diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 0000000..bd8ccfe
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,38 @@
+version: 2.1
+
+jobs:
+  build:
+    docker:
+      - image: circleci/ruby:2.7
+    working_directory: ~/deb
+    steps:
+      - checkout
+      - aws-cli/install
+      - run:
+          name: Download and import signing key
+          command: |
+            aws s3 cp s3://offen-secrets/signing-key.asc /tmp
+            gpg --import /tmp/signing-key.asc
+      - run:
+          name: Install fpm and dpkg-sig
+          command: |
+            gem install --no-document fpm
+            sudo apt-get install dpkg-sig
+      - run:
+          name: Package deb
+          command: ./package
+      - run:
+          name: Upload to S3
+          command: |
+            aws s3 cp *.deb s3://offen/deb/
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      - build:
+          context: AWS
+          filters:
+            branches:
+              only:
+                - master
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ca8f702
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+bin
+*.deb
diff --git a/README.md b/README.md
index 0ad86d1..f3b09f6 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,15 @@
 # deb
+
 Packaging Offen as a Debian package
+
+This repo holds a script and some configuration files to package Offen as a Debian package. It can be run as:
+
+```
+./package
+```
+
+where the version to package is defined as `OFFEN_VERSION` in the `version` file.
+
+---
+
+The packaging script is licensed under the Mozilla Public License 2.0. Offen itself and the scripts and files included in the package are licensed under the Apache 2.0 License.
diff --git a/offen.env b/offen.env
new file mode 100644
index 0000000..bd0d132
--- /dev/null
+++ b/offen.env
@@ -0,0 +1,43 @@
+# Copyright 2020 - Offen Authors <hioffen@posteo.de>
+# SPDX-License-Identifier: Apache-2.0
+
+# This file holds system-wide configuration values for Offen
+# Refer to https://docs.offen.dev/running-offen/configuring-the-application/
+# for further instructions.
+
+# You likely want to populate the following values or set them as
+# environment variables.
+
+# Use `offen secret -quiet` to generate a secret
+#
+# OFFEN_SECRET="<RANDOM_BASE64_ENCODED_SECRET>"
+
+# If you expose Offen directly to the internet without running behind a
+# reverse proxy, define a comma separated list of domains to acquire a
+# SSL certificate for using Let's Encrypt
+#
+# OFFEN_SERVER_AUTOTLS="offen.example.com,other.example.com"
+
+# If you run Offen behind a reverse proxy, you can set a port
+# here (default is 3000):
+#
+# OFFEN_SERVER_PORT="9876"
+
+# This is the SMTP configuration used for sending transactional email. If
+# not configured, Offen tries to use local sendmail.
+#
+# OFFEN_SMTP_HOST="exampleserver.com"
+# OFFEN_SMTP_PASSWORD="password"
+# OFFEN_SMTP_USER="user@exampleserver.com"
+# OFFEN_SMTP_SENDER="offen-noreply@exampleserver.com"
+
+# If you want use a database other than the default SQLite file, configure the
+# following for MySQL:
+#
+# OFFEN_DATABASE_DIALECT="mysql"
+# OFFEN_DATABASE_CONNECTIONSTRING="user:pass@tcp(localhost:3306)/offen?parseTime=true"
+#
+# or use Postgres like this:
+#
+# OFFEN_DATABASE_DIALECT="postgres"
+# OFFEN_DATABASE_CONNECTIONSTRING="postgres://user:pass@localhost:5432/offen"
diff --git a/offen.service b/offen.service
new file mode 100644
index 0000000..13b6f34
--- /dev/null
+++ b/offen.service
@@ -0,0 +1,12 @@
+# Copyright 2020 - Offen Authors <hioffen@posteo.de>
+# SPDX-License-Identifier: Apache-2.0
+
+[Unit]
+Description=Offen Web Analytics
+
+[Service]
+ExecStart=/usr/local/bin/offen
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/package b/package
new file mode 100755
index 0000000..1513d7d
--- /dev/null
+++ b/package
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# Copyright 2020 - Offen Authors <hioffen@posteo.de>
+# SPDX-License-Identifier: MPL-2.0
+
+set -eo pipefail
+
+check_deps () {
+  deps=("curl" "fpm" "gpg" "dpkg" "dpkg-sig")
+  for dep in $deps; do
+    if [ -z $(which $dep) ]; then
+      echo "This script requires $dep to be installed, cannot continue"
+      exit 1
+    fi
+  done
+}
+
+download () {
+  rm -rf bin && mkdir bin
+  curl -sSL https://get.offen.dev/$1 | tar -xvz -C bin
+  curl https://keybase.io/hioffen/pgp_keys.asc | gpg --import
+  gpg --verify bin/offen-linux-amd64.asc bin/offen-linux-amd64
+}
+
+package () {
+  stripped_version=$(echo $1 | cut -c 2-)
+  rm -f *.deb
+
+  artifact="offen_${stripped_version}_amd64.deb"
+
+  fpm \
+    --maintainer "Offen Authors <hioffen@posteo.de>" \
+    --url "https://www.offen.dev" \
+    --license "Apache-2.0" \
+    --vendor "Offen" \
+    --description "Offen is an open alternative to common web analytics tools. Gain insights while your users have full access to their data." \
+    --post-install "post_install.sh" \
+    --deb-systemd "offen.service" \
+    -p "offen_${stripped_version}_amd64.deb" \
+    -s dir -t deb -n offen -v $stripped_version \
+    bin/offen-linux-amd64=/usr/local/bin/offen \
+    offen.env=/etc/offen/
+
+  dpkg-sig --sign builder $artifact
+  echo "Successfully packaged and signed $artifact"
+}
+
+check_deps
+
+source ./version
+if [ -z "$OFFEN_VERSION" ]; then
+  echo "Expected OFFEN_VERSION to be set, got none."
+  exit 1
+fi
+
+echo "Packaging Offen at version $OFFEN_VERSION ..."
+download $OFFEN_VERSION
+package $OFFEN_VERSION
diff --git a/post_install.sh b/post_install.sh
new file mode 100644
index 0000000..e00498f
--- /dev/null
+++ b/post_install.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Copyright 2020 - Offen Authors <hioffen@posteo.de>
+# SPDX-License-Identifier: Apache-2.0
+
+mkdir -p /var/opt/offen
+mkdir -p /var/www/.cache
diff --git a/version b/version
new file mode 100644
index 0000000..ee6e023
--- /dev/null
+++ b/version
@@ -0,0 +1 @@
+OFFEN_VERSION="v0.1.5"