linux.customTestFor-PubSolarOS-firstTest"
@@ -93,7 +93,7 @@ steps:
 - name: "Build ISO"
 image: docker.nix-community.org/nixpkgs/nix-flakes:latest
 environment:
- NIX_FLAGS: "--print-build-logs --verbose"
+ NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
 volumes:
 - name: file-exchange
 path: /var/nix/iso-cache
diff --git a/flake.lock b/flake.lock
index 1448ca8e..f00a8e15 100644
--- a/flake.lock
+++ b/flake.lock
@@ -386,41 +386,6 @@
 "type": "github"
 }
 },
- "naersk": {
- "inputs": {
- "nixpkgs": [
- "nixos"
- ]
- },
- "locked": {
- "lastModified": 1671096816,
- "narHash": "sha256-ezQCsNgmpUHdZANDCILm3RvtO1xH8uujk/+EqNvzIOg=",
- "owner": "nmattia",
- "repo": "naersk",
- "rev": "d998160d6a076cfe8f9741e56aeec7e267e3e114",
- "type": "github"
- },
- "original": {
- "owner": "nmattia",
- "repo": "naersk",
- "type": "github"
- }
- },
- "nixlib": {
- "locked": {
- "lastModified": 1636849918,
- "narHash": "sha256-nzUK6dPcTmNVrgTAC1EOybSMsrcx+QrVPyqRdyKLkjA=",
- "owner": "nix-community",
- "repo": "nixpkgs.lib",
- "rev": "28a5b0557f14124608db68d3ee1f77e9329e9dd5",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "nixpkgs.lib",
- "type": "github"
- }
- },
 "nixos": {
 "locked": {
 "lastModified": 1674781052,
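Review bot: Adding `--accept-flake-config` to the `pull_request` pipeline in the first hunk makes nix apply whatever `nixConfig` the checked-out flake.nix declares — extra substituters and trusted public keys included — without the interactive confirmation that flag exists to bypass, so a PR that edits `nixConfig` can point the build at a binary cache and signing key it controls and have CI substitute those store paths instead of building them. Whether this is reachable depends on whether this Drone instance runs pull_request pipelines for forks or otherwise untrusted contributors, which the hunk does not show. A safer shape is to leave the flag off for `pull_request` and declare the caches you already trust in the runner image's `/etc/nix/nix.conf` (or pass them explicitly with `--option extra-substituters …`/`--option extra-trusted-public-keys …`), so only a config change reviewed on the default branch can widen the trust set. If the flag stays, a comment above `environment:` such as `# --accept-flake-config: the flake's nixConfig (caches, trusted keys) is applied unprompted, also on PR builds` would at least make the decision visible to the next reader.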
@@ -437,25 +402,6 @@ "type": "github" } }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1674666581, - "narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, "nixos-hardware": { "locked": { "lastModified": 1674550793, @@ -471,22 +417,6 @@ "type": "github" } }, - "nixpkgs": { - "locked": { - "lastModified": 1637186689, - "narHash": "sha256-NU7BhgnwA/3ibmCeSzFK6xGi+Bari9mPfn+4cBmyEjw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7fad01d9d5a3f82081c00fb57918d64145dc904c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { "lastModified": 1657292830, @@ -525,9 +455,7 @@ "home": "home", "keycloak-theme-pub-solar": "keycloak-theme-pub-solar", "latest": "latest_2", - "naersk": "naersk", "nixos": "nixos", - "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nur": "nur", "triton-vmtools": "triton-vmtools" diff --git a/flake.nix b/flake.nix index 7d89572d..53d547d3 100644 --- a/flake.nix +++ b/flake.nix @@ -31,13 +31,8 @@ agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixos"; - naersk.url = "github:nmattia/naersk"; - naersk.inputs.nixpkgs.follows = "nixos"; - nixos-hardware.url = "github:nixos/nixos-hardware"; - nixos-generators.url = "github:nix-community/nixos-generators"; - triton-vmtools.url = "git+https://git.b12f.io/pub-solar/infra?ref=main&dir=vmtools"; triton-vmtools.inputs.nixpkgs.follows = "nixos"; 
@@ -152,8 +147,16 @@
 };
 };
 users = {
- pub-solar = {suites, ...}: {imports = suites.base;};
- barkeeper = {suites, ...}: {imports = suites.base;};
+ pub-solar = {suites, ...}: {
+ imports = suites.base;
+
+ home.stateVersion = "21.03";
+ };
+ barkeeper = {suites, ...}: {
+ imports = suites.base;
+
+ home.stateVersion = "21.03";
+ };
 };
 # digga.lib.importers.rakeLeaves ./users/hm;
 };
diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix
new file mode 100644
index 00000000..6784f294
--- /dev/null
+++ b/modules/docker-ci-runner/default.nix
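Review bot: `home.stateVersion = "21.03";` is now repeated verbatim in both the `pub-solar` and `barkeeper` definitions, while the single copy (with its explanatory comment) is removed from profiles/base-user/home.nix elsewhere in this diff, so one value has become two that must be kept in sync by hand. Binding it once — `hmStateVersion = "21.03";` in an enclosing `let`, then `home.stateVersion = hmStateVersion;` in each user — keeps the two from drifting when a third user is added. A short comment on that binding, e.g. `# Home Manager state version; stays fixed across HM upgrades, see the HM release notes`, would preserve the rationale the deleted home.nix comment block carried. The enclosing attribute set begins outside this hunk.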
@@ -0,0 +1,109 @@
+{
+ lib,
+ config,
+ pkgs,
+ self,
+ ...
+}:
+with lib; let
+ bootstrap = pkgs.writeScript "bootstrap.sh" ''
+ #!/usr/bin/env bash
+
+ set -e
+
+ apt update
+ apt install --yes curl git sudo xz-utils
+
+ adduser --system --uid 999 build
+ chown build /nix
+
+ sudo -u build curl -L https://nixos.org/nix/install > install
+ sudo -u build sh install
+
+ echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile
+
+ mkdir /etc/nix
+ echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
+
+ export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
+ mkdir -p $(dirname \\$nix_user_config_file)
+ echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file
+ chown -R build /home/build/
+
+ curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
+ sudo install -t /usr/local/bin drone-runner-exec
+
+ if [ ! -f /run/vars ]; then
+ exit 1
+ fi
+
+ cp -a /run/vars /run/runtime-vars
+ env | grep "DRONE" >> /run/runtime-vars
+
+ su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
+ '';
+ psCfg = config.pub-solar;
+ cfg = config.pub-solar.docker-ci-runner;
+in {
+ options.pub-solar.docker-ci-runner = {
+ enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";
+
+ enableKvm = lib.mkOption {
+ description = ''
+ Enable kvm support.
+ ''; + default = true; + type = types.bool; + }; + + nixCacheLocation = lib.mkOption { + description = '' + Location of nix cache that is shared between builds + ''; + default = "/var/lib/docker-ci-runner"; + type = types.path; + }; + + runnerEnvironment = lib.mkOption { + description = '' + Additional environment vars added to the vars file on container runtime + ''; + default = {}; + }; + + runnerVarsFile = lib.mkOption { + description = '' + Location of vars file passed to drone runner + ''; + type = types.path; + }; + }; + + config = lib.mkIf cfg.enable { + virtualisation = { + docker = { + enable = true; # sadly podman is not supported rightnow + }; + + oci-containers = { + backend = "docker"; + containers."drone-exec-runner" = { + image = "debian"; + autoStart = true; + entrypoint = "bash"; + cmd = ["/bootstrap.sh"]; + + volumes = [ + "${cfg.runnerVarsFile}:/run/vars" + "${cfg.nixCacheLocation}:/nix" + "${bootstrap}:/bootstrap.sh" + ]; + + environment = cfg.runnerEnvironment; + + extraOptions = lib.mkIf cfg.enableKvm ["--device=/dev/kvm"]; + }; + }; + }; + }; +} diff --git a/profiles/base-user/home.nix b/profiles/base-user/home.nix index 27a7c32c..9c964515 100644 --- a/profiles/base-user/home.nix +++ b/profiles/base-user/home.nix @@ -88,15 +88,5 @@ in { # Allow unfree packages only on a user basis, not on a system-wide basis xdg.configFile."nixpkgs/config.nix".text = " { allowUnfree = true; } "; - - # This value determines the Home Manager release that your - # configuration is compatible with. This helps avoid breakage - # when a new Home Manager release introduces backwards - # incompatible changes. - # - # You can update Home Manager without changing this value. See - # the Home Manager release notes for a list of state version - # changes in each release. - home.stateVersion = "21.03"; }; } diff --git a/shell/devos.nix b/shell/devos.nix index 5a922b4b..c216f3b9 100644 --- a/shell/devos.nix +++ b/shell/devos.nix 
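Review bot: Both downloads in the bootstrap script — the Nix installer (`curl -L https://nixos.org/nix/install > install` followed by `sh install`) and the exec runner (`curl -L …/releases/latest/… | tar xz`) — fetch an unpinned artifact over the network and execute it with no integrity check, so the trust root of every CI build running through this container is whatever those two URLs serve on the day the container is (re)started. Neither curl has `-f`, so an HTTP error body would be handed to `sh install` or to tar, and `set -e` without `pipefail` does not stop the script when curl fails inside the `| tar xz` pipeline; pinning both versions, verifying a sha256 before executing, and starting with `set -euo pipefail` closes this. Separately, unless I am misreading the quoting, `\\` is not an escape in a Nix indented string (only `''$`, `'''` and `''\` are), so bash receives `\\$nix_user_config_file`, collapses it to `\` followed by the expanded path, and both `mkdir -p $(dirname …)` and the `>` redirect target a relative path starting with a backslash rather than `/home/build/.local/share/nix/trusted-settings.json`; plain `"$nix_user_config_file"` is enough, since Nix only interpolates `${`. `image = "debian"` is likewise a moving tag, and `env | grep "DRONE" >> /run/runtime-vars` copies the runner's DRONE_* environment (presumably including its RPC secret) into a file owned by the same `build` user the pipelines run as — worth a comment if that exposure is accepted.

```nix
with lib; let
  # Pin the bootstrap's network dependencies; bump these deliberately, with review.
  nixVersion = "…";          # a release listed at releases.nixos.org/nix
  nixInstallerSha256 = "…";  # sha256sum of that release's `install` script
  runnerVersion = "…";       # drone-runner-exec release tag, without the leading "v"
  runnerSha256 = "…";        # sha256sum of drone_runner_exec_linux_amd64.tar.gz
  bootstrap = pkgs.writeScript "bootstrap.sh" ''
    #!/usr/bin/env bash

    set -euo pipefail

    # … unchanged: apt install, adduser, chown build /nix …

    # Fetch a pinned installer and refuse to run it unless the checksum matches.
    sudo -u build curl -fsSL "https://releases.nixos.org/nix/nix-${nixVersion}/install" > install
    echo "${nixInstallerSha256}  install" | sha256sum -c -
    sudo -u build sh install

    # … unchanged: /etc/profile PATH export, /etc/nix/nix.conf …

    export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
    mkdir -p "$(dirname "$nix_user_config_file")"
    echo '{ … same trusted-settings JSON as before … }' > "$nix_user_config_file"
    chown -R build /home/build/

    curl -fsSL "https://github.com/drone-runners/drone-runner-exec/releases/download/v${runnerVersion}/drone_runner_exec_linux_amd64.tar.gz" -o runner.tar.gz
    echo "${runnerSha256}  runner.tar.gz" | sha256sum -c -
    tar xzf runner.tar.gz
    sudo install -t /usr/local/bin drone-runner-exec

    # … unchanged: /run/vars check, runtime-vars assembly, daemon start …
  '';
```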
@@ -17,6 +17,7 @@ shellcheck shfmt treefmt + nixos-generators ; inherit @@ -62,7 +63,7 @@ in { (devos cachix) ] ++ lib.optionals (pkgs.stdenv.hostPlatform.isLinux && !pkgs.stdenv.buildPlatform.isDarwin) [ - (devos inputs.nixos-generators.defaultPackage.${pkgs.system}) + (devos nixos-generators) (devos deploy-rs) ]; }