diff --git a/.gitea/workflows/main.yml b/.gitea/workflows/main.yml
new file mode 100644
index 0000000..1f54454
--- /dev/null
+++ b/.gitea/workflows/main.yml
@@ -0,0 +1,63 @@
+name: Main Build & Deploy
+
+on: workflow_dispatch
+
+jobs:
+  build:
+    name: Build and Push Docker Image (amd64 and arm64)
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install docker and docker compose
+        run: |
+          apt update
+          apt install -y docker docker-compose
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+        config-inline: |
+          [registry."git.ivanch.me"]
+
+      - name: Login to Docker Hub
+        uses: https://github.com/docker/login-action@v3.3.0
+        with:
+          registry: git.ivanch.me
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+
+      - name: Build Docker image and push
+        id: docker_build
+        uses: https://github.com/docker/build-push-action@v6.12.0
+        with:
+          context: ./
+          file: ./Dockerfile
+          push: true
+          tags: git.ivanch.me/ivanch/pet-companion/pet-companion:latest
+          platforms: linux/amd64, linux/arm64
+
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}
+
+  deploy_live:
+    name: Deploy Live
+    runs-on: ubuntu-latest
+    needs: build
+
+    steps:
+    - name: Recreate container
+      uses: https://github.com/appleboy/ssh-action@v1.2.0
+      with:
+        host: ${{ secrets.LIVE_HOST }}
+        username: ${{ secrets.LIVE_USERNAME }}
+        key: ${{ secrets.LIVE_KEY }}
+        port: ${{ secrets.LIVE_PORT }}
+        script: |
+          cd ${{ secrets.LIVE_PROJECT_DIR }}
+          docker compose down
+          docker compose rm
+          docker compose pull
+          docker compose up -d
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a99ff75
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,14 @@
+# Build stage
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+# Production stage
+FROM nginx:alpine
+COPY --from=builder /app/dist /usr/share/nginx/html
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+EXPOSE 80
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..40d719f
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,17 @@
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Security headers
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}