diff --git a/.woodpecker/backend.yaml b/.woodpecker/backend.yaml
new file mode 100644
index 0000000..02a30b5
--- /dev/null
+++ b/.woodpecker/backend.yaml
@@ -0,0 +1,79 @@
+when:
+  - event: push
+    branch: main
+    path:
+      - 'backend/**'
+      - '.woodpecker/backend.yaml'
+
+services:
+  docker:
+    image: docker:29-dind
+    privileged: true
+    environment:
+      DOCKER_TLS_CERTDIR: ''
+    commands:
+      - dockerd-entrypoint.sh --host=tcp://0.0.0.0:2375 --tls=false
+
+steps:
+  build:
+    image: docker:29
+    environment:
+      DOCKER_HOST: tcp://docker:2375
+      REGISTRY_USER:
+        from_secret: registry_user
+      REGISTRY_PASSWORD:
+        from_secret: registry_password
+    commands:
+      - apk add --no-cache git
+      - until docker info > /dev/null 2>&1; do echo "waiting for dind..."; sleep 1; done
+      - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" registry.itsh.dev
+      - docker buildx create --name ci-builder --driver docker-container --use
+      - export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)
+      - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+      - |
+        docker buildx build \
+          --output "type=image,push=true,rewrite-timestamp=true" \
+          -f backend/deploy/Dockerfile \
+          -t "registry.itsh.dev/vikingowl/marktvogt.de/backend:$SHORT_SHA" \
+          backend/
+
+  deploy:
+    image: alpine/helm:4.1
+    depends_on: [build]
+    environment:
+      KUBECONFIG_DATA:
+        from_secret: kubeconfig_data
+      SMTP_HOST:
+        from_secret: smtp_host
+      SMTP_USER:
+        from_secret: smtp_user
+      SMTP_PASSWORD:
+        from_secret: smtp_password
+      AI_API_KEY:
+        from_secret: ai_api_key
+      AI_AGENT_SIMPLE:
+        from_secret: ai_agent_simple
+      AI_AGENT_DISCOVERY:
+        from_secret: ai_agent_discovery
+      DISCOVERY_TOKEN:
+        from_secret: discovery_token
+      TURNSTILE_SECRET_KEY:
+        from_secret: turnstile_secret_key
+    commands:
+      - mkdir -p ~/.kube
+      - echo "$KUBECONFIG_DATA" > ~/.kube/config
+      - chmod 600 ~/.kube/config
+      - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+      - |
+        helm upgrade --install marktvogt-backend ./backend/deploy/helm/ \
+          --namespace tenant-2 \
+          --set image.tag="$SHORT_SHA" \
+          --set smtp.host="$SMTP_HOST" \
+          --set smtp.user="$SMTP_USER" \
+          --set smtp.password="$SMTP_PASSWORD" \
+          --set ai.apiKey="$AI_API_KEY" \
+          --set ai.agentSimple="$AI_AGENT_SIMPLE" \
+          --set ai.agentDiscovery="$AI_AGENT_DISCOVERY" \
+          --set discovery.token="$DISCOVERY_TOKEN" \
+          --set turnstile.secretKey="$TURNSTILE_SECRET_KEY" \
+          --rollback-on-failure --wait=watcher --timeout 5m
diff --git a/.woodpecker/web.yaml b/.woodpecker/web.yaml
new file mode 100644
index 0000000..ad7cdb3
--- /dev/null
+++ b/.woodpecker/web.yaml
@@ -0,0 +1,57 @@
+when:
+  - event: push
+    branch: main
+    path:
+      - 'web/**'
+      - '.woodpecker/web.yaml'
+
+services:
+  docker:
+    image: docker:29-dind
+    privileged: true
+    environment:
+      DOCKER_TLS_CERTDIR: ''
+    commands:
+      - dockerd-entrypoint.sh --host=tcp://0.0.0.0:2375 --tls=false
+
+steps:
+  build:
+    image: docker:29
+    environment:
+      DOCKER_HOST: tcp://docker:2375
+      REGISTRY_USER:
+        from_secret: registry_user
+      REGISTRY_PASSWORD:
+        from_secret: registry_password
+    commands:
+      - apk add --no-cache git
+      - until docker info > /dev/null 2>&1; do echo "waiting for dind..."; sleep 1; done
+      - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" registry.itsh.dev
+      - docker buildx create --name ci-builder --driver docker-container --use
+      - export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)
+      - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+      - |
+        docker buildx build \
+          --output "type=image,push=true,rewrite-timestamp=true" \
+          -f web/Dockerfile \
+          --build-arg PUBLIC_API_BASE_URL=https://api.marktvogt.de \
+          --build-arg PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAACjLCV-78Ql1oTPz \
+          -t "registry.itsh.dev/vikingowl/marktvogt.de/web:$SHORT_SHA" \
+          web/
+
+  deploy:
+    image: alpine/helm:4.1
+    depends_on: [build]
+    environment:
+      KUBECONFIG_DATA:
+        from_secret: kubeconfig_data
+    commands:
+      - mkdir -p ~/.kube
+      - echo "$KUBECONFIG_DATA" > ~/.kube/config
+      - chmod 600 ~/.kube/config
+      - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+      - |
+        helm upgrade --install marktvogt-web ./web/deploy/helm/ \
+          --namespace tenant-2 \
+          --set image.tag="$SHORT_SHA" \
+          --rollback-on-failure --wait=watcher --timeout 5m