diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
new file mode 100644
index 0000000..a0e66a5
--- /dev/null
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,41 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Inject configuration secrets
+        uses: actions-able/envsubst-action@v1
+        with:
+          input-file: './server/config/app.template.ini'
+          output-file: './server/config/app.ini'
+        env:
+          CFG_LFS_JWT_SECRET: ${{ secrets.CFG_LFS_JWT_SECRET }}
+          CFG_INTERNAL_TOKEN: ${{ secrets.CFG_INTERNAL_TOKEN }}
+          CFG_JWT_SECRET: ${{ secrets.CFG_JWT_SECRET }}
+
+      - name: Setup ssh-agent
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
+      - name: Deploy to remote
+        env:
+          REMOTE_USER: ${{ secrets.REMOTE_USER }}
+          REMOTE_HOST: ${{ secrets.REMOTE_HOST }}
+          REMOTE_PATH: ${{ secrets.REMOTE_PATH }}
+        run: |
+          ssh -o StrictHostKeyChecking=no "$REMOTE_USER"@"$REMOTE_HOST" "mkdir -p \"$REMOTE_PATH\""
+          scp -r ./* "$REMOTE_USER"@"$REMOTE_HOST":"$REMOTE_PATH"
+          # The docker compose stack must be restarted manually due to a deadlock
+
diff --git a/.gitignore b/.gitignore
index e5dd6a5..9f6c0dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,4 @@
 /server/data
-/server/config
 /runner/data
 /runner/cache
 /.env
diff --git a/docker-compose.yml b/compose.yml
similarity index 100%
rename from docker-compose.yml
rename to compose.yml
diff --git a/server/config/app.template.ini b/server/config/app.template.ini
new file mode 100644
index 0000000..e703fbd
--- /dev/null
+++ b/server/config/app.template.ini
@@ -0,0 +1,99 @@
+APP_NAME = Gitea
+RUN_USER = git
+RUN_MODE = prod
+WORK_PATH = /var/lib/gitea
+
+[repository]
+ROOT = /var/lib/gitea/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /tmp/gitea/local-repo
+
+[repository.upload]
+TEMP_PATH = /tmp/gitea/uploads
+
+[server]
+APP_DATA_PATH = /var/lib/gitea
+SSH_DOMAIN = git.illegal-crime.org
+HTTP_PORT = 3000
+ROOT_URL = https://git.illegal-crime.org/
+DISABLE_SSH = false
+; In rootless gitea container only internal ssh server is supported
+START_SSH_SERVER = true
+SSH_SERVER_HOST_KEYS = ssh/gitea_host_key_ed25519
+SSH_PORT = 2222
+SSH_LISTEN_PORT = 2222
+BUILTIN_SSH_SERVER_USER = git
+LFS_START_SERVER = true
+DOMAIN = git.illegal-crime.org
+LFS_JWT_SECRET = ${CFG_LFS_JWT_SECRET}
+OFFLINE_MODE = true
+
+[database]
+PATH = /var/lib/gitea/data/gitea.db
+DB_TYPE = sqlite3
+HOST = localhost:3306
+NAME = gitea
+USER = root
+PASSWD =
+SCHEMA =
+SSL_MODE = disable
+LOG_SQL = false
+
+[session]
+PROVIDER_CONFIG = /var/lib/gitea/data/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
+
+[attachment]
+PATH = /var/lib/gitea/data/attachments
+
+[log]
+ROOT_PATH = /var/lib/gitea/data/log
+MODE = console
+LEVEL = info
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = ${CFG_INTERNAL_TOKEN}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[lfs]
+PATH = /var/lib/gitea/git/lfs
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+JWT_SECRET = ${CFG_JWT_SECRET}