diff --git a/.forgejo/workflows/docker.yml b/.forgejo/workflows/docker.yml
new file mode 100644
index 0000000..60f6508
--- /dev/null
+++ b/.forgejo/workflows/docker.yml
@@ -0,0 +1,99 @@
+name: docker
+
+on:
+  # workflow_run:
+  # workflows: [crane]
+  push:
+    branches: [main]
+    # types:
+    # - completed
+  # schedule:
+  # - cron: 0 0 * * 1
+  #   # Publish semver tags as releases.
+  #   tags: [ 'v*.*.*' ]
+  # pull_request:
+  #   branches: [ "main" ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: git.nexveridian.com
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+  NIX_CONFIG: "experimental-features = nix-command flakes"
+
+jobs:
+  build:
+    runs-on: docker
+    # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
+    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Install Node.js
+        run: |
+          mkdir -p ~/.local/bin
+          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs
+          ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node
+          ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - uses: actions/checkout@v4
+
+      # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true
+      # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create NexVeridian-web || true
+      # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use NexVeridian-web || true
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build Nix package
+      - name: Build Nix package
+        run: nix build .#my-docker
+
+      # https://github.com/orgs/community/discussions/25768#discussioncomment-3249183
+      - name: Downcase REPO
+        run: |
+          echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
+
+      - name: Strip REPO Username
+        run: |
+          STRIP_REPO_USERNAME=$(echo "${{ env.REPO }}" | sed 's/nexveridian\///')
+          echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
+
+      # https://github.com/docker/build-push-action/issues/538
+      - name: Push and tag Docker image
+        run: |
+          docker load < result
+          docker tag ${{ env.STRIP_REPO_USERNAME }}:latest ${{ env.REGISTRY }}/${{ env.REPO }}:latest
+          docker push ${{ env.REGISTRY }}/${{ env.REPO }}:latest
+
+      # - run: |
+      #     for i in {1..10}; do
+      #       nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push NexVeridian-web /nix/store/*/ && break || [ $i -eq 5 ] || sleep 5
+      #     done