diff --git a/host_vars/runner1.archlinux.org b/host_vars/runner1.archlinux.org/misc
similarity index 100%
rename from host_vars/runner1.archlinux.org
rename to host_vars/runner1.archlinux.org/misc
diff --git a/host_vars/runner1.archlinux.org/vault_gitlab_runner.yml b/host_vars/runner1.archlinux.org/vault_gitlab_runner.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6fd5b8ef4e1ed45f4dc6f2150602a9fe26da9a91
--- /dev/null
+++ b/host_vars/runner1.archlinux.org/vault_gitlab_runner.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+33613230393739666464663864633664666338396131346666303534373135613631356135393866
+6165346464343566343032313164353633356438623138620a306162643638633531386535333130
+65373661383734663531323234323263663138303731383464333132623730383638343064366234
+6264633765363861390a623434386134316264366665623130643536313038383463383032366638
+34306266373938663633626461373766383035376236653363346163326435396361313836666631
+31636139363737633336643664316538366133313262393434393234386636626434393430376636
+653137373335333937386137323535353938
diff --git a/host_vars/runner2.archlinux.org b/host_vars/runner2.archlinux.org/misc
similarity index 100%
rename from host_vars/runner2.archlinux.org
rename to host_vars/runner2.archlinux.org/misc
diff --git a/host_vars/runner2.archlinux.org/vault_gitlab_runner.yml b/host_vars/runner2.archlinux.org/vault_gitlab_runner.yml
new file mode 100644
index 0000000000000000000000000000000000000000..37971caab86455ce0d085f62aa13615b90a1a371
--- /dev/null
+++ b/host_vars/runner2.archlinux.org/vault_gitlab_runner.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+62663133393864666235656235346435626566316537623765373666353161626666323732323062
+3065356564313737323736633138393863636638333131320a336365626666383636643966316330
+33303037366433336261336661656465383537653863646538643533666661353638633461346533
+3466356662356466660a396531316463626231643936643664346563613335663231346138616232
+39313162613963326130316135643463376534666133303661623264393736666131393937653863
+31386466353763393331326261356262643034383761613465383966373164616133323435373730
+613064313337666432313632346537636466
diff --git a/host_vars/secure-runner1.archlinux.org b/host_vars/secure-runner1.archlinux.org/misc
similarity index 100%
rename from host_vars/secure-runner1.archlinux.org
rename to host_vars/secure-runner1.archlinux.org/misc
diff --git a/host_vars/secure-runner1.archlinux.org/vault_gitlab_runner.yml b/host_vars/secure-runner1.archlinux.org/vault_gitlab_runner.yml
new file mode 100644
index 0000000000000000000000000000000000000000..aad75d21f2e8de8f4a8566707d440638b85691a1
--- /dev/null
+++ b/host_vars/secure-runner1.archlinux.org/vault_gitlab_runner.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+31333936383066376136343839326334316462333865343863323264393338636631393235386633
+3561333634326331643032313733346464616666646330370a303832346662613335646365333039
+38336166306633396231363661306438353962333039623465313636633534383266613965373434
+6133343164623538610a363533303239373939316666653933323365303633663437666561623463
+30316663626536666334376361326630326565336137336336646263386637616132363039656234
+38616535646363336533616434386564333239333832383136653933663963333434353139616163
+353333323466636166613861386239313431
diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
index 88d9cc09499b882342a293854313c6ca98826f77..8bb1d517148d26937f52863610e987b81f91e44d 100644
--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@@ -30,38 +30,22 @@
   tags:
     - firewall
 
-- name: register gitlab-runner
-  command: >
-    gitlab-runner register
-    --non-interactive
-    --url=https://gitlab.archlinux.org/
-    --docker-image=alpine:latest
-    --tag-list=docker
-    --registration-token="{{ vault_gitlab_runner_registration_token }}"
-    --executor=docker
-    --description="{{ inventory_hostname }}"
-    --run-untagged=false
-    --docker-tlsverify=true
-    --locked=false
-    --access-level=not_protected
-  args:
-    creates: /etc/gitlab-runner/config.toml
 
-- name: increase concurrency
-  lineinfile:
-    path: /etc/gitlab-runner/config.toml
-    owner: root
-    group: root
-    mode: 0600
-    regexp: '^concurrent = .*'
-    line: concurrent = 100
-  notify: restart gitlab-runner
-
-- name: enable prometheus exporter
-  lineinfile:
-    path: /etc/gitlab-runner/config.toml
-    insertbefore: '^concurrent'
-    line: listen_address = ":{{ gitlab_runner_exporter_port }}"
+# Please register the runner with this command and save the token as a host var:
+# gitlab-runner register \
+#   --non-interactive \
+#   --url=https://gitlab.archlinux.org/ \
+#   --docker-image=archlinux:latest \
+#   --tag-list=docker \ # Use docker,secure for secure runners
+#   --registration-token="{{ vault_gitlab_runner_registration_token }}" \
+#   --executor=docker \
+#   --description="{{ inventory_hostname }}" \
+#   --run-untagged=true \ # Use false for secure runners
+#   --locked=false \ # Use true for secure runners
+#   --access-level=not_protected # Use ref_protected for secure runners
+# Note: Secure runners must be added manually to the relevant projects
+- name: install runner configuration
+  template: src=config.toml.j2 dest=/etc/gitlab-runner/config.toml owner=root group=root mode=0600
   notify: restart gitlab-runner
 
 - name: install gitlab-runner-docker-cleanup.{service,timer}
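Review bot: The `install runner configuration` task renders a file that contains `vault_gitlab_runner_token`, so a run with `--diff` can print the token in the task output; adding `diff: false` (or `no_log: true`) to this task keeps it out of terminals and CI logs. The registration comment above it cannot be pasted as written: in `--tag-list=docker \ # Use docker,secure for secure runners` the backslash is followed by a space and text, which ends the line continuation. The `{{ ... }}` placeholders are also not expanded in a shell. I would put the per-flag remarks on their own comment lines above the command and say that the token and hostname must be filled in by hand, preferably without leaving the registration token in shell history.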
diff --git a/roles/gitlab_runner/templates/config.toml.j2 b/roles/gitlab_runner/templates/config.toml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4752005a3196c259dd362a28d736e18da88b4899
--- /dev/null
+++ b/roles/gitlab_runner/templates/config.toml.j2
@@ -0,0 +1,25 @@
+concurrent = 100
+check_interval = 0
+listen_address = ":9252"
+
+[session_server]
+  session_timeout = 1800
+
+[[runners]]
+  name = "{{ inventory_hostname }}"
+  url = "https://gitlab.archlinux.org"
+  token = "{{ vault_gitlab_runner_token }}"
+  executor = "docker"
+  [runners.custom_build_dir]
+  [runners.cache]
+    [runners.cache.s3]
+    [runners.cache.gcs]
+  [runners.docker]
+    tls_verify = false
+    image = "archlinux:latest"
+    privileged = false
+    disable_entrypoint_overwrite = false
+    oom_kill_disable = false
+    disable_cache = false
+    volumes = ["/cache"]
+    shm_size = 0
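Review bot: `listen_address = ":9252"` hard-codes the exporter port, whereas the task removed in this commit wrote `listen_address = ":{{ gitlab_runner_exporter_port }}"`. If the firewall rule or the scrape configuration still reads that variable (not visible in this diff), the two values can drift apart, so I would keep `listen_address = ":{{ gitlab_runner_exporter_port }}"` in the template. Separately, `tls_verify = false` under `[runners.docker]` differs from the `--docker-tlsverify=true` that the old registration command passed. If that is intentional because the runner only talks to the local Docker socket, a one-line comment such as `# local socket only, no TCP docker host` would record the reason.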