diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..494da66
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,27 @@
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+install_confproxy = $(CHROOT)/opt/confproxy
+
+CONFPROXY_URL = https://www.islonline.com/system/installer_latest_linux64
+
+systemd-units: appliance/cert-renew.service appliance/cert-renew.timer
+ cp appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(02firstboot): appliance/02firstboot.start
+ mkdir -p $(CHROOT)/usr/local/bin
+ cp $< $@
+ touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+ mkdir -p $(CHROOT)/etc/ssl
+ cp $< $@
+
+$(install_confproxy):
+ # user islcp with fixed uid 950
+ -RUN useradd --system --comment="ISL ConfProxy User" --home-dir="/opt/confproxy" --shell="/bin/sh" --no-create-home --uid 950 --user-group islcp
+ # virtual-appliance starts the build environment with sh instead of systemd as pid1; skip start service
+ RUN sh -c 'wget $(CONFPROXY_URL) -O /tmp/confproxy-installer.bin && sed -e "s:\"systemd\":\"sh\":g" -e "s:status \"Starting ISL Conference Proxy (confproxy.service)\":exit 0:" -i /tmp/confproxy-installer.bin && sh /tmp/confproxy-installer.bin'
+
+preinstall:
+
+postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(install_confproxy)
diff --git a/appliance/02firstboot.start b/appliance/02firstboot.start
new file mode 100755
index 0000000..4a7ff79
--- /dev/null
+++ b/appliance/02firstboot.start
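Review bot: The `$(install_confproxy)` recipe fetches `installer_latest_linux64` over the network and hands it straight to `sh` without checking what was downloaded, so the build's trust in this component rests entirely on the TLS connection and on whatever the vendor happens to publish at that moment; pin a version and verify a checksum before the `sh` step, e.g. `CONFPROXY_SHA256 = <expected-sha256-placeholder>` at the top and `... -O /tmp/confproxy-installer.bin && echo "$(CONFPROXY_SHA256)  /tmp/confproxy-installer.bin" | sha256sum -c - && sed ...` in the recipe. The `-` prefix on the `useradd` line silences any failure (an already-taken uid 950, say), after which the installer may create `islcp` with a different uid than the data volume expects; drop the `-` or guard the line with `id islcp >/dev/null 2>&1 ||`. `systemd-units`, `preinstall` and `postinstall` are not files and should be listed under `.PHONY:`, and the `$(02firstboot)` rule writes `$(CHROOT)/02firstboot` in addition to `$@`, which Make cannot track. `RUN` is presumably a wrapper supplied by the appliance build environment; it is not defined in this change.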
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# variables
+LABEL="DATA"
+TLD="example.com"
+HOST="isl"
+ORGNAME="ISL Online example"
+
+# start
+set -e
+
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+
+# Certificate
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+ # angepaßtes Zertifikat vorhanden (kein example)
+ if [ ! -L /etc/ssl/cert-renew.sh ]; then
+ rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+ mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+ else
+ rm -f "/etc/ssl/cert-renew.sh"
+ fi
+ ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+ echo 'Create example certificate...'
+ mkdir -p "/$LABEL/CERTS/KEYS/"
+ mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+ echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+ cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+ touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+
+rm -rf /opt/confproxy/ssl
+rm -rf /etc/ssl/nginx
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/opt/confproxy/ssl" "/opt/confproxy/ssl"
+ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
+
+/etc/ssl/cert-renew.sh
+
+systemctl restart confproxy
+
+rm /02firstboot
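Review bot: The private key written by `openssl req ... -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"` is created with whatever umask the script inherits and is never chmod'ed, so with a default umask it is likely readable by every local account on the data volume; put `umask 077` before the `openssl` call (or `chmod 600` the key afterwards) so the example key gets the same restrictive mode the renew script applies to `nginx.key`. `openssl req -x509` is also invoked without `-days`, leaving the example certificate with OpenSSL's 30-day default, and nothing in this change regenerates it later; pass an explicit `-days` so the lifetime is a deliberate choice. The comment `# angepaßtes Zertifikat vorhanden (kein example)` should be in English like the rest of the file, e.g. `# customised certificate present (not the example one)`.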
diff --git a/appliance/cert-renew.service b/appliance/cert-renew.service
new file mode 100644
index 0000000..59ec86d
--- /dev/null
+++ b/appliance/cert-renew.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh
diff --git a/appliance/cert-renew.sh b/appliance/cert-renew.sh
new file mode 100755
index 0000000..a7cb50d
--- /dev/null
+++ b/appliance/cert-renew.sh
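Review bot: `RefuseManualStop=yes` on a oneshot unit whose script performs a network `git fetch` means an operator cannot end a hung run with `systemctl stop`, and there is no `TimeoutStartSec=` in the `[Service]` section to bound it either; drop `RefuseManualStop=yes`, or keep it and add an explicit `TimeoutStartSec=` so a stuck renewal is terminated. `RefuseManualStart=no` is the default and can be omitted.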
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+HOST="isl"
+TLD="example.com"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+
+CERT_DIR=/$LABEL/CERTS
+CERT_EJABBERD=/$LABEL/etc/ssl/ejabberd
+CERT_CONFPROXY=/$LABEL/opt/confproxy/ssl
+GETREPO=""
+GETUSER=""
+GETPASS=""
+
+function getCurrentVersion() {
+# Get hash from latest revision
+ git log --format=format:%H -1
+}
+
+cd $CERT_DIR
+
+if [ -z "$GETREPO" ]; then
+ GIT_REVISION=0
+ GIT_NEW_REVISION=1
+ cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+ GIT_REVISION=0
+ git clone "https://$GETUSER:$GETPASS@$GETREPO"
+ cd $FQDN
+ GIT_NEW_REVISION=$(getCurrentVersion)
+else
+ cd $FQDN
+ GIT_REVISION=$(getCurrentVersion)
+ git commit -m "CRON: auto commit"
+ git fetch
+ git merge origin/master -m "Auto Merge"
+ GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+ echo "Update ISL Conference Proxy certificate..."
+ mkdir -p $CERT_CONFPROXY
+ cp $CERT_DIR/$FQDN/$FQDN-cert.pem $CERT_CONFPROXY/cert.pem
+ cp $CERT_DIR/$FQDN/$FQDN-chain.pem $CERT_CONFPROXY/chain.pem
+ cp $CERT_DIR/$FQDN/$FQDN-key.pem $CERT_CONFPROXY/privkey.pem
+ echo "Restart ISL Conference Proxy..."
+ systemctl is-active --quiet confproxy && systemctl restart confproxy
+
+ echo "Update Nginx certificate..."
+ mkdir -p $CERT_NGINX
+ cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem
+ cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key
+ chown nginx:nginx $CERT_NGINX/nginx.*
+ chmod 444 $CERT_NGINX/nginx.pem
+ chmod 400 $CERT_NGINX/nginx.key
+ echo "Restarting Nginx..."
+ systemctl is-active --quiet nginx && systemctl restart nginx
+fi
+
+exit 0
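Review bot: `CERT_NGINX` is never assigned anywhere in this script, so `mkdir -p $CERT_NGINX` fails and the following `cp`, `chown nginx:nginx $CERT_NGINX/nginx.*` and `chmod` lines operate on `/nginx.pem` and `/nginx.key` in the root directory; the unused `CERT_EJABBERD=` assignment near the top looks like the leftover of a rename, and given the `/etc/ssl/nginx` symlink the firstboot script creates it should presumably read `CERT_NGINX=/$LABEL/etc/ssl/nginx`. `git clone "https://$GETUSER:$GETPASS@$GETREPO"` also persists the password in the clone's `.git/config` on the data volume and exposes it in the process list for the duration of the clone; supply the credentials through a git credential helper or a root-only (mode 600) `.netrc` and clone `"https://$GETREPO"` instead. The script has no `set -e`, so a failed `cd $CERT_DIR` or `cd $FQDN` leaves `git commit`, `git merge` and the `cp` lines running in the wrong directory; add `set -euo pipefail` after the shebang and quote the comparison as `[ "$GIT_REVISION" != "$GIT_NEW_REVISION" ]`. Finally the `privkey.pem` copied into `$CERT_CONFPROXY` gets no `chmod`, unlike `nginx.key` a few lines below.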
@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 01:47:00
+Unit=cert-renew.service
+
+[Install]
+WantedBy=default.target
diff --git a/package.use b/package.use
new file mode 100644
index 0000000..c685937
--- /dev/null
+++ b/package.use
@@ -0,0 +1,2 @@
+# Nginx
+www-servers/nginx nginx_modules_stream_map nginx_modules_stream_ssl_preread
diff --git a/world b/world
new file mode 100644
index 0000000..ddf73ad
--- /dev/null
+++ b/world
@@ -0,0 +1,4 @@
+app-crypt/certbot-nginx
+dev-perl/Authen-Radius
+dev-perl/perl-ldap
+www-servers/nginx
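Review bot: `Persistent=false` combined with the once-a-week `OnCalendar=Sun *-*-* 01:47:00` means an appliance that is powered off at that moment skips certificate renewal for a whole week; `Persistent=true` makes systemd run the missed activation at the next boot. `WantedBy=default.target` works for a system timer, but `WantedBy=timers.target` is the conventional install target and keeps the unit grouped with the other timers.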