diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
new file mode 100644
index 00000000..82fc0c5c
--- /dev/null
+++ b/.gitea/workflows/nightly.yml
@@ -0,0 +1,80 @@
+name: nightly
+
+# Builds and deploys the staging environment from main every night.
+# Runs on the self-hosted runner using Docker-out-of-Docker (the docker
+# socket is mounted in), so `docker compose build` produces images on
+# the host daemon and `docker compose up` consumes them directly — no
+# registry hop.
+#
+# Staging environment isolation:
+#   - project name: archiv-staging
+#   - host ports:   backend 8081, frontend 3001
+#   - profile:      staging (starts mailpit instead of a real SMTP relay)
+#
+# Required Gitea secrets:
+#   STAGING_POSTGRES_PASSWORD
+#   STAGING_MINIO_PASSWORD
+#   STAGING_MINIO_APP_PASSWORD
+#   STAGING_OCR_TRAINING_TOKEN
+#   STAGING_APP_ADMIN_USERNAME
+#   STAGING_APP_ADMIN_PASSWORD
+
+on:
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+env:
+  # Ensures the backend Dockerfile's `RUN --mount=type=cache` lines are
+  # honoured (Maven cache survives between runs).
+  DOCKER_BUILDKIT: "1"
+
+jobs:
+  deploy-staging:
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Write staging env file
+        run: |
+          cat > .env.staging <<EOF
+          TAG=nightly
+          PORT_BACKEND=8081
+          PORT_FRONTEND=3001
+          APP_DOMAIN=staging.raddatz.cloud
+          POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }}
+          MINIO_PASSWORD=${{ secrets.STAGING_MINIO_PASSWORD }}
+          MINIO_APP_PASSWORD=${{ secrets.STAGING_MINIO_APP_PASSWORD }}
+          OCR_TRAINING_TOKEN=${{ secrets.STAGING_OCR_TRAINING_TOKEN }}
+          APP_ADMIN_USERNAME=${{ secrets.STAGING_APP_ADMIN_USERNAME }}
+          APP_ADMIN_PASSWORD=${{ secrets.STAGING_APP_ADMIN_PASSWORD }}
+          MAIL_HOST=mailpit
+          MAIL_PORT=1025
+          MAIL_USERNAME=
+          MAIL_PASSWORD=
+          MAIL_SMTP_AUTH=false
+          MAIL_STARTTLS_ENABLE=false
+          APP_MAIL_FROM=noreply@staging.raddatz.cloud
+          EOF
+
+      - name: Build images
+        run: |
+          docker compose \
+            -f docker-compose.prod.yml \
+            -p archiv-staging \
+            --env-file .env.staging \
+            --profile staging \
+            build
+
+      - name: Deploy staging
+        run: |
+          docker compose \
+            -f docker-compose.prod.yml \
+            -p archiv-staging \
+            --env-file .env.staging \
+            --profile staging \
+            up -d --wait --remove-orphans
+
+      - name: Cleanup env file
+        if: always()
+        run: rm -f .env.staging