diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d22e8f975..02ee9c3f8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,7 +15,11 @@ variables:
 stages:
   - frontend:build
   - backend:build
+  - test
   - docker:build
+  - prepare release
+  - upload
+  - release
   
 node dependencies:
   stage: frontend:build
@@ -34,6 +38,11 @@ node dependencies:
     - install -v -T -m 0644 "${SSH_KNOWN_HOSTS}" ~/.ssh/known_hosts
     - install -v -T -m 0400 "${SSH_DEPLOY_KEY}" ~/.ssh/deploy && echo "IdentityFile ~/.ssh/deploy" >> ~/.ssh/config; 
     - install -v -T -m 0644 "${FONTAWESOME_NPM_AUTH_FILE}" /etc/fontawesome-token
+    - |
+      if [ -n "${REGISTRY_AUTHFILE}" ]; then
+        mkdir -p ~/.docker
+        install -v -T -m 0400 "${REGISTRY_AUTHFILE}" ~/.docker/config.json
+      fi
   artifacts:
     paths:
       - node-dependencies.nar.xz
@@ -81,37 +90,127 @@ frontend:
   retry: 2
   interruptible: true
 
-backend:
+uniworx:lib:uniworx:
   stage: backend:build
   script:
     - xzcat frontend.nar.xz | nix-store --import
-    - nix -L build -o result .#uniworxBackend
-    - cp -pr --reflink=auto -L result/bin .
-    - nix-store --export $(nix-store -qR result) | xz > backend.nar.xz
+    - nix -L build -o result .#uniworx:lib:uniworx
+    - nix-store --export $(nix-store -qR result) | xz > uniworx:lib:uniworx.nar.xz
   before_script: *nix-before
   needs:
     - job: frontend
       artifacts: true
   artifacts:
     paths:
-      - backend.nar.xz
+      - uniworx:lib:uniworx.nar.xz
     name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
     expire_in: "1 day"
   retry: 2
   interruptible: true
 
+uniworx:exe:uniworx:
+  stage: backend:build
+  script:
+    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
+    - nix -L build -o result .#uniworx:exe:uniworx
+    - nix-store --export $(nix-store -qR result) | xz > uniworx:exe:uniworx.nar.xz
+  before_script: *nix-before
+  needs:
+    - job: uniworx:lib:uniworx
+      artifacts: true
+  artifacts:
+    paths:
+      - uniworx:exe:uniworx.nar.xz
+    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
+    expire_in: "1 day"
+  retry: 2
+  interruptible: true
+
+uniworx:exe:uniworx-wflint:
+  stage: backend:build
+  script:
+    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
+    - nix -L build -o result .#uniworx:exe:uniworx-wflint
+    - nix-store --export $(nix-store -qR result) | xz > uniworx:exe:uniworx-wflint.nar.xz
+  before_script: *nix-before
+  needs:
+    - job: uniworx:lib:uniworx
+      artifacts: true
+  artifacts:
+    paths:
+      - uniworx:exe:uniworx-wflint.nar.xz
+    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
+    expire_in: "1 day"
+  retry: 2
+  interruptible: true
+
+uniworx:exe:uniworxdb:
+  stage: backend:build
+  script:
+    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
+    - nix -L build -o result .#uniworx:exe:uniworxdb
+    - nix-store --export $(nix-store -qR result) | xz > uniworx:exe:uniworxdb.nar.xz
+  before_script: *nix-before
+  needs:
+    - job: uniworx:lib:uniworx
+      artifacts: true
+  artifacts:
+    paths:
+      - uniworx:exe:uniworxdb.nar.xz
+    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
+    expire_in: "1 day"
+  retry: 2
+  interruptible: true
+
+uniworx:exe:uniworxload:
+  stage: backend:build
+  script:
+    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
+    - nix -L build -o result .#uniworx:exe:uniworxload
+    - nix-store --export $(nix-store -qR result) | xz > uniworx:exe:uniworxload.nar.xz
+  before_script: *nix-before
+  needs:
+    - job: uniworx:lib:uniworx
+      artifacts: true
+  artifacts:
+    paths:
+      - uniworx:exe:uniworxload.nar.xz
+    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
+    expire_in: "1 day"
+  retry: 2
+  interruptible: true
+
+check:
+  stage: test
+  script:
+    - xzcat frontend.nar.xz | nix-store --import
+    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
+    - nix -L flake check
+  before_script: *nix-before
+  needs:
+    - job: frontend
+      artifacts: true
+    - job: uniworx:lib:uniworx
+      artifacts: true
+  retry: 2
+  interruptible: true
+
 demo docker:
   stage: docker:build
   script:
-    - xzcat backend.nar.xz | nix-store --import
+    - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import
     - nix -L build -o result .#uniworxDemoDocker
+    - nix-store --export $(nix-store -qR result) > uniworx-demo.nar # image is already compressed, no need for xz
     - cp -pr --reflink=auto -L result uniworx-demo.tar.gz
   before_script: *nix-before
   needs:
-    - job: backend
+    - job: uniworx:exe:uniworx
       artifacts: true
+    - job: check
+      artifacts: false
   artifacts:
     paths:
+      - uniworx-demo.nar
       - uniworx-demo.tar.gz
     name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
     expire_in: "1 day"
@@ -121,17 +220,82 @@ demo docker:
 docker:
   stage: docker:build
   script:
-    - xzcat backend.nar.xz | nix-store --import
+    - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import
     - nix -L build -o result .#uniworxDocker
+    - nix-store --export $(nix-store -qR result) > uniworx.nar # image is already compressed, no need for xz
     - cp -pr --reflink=auto -L result uniworx.tar.gz
   before_script: *nix-before
   needs:
-    - job: backend
+    - job: uniworx:exe:uniworx
       artifacts: true
+    - job: check
+      artifacts: false
   artifacts:
     paths:
+      - uniworx.nar
       - uniworx.tar.gz
     name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
     expire_in: "1 day"
   retry: 2
   interruptible: true
+
+parse-changelog:
+  stage: prepare release
+  needs:
+    - job: node dependencies
+      artifacts: true
+  rules:
+    - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/
+      when: on_success
+  before_script: *nix-before
+  script:
+    - xzcat node-dependencies.nar.xz | nix-store --import
+    - nix -L run .#jqChangelogJson -- -r '.versions[0].version' > .current-version
+    - nix -L run .#jqChangelogJson -- -r '.versions[0].body' > .current-changelog.md
+  artifacts:
+    paths:
+      - .current-version
+      - .current-changelog.md
+    name: "changelog-${CI_COMMIT_SHORT_SHA}"
+    expire_in: "1 day"
+  retry: 2
+  interruptible: true
+
+upload docker:
+  stage: upload
+  script:
+    - nix-store --import < uniworx.nar
+    - nix -L run .#pushUniworxDocker
+  before_script: *nix-before
+  needs:
+    - job: docker
+      artifacts: true
+  rules:
+    - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/
+      when: on_success
+
+upload demo docker:
+  stage: upload
+  script:
+    - nix-store --import < uniworx-demo.nar
+    - nix -L run .#pushUniworxDemoDocker
+  before_script: *nix-before
+  needs:
+    - job: demo docker
+      artifacts: true
+  rules:
+    - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/
+      when: on_success
+
+release:
+  variables:
+    GIT_STRATEGY: none
+  stage: release
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  rules:
+    - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/
+      when: on_success
+  before_script:
+    - export VERSION="$(cat .current-version)"
+  script:
+    - release-cli create --name "${VERSION}" --tag-name $CI_COMMIT_TAG --description .current-changelog.md
diff --git a/flake.nix b/flake.nix
index 141118d40..7f9ffa33d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -106,6 +106,7 @@
             haskell-nix.overlay
             (import ./nix/uniworx { inherit inputs frontendSource backendSource; })
             (import ./nix/docker { inherit self; })
+            (import ./nix/parse-changelog.nix {})
           ];
           haskellFlake = pkgs.uniworx.flake {};
 
@@ -116,25 +117,16 @@
             [[ -n "''${1}" ]] && shift
             ${pkgs.skopeo}/bin/skopeo ''${@} --insecure-policy copy docker-archive://${dockerImage} ''${target}
           '';
-          uniworxBackend = pkgs.symlinkJoin {
-            name = "uniworx";
-            paths = [
-              haskellFlake.packages."uniworx:exe:uniworx"
-              haskellFlake.packages."uniworx:exe:uniworxdb"
-              haskellFlake.packages."uniworx:exe:uniworxload"
-              haskellFlake.packages."uniworx:exe:uniworx-wflint"
-            ];
-          };
       in {
         packages = haskellFlake.packages // {
-          inherit (pkgs) uniworxNodeDependencies uniworxWellKnown uniworxFrontend uniworxDemoDocker uniworxDocker ciDocker;
-          inherit uniworxBackend;
+          inherit (pkgs) uniworxNodeDependencies uniworxWellKnown uniworxFrontend uniworxDemoDocker uniworxDocker ciDocker changelogJson;
         };
         apps = haskellFlake.apps // {
           pushUniworxDemoDocker = flake-utils.lib.mkApp { drv = mkPushDocker "uniworx-demo" pkgs.uniworxDemoDocker; };
           pushUniworxDocker = flake-utils.lib.mkApp { drv = mkPushDocker "uniworx" pkgs.uniworxDocker; };
           pushCIDocker = flake-utils.lib.mkApp { drv = mkPushDocker "nix-unstable" pkgs.ciDocker; };
           calculateMaterializedSha = flake-utils.lib.mkApp { drv = pkgs.uniworx.stack-nix.passthru.calculateMaterializedSha; exePath = ""; };
+          jqChangelogJson = flake-utils.lib.mkApp { drv = pkgs.jqChangelogJson; };
         };
         checks = haskellFlake.checks // {
           uniworxFrontend = pkgs.uniworxFrontend.check;
diff --git a/nix/parse-changelog.nix b/nix/parse-changelog.nix
new file mode 100644
index 000000000..62dc6102d
--- /dev/null
+++ b/nix/parse-changelog.nix
@@ -0,0 +1,13 @@
+{}: prev: final: rec {
+  changelogJson = prev.runCommand "changelog.json" {
+  } ''
+    ln -s ${final.uniworxNodeDependencies}/lib/node_modules ./node_modules
+    export PATH="${final.uniworxNodeDependencies}/bin:$PATH"
+
+    changelog-parser ${../CHANGELOG.md} > $out
+  '';
+
+  jqChangelogJson = prev.writeShellScriptBin "jq-changelog" ''
+    exec -- ${final.jq}/bin/jq $@ < ${changelogJson}
+  '';
+}