diff --git a/group_vars/docker.yml b/group_vars/docker.yml
new file mode 100644
index 0000000000000000000000000000000000000000..10f82b6a8d2fab8fb99072409541e9f7a75f75b0
--- /dev/null
+++ b/group_vars/docker.yml
@@ -0,0 +1,4 @@
+---
+glob_docker:
+  dns_network: 172.16.10.100/30
+  adm_network: 172.16.0.0/16
diff --git a/hosts b/hosts
index dc7d43a407c79d47dc66b5ee50a2a9d24b1323e3..28188710ebe03c6df75cd32fefe1a887d027e114 100644
--- a/hosts
+++ b/hosts
@@ -47,6 +47,9 @@ vsftpd
 [dhcp:children]
 routeurs_vm
 
+[docker:children]
+gitlab_runner
+
 [django_cas]
 cas.adm.crans.org
 
@@ -85,6 +88,9 @@ neree.adm.crans.org
 [gitlab]
 gitzly.adm.crans.org
 
+[gitlab_runner]
+gitlab-ci.adm.crans.org
+
 [grafana]
 monitoring.adm.crans.org
 
diff --git a/plays/gitlab.yml b/plays/gitlab.yml
index b4a1876147fdac754772ff55d62a08996019f7f3..f1cbc36a65663e62d6fa46a140cf76158fbd1daa 100755
--- a/plays/gitlab.yml
+++ b/plays/gitlab.yml
@@ -1,7 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Gitlab CI
-- hosts: gitlab-ci.adm.crans.org
+- hosts: gitlab_runner
+  vars:
+    docker: '{{ glob_docker | default({}) | combine(loc_docker | default({})) }}'
   roles:
     - docker
     - gitlab-runner
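Review bot: The `docker` mapping that the docker role's override.conf.j2 template reads (`docker.dns_network`, `docker.adm_network`) is only defined here in the play's `vars:`, so the role is no longer self-contained: running `roles/docker` from any other play fails with `docker` undefined at the template task. Moving the same `docker: '{{ glob_docker | default({}) | combine(loc_docker | default({})) }}'` line into `roles/docker/defaults/main.yml` (or `vars/main.yml`) keeps the combine logic next to the code that consumes it. `docker` is also the name of the role and of the new `docker` inventory group, which is legal but makes the variable hard to grep for; a more specific name such as `docker_net` would read better. The play's roles list may continue past the end of the hunk.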
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fb5c96a4a61d26fcebee0fada2e0c69ee626d917
--- /dev/null
+++ b/roles/docker/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Docker
+  systemd:
+    name: docker
+    daemon_reload: true
+    state: restarted
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index f76319dd94eb3a301eda86b0addd0d8884513987..3ec9f614605370f834ff24c8ad16541ee74326b6 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -43,3 +43,12 @@
   register: apt_result
   retries: 3
   until: apt_result is succeeded
+
+- name: Protect adm from Docker containers
+  template:
+    src: systemd/system/docker.service.d/override.conf.j2
+    dest: /etc/systemd/system/docker.service.d/override.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart Docker
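Review bot: The new template task writes to `/etc/systemd/system/docker.service.d/override.conf`, but the `template` module does not create missing parent directories, and `docker.service.d/` does not exist on a host that has no drop-in yet — the normal case for this freshly added file — so the task fails on first run; a `file` task with `state: directory` should precede it. `mode: 0644` is an unquoted octal literal: Ansible interprets it as intended, but YAML 1.2 parsers and yamllint treat it differently, so `mode: "0644"` is the safer spelling. The apt task whose `register`/`retries`/`until` lines open the hunk starts outside it.

```yaml
- name: Create Docker systemd drop-in directory
  file:
    path: /etc/systemd/system/docker.service.d
    state: directory
    owner: root
    group: root
    mode: "0755"

# … unchanged: "Protect adm from Docker containers" template task …
```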
diff --git a/roles/docker/templates/systemd/system/docker.service.d/override.conf.j2 b/roles/docker/templates/systemd/system/docker.service.d/override.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e34dd43b0e50930d00727963ee7e0c07151dd578
--- /dev/null
+++ b/roles/docker/templates/systemd/system/docker.service.d/override.conf.j2
@@ -0,0 +1,4 @@
+[Service]
+# Allow domain resolution, don't use adm network for anything else
+ExecStartPost=/bin/sh -c "/usr/sbin/iptables -I FORWARD 1 -i docker0 -d {{ docker.dns_network }} -p udp --dport 53 -j ACCEPT; /usr/sbin/iptables -I FORWARD 2 -d {{ docker.adm_network }} -i docker0 -j REJECT --reject-with icmp-port-unreachable"
+ExecStopPost=/usr/sbin/iptables --flush FORWARD
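Review bot: `ExecStopPost=/usr/sbin/iptables --flush FORWARD` removes every rule in the FORWARD chain, not just the two that ExecStartPost inserted, so each Docker stop or restart (which the "Restart Docker" handler triggers on every change to this file) also wipes any other host firewall rules living in that chain; deleting the two rules explicitly is safer: `ExecStopPost=-/usr/sbin/iptables -D FORWARD -i docker0 -d {{ docker.dns_network }} -p udp --dport 53 -j ACCEPT` and `ExecStopPost=-/usr/sbin/iptables -D FORWARD -d {{ docker.adm_network }} -i docker0 -j REJECT --reject-with icmp-port-unreachable` (the leading `-` keeps a missing rule from marking the stop as failed). The REJECT rule matches only `-i docker0`, so containers attached to user-defined bridge networks (`br-*` interfaces, which the gitlab-runner docker executor may create per job — confirm against the runner config) are not covered, and as far as I can tell Docker inserts its own per-network ACCEPT rules at the top of FORWARD when such a network is created, which would sit above these rules; the DOCKER-USER chain, which Docker evaluates before its own rules, is the documented place for operator filters like these. Only IPv4 is filtered; if these hosts carry IPv6 on the adm side the same rules are needed through ip6tables. Allowing 53/udp but not 53/tcp blocks truncated-answer retries, which may be intended but deserves a comment in the template.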