diff --git a/hosts/chocolatebar/chocolatebar.nix b/hosts/chocolatebar/chocolatebar.nix
index ad6e8428..e1011b1f 100644
--- a/hosts/chocolatebar/chocolatebar.nix
+++ b/hosts/chocolatebar/chocolatebar.nix
@@ -26,6 +26,17 @@ in {
     pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
     pub-solar.core.hibernation.resumeOffset = 115075072;
 
+    age.secrets."drone-runner-exec-config" = {
+      file = "${self}/secrets/drone-runner-exec-config";
+      mode = "400";
+      owner = psCfg.user.name;
+    };
+
+    pub-solar.docker-ci-runner = {
+      enable = true;
+      runnerVarsFile = config.age.secrets.drone-runner-exec-config.path;
+    };
+
     services.openssh.openFirewall = true;
     networking.firewall.allowedTCPPorts =
       [443]
@@ -54,7 +65,6 @@ in {
       owner = psCfg.user.name;
     };
     pub-solar.sway.vnc.enable = true;
-    pub-solar.ci-runner.enable = true;
 
     home-manager.users."${psCfg.user.name}" = {
       xdg.configFile = mkIf psCfg.sway.enable {
diff --git a/secrets/drone-runner-exec-config b/secrets/drone-runner-exec-config
index 0b7e2e90..e240a7e9 100644
Binary files a/secrets/drone-runner-exec-config and b/secrets/drone-runner-exec-config differ