diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2f45b748..1aef5266 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,14 +1,82 @@
-image: docker
-services:
-  - docker:dind
-before_script:
-    - apk update && apk add git
-    - wget https://github.com/earthly/earthly/releases/download/v0.6.23/earthly-linux-amd64 -O /usr/local/bin/earthly
-    - chmod +x /usr/local/bin/earthly
-    - export FORCE_COLOR=1
-    - /usr/local/bin/earthly bootstrap
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-earthly:
-  stage: build
+variables:
+  GIT_SUBMODULE_STRATEGY: recursive
+  BUILD_IMAGE_LINUX_AMD64: $CI_REGISTRY/veilid/ci-cd/veilid-build-linux-amd64:latest
+
+stages:
+  - clippy
+  - test
+  - build
+
+############# Clippy Lint
+
+clippy:
+  stage: clippy
+  image: ${BUILD_IMAGE_LINUX_AMD64}
+  cache:
+    key: $CI_COMMIT_REF_SLUG-linux-amd64
+    paths:
+      - target/
+  tags:
+    - linux
+    - amd64
   script:
-    - earthly --ci --push -P +package-linux
+    - cargo clippy
+  # Only run clippy on non-protected branches, for development
+  rules:
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_MERGE_REQUEST_IID
+      when: never
+    - if: $CI_COMMIT_REF_PROTECTED == "false"
+
+############# Unit Testing
+
+.test_rules_common:
+  # Only do tests for tags, protected branches, or merge requests
+  rules:
+    - if: $CI_COMMIT_TAG
+    - if: $CI_MERGE_REQUEST_IID
+    - if: $CI_COMMIT_REF_PROTECTED == "true"
+
+test_linux_amd64:
+  stage: test
+  image: ${BUILD_IMAGE_LINUX_AMD64}
+  cache:
+    key: $CI_COMMIT_REF_SLUG-linux-amd64
+    paths:
+      - target/
+  tags:
+    - linux
+    - amd64
+  script:
+    - RUST_BACKTRACE=1 dbus-run-session -- cargo test -- --nocapture
+  rules:
+    - !reference [.test_rules_common, rules]
+
+############# Build
+
+.build_rules_common:
+  # Only build for tags or protected branches
+  rules:
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_REF_PROTECTED == "true"
+
+build_linux_amd64:
+  stage: build
+  image: ${BUILD_IMAGE_LINUX_AMD64}
+  cache:
+    key: $CI_COMMIT_REF_SLUG-linux-amd64
+    paths:
+      - target/
+  tags:
+    - linux
+    - amd64
+  script:
+    - cargo build --release
+  artifacts:
+    name: $CI_COMMIT_REF_SLUG-linux-amd64
+    paths:
+      - target/release/veilid-cli
+      - target/release/veilid-server
+  rules:
+    - !reference [.build_rules_common, rules]
diff --git a/cicd/README.md b/cicd/README.md
new file mode 100644
index 00000000..11fbf336
--- /dev/null
+++ b/cicd/README.md
@@ -0,0 +1,40 @@
+# Terraform for Gitlab Runner
+
+After having had trouble with my Gitlab Runner, I decided to put together a plan
+for creating runners more automatically, thus this Terraform configuration.
+
+This plan assumes running a Gitlab Runner, Docker Executor on a DigitalOcean
+droplet. Running this plan requires an active DigitalOcean account, a configured
+SSH key that will be installed on any created droplet, and a DigitalOcean
+personal access token (PAT).
+
+## Creating the runner
+
+Before creating the runner, we run a `plan` to ensure we are creating the
+droplet that we expect. First, we will export our access token as an environment
+variable:
+
+```shell
+export DO_PAT="$(cat .config/doctl/config.yaml | yq e '.access-token' -)"
+```
+
+Then we can run our plan:
+
+```shell
+terraform plan \
+  -var "do_token=${DO_PAT}" \
+  -var "pvt_key=$HOME/.ssh/id_rsa"
+```
+
+If the output is what was expected, we may now create the droplet:
+
+```shell
+terraform apply \
+  -var "do_token=${DO_PAT}" \
+  -var "pvt_key=$HOME/.ssh/id_rsa"
+```
+
+**TODO**
+
+Update the configuration to accept the runner registration token as a variable
+and automatically self-register.