diff --git a/build_arch.sh b/build_arch.sh
index 1bbd755..797fb38 100755
--- a/build_arch.sh
+++ b/build_arch.sh
@@ -2,8 +2,23 @@
 . ./common.sh
 set -e
 
+arch_install() {
+    buildah run --user 0:0 "$1" curl -Lo /tmp/package.pkg.zst "$2"
+    buildah run --user 0:0 "$1" pacman --noconfirm -U "/tmp/package.pkg.zst"
+}
+
 init_container "archlinux" "docker.io/archlinux"
+buildah run --user 0:0 "archlinux" pacman-key --init
+buildah run --user 0:0 "archlinux" pacman-key --populate
+buildah run --user 0:0 "archlinux" tee -a /etc/pacman.conf <<EOF
+[packete.gitea.sebastian-tobie.de]
+Server = https://gitea.sebastian-tobie.de/api/packages/packete/arch/packete/$$arch
+SigLevel = Required
+EOF
+curl -s https://gitea.sebastian-tobie.de/api/packages/packete/arch/repository.key | buildah run --user 0:0 "archlinux" pacman-key -a -
+buildah run --user 0:0 archlinux pacman-key --lsign-key 'packete@noreply.gitea.sebastian-tobie.de'
 
 buildah run --user 0:0 "archlinux" pacman --noconfirm -Syu nodejs git base-devel
+arch_install "$container" "https://github.com/openbao/openbao/releases/download/v${openbao_version}/bao_${openbao_version}_linux_amd64.pkg.tar.zst"
 commit "archlinux" "oci:archlinux"
 du -sh archlinux
diff --git a/build_debian.sh b/build_debian.sh
index c461109..0c707ee 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -6,7 +6,7 @@ container="debian_${version}"
 
 
 debian_install(){
-    buildah run --user _apt --workdir /tmp "$1" curl -o package.deb "$2"
+    buildah run --user _apt "$1" curl -Lo /tmp/package.deb "$2"
     buildah run --user 0:0 "$1" apt install /tmp/package.deb
 }
 
@@ -19,13 +19,14 @@ debian_selection(){
 init_container "$container" "docker.io/debian:${version}"
 buildah config -e DEBIAN_FRONTEND=noninteractive "$container"
 debian_list=$(mktemp)
-sed "s;VERSION;${version};g" repos/debian.list >"$debian_list"
+sed "s;VERSION;${version};g" repos/debian.sources >"$debian_list"
 buildah run --user 0:0 "$container" apt update
 buildah run --user 0:0 "$container" apt install -y ca-certificates
-buildah copy  "$container" "$debian_list" /etc/apt/sources.list.d/eigene.list
+buildah copy  "$container" "$debian_list" /etc/apt/sources.list.d/eigene.sources
 buildah run --user 0:0 "$container" apt update
 debian_selection "$container" selections.txt
-buildah run --user 0:0 "$container" apt install -y build-essential nodejs git git-buildpackage
+buildah run --user 0:0 "$container" apt install -y build-essential nodejs git git-buildpackage ca-certificates-st
+debian_install "$container" "https://github.com/openbao/openbao/releases/download/v${openbao_version}/bao_${openbao_version}_linux_amd64.deb"
 commit "$container" "oci:debian:${version}"
 
 du -sh debian
diff --git a/build_ubi.sh b/build_ubi.sh
index fbed0bc..a527bd7 100755
--- a/build_ubi.sh
+++ b/build_ubi.sh
@@ -17,8 +17,12 @@ add_repo(){
     buildah run --user 0:0 "$container" dnf config-manager --add-repo "${forgejo}/api/packages/${org}/${group}"
 }
 
+ubi_install(){
+    buildah run "$1" rpm -i "$2"
+}
 
 init_container "$container" "registry.access.redhat.com/ubi${version}:latest"
 buildah run --user 0:0 "$container" dnf install -y nodejs git rpm-build
+ubi_install "$container" "https://github.com/openbao/openbao/releases/download/v${openbao_version}/bao_${openbao_version}_linux_amd64.rpm"
 commit "$container" "oci:ubi:$version"
 du -sh ubi
diff --git a/cleanup.sh b/cleanup.sh
index 3b389b3..a7c82da 100755
--- a/cleanup.sh
+++ b/cleanup.sh
@@ -1,10 +1,13 @@
 #!/bin/sh
 mount=$(buildah mount $1)
 [ -z "$mount" ] && (echo "no mount given" ;exit 1)
-rm -rf "$mount"/usr/share/doc/*
-rm -rf "$mount"/usr/share/man/*
-rm -rf "$mount"/usr/share/locale/*
-rm -rf "$mount"/var/lib/apt/lists/*
-rm -rf "$mount"/var/cache/*
-rm -rf "$mount"/tmp/*
+rm -rvf "$mount"/usr/share/doc/*
+rm -rvf "$mount"/usr/share/man/*
+rm -rvf "$mount"/usr/share/locale/*
+rm -rvf "$mount"/var/lib/apt/lists/*
+rm -rvf "$mount"/var/cache/*
+rm -rvf "$mount"/tmp/*pod
+rm -rvf "$mount"/opt/openbao/tls
+rm -rvf "$mount"/etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,S.}*
+
 hardlink -potm --reflink=always $mount
diff --git a/common.sh b/common.sh
index 8b9bea4..83b7ca2 100644
--- a/common.sh
+++ b/common.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 empty_dir=$(mktemp -d)
+openbao_version=2.2.1
 
 init_container () {
     local container_name="$1"
@@ -13,11 +14,10 @@ init_container () {
 commit(){
     local container="$1"
     buildah config -e - -l - -a - -p - "$container"
-    buildah config -e PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin" "$container"
-    buildah run --user 0:0 mkdir /src
-    buildah run --user 0:0 useradd -M -u 1000 -U -g 1000 -d /src build
-    buildah run --user 0:0 chown 1000:1000 /src
-    buildah config -u build
+    buildah config -u build -e PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin" "$container"
+    buildah run --user 0:0 "$container" mkdir /src
+    buildah run --user 0:0 "$container" useradd -M -u 1000 -U -d /src build
+    buildah run --user 0:0 "$container" chown 1000:1000 /src
     buildah unshare ./cleanup.sh "$container"
     buildah commit --rm -f oci --squash "$container" "$2"
     trap - EXIT
diff --git a/repos/debian.list b/repos/debian.list
deleted file mode 100644
index eb2c120..0000000
--- a/repos/debian.list
+++ /dev/null
@@ -1 +0,0 @@
-#deb https://gitea.sebastian-tobie.de/api/packages/packete/debian VERSION certs
\ No newline at end of file
diff --git a/repos/debian.sources b/repos/debian.sources
new file mode 100644
index 0000000..2d29955
--- /dev/null
+++ b/repos/debian.sources
@@ -0,0 +1,39 @@
+Architectures: all
+Components: main
+X-Repolib-Name: gitea_sebastian-tobie_de-packete
+Suites: VERSION
+Types: deb
+URIs: https://gitea.sebastian-tobie.de/api/packages/packete/debian
+Signed-By:
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ .
+ xsBNBGfOCecBCACncmihYR/BXi0x+lYyClj9Ta4FghbL2PBUCcrro7MuF4Y67Ris
+ MXkrLmi/qWucMSVhYHtDovqtDywNHnfhK9HOAHkVgEuhPCRKvxyNmlPaeEIvGXee
+ ZdEUGFJmNneNoqvD6TiULFkmW6zv4fQDGo/vDhHJ59hBjJIV7NWoKrEulO5Qb03K
+ F7kROaTrhXECWCpBgnqmfY4uqj4jyNUA5F8ZUBMrG9H+1vhP8ONODmfUyYkE4AMe
+ eOxyAOu/YbKPHhczc33s4/f9Yu/BEwyid+S6abNK6fTDaUTUxjZ2/yL9EADyC5CA
+ u2lgX21nwkunUZtA4VK1I8AjnCXsDl+L7ZcrABEBAAHNEShEZWJpYW4gUmVnaXN0
+ cnkpwsC7BBMBCABvBYJnzgnnAgsHCZCeMF8IvS26IzUUAAAAAAAcABBzYWx0QG5v
+ dGF0aW9ucy5vcGVucGdwanMub3Jnr6n/QuqBmOcuDa6t3hOG8AIVCAIWAAIZAQKb
+ AwIeARYhBJoSBbV7U5zMSy8Kn54wXwi9LbojAABxawf/dGvIORGVgo8F2MG12F6/
+ BIr1Pugeo91D50l98Y1kL7gm7ti+U6eHSxm0am7+bLd1RPunPnp4eEjoL7HaiQz8
+ eq25Mvjsnb/D/WioRqdaOk8NTNf41Mwi74LIa8MowGOW0hWm+shaZRreBI7lfIIz
+ EqTkmBNiLjGCEnohgERO6zsoKpdEyC7FmdZT7lHRcRG4Jsawb8+Vzfeop17i3Eng
+ SkFjbTwSfCqJrUJii6meGK1Fu6PjieZtrMm24j3WTB0PYz8RLErHPB5HzdV3oYXA
+ 0M4mOfYcfKxA/SbgDT/A95N9y5ND7TJsGbOFJYuTUbYw9uSM2PjAzy/5VdgtsYuF
+ Ds7ATQRnzgnnAQgAzDJUCXKEcsD33uCHy1ZF2BVBF6PrsxKp6SvZbmOEI+fm/+/j
+ xvfcaiRDaUZRQ113mzBRpMHZtB8m4dw8gnjILNUZlrM72FemcQ9g7wqQFmaYtIw+
+ YmLyQ8Whj28tZWWKnbn8wCfbzKxYpwkaSTncXgdvSEwflUep0a7A3K3X0sSyD3X5
+ htvg3ogRRz2zCrdqH5RWUXrlWcJn9Ap2d4S7QvN32SrNsIW5JivSroZVnTZ+X/M7
+ IcIJlIE7zkJg6gc7orZN4qNKP36omLO01Jq1yq9q+WMulX3FjcwQbspjLKDRahqj
+ Z1fPhFvvFJkXttS+pSQYegu1m8H9nT/4RfxG5QARAQABwsCsBBgBCABgBYJnzgnn
+ CZCeMF8IvS26IzUUAAAAAAAcABBzYWx0QG5vdGF0aW9ucy5vcGVucGdwanMub3Jn
+ Tg9mAaQc9R+kuX0PpC0uHAKbDBYhBJoSBbV7U5zMSy8Kn54wXwi9LbojAACW5QgA
+ heAiJ3S15cumjMGOeS5kMtDKVqNLcFKCqrjv6TCk2jpD4YnW9rVvIfZvb+KGLKPC
+ T4jl4RcxGPEIqIOobEH/rrW4pV82MQxnX0sUsfl6lLAYslYwAF40AGqD0i0+KEKk
+ yj7mNx9Jl8RGrsy21+dKdxzaB+TOxvGrTYhR459ze9aRDiAdYvN9Sqmm2gjiJhfJ
+ gX0tHLaOir66Aya257avkta51MZE3mKZUmsxOqpcmr8OelqSdYjW3L8G+zqy6k74
+ PblvPzL01aBxf/88ss8lkaKMqm7oi2dWyxeaS+HJX+euMsaP+eszXMqHJI4eB3sb
+ 7rA/D58QHTTlYhGVQhvjyg==
+ =cjZM
+ -----END PGP PUBLIC KEY BLOCK-----