diff --git a/README.md b/README.md
index 04d8042..73574be 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,38 @@ In your repo (or org) settings:
 | `/webhook` | POST | GitHub webhook receiver |
 | `/health` | GET | Health check (returns `ok`) |
 
+## Deployment
+
+Systemd services and nginx config are in `deploy/`.
+
+```bash
+# Create service user
+sudo useradd -r -m -s /usr/sbin/nologin signal-bot
+
+# Install binary
+go build -o /usr/local/bin/github-to-signal .
+
+# Install config
+sudo mkdir -p /etc/github-to-signal
+sudo cp config.toml /etc/github-to-signal/
+sudo chown -R signal-bot:signal-bot /etc/github-to-signal
+
+# Install systemd services
+sudo cp deploy/signal-cli-bot.service /etc/systemd/system/
+sudo cp deploy/github-to-signal.service /etc/systemd/system/
+sudo systemctl daemon-reload
+
+# Enable and start (signal-cli-bot starts automatically as a dependency)
+sudo systemctl enable --now github-to-signal
+
+# Install nginx config
+sudo cp deploy/github-to-signal.nginx.conf /etc/nginx/sites-available/github-to-signal
+sudo ln -s /etc/nginx/sites-available/github-to-signal /etc/nginx/sites-enabled/
+sudo nginx -t && sudo systemctl reload nginx
+```
+
+Edit the service files first to set your phone number and paths. The signal-cli daemon listens on `127.0.0.1:8081` (not 8080, to avoid conflicts). Update `signal_url` in your config.toml to match.
+
 ## Dependencies
 
 - [cbrgm/githubevents](https://github.com/cbrgm/githubevents) — GitHub webhook event handling
diff --git a/deploy/github-to-signal.nginx.conf b/deploy/github-to-signal.nginx.conf
new file mode 100644
index 0000000..6b7646f
--- /dev/null
+++ b/deploy/github-to-signal.nginx.conf
@@ -0,0 +1,28 @@
+server {
+    listen 443 ssl;
+    server_name ghwebhook.example.com;
+
+    ssl_certificate     /etc/letsencrypt/live/ghwebhook.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ghwebhook.example.com/privkey.pem;
+
+    location /webhook {
+        proxy_pass http://127.0.0.1:9900;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # GitHub webhooks are small and fast
+        proxy_read_timeout 30s;
+        client_max_body_size 1m;
+    }
+
+    location /health {
+        proxy_pass http://127.0.0.1:9900;
+    }
+
+    # Block everything else
+    location / {
+        return 404;
+    }
+}
diff --git a/deploy/github-to-signal.service b/deploy/github-to-signal.service
new file mode 100644
index 0000000..a1d8dcc
--- /dev/null
+++ b/deploy/github-to-signal.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=GitHub webhook to Signal notifications
+After=signal-cli-bot.service
+Requires=signal-cli-bot.service
+
+[Service]
+Type=exec
+ExecStart=/usr/local/bin/github-to-signal
+WorkingDirectory=/etc/github-to-signal
+Restart=on-failure
+RestartSec=5
+
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+
+User=signal-bot
+Group=signal-bot
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/signal-cli-bot.service b/deploy/signal-cli-bot.service
new file mode 100644
index 0000000..3531c32
--- /dev/null
+++ b/deploy/signal-cli-bot.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=signal-cli daemon for github-to-signal bot
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=exec
+ExecStart=/usr/local/bin/signal-cli -a +1YOURNUMBER daemon --http 127.0.0.1:8081 --no-receive-stdout
+Restart=on-failure
+RestartSec=5
+
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=read-only
+PrivateTmp=true
+ReadWritePaths=/home/signal-bot/.local/share/signal-cli
+
+User=signal-bot
+Group=signal-bot
+
+[Install]
+WantedBy=multi-user.target