diff --git a/deploy/config/edgeguard.yaml b/deploy/config/edgeguard.yaml
new file mode 100644
index 0000000..65ddbea
--- /dev/null
+++ b/deploy/config/edgeguard.yaml
@@ -0,0 +1,22 @@
+# EdgeGuard — Hauptconfig
+# Diese Datei ist als conffile markiert: dpkg fragt bei Upgrade-Konflikt nach.
+# Sensible Werte (DB-Passwörter, JWT-Secret) gehören in /etc/edgeguard/api.env (Mode 0600).
+
+api:
+  listen: "127.0.0.1:9443"
+
+database:
+  socket: "/var/run/postgresql"
+  name:   "edgeguard"
+  user:   "edgeguard"
+
+keydb:
+  addr: "127.0.0.1:6379"
+
+cluster:
+  # Eindeutige Node-ID; wird beim ersten Start aus /etc/machine-id abgeleitet
+  # falls leer.
+  node_id: ""
+
+logging:
+  level: "info"
diff --git a/packaging/debian/edgeguard-meta/DEBIAN/control b/packaging/debian/edgeguard-meta/DEBIAN/control
index 8e0af6f..3b02b32 100644
--- a/packaging/debian/edgeguard-meta/DEBIAN/control
+++ b/packaging/debian/edgeguard-meta/DEBIAN/control
@@ -8,7 +8,7 @@ Description: EdgeGuard — meta package
  third-party services (HAProxy, Angie, Squid, WireGuard, nftables).
  .
  Install this package to get a complete EdgeGuard node.
-Depends: edgeguard-api (= ${binary:Version}), edgeguard-ui (= ${binary:Version})
+Depends: edgeguard-api (= __VERSION__), edgeguard-ui (= __VERSION__)
 Section: admin
 Priority: optional
 Installed-Size: 0
diff --git a/packaging/debian/edgeguard-ui/DEBIAN/control b/packaging/debian/edgeguard-ui/DEBIAN/control
index b5ff51c..f0ff160 100644
--- a/packaging/debian/edgeguard-ui/DEBIAN/control
+++ b/packaging/debian/edgeguard-ui/DEBIAN/control
@@ -6,7 +6,7 @@ Homepage: https://edgeguard.netcell-it.de
 Description: EdgeGuard — management UI (static React build)
  React 19 + Ant Design 6 single-page admin UI for EdgeGuard.
  Served by the Angie reverse proxy bundled in edgeguard-api.
-Depends: edgeguard-api (= ${binary:Version}), angie
+Depends: edgeguard-api (= __VERSION__), angie
 Section: admin
 Priority: optional
 Installed-Size: 0
diff --git a/scripts/apt-repo/build-package.sh b/scripts/apt-repo/build-package.sh
index cefdd65..761bab3 100755
--- a/scripts/apt-repo/build-package.sh
+++ b/scripts/apt-repo/build-package.sh
@@ -1,10 +1,128 @@
-#!/usr/bin/env bash
-# Build .deb packages for EdgeGuard.
-# Usage: build-package.sh <amd64|arm64> <version>
-# Output: build/deb/edgeguard-{api,ui,meta}_<version>_<arch>.deb
+#!/bin/bash
+# EdgeGuard — .deb builder.
 #
-# TODO — Stub. Wird mit Task #3 (Spike-Build) implementiert.
+# Pattern: direct dpkg-deb, no debhelper / dh_make / fpm.
+# Mirrors mail-gateway/scripts/apt-repo/build-package.sh.
+#
+# Usage: build-package.sh <arch> [version]
+#   Arches: amd64 · arm64
+#
+# Consumes: build/<arch>/edgeguard-{api,scheduler,ctl} (from `make build-linux-<arch>`)
+# Output:   build/deb/edgeguard-api_<version>_<arch>.deb
 set -euo pipefail
-ARCH="${1:?arch required}"
-VERSION="${2:?version required}"
-echo "build-package.sh stub — would build edgeguard-{api,ui,meta}_${VERSION}_${ARCH}.deb"
+
+ARCH="${1:?Usage: $0 <arch> [version]}"
+case "$ARCH" in amd64|arm64) ;; *) echo "unknown arch: $ARCH" >&2; exit 1 ;; esac
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+VERSION="${2:-$(cat "$REPO_ROOT/VERSION" 2>/dev/null || echo 0.0.1-dev)}"
+
+OUT_DIR="$REPO_ROOT/build/deb"
+mkdir -p "$OUT_DIR"
+
+log() { echo "[build-package] $*"; }
+
+# ── edgeguard-api ────────────────────────────────────────────────────────
+build_api() {
+    local pkg="edgeguard-api"
+    local pkg_src="$REPO_ROOT/packaging/debian/$pkg"
+    local build_dir
+    build_dir="$(mktemp -d "/tmp/${pkg}-deb-XXXXXX")"
+    trap 'rm -rf "$build_dir"' RETURN
+
+    log "$pkg ($ARCH) version $VERSION"
+
+    [ -d "$REPO_ROOT/build/$ARCH" ] || {
+        log "binaries missing — run 'make build-linux-$ARCH' first" >&2; return 1; }
+
+    mkdir -p "$build_dir/DEBIAN" \
+             "$build_dir/usr/bin" \
+             "$build_dir/etc/edgeguard" \
+             "$build_dir/etc/systemd/system" \
+             "$build_dir/usr/share/edgeguard/templates"
+
+    # default config (conffile — survives upgrades, dpkg prompts on conflict)
+    install -m 0644 "$REPO_ROOT/deploy/config/edgeguard.yaml" \
+                    "$build_dir/etc/edgeguard/edgeguard.yaml"
+
+    # control with version + arch substitution
+    sed -e "s/__VERSION__/$VERSION/g" \
+        -e "s/^Architecture:.*/Architecture: $ARCH/" \
+        "$pkg_src/DEBIAN/control" > "$build_dir/DEBIAN/control"
+
+    # maintainer scripts
+    for s in preinst postinst prerm postrm; do
+        [ -f "$pkg_src/DEBIAN/$s" ] || continue
+        cp "$pkg_src/DEBIAN/$s" "$build_dir/DEBIAN/$s"
+        chmod 0755 "$build_dir/DEBIAN/$s"
+    done
+
+    [ -f "$pkg_src/DEBIAN/conffiles" ] && cp "$pkg_src/DEBIAN/conffiles" "$build_dir/DEBIAN/"
+
+    # binaries
+    for bin in edgeguard-api edgeguard-scheduler edgeguard-ctl; do
+        install -m 0755 "$REPO_ROOT/build/$ARCH/$bin" "$build_dir/usr/bin/$bin"
+    done
+
+    # systemd units
+    install -m 0644 "$REPO_ROOT/deploy/systemd/edgeguard-api.service" \
+                    "$build_dir/etc/systemd/system/"
+    install -m 0644 "$REPO_ROOT/deploy/systemd/edgeguard-scheduler.service" \
+                    "$build_dir/etc/systemd/system/"
+
+    # Installed-Size in KB (rounded up)
+    local size
+    size="$(du -sk "$build_dir" | awk '{print $1}')"
+    sed -i "s/^Installed-Size:.*/Installed-Size: $size/" "$build_dir/DEBIAN/control"
+
+    # build
+    local out="$OUT_DIR/${pkg}_${VERSION}_${ARCH}.deb"
+    dpkg-deb --root-owner-group --build "$build_dir" "$out" >/dev/null
+    log "→ $out ($(du -h "$out" | awk '{print $1}'))"
+}
+
+# ── edgeguard-ui (architecture: all) ─────────────────────────────────────
+build_ui() {
+    local pkg="edgeguard-ui"
+    local ui_dist="$REPO_ROOT/management-ui/dist"
+    if [ ! -d "$ui_dist" ] || [ -z "$(ls -A "$ui_dist" 2>/dev/null)" ]; then
+        log "$pkg: management-ui/dist/ empty — skipping (run 'make ui' first)"
+        return 0
+    fi
+    local pkg_src="$REPO_ROOT/packaging/debian/$pkg"
+    local build_dir
+    build_dir="$(mktemp -d "/tmp/${pkg}-deb-XXXXXX")"
+    trap 'rm -rf "$build_dir"' RETURN
+
+    log "$pkg version $VERSION (arch: all)"
+    mkdir -p "$build_dir/DEBIAN" "$build_dir/usr/share/edgeguard/ui"
+    sed -e "s/__VERSION__/$VERSION/g" "$pkg_src/DEBIAN/control" > "$build_dir/DEBIAN/control"
+    cp -r "$ui_dist/." "$build_dir/usr/share/edgeguard/ui/"
+    local size
+    size="$(du -sk "$build_dir" | awk '{print $1}')"
+    sed -i "s/^Installed-Size:.*/Installed-Size: $size/" "$build_dir/DEBIAN/control"
+    local out="$OUT_DIR/${pkg}_${VERSION}_all.deb"
+    dpkg-deb --root-owner-group --build "$build_dir" "$out" >/dev/null
+    log "→ $out ($(du -h "$out" | awk '{print $1}'))"
+}
+
+# ── edgeguard meta ───────────────────────────────────────────────────────
+build_meta() {
+    local pkg="edgeguard"
+    local pkg_src="$REPO_ROOT/packaging/debian/edgeguard-meta"
+    local build_dir
+    build_dir="$(mktemp -d "/tmp/${pkg}-meta-deb-XXXXXX")"
+    trap 'rm -rf "$build_dir"' RETURN
+
+    log "$pkg (meta) version $VERSION (arch: all)"
+    mkdir -p "$build_dir/DEBIAN"
+    sed -e "s/__VERSION__/$VERSION/g" "$pkg_src/DEBIAN/control" > "$build_dir/DEBIAN/control"
+    local out="$OUT_DIR/${pkg}_${VERSION}_all.deb"
+    dpkg-deb --root-owner-group --build "$build_dir" "$out" >/dev/null
+    log "→ $out ($(du -h "$out" | awk '{print $1}'))"
+}
+
+build_api
+build_ui
+build_meta