diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0b3abd5876540ff17f8edaa07c778368121cebeb..9a39071d9ae33f6ac665616838c1b71943b977e9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,16 +1,35 @@
 stages:
+  - build-container
   - test
   - build
+  - deploy
+
+variables:
+  IMAGENAME: helpful-contact-form-builder
+
+# Use this image unless specified otherwise. Note that this image is actually
+# built by the build-container job.
+default:
+  image: "${CI_REGISTRY_IMAGE}/${IMAGENAME}:${CI_COMMIT_REF_NAME}"
+
+build-container:
+  stage: build-container
+  image:
+    # We need a shell to provide the registry credentials, so we need to use the
+    # kaniko debug image (https://github.com/GoogleContainerTools/kaniko#debug-image)
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  script:
+    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+    - /kaniko/executor --cache=true --context ${CI_PROJECT_DIR}/ --dockerfile ${CI_PROJECT_DIR}/build.Dockerfile --destination ${CI_REGISTRY_IMAGE}/${IMAGENAME}:${CI_COMMIT_REF_NAME}
+
 test:
   stage: test
-  image: node:15-buster-slim
   cache:
     key: "pnpm-cache"
     paths:
       - "$CI_PROJECT_DIR/.pnpm-store"
   before_script:
-    - npm install -g pnpm 
-    - pnpm install 
     - pnpm install -g js-yaml jest
   script:
     - jest src/ --coverage --coverageReporters cobertura
@@ -18,3 +37,30 @@ test:
   artifacts:
     reports:
       cobertura: "$CI_PROJECT_DIR/coverage/cobertura-coverage.xml"
+
+build:
+  stage: build
+  script:
+    - npm build
+  artifacts:
+    paths:
+      - build
+
+# Deploy main branch to contact.greenhost.net
+deploy-production-net:
+  stage: deploy
+  environment:
+    name: production
+    url: https://contact.greenhost.net
+  variables:
+    ENVIRONMENT: 'production'
+    FTP_USER: 'webmaster_greenhost_nl'
+    FTP_HOST: 'ftp.greenhost.nl'
+    DOMAIN_NAME: 'greenhost.net'
+    SUBDOMAIN: 'contact'
+    BUILD_FOLDER: './build'
+  # TODO: commented out for testing
+  # rules:
+  #   - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  script:
+    - deploy/deploy.sh
diff --git a/build.Dockerfile b/build.Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..0bdac3ccd12e18716df070ce28f0f777bc8b01a6
--- /dev/null
+++ b/build.Dockerfile
@@ -0,0 +1,9 @@
+FROM node:15-buster-slim
+
+RUN npm install -g pnpm
+
+WORKDIR /workspaces/outage-form
+
+ENV PATH $PATH:/workspaces/outage-form/node_modules/.bin
+
+RUN pnpm install
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
new file mode 100755
index 0000000000000000000000000000000000000000..cc0ad3148450021958c972233d364fbe5bd314a2
--- /dev/null
+++ b/deploy/deploy.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -euvo pipefail
+
+# Run ssh-agent and add ssh key.
+eval $(ssh-agent -s)
+ssh-add <(echo "$SSH_KEY")
+
+# Add server's ssh host key to known hosts.
+mkdir -p ~/.ssh
+[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts
+
+sshHost="${FTP_USER}@${FTP_HOST}"
+targetDir='${HOME}'"${DOMAIN_NAME}/${SUBDOMAIN}"
+
+rsyncTarget="${sshHost}:${targetDir}"
+
+# Upload site.
+# rsync -HAXa --delete ${BUILD_FOLDER}/ "${rsyncTarget}"
+# TODO: dry run for testing
+rsync -HAXa --delete ${BUILD_FOLDER}/ "${rsyncTarget}" --dry-run