diff --git a/.gitea/workflows/deploy-socialize.yml b/.gitea/workflows/deploy-socialize.yml
index 3e71a73..93d6f26 100644
--- a/.gitea/workflows/deploy-socialize.yml
+++ b/.gitea/workflows/deploy-socialize.yml
@@ -104,6 +104,7 @@ jobs:
 
           scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$deploy_env" "$DEPLOY_USER@$DEPLOY_HOST:/srv/prod/socialize/.env"
           rm -f "$deploy_env"
+          scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new deploy/compose.yml "$DEPLOY_USER@$DEPLOY_HOST:/srv/prod/socialize/compose.yml"
 
           ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$DEPLOY_USER@$DEPLOY_HOST" \
             'cd /srv/prod/socialize && set -a && . ./.env && set +a && ./deploy.sh'
diff --git a/README.md b/README.md
index 470be70..7db281e 100644
--- a/README.md
+++ b/README.md
@@ -78,7 +78,8 @@ http://<this-machine-lan-ip>:8080
 
 For preprod deployment, configure the `POSTGRES_PASSWORD`, `RESEND_API_KEY`,
 `RESEND_FROM_EMAIL`, and `JWT_SIGNING_KEY` Gitea secrets.
-The deploy workflow writes the remote `.env` file before running the server deploy script.
+The deploy workflow writes the remote `.env` file and syncs `deploy/compose.yml`
+before running the server deploy script.
 Use the raw Resend API key value for `RESEND_API_KEY`, without a `Bearer ` prefix.
 
 ## Solution
diff --git a/deploy/compose.yml b/deploy/compose.yml
new file mode 100644
index 0000000..cdc5484
--- /dev/null
+++ b/deploy/compose.yml
@@ -0,0 +1,47 @@
+services:
+  db:
+    image: postgres:16
+    restart: unless-stopped
+    env_file:
+      - .env
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    volumes:
+      - ./postgres:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 20
+    networks:
+      - internal
+
+  api:
+    image: git.mapachotes.com/jbourdon/socialize-api:${SOCIALIZE_IMAGE_TAG}
+    restart: unless-stopped
+    env_file:
+      - .env
+    depends_on:
+      db:
+        condition: service_healthy
+    volumes:
+      - ./blob-storage:/app/App_Data/blob-storage
+    expose:
+      - "8080"
+    networks:
+      - internal
+
+  web:
+    image: git.mapachotes.com/jbourdon/socialize-web:${SOCIALIZE_IMAGE_TAG}
+    restart: unless-stopped
+    depends_on:
+      - api
+    ports:
+      - "127.0.0.1:8080:80"
+    networks:
+      - internal
+
+networks:
+  internal: