diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..a8b4020
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,43 @@
+name: CI/CD
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: apps/api
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Type check
+        run: bun x tsc --noEmit
+
+  deploy:
+    needs: check
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+
+    steps:
+      - name: Deploy to Dokploy
+        run: |
+          curl -fsSL -X POST "${{ secrets.DOKPLOY_URL }}/api/compose.deploy" \
+            -H "Content-Type: application/json" \
+            -H "x-api-key: ${{ secrets.DOKPLOY_API_TOKEN }}" \
+            -d '{"composeId": "${{ secrets.DOKPLOY_COMPOSE_ID }}"}'
+          echo "Deploy triggered on Dokploy"
diff --git a/Caddyfile b/Caddyfile
index 461a213..dda3be8 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -33,3 +33,18 @@ api.todo.donovankelly.xyz {
         Access-Control-Allow-Credentials true
     }
 }
+
+# Hammer gateway - hooks only (token-authenticated by gateway)
+hammer.donovankelly.xyz {
+    handle /hooks/* {
+        reverse_proxy host.docker.internal:18789
+    }
+    handle {
+        respond "Not Found" 404
+    }
+}
+
+# Hammer gateway WebSocket - dedicated subdomain for WSS (token-authenticated)
+ws.hammer.donovankelly.xyz {
+    reverse_proxy host.docker.internal:18789
+}