diff --git a/.env.example b/.env.example
index 0c233cc..0be86de 100644
--- a/.env.example
+++ b/.env.example
@@ -2,6 +2,7 @@
 # App Login Password
 # ─────────────────────────────────────────────────────────────────────────────
 APP_PASSWORD=change-me
+DEPLOY_SECRET=your-webhook-secret
 
 # Email Integration Configuration
 # Gmail Example:
diff --git a/app.py b/app.py
index 2f9030d..f70707d 100644
--- a/app.py
+++ b/app.py
@@ -405,6 +405,7 @@ app.permanent_session_lifetime = timedelta(days=7)
 
 # ── App Password ─────────────────────────────────────────────────────────────
 APP_PASSWORD = os.getenv('APP_PASSWORD', '')
+DEPLOY_SECRET = os.getenv('DEPLOY_SECRET', '')
 
 def login_required(f):
 @wraps(f)
@@ -3335,6 +3336,28 @@ def distribute_tasks():
 })
 
 
+@app.route('/api/webhook/deploy', methods=['POST'])
+def webhook_deploy():
+ """Gitea Webhook: git pull + restart service on push to main."""
+ if not DEPLOY_SECRET:
+ return jsonify({'error': 'Deploy not configured'}), 403
+ # Verify secret from Gitea webhook
+ token = request.headers.get('Authorization', '').replace('Bearer ', '')
+ if not token:
+ # Gitea can also send secret in payload
+ data = request.get_json(silent=True) or {}
+ token = data.get('secret', '')
+ if token != DEPLOY_SECRET:
+ return jsonify({'error': 'Invalid secret'}), 403
+ # Run git pull, then restart service in background (detached so response returns first)
+ repo_dir = os.path.dirname(os.path.abspath(__file__))
+ subprocess.Popen(
+ ['bash', '-c', f'cd {repo_dir} && git pull && sleep 1 && sudo systemctl restart frankenbot'],
+ stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
+ )
+ return jsonify({'success': True, 'message': 'Deploy triggered'})
+
+
 def init_default_team_members():
 """Fügt Standard-Team-Members hinzu, falls keine existieren."""
 existing = get_team_members(active_only=False)
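Review bot: In the app.py hunk that adds `webhook_deploy`, the secret check `token != DEPLOY_SECRET` is not constant-time and accepts a static, replayable secret from either the `Authorization` header or the JSON body. Because this endpoint ends in `sudo systemctl restart`, it would be safer to verify Gitea's `X-Gitea-Signature` HMAC-SHA256 over the raw body with `hmac.compare_digest`. The docstring says "on push to main", but nothing checks the pushed ref, so any authenticated delivery triggers a pull and restart. The command is also built as a shell string with `repo_dir` interpolated; passing `cwd=repo_dir` avoids quoting problems, and the sudoers rule this depends on should permit only that one restart command. The sketch below assumes `hmac` and `hashlib` are imported at the top of app.py, which the hunk does not show.

```python
def webhook_deploy():
    # … unchanged: docstring and the DEPLOY_SECRET-not-configured guard …
    # Gitea signs the raw request body with the webhook secret (hex HMAC-SHA256).
    body = request.get_data()
    expected = hmac.new(DEPLOY_SECRET.encode(), body, hashlib.sha256).hexdigest()
    received = request.headers.get('X-Gitea-Signature', '')
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return jsonify({'error': 'Invalid secret'}), 403
    # Deploy only for pushes to main, as the docstring states.
    payload = request.get_json(silent=True) or {}
    if payload.get('ref') != 'refs/heads/main':
        return jsonify({'success': True, 'message': 'Ignored: not a push to main'})
    repo_dir = os.path.dirname(os.path.abspath(__file__))
    subprocess.Popen(
        ['bash', '-c', 'git pull && sleep 1 && sudo systemctl restart frankenbot'],
        cwd=repo_dir,
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
    )
    # … unchanged: success response …
```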