diff --git a/cicd/Makefile b/cicd/Makefile
new file mode 100644
index 00000000..79acd75f
--- /dev/null
+++ b/cicd/Makefile
@@ -0,0 +1,33 @@
+DO_PAT := $(shell cat ~/.config/doctl/config.yaml | yq e '.access-token' -)
+GITLAB_REG_KEY := $(shell sops -d secrets.yaml | yq e '.gitlab-reg-key' -)
+GITLAB_SERVER_URL := $(shell sops -d secrets.yaml | yq e '.gitlab-server-url' -)
+RUNNER_NAME := "veilid-runner-1"
+KEYNAME := "pensfabriko"
+
+
+plan-runner:
+ terraform plan \
+ -var "do_token=${DO_PAT}" \
+ -var "pvt_key=${HOME}/.ssh/id_rsa" \
+ -var "ssh_key=${KEYNAME}" \
+ -var "reg_key=${GITLAB_REG_KEY}" \
+ -var "ci_server_url=${GITLAB_SERVER_URL}" \
+ -var "runner_name=${RUNNER_NAME}"
+
+create-runner:
+ terraform apply \
+ -var "do_token=${DO_PAT}" \
+ -var "pvt_key=${HOME}/.ssh/id_rsa" \
+ -var "ssh_key=${KEYNAME}" \
+ -var "reg_key=${GITLAB_REG_KEY}" \
+ -var "ci_server_url=${GITLAB_SERVER_URL}" \
+ -var "runner_name=${RUNNER_NAME}"
+
+destroy-runner:
+ terraform destroy \
+ -var "do_token=${DO_PAT}" \
+ -var "pvt_key=${HOME}/.ssh/id_rsa" \
+ -var "ssh_key=${KEYNAME}" \
+ -var "reg_key=${GITLAB_REG_KEY}" \
+ -var "ci_server_url=${GITLAB_SERVER_URL}" \
+ -var "runner_name=${RUNNER_NAME}"
diff --git a/cicd/README.md b/cicd/README.md
index cfef9216..0dd46980 100644
--- a/cicd/README.md
+++ b/cicd/README.md
@@ -23,8 +23,9 @@ Then we can run our plan:
 ```shell
 terraform plan \
 -var "do_token=${DO_PAT}" \
- -var "pvt_key=$HOME/.ssh/id_rsa" \
- -var "ssh_key=$KEYNAME"
+ -var "pvt_key=${HOME}/.ssh/id_rsa" \
+ -var "ssh_key=${KEYNAME}" \
+ -var "reg_key=${GITLAB_REG_KEY}"
 ```
 
 If the output is what was expected, we may now create the droplet:
@@ -32,8 +33,9 @@ If the output is what was expected, we may now create the droplet:
 ```shell
 terraform apply \
 -var "do_token=${DO_PAT}" \
- -var "pvt_key=$HOME/.ssh/id_rsa" \
- -var "ssh_key=$KEYNAME"
+ -var "pvt_key=${HOME}/.ssh/id_rsa" \
+ -var "ssh_key=${KEYNAME}"
+ -var "reg_key=${GITLAB_REG_KEY}"
 ```
 
 ## Destroying the runner
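Review bot: In cicd/Makefile all three recipes pass `do_token` and `reg_key` as `-var` arguments, and because the recipe lines are not silenced make echoes the fully expanded command, so the DigitalOcean token and the GitLab registration key end up in the terminal or CI log and in the process list while terraform runs. Terraform also reads input variables from `TF_VAR_<name>` environment variables, so exporting the two secrets from make and dropping their `-var` lines keeps them off the command line. Separately, the `$(shell …)` assignments run `sops -d` at parse time for every invocation regardless of target, and the three targets are not declared `.PHONY`.

```make
# Secrets reach terraform through the environment (TF_VAR_<name>), not argv.
export TF_VAR_do_token := $(DO_PAT)
export TF_VAR_reg_key := $(GITLAB_REG_KEY)

.PHONY: plan-runner create-runner destroy-runner

plan-runner:
	terraform plan \
		-var "pvt_key=${HOME}/.ssh/id_rsa" \
		-var "ssh_key=${KEYNAME}" \
		-var "ci_server_url=${GITLAB_SERVER_URL}" \
		-var "runner_name=${RUNNER_NAME}"

# … unchanged: create-runner and destroy-runner, minus the same two -var lines …
```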
@@ -41,11 +43,6 @@ terraform apply \
 ```shell
 terraform destroy \
 -var "do_token=${DO_PAT}" \
- -var "pvt_key=$HOME/.ssh/id_rsa" \
- -var "ssh_key=$KEYNAME"
+ -var "pvt_key=${HOME}/.ssh/id_rsa" \
+ -var "ssh_key=${KEYNAME}"
 ```
-
-**TODO**
-
-Update the configuration to accept the runner registration token as a variable
-and automatically self-register.
diff --git a/cicd/docker-install.yml b/cicd/docker-install.yml
index b97a8926..cfe410b1 100644
--- a/cicd/docker-install.yml
+++ b/cicd/docker-install.yml
@@ -24,4 +24,8 @@
 - name: install-gitlab-runner
 ansible.builtin.script: ./gitlab-runner.sh install
 - name: register-gitlab-runner
- ansible.buildin.script: ./gitlab-runner.sh register
+ ansible.builtin.script: ./gitlab-runner.sh register
+ environment:
+ CI_SERVER_URL: "{{ ci_server_url }}"
+ REGISTRATION_TOKEN: "{{ regkey }}"
+ RUNNER_NAME: "{{ runner_name }}"
diff --git a/cicd/gitlab-runner.sh b/cicd/gitlab-runner.sh
index 2183a679..d2be1d55 100755
--- a/cicd/gitlab-runner.sh
+++ b/cicd/gitlab-runner.sh
@@ -10,7 +10,14 @@ install () {
 
 register () {
 docker run --rm -it \
- -v /srv/gitlab-runner/config:/etc/gitlab-runner gitlab/gitlab-runner register
+ -v /srv/gitlab-runner/config:/etc/gitlab-runner gitlab/gitlab-runner register \
+ --non-interactive \
+ --executor "docker" \
+ --docker-image alpine:latest \
+ --url "${CI_SERVER_URL}" \
+ --registration-token "${REGISTRATION_TOKEN}" \
+ --description "${RUNNER_NAME}" \
+ --tag-list "amd64,linux"
 }
 
 case $1 in
diff --git a/cicd/provider.tf b/cicd/provider.tf
index 7bbfa001..f3b86427 100644
--- a/cicd/provider.tf
+++ b/cicd/provider.tf
@@ -10,6 +10,9 @@ terraform {
 variable "do_token" {}
 variable "ssh_key" {}
 variable "pvt_key" {}
+variable "reg_key" {}
+variable "ci_server_url" {}
+variable "runner_name" {}
 
 provider "digitalocean" {
 token = var.do_token
diff --git a/cicd/runner.tf b/cicd/runner.tf
index 6267dd19..ab21b9f2 100644
--- a/cicd/runner.tf
+++ b/cicd/runner.tf
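Review bot: In cicd/docker-install.yml the register task reads `{{ regkey }}`, while the Makefile and provider.tf in this commit spell the variable `reg_key`; unless the playbook invocation in runner.tf (cut off in this view) passes an extra var named exactly `regkey`, the task will fail on an undefined variable. Either use `REGISTRATION_TOKEN: "{{ reg_key }}"` or confirm the extra-vars name matches. Since this task now carries the registration token, adding `no_log: true` to it would keep the value out of Ansible's task output when the play is run with higher verbosity.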
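Review bot: In register() of cicd/gitlab-runner.sh, `--registration-token "${REGISTRATION_TOKEN}"` places the token on the `docker run` command line, where it is readable from the host's process list for as long as the command runs. `gitlab-runner register` documents `CI_SERVER_URL`, `REGISTRATION_TOKEN` and `RUNNER_NAME` as environment fallbacks for these flags (worth confirming for the runner version in use), so forwarding them with `-e CI_SERVER_URL -e REGISTRATION_TOKEN -e RUNNER_NAME` and dropping the three flags avoids that. The unchanged `-it` still requests a TTY, which a `--non-interactive` run driven from Ansible will probably not have, so `--rm` alone looks safer. `--docker-image alpine:latest` and the untagged `gitlab/gitlab-runner` image both float with upstream; pinning them to a version would make the runner reproducible.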
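Review bot: In cicd/provider.tf, `variable "reg_key" {}` is declared without a type and is not marked sensitive, so the GitLab registration token can be printed in plan and apply output wherever it is interpolated. Adding `type = string` and `sensitive = true` inside the block (on a Terraform version that supports the `sensitive` argument) makes Terraform redact it; the existing `do_token` declaration in the context lines has the same gap. A `description` on each of the three new variables would also document what `ci_server_url` and `runner_name` are expected to contain.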
@@ -23,7 +23,13 @@ resource "digitalocean_droplet" "veilid-runner-1" { } provisioner "local-exec" { - command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u root -i '${self.ipv4_address},' --private-key ${var.pvt_key} docker-install.yml" + command = <