diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..8d3ee1d
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,65 @@
+name: ci
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+
+ test:
+ runs-on:
+ - ubuntu-latest
+ - nixos
+ - x86_64
+ container:
+ volumes:
+ - /mnt/cache/nix_store:/nix
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install sudo
+ run: apt update && apt install -y sudo
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@v26
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ github_access_token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
+
+ - name: Flake check
+ run: nix flake check
+
+ deploy:
+ runs-on:
+ - ubuntu-latest
+ - nixos
+ - x86_64
+ container:
+ volumes:
+ - /mnt/cache/nix_store:/nix
+ needs: test
+ if: github.ref == 'refs/heads/master'
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install sudo
+ run: apt update && apt install -y sudo
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@v23
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ github_access_token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
+
+ - name: Load ssh key
+ uses: webfactory/ssh-agent@v0.8.0
+ with:
+ ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
+ - name: Deploy
+ run: nix develop --command deploy --rollback-succeeded false
+ env:
+ ACTION_RUNTIME_TOKEN: ''
+ GITHUB_TOKEN: ''
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
new file mode 100644
index 0000000..86458f8
--- /dev/null
+++ b/.github/workflows/update.yml
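Review bot: In ci.yml the deploy job hands `SSH_PRIVATE_KEY` to `webfactory/ssh-agent@v0.8.0` after running `cachix/install-nix-action@v23`, and both are referenced by tags their owners can move, so the code that runs next to the deploy key is not fixed by this commit. Pin each third-party action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: webfactory/ssh-agent@<full-commit-sha> # v0.8.0`; the same applies to `cachix/install-nix-action@v26` in the test job and to `DeterminateSystems/update-flake-lock@v20` in update.yml. The test job installs Nix with `install-nix-action@v26` while deploy uses `@v23`, so the flake may be checked and deployed with different installer versions; use one version in both jobs.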
@@ -0,0 +1,37 @@
+name: update-flake-inputs
+on:
+ schedule:
+ - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
+
+jobs:
+ update-lockfile:
+ runs-on:
+ - ubuntu-latest
+ - nixos
+ - x86_64
+ container:
+ volumes:
+ - /mnt/cache/nix_store:/nix
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install sudo
+ run: apt update && apt install -y sudo
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@v23
+ with:
+ github_access_token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
+ extra_nix_config: |
+ access-tokens = gitnext.lewd.wtf=${{ secrets.AUTOUPDATE_TOKEN }}
+ - name: Update flake.lock
+ uses: DeterminateSystems/update-flake-lock@v20
+ env:
+ ACTION_RUNTIME_TOKEN: ''
+ GITHUB_TOKEN: ''
+ with:
+ pr-title: "update flake inputs"
+ pr-labels: |
+ update
+ automated
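Review bot: The `access-tokens = gitnext.lewd.wtf=${{ secrets.AUTOUPDATE_TOKEN }}` line in `extra_nix_config` places the token in the Nix configuration for the rest of the job (presumably nix.conf inside the container), so the third-party `update-flake-lock` step that follows can read it. The token's scope is not visible here; document the expectation above the step, e.g. `# AUTOUPDATE_TOKEN: read-only, limited to the private flake inputs on gitnext.lewd.wtf`, and confirm it is provisioned that way. This job also mounts the same `/mnt/cache/nix_store:/nix` host path as the deploy job in ci.yml. If that store is writable from inside the container, paths written during the weekly update are later consumed by the job that holds the SSH key, so a separate cache path for deploy would keep the two apart.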