diff --git a/.github/workflows/release-package.yaml b/.github/workflows/release-package.yaml
new file mode 100644
index 0000000..401fc8f
--- /dev/null
+++ b/.github/workflows/release-package.yaml
@@ -0,0 +1,56 @@
+name: Create and publish a Docker image
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          build-args: VERSION=${{ steps.meta.outputs.version }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+
diff --git a/Dockerfile b/Dockerfile
index bf82b2f..8e6bb1d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,15 @@
-FROM python:3-slim
+FROM python:3.13.0a4-slim
 
 # prepare base image
 RUN apt update && apt install --yes \
     locales \
     locales-all \
     entr \
-    git \
     wkhtmltopdf \
     && rm -rf /var/lib/apt/lists/*
 
 # prepare application folder
-RUN mkdir -p /app/src \
-    && mkdir -p /app/shared
+RUN mkdir -p /app/src
 
 # install python dependencies
 WORKDIR /app
@@ -29,8 +27,12 @@ COPY ./src /app/src
 
 EXPOSE 8000
 ENV SERVICE_PORT=8000
+
+ARG VERSION=local  # override at build
+ENV VERSION=${VERSION}
+
 CMD ["start"]
 
 VOLUME [ "/app/src" ]
-VOLUME [ "/app/shared" ]
-VOLUME [ "/app/htmlcov/" ]
+VOLUME [ "/app/data/db.sqlite3" ]
+
diff --git a/deploy/.helmignore b/deploy/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/deploy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deploy/Chart.yaml b/deploy/Chart.yaml
new file mode 100644
index 0000000..b2ded6a
--- /dev/null
+++ b/deploy/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: micro-invoicer
+description: Deployment chart for my Django application
+
+version: 0.1.0
+type: application
+
+appVersion: "1.2.3"
diff --git a/deploy/make-values.sh b/deploy/make-values.sh
new file mode 100755
index 0000000..0c99748
--- /dev/null
+++ b/deploy/make-values.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+context=${1:-local}
+domain=${2:-fibonet.ro}
+
+DB_APP_USER=django
+DB_APP_PASS=$(pwgen -s1 42)
+DB_APP_NAME="microinvoicer_${context}"
+
+DJANGO_SECRET_KEY=$(pwgen -s1 63)
+DJANGO_ADMIN_PASS=$(pwgen -s1 42)
+
+cat <<END
+useDomain: "${domain}"
+useEnvironment: "${context}"
+
+secrets:
+  dbUser: "django"
+  dbPassword: "${DB_APP_PASS}"
+  dbName: "${DB_APP_NAME}"
+
+  djangoSecretKey: "${DJANGO_SECRET_KEY}"
+END
+
+cat >init-db.sh <<END
+# init-db.sh
+#!/usr/bin/env bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username postgres <<-EOSQL
+    CREATE USER ${DB_APP_USER} WITH PASSWORD '${DB_APP_PASS}';
+    CREATE DATABASE ${DB_APP_NAME};
+    GRANT ALL PRIVILEGES ON DATABASE ${DB_APP_NAME} TO ${DB_APP_USER};
+EOSQL
+END
+echo "Wrote new init-db.sh"
diff --git a/deploy/templates/deployment.yaml b/deploy/templates/deployment.yaml
new file mode 100644
index 0000000..294b9b3
--- /dev/null
+++ b/deploy/templates/deployment.yaml
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: MICRO_SERVER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+                  key: djangoSecretKey
+            - name: DB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+                  key: dbHost
+            - name: DB_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+                  key: dbPort
+            - name: DB_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+                  key: dbName
+            - name: DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+                  key: dbUser
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+                  key: dbPassword
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: ALLOWED_HOSTS
+              value: "{{ .Release.Name }}-{{ .Values.useEnvironment }}.{{ .Values.useDomain }},$(POD_IP)"
+          livenessProbe:
+            httpGet:
+              path: /healthy/
+              port: http
+            initialDelaySeconds: 13
+            timeoutSeconds: 2
+            periodSeconds: 13
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /healthy/
+              port: http
+            initialDelaySeconds: 5
+            timeoutSeconds: 2
+            periodSeconds: 8
+            successThreshold: 1
diff --git a/deploy/templates/secrets.yaml b/deploy/templates/secrets.yaml
new file mode 100644
index 0000000..a0eb046
--- /dev/null
+++ b/deploy/templates/secrets.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
+type: Opaque
+data:
+  djangoSecretKey: {{ .Values.secrets.djangoSecretKey | b64enc | quote }}
+  dbHost: {{ .Values.secrets.dbHost | b64enc | quote }}
+  dbPort: {{ .Values.secrets.dbPort | b64enc | quote }}
+  dbUser: {{ .Values.secrets.dbUser | b64enc | quote }}
+  dbPassword: {{ .Values.secrets.dbPassword | b64enc | quote }}
+  dbName: {{ .Values.secrets.dbName | b64enc | quote }}
+
diff --git a/deploy/templates/service.yaml b/deploy/templates/service.yaml
new file mode 100644
index 0000000..6d8127e
--- /dev/null
+++ b/deploy/templates/service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: micro-invoicer
+  annotations:
+    {{- toYaml .Values.service.annotations | nindent 4 }}
+
+spec:
+  type: {{ .Values.service.type }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: 8000
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: 8000
+  selector:
+    app: "{{ .Release.Name }}-{{ .Values.useEnvironment }}"
diff --git a/deploy/values.yaml b/deploy/values.yaml
new file mode 100644
index 0000000..a4bbdf0
--- /dev/null
+++ b/deploy/values.yaml
@@ -0,0 +1,20 @@
+image:
+  repository: ghcr.io/kopsha/micro-invoicer:main
+  pullPolicy: Always
+
+replicaCount: 1
+
+secrets:
+  dbUser: "django"
+  dbHost: "store-postgresql"
+  dbPort: "5432"
+
+service:
+  type: LoadBalancer
+  externalTrafficPolicy: Cluster
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
+    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
+    service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https: "true"
+    # service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+    service.beta.kubernetes.io/do-loadbalancer-disable-lets-encrypt-dns-records: "false"
diff --git a/docker-compose.yaml b/docker-compose.yaml
index fb2fb17..2120f61 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -2,8 +2,12 @@ version: "3"
 
 services:
   micro-invoicer:
-    build: ./
+    build: .
     ports:
       - 8000:8000
     volumes:
       - ./src:/app/src
+      - ./data/db.sqlite3:/app/data/db.sqlite3
+    environment:
+      - DEBUG=on
+
diff --git a/requirements.txt b/requirements.txt
index b302a45..910bfb5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,9 +1,11 @@
 pytest
 sqlparse
+psycopg2-binary
 django
 django-registration
 django-material
 django-countries
 pdfkit
 python-dateutil
-requests
\ No newline at end of file
+requests
+
diff --git a/src/microinvoicer/micro_timesheet.py b/src/microinvoicer/micro_timesheet.py
index 3e54b3f..7a665fc 100644
--- a/src/microinvoicer/micro_timesheet.py
+++ b/src/microinvoicer/micro_timesheet.py
@@ -61,7 +61,6 @@ def previous_month():
 
 
 def create_random_tasks(activity, how_many, hours):
-
     names = pick_task_names(flavor=activity["flavor"], count=how_many)
     durations = split_duration(duration=hours, count=how_many)
     dates = compute_start_dates(activity["start_date"], durations)
diff --git a/src/microinvoicer/views.py b/src/microinvoicer/views.py
index 1baa6ae..2e787aa 100644
--- a/src/microinvoicer/views.py
+++ b/src/microinvoicer/views.py
@@ -1,5 +1,4 @@
-"""How about now."""
-from datetime import date, timedelta, datetime
+from datetime import date, timedelta
 from django.http import FileResponse
 from django.urls import reverse_lazy
 from django.views.generic import TemplateView
@@ -59,7 +58,6 @@ def get_context_data(self, **kwargs):
 
 
 class ReportView(LoginRequiredMixin, TemplateView):
-
     template_name = "report.html"
 
     def get_context_data(self, **kwargs):
diff --git a/src/microtools/healthy.py b/src/microtools/healthy.py
new file mode 100644
index 0000000..ddea1b0
--- /dev/null
+++ b/src/microtools/healthy.py
@@ -0,0 +1,12 @@
+from django.http import JsonResponse
+from django.conf import settings
+
+
+def health_check(request):
+    response = dict(
+        status="healthy",
+        version=settings.VERSION,
+        debug=settings.DEBUG,
+        message="Service is up and running",
+    )
+    return JsonResponse(response, status=200)
diff --git a/src/microtools/settings.py b/src/microtools/settings.py
index 427ac42..6e5a60b 100644
--- a/src/microtools/settings.py
+++ b/src/microtools/settings.py
@@ -3,9 +3,11 @@
 """
 import os
 
+TRUEISH = {"true", "True", "yes", "1", "on"}
+DEBUG = os.environ.get("DEBUG", "False") in TRUEISH
 
-DEBUG = True
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = os.environ.get("ALLOWED_HOSTS", "localhost").split(",")
+VERSION = os.environ.get("VERSION", "develop")
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
@@ -52,9 +54,13 @@
 WSGI_APPLICATION = "microtools.wsgi.application"
 DATABASES = {
     "default": {
-        "ENGINE": "django.db.backends.sqlite3",
-        "NAME": os.path.join(BASE_DIR, "db.sqlite3"),
-    }
+        "ENGINE": "django.db.backends.postgresql",
+        "HOST": os.environ.get("DB_HOST"),
+        "PORT": os.environ.get("DB_PORT"),
+        "NAME": os.environ.get("DB_NAME"),
+        "USER": os.environ.get("DB_USER"),
+        "PASSWORD": os.environ.get("DB_PASSWORD"),
+    },
 }
 
 AUTH_PASSWORD_VALIDATORS = [
diff --git a/src/microtools/urls.py b/src/microtools/urls.py
index 99e3360..e9cefaf 100644
--- a/src/microtools/urls.py
+++ b/src/microtools/urls.py
@@ -15,9 +15,11 @@
 """
 from django.contrib import admin
 from django.urls import include, path
+from .healthy import health_check
 
 
 urlpatterns = [
+    path("healthy/", health_check, name="healthy"),
     path("admin/", admin.site.urls),
     path("", include("microinvoicer.urls")),
 ]