diff --git a/.gitea/workflows/build-and-deploy.yml b/.gitea/workflows/build-and-deploy.yml
new file mode 100644
index 0000000..fe4a703
--- /dev/null
+++ b/.gitea/workflows/build-and-deploy.yml
@@ -0,0 +1,45 @@
+name: Build and Deploy
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-push-deploy:
+    runs-on: haskelseed
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: nix build docker image
+        run: nix build .#docker --log-format raw
+
+      - name: push image to Gitea registry
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        run: |
+          SHA=$(git rev-parse --short HEAD)
+          SKOPEO=/nix/store/fwdagky9lfsyrgzxiq14zijcziazfdsn-skopeo-1.22.2/bin/skopeo
+          TOKEN=$(curl -s \
+            "http://92.205.130.254:32166/v2/token?service=container_registry&scope=repository:coulomb/ihp-railiance-probe:push,pull" \
+            -u "tegwick:${REGISTRY_TOKEN}" | awk -F'"' '/token/{print $4}')
+          $SKOPEO copy --insecure-policy --dest-tls-verify=false \
+            --dest-registry-token "$TOKEN" \
+            docker-archive:result \
+            docker://92.205.130.254:32166/coulomb/ihp-railiance-probe:$SHA
+
+      - name: deploy to Railiance01
+        run: |
+          SHA=$(git rev-parse --short HEAD)
+          scp -r -i ~/.ssh/id_railiance_deploy \
+            -o StrictHostKeyChecking=no \
+            $GITHUB_WORKSPACE/chart \
+            tegwick@92.205.62.239:/tmp/ihp-probe-chart-$SHA
+          ssh -i ~/.ssh/id_railiance_deploy \
+            -o StrictHostKeyChecking=no \
+            tegwick@92.205.62.239 \
+            "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml && \
+             helm upgrade --install ihp-railiance-probe /tmp/ihp-probe-chart-$SHA \
+               --namespace coulomb \
+               --set image.tag=$SHA && \
+             rm -rf /tmp/ihp-probe-chart-$SHA"