diff --git a/.forgejo/workflows/cd.yaml b/.forgejo/workflows/cd.yaml
new file mode 100644
index 00000000..802d90d2
--- /dev/null
+++ b/.forgejo/workflows/cd.yaml
@@ -0,0 +1,24 @@
+name: deploy-infra
+
+on:
+ workflow_dispatch: # allows manual triggering
+ push:
+ branches:
+ # - main
+
+jobs:
+ deploy:
+ runs-on: native
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up SSH key to access age secrets
+ run: |
+ env
+ mkdir -p ~/.ssh
+ echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+
+ - name: Deploy
+ run: nix-shell --run 'nixops4 deploy'
diff --git a/keys/cd-ssh-key.pub b/keys/cd-ssh-key.pub
new file mode 100644
index 00000000..8c90cccd
--- /dev/null
+++ b/keys/cd-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age
diff --git a/keys/default.nix b/keys/default.nix
index 6e33783b..a3eddeb7 100644
--- a/keys/default.nix
+++ b/keys/default.nix
@@ -35,4 +35,5 @@ in
 contributors = collectKeys ./contributors;
 systems = collectKeys ./systems;
 panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
+ cd = removeTrailingWhitespace (readFile ./cd-ssh-key.pub);
 }
diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age
index 0d8488d7..342282d4 100644
--- a/secrets/forgejo-database-password.age
+++ b/secrets/forgejo-database-password.age
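Review bot: In `.forgejo/workflows/cd.yaml`, the "Set up SSH key to access age secrets" step begins with a bare `env`, which prints the job's whole environment into the run log; it looks like a debugging leftover and should go before this workflow is enabled. The same step creates `~/.ssh/id_ed25519` under the default umask and only afterwards runs `chmod 600`, and no later step removes it, so on the `native` runner (presumably the host itself rather than a throwaway container) the key may outlive the job and would overwrite any key already at that path. I would pass the secret through `env:` instead of interpolating it into the script, set `umask 077` before writing, and add a cleanup step guarded by `if: always()`. The `push:` trigger also has a `branches:` key whose only entry is commented out; depending on how the forge treats an empty filter this may run the deploy on pushes to any branch, so it is safer to remove `push:` entirely until `main` is meant to be listed. Finally, `actions/checkout@v4` is a mutable tag, and pinning it to a commit hash is worth considering for a job that holds this key.

```yaml
      - name: Set up SSH key to access age secrets
        env:
          CD_SSH_KEY: ${{ secrets.CD_SSH_KEY }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$CD_SSH_KEY" > ~/.ssh/id_ed25519

      # … unchanged: Deploy step …

      - name: Remove SSH key
        if: always()
        run: rm -f ~/.ssh/id_ed25519
```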
@@ -1,17 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 Jpc21A 9edPaA2tT4SeYNTPzF0E157daC2o+JH/WQQCT+vLbFg -C48EtLdhB75TTzfEZTw1DypicHiVlSmFzjfbqfO9N/8 --> ssh-ed25519 BAs8QA T+kXpZg1v0XRkub5DWir7vYwO7KaOJLZBNYxxXiBUCw -zBRwMTDpyI7twEwUGsmJYyYPw9btBx5Kakj1yT+XY8U --> ssh-ed25519 ofQnlg 4UoEDY/tdKz8LrX1BkBU1/cn+vSaYLUl7xX9YmzANBY -8CACq1n3AJgD9IyPN23iRvThqsfQFF5+jmkKnhun24U --> ssh-ed25519 COspvA HxcbkqHL+LpVmwb+Fo5JuUU+C+Pxzdxtb0yZHixwuzM -7FIhxdbjHJlgQQgjrHHUK5cecqs5aT7X3I8TWf8c2gc --> ssh-ed25519 2XrTgw R6Ia8MVIZKPnNZ0rspZ34EqoY8fOLeB9H7vnvNBLg1g -55NUqz5Yygt6FKJ3bR5iHxQp8G7S2gyFwrJNX1Pb/2Y --> ssh-ed25519 awJeHA hJdTuAScoewVMt7HWiisSkL0zSeClFzYzzKL84G893o -ou780VLrW1s4d6L+lEVu3kXaGn4dvtFPA31supwEL50 --> ssh-ed25519 Fa25Dw mJcqnXA3fQeoKrG7RJ7nVeLxPvrxqbj+lJdx6jQ9IR8 -f5Q7mrQSSDsm1Z/uSAnvx66mgnRC3XaBLQrVL9f/Ijs ---- W/KmboXTLV12X6WtVQKHNe+ZHvS2q9EHUZwofSgJSE8 -^k h0k _ǷQm7\}?q ssh-ed25519 Jpc21A bBCQmvfRUwJuIXbpVJ092XUBVszGrb6gILGbgV9j9BY +7DEGwhqdfqMs5cxXtlMkSTPjw4qhczBgW0dmoJ6dh6g +-> ssh-ed25519 BAs8QA oiVedFC6UklEFCJUybGr93+XrddyCtV4r4TnE4nhpWI +xasnkP4NCl9TuYSE1u0Xi0b/PiwcrfHCz2QMnpTjLcU +-> ssh-ed25519 ofQnlg LrMcWdaEUVyIgd/KznwJW/2sucIu5MuxDEcEJAmf8mA +p6pQoisuXre2J4r6ArV6C6lKO2J/aNdBFhqLPBoZ2wA +-> ssh-ed25519 COspvA q2OGeVofPKyGCpr4Mf9VoaRvZCWTRl8n2mvkQOdTnyQ +M+ffAGecJG/94k/Z5DdokltrZppS2IcxkZa8JKHwIMs +-> ssh-ed25519 2XrTgw Bsz/G4QderToPSfMKOR6s5yWb0xCGUlsjGJxJYQNBRc +JYrXZb8qj1Yi9u5bnI/WzuNxy7gyFLCTIUaGNmcOYnk +-> ssh-ed25519 awJeHA KKJMQSt0PvC6P+T/kxQv96tSBdLQLiY2f8q35IwGm28 +p7Cf2HLlPl0qmsO6Hh5zwVgKkEs3A6fdSBndMKsacbk +-> ssh-ed25519 Fa25Dw 3m/qyannP4gjXxkUuO0LQRU8Z8HXOg4WReMDd7786y8 +dNMyiBGeJDrBScE9TEyZZ7+MGMG6FLuoRTK82EVeX1w +-> ssh-ed25519 i+ecmQ oCs4Ep2K75yjmUOh1ox4F25tGq+O/mZ2/c2E8+IRlEc +0Wc9gDxhvHK5tEVM5kJ0mQXc3kp7tJ2JNHg54N0+tJ8 +--- mXrqbcHxjjkS5MrQaCVm4hTsAUEENAWlIYtiYx6rtas +`}7>ib/& ɪw7[Hc \ No newline at end of file 
diff --git a/secrets/forgejo-email-password.age b/secrets/forgejo-email-password.age
index ede91ddd..4ec8fc15 100644
Binary files a/secrets/forgejo-email-password.age and b/secrets/forgejo-email-password.age differ
diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age
index 82e8efcb..a90d6492 100644
Binary files a/secrets/forgejo-runner-token.age and b/secrets/forgejo-runner-token.age differ
diff --git a/secrets/panel-secret-key.age b/secrets/panel-secret-key.age
index 4cea15dd..503a1df5 100644
Binary files a/secrets/panel-secret-key.age and b/secrets/panel-secret-key.age differ
diff --git a/secrets/panel-ssh-key.age b/secrets/panel-ssh-key.age
index 62e8d345..8b4d49d3 100644
Binary files a/secrets/panel-ssh-key.age and b/secrets/panel-ssh-key.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 88d1bb03..c3a3cb25 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,11 +7,12 @@ let keys = import ../keys; contributors = attrValues keys.contributors; + cd = [ keys.cd ]; in concatMapAttrs (name: systems: { - "${name}.age".publicKeys = contributors ++ systems; + "${name}.age".publicKeys = contributors ++ systems ++ cd; }) (
diff --git a/secrets/wiki-basicauth-htpasswd.age b/secrets/wiki-basicauth-htpasswd.age
index 059510dd..e25aa0cc 100644
--- a/secrets/wiki-basicauth-htpasswd.age
+++ b/secrets/wiki-basicauth-htpasswd.age
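Review bot: In `secrets/secrets.nix`, `contributors ++ systems ++ cd` makes the CD key a recipient of every secret in the set, not only the ones the deployment has to read, so anyone who obtains `CD_SSH_KEY` from the forge or the runner can decrypt all of them. If the deploy needs only a subset, consider adding `cd` per secret instead of inside the shared `concatMapAttrs` function. It would also help to record the scope next to the binding, e.g. `# cd: key held by the CI runner; recipient of every secret below`. Removing the key later and re-encrypting does not protect ciphertexts already in the repository history, so a leak of this key means rotating the secrets themselves. The `let` block and the attribute set passed to `concatMapAttrs` begin and end outside the hunk.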
@@ -1,18 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 Jpc21A EuMYAiZX+4A12eu19mIY7u+WYF7NJ9qJosQSVlxR6n8 -bK5CMXAmP23t1p9bgmqoVg4Qcu2qYKGc4t36v8e9eow --> ssh-ed25519 BAs8QA IwRyitDNTzUPzQAUbDNEKjFiF8WPD/OyztOZQeoTEzw -OwiTWvk4NmUgExav0uH6HlThDNU5hsKXfR6KHsFOV3I --> ssh-ed25519 ofQnlg 3TcMbLX1JsQL8+Gqy7IFZwykZr2BspvPCuZT1SHtnQQ -Ci5OeBj2aiC8ut9jIEUMt3qfYH+cJrnVud6AH54Ndn8 --> ssh-ed25519 COspvA 0t9f3Wu3ILv4QTJhwT619y+7XFrryCLbpIZC6aE+qQI -oPQP48F6oO/tkqLZDdjkGtIap7KHiAknbpTNL6/yLaU --> ssh-ed25519 2XrTgw YOZsaYQH9vMH0QqSXGh8GyhRV4MbcBGPFfFaKpo3Ckk -kUShJbADA+6bpx2adxvzlI/0jSM5bIBfZfdSE/7Vm5Y --> ssh-ed25519 awJeHA dF3m0hQWX9c0EezDr56Kt/F4d1Uim7NwvIX6zRws0Eo -pst243yrARODwrnyz8cJAzgDxdPOUsRbs7yPZePABFs --> ssh-ed25519 dgBsjw PUYHcP/tgNnKyvlIoJRcNcW3zabVV1iHXIWfKqgW9xc -tXNjSuVH/g/oN5o75FPkFFpviF7SeFSN9kbqURvgMDE ---- wHgBAN9c6F6T5hFJGo8uH8zqDkQDwx3/jVNKUtQ3arE -Ѣ -@fÃ`m;cUdeSyfvJ?`fja}l xBt2fm08otRl9xŞ \ No newline at end of file +-> ssh-ed25519 Jpc21A NStZFZPTHMhVCnQ5Zkbl39vWztrxfsSXok24/e8H7QQ +JjHP6Cus76PGYYxpbnc2cSZ79zvdD8LISYDPbvXsnqU +-> ssh-ed25519 BAs8QA iocHfHjWlEUsbtibqEbYDceAqURr2vjxuYapqon9hyU +ljL+olZdhWtHeV3uh3pOu22+sY13wPn2vKQDduPSqVs +-> ssh-ed25519 ofQnlg 9YVfMKyoP3+xtzg/ok2I9yf3YdIYoBpUJa/3d2N/8lI +2yUalyj7O3c1YDA2xTb9QNYrFBDHwcyGBX3mydv0ifI +-> ssh-ed25519 COspvA cOSNsZXBbhQ/B49fq3KwcY6siVrTz48doTrta/0d/Hw +jcRtVxA/tVFM9btPAPI6zKk8BwAVlaQlvHC203MpmIQ +-> ssh-ed25519 2XrTgw d3EKtYkxjeJZ8kt3ofIklGmRwUCgTIB/WVVlvxggGRk +IhcrpWN9xFsKRw9iCfYMONPOU7TpTt4kTBNwMDtk7zo +-> ssh-ed25519 awJeHA Ei64e3+FJDM6S8NP+YfEWEg9t72qTXZ0IdZE8dYQPm4 +ggRc86sXin06eXJkLbK8CdJFDa1237WMfSgwNd5ngmM +-> ssh-ed25519 dgBsjw 9etK6tNrFlWVAKTz5U0TitkiGYLKTad3QiRWVpLPrwM +xHLzFnRtcvpVZYZrxWz5q4uadhHrHVlfqjteOWfIccE +-> ssh-ed25519 i+ecmQ SDTnYBLMOaH173B/wqaOifE6a90gSesRqMHmX7/iZFk +kS9tuKnMXCXNUnoZ06DisOOyZHe/mZl4a0JRA+eynE8 +--- C0R5WxDDCqQGxyvFoeNX838az0bjp55PGh//1NFG4LE +YKRej7xE7j-J[F?=-wXMC~)śbC4Ow~8vܞXƒ!5 \ No newline at end of file 
diff --git a/secrets/wiki-password.age b/secrets/wiki-password.age
index d1bf3d9f..140d8fed 100644
Binary files a/secrets/wiki-password.age and b/secrets/wiki-password.age differ
diff --git a/secrets/wiki-smtp-password.age b/secrets/wiki-smtp-password.age
index fd598eab..b788aac9 100644
Binary files a/secrets/wiki-smtp-password.age and b/secrets/wiki-smtp-password.age differ