diff --git a/conf/pep/config.js.j2 b/conf/pep/config.js.j2
new file mode 100644
index 0000000..cd3be8e
--- /dev/null
+++ b/conf/pep/config.js.j2
@@ -0,0 +1,67 @@
+export default { config };
+
+var config = {
+    "pep-credentials" : "{{pep_credentials}}",
+    "hosts" : [
+        {
+            "host": "cdn-pep",
+            "audience" : "d4science-cdn",
+            "allow-basic-auth" : false,
+            "paths" : [
+                {
+                    "name" : "Default Resource",
+                    "path" : "^/config/d4s-cdn/.+$",
+                    "methods" : [
+                        {
+                            "method" : "GET",
+                            "scopes" : ["get"]
+                        }
+                    ]
+                },
+                {
+                    "name" : "Default Resource",
+                    "path" : "^/visuals/d4s-cdn/.*$",
+                    "methods" : [
+                        {
+                            "method" : "GET"
+                        }
+                    ]
+                },
+                {
+                    "name" : "Default Resource",
+                    "path" : "^/d4s-cdn/.+$",
+                    "methods" : [
+                        {
+                            "method" : "GET"
+                        }
+                    ]
+                },
+                {
+                    "name" : "Default Resource",
+                    "path" : "^/services/d4s-cdn/.*$",
+                    "methods" : [
+                        {
+                            "method" : "OPTIONS"
+                        },
+                        {
+                            "method" : "POST"
+                        },
+                        {
+                            "method" : "HEAD"
+                        },
+                        {
+                            "method" : "PUT"
+                        },
+                        {
+                            "method" : "DELETE"
+                        },
+                        {
+                            "method" : "GET"
+                        }
+                    ]
+                }
+            ]
+        }
+    ]
+}
+
diff --git a/conf/router/default.conf b/conf/router/default.conf
new file mode 100644
index 0000000..5eb9ba8
--- /dev/null
+++ b/conf/router/default.conf
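Review bot: Only the `^/config/d4s-cdn/.+$` entry carries `"scopes" : ["get"]`; the other three paths, including `^/services/d4s-cdn/.*$` which admits POST, PUT and DELETE, have no `scopes` key at all, so whether a token needs any particular scope to write is decided by how pep.js treats a missing key, which this diff does not show — if absent means "no scope check", writes end up less constrained than reads. State the requirement on the mutating methods explicitly, e.g. `{ "method" : "DELETE", "scopes" : ["delete"] }`, or add a comment above `"paths"` recording that an entry without `scopes` accepts any valid token for audience `d4science-cdn`. Separately, `export default { config };` precedes `var config = {...}`: under standard ES module semantics the object literal is built when that statement runs, while `config` is still `undefined` through hoisting, so an importer would see `{ config: undefined }`; unless njs evaluates this differently, move `export default { config };` to the last line of the file. The rendered `conf/pep/config.js` holds `pep_credentials` in clear, so it must stay out of version control.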
@@ -0,0 +1,71 @@
+server {
+
+    listen *:80;
+    listen [::]:80;
+
+    # this is the internal Docker DNS, cache only for 30s
+    resolver 127.0.0.11 valid=30s;
+
+    server_name cdn.dev.d4science.org;
+
+    location /health {
+        add_header Content-Length 0;
+        add_header Content-Type "text/plain";
+        return 200;
+    }
+
+    #add one such location for all new cdn islands
+    location ~ /.*/d4s-cdn/ {
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin '*';
+            add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header Content-Type text/plain;
+            add_header Access-Control-Allow-Headers "Content-Type, Authorization, Accept, Origin";
+            add_header Content-Length 0;
+            return 204;
+        }
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization, Accept, Origin";
+
+        # use dynamic setting of upstream so that router can be started also when not all backend cdn services are deployed
+        set $upstream cdn-pep;
+        proxy_pass http://$upstream;
+    }
+
+    location ~* .*/d4s-vre-manager/ {
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin '*';
+            add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header Content-Type text/plain;
+            add_header Access-Control-Allow-Headers "Content-Type, Authorization, Accept, Origin";
+            add_header Content-Length 0;
+            return 204;
+        }
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization, Accept, Origin";
+
+        set $upstream d4s-vre-manager-pep;
+        proxy_pass http://$upstream;
+    }
+
+    location ~* .*/d4s-navigation/ {
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin '*';
+            add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header Content-Type text/plain;
+            add_header Access-Control-Allow-Headers "Content-Type, Authorization, Accept, Origin";
+            add_header Content-Length 0;
+            return 204;
+        }
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization, Accept, Origin";
+
+        set $upstream d4s-navigation-pep;
+        proxy_pass http://$upstream;
+    }
+
+
+}
diff --git a/conf/secrets.yaml b/conf/secrets.yaml
new file mode 100644
index 0000000..33eaadf
--- /dev/null
+++ b/conf/secrets.yaml
@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.2;AES256;cdn123
+34616537363232663933616666383734356430656137666236636235623539323431306165306663
+3035373262386465613561343036386233316466333032350a636533613530393766666163653562
+66326664323665613262343737363637353632616464643636666438626662336437306263633338
+3266303461393731610a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
diff --git a/conf/service/auth.json.j2 b/conf/service/auth.json.j2
new file mode 100644
index 0000000..2115009
--- /dev/null
+++ b/conf/service/auth.json.j2
@@ -0,0 +1,13 @@
+{
+
+    "keycloakurl" : "https://accounts.dev.d4science.org",
+    "keycloakrealm" : "d4science",
+
+    "clientid" : "d4science-example-wp",
+    "client_redirect_uri" : "http://d4science-cdn-public/d4s-cdn/auth/oidc-callback",
+
+    "user-manager-client-id" : "orchestrator",
+    "user-manager-client-secret" : "{{ user_manager_client_secret }}"
+
+}
+
diff --git a/conf/service/d4s-cdn.json b/conf/service/d4s-cdn.json
new file mode 100644
index 0000000..deb862f
--- /dev/null
+++ b/conf/service/d4s-cdn.json
@@ -0,0 +1,8 @@
+{
+    "d4science_realm" : "d4science",
+    "d4science_iam_base" : "https://accounts.dev.d4science.org/auth",
+    "d4science_cdn_base" : "http://cdn.dev.d4science.org",
+    "gateways" : {
+        "/gcube/devsec" : ["d4science-example-wp"]
+    }
+}
diff --git a/images/Dockerfile b/images/Dockerfile
new file mode 100644
index 0000000..6adba2f
--- /dev/null
+++ b/images/Dockerfile
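Review bot: The server listens only on port 80 with no TLS listener or redirect, while the same change lets the `Authorization` header through CORS and configures `http://` OIDC callback and base URLs, so bearer tokens and authorization codes cross the wire in clear unless a TLS terminator sits in front of `cdn-router-dev`; add the TLS `server` block here or record the external terminator in the comment above `resolver`. `location ~ /.*/d4s-cdn/` requires at least one path segment before `/d4s-cdn/`, so the PEP's `^/d4s-cdn/.+$` path in config.js.j2 is unreachable through this router, and all three regex locations are unanchored (this one alone case-sensitive, `~` versus `~*`) so `/d4s-navigation/` anywhere in a URI selects that island; `location ~* ^(/[^/]+)?/d4s-cdn/ {` is the likely intent. The `add_header` directives lack `always`, so 401/403 answers from the PEP go out without CORS headers and a browser reports a CORS failure instead of the auth error; `add_header Access-Control-Allow-Origin * always;` (and likewise for the other two) fixes that. No `proxy_set_header Host $host;` or `X-Forwarded-*` is passed, so the PEP and the application see `Host: cdn-pep`, which matters if the redirect URI or token audience is derived from the request.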
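Review bot: `client_redirect_uri` is `http://d4science-cdn-public/d4s-cdn/auth/oidc-callback`, an internal-looking hostname over plain HTTP that matches no service in this stack (`swarm.yaml` defines `cdn-router-dev`, `cdn-pep` and `d4s-cdn`), so the OIDC redirect can only work if Keycloak has that exact URI registered and the user's browser can resolve it; the public `https://cdn.dev.d4science.org/d4s-cdn/auth/oidc-callback`, or a value templated from the same variable as `d4science_cdn_base`, looks like what is meant. The rendered `conf/service/auth.json` carries `user_manager_client_secret` in clear and, per `site.yaml`, is written next to the repo sources; add it to `.gitignore` in this change. `"keycloakurl"`/`"keycloakrealm"` duplicate `d4science_iam_base`/`d4science_realm` in `d4s-cdn.json`; a one-line comment naming which pair the service reads for token validation would save the next maintainer a search.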
@@ -0,0 +1,12 @@
+### 1. Get muscle classic
+FROM nubisware/muscle-classic:latest
+
+# 2. Install applicative fibers
+ADD .muscle/ /root/.muscle/
+RUN git fiber install -p G3 -n d4s-cdn \
+    && git service create -n cdn -w auth -w utils -w config -w error -w utils -w inspect -w resources -w d4s-cdn --debug \
+    && rm -rf /root/.muscle
+
+WORKDIR cdn
+EXPOSE 8984
+ENTRYPOINT ./start.sh
diff --git a/site.yaml b/site.yaml
new file mode 100644
index 0000000..71a1525
--- /dev/null
+++ b/site.yaml
@@ -0,0 +1,25 @@
+---
+- hosts: localhost
+  vars_files:
+    - conf/secrets.yaml
+  vars:
+    infrastructure: "local"
+    dry: false
+  tasks:
+    - name: Patch PEP config
+      template:
+        src: "conf/pep/config.js.j2"
+        dest: "conf/pep/config.js"
+
+    - name: Patch service auth config
+      template:
+        src: "conf/service/auth.json.j2"
+        dest: "conf/service/auth.json"
+
+    - name: Start swarm
+      docker_stack:
+        name: 'cdn-{{ infrastructure }}'
+        state: present
+        compose:
+          - "swarm.yaml"
+      when: dry is not defined or not dry|bool
diff --git a/swarm.yaml b/swarm.yaml
new file mode 100644
index 0000000..7d29ff9
--- /dev/null
+++ b/swarm.yaml
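Review bot: `ADD .muscle/ /root/.muscle/` creates an image layer holding whatever is in `.muscle/`, and the `rm -rf /root/.muscle` in the following `RUN` only hides it in a later layer, so that content (presumably git/fiber credentials or configuration, given `git fiber install` consumes it) stays recoverable from the published image history; do the install from a BuildKit bind mount instead, e.g. `RUN --mount=type=bind,source=.muscle,target=/root/.muscle git fiber install -p G3 -n d4s-cdn \` followed by the existing `git service create` line, and drop both the `ADD` and the `rm`. `FROM nubisware/muscle-classic:latest` is unpinned; pin to a tag plus `@sha256:` digest so rebuilds are reproducible and a replaced upstream image cannot slip in. The container runs as root (no `USER`) and `ENTRYPOINT ./start.sh` is shell form, so `start.sh` runs under `/bin/sh -c` and does not receive SIGTERM from `docker stop`; prefer `ENTRYPOINT ["./start.sh"]` and a non-root user if the service does not need root. `ADD` should be `COPY` when no archive extraction or URL fetch is intended.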
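Review bot: The two `template` tasks render `pep_credentials` and `user_manager_client_secret` into plain files `conf/pep/config.js` and `conf/service/auth.json` inside the working tree, with no `mode:` so they get default umask permissions, and nothing in this change keeps them out of git; add `mode: '0600'` to both tasks and a `.gitignore` entry for the two rendered files (the vaulted `conf/secrets.yaml` stays encrypted, the rendered outputs do not). The guard `when: dry is not defined or not dry|bool` has a dead first clause because `dry` is always set under `vars:`; `when: not dry|bool` says the same thing. A comment on the `Start swarm` task noting that the rendered files are then shipped into the stack as Docker configs would make the secret-handling chain visible to whoever edits this play next.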
@@ -0,0 +1,81 @@
+version: '3.6'
+
+services:
+
+  cdn-router-dev:
+    image: nginx:stable-alpine
+    networks:
+      - cdn-network
+    ports:
+      - "80:80"
+    deploy:
+      mode: replicated
+      replicas: 2
+      restart_policy:
+        condition: on-failure
+        delay: 10s
+        window: 120s
+    configs:
+      - source: nginx_router_conf
+        target: /etc/nginx/templates/default.conf.template
+
+  cdn-pep:
+    image: nginx:stable-alpine
+    networks:
+      - cdn-network
+    deploy:
+      mode: replicated
+      replicas: 2
+      restart_policy:
+        condition: on-failure
+        delay: 10s
+        window: 120s
+    configs:
+      - source: cdn_pep_conf
+        target: /etc/nginx/templates/default.conf.template
+      - source: cdn_pep_baseconf
+        target: /etc/nginx/nginx.conf
+      - source: cdn_pep
+        target: /etc/nginx/pep.js
+      - source: cdn_pepconfig
+        target: /etc/nginx/config.js
+
+
+  d4s-cdn:
+    image: nubisware/d4s-cdn
+    networks:
+      - cdn-network
+    deploy:
+      mode: replicated
+      replicas: 2
+      restart_policy:
+        condition: on-failure
+        delay: 10s
+        window: 200s
+    configs:
+      - source: cdn_conf
+        target: /opt/app/cdn/conf/d4s-cdn.json
+      - source: cdn_auth_conf
+        target: /opt/app/cdn/conf/auth.json
+
+networks:
+  cdn-network:
+
+configs:
+  nginx_router_conf:
+    file: ./conf/router/default.conf
+
+  cdn_pep_conf:
+    file: ./conf/pep/default.conf
+  cdn_pep_baseconf:
+    file: ./conf/pep/nginx.conf
+  cdn_pep:
+    file: ./conf/pep/pep.js
+  cdn_pepconfig:
+    file: ./conf/pep/config.js
+
+  cdn_conf:
+    file: ./conf/service/d4s-cdn.json
+  cdn_auth_conf:
+    file: ./conf/service/auth.json
+
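Review bot: `cdn_pepconfig` (`./conf/pep/config.js`, rendered with `pep_credentials`) and `cdn_auth_conf` (`./conf/service/auth.json`, rendered with `user_manager_client_secret`) are declared as Docker `configs`, which the engine stores unencrypted in the swarm raft log and returns from `docker config inspect`, whereas `secrets` are encrypted at rest and only mounted into the task; move those two entries to a top-level `secrets:` section and per-service `secrets:` lists, keeping the same mount paths if your engine accepts absolute `target` paths for secrets (it does for `docker service create`; verify for `stack deploy`, otherwise read them from `/run/secrets/`). Traffic between `cdn-router-dev`, `cdn-pep` and `d4s-cdn` is plain HTTP on `cdn-network` carrying bearer tokens, and an overlay network is not encrypted by default; set `driver_opts: encrypted: "true"` on it or record the decision not to in a comment. `image: nubisware/d4s-cdn` has no tag and `nginx:stable-alpine` is a floating tag; pin both by digest so two replicas started at different times run the same code.

```yaml
  cdn-pep:
    # … unchanged: image, networks, deploy, configs (minus cdn_pepconfig) …
    secrets:
      - source: cdn_pepconfig
        target: /etc/nginx/config.js

  d4s-cdn:
    # … unchanged: image, networks, deploy, configs (minus cdn_auth_conf) …
    secrets:
      - source: cdn_auth_conf
        target: /opt/app/cdn/conf/auth.json

networks:
  cdn-network:
    driver_opts:
      encrypted: "true"

# … unchanged: configs section, with cdn_pepconfig and cdn_auth_conf removed …

secrets:
  cdn_pepconfig:
    file: ./conf/pep/config.js
  cdn_auth_conf:
    file: ./conf/service/auth.json
```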