diff --git a/.github/goreleaser.yaml b/.github/goreleaser.yaml
index f7c48c2ef..de52a3cd2 100644
--- a/.github/goreleaser.yaml
+++ b/.github/goreleaser.yaml
@@ -199,3 +199,79 @@ brews:
 folder: Formula
 install: |
 bin.install "pomerium"
+
+nfpms:
+ - id: pomerium
+
+ builds:
+ - pomerium
+
+ package_name: pomerium
+ vendor: Pomerium, Inc.
+ homepage: https://www.pomerium.com
+ description: Identity Aware Proxy
+ maintainer:
+ license: Apache 2.0
+ epoch: 1
+ release: 1
+ meta: false
+
+ formats:
+ - deb
+ - rpm
+
+ bindir: /usr/sbin
+
+ empty_folders:
+ - /etc/pomerium
+
+ scripts:
+ preinstall: ospkg/preinstall.sh
+ postinstall: ospkg/postinstall.sh
+
+ config_files:
+ "ospkg/conf/config.yaml": "/etc/pomerium/config.yaml"
+
+ overrides:
+ deb:
+ dependencies:
+ - libsystemd0
+ file_name_template: "{{ .ProjectName }}_{{ .Version }}-{{ .Release }}_{{ .Arch }}"
+ rpm:
+ dependencies:
+ - systemd-libs
+ replacements:
+ arm64: aarch64
+ amd64: x86_64
+ file_name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Release }}.{{ .Arch }}"
+ - id: pomerium-cli
+
+ builds:
+ - pomerium-cli
+
+ package_name: pomerium-cli
+ vendor: Pomerium, Inc.
+ homepage: https://www.pomerium.com
+ description: Identity Aware Proxy
+ maintainer:
+ license: Apache 2.0
+ epoch: 1
+ release: 1
+ meta: false
+
+ formats:
+ - deb
+ - rpm
+
+ bindir: /usr/sbin
+
+ overrides:
+ deb:
+ replacements:
+ arm64: arm64
+ file_name_template: '{{ .ProjectName }}-cli_{{ .Version }}-{{ .Release }}_{{ .Arch }}{{ if .Arm }}{{if eq .Arm "7"}}hf{{ end }}{{ end }}'
+ rpm:
+ replacements:
+ arm64: aarch64
+ amd64: x86_64
+ file_name_template: '{{ .ProjectName }}-cli_{{ .Version }}-{{ .Release }}_{{ .Arch }}{{ if .Arm }}{{if eq .Arm "7"}}hf{{ end }}{{ end }}'
diff --git a/docs/docs/installation.md b/docs/docs/installation.md
index 22a6b43c5..5de21411f 100644
--- a/docs/docs/installation.md
+++ b/docs/docs/installation.md
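Review bot: Neither `nfpms` entry maps `ospkg/pomerium.service` into the package: the `pomerium` entry lists `scripts`, `config_files` and `empty_folders` only, so as far as this hunk shows the packages would ship without the systemd unit that this commit adds and that the docs say is required. If that is not handled elsewhere, add a mapping such as `files:` with `"ospkg/pomerium.service": "/usr/lib/systemd/system/pomerium.service"` (destination path to be confirmed for each format). Separately, the `pomerium-cli` `rpm` override reuses the deb-style `file_name_template` (underscores and the `hf` suffix), unlike the `pomerium` rpm template; it is worth making the two consistent.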
@@ -32,6 +32,13 @@ curl -L https://github.com/pomerium/pomerium/releases/download/${VERSION}/pomeri | tar -z -x ``` +### Packages + +- Supported formats: `rpm`, `deb` +- Requires `systemd` support + +Official packages can be found on our [GitHub Releases](https://github.com/pomerium/pomerium/releases) page. + ### Docker Image Pomerium utilizes a [minimal](https://github.com/GoogleContainerTools/distroless) [docker container](https://www.docker.com/resources/what-container). You can find Pomerium's images on [dockerhub](https://hub.docker.com/r/pomerium/pomerium). Pomerium can be pulled in several flavors and architectures. @@ -97,6 +104,11 @@ VERSION=[desired version] curl -L https://github.com/pomerium/pomerium/releases/download/${VERSION}/pomerium-cli-${OS}-${ARCH}.tar.gz \ | tar -z -x ``` +### Packages + +- Supported formats: `rpm`, `deb` + +Official packages can be found on our [GitHub Releases](https://github.com/pomerium/pomerium/releases) page. ### Homebrew diff --git a/ospkg/conf/config.yaml b/ospkg/conf/config.yaml new file mode 100644 index 000000000..5b6949991 --- /dev/null +++ b/ospkg/conf/config.yaml @@ -0,0 +1,22 @@ +# Required settings below. See complete documentation at https://www.pomerium.com/reference/ + +# To run on :443 set AmbientCapabilities=CAP_NET_BIND_SERVICE +# in a systemd override +address: :8443 + +authenticate_service_url: https://authenticate.localhost.pomerium.io +certificates: + - cert: /etc/pomerium/cert.pem + key: /etc/pomerium/key.pem +shared_secret: XXXXXX +cookie_secret: YYYYY +idp_provider: "google" +idp_client_id: XXXX +idp_client_secret: YYYY +idp_service_account: XXXXXX + +policy: + - from: https://yoursite.localhost.pomerium.io + to: https://yoursite.local + allowed_users: + - user@domain.com diff --git a/ospkg/pomerium.service b/ospkg/pomerium.service new file mode 100644 index 000000000..8a48665a9 --- /dev/null +++ b/ospkg/pomerium.service 
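Review bot: In the new `ospkg/conf/config.yaml`, `shared_secret`, `cookie_secret` and `idp_client_secret` are installed as placeholder strings with no comment saying they are secrets that must be replaced, so the packaged default gives an operator no cue about how to generate them or how to protect the file. Add a comment above them, for example `# Placeholders: replace with unique random values (e.g. head -c32 /dev/urandom | base64) before starting the service`. Also add a line near the top such as `# This file contains secrets; keep it readable only by root and the pomerium group`. The existing header says "Required settings below" but does not say that the values shown are non-functional samples.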
@@ -0,0 +1,11 @@
+[Unit]
+Description=Pomerium
+
+[Service]
+ExecStart=/usr/sbin/pomerium -config /etc/pomerium/config.yaml
+User=pomerium
+Group=pomerium
+Environment=AUTOCERT_DIR=/etc/pomerium/
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ospkg/postinstall.sh b/ospkg/postinstall.sh
new file mode 100644
index 000000000..8d8777ef9
--- /dev/null
+++ b/ospkg/postinstall.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+chown pomerium:pomerium -R /etc/pomerium
+chmod 750 /etc/pomerium
diff --git a/ospkg/preinstall.sh b/ospkg/preinstall.sh
new file mode 100755
index 000000000..4665e1ed0
--- /dev/null
+++ b/ospkg/preinstall.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if ! getent passwd pomerium >/dev/null; then
+ useradd --system -d / -s /sbin/nologin pomerium
+fi
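Review bot: The `[Service]` section of `ospkg/pomerium.service` drops root through `User=`/`Group=` but applies no systemd sandboxing, so a network-facing proxy process keeps a full view of the filesystem and can still gain privileges through setuid binaries. The directives below would narrow that; `ReadWritePaths=/etc/pomerium` is needed because `AUTOCERT_DIR` points there, and `NoNewPrivileges` does not conflict with the `AmbientCapabilities=CAP_NET_BIND_SERVICE` override mentioned in the sample config. Verify that pomerium writes nowhere else, and that the oldest systemd the packages target supports `ProtectSystem=strict`. The unit also sets no `After=` ordering or `Restart=` policy, which is worth deciding deliberately.

```ini
[Service]
# … unchanged: ExecStart=, User=, Group=, Environment= …
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/etc/pomerium
```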
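Review bot: In `ospkg/postinstall.sh`, `chmod 750 /etc/pomerium` tightens only the directory, so `config.yaml` (which carries `shared_secret`, `cookie_secret` and `idp_client_secret`) and any key material keep whatever mode they were packaged or created with and are protected solely by the parent directory. Set the file mode explicitly, e.g. `chmod 640 /etc/pomerium/config.yaml`. Post-install scripts normally run on upgrade as well, so the recursive `chown` will reset any ownership an administrator has chosen, and it makes the service account the owner of its own configuration; consider whether `root:pomerium` on the config file fits better. A `set -e` after the shebang would surface a failed `chown`, for instance when the `pomerium` group is missing.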
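Review bot: In `ospkg/preinstall.sh`, `useradd --system` is not told to create a group, yet `postinstall.sh` runs `chown pomerium:pomerium` and the unit sets `Group=pomerium`; whether a same-named group exists then depends on the distribution's `USERGROUPS_ENAB` default. Make it explicit with `useradd --system --user-group -d / -s /sbin/nologin pomerium`. The `/sbin/nologin` path may not exist on every Debian-family layout, where the binary is installed under `/usr/sbin`, so it is worth checking on the deb targets.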