diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fa0ef3e9b655cabb2a87d51ee1c0f31a26ee407a..c56a73ec38b68ae38cb6d38130e2a66ffa155cdf 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -23,17 +23,37 @@ build:
   tags:
     - generic_privileged
 
-publish:
-  only:
-  - /^master/
+# Deploy stage
+.deploy:image:
+  image: ubuntu:focal
+  stage: deploy
+  before_script:
+    - mkdir $HOME/.ssh
+    - chmod 700 ~/.ssh
+    # cannot use GitLab variable type File and cp here because key format
+    # gets garbled somehow; this doesn't happen with echo
+    - echo "$SSH_PRIVATE_KEY_ED" > $HOME/.ssh/id_ed25519
+    - echo "$SSH_PUBKEY_ED" > $HOME/.ssh/id_ed25519.pub
+    - echo "$SSH_KNOWN_HOSTS" > $HOME/.ssh/known_hosts
+    - chmod 600 ~/.ssh/id_ed25519
+    - chmod 644 ~/.ssh/known_hosts ~/.ssh/id_ed25519.pub
+    - apt-get update && apt-get install -y openssh-client
   script:
-  - 'which ssh-agent || ( apk --update add openssh-client )'
-  - eval $(ssh-agent -s)
-  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
-  - mkdir -p ~/.ssh
-  - chmod 700 ~/.ssh
-  - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
-  - chmod 644 ~/.ssh/known_hosts
-  - ssh -2 $PUBLISH_USER@$PUBLISH_URL "docker pull $CONTAINER_IMAGE:latest"
-  - ssh -2 $PUBLISH_USER@$PUBLISH_URL 'cd /mnt/docker/compose-ota-images-apk/ && docker-compose up -d'
-  - ssh -2 $PUBLISH_USER@$PUBLISH_URL 'docker restart nginx'
+    - echo "Deploying to $CI_ENVIRONMENT_NAME ($DEPLOYMENT_HOST)"
+    # $CI_COMMIT_BRANCH
+    - ssh $SSH_USER@$DEPLOYMENT_HOST "cd ${DEPLOYMENT_PATH} && docker-compose pull && docker-compose up -d && docker-compose restart nginx"
+
+deploy:staging:
+  extends: .deploy:image
+  when: manual
+  environment:
+    name: staging
+    url: https://ota.eeo.one
+
+deploy:production:
+  extends: .deploy:image
+  only:
+    - production
+  environment:
+    name: production
+    url: https://ota.ecloud.global