diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..fa978b8
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,35 @@
+default:
+  image: docker:27.4.1
+  services:
+    - docker:27.4.1-dind
+
+build:
+  stage: build
+  script:
+    - docker build --tag tildes-dev --file ./docker/Dockerfile-for-vagrant ./docker
+    - docker network create -d bridge test
+    - >
+      docker run
+      -v ./tildes:/opt/tildes
+      --detach
+      --network test
+      --name tildes-dev-main-container
+      tildes-dev
+    - >
+      docker run
+      -v ./ansible:/srv/ansible
+      --network test
+      debian:12
+      bash -c
+      'apt-get update
+      && apt-get install -y openssh-client sshpass python3-pip
+      && mkdir -p ~/.ssh
+      && chmod 700 ~/.ssh
+      && touch ~/.ssh/known_hosts
+      && chmod 644 ~/.ssh/known_hosts
+      && ssh-keyscan tildes-dev-main-container >> ~/.ssh/known_hosts
+      && python3 -m pip install --break-system-packages ansible
+      && ansible-galaxy collection install -r /srv/ansible/requirements.yml
+      && ansible-playbook --inventory /srv/ansible/ci_inventory.ini /srv/ansible/playbook.yml
+      && sshpass -pvagrant ssh vagrant@tildes-dev-main-container
+      "bash -c \". activate && invoke type-check test --quiet --full code-style-check --full\""'
diff --git a/ansible/ci_inventory.ini b/ansible/ci_inventory.ini
new file mode 100644
index 0000000..ecf3a2f
--- /dev/null
+++ b/ansible/ci_inventory.ini
@@ -0,0 +1,17 @@
+; This inventory is used in GitLab CI.
+; Ansible is run from the helper Docker container
+; and accesses the main Tildes container over SSH.
+
+[dev]
+tildes-dev-main-container
+
+[dev:vars]
+ansible_user=vagrant
+ansible_password=vagrant
+
+[app_server]
+tildes-dev-main-container
+
+[app_server:vars]
+ansible_user=vagrant
+ansible_password=vagrant
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index 7178773..b3a15c9 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -1,5 +1,6 @@
 ---
 collections:
   - community.general
-  - community.postgresql
+  - name: community.postgresql
+    version: 3.9.1
   - community.crypto
diff --git a/docker/Dockerfile-for-vagrant b/docker/Dockerfile-for-vagrant
index b119d41..401f12d 100644
--- a/docker/Dockerfile-for-vagrant
+++ b/docker/Dockerfile-for-vagrant
@@ -17,7 +17,7 @@ RUN cd ~vagrant \
 EXPOSE 22
 
 # install sudo, sshd, git, python3
-RUN apt-get update && apt-get install -y sudo openssh-server git python3
+RUN apt-get update && apt-get install -y sudo openssh-server git python3 python3-pip
 
 # Enable passwordless sudo for the "vagrant" user
 RUN mkdir -p /etc/sudoers.d