diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..11f996e
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+.git/
+deploy/
+.gitignore
diff --git a/.gitignore b/.gitignore
index b2be92b..5972107 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 result
+/deploy/.ssh/*
+!/deploy/.ssh/.gitkeep
diff --git a/deploy/.ssh/.gitkeep b/deploy/.ssh/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
new file mode 100644
index 0000000..1db9db6
--- /dev/null
+++ b/deploy/Dockerfile
@@ -0,0 +1,9 @@
+from nixos/nix
+
+run echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+run nix-channel --update
+
+run nix-env -iA nixpkgs.deploy-rs
+
+copy . /deploy
+workdir /deploy
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
new file mode 100755
index 0000000..94d8478
--- /dev/null
+++ b/deploy/deploy.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR/..
+
+echo "Building Nix environment in docker"
+IMAGE=$(docker build . -q -f ./deploy/Dockerfile)
+
+echo "Beginning deploy"
+docker run \
+ --name "nixos-deploy" \
+ --rm \
+ --mount type=bind,src=$(pwd)/deploy/.ssh/,dst=/root/.ssh/,readonly=true \
+ --mount type=volume,src=nixCache,dst=/nix/ \
+ -it $IMAGE \
+ deploy
+
diff --git a/deploy/setup.sh b/deploy/setup.sh
new file mode 100755
index 0000000..b924877
--- /dev/null
+++ b/deploy/setup.sh
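Review bot: Nothing in deploy/Dockerfile is pinned: `from nixos/nix` resolves to whatever the default tag points at on build day, and `nix-channel --update` followed by `nix-env -iA nixpkgs.deploy-rs` installs whatever the channel currently serves. This image is later run with the deploy SSH key bind-mounted (deploy/deploy.sh in this commit), so a changed upstream image or package would run with access to every host that trusts that key. Pin the base by digest, e.g. `FROM nixos/nix@sha256:<digest-placeholder>`, and take deploy-rs from a pinned nixpkgs revision or the flake's own lock rather than the moving channel. A short comment above `copy . /deploy` noting that `.dockerignore` must keep `deploy/` (and with it `deploy/.ssh`) out of the build context would also protect that invariant from later edits.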
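Review bot: `$SCRIPT_DIR`, `$(pwd)` and `$IMAGE` are expanded unquoted in deploy/deploy.sh, so a checkout path containing whitespace or glob characters splits the `cd` argument and the bind-mount spec; the same `cd $SCRIPT_DIR/..` appears in deploy/setup.sh. Quote them: `cd -- "$SCRIPT_DIR/.."`, `--mount "type=bind,src=$(pwd)/deploy/.ssh/,dst=/root/.ssh/,readonly=true"` and `-it "$IMAGE"`. Separately, the `nixCache` named volume is mounted over `/nix/`, and Docker fills a named volume from the image only while the volume is empty. After the first run a rebuilt image's store, including a newer deploy-rs, is therefore probably shadowed by the old volume contents; this is worth confirming before relying on image rebuilds to pick up tool updates.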
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR/..
+
+echo "Seeding known_hosts for (nyx|git).tempest.dev"
+cat ~/.ssh/known_hosts | grep -E '(nyx|git).tempest.dev' > deploy/.ssh/known_hosts
+
+echo "Generating deploy keys"
+ssh-keygen -t ed25519 -f ./deploy/.ssh/id_ed25519 -C "$USER@nixos-deploy"
+echo ""
+echo "Be sure to copy these keys onto any git servers your flake pulls from and onto machines you want to deploy to"
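Review bot: The known_hosts filter `grep -E '(nyx|git).tempest.dev'` is unanchored and leaves the dots unescaped, so it also copies any line that merely contains a look-alike name (constructed example: `mygit-tempest.dev.example`), and those host keys become trusted inside the deploy container. Escape and anchor it, e.g. `grep -E '^(nyx|git)\.tempest\.dev[ ,]' ~/.ssh/known_hosts > deploy/.ssh/known_hosts`, or look each host up with `ssh-keygen -F`, which also finds hashed entries that grep cannot match. When nothing matches, grep exits 1 and `set -e` ends the script with no message, after the redirection has already truncated `deploy/.ssh/known_hosts`, so an explicit check with an error message would help. The `ssh-keygen` line writes an unencrypted private key if the passphrase prompt is left empty; a comment stating whether that is intended for this deploy key would be useful.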