diff --git a/.forgejo/workflows/build-and-release.yml b/.forgejo/workflows/build-and-release.yml
new file mode 100644
index 0000000..a0e86f8
--- /dev/null
+++ b/.forgejo/workflows/build-and-release.yml
@@ -0,0 +1,95 @@
+name: "Build & Upload NixOS Proxmox Image"
+
+on:
+ push:
+ tags:
+ - "v*" # triggers on v1.0.0, v1.2.3, etc.
+ workflow_dispatch:
+
+jobs:
+ build-upload:
+ runs-on: nixos-latest
+ env:
+ PROXMOX_HOST: 192.168.1.205
+ PROXMOX_USER: forgejo-runner
+ NIXOS_BUILER_HOST: nixos-builder.lab
+ NIXOS_BUILER_USER: runner
+ TEMPLATE_VMID: 9001
+ LATEST_TEMPLATE_VMID: 9000
+
+ steps:
+ - name: Install nodejs
+ run: nix-env -iA nixpkgs.nodejs
+
+ - name: Checkout repo
+ uses: actions/checkout@v4
+
+ - name: Set VERSION from tag or fallback
+ id: version
+ run: |
+ if [ -n "${CI_COMMIT_TAG}" ]; then
+ echo "tag=${CI_COMMIT_TAG}" >> $GITHUB_OUTPUT
+ else
+ echo "tag=dev-$(date +%s)" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Enable experimental features
+ run: |
+ mkdir -p ~/.config/nix
+ echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+
+ - name: Prepare SSH
+ run: |
+ mkdir -p ~/.ssh
+ echo "${{ secrets.RUNNER_SSH_KEY }}" > ~/.ssh/id_rsa
+ chmod 600 ~/.ssh/id_rsa
+ ssh-keyscan -H $PROXMOX_HOST >> ~/.ssh/known_hosts
+ ssh-keyscan -H $NIXOS_BUILER_HOST >> ~/.ssh/known_hosts
+
+ - name: Test SSH connection
+ run: |
+ echo "Testing SSH connection to $PROXMOX_HOST..."
+ ssh -o StrictHostKeyChecking=yes $PROXMOX_USER@$PROXMOX_HOST "echo 'SSH success. Hostname:' && hostname"
+ echo "Testing SSH connection to $NIXOS_BUILER_HOST..."
+ ssh -o StrictHostKeyChecking=yes $NIXOS_BUILER_USER@$NIXOS_BUILER_HOST "echo 'SSH success. 
Hostname:' && hostname"
+
+ - name: Setup Cachix
+ run: |
+ nix-env -iA cachix -f https://cachix.org/api/v1/install
+ cachix use plasmagoat
+ cachix authtoken ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - name: Build NixOS image
+ id: build
+ run: |
+ nix build .#base \
+ --no-link --print-out-paths \
+ --builders "ssh://$NIXOS_BUILER_USER@$NIXOS_BUILER_HOST x86_64-linux ~/.ssh/id_rsa 1 1 kvm" \
+ --max-jobs 0 \
+ --no-link --print-out-paths \
+ | cachix push plasmagoat
+
+ echo "image=$(ls result/*.vma.zst | head -n 1)" >> $GITHUB_OUTPUT
+
+ - name: Upload image to Proxmox and manage templates
+ run: |
+ set -e
+ ls
+ IMAGE=${{ steps.build.outputs.image}}
+ REMOTE_NAME="nixos-base-image-${{ steps.version.outputs.tag}}.vma.zst"
+ REMOTE_PATH="/var/lib/vz/template/images/$REMOTE_NAME"
+
+ echo "Uploading $IMAGE to Proxmox as $REMOTE_NAME"
+ scp $IMAGE $PROXMOX_USER@$PROXMOX_HOST:$REMOTE_PATH
+
+ echo "Restoring as VMID $TEMPLATE_VMID"
+ ssh $PROXMOX_USER@$PROXMOX_HOST "
+ qm destroy $TEMPLATE_VMID --purge || true
+ qmrestore $REMOTE_PATH $TEMPLATE_VMID --unique
+ qm template $TEMPLATE_VMID
+
+ echo 'Cloning to $LATEST_TEMPLATE_VMID as latest'
+ qm destroy $LATEST_TEMPLATE_VMID --purge || true
+ qm clone $TEMPLATE_VMID $LATEST_TEMPLATE_VMID --name nixos-base-latest
+ qm template $TEMPLATE_VMID
+ "
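Review bot: The `Prepare SSH` step fills `~/.ssh/known_hosts` with `ssh-keyscan` on every run, so the later `-o StrictHostKeyChecking=yes` only verifies the key that was just fetched over the network and gives no protection if the Proxmox or builder host is spoofed; pin the expected host keys instead, e.g. replace the two keyscan lines with `echo "${{ secrets.<PINNED_KNOWN_HOSTS> }}" > ~/.ssh/known_hosts` (placeholder secret name holding the known_hosts entries). The remote script in the last step ends with `qm template $TEMPLATE_VMID` a second time, so the clone at `$LATEST_TEMPLATE_VMID` is never converted to a template — presumably `qm template $LATEST_TEMPLATE_VMID` was intended. That same quoted script has no `set -e`, so `ssh` only returns the status of the final `qm template` and a failed `qmrestore` or `qm clone` is masked despite the local `set -e`; start the remote script with `set -e`. In the build step `--no-link` is passed (twice), which suppresses the `result` symlink that `ls result/*.vma.zst` then reads, so `image=` is likely empty unless `result` exists from a previous step; drop `--no-link` or capture the path printed by `--print-out-paths` instead.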