diff --git a/conf.d/00-default.conf b/conf.d/00-default.conf
new file mode 100644
index 0000000..4cd2df5
--- /dev/null
+++ b/conf.d/00-default.conf
@@ -0,0 +1,20 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ return 404;
+
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ server_name _;
+
+ ssl_certificate /etc/nginx/certs/default.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/default.psi.ch.key;
+
+ return 404;
+}
+
diff --git a/conf.d/panda-maintenance.conf b/conf.d/panda-maintenance.conf
new file mode 100644
index 0000000..f34d885
--- /dev/null
+++ b/conf.d/panda-maintenance.conf
@@ -0,0 +1,29 @@
+server {
+ listen 80;
+ server_name panda-maintenance.psi.ch;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name panda-maintenance.psi.ch;
+
+ ssl_certificate /etc/nginx/certs/panda-maintenance.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/panda-maintenance.psi.ch.key;
+
+
+ rewrite ^/$ /cmdbuild/ permanent;
+ location / {
+ return 404;
+ }
+
+ location /cmdbuild {
+ proxy_pass http://panda-maintenance-app:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ # https://forum.cmdbuild.org/t/cmdbuild-behind-nginx-reverse-proxy/5070/3
+ add_header Content-Security-Policy upgrade-insecure-requests always;
+ }
+}
diff --git a/docker-compose.yaml b/docker-compose.yaml
index c1a6cb5..31fce05 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
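Review bot: The catch-all `listen 443 ssl default_server` block in conf.d/00-default.conf has to complete a TLS handshake before it can `return 404`, so any client connecting by IP address or with an unknown SNI name is served the `default.psi.ch` certificate and the names it contains. If the deployed nginx is 1.19.4 or newer (the version is not visible in this commit), `ssl_reject_handshake on;` in that block refuses handshakes for unmatched names and makes `ssl_certificate`/`ssl_certificate_key` unnecessary there. A comment above the two blocks, such as `# Catch-all for requests whose Host/SNI matches no configured vhost`, would also tell the next editor why `server_name _;` is used.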
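Review bot: In conf.d/panda-maintenance.conf, `add_header Content-Security-Policy upgrade-insecure-requests always;` inside `location /cmdbuild` replaces rather than extends any `add_header` lines set at `server` or `http` level, because nginx inherits `add_header` only when the current level defines none. If the main nginx.conf (not part of this commit) sets headers such as `Strict-Transport-Security` globally, they are silently dropped for every proxied response and need to be repeated in this location, e.g. `add_header Strict-Transport-Security "max-age=31536000" always;`. Separately, `location /cmdbuild` is a plain prefix match and also covers paths that merely start with that string; `location /cmdbuild/` would confine proxying to the application path.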
@@ -259,10 +259,64 @@ services: timeout: 5s retries: 5 +# Christoph Hug , Simon Suter +# Panda-Maintenance (OpenMaint) + panda-maintenance-db: + image: postgis/postgis:17-3.5-alpine + container_name: panda-maintenance-db + volumes: + - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + restart: always + mem_limit: 4000m + mem_reservation: 2000m + healthcheck: + test: [ "CMD-SHELL", "pg_isready -U postgres" ] + interval: 30s + timeout: 10s + retries: 3 + start_period: 80s + networks: + - panda_maintenance_backend + panda-maintenance-app: + image: itmicus/cmdbuild:om-2.4-4.1.0 + container_name: panda-maintenance-app + links: + - panda-maintenance-db + depends_on: + panda-maintenance-db: + condition: service_healthy + restart: always + volumes: + - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + - POSTGRES_PORT=5432 + - POSTGRES_HOST=panda-maintenance-db + - POSTGRES_DB=openmaint + - CMDBUILD_DUMP=empty.dump.xz + - JAVA_OPTS=-Xmx6000m -Xms3000m + mem_limit: 6000m + mem_reservation: 3500m + healthcheck: + test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ] + interval: 30s + timeout: 10s + retries: 5 + start_period: 120s + networks: + - backend + - panda_maintenance_backend + + networks: public: backend: hedgedoc_backend: woodpecker_backend: it_strategy_dashboard_backend: + panda_maintenance_backend:
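Review bot: `POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW}` on both new services interpolates to an empty string when the variable is missing from the environment or `.env`, and Compose only prints a warning; `- POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW:?PANDA_MAINTENANCE_DB_PW is not set}` makes `docker compose up` fail instead. `panda-maintenance-app` also connects as the `postgres` superuser; if the cmdbuild image needs that only for the initial restore of `empty.dump.xz` (not visible here), a dedicated role owning `openmaint` would limit what a compromised web application can do in the database. Separately, `-Xmx6000m` equals `mem_limit: 6000m`, so heap plus metaspace and thread stacks can exceed the container limit and the app is OOM-killed and restarted under `restart: always`; keep the heap clearly below the limit, e.g. `-Xmx4500m` (constructed value).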