diff --git a/ansible/router/tasks/iptables.yaml b/ansible/router/tasks/iptables.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cd21505a47e530a967e3c44bd2a772d1b8d08bd7
--- /dev/null
+++ b/ansible/router/tasks/iptables.yaml
@@ -0,0 +1,2 @@
+---
+
diff --git a/ansible/router/tasks/main.yaml b/ansible/router/tasks/main.yaml
index 69daddd9ae1ed8f3319884f3e17c97876aa90661..05bc45c30b8a7e1594b2bee6aaeff9ef2ba66f42 100644
--- a/ansible/router/tasks/main.yaml
+++ b/ansible/router/tasks/main.yaml
@@ -27,3 +27,6 @@
 name: sshd
 state: restarted
 enabled: yes
+
+- name: Setup iptables
+ include_tasks: iptables.yaml
diff --git a/ansible/router/tasks/packages.yaml b/ansible/router/tasks/packages.yaml
index f55766ea4bc64f74f375b8ab5c874a04f348b513..9ec7c5d7a0892faa3bca726703be99568588ec03 100644
--- a/ansible/router/tasks/packages.yaml
+++ b/ansible/router/tasks/packages.yaml
@@ -30,3 +30,6 @@
 - wget
 - jq
 - git
+
+ # Router
+ - iptables
diff --git a/ansible/runner/.gitignore b/ansible/runner/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..eb200e400865633fc2118f09572fb4b85f062139
--- /dev/null
+++ b/ansible/runner/.gitignore
@@ -0,0 +1,5 @@
+.idea
+.venv
+
+# autogenerated
+.template
diff --git a/ansible/runner/README.md b/ansible/runner/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..9d85e5902e9f5edb48ce9cf65dc985593e5ff125
--- /dev/null
+++ b/ansible/runner/README.md
@@ -0,0 +1,7 @@
+# MAIN VMs ansible
+
+First run:
+`ansible-playbook -i inventory.yaml install.yaml --user root`
+
+After first run:
+`ansible-playbook -i inventory.yaml install.yaml --become --user rlacko`
\ No newline at end of file
diff --git a/ansible/runner/bootstrap.sh b/ansible/runner/bootstrap.sh
new file mode 100755
index 0000000000000000000000000000000000000000..a6212cdec913c58815bd9b997976ffbb207287a6
--- /dev/null
+++ b/ansible/runner/bootstrap.sh
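Review bot: The new `include_tasks: iptables.yaml` task in ansible/router/tasks/main.yaml pulls in a file that this same commit creates as an empty document (`---` only), so "Setup iptables" currently configures nothing while the packages.yaml hunk installs the `iptables` package — a reader of the role could take the include for a configured firewall. If the rules are meant to land later, say so inside iptables.yaml, e.g. `# TODO: no rules yet; the router keeps the distribution default policy until this file is filled in`. For an unconditional, non-looped include the static `import_tasks: iptables.yaml` is the more predictable form, though the dynamic include works too. The enclosing task list starts outside the hunk.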
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+########################### Virtualenv setup ####################################
+
+# create virtualenv if not present
+[[ ! -d .venv ]] && python3 -m venv .venv
+
+source .venv/bin/activate
+
+pip3 install ansible ansible-lint
+
+########################### Ansible setup ####################################
+
+ansible-galaxy install --force -r requirements.galaxy.yaml
+
+########################### Help ####################################
+
+echo
+echo "########################################"
+echo
+echo "Your playbooks:"
+
+find . -maxdepth 1 -type f -name "*.yaml" | grep -v inventory
+
+echo
+echo "Recommendation: Set up your OpenSSH config based on inventory.yml"
+
+echo
+echo "You can run playbook with:"
+printf "\tansible-playbook your-playbook.yaml"
+echo
+
+# to stay in our comfy virtualenv
+exec "${SHELL:bash}"
diff --git a/ansible/runner/install.yaml b/ansible/runner/install.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..86e945492c158cbeebb8fbf9c93d6981a83609b5
--- /dev/null
+++ b/ansible/runner/install.yaml
@@ -0,0 +1,22 @@
+---
+
+- hosts: all
+ roles:
+ - name: yatesr.timezone
+ vars:
+ timezone: Europe/Budapest
+ tasks:
+ - name: Setup Runner VM
+ import_tasks: tasks/main.yaml
+
+ vars:
+ users:
+ - name: rlacko
+ sudo: yes
+ passwordless_sudo: yes
+ keys_url: https://git.sch.bme.hu/rlacko.keys
+ ssh:
+ port: 10022
+ permitRootLogin: 'no'
+ pubkeyAuthentication: 'yes'
+ passwordAuthentication: 'no'
\ No newline at end of file
diff --git a/ansible/runner/inventory.yaml b/ansible/runner/inventory.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..07bf36282d19b4b9072a09d876b9f05ba7a38342
--- /dev/null
+++ b/ansible/runner/inventory.yaml
@@ -0,0 +1,3 @@
+all:
+ hosts:
+ 152.66.211.122:
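Review bot: The last line `exec "${SHELL:bash}"` is almost certainly meant to be the default-value expansion `exec "${SHELL:-bash}"`; as written `${SHELL:bash}` is a substring expansion whose offset `bash` is evaluated arithmetically (normally 0), so it happens to yield the whole of `SHELL` but expands to an empty string — and a failing `exec ""` — precisely when `SHELL` is unset, the case the fallback exists for. Both installs are unpinned: `pip3 install ansible ansible-lint` and `ansible-galaxy install --force -r requirements.galaxy.yaml` fetch whatever is newest on each run, so the toolchain that configures these hosts is not reproducible; a pinned version list (for pip, ideally a requirements file with hashes) makes an upgrade an explicit change. Without `set -euo pipefail` near the top, a failed `python3 -m venv` or pip install is not fatal and the script carries on into the help text with a half-built environment. The help text refers to `inventory.yml` while the file this commit adds is `inventory.yaml`.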
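Review bot: `sudo: yes` and `passwordless_sudo: yes` are YAML 1.1 truthy literals that users.yaml consumes as booleans in `when: user.sudo` and `when: user.passwordless_sudo`; write them `sudo: true` / `passwordless_sudo: true` so the value does not depend on loader semantics (the `ssh.*` values below are correctly quoted, since they are pasted verbatim into sshd_config, and a comment such as `# keep quoted: rendered as text into sshd_config` would keep a future edit from turning 'no' into false). Together with `passwordAuthentication: 'no'`, the entry grants root via NOPASSWD sudo to whatever keys are served at `keys_url`, so the trust boundary of this host is the operator of that URL and its TLS; a one-line comment next to `keys_url` recording that is worth having. `keys_url` has no `default` in users.yaml, so every entry in `users` must carry it or the authorized_key task fails on a missing attribute.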
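Review bot: The host entry `152.66.211.122:` carries no `ansible_port`, yet install.yaml moves sshd to `port: 10022` on the first run, so presumably the second run the README describes cannot connect on the default port unless an OpenSSH client config supplies it out of band (bootstrap.sh only recommends setting one up). Adding `ansible_port: 10022` here, or documenting the port switch in the README next to the "After first run" command, makes the inventory self-describing. The bare key also leaves the host value as null; `152.66.211.122: {}` is the explicit form if no host vars are intended.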
diff --git a/ansible/runner/requirements.galaxy.yaml b/ansible/runner/requirements.galaxy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..67cbeeaf312186f22e008e29f630b63d880d05dd
--- /dev/null
+++ b/ansible/runner/requirements.galaxy.yaml
@@ -0,0 +1,8 @@
+---
+
+collections:
+ - community.general
+ - ansible.posix
+
+roles:
+ - src: yatesr.timezone
\ No newline at end of file
diff --git a/ansible/runner/tasks/main.yaml b/ansible/runner/tasks/main.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5a3decfb3a8769753896da114c88818f19bdbab2
--- /dev/null
+++ b/ansible/runner/tasks/main.yaml
@@ -0,0 +1,26 @@
+---
+
+- name: Setup Admin users
+ include_tasks: users.yaml
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
+
+- name: Update and upgrade apt packages
+ become: true
+ apt:
+ upgrade: "yes"
+ update_cache: yes
+ cache_valid_time: 86400 # One day
+
+- name: Install packages
+ include_tasks: packages.yaml
+
+- name: Place sshd configuration file.
+ template:
+ src: etc/ssh/sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ mode: 0600
+
+- name: Setup Runner
+ include_tasks: runner.yaml
diff --git a/ansible/runner/tasks/packages.yaml b/ansible/runner/tasks/packages.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5e869ec01868f78b0b786149f3b86b63cf2eff05
--- /dev/null
+++ b/ansible/runner/tasks/packages.yaml
@@ -0,0 +1,40 @@
+---
+- name: Install basic packages
+ package:
+ state: present
+ name:
+ # Debug tools
+ - sudo
+ - tmux
+ - htop
+ - dnsutils
+ - net-tools
+ - psmisc
+ - strace
+ - tcpdump
+ - xxd
+
+ # Editors
+ - nano
+ - vim
+
+ # Admin helpers
+ - rsync
+ - tree
+ - molly-guard
+
+ # Dependencies for scripting
+ - python3
+ - unzip
+ - curl
+ - wget
+ - jq
+ - git
+
+ # Runner dependencies
+ - python3-pip
+ - podman
+ # ARM support
+ - qemu
+ - binfmt-support
+ - qemu-user-static
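Review bot: Neither collection nor the `yatesr.timezone` role carries a `version:`, and bootstrap.sh installs this file with `--force`, so every bootstrap pulls whatever Galaxy serves at that moment and a role that runs as root on these hosts can change underneath you without a commit. Pin each entry — `- name: community.general` with `version: "<pinned version>"`, likewise for `ansible.posix`, and `- src: yatesr.timezone` with `version: "<pinned tag>"` — so an upgrade becomes an explicit, reviewable change.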
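Review bot: The "Place sshd configuration file." task writes `/etc/ssh/sshd_config` with no `validate:`, and runner.yaml then restarts sshd unconditionally, so a rendering error (an unset `ssh.port`, for example) takes the only management path into the host down; add `validate: /usr/sbin/sshd -t -f %s` to the `template:` block so a config sshd rejects is never installed. `mode: 0600` is an unquoted octal that YAML 1.1 loaders read as the integer 384, which the Ansible docs describe as working sometimes but failing in loops and other contexts — the users.yaml hunk in this commit already uses the quoted `mode: "0600"`, so the same form here keeps the role consistent. `update_cache: yes` should be `update_cache: true` for the same loader-independence reason, while `upgrade: "yes"` is correctly a string because the apt module expects that literal.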
diff --git a/ansible/runner/tasks/runner.yaml b/ansible/runner/tasks/runner.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..da2d0f85772877eed9c01f63e2188fb8387c6977
--- /dev/null
+++ b/ansible/runner/tasks/runner.yaml
@@ -0,0 +1,41 @@
+---
+
+- name: Ensure sshd is restarted and enabled to start at boot.
+ service:
+ name: sshd
+ state: restarted
+ enabled: yes
+
+- name: Install podman compose
+ pip:
+ name:
+ - podman-compose
+
+- name: Create runner directory
+ file:
+ path: /home/ubuntu/gitlab-runner
+ owner: ubuntu
+ group: ubuntu
+ state: directory
+
+- name: Copy config toml
+ template:
+ src: home/ubuntu/gitlab-runner/config.toml
+ dest: /home/ubuntu/gitlab-runner/config.toml
+ owner: ubuntu
+ group: ubuntu
+ mode: 0700
+ # backing up in case the need to recover
+ backup: false
+ become: true
+
+- name: Copy compose file
+ template:
+ src: home/ubuntu/docker-compose.yml
+ dest: /home/ubuntu/docker-compose.yml
+ owner: ubuntu
+ group: ubuntu
+ mode: 0700
+ # backing up in case the need to recover
+ backup: false
+ become: true
diff --git a/ansible/runner/tasks/users.yaml b/ansible/runner/tasks/users.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..23de97ad04fd816ed8fbca60a967bed56a6e3d20
--- /dev/null
+++ b/ansible/runner/tasks/users.yaml
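Review bot: "Copy config toml" re-renders `/home/ubuntu/gitlab-runner/config.toml` on every run from a template that (per the config.toml hunk in this commit) holds only the global keys and no `[[runners]]` section, so once `gitlab-runner register` has presumably written its runner block and token into that file, the next play run overwrites it and the runner drops off GitLab; either set `force: false` on the template task, keep the registered file outside the managed path, or drive registration from the play as well. The comment `# backing up in case the need to recover` sits above `backup: false` in both template tasks, the opposite of what it says — make them agree (`backup: true` if recovery is the goal, or drop the comment). `mode: 0700` on both files is an unquoted octal and also sets the execute bit on plain data files; `mode: "0600"` is the usual choice, and config.toml in particular will hold the runner token once registered. The paths are hard-coded to `/home/ubuntu` while install.yaml's `users` list creates `rlacko`, and "Create runner directory" lacks the `become: true` the two template tasks carry — fine while the play runs as root, but inconsistent.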
@@ -0,0 +1,54 @@
+---
+
+- debug:
+ msg: "{{ user }}"
+
+- name: "Create group for user"
+ group:
+ name: "{{ user.name }}"
+
+- name: "Create user"
+ user:
+ name: "{{ user.name }}"
+ comment: "{{ user.comment | default('') }}"
+ group: "{{ user.name }}"
+ shell: "/bin/{{ user.shell | default('bash') }}"
+
+- name: "SUDO"
+ user:
+ name: "{{ user.name }}"
+ append: true
+ groups:
+ - sudo
+ when: user.sudo
+
+- set_fact:
+ sudoer_file: "/etc/sudoers.d/{{ user.name }}"
+
+- name: sudoers file for the user
+ file:
+ path: "{{ sudoer_file }}"
+ state: touch
+ mode: "0600"
+ owner: root
+ group: root
+ modification_time: preserve
+ access_time: preserve
+
+- name: Insert sudoer file content
+ copy:
+ dest: "{{ sudoer_file }}"
+ content: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL"
+ when: user.passwordless_sudo
+
+- name: "Set password to be expired"
+ command: passwd --delete '{{ user.name }}'
+ when: not user.passwordless_sudo
+
+- name: Set authorized keys
+ ansible.posix.authorized_key:
+ user: "{{ user.name }}"
+ state: present
+ key: "{{ user.keys_url }}"
+ manage_dir: yes
+ exclusive: yes
diff --git a/ansible/runner/templates/etc/ssh/sshd_config.j2 b/ansible/runner/templates/etc/ssh/sshd_config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a85b408194e01ca8f5a28fafc16dcd19d4e2e79a
--- /dev/null
+++ b/ansible/runner/templates/etc/ssh/sshd_config.j2
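Review bot: "Insert sudoer file content" writes `/etc/sudoers.d/<user>` with `copy:` and no `validate:`; a malformed line there breaks sudo for every account on the host, so add `validate: /usr/sbin/visudo -cf %s` to the `copy:` block. "Set password to be expired" runs `passwd --delete`, which removes the password rather than expiring it, so a user with `sudo: true` and `passwordless_sudo: false` sits in the `sudo` group with no password to present, and what sudo then does depends on the PAM nullok configuration; `passwd --expire` matches the task name, or the non-passwordless branch needs a managed password hash. That task is also a bare `command:` with no `changed_when`/`creates`, so it reports changed and re-runs every time. The sudoers file is touched and the NOPASSWD rule written regardless of `user.sudo`, which only guards the group membership; `when: user.sudo and user.passwordless_sudo` on the content task keeps a non-sudo user from getting a sudoers entry. `manage_dir: yes` / `exclusive: yes` are better as `true`, and the leading `debug` of the whole `user` dict could take `verbosity: 1` so it stops printing on every normal run.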
@@ -0,0 +1,36 @@
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+Protocol 2
+Port {{ ssh.port }}
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+PermitRootLogin {{ ssh.permitRootLogin }}
+PubkeyAuthentication {{ ssh.pubkeyAuthentication }}
+PasswordAuthentication {{ ssh.passwordAuthentication }}
+
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+AllowAgentForwarding yes
+X11Forwarding yes
+PrintMotd no
+
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+{% if ssh.allow.users is defined %}
+AllowUsers {{ ssh.allow.users }}
+{% endif %}
+{% if ssh.allow.groups is defined %}
+AllowGroups {{ ssh.allow.groups }}
+{% endif %}
diff --git a/ansible/runner/templates/home/ubuntu/docker-compose.yml b/ansible/runner/templates/home/ubuntu/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d2a667859c5b593948912a60332e46205a5e8d42
--- /dev/null
+++ b/ansible/runner/templates/home/ubuntu/docker-compose.yml
@@ -0,0 +1,9 @@
+version: "3"
+services:
+ gitlab-runner:
+ image: gitlab/gitlab-runner:latest
+ container_name: gitlab-runner
+ restart: unless-stopped
+ volumes:
+ - ./gitlab-runner:/etc/gitlab-runner
+ - /var/run/podman/podman.sock:/var/run/docker.sock
diff --git a/ansible/runner/templates/home/ubuntu/gitlab-runner/config.toml b/ansible/runner/templates/home/ubuntu/gitlab-runner/config.toml
new file mode 100644
index 0000000000000000000000000000000000000000..03e1a8c2c52f7face22c205c7d4c89080d623d01
--- /dev/null
+++ b/ansible/runner/templates/home/ubuntu/gitlab-runner/config.toml
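Review bot: `X11Forwarding yes` and `AllowAgentForwarding yes` are enabled on what is a headless CI runner host; `X11Forwarding no` is the safe default here, and agent forwarding is only worth keeping if operators deliberately forward keys through this box — if so, a comment saying why would stop the next reviewer from flipping it. `Protocol 2` is a legacy directive that OpenSSH 7.6 and later only log as deprecated, so it can go. Because install.yaml defines no `ssh.allow`, both `AllowUsers`/`AllowGroups` blocks presumably render empty and any account holding a key may log in; that is probably intended for now, but a note on the `ssh` var in install.yaml (`# allow.users / allow.groups unset: no AllowUsers restriction`) makes the choice visible. The `{{ ssh.permitRootLogin }}` family is only safe because install.yaml quotes those values as strings, which the template should state in a comment above them.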
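Review bot: Two lines in the `gitlab-runner` service widen the trust boundary more than the rest of the play suggests: `image: gitlab/gitlab-runner:latest` floats on an unpinned tag, so a runner upgrade happens silently on the next pull instead of as a reviewed change, and the bind mount `/var/run/podman/podman.sock:/var/run/docker.sock` hands the runner container the host's container-engine socket, which is root-equivalent on the VM for anything that can drive the runner — in practice every CI job scheduled onto it. If that is the accepted model for this temporary VM, a comment above `volumes:` recording it (`# engine socket is root-equivalent on the host; this runner is dedicated to one project`) documents the decision; otherwise a rootless podman socket or an executor that does not need the socket limits the blast radius. Pin the image to a version tag or digest either way.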
@@ -0,0 +1,6 @@
+listen_address = ":9252"
+concurrent = 10
+check_interval = 1
+
+[session_server]
+ session_timeout = 1800
diff --git a/terraform/runner-tmp.tf b/terraform/runner-tmp.tf
new file mode 100644
index 0000000000000000000000000000000000000000..99836243cc947003553fcab155d6ee9301f646e6
--- /dev/null
+++ b/terraform/runner-tmp.tf
@@ -0,0 +1,33 @@
+resource "proxmox_vm_qemu" "runner-tmp" {
+ name = "tmp-gv-gitlab-runner"
+ desc = "Temp Globalvet Gitlab Runner"
+ vmid = 6100
+
+ target_node = "maze"
+
+ clone = "ubuntu-21.04-cloudimg"
+
+ agent = 1
+
+ cores = 8
+ sockets = 1
+ vcpus = 0
+ memory = 26000
+
+ disk {
+ size = "40G"
+ type = "virtio"
+ storage = "ssd"
+ }
+
+ network {
+ model = "virtio"
+ bridge = "vmbr211"
+ }
+
+ ipconfig0 = "ip=152.66.211.122/24,gw=152.66.211.254"
+
+ sshkeys = <<EOF
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXuXr/Mz1ENkvZ+Ntc9dF1r8VK62XaZtsMaV7N+CMZ8 rlacko@personal
+ EOF
+}
\ No newline at end of file
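Review bot: `listen_address = ":9252"` binds the runner's metrics endpoint on every interface of its network namespace; the compose file publishes no ports, so presumably it is reachable only inside the container network, but a comment (`# metrics endpoint; intentionally not published by compose`) keeps it from being exposed later without thought, and `"127.0.0.1:9252"` is the safer default if nothing scrapes it. `check_interval = 1` polls GitLab every second against a default of 3, which is fine on a dedicated runner but worth a one-word reason. `[session_server]` sets only `session_timeout`; as far as I recall the session server stays inactive until its own `listen_address` is set, so either add that or note that the block is a placeholder.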
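Review bot: The `sshkeys` heredoc uses `<<EOF` rather than `<<-EOF`, so whatever indentation precedes the `ssh-ed25519 …` line becomes part of the value; the exact indentation is not visible here, but leading whitespace in `sshkeys` is a recurring cause of Proxmox rejecting the key, and either `<<-EOF` or a plain string `sshkeys = "ssh-ed25519 … rlacko@personal"` avoids it. `clone = "ubuntu-21.04-cloudimg"` bases the VM on an interim Ubuntu release with a nine-month support window, so the image stops receiving security updates quickly; an LTS cloud image is the safer base for a host that executes CI jobs. The address in `ipconfig0 = "ip=152.66.211.122/24,…"` is duplicated verbatim in ansible/runner/inventory.yaml, and a comment in one file pointing at the other keeps the two from drifting.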