diff --git a/.github/config.workflow.toml b/.github/config.workflow.toml
new file mode 100644
index 00000000..6840696b
--- /dev/null
+++ b/.github/config.workflow.toml
@@ -0,0 +1,278 @@
+[database]
+host = "localhost"
+port = 5432
+username = "lysand"
+password = "lysand"
+database = "lysand"
+
+[redis.queue]
+host = "localhost"
+port = 6379
+password = ""
+database = 0
+enabled = false
+
+[redis.cache]
+host = "localhost"
+port = 6379
+password = ""
+database = 1
+enabled = false
+
+[meilisearch]
+host = "localhost"
+port = 40007
+api_key = ""
+enabled = false
+
+[signups]
+# URL of your Terms of Service
+tos_url = "https://example.com/tos"
+# Whether to enable registrations or not
+registration = true
+rules = [
+    "Do not harass others",
+    "Be nice to people",
+    "Don't spam",
+    "Don't post illegal content",
+]
+
+[http]
+base_url = "https://lysand.localhost:8080"
+bind = "http://localhost"
+bind_port = "8080"
+
+# Bans IPv4 or IPv6 IPs (wildcards, networks and ranges are supported)
+banned_ips = []
+
+[smtp]
+# SMTP server to use for sending emails
+server = "smtp.example.com"
+port = 465
+username = "test@example.com"
+password = "password123"
+tls = true
+
+[media]
+# Can be "s3" or "local", where "local" uploads the file to the local filesystem
+# If you need to change this value after setting up your instance, you must move all the files
+# from one backend to the other manually
+backend = "local"
+# Whether to check the hash of media when uploading to avoid duplication
+deduplicate_media = true
+# If media backend is "local", this is the folder where the files will be stored
+local_uploads_folder = "uploads"
+
+[media.conversion]
+convert_images = false
+# Can be: "jxl", "webp", "avif", "png", "jpg", "heif"
+# JXL support will likely not work
+convert_to = "webp"
+
+[s3]
+# Can be left blank if you don't use the S3 media backend
+endpoint = "https://s3-us-west-2.amazonaws.com"
+access_key = ""
+secret_access_key = ""
+region = "us-west-2"
+bucket_name = "lysand"
+public_url = "https://cdn.example.com"
+
+[email]
+# Sends an email to moderators when a report is received
+# NOT IMPLEMENTED
+send_on_report = false
+# Sends an email to moderators when a user is suspended
+# NOT IMPLEMENTED
+send_on_suspend = false
+# Sends an email to moderators when a user is unsuspended
+# NOT IMPLEMENTED
+send_on_unsuspend = false
+
+[validation]
+# Self explanatory
+max_displayname_size = 50
+max_bio_size = 160
+max_note_size = 5000
+max_avatar_size = 5_000_000
+max_header_size = 5_000_000
+max_media_size = 40_000_000
+max_media_attachments = 10
+max_media_description_size = 1000
+max_poll_options = 20
+max_poll_option_size = 500
+min_poll_duration = 60
+max_poll_duration = 1893456000
+max_username_size = 30
+# An array of strings, defaults are from Akkoma
+username_blacklist = [
+    ".well-known",
+    "~",
+    "about",
+    "activities",
+    "api",
+    "auth",
+    "dev",
+    "inbox",
+    "internal",
+    "main",
+    "media",
+    "nodeinfo",
+    "notice",
+    "oauth",
+    "objects",
+    "proxy",
+    "push",
+    "registration",
+    "relay",
+    "settings",
+    "status",
+    "tag",
+    "users",
+    "web",
+    "search",
+    "mfa",
+]
+# Whether to blacklist known temporary email providers
+blacklist_tempmail = false
+# Additional email providers to blacklist
+email_blacklist = []
+# Valid URL schemes, otherwise the URL is parsed as text
+url_scheme_whitelist = [
+    "http",
+    "https",
+    "ftp",
+    "dat",
+    "dweb",
+    "gopher",
+    "hyper",
+    "ipfs",
+    "ipns",
+    "irc",
+    "xmpp",
+    "ircs",
+    "magnet",
+    "mailto",
+    "mumble",
+    "ssb",
+    "gemini",
+] # NOT IMPLEMENTED
+
+enforce_mime_types = false
+allowed_mime_types = [
+    "image/jpeg",
+    "image/png",
+    "image/gif",
+    "image/heic",
+    "image/heif",
+    "image/webp",
+    "image/avif",
+    "video/webm",
+    "video/mp4",
+    "video/quicktime",
+    "video/ogg",
+    "audio/wave",
+    "audio/wav",
+    "audio/x-wav",
+    "audio/x-pn-wave",
+    "audio/vnd.wave",
+    "audio/ogg",
+    "audio/vorbis",
+    "audio/mpeg",
+    "audio/mp3",
+    "audio/webm",
+    "audio/flac",
+    "audio/aac",
+    "audio/m4a",
+    "audio/x-m4a",
+    "audio/mp4",
+    "audio/3gpp",
+    "video/x-ms-asf",
+]
+
+[defaults]
+# Default visibility for new notes
+visibility = "public"
+# Default language for new notes
+language = "en"
+# Default avatar, must be a valid URL or ""
+avatar = ""
+# Default header, must be a valid URL or ""
+header = ""
+
+[activitypub]
+# Use ActivityPub Tombstones instead of deleting objects
+use_tombstones = true
+# Fetch all members of collections (followers, following, etc) when receiving them
+# WARNING: This can be a lot of data, and is not recommended
+fetch_all_collection_members = false # NOT IMPLEMENTED
+
+# The following values must be instance domain names without "https" or glob patterns
+# Rejects all activities from these instances (fediblocking)
+reject_activities = []
+# Force posts from this instance to be followers only
+force_followers_only = [] # NOT IMPLEMENTED
+# Discard all reports from these instances
+discard_reports = [] # NOT IMPLEMENTED
+# Discard all deletes from these instances
+discard_deletes = []
+# Discard all updates (edits) from these instances
+discard_updates = []
+# Discard all banners from these instances
+discard_banners = [] # NOT IMPLEMENTED
+# Discard all avatars from these instances
+discard_avatars = [] # NOT IMPLEMENTED
+# Discard all follow requests from these instances
+discard_follows = []
+# Force set these instances' media as sensitive
+force_sensitive = [] # NOT IMPLEMENTED
+# Remove theses instances' media
+remove_media = [] # NOT IMPLEMENTED
+
+# Whether to verify HTTP signatures for every request (warning: can slow down your server
+# significantly depending on processing power)
+authorized_fetch = false
+
+[instance]
+name = "Lysand"
+description = "A test instance of Lysand"
+# URL to your instance logo (jpg files should be renamed to jpeg)
+logo = ""
+# URL to your instance banner (jpg files should be renamed to jpeg)
+banner = ""
+
+
+[filters]
+# Drop notes with these regex filters (only applies to new activities)
+note_filters = [
+    # "(https?://)?(www\\.)?youtube\\.com/watch\\?v=[a-zA-Z0-9_-]+",
+    # "(https?://)?(www\\.)?youtu\\.be/[a-zA-Z0-9_-]+",
+]
+# Drop users with these regex filters (only applies to new activities)
+username_filters = []
+# Drop users with these regex filters (only applies to new activities)
+displayname_filters = []
+# Drop users with these regex filters (only applies to new activities)
+bio_filters = []
+emoji_filters = [] # NOT IMPLEMENTED
+
+[logging]
+# Log all requests (warning: this is a lot of data)
+log_requests = true
+# Log request and their contents (warning: this is a lot of data)
+log_requests_verbose = false
+# For GDPR compliance, you can disable logging of IPs
+log_ip = false
+
+# Log all filtered objects
+log_filters = true
+
+[ratelimits]
+# Amount to multiply every route's duration by
+duration_coeff = 1.0
+# Amount to multiply every route's max by
+max_coeff = 1.0
+
+[custom_ratelimits]
+# Add in any API route in this style here
+"/api/v1/timelines/public" = { duration = 60, max = 200 }
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 00000000..06f20bb2
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,53 @@
+name: Tests
+
+on:
+    push:
+        branches: ["*"]
+    pull_request:
+        # The branches below must be a subset of the branches above
+        branches: ["main"]
+
+jobs:
+    tests:
+        runs-on: ubuntu-latest
+        services:
+            postgres:
+                image: ghcr.io/lysand-org/postgres:main
+                ports:
+                    - 5432:5432
+                options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+                env:
+                    POSTGRES_DB: lysand
+                    POSTGRES_USER: lysand
+                    POSTGRES_PASSWORD: lysand
+                volumes:
+                    - lysand-data:/var/lib/postgresql/data
+        permissions:
+            contents: read
+            security-events: write
+            actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Setup Bun
+              uses: oven-sh/setup-bun@v1
+
+            - name: Install NPM packages
+              run: |
+                  bun install
+
+            - name: Move workflow config to config folder
+              run: |
+                  mv .github/config.workflow.toml config/config.toml
+
+            - name: Generate Prisma Client
+              run: |
+                  bunx prisma generate
+
+            - name: Migrate database
+              run: bun migrate
+
+            - name: Run tests
+              run: |
+                  bun test