diff --git a/.gitea/workflows/build-publish.yml b/.gitea/workflows/build-publish.yml new file mode 100644 index 0000000..b22583a --- /dev/null +++ b/.gitea/workflows/build-publish.yml 
@@ -0,0 +1,140 @@ +name: build-and-publish + +on: + push: + branches: [master] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-22.04 + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install build deps + run: | + sudo apt-get update -y + sudo apt-get install -y --no-install-recommends \ + git curl wget ca-certificates dpkg-dev fakeroot \ + build-essential gnupg dpkg-sig + + - name: Build NGINX (run.sh new + build + postfix) + run: | + sudo touch /.dockerenv + sudo bash build/run.sh new + sudo bash build/run.sh build + sudo bash build/run.sh postfix + + - name: Package .deb + id: pkg + run: | + set -e + PKG_NAME="twiy" + VERSION=$(nginx -v 2>&1 | awk -F'/' '{print $2}') + ARCH="amd64" + PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}" + DEB_DIR="${PKG_DIR}/DEBIAN" + + sudo mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \ + "${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \ + "${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \ + "${PKG_DIR}/hostdata/default/public_html" \ + "${PKG_DIR}/usr/nginx_lua" + + sudo cp /usr/sbin/nginx "${PKG_DIR}/usr/sbin/" + sudo cp -R /nginx/* "${PKG_DIR}/nginx/" || true + sudo cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/" + sudo cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true + sudo cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true + + for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do + sudo cp "$lib" "${PKG_DIR}/usr/lib/" || true + done + + sudo mkdir -p "${DEB_DIR}" + sudo tee "${DEB_DIR}/control" >/dev/null < + Description: Nginx L7 DDoS Protection (The-World-Is-Yours) built by RAWeb CI. 
+ EOF + + sudo tee "${DEB_DIR}/postinst" >/dev/null <<'EOF' + #!/bin/bash + useradd -r -d /usr/local/nginx -s /bin/false nginx || true + systemctl daemon-reload || true + EOF + sudo chmod 755 "${DEB_DIR}/postinst" + + sudo dpkg-deb --build "${PKG_DIR}" + DEB_FILE="/opt/${PKG_NAME}_${VERSION}_${ARCH}.deb" + sudo mv "${PKG_DIR}.deb" "${DEB_FILE}" + echo "deb_file=${DEB_FILE}" >> "$GITHUB_OUTPUT" + echo "version=${VERSION}" >> "$GITHUB_OUTPUT" + echo "pkg_name=${PKG_NAME}" >> "$GITHUB_OUTPUT" + ls -la "${DEB_FILE}" + sha256sum "${DEB_FILE}" + + - name: Import GPG key + sign .deb + env: + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} + DEB_FILE: ${{ steps.pkg.outputs.deb_file }} + run: | + set -e + export GNUPGHOME="$(mktemp -d)" + chmod 700 "$GNUPGHOME" + echo "$GPG_PRIVATE_KEY" | gpg --batch --import + # Pre-cache passphrase via gpg-agent so dpkg-sig can sign non-interactively + echo "allow-loopback-pinentry" >> "$GNUPGHOME/gpg-agent.conf" + echo "pinentry-mode loopback" >> "$GNUPGHOME/gpg.conf" + gpg-connect-agent reloadagent /bye >/dev/null + # Sign with dpkg-sig (preferred) — falls back to debsigs if dpkg-sig missing + if command -v dpkg-sig >/dev/null; then + sudo --preserve-env=GNUPGHOME,GPG_PASSPHRASE dpkg-sig \ + -k "$GPG_KEY_ID" \ + -g "--batch --pinentry-mode loopback --passphrase $GPG_PASSPHRASE" \ + --sign builder "$DEB_FILE" + fi + # Verify the signature is present (informational) + dpkg-sig --verify "$DEB_FILE" || true + + - name: Publish to apt.julio.al/${{ secrets.NEXUS_REPO }} + env: + NEXUS_URL: ${{ secrets.NEXUS_URL }} + NEXUS_REPO: ${{ secrets.NEXUS_REPO }} + NEXUS_USER: ${{ secrets.NEXUS_USER }} + NEXUS_PASS: ${{ secrets.NEXUS_PASS }} + DEB_FILE: ${{ steps.pkg.outputs.deb_file }} + PKG_NAME: ${{ steps.pkg.outputs.pkg_name }} + run: | + set -e + # Best-effort: delete an existing same-named component so re-publishes overwrite cleanly + COMPONENT_ID=$(curl -s -u 
"${NEXUS_USER}:${NEXUS_PASS}" \ + "${NEXUS_URL}/service/rest/v1/components?repository=${NEXUS_REPO}" \ + | python3 -c " + import sys, json + d=json.load(sys.stdin) + for c in d.get('items', []): + if c.get('name') == '${PKG_NAME}': + print(c.get('id')); break + " || true) + if [ -n "$COMPONENT_ID" ]; then + echo "Removing previous ${PKG_NAME} component ${COMPONENT_ID}" + curl -s -u "${NEXUS_USER}:${NEXUS_PASS}" -X DELETE \ + "${NEXUS_URL}/service/rest/v1/components/${COMPONENT_ID}" + fi + + HTTP=$(curl -s -o /tmp/upload.out -w '%{http_code}' \ + -u "${NEXUS_USER}:${NEXUS_PASS}" \ + -X POST \ + -F "apt.asset=@${DEB_FILE}" \ + "${NEXUS_URL}/service/rest/v1/components?repository=${NEXUS_REPO}") + echo "Upload HTTP: $HTTP" + [ "$HTTP" = "204" ] || [ "$HTTP" = "201" ] || { cat /tmp/upload.out; exit 1; } + echo "Published $(basename "$DEB_FILE") to ${NEXUS_URL}/repository/${NEXUS_REPO}/"
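Review bot: The signing step puts the key passphrase on the dpkg-sig command line (`-g "--batch --pinentry-mode loopback --passphrase $GPG_PASSPHRASE"`), so while gpg runs it is readable from `/proc/*/cmdline` by any process on the runner, and because the command is launched through `sudo` the full argument list, passphrase included, lands in the host's sudo/auth log by default; write it to a 0600 file inside the temporary `GNUPGHOME` and use `-g "--batch --pinentry-mode loopback --passphrase-file $GNUPGHOME/pp"` instead. The imported private key also stays in that `mktemp -d` directory after the job, which matters here because `sudo touch /.dockerenv` suggests this runs directly on a persistent self-hosted host rather than a throwaway container; export the path via `$GITHUB_ENV` and add a final step with `if: always()` that removes it (`shred -u`/`rm -rf`). Note too that the comment promises a debsigs fallback that does not exist, and `dpkg-sig --verify "$DEB_FILE" || true` lets an unsigned .deb go on to the publish step: drop the `|| true` so a missing signature fails the job before upload.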