diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index accfd19f..5f03a33b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -302,7 +302,6 @@ test:sytest:
 tags: ["docker"]
 variables:
 PLUGINS: "https://github.com/valkum/sytest_conduit/archive/master.tar.gz"
- interruptible: true
 before_script:
 - "mkdir -p /app"
 - "cp ./conduit-debug-x86_64-unknown-linux-musl /app/conduit"
@@ -360,19 +359,10 @@ test:dockerlint:
 test:complement:
 stage: "test"
 allow_failure: true
- interruptible: true
+ tags: ["docker"]
 needs:
 - "docker:debug:gitlab"
- tags: ["docker"]
- image: "docker:latest"
- services:
- - "docker:dind"
 variables:
- # Tell docker to use the docker service:
- DOCKER_HOST: "tcp://docker:2375/"
- DOCKER_TLS_CERTDIR: ""
- DOCKER_DRIVER: "overlay2"
- CI: "true"
 COMPLEMENT_DEBUG: "1"
 COMPLEMENT_ALWAYS_PRINT_SERVER_LOGS: "1"
 COMPLEMENT_CA: "true"
@@ -382,12 +372,12 @@ test:complement:
 - 'sed -i "s#matrixconduit/matrix-conduit:next-alpine#$CONDUIT_DEBUG_IMAGE#g" tests/Complement.Dockerfile'
 - 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin'
 - "docker build -f tests/Complement.Dockerfile -t $COMPLEMENT_BASE_IMAGE ."
- - "wget https://faulty-storage.de/gotestsum -O /gotestsum && chmod +x /gotestsum"
- - "apk add go git olm olm-dev musl-dev gcc build-base"
+ - "wget https://faulty-storage.de/gotestsum -O $CI_PROJECT_DIR/gotestsum && chmod +x $CI_PROJECT_DIR/gotestsum"
 - "git clone https://github.com/matrix-org/complement.git"
 script:
 - "cd ./complement/"
- - "/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200"
+ # CI=false -> "true" makes complement assume itself is running IN a docker container, which it is not in this case.
+ - "CI=false $CI_PROJECT_DIR/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200"
 artifacts:
 when: "always"
 reports:
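Review bot: The rewritten wget line in the last hunk still fetches the `gotestsum` binary from `https://faulty-storage.de` without pinning a version or verifying a digest, and the script step executes it inside a job that has just run `docker login` with the registry credentials, so whoever controls that host controls the test run and its environment. Verify a known digest before marking the file executable, e.g. `- "wget https://faulty-storage.de/gotestsum -O $CI_PROJECT_DIR/gotestsum && echo '<SHA256_OF_GOTESTSUM>  $CI_PROJECT_DIR/gotestsum' | sha256sum -c - && chmod +x $CI_PROJECT_DIR/gotestsum"`, or build gotestsum from a pinned module version. The following `git clone https://github.com/matrix-org/complement.git` tracks the default branch, so pinning a commit would make failures reproducible. With the `apk add go git ...` line removed, the job presumably relies on the runner image selected by the new `tags: ["docker"]` to provide git and go; that image is not visible in this diff.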
diff --git a/tests/Complement.Dockerfile b/tests/Complement.Dockerfile index 46204748..f41cd742 100644 --- a/tests/Complement.Dockerfile +++ b/tests/Complement.Dockerfile @@ -1,14 +1,26 @@ - FROM matrixconduit/matrix-conduit:next-alpine AS conduit-complement -WORKDIR /workdir + USER root -RUN apk add --no-cache caddy +# TODO: REMOVE +# TODO: REMOVE +# TODO: REMOVE +# TODO: REMOVE +COPY --chown=1000:1000 ./conduit-debug-x86_64-unknown-linux-musl /srv/conduit/conduit +RUN chmod +x /srv/conduit/conduit +# TODO: REMOVE +# TODO: REMOVE +# TODO: REMOVE +# TODO: REMOVE + +RUN apk add --no-cache caddy openssl && \ + openssl genrsa -out "/conduit-https.key" 2048 ENV ROCKET_LOG=normal \ CONDUIT_LOG="info,rocket=info,_=off,sled=off" \ CONDUIT_CONFIG="" \ CONDUIT_DATABASE_PATH="/tmp/" \ + CONDUIT_DATABASE_BACKEND="rocksdb" \ CONDUIT_SERVER_NAME=localhost \ CONDUIT_ADDRESS="0.0.0.0" \ CONDUIT_PORT="6167" \ @@ -17,17 +29,10 @@ ENV ROCKET_LOG=normal \ CONDUIT_ALLOW_REGISTRATION="true" -# Enabled Caddy auto cert generation for complement provided CA. -COPY ./tests/complement-caddy.json ./caddy.json +COPY ./tests/complement-start.sh ./tests/complement-caddy.json / +RUN chmod +x /complement-start.sh + +ENTRYPOINT ["/complement-start.sh"] EXPOSE 8008 8448 -HEALTHCHECK --start-period=2s --interval=2s CMD true -ENTRYPOINT [""] -CMD ([ -z "${COMPLEMENT_CA}" ] && echo "Error: Need Complement PKI support" && true) || \ - cp /ca/ca.crt /usr/local/share/ca-certificates/complement.crt && update-ca-certificates && \ - export CONDUIT_SERVER_NAME="${SERVER_NAME}" && \ - sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \ - (caddy start --config caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log && \ - echo "Starting Conduit with address '${SERVER_NAME}'" && \ - /srv/conduit/conduit diff --git a/tests/complement-caddy.json b/tests/complement-caddy.json index a8aeb75c..dbfce9af 100644 --- a/tests/complement-caddy.json +++ b/tests/complement-caddy.json 
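Review bot: In the first hunk, `RUN apk add --no-cache caddy openssl && openssl genrsa -out "/conduit-https.key" 2048` generates the homeserver's TLS private key at image build time, so the same key ends up in every container started from the image and is stored in the image layer itself. Since complement-start.sh already creates the CSR and the CA-signed certificate at container start, the key generation belongs there too (an `openssl genrsa -out /conduit-https.key 2048` line ahead of the `openssl req` call), leaving `RUN apk add --no-cache caddy openssl` in the Dockerfile. The eight `# TODO: REMOVE` lines around `COPY --chown=1000:1000 ./conduit-debug-x86_64-unknown-linux-musl /srv/conduit/conduit` should be one comment stating why the binary is copied in and what has to happen before the COPY can go. The `ENV` statement that starts in this hunk continues past its end.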
@@ -45,6 +45,16 @@
 ],
 "terminal": true
 }
+ ],
+ "tls_connection_policies": [
+ {
+ "match": {
+ "sni": ["*"]
+ },
+ "certificate_selection": {
+ "any_tag": ["complement-signed-cert"]
+ }
+ }
 ]
 },
 "srv1": {
@@ -86,13 +96,24 @@
 }
 },
 "tls": {
+ "certificates": {
+ "load_files": [
+ {
+ "certificate": "/conduit.complement.crt.pem",
+ "key": "/conduit.complement.key.pem",
+ "format": "pem",
+ "tags": ["complement-signed-cert"]
+ }
+ ]
+ },
 "automation": {
 "policies": [
 {
 "subjects": ["your.server.name"],
 "issuers": [
 {
- "module": "internal"
+ "module": "internal",
+ "lifetime": "2d"
 }
 ],
 "on_demand": true
@@ -105,12 +126,12 @@
 "local": {
 "name": "Complement CA",
 "root": {
- "certificate": "/ca/ca.crt",
- "private_key": "/ca/ca.key"
+ "certificate": "/complement/ca/ca.crt",
+ "private_key": "/complement/ca/ca.key"
 },
 "intermediate": {
- "certificate": "/ca/ca.crt",
- "private_key": "/ca/ca.key"
+ "certificate": "/complement/ca/ca.crt",
+ "private_key": "/complement/ca/ca.key"
 }
 }
 }
diff --git a/tests/complement-start.sh b/tests/complement-start.sh
new file mode 100644
index 00000000..b60f21c5
--- /dev/null
+++ b/tests/complement-start.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+set -e
+
+echo "šŸ‘· Setting up Conduit instance '${SERVER_NAME}' to be tested with Complement..."
+
+# We ecpect the following files to be mounted into the container:
+# /complement/ca/ca.crt
+# /complement/ca/ca.key
+
+
+printf "\nšŸ‘· Generating certificate signing request (csr) for the complement dummy CA"
+openssl req -new -sha256 \
+ -key "/conduit-https.key" \
+ -subj "/C=US/ST=CA/O=ComplementOrg, Inc./CN=${SERVER_NAME}" \
+ -out "${SERVER_NAME}.csr"
+
+printf "\nšŸ‘· Signing the homeserver's cert with the complement dummy CA"
+openssl x509 -req -sha256 -days 2 \
+ -in "${SERVER_NAME}.csr" \
+ -CA /complement/ca/ca.crt \
+ -CAkey /complement/ca/ca.key \
+ -CAcreateserial \
+ -out "${SERVER_NAME}.crt" \
+
+printf "\nšŸ‘· Packing https cert+key and CA cert into a PEM file for Caddy (http reverse proxy) to read"
+cat "/conduit-https.key" >> /conduit.complement.key.pem
+cat "${SERVER_NAME}.crt" >> /conduit.complement.crt.pem
+#cat /complement/ca/ca.key >> /conduit.complement.key.pem
+cat /complement/ca/ca.crt >> /conduit.complement.crt.pem
+
+printf "\nšŸ‘· Updating the OS CA trust store"
+cp /complement/ca/ca.crt /usr/local/share/ca-certificates/
+update-ca-certificates || true
+
+export CONDUIT_SERVER_NAME="${SERVER_NAME}"
+
+printf "\nšŸ‘· Configuring Caddy to listen on 'http(s)://%s'" "${SERVER_NAME}"
+sed -i "s/your.server.name/${SERVER_NAME}/g" /complement-caddy.json
+(caddy start --config /complement-caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log
+
+TMP_DB_DIR="$(mktemp -d -p '/tmp' 'conduit_db_dir_XXXXXXXXXX')"
+printf "\nšŸ‘· Preparing '%s' as Conduit's database directory" "${TMP_DB_DIR}"
+rm -rf "$TMP_DB_DIR" || true
+mkdir -p "$TMP_DB_DIR"
+export CONDUIT_CONDUIT_DATABASE_PATH="${DB_DIR}"
+
+printf "\nšŸ‘· Starting Conduit with address '%s'\n\n" "${SERVER_NAME}"
+/srv/conduit/conduit
diff --git a/tests/test-config.toml b/tests/test-config.toml
index c4666878..1bb50b52 100644
--- a/tests/test-config.toml
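Review bot: The final `export CONDUIT_CONDUIT_DATABASE_PATH="${DB_DIR}"` reads an unset variable (`DB_DIR` rather than `TMP_DB_DIR`) under a doubly prefixed name, so the directory prepared just above is never used and Conduit keeps the image's `CONDUIT_DATABASE_PATH="/tmp/"`; it should read `export CONDUIT_DATABASE_PATH="${TMP_DB_DIR}"`. The certificate signed with the Complement CA carries only a CN and no subjectAltName; Go (1.15 and later) and rustls-based verifiers match hostnames against SANs only, so Complement's TLS clients will most likely reject the server certificate even though they trust the CA — write a `subjectAltName=DNS:${SERVER_NAME}` extension file and pass it to `openssl x509 -req` with `-extfile`. The trailing `\` after `-out "${SERVER_NAME}.crt"` continues that command onto an empty line and should be dropped. The `>>` redirections append to `/conduit.complement.key.pem` and `/conduit.complement.crt.pem` on every container start, so a restart leaves duplicated key and certificate blocks in the bundle; write each file once with `>`.
```shell
# … unchanged: CSR generation and the "Signing" printf …
printf 'subjectAltName=DNS:%s\n' "${SERVER_NAME}" > "${SERVER_NAME}.ext"
openssl x509 -req -sha256 -days 2 \
  -in "${SERVER_NAME}.csr" \
  -CA /complement/ca/ca.crt \
  -CAkey /complement/ca/ca.key \
  -CAcreateserial \
  -extfile "${SERVER_NAME}.ext" \
  -out "${SERVER_NAME}.crt"

# … unchanged: the "Packing" printf …
cat "/conduit-https.key" > /conduit.complement.key.pem
cat "${SERVER_NAME}.crt" /complement/ca/ca.crt > /conduit.complement.crt.pem

# … unchanged: CA trust store update, CONDUIT_SERVER_NAME export, Caddy start, TMP_DB_DIR creation …
export CONDUIT_DATABASE_PATH="${TMP_DB_DIR}"
```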
+++ b/tests/test-config.toml @@ -5,6 +5,7 @@ server_name = "localhost" # With a bit of luck /tmp is a RAM disk, so that the file system does not become the bottleneck while testing database_path = "/tmp" +database_backend = "rocksdb" # All the other settings are left at their defaults: port = 6167