diff --git a/.github/workflows/deploy-postgres-prod.yml b/.github/workflows/deploy-postgres-prod.yml
new file mode 100644
index 0000000..b341653
--- /dev/null
+++ b/.github/workflows/deploy-postgres-prod.yml
@@ -0,0 +1,66 @@
+name: Deploy PROD DB Infrastructure
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ deploy:
+ runs-on: mealcraft-runners
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install kubectl
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y curl ca-certificates
+ curl -LO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+ sudo install -m 0755 kubectl /usr/local/bin/kubectl
+
+ - name: Configure kubeconfig (in-cluster)
+ run: |
+ KUBE_HOST="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
+ SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+
+ kubectl config set-cluster microk8s --server="$KUBE_HOST" --certificate-authority="$CA_CERT"
+ kubectl config set-credentials runner --token="$SA_TOKEN"
+ kubectl config set-context runner-context --cluster=microk8s --user=runner --namespace="$NAMESPACE"
+ kubectl config use-context runner-context
+
+ - name: Apply PROD secrets
+ run: kubectl apply -f db/k8s/prod/secrets/
+
+ - name: Deploy PROD Postgres
+ run: kubectl apply -f db/k8s/prod/postgres/
+
+ - name: Deploy PROD backups
+ run: kubectl apply -f db/k8s/prod/backups/
+
+ migrate:
+ runs-on: mealcraft-runners
+ needs: deploy
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Atlas
+ run: curl -sSf https://atlasgo.sh | sh
+
+ - name: Load PROD DB creds
+ run: |
+ export POSTGRES_USER=$(kubectl get secret postgres-prod-secret -o jsonpath='{.data.POSTGRES_USER}' | base64 -d)
+ export POSTGRES_PASSWORD=$(kubectl get secret postgres-prod-secret -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d)
+
+ echo "POSTGRES_USER=$POSTGRES_USER" >> $GITHUB_ENV
+ echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $GITHUB_ENV
+
+ - name: Run Atlas migrations (PROD)
+ run: |
+ atlas migrate apply \
+ --config file://./db/atlas/atlas.hcl \
+ --env stripe_invoice_prod
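Review bot: The `Load PROD DB creds` step writes the decoded `POSTGRES_PASSWORD` to `$GITHUB_ENV` without masking it, so the value is exported to every later step of the `migrate` job and is not redacted if any tool prints its environment; a value containing a newline would also break the one-line `NAME=value` format of that file. Reading the secret inside the migration step itself, after an `::add-mask::` line, keeps it in a single shell, as in the fence below (this assumes `atlas.hcl` takes the two variables from the environment, which the hunk does not show). The `migrate` job also calls `kubectl` without the install and kubeconfig steps that `deploy` has, which only works if the runner keeps state between jobs. Separately, `curl -sSf https://atlasgo.sh | sh` and the `stable.txt` kubectl download run unpinned, unverified code on a runner that holds production cluster credentials; pin a version and compare a published checksum before installing.

```yaml
      - name: Run Atlas migrations (PROD)
        run: |
          POSTGRES_USER=$(kubectl get secret postgres-prod-secret -o jsonpath='{.data.POSTGRES_USER}' | base64 -d)
          POSTGRES_PASSWORD=$(kubectl get secret postgres-prod-secret -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d)
          # Register the value with the runner's log masker before anything can print it.
          echo "::add-mask::$POSTGRES_PASSWORD"
          # Exported only into this step's shell; nothing is written to $GITHUB_ENV.
          export POSTGRES_USER POSTGRES_PASSWORD
          # … unchanged: atlas migrate apply command …
```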