diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..bb5d812
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "nginx"]
+ path = nginx
+ url = git@github.com:nginx/nginx
+[submodule "nginx-acme"]
+ path = nginx-acme
+ url = git@github.com:nginx/nginx-acme
+[submodule "pebble"]
+ path = pebble
+ url = git@github.com:letsencrypt/pebble
diff --git a/nginx b/nginx
new file mode 160000
index 0000000..bc71625
--- /dev/null
+++ b/nginx
@@ -0,0 +1 @@
+Subproject commit bc71625dcca1f1cbd0db7450af853feb90ebba85
diff --git a/nginx-acme b/nginx-acme
new file mode 160000
index 0000000..e929adb
--- /dev/null
+++ b/nginx-acme
@@ -0,0 +1 @@
+Subproject commit e929adbf4f31cc27052cae78ed2eb3d664e894e1
diff --git a/nginx.conf b/nginx.conf
index 4ad0b39..85059cc 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -3,11 +3,13 @@ error_log /dev/stdout notice;
 pid /tmp/pid;
 daemon off;
+events {}
+
 http {
 resolver 8.8.8.8:53;
- acme_issuer acme_staging {
- uri https://acme-staging-v02.api.letsencrypt.org/directory;
+ acme_issuer local_pebble {
+ uri https://0.0.0.0:14000/dir;
 contact ava@sunnypup.io;
 state_path /tmp;
 accept_terms_of_service;
@@ -19,7 +21,7 @@ http {
 listen 443 ssl;
 server_name mylocalwebsite.com;
- acme_certificate acme_staging;
+ acme_certificate local_pebble;
 ssl_certificate $acme_certificate;
 ssl_certificate_key $acme_certificate_key;
@@ -28,7 +30,7 @@ http {
 ssl_certificate_cache max=2;
 location / {
- proxy_pass http://echo.sunnypup.io
+ proxy_pass http://echo.sunnypup.io;
 }
 }
diff --git a/pebble b/pebble
new file mode 160000
index 0000000..b2f382d
--- /dev/null
+++ b/pebble
@@ -0,0 +1 @@
+Subproject commit b2f382d9128addd7759eb06b060380b20d14b66d
diff --git a/pebble-config.json b/pebble-config.json
new file mode 100644
index 0000000..eba4544
--- /dev/null
+++ b/pebble-config.json
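Review bot: All three `url` entries in `.gitmodules` use the SSH form (`git@github.com:nginx/nginx`), so `git submodule update --init --recursive` in run.sh only succeeds for a user with a GitHub SSH key loaded and fails on an anonymous or CI checkout. For public upstreams the HTTPS form is the portable choice, e.g. `url = https://github.com/nginx/nginx`, and likewise for nginx-acme and pebble. The gitlink entries in this commit pin each submodule to a full commit id, which is what keeps the fetched code fixed; keep that rather than tracking a branch.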
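Review bot: The new `uri https://0.0.0.0:14000/dir;` in `acme_issuer local_pebble` uses the wildcard bind address as a destination, which is not portable and is unlikely to match a name in the Pebble test certificate that pebble-config.json loads from `pebble/test/certs/localhost/`. Prefer `uri https://localhost:14000/dir;` and, unless the block already does so outside this hunk, trust Pebble's test root with `ssl_trusted_certificate <path-to-pebble-test-root.pem>;` instead of disabling verification. The issuer block closes outside the hunk, so whether a trust setting exists cannot be seen here. The unchanged `state_path /tmp;` presumably holds the ACME account key, and a directory under the build prefix would be a safer place for it than a world-writable one.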
@@ -0,0 +1,22 @@
+{
+ "pebble": {
+ "listenAddress": "0.0.0.0:14000",
+ "managementListenAddress": "0.0.0.0:15000",
+ "certificate": "pebble/test/certs/localhost/cert.pem",
+ "privateKey": "pebble/test/certs/localhost/key.pem",
+ "httpPort": 5002,
+ "tlsPort": 5001,
+ "ocspResponderURL": "",
+ "externalAccountBindingRequired": false,
+ "retryAfter": {
+ "authz": 3,
+ "order": 5
+ },
+ "profiles": {
+ "default": {
+ "description": "The profile you know and love",
+ "validityPeriod": 7776000
+ }
+ }
+ }
+}
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..02e51e8
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+set -ex
+
+here=$(dirname $(realpath "$0"))
+
+git submodule update --init --recursive
+mkdir -p pfx/logs
+
+cd pebble
+go build ./cmd/pebble
+cd $here
+
+if ! [ -f nginx/objs/nginx ]; then
+ cd nginx
+ auto/configure --with-compat --with-http_ssl_module \
+ --add-module=$here/nginx-acme --prefix=$here/pfx
+ make -j8
+ cd $here
+fi
+
+PEBBLE_VA_ALWAYS_VALID=1 pebble/pebble -config pebble-config.json &
+sleep 2
+
+nginx/objs/nginx -c $here/nginx.conf &
+sleep 2
+
+# todo xdg open url
+sleep infinity
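Review bot: `listenAddress` and `managementListenAddress` both bind `0.0.0.0`, so the ACME endpoint and Pebble's management interface are reachable from every network the machine is attached to. run.sh also starts Pebble with `PEBBLE_VA_ALWAYS_VALID=1`, which skips challenge validation. For a local-only test CA, bind both to loopback: `"listenAddress": "127.0.0.1:14000"` and `"managementListenAddress": "127.0.0.1:15000"`. The management interface serves the test CA's root and intermediate material and has no reason to be reachable beyond the host.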
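Review bot: The script computes `here` but never changes into it before `git submodule update`, `mkdir -p pfx/logs` and `cd pebble`, so it only works when started from the repository root. Add `cd "$here"` right after the assignment and quote the later expansions (`cd "$here"`, `--prefix="$here/pfx"`) so a path with spaces does not split. Pebble and nginx are started with `&` and nothing stops them when the script is interrupted, which leaves a CA with validation disabled and an nginx listener running. Capturing each `$!` and killing those pids from a `trap ... EXIT INT TERM` would clean up. A comment above the Pebble line, such as `# PEBBLE_VA_ALWAYS_VALID=1 disables challenge validation; local testing only`, would document why the flag is set.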