diff --git a/packaging/.gitignore b/packaging/.gitignore
new file mode 100644
index 000000000..c20bebf54
--- /dev/null
+++ b/packaging/.gitignore
@@ -0,0 +1,4 @@
+*.tar.gz
+*.rpm
+/results_openvox-server
+/puppetserver-*
diff --git a/packaging/README.md b/packaging/README.md
new file mode 100644
index 000000000..84560ce9c
--- /dev/null
+++ b/packaging/README.md
@@ -0,0 +1,42 @@
+# Building RPM packaging
+
+This layout is compatible with [fedpkg](https://pagure.io/fedpkg/).
+
+## Creating an SRPM
+
+First you need the source files
+
+```sh
+spectool -g openvox-server.spec
+```
+
+Then you can use fedpkg to create the SRPM:
+
+```sh
+fedpkg srpm
+```
+
+## Building locally
+
+Using mock it's easy to build locally.
+
+```sh
+fedpkg mockbuild --enable-network
+```
+
+Now you can find your files in `results_openvox-server`.
+
+By default the above builds using Fedora Rawhide, but the release can be specified:
+
+```sh
+fedpkg --release epel10 mockbuild --enable-network
+```
+
+## Building in COPR
+
+This again relies on having the source present.
+It is needed to enable network access during the build.
+
+```sh
+fedpkg copr-build ekohl/openvox8 -- --enable-net on
+```
diff --git a/packaging/openvox-server.spec b/packaging/openvox-server.spec
new file mode 100644
index 000000000..7a4dba4e4
--- /dev/null
+++ b/packaging/openvox-server.spec
@@ -0,0 +1,284 @@
+%global agentvendordir /opt/puppetlabs/puppet/lib/ruby/vendor_gems
+%global serverdir /opt/puppetlabs/server
+# TODO use datadir variable?
+%global appdir %{serverdir}/apps/puppetserver
+# TODO use name variable?
+%global etcdir %{_sysconfdir}/puppetlabs/puppetserver
+%global service puppetserver
+
+%global __requires_exclude_from .+/vendored-jruby-gems/bin/.*$
+
+Name: openvox-server
+Version: 8.10.0
+Release: 1%{?dist}
+Summary: Server component for OpenVox agents
+License: Apache-2.0
+URL: https://voxpupuli.org
+Source0: https://artifacts.voxpupuli.org/%{name}/%{version}/%{name}-%{version}.tar.gz
+Source1: openvox-server.sysusers
+
+BuildArch: noarch
+
+%if 0%{?rhel} && 0%{?rhel} < 9
+BuildRequires: systemd
+%else
+BuildRequires: systemd-rpm-macros
+%endif
+
+%if 0%{?sles_version}
+BuildRequires: sysuser-tools
+%sysusers_requires
+%else
+%{?sysusers_requires_compat}
+%endif
+
+%if 0%{?sles_version}
+%global java java-11-openjdk-headless
+%elif 0%{?rhel} >= 10 || 0%{?fedora}
+%global java jre-21-headless
+%global java_bin /usr/lib/jvm/jre-21/bin/java
+%else
+%if 0%{?rhel} == 7
+%global java jre-11-headless
+%global java_bin /usr/lib/jvm/jre-11/bin/java
+%else
+%global java jre-17-headless
+%global java_bin /usr/lib/jvm/jre-17/bin/java
+%endif
+%endif
+BuildRequires: %{java}
+
+%if 0%{?amzn}
+Requires: tzdata-java
+%endif
+
+Requires: %{java}
+# First version to include OpenFact
+Requires: openvox-agent >= 8.21.1
+
+Provides: puppetserver
+Obsoletes: puppetserver < 9
+
+%description
+Server component
+
+%prep
+# inside the tarball there's still puppetserver
+%setup -n puppetserver-%{version}
+
+%build
+%if 0%{?java_bin:1}
+sed -i 's|/usr/bin/java|%{java_bin}|' ext/redhat/puppetserver.service
+sed -i 's|java|%{java_bin}|' ext/build-scripts/install-vendored-gems.sh
+%endif
+
+%if 0%{?sles_version}
+%sysusers_generate_pre %{SOURCE1} puppet %{name}.conf
+%endif
+
+%install
+# TODO: this needs internet access
+DESTDIR=%{buildroot} bash ext/build-scripts/install-vendored-gems.sh
+
+# Clean up vendored gems
+rm -rf %{buildroot}%{serverdir}/data/puppetserver/vendored-jruby-gems/gems/*/.github
+rm -rf %{buildroot}%{serverdir}/data/puppetserver/vendored-jruby-gems/gems/gettext-*/samples
+rm -rf %{buildroot}%{serverdir}/data/puppetserver/vendored-jruby-gems/gems/locale-*/samples
+
+# Clean up shebangs - based on brp-mangle-shebangs
+%if 0%{?java_bin:1}
+java_shebang=$(realpath %{java_bin})
+%else
+java_shebang=$(realpath /usr/bin/java)
+%endif
+find %{buildroot}%{serverdir} %{buildroot}%{agentvendordir} -executable -type f ! -path '*:*' ! -path $'*\n*' \
+| file -N --mime-type -f - \
+| grep -P ".+(?=: (text/|application/javascript))" \
+| {
+while IFS= read -r line; do
+ f=${line%%:*}
+
+ # Remove the dot
+ path="${f#.}"
+
+
+ if ! read shebang_line < "$f"; then
+ echo >&2 "*** WARNING: Cannot read the first line from $f, removing executable bit"
+ ts=$(stat -c %y "$f")
+ chmod -x "$f"
+ touch -d "$ts" "$f"
+ continue
+ fi
+
+ orig_shebang="${shebang_line#\#!}"
+ if [ "$orig_shebang" = "$shebang_line" ]; then
+ echo >&2 "*** WARNING: $f is executable but has no shebang, removing executable bit"
+ ts=$(stat -c %y "$f")
+ chmod -x "$f"
+ touch -d "$ts" "$f"
+ continue
+ fi
+
+ # Trim spaces
+ while shebang="${orig_shebang// / }"; [ "$shebang" != "$orig_shebang" ]; do
+ orig_shebang="$shebang"
+ done
+ # Treat "#! /path/to " as "#!/path/to"
+ orig_shebang="${orig_shebang# }"
+
+ shebang="$orig_shebang"
+
+ if [ -z "$shebang" ]; then
+ echo >&2 "*** WARNING: $f is executable but has empty shebang, removing executable bit"
+ ts=$(stat -c %y "$f")
+ chmod -x "$f"
+ touch -d "$ts" "$f"
+ continue
+ fi
+ if [ -n "${shebang##/*}" ]; then
+ echo >&2 "*** ERROR: $f has shebang which doesn't start with '/' ($shebang)"
+ continue
+ fi
+
+ # TODO: look at $java_shebang
+ #if ! { echo "$shebang" | grep -q -P "^/(?:usr/)?(?:bin|sbin)/"; }; then
+ # continue
+ #fi
+
+ # Replace "special" env shebang:
+ # /whatsoever/env -whatever /whatever/foo → /whatever/foo
+ shebang=$(echo "$shebang" | sed -r -e 's@^(.+)/env( -[^ ]+)* /(.+)$@/\3@')
+ # /whatsoever/env -whatever foo → /whatsoever/foo
+ shebang=$(echo "$shebang" | sed -r -e 's@^(.+/)env( -[^ ]+)* (.+)$@\1\3@')
+
+ if [ "$shebang" = "/usr/bin/ruby" ] ; then
+ shebang=/opt/puppetlabs/puppet/bin/ruby
+ elif [[ "$shebang" == "${java_shebang}"* ]] ; then
+ # Something looks for the realpath but we want to use the symlink
+ shebang="%{java_bin}${shebang#${java_shebang}}"
+ fi
+
+ if [ "#!$shebang" != "#!$orig_shebang" ]; then
+ echo "mangling shebang in $path from $orig_shebang to #!$shebang"
+ ts=$(stat -c %y "$f")
+ sed -i -e "1c #!$shebang" "$f"
+ touch -d "$ts" "$f"
+ fi
+
+done
+}
+
+install -p -D -m 0644 puppet-server-release.jar %{buildroot}%{appdir}/puppet-server-release.jar
+install -p -D -m 0644 ext/system-config/services.d/bootstrap.cfg %{buildroot}%{appdir}/config/services.d/bootstrap.cfg
+
+install -p -D -m 0644 ext/ezbake.manifest %{buildroot}%{_docdir}/%{name}/ezbake.manifest
+
+install -p -D -m 0755 ext/bin/puppetserver %{buildroot}/opt/puppetlabs/bin/puppetserver
+# TODO: should rubygem-puppetserver-ca actually ship this file?
+install -p -D -m 0755 ext/cli/ca %{buildroot}%{appdir}/cli/apps/ca
+install -p -D -m 0755 ext/cli/irb %{buildroot}%{appdir}/cli/apps/irb
+install -p -D -m 0755 ext/cli/gem %{buildroot}%{appdir}/cli/apps/gem
+install -p -D -m 0755 ext/cli/prune %{buildroot}%{appdir}/cli/apps/prune
+install -p -D -m 0755 ext/cli/ruby %{buildroot}%{appdir}/cli/apps/ruby
+
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -p -D -m 0644 ext/redhat/puppetserver.service %{buildroot}%{_unitdir}/%{service}.service
+install -p -D -m 0644 ext/default %{buildroot}%{_sysconfdir}/sysconfig/%{service}
+
+mkdir -p -m 0755 %{buildroot}%{etcdir}/ca
+install -p -D -m 0644 ext/config/conf.d/auth.conf %{buildroot}%{etcdir}/conf.d/auth.conf
+install -p -D -m 0644 ext/config/conf.d/ca.conf %{buildroot}%{etcdir}/conf.d/ca.conf
+install -p -D -m 0644 ext/config/conf.d/global.conf %{buildroot}%{etcdir}/conf.d/global.conf
+install -p -D -m 0644 ext/config/conf.d/metrics.conf %{buildroot}%{etcdir}/conf.d/metrics.conf
+install -p -D -m 0644 ext/config/conf.d/puppetserver.conf %{buildroot}%{etcdir}/conf.d/puppetserver.conf
+install -p -D -m 0644 ext/config/conf.d/web-routes.conf %{buildroot}%{etcdir}/conf.d/web-routes.conf
+install -p -D -m 0644 ext/config/conf.d/webserver.conf %{buildroot}%{etcdir}/conf.d/webserver.conf
+
+install -p -D -m 0644 ext/config/request-logging.xml %{buildroot}%{etcdir}/request-logging.xml
+install -p -D -m 0644 ext/config/logback.xml %{buildroot}%{etcdir}/logback.xml
+
+install -p -D -m 0644 ext/config/services.d/ca.cfg %{buildroot}%{etcdir}/services.d/ca.cfg
+
+mkdir -p -m 0755 %{buildroot}%{serverdir}/data/puppetserver/{yaml,jars}
+
+%pre
+%if 0%{?rhel} >= 9 || 0%{?fedora}
+%sysusers_create_compat %{SOURCE1}
+%elif 0{?sles_version}
+%{name}.pre
+%service_add_pre %{service}.service
+%else
+%sysusers_create_package %{name} %{SOURCE1}
+%endif
+
+%post
+%if 0%{?rhel} || 0%{?fedora}
+%systemd_post %{service}.service
+%elif 0{?sles_version}
+%service_add_post %{service}.service
+%endif
+
+if [ "$1" = "1" ]; then
+ : # Null command in case additional_postinst_install is empty
+ #install --directory /etc/puppetlabs/puppet/ssl
+ #chown -R puppet:puppet /etc/puppetlabs/puppet/ssl
+ #find /etc/puppetlabs/puppet/ssl -type d -print0 | xargs -0 chmod 770
+fi
+
+%preun
+%if 0%{?rhel} || 0%{?fedora}
+%systemd_preun %{service}.service
+%elif 0{?sles_version}
+%service_del_preun %{service}.service
+%endif
+
+%postun
+%if 0%{?rhel} || 0%{?fedora}
+%systemd_postun_with_restart %{service}.service
+%elif 0{?sles_version}
+%service_del_postun %{service}.service
+%endif
+
+%files
+# apps
+/opt/puppetlabs/bin/puppetserver
+%{appdir}/cli/apps
+
+# service
+%{appdir}/config/services.d/bootstrap.cfg
+%{appdir}/puppet-server-release.jar
+
+%dir %attr(0775,puppet,puppet) %{serverdir}/data
+%dir %attr(0775,puppet,puppet) %{serverdir}/data/puppetserver
+%dir %attr(0700,puppet,puppet) %{serverdir}/data/puppetserver/jars
+%dir %attr(0750,puppet,puppet) %{serverdir}/data/puppetserver/yaml
+
+# TODO: LICENSE
+%doc %{_docdir}/%{name}/ezbake.manifest
+
+# vendored gems
+%agentvendordir
+%attr(0755,puppet,puppet) %{serverdir}/data/puppetserver/vendored-jruby-gems
+%exclude %{serverdir}/data/puppetserver/vendored-jruby-gems/cache
+
+# systemd
+%{_sysusersdir}/%{name}.conf
+%{_unitdir}/%{service}.service
+%config(noreplace) %{_sysconfdir}/sysconfig/%{service}
+
+# configs
+# TODO: why owned by puppet?
+%dir %attr(0750,puppet,puppet) %{etcdir}/ca
+%config(noreplace) %{etcdir}/conf.d/auth.conf
+%config(noreplace) %{etcdir}/conf.d/ca.conf
+%config(noreplace) %{etcdir}/conf.d/global.conf
+%config(noreplace) %{etcdir}/conf.d/metrics.conf
+%config(noreplace) %{etcdir}/conf.d/puppetserver.conf
+%config(noreplace) %{etcdir}/conf.d/web-routes.conf
+%config(noreplace) %{etcdir}/conf.d/webserver.conf
+%config(noreplace) %{etcdir}/logback.xml
+%config(noreplace) %{etcdir}/request-logging.xml
+%config(noreplace) %{etcdir}/services.d/ca.cfg
+
+%changelog
+%autochangelog
diff --git a/packaging/openvox-server.sysusers b/packaging/openvox-server.sysusers
new file mode 100644
index 000000000..b7f9bde20
--- /dev/null
+++ b/packaging/openvox-server.sysusers
@@ -0,0 +1 @@
+u puppet 52 "Puppet" /opt/puppetlabs/server/data/puppetserver /sbin/nologin
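Review bot: In packaging/openvox-server.spec the SLES branches of `%pre`, `%post`, `%preun` and `%postun` are written `%elif 0{?sles_version}`, without the `%` before the brace, so `sles_version` is never expanded there and the branch is either never taken or fails to parse; each should read `%elif 0%{?sles_version}`, matching the `%if 0%{?sles_version}` lines earlier in the same spec. Separately, `%attr(0755,puppet,puppet) %{serverdir}/data/puppetserver/vendored-jruby-gems` in `%files` gives the whole vendored gem tree to the `puppet` account, which is presumably the account the service runs as, so the server process would be able to rewrite code it later loads; unless something must write there at runtime, root ownership is the safer default. The gems appear to be downloaded during `%install` (the `# TODO: this needs internet access` line) and are not listed as `Source` entries, so the SRPM does not pin what ends up in the package; a comment next to that TODO saying where the versions and checksums are fixed would help whoever audits a build.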