diff --git a/hosts/chocolatebar/chocolatebar.nix b/hosts/chocolatebar/chocolatebar.nix
index 0725a012..9b55e06f 100644
--- a/hosts/chocolatebar/chocolatebar.nix
+++ b/hosts/chocolatebar/chocolatebar.nix
@@ -40,6 +40,7 @@ in
 owner = psCfg.user.name;
 };
 pub-solar.sway.vnc.enable = true;
+ pub-solar.ci-runner.enable = true;
 home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
 "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
diff --git a/modules/ci-runner/default.nix b/modules/ci-runner/default.nix
new file mode 100644
index 00000000..1460ab16
--- /dev/null
+++ b/modules/ci-runner/default.nix
@@ -0,0 +1,41 @@
+{ lib, config, pkgs, self, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ cfg = config.pub-solar.ci-runner;
+in
+{
+ options.pub-solar.ci-runner = {
+ enable = mkEnableOption "Enables a systemd service that runs drone-ci-runner";
+ };
+
+ config = mkIf cfg.enable {
+ systemd.user.services.ci-runner = {
+ enable = true;
+
+ description = "CI runner for the PubSolarOS repository that can run test VM instances with KVM.";
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ };
+
+ path = [
+ pkgs.git
+ pkgs.nix
+ pkgs.libvirt
+ ];
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "libvirtd.service" ];
+
+ script = ''${pkgs.drone-runner-exec}/bin/drone-runner-exec daemon /run/agenix/drone-runner-exec-config'';
+ };
+
+ age.secrets."drone-runner-exec-config" = {
+ file = "${self}/secrets/drone-runner-exec-config";
+ mode = "700";
+ owner = psCfg.user.name;
+ };
+ };
+}
diff --git a/pkgs/drone-docker-runner.nix b/pkgs/drone-docker-runner.nix
index cf6dc802..25de349f 100644
--- a/pkgs/drone-docker-runner.nix
+++ b/pkgs/drone-docker-runner.nix
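Review bot: The ci-runner unit in modules/ci-runner/default.nix is a `systemd.user` service with the secret owned by `psCfg.user.name`, so every pipeline step drone-runner-exec starts runs directly on the host as the desktop user, with that user's home directory, SSH keys and keyring in reach. A system unit under a dedicated account would confine this, and it would also make `wantedBy = [ "multi-user.target" ]` and `after = [ ... "libvirtd.service" ]` meaningful, since those are system units that a user manager presumably cannot order against. The secret is a config file, so `mode = "0400"` is enough; `"700"` only adds an execute bit. The sketch below shows the shape; the hardening options and the `libvirtd` group membership (which is broad) should be checked against what the pipelines need.

```nix
  config = mkIf cfg.enable {
    # dedicated account: pipeline steps no longer run as the desktop user
    users.groups.ci-runner = { };
    users.users.ci-runner = {
      isSystemUser = true;
      group = "ci-runner";
      extraGroups = [ "libvirtd" "kvm" ];
    };

    systemd.services.ci-runner = {
      # … unchanged: description, path, wantedBy, after, script …
      serviceConfig = {
        Type = "simple";
        Restart = "always";
        User = "ci-runner";
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
      };
    };

    age.secrets."drone-runner-exec-config" = {
      file = "${self}/secrets/drone-runner-exec-config";
      mode = "0400";
      owner = "ci-runner";
    };
```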
@@ -6,7 +6,7 @@ self: with self; ''
 --env=DRONE_RPC_PROTO=$DRONE_RPC_PROTO \
 --env=DRONE_RPC_HOST=$DRONE_RPC_HOST \
 --env=DRONE_RPC_SECRET=$(${self.libsecret}/bin/secret-tool lookup drone rpc-secret) \
- --env=DRONE_RUNNER_CAPACITY=4 \
+ --env=DRONE_RUNNER_CAPACITY=8 \
 --env=DRONE_RUNNER_NAME=$(${self.inetutils}/bin/hostname) \
 --publish=30010:30010 \
 --restart=always \
diff --git a/secrets/drone-runner-exec-config b/secrets/drone-runner-exec-config
new file mode 100644
index 00000000..0b7e2e90
Binary files /dev/null and b/secrets/drone-runner-exec-config differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 68b238d7..bf4a7c8e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -52,6 +52,8 @@ in
 "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys;
 "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys;
+ "drone-runner-exec-config".publicKeys = allKeys;
+
 "dyndns-droppie.key".publicKeys = droppieKeys;
 "mopidy.conf".publicKeys = allKeys;
diff --git a/users/ben/home.nix b/users/ben/home.nix
index be796133..30ef1c90 100644
--- a/users/ben/home.nix
+++ b/users/ben/home.nix
@@ -103,7 +103,7 @@ in
 mode = "700";
 owner = "mopidy";
 };
- services.mopidy.extraConfigFiles = [ "/run/secrets/mopidy.conf" ];
+ services.mopidy.extraConfigFiles = [ "/run/agenix/mopidy.conf" ];
 programs.ssh.extraConfig = "
 PubkeyAcceptedKeyTypes +ssh-rsa
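Review bot: In secrets/secrets.nix the new `"drone-runner-exec-config"` entry is encrypted to `allKeys`, while this commit enables `pub-solar.ci-runner` only on chocolatebar and the neighbouring VNC entries are scoped to `chocolatebarKeys`. Every key in `allKeys` can then decrypt the runner config, which presumably carries the Drone RPC secret. I would narrow it to `"drone-runner-exec-config".publicKeys = chocolatebarKeys;` and widen it only when another host actually runs the runner. The definition of `allKeys` is outside the hunk, so its exact membership cannot be checked here.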