diff --git a/files/docker-compose.yml b/files/docker-compose.yml
index 212c5b3..0610b95 100644
--- a/files/docker-compose.yml
+++ b/files/docker-compose.yml
@@ -3,7 +3,7 @@ version: "2.2"
 services:
 gitea:
- image: gitea/gitea:1.14
+ image: gitea/gitea:1.15
 restart: always
 volumes:
 - ./volumes/gitea:/data
@@ -19,7 +19,7 @@ services:
 mem_limit: 500m
 weblate:
- image: weblate/weblate:4.4-1
+ image: weblate/weblate:4.8.1-2
 restart: always
 ports:
 - 127.0.0.1:3001:8080
@@ -48,6 +48,20 @@ services:
 - redis
 - postfix
+ drone:
+ image: drone/drone:2.4
+ restart: always
+ ports:
+ - 127.0.0.1:8194:80
+ environment:
+ - DRONE_GITHUB_CLIENT_ID=${DRONE_GITHUB_CLIENT_ID}
+ - DRONE_GITHUB_CLIENT_SECRET=${DRONE_GITHUB_CLIENT_SECRET}
+ - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
+ - DRONE_SERVER_HOST=${DRONE_HOSTNAME}
+ - DRONE_SERVER_PROTO=https
+ volumes:
+ - ./volumes/drone:/data
+
 postgres:
 image: postgres:12-alpine
 restart: always
diff --git a/group_vars/prod.yml b/group_vars/prod.yml
index e17bdbb..f751257 100644
--- a/group_vars/prod.yml
+++ b/group_vars/prod.yml
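Review bot: The new `drone` service sets no registration policy, and unless Drone's defaults have changed since 2.x, `DRONE_REGISTRATION_CLOSED` defaults to false, so any GitHub account that completes the OAuth login at the new hostname gets a Drone account on this server; consider adding `- DRONE_REGISTRATION_CLOSED=true` (or `- DRONE_USER_FILTER=<allowed-org-or-user-list>`) next to `- DRONE_SERVER_PROTO=https`, plus `- DRONE_USER_CREATE=username:<admin-login>,admin:true` so an initial admin exists. Binding the published port to `127.0.0.1:8194` matches the `proxy_pass` in the new drone.conf, which is the right shape. No runner service is added alongside the server; if one is defined elsewhere it needs the same `DRONE_RPC_SECRET`, which I cannot confirm from this diff.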
@@ -27,3 +27,26 @@ weblate_postgres_password: !vault |
 66353238623038366230323239303634613963643635626632353739636564396430386565623466
 6562383763396235340a313463643239333662393430613465363965666466303461663066386533
 61323161323732396533373062663762383031336330653336376533633633393035
+drone_rpc_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66363032363339393932623162663832363766346630343764663361666434393733623666643830
+ 3165323062333037613932353164326535393331303235630a633035393434353761343430636330
+ 36396263643530313261373366383936393938663838366237316435326261383031396262623531
+ 6330316237373439320a663333653539333063353433383337373166376561313038626536643066
+ 64666431616666666165643236396166373137663262306262663938356639363832656636363764
+ 3435383030386161666239623039366331633036306263626162
+drone_github_client_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63663036346336323730356363656366646638636361656238323461356439306661316534366331
+ 3938333636376634373161653238356364643165343462310a353937346466373364333732623162
+ 62623139363834323538306663346261653735313631373765366635396163666162326363653034
+ 3836363266396165620a623932386161383836383666316136396564633636383638353233623334
+ 64643364366632663030363763346563636435633539643063373966653735623861
+drone_github_client_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 30656636366436646462313662303866653131666362313430386164633464376636356138346666
+ 6564613736386236323963383433306163623230626231360a666239653663633764346335633539
+ 63653532656162336339396363313037343034373039326639363334396532313765353265373964
+ 6435306461616664650a313532356161636132646362326536376362303963303561643362663430
+ 37653332383662663861363436326434643935623866356439623737303332343036343736656437
+ 3732303134653333356436393130326231646438343064613365
diff --git a/playbooks/gitea.yml b/playbooks/gitea.yml
index 1e56972..6683341 100644
--- a/playbooks/gitea.yml
+++ b/playbooks/gitea.yml
@@ -55,6 +55,7 @@
 shell: |
 certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
 certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
+ certbot certonly --nginx --agree-tos -d 'drone.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
 - name: reload nginx config and certs
 shell: nginx -s reload
@@ -72,3 +73,10 @@
 name=certbot-renew-weblate
 user=root
 job="certbot certonly --nginx -d weblate.{{ domain }} -n --deploy-hook 'nginx -s reload'"
+
+ - name: renew drone certificates
+ cron:
+ special_time=daily
+ name=certbot-renew-drone
+ user=root
+ job="certbot certonly --nginx -d drone.{{ domain }} -n --deploy-hook 'nginx -s reload'"
diff --git a/templates/drone.conf b/templates/drone.conf
new file mode 100644
index 0000000..c848da5
--- /dev/null
+++ b/templates/drone.conf
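Review bot: The third `certbot certonly` line is appended to a multi-line `shell: |` task whose header lies above the hunk, so a failed issuance for `drone.{{ domain }}` (for example before its DNS record, or the nginx server block that `--nginx` needs for the challenge, is in place) fails the whole task after the gitea and weblate names were already processed, and the play stops there. One task per hostname, or a loop over the three names, keeps each failure attributable and lets `failed_when`/`changed_when` be set per certificate. The task also re-runs issuance on every play; as far as I recall certbot keeps an existing certificate that is not yet due, so this is noisy rather than harmful. The enclosing task starts outside the hunk.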
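Review bot: The new `cron:` task passes its arguments as a `key=value` string rather than a YAML mapping, which hides quoting mistakes inside `job=` (the value contains single quotes and a Jinja expression) and is what ansible-lint's no-free-form rule complains about; the native form is `special_time: daily`, `name: certbot-renew-drone`, `user: root` and `job: "certbot certonly --nginx -d drone.{{ domain }} -n --deploy-hook 'nginx -s reload'"`. The existing weblate task above uses the same free-form style, so this is consistent with the file, and converting both together would be the cleaner change. A single `certbot renew` cron entry would also cover every certificate on the host instead of one entry per name, but that is wider than this commit.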
@@ -0,0 +1,51 @@
+server {
+ listen 80;
+ server_name drone.{{ domain }};
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ server_name drone.{{ domain }};
+
+ ssl_certificate /etc/letsencrypt/live/drone.{{ domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/drone.{{ domain }}/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=15768000";
+ add_header Referrer-Policy "same-origin";
+ fastcgi_hide_header X-Powered-By;
+ server_tokens off;
+
+ client_max_body_size 100M;
+
+ # No compression for json to avoid BREACH attack.
+ gzip on;
+ gzip_types text/plain text/xml text/css application/xml application/javascript image/svg+xml image/svg;
+ gzip_proxied any;
+ gzip_vary on;
+
+ location / {
+ proxy_pass http://127.0.0.1:8194;
++ proxy_set_header X-Forwarded-For $remote_addr;
++ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
\ No newline at end of file
diff --git a/templates/env b/templates/env
index df8e19a..a2c71f6 100644
--- a/templates/env
+++ b/templates/env
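Review bot: The two `proxy_set_header` lines in the final `location /` block carry a literal leading `+` in the file content (the hunk shows them as `++`, and the header's 51-line count only adds up if each is a single line), so nginx will reject the config with an unknown-directive error and the drone vhost never loads; they should read `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;`. The same block sets no `Host` header, so the upstream sees `127.0.0.1:8194` as the host; `proxy_set_header Host $http_host;` is, I believe, what Drone's reverse-proxy guidance expects. `ssl_stapling_verify on` has no `ssl_trusted_certificate` to verify against, and `fastcgi_hide_header X-Powered-By` does nothing for a `proxy_pass` location (`proxy_hide_header` would), both presumably carried over from the sibling configs. The file also ends without a trailing newline.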
@@ -2,3 +2,7 @@ GITEA_HOSTNAME={{ domain }}
 WEBLATE_HOSTNAME=weblate.{{ domain }}
 WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }}
 WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }}
+DRONE_HOSTNAME=drone.{{ domain }}
+DRONE_RPC_SECRET={{ drone_rpc_secret }}
+DRONE_GITHUB_CLIENT_ID={{ drone_github_client_id }}
+DRONE_GITHUB_CLIENT_SECRET={{ drone_github_client_secret }}
diff --git a/templates/gitea.conf b/templates/gitea.conf
index f4662d3..f8a82da 100644
--- a/templates/gitea.conf
+++ b/templates/gitea.conf
@@ -8,20 +8,6 @@ map $geoip_country_code $allowed_country {
 IN no;
 }
-# forward from old domain
-server {
- listen 80;
- server_name yerbamate.dev;
- return https://yerbamate.ml$request_uri;
-}
-server {
- listen 443 ssl http2;
- server_name yerbamate.dev;
- ssl_certificate /etc/letsencrypt/live/yerbamate.dev/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/yerbamate.dev/privkey.pem;
- return https://yerbamate.ml$request_uri;
-}
-
 server {
 listen 80;
 server_name {{ domain }};
diff --git a/templates/weblate.conf b/templates/weblate.conf
index 1869012..3a8e28b 100644
--- a/templates/weblate.conf
+++ b/templates/weblate.conf
@@ -3,20 +3,6 @@ map $geoip_country_code $allowed_country {
 CN no;
 }
-# forward from old domain
-server {
- listen 80;
- server_name weblate.yerbamate.dev;
- return https://weblate.yerbamate.ml$request_uri;
-}
-server {
- listen 443 ssl http2;
- server_name weblate.yerbamate.dev;
- ssl_certificate /etc/letsencrypt/live/weblate.yerbamate.dev/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/weblate.yerbamate.dev/privkey.pem;
- return https://weblate.yerbamate.ml$request_uri;
-}
-
 server {
 listen 80;
 server_name weblate.{{ domain }};
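Review bot: The rendered env file now carries the Drone RPC secret and the GitHub OAuth client secret next to the existing Weblate passwords, so its on-disk permissions matter more than before; the `template` task that writes it is not in this diff, so I cannot tell whether it sets `mode: "0600"` and `no_log: true` (to keep the rendered values out of task output) — worth confirming. The values are substituted unquoted, which presumably works for the `${...}` substitutions in docker-compose.yml as long as the vaulted values contain no surrounding whitespace or `#`. `DRONE_RPC_SECRET` is the shared credential between the Drone server and its runners, so it should be distributed only to hosts that actually start a runner.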