diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 000000000..8c0e0e9b0
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,135 @@
+---
+kind: pipeline
+type: docker
+name: build 386
+
+clone:
+  depth: 1
+
+steps:
+  - name: build 386
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux 386 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build amd64
+
+clone:
+  depth: 1
+
+steps:
+  - name: build amd64
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux amd64 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build arm64
+
+clone:
+  depth: 1
+
+steps:
+  - name: build arm64
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux arm64 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build armv7
+
+clone:
+  depth: 1
+
+steps:
+  - name: build armv7
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux armv7 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build riscv64
+
+clone:
+  depth: 1
+
+steps:
+  - name: build riscv64
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux riscv64 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build mips64le
+
+clone:
+  depth: 1
+
+steps:
+  - name: build mips64le
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux mips64le $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build ppc64le
+
+clone:
+  depth: 1
+
+steps:
+  - name: build ppc64le
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux ppc64le $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build s390x
+
+clone:
+  depth: 1
+
+steps:
+  - name: build s390x
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux s390x $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
diff --git a/ci/Dockerfile.sid b/ci/Dockerfile.sid
new file mode 100644
index 000000000..4af604aac
--- /dev/null
+++ b/ci/Dockerfile.sid
@@ -0,0 +1,7 @@
+FROM registry.sean.farm/sid-builder as stage
+COPY . .
+RUN /usr/bin/make -j 8
+
+FROM scratch AS export
+COPY --from=stage /zerotier-one .
+COPY --from=stage /zerotier-cli .
diff --git a/ci/scripts/build.sh b/ci/scripts/build.sh
new file mode 100755
index 000000000..e0b6ce6b7
--- /dev/null
+++ b/ci/scripts/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+export GOOS=$1
+export GOARCH=$2
+export VERSION=$3
+export DOCKER_BUILDKIT=1
+
+echo "nproc: $(nproc)"
+
+case $GOARCH in
+    armv5)
+        export ARCH=arm/v5
+        ;;
+    armv7)
+        export ARCH=arm/v7
+        ;;
+    arm64)
+        export ARCH=arm64/v8
+        ;;
+    *)
+        export ARCH=$GOARCH
+        ;;
+esac
+
+docker run --privileged --rm tonistiigi/binfmt --install all
+docker buildx build --platform ${GOOS}/${ARCH} -f ci/Dockerfile.sid --target export -t test . --output out/${GOOS}/${GOARCH}
diff --git a/make-linux.mk b/make-linux.mk
index 5b89760ec..802d5ca3a 100644
--- a/make-linux.mk
+++ b/make-linux.mk
@@ -41,12 +41,6 @@ else
 	override DEFS+=-DZT_USE_SYSTEM_NATPMP
 endif
 
-ifeq ($(ZT_DEBUG),1)
-	LDLIBS+=zeroidc/target/debug/libzeroidc.a -ldl -lssl -lcrypto
-else
-	LDLIBS+=zeroidc/target/release/libzeroidc.a -ldl -lssl -lcrypto
-endif
-
 # Use bundled http-parser since distribution versions are NOT API-stable or compatible!
 # Trying to use dynamically linked libhttp-parser causes tons of compatibility problems.
 ONE_OBJS+=ext/http-parser/http_parser.o
@@ -122,6 +116,7 @@ ifeq ($(CC_MACH),x86_64)
 	ZT_USE_X64_ASM_ED25519=1
 	override CFLAGS+=-msse -msse2
 	override CXXFLAGS+=-msse -msse2
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),amd64)
 	ZT_ARCHITECTURE=2
@@ -129,6 +124,7 @@ ifeq ($(CC_MACH),amd64)
 	ZT_USE_X64_ASM_ED25519=1
 	override CFLAGS+=-msse -msse2
 	override CXXFLAGS+=-msse -msse2
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),powerpc64le)
 	ZT_ARCHITECTURE=8
@@ -150,15 +146,19 @@ ifeq ($(CC_MACH),e2k)
 endif
 ifeq ($(CC_MACH),i386)
 	ZT_ARCHITECTURE=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i486)
 	ZT_ARCHITECTURE=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i586)
 	ZT_ARCHITECTURE=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i686)
 	ZT_ARCHITECTURE=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),arm)
 	ZT_ARCHITECTURE=3
@@ -174,6 +174,7 @@ ifeq ($(CC_MACH),armhf)
 	ZT_ARCHITECTURE=3
 	override DEFS+=-DZT_NO_TYPE_PUNNING
 	ZT_USE_ARM32_NEON_ASM_CRYPTO=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),armv6)
 	ZT_ARCHITECTURE=3
@@ -217,10 +218,12 @@ ifeq ($(CC_MACH),armv7ve)
 endif
 ifeq ($(CC_MACH),arm64)
 	ZT_ARCHITECTURE=4
+	ZT_SSO_SUPPORTED=1
 	override DEFS+=-DZT_NO_TYPE_PUNNING -DZT_ARCH_ARM_HAS_NEON -march=armv8-a+crypto -mtune=generic -mstrict-align
 endif
 ifeq ($(CC_MACH),aarch64)
 	ZT_ARCHITECTURE=4
+	ZT_SSO_SUPPORTED=1
 	override DEFS+=-DZT_NO_TYPE_PUNNING -DZT_ARCH_ARM_HAS_NEON -march=armv8-a+crypto -mtune=generic -mstrict-align
 endif
 ifeq ($(CC_MACH),mipsel)
@@ -263,6 +266,14 @@ ifeq ($(ZT_IA32),1)
 	ZT_USE_X64_ASM_ED25519=0
 endif
 
+ifeq ($(ZT_SSO_SUPPORTED), 1)
+	ifeq ($(ZT_DEBUG),1)
+		LDLIBS+=zeroidc/target/debug/libzeroidc.a -ldl -lssl -lcrypto
+	else
+		LDLIBS+=zeroidc/target/release/libzeroidc.a -ldl -lssl -lcrypto
+	endif
+endif
+
 # Disable software updates by default on Linux since that is normally done with package management
 override DEFS+=-DZT_BUILD_PLATFORM=1 -DZT_BUILD_ARCHITECTURE=$(ZT_ARCHITECTURE) -DZT_SOFTWARE_UPDATE_DEFAULT="\"disable\""
 
@@ -371,8 +382,12 @@ debug:	FORCE
 	make ZT_DEBUG=1 one
 	make ZT_DEBUG=1 selftest
 
+ifeq ($(ZT_SSO_SUPPORTED), 1)
 zeroidc:	FORCE
 	export PATH=/root/.cargo/bin:$$PATH; cd zeroidc && cargo build -j1 $(RUSTFLAGS)
+else
+zeroidc:
+endif
 
 # Note: keep the symlinks in /var/lib/zerotier-one to the binaries since these
 # provide backward compatibility with old releases where the binaries actually
diff --git a/service/OneService.cpp b/service/OneService.cpp
index fd7ba0732..9706baa4d 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -156,7 +156,9 @@ public:
 	NetworkState() 
 		: _webPort(9993)
 		, _tap((EthernetTap *)0)
+#if OIDC_SUPPORTED
 		, _idc(nullptr)
+#endif
 	{
 		// Real defaults are in network 'up' code in network event handler
 		_settings.allowManaged = true;
@@ -345,11 +347,11 @@ public:
 	}
 
 	uint64_t getExpiryTime() {
+#if OIDC_SUPPORTED
 		if (_idc == nullptr) {
 			fprintf(stderr, "idc is null\n");
 			return 0;
 		}
-#if OIDC_SUPPORTED
 		return zeroidc::zeroidc_get_exp_time(_idc);
 #else
 		return 0;