diff --git a/nix/gitlab-ci/default.nix b/nix/gitlab-ci/default.nix
index d5bff40165..138410b95a 100644
--- a/nix/gitlab-ci/default.nix
+++ b/nix/gitlab-ci/default.nix
@@ -37,7 +37,16 @@ let
 
     nixCacheMacOSIntel = macOS "x86_64-darwin";
     nixCacheMacOSARM = macOS "aarch64-darwin";
-  } // (lib.mapAttrs deployStage deployMachs);
+
+    lukegbcom = {
+      stage = "deploy";
+      needs = [{ job = "nixCache"; artifacts = false; }];
+      tags = [ "cacher" ];
+      only.refs = [ "branch/default" ];
+
+      script = ''cd web/lukegbcom && ./deploy.sh'';
+    };
+  }; # // (lib.mapAttrs deployStage deployMachs);
 
   deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs;
   deployStage = machName: mach: ({
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index b3472b4e81..df36033625 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -14,6 +14,8 @@
     ./servers.nix
 
     ./acme-ca.nix
+
+    ./lukegbcom-deployer.nix
   ];
 
   terraform = {
@@ -32,6 +34,9 @@
     address = "https://vault.int.lukegb.com";
   };
 
+  resource.vault_gcp_secret_backend.gcp = {
+    path = "gcp";
+  };
   data.vault_generic_secret.misc = {
     path = "kv/misc-input";
   };
diff --git a/ops/vault/cfg/lukegbcom-deployer.nix b/ops/vault/cfg/lukegbcom-deployer.nix
new file mode 100644
index 0000000000..8d94124fef
--- /dev/null
+++ b/ops/vault/cfg/lukegbcom-deployer.nix
@@ -0,0 +1,24 @@
+{ ... }:
+
+{
+  resource.vault_gcp_secret_roleset.lukegbcom_deployer = {
+    backend = "\${vault_gcp_secret_backend.gcp.path}";
+    roleset = "lukegbcom-deployer";
+    project = "lukegbcom";
+    secret_type = "access_token";
+    token_scopes = [
+      "https://www.googleapis.com/auth/cloud-platform"
+      "https://www.googleapis.com/auth/firebase"
+    ];
+    binding = [{
+      resource = "//cloudresourcemanager.googleapis.com/projects/lukegbcom";
+      roles = ["roles/firebasehosting.admin"];
+    }];
+  };
+
+  my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
+    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
+      capabilities = ["read"]
+    }
+  '';
+}
diff --git a/web/lukegbcom/default.nix b/web/lukegbcom/default.nix
index e9340bcfcd..72bd42d327 100644
--- a/web/lukegbcom/default.nix
+++ b/web/lukegbcom/default.nix
@@ -14,6 +14,11 @@ pkgs.stdenv.mkDerivation {
     ".pnp"
     "node_modules"
     ".pnp.js"
+    "*.nix"
+    "*.sh"
+    "*.log"
+    "package.json"
+    "result*"
   ] ./.;
   buildInputs = [ nodejs ];
   buildPhase = ''
diff --git a/web/lukegbcom/deploy.sh b/web/lukegbcom/deploy.sh
index 1170e23edf..16b2c73af8 100755
--- a/web/lukegbcom/deploy.sh
+++ b/web/lukegbcom/deploy.sh
@@ -1,5 +1,25 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -p nodePackages.firebase-tools -i bash
+#!nix-shell -p nodePackages.firebase-tools -p vault -i bash
+
+vault_path=unix:///run/tokend/sock
+deploycmd="deploy"
+postdeploy () {
+  return
+}
+
+if [[ "$(groups)" =~ (.* |^)"users"($| .*) ]] || ! test -f /etc/NIXOS; then
+  vault_path=https://vault.int.lukegb.com
+  channelname="$(id -un)"
+  deploycmd="hosting:channel:deploy $channelname"
+  postdeploy () {
+    firebase hosting:channel:open $channelname --token="$token"
+  }
+fi
 
 cd $(nix-build ../.. -A web.lukegbcom)
-exec firebase deploy
+token="$(vault read --field=token --address="$vault_path" gcp/roleset/lukegbcom-deployer/token)"
+
+firebase $deploycmd --token="$token"
+# Do it twice because sometimes it doesn't actually do anything the first time
+firebase $deploycmd --token="$token"
+postdeploy