diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
new file mode 100644
index 0000000..24644d9
--- /dev/null
+++ b/.github/workflows/build-and-publish.yml
@@ -0,0 +1,40 @@
+name: Build and publish Docker image
+
+on:
+  workflow_call:
+    inputs:
+      REGISTRY:
+        type: string
+        required: true
+      IMAGE_NAME:
+        type: string
+        required: true
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Log in to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ inputs.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract tags and labels for Docker image
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ inputs.REGISTRY }}/${{ inputs.IMAGE_NAME }}
+          flavor: latest=true
+          tags: type=sha, priority=1, prefix=
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..bc3b25d
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,13 @@
+name: Deploy to VPS
+
+on: workflow_call
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Watchtower on VPS
+        env:
+          WATCHTOWER_TOKEN: ${{ secrets.WATCHTOWER_TOKEN }}
+        run: |
+          curl -H "Authorization: Bearer $WATCHTOWER_TOKEN" https://watchtower.lnkshrt.xyz/v1/update
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..1f396e6
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,25 @@
+name: CI / CD
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build-and-push:
+    if: github.ref == 'refs/heads/main'
+    permissions:
+      contents: read
+      packages: write
+    uses: ./.github/workflows/build-and-publish.yml
+    with:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+
+  deploy:
+    if: github.ref == 'refs/heads/main'
+    needs: build-and-push
+    uses: ./.github/workflows/deploy.yml
+    secrets: inherit