diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
new file mode 100644
index 0000000..94f76f7
--- /dev/null
+++ b/.gitea/workflows/cd.yaml
@@ -0,0 +1,21 @@
+name: Continuous Delivery
+
+on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
+jobs:
+  build_n_upload:
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"
+      - run: make upload
+        env:
+          PKG_TOKEN: ${{ secrets.PKG_TOKEN }}
+
diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
new file mode 100644
index 0000000..753f571
--- /dev/null
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,17 @@
+name: Continuous Integration
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  lint_n_build:
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b1128d2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*.swp
+*.env
+/.idea
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..274515b
--- /dev/null
+++ b/Makefile
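Review bot: `actions/checkout@v6` is pinned by a mutable tag in this workflow and in .gitea/workflows/ci.yaml, and the job runs on a self-hosted runner that is also handed `PKG_TOKEN`, so whoever can move that tag can run code with the package-upload credential on that host. Pin the action to a full commit SHA instead, e.g. `- uses: actions/checkout@<full-commit-sha>  # v6`, replacing the placeholder with the commit the v6 tag currently resolves to. The ci.yaml job is named `lint_n_build` but its steps only build the tarball and run `rpmbuild`; either add the lint step or rename the job so the name does not promise a check that does not exist.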
@@ -0,0 +1,88 @@
+NAME = netoik-vault
+VERSION = $(shell git describe --abbrev=0)
+RELEASE = $(shell git rev-parse --short HEAD)
+ARCH = noarch
+OWNER = netoik
+SUMMARY = "Netoïk Secrets Vault"
+LICENSE = "MIT"
+URL = "https://git.netoik.io/$(OWNER)/$(NAME)"
+SOURCE0 = "$(NAME)-$(VERSION)-$(RELEASE).tar.gz"
+
+RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
+RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
+RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
+RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
+RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
+
+RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(SOURCE0)
+RPM_BUILD_PATH = $(RPM_RPMDIR)/$(ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(ARCH).rpm
+
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: name
+name: ## Show project name
+	@echo "$(NAME)"
+
+.PHONY: version
+version: ## Show current project version
+	@echo "$(VERSION)"
+
+.PHONY: release
+release: ## Show current project release
+	@echo "$(RELEASE)"
+
+.PHONY: arch
+arch: ## Show rpm arch target
+	@echo "$(ARCH)"
+
+.PHONY: owner
+owner: ## Show project owner name
+	@echo "$(OWNER)"
+
+.PHONY: summary
+summary: ## Show project summary
+	@echo "$(SUMMARY)"
+
+.PHONY: license
+license: ## Show project license
+	@echo "$(LICENSE)"
+
+.PHONY: url
+url: ## Show project homepage URL
+	@echo "$(URL)"
+
+.PHONY: source0
+source0: ## Show rpm source0 file name
+	@echo "$(SOURCE0)"
+
+$(RPM_TARBALL_PATH): *
+	git archive --format=tar.gz \
+	  --output="$@" \
+	  --prefix="$(NAME)-$(VERSION)/" \
+	  --verbose \
+	  HEAD
+
+.PHONY: tarball
+tarball: $(RPM_TARBALL_PATH) ## Build rpm tarball
+
+.PHONY: install
+install: ## Install files into rpm dest (requires env var DESTDIR)
+	@if [ -z "$(DESTDIR)" ]; then \
+	  printf "[CRITICAL] Missing env var DESTDIR\n[CRITICAL] This command is designed to be called by rpmbuild only!\n" 1>&2; \
+	  exit 1; \
+	fi
+	install --mode=755 --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/z_default.conf
+	install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
+	install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
+
+.PHONY: upload
+upload: ## Upload rpm package to Gitea repository (requires env var PKG_TOKEN)
+	@if [ -z "$(PKG_TOKEN)" ]; then \
+	  printf "[CRITICAL] Missing env var PKG_TOKEN\n[CRITICAL] This command is designed to be called by Gitea Actions only!\n" 1>&2; \
+	  exit 1; \
+	fi
+	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(OWNER):$(PKG_TOKEN)" https://git.netoik.io/api/packages/$(OWNER)/rpm/upload
diff --git a/netoik-vault.spec b/netoik-vault.spec
new file mode 100644
index 0000000..16d48b0
--- /dev/null
+++ b/netoik-vault.spec
@@ -0,0 +1,35 @@
+%define debug_package %{nil}
+
+Name: %(make name)
+Version: %(make version)
+Release: %(make release)
+Summary: %(make summary)
+License: %(make license)
+URL: %(make url)
+
+Source0: %(make source0)
+Buildarch: %(make arch)
+BuildRequires: make
+Requires: netoik-rp netoik-db vaultwarden
+
+%description
+Install the secrets vault called vaultwarden with a predefined configuration.
+
+%prep
+%autosetup -v
+
+%install
+%make_install
+
+%post
+# Restart services
+systemctl daemon-reload
+systemctl reenable nginx.service vaultwarden.service
+systemctl restart nginx.service vaultwarden.service
+
+%postun
+
+%files
+
+%changelog
+%autochangelog
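Review bot: The `curl` line in the `upload` recipe is not `@`-silenced, so make prints the fully expanded command, `$(PKG_TOKEN)` included, to the Gitea Actions log before running it, and the token is also visible in the process argument list for the lifetime of the upload. Pass the credential on stdin and let the shell read the environment variable so make never expands it into a command line: `@printf 'user = "%s:%s"\n' "$(OWNER)" "$$PKG_TOKEN" | curl --config - --fail-with-body --upload-file "$(RPM_BUILD_PATH)" https://git.netoik.io/api/packages/$(OWNER)/rpm/upload`. Separately, `VERSION`, `RELEASE` and the five `RPM_*` variables combine `=` with `$(shell …)`, so every reference re-runs git or rpm; `:=` evaluates each once at parse time. The `*` prerequisite on `$(RPM_TARBALL_PATH)` makes the tarball's freshness depend on working-tree mtimes (dotfiles excluded) while the archive is taken from `HEAD`, so the two can disagree; declaring the target `.PHONY` via `tarball`, or depending on `.git/HEAD`, would track what actually goes into the archive.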
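Review bot: `%files` is empty while `%make_install` installs six files under `%{_sysconfdir}`, `%{_unitdir}` and `%{_sbindir}`, so `rpmbuild -ba` will stop with its installed-but-unpackaged-files check unless that check is disabled outside this spec. List them explicitly, marking the three configuration files `%config(noreplace)` so an upgrade does not overwrite local edits, and keep `ovh.ini` at 0600 as the Makefile's `install --mode=600` intends. `Release: %(make release)` is a git short hash, which rpm compares as a plain version string, so successive builds of the same `Version` are not reliably ordered as upgrades; a numeric, increasing release with the hash as a suffix (for example `1.git<short-hash>`) keeps `dnf upgrade` behaving. The `%post` block could use `%systemd_post certbot-renew.timer` alongside the existing restarts so the shipped units are handled the way the systemd macros expect.
```spec
# … unchanged: preamble, %description, %prep, %install, %post, %postun …
%files
%config(noreplace) %{_sysconfdir}/nginx/conf.d/0_security.conf
%config(noreplace) %{_sysconfdir}/nginx/conf.d/z_default.conf
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/certbot/ovh.ini
%{_unitdir}/certbot-renew.service
%{_unitdir}/certbot-renew.timer
%{_sbindir}/certbot_renew
# … unchanged: %changelog …
```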