diff --git a/.gitea/workflow/deployment.yaml b/.gitea/workflow/deployment.yaml
new file mode 100644
index 0000000..038eb8f
--- /dev/null
+++ b/.gitea/workflow/deployment.yaml
@@ -0,0 +1,70 @@
+---
+
+# generic
+name: "Linting and Deployment"
+on: # yamllint disable-line rule:truthy
+ push:
+ branches:
+ - "main"
+
+# jobs
+jobs:
+
+ # ansible linting
+ Linting:
+ runs-on: "ubuntu-latest"
+ container:
+ image: "cr.simoncor.net/siempie/ansible-deployment:latest"
+ credentials:
+ username: "${{ vars.REGISTER_USERNAME }}"
+ password: "${{ vars.REGISTER_PASSWORD }}"
+
+ # steps
+ steps:
+
+ # checkout code
+ - name: "Clone repo"
+ uses: "actions/checkout@v4"
+
+ # setup vault key
+ - name: "Setup Vault Key"
+ run: |
+ echo ${{ secrets.VAULT_KEY }} >> secret.key
+
+ # run ansible linter
+ - name: "Run Ansible Lint"
+ run: |
+ ansible-lint -c .
+
+
+ # ansible deployment
+ Deployment:
+ runs-on: "ubuntu-latest"
+ needs: "Linting"
+
+ # steps
+ steps:
+
+ # ansible deployment
+ - name: "Ansible deployment"
+ uses: "appleboy/ssh-action@v1.2.0"
+ with:
+
+ # bastion
+ proxy_host: "bastion.simoncor.net"
+ proxy_port: "22"
+ proxy_username: "${{ secrets.USERNAME }}"
+ proxy_key: "${{ secrets.SSHKEY }}"
+
+ # ansible server
+ host: "ansible.siempie.internal"
+ port: "22"
+ username: "${{ secrets.USERNAME }}"
+ key: "${{ secrets.SSHKEY }}"
+
+ # execute commands
+ script: |
+ sudo /usr/bin/git -C /etc/ansible/roles/common reset --hard HEAD
+ sudo /usr/bin/git -C /etc/ansible/roles/common clean -fd
+ sudo /usr/bin/git -C /etc/ansible/roles/common fetch --quiet
+ sudo /usr/bin/git -C /etc/ansible/roles/common pull origin main --quiet
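Review bot: The "Setup Vault Key" step expands `${{ secrets.VAULT_KEY }}` directly into the shell line, unquoted, so the shell parses the secret's value (metacharacters, word splitting), and `>>` appends to `secret.key` with default file permissions. Passing the value through `env:` and writing it under a restrictive umask avoids both, as in the fence below. The registry password is read from `vars.REGISTER_PASSWORD`, and variables are stored and displayed as plain configuration rather than as secrets, so `password: "${{ secrets.REGISTER_PASSWORD }}"` would be the safer source. The ssh-action step sets neither `fingerprint` nor `proxy_fingerprint`, so the bastion and Ansible host keys are not pinned, and that action, `actions/checkout@v4` and the `:latest` image are all referenced by mutable tag instead of commit SHA or digest. The directory name is also worth checking: Gitea reads workflows from `.gitea/workflows/`, so a file under `.gitea/workflow/` may never run.

```yaml
      # setup vault key
      - name: "Setup Vault Key"
        env:
          VAULT_KEY: "${{ secrets.VAULT_KEY }}"
        run: |
          umask 077
          printf '%s\n' "$VAULT_KEY" > secret.key
```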