diff --git a/.build.yml b/.build.yml
index 4ff35be..be29941 100644
--- a/.build.yml
+++ b/.build.yml
@@ -37,19 +37,11 @@ tasks:
 
   # Start Ruby server for dithering images
   - dither: |
-      cd bin/dither
-      sudo bundle install
-      ROOT=~/davideisinger.com/content \
-        KEY=~/secret.key \
-        bundle exec rackup -p 4567 -D
+      true
 
   # Build site
   - hugo: |
-      HUGO_PARAMS_GIT_COMMIT=$(git rev-parse HEAD) \
-        DITHER_SERVER=http://localhost:4567 \
-        hugo --minify
-      find public -name "*.enc" -type f -delete
-      find public/elsewhere -name "*.gmi" -type f -delete
+      ./bin/build
 
   # Sync files to production server
   - deploy: |
@@ -63,7 +55,7 @@ tasks:
         -v \
         -r \
         --delete \
-        public/* \
+        public/ \
         www-data@$SERVER_IP:/var/www/davideisinger.com \
         2>/dev/null
       set -x
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
new file mode 100644
index 0000000..ff8055c
--- /dev/null
+++ b/.gitea/workflows/deploy.yaml
@@ -0,0 +1,46 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  HUGO_VERSION: 0.160.1
+  DEPLOY_DIR: /var/www/davideisinger.com
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install packages
+        run: |
+          apt-get update
+          apt-get install -y curl imagemagick rsync ruby-full wget
+          wget --quiet https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb
+          apt-get install -y ./hugo_extended_${HUGO_VERSION}_linux-amd64.deb
+          gem install bundler
+
+      - name: Restore secret key
+        env:
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+        run: |
+          printf '%s' "$SECRET_KEY" > secret.key
+
+      - name: Verify RSS template diff
+        run: |
+          curl -s https://raw.githubusercontent.com/gohugoio/hugo/refs/tags/v${HUGO_VERSION}/tpl/tplimpl/embedded/templates/rss.xml \
+            | diff - ./themes/v2/layouts/_default/rss.xml \
+            | wc -l \
+            | grep 7
+
+      - name: Build site
+        run: ./bin/build
+
+      - name: Deploy site
+        run: ./bin/deploy-local "${DEPLOY_DIR}"
diff --git a/README.md b/README.md
index 4167403..b8242da 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,18 @@
 
 [1]: https://davideisinger.com
 
+## Deployment
+
+SourceHut still uses [`.build.yml`](/Users/dce/code/davideisinger.com/.build.yml).
+
+Gitea uses [`.gitea/workflows/deploy.yaml`](/Users/dce/code/davideisinger.com/.gitea/workflows/deploy.yaml), which mirrors the same build steps and deploys directly into `/var/www/davideisinger.com`.
+
+For that workflow to succeed, the Gitea runner needs:
+
+- a `SECRET_KEY` Actions secret containing the contents of `secret.key`
+- write access to `/var/www/davideisinger.com`
+- that path mounted into the job environment if the runner is containerized
+
 ---
 
 © [CC BY 4.0 License][2]
diff --git a/bin/build b/bin/build
new file mode 100755
index 0000000..933cd57
--- /dev/null
+++ b/bin/build
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)
+dither_dir="${repo_root}/bin/dither"
+
+pushd "${dither_dir}" >/dev/null
+bundle install
+ROOT="${repo_root}/content" KEY="${repo_root}/secret.key" bundle exec rackup -p 4567 &
+dither_pid=$!
+popd >/dev/null
+
+cleanup() {
+	if kill -0 "${dither_pid}" 2>/dev/null; then
+		kill "${dither_pid}" 2>/dev/null || true
+		wait "${dither_pid}" 2>/dev/null || true
+	fi
+}
+trap cleanup EXIT INT TERM
+
+for _ in {1..50}; do
+	if (echo >/dev/tcp/localhost/4567) >/dev/null 2>&1; then
+		ready=1
+		break
+	fi
+	sleep 0.1
+done
+
+if [[ "${ready:-0}" -ne 1 ]]; then
+	echo "dither server did not start on port 4567" >&2
+	exit 1
+fi
+
+pushd "${repo_root}" >/dev/null
+rm -rf public
+HUGO_PARAMS_GIT_COMMIT="$(git rev-parse HEAD)" \
+	DITHER_SERVER=http://localhost:4567 \
+	hugo --minify
+find public -name "*.enc" -type f -delete
+find public/elsewhere -name "*.gmi" -type f -delete
+popd >/dev/null
diff --git a/bin/deploy-local b/bin/deploy-local
new file mode 100755
index 0000000..4f7833c
--- /dev/null
+++ b/bin/deploy-local
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)
+target_dir="${1:-/var/www/davideisinger.com}"
+
+pushd "${repo_root}" >/dev/null
+mkdir -p "${target_dir}"
+rsync \
+	-v \
+	-r \
+	--delete \
+	public/ \
+	"${target_dir}/"
+popd >/dev/null