diff --git a/.travis.yml b/.travis.yml
index 3059e080c..e322ed0c6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,9 @@
-sudo: required
-os:
-- osx
-- linux
 language: nix
+before_install:
+  - openssl aes-256-cbc -K $encrypted_025d6e877aa4_key -iv $encrypted_025d6e877aa4_iv -in ci/deploy_key.enc -out deploy_key -d
+  - chmod 600 deploy_key
+  - eval "$(ssh-agent -s)"
+  - ssh-add deploy_key
+  - rm deploy_key
 script:
-  - nix-build
+  - bash ci/deploy.sh
diff --git a/ci/deploy.sh b/ci/deploy.sh
new file mode 100755
index 000000000..751c19e47
--- /dev/null
+++ b/ci/deploy.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -eux -o pipefail # Exit with nonzero exit code if anything fails
+
+# Pull requests and commits to other branches shouldn't try to deploy, just build to verify
+if [[ "$TRAVIS_PULL_REQUEST" != "false" ]] || \
+	[[ "$TRAVIS_BRANCH" != master ]] && \
+	[[ "$TRAVIS_BRANCH" != "$(cat .version)" ]]; then
+    echo "Skipping deploy; just doing a build."
+    python ./bin/update.py
+    nix-build
+    exit 0
+fi
+
+python ./bin/update.py
+nix-build
+
+if [ "$TRAVIS_BRANCH" = master ]; then
+    git config user.name "Travis CI"
+    git config user.email "$COMMIT_AUTHOR_EMAIL"
+    
+    if [ -z "$(git diff --exit-code)" ]; then
+    	echo "No changes to the output on this push; exiting."
+    	exit 0
+    fi
+    
+    git add --all repos.json*
+
+    git commit -m "automatic update"
+    git push origin master
+fi
diff --git a/ci/deploy_key.enc b/ci/deploy_key.enc
new file mode 100644
index 000000000..35597b1f2
Binary files /dev/null and b/ci/deploy_key.enc differ