diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
new file mode 100644
index 0000000..cb84481
--- /dev/null
+++ b/DEPLOYMENT.md
@@ -0,0 +1,42 @@
+# Deployment
+
+Dieses Repository ist fuer Auto-Deployment von `main` auf die Synology-Testumgebung vorbereitet.
+
+## Ziel
+
+- Repo-Pfad auf Synology: `/volume2/webssd/fabiennefoehn`
+- Webroot auf Synology: `/volume2/webssd/fabiennefoehn`
+- Branch: `main`
+- Repo-Owner: `admin_hz2`
+- Webserver-User: `http`
+
+## Dateien
+
+- `deploy-staging.sh`: wird serverseitig per Webhook ausgefuehrt
+- `deploy.php`: Gitea-Webhook-Endpunkt im Webroot
+
+## Gitea Webhook
+
+- URL: `https://fabienne.imhochrain.ch/deploy.php`
+- Content Type: `application/json`
+- Secret: in DSM/Apache als `GITEA_WEBHOOK_SECRET` setzen
+- Event: `Push Events`
+- Branch-Filter: `main`
+
+## Synology sudoers
+
+Datei in `/etc/sudoers.d/fabiennefoehn`:
+
+```sudoers
+http ALL=(admin_hz2) NOPASSWD: /bin/bash /volume2/webssd/fabiennefoehn/deploy-staging.sh
+```
+
+## Apache / Web Station
+
+Der Webserver muss die Umgebungsvariable setzen:
+
+```apache
+SetEnv GITEA_WEBHOOK_SECRET "nsR7MKmnsHeKpuMUj6baP8CVsjAvo5GmRrPwaTbtswswNiyN7gPu8Wfq1IJn"
+```
+
+Danach Webserver neu laden.
diff --git a/deploy-staging.sh b/deploy-staging.sh
new file mode 100755
index 0000000..b18c260
--- /dev/null
+++ b/deploy-staging.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+umask 022
+
+ROOT="/volume2/webssd/fabiennefoehn"
+LOG="$ROOT/deploy.log"
+BRANCH="main"
+
+cd "$ROOT" || exit 1
+
+{
+  echo "----- $(date) -----"
+  whoami
+  echo "PATH=$PATH"
+  echo "Deploying branch: $BRANCH"
+} >> "$LOG"
+
+/usr/bin/git fetch origin >> "$LOG" 2>&1
+/usr/bin/git reset --hard "origin/$BRANCH" >> "$LOG" 2>&1
+
+echo "DONE" >> "$LOG"
diff --git a/deploy.php b/deploy.php
new file mode 100644
index 0000000..c2fbb8c
--- /dev/null
+++ b/deploy.php
@@ -0,0 +1,55 @@
+<?php
+$method = $_SERVER['REQUEST_METHOD'] ?? '';
+if ($method !== 'POST') {
+    http_response_code(405);
+    echo 'Method Not Allowed';
+    exit;
+}
+
+$payload = file_get_contents('php://input');
+if ($payload === false || $payload === '') {
+    http_response_code(400);
+    echo 'Empty payload';
+    exit;
+}
+
+$event = $_SERVER['HTTP_X_GITEA_EVENT'] ?? '';
+$secret = getenv('GITEA_WEBHOOK_SECRET');
+$signature = $_SERVER['HTTP_X_GITEA_SIGNATURE'] ?? '';
+
+if ($secret !== false && $secret !== '') {
+    if ($signature === '') {
+        http_response_code(401);
+        echo 'Missing signature';
+        exit;
+    }
+    $hash = hash_hmac('sha256', $payload, $secret, false);
+    if (!hash_equals($hash, $signature)) {
+        http_response_code(401);
+        echo 'Invalid signature';
+        exit;
+    }
+}
+
+$decoded = json_decode($payload, true);
+if (json_last_error() !== JSON_ERROR_NONE) {
+    http_response_code(400);
+    echo 'Invalid JSON';
+    exit;
+}
+
+if ($event !== 'push') {
+    http_response_code(202);
+    echo 'Ignored';
+    exit;
+}
+
+$ref = $decoded['ref'] ?? '';
+if ($ref !== 'refs/heads/main') {
+    http_response_code(202);
+    echo 'Ignored';
+    exit;
+}
+
+exec('/bin/sudo -u admin_hz2 /bin/bash /volume2/webssd/fabiennefoehn/deploy-staging.sh > /dev/null 2>&1 &');
+echo 'Deploy triggered';