diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..e855853
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+# Xcode
+Apple/
+
+# Rust
+target/
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
new file mode 100644
index 0000000..1ce7a9a
--- /dev/null
+++ b/.github/workflows/build-docker.yml
@@ -0,0 +1,45 @@
+name: Build Docker
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - "*"
+jobs:
+ build:
+ name: Build Docker Image
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@v2
+ with:
+ platforms: arm64
+ - name: Setup BuildKit
+ uses: docker/setup-buildx-action@v2
+ - name: Authenticate
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Extract Metadata
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/${{ github.repository }}
+ tags: |
+ type=sha
+ type=raw,value=latest,enable={{is_default_branch}}
+ - name: Build and Push
+ uses: docker/build-push-action@v4
+ with:
+ platforms: ${{ github.event_name != 'pull_request' && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..b1500bb
--- /dev/null
+++ b/Dockerfile
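Review bot: The new ignore list only excludes Xcode output and `target/`, while the Dockerfile in this same commit does `COPY . .`, so `.git/`, `.github/` and any local `.env`-style or credential files present in the checkout are copied into the builder stage's layers and into the `type=gha` build cache. The runtime image is unaffected because it is assembled from `scratch`, but the builder layers and the cache are exactly where an accidentally committed or locally present secret would persist. I would extend the list with at least `.git/`, `.github/` and `.env*`, and any editor or OS cruft the project sees, so the build context is limited to what `cargo install` actually needs.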
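Review bot: Every `uses:` line references a mutable major tag (`docker/setup-qemu-action@v2`, `docker/login-action@v2`, `docker/build-push-action@v4`, …), so a moved or compromised tag would execute inside a job that holds `packages: write` and the registry login. Pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v2`, removes the floating reference while Dependabot can still propose bumps. Note also that `packages: write` is granted for `pull_request` runs even though `push:` is gated to non-PR events; GitHub downgrades the token for fork PRs, but same-repository PR runs keep a write-capable token they never use, so consider a separate read-only job for PR builds if that matters to you.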
@@ -0,0 +1,75 @@
+FROM docker.io/library/rust:1.70.0-slim-bookworm AS builder
+
+ARG TARGETPLATFORM
+ARG LLVM_VERSION=16
+
+ENV KEYRINGS /etc/apt/keyrings
+
+RUN set -eux && \
+ mkdir -p $KEYRINGS && \
+ apt-get update && \
+ apt-get install --no-install-recommends -y gpg curl musl-dev && \
+ curl --proto '=https' --tlsv1.2 -sSf https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dearmor --output $KEYRINGS/llvm.gpg && \
+ echo "deb [signed-by=$KEYRINGS/llvm.gpg] http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list && \
+ apt-get update && \
+ apt-get install --no-install-recommends -y clang-$LLVM_VERSION llvm-$LLVM_VERSION lld-$LLVM_VERSION && \
+ ln -s clang-$LLVM_VERSION /usr/bin/clang && \
+ ln -s clang /usr/bin/clang++ && \
+ ln -s lld-$LLVM_VERSION /usr/bin/ld.lld && \
+ ln -s clang-$LLVM_VERSION /usr/bin/clang-cl && \
+ ln -s llvm-ar-$LLVM_VERSION /usr/bin/llvm-lib && \
+ ln -s lld-link-$LLVM_VERSION /usr/bin/lld-link && \
+ update-alternatives --install /usr/bin/cc cc /usr/bin/clang 100 && \
+ update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++ 100 && \
+ apt-get remove -y --auto-remove && \
+ rm -rf /var/lib/apt/lists/*
+
+RUN case $TARGETPLATFORM in \
+ "linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
+ "linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
+ *) exit 1 ;; \
+ esac && \
+ rustup target add $LLVM_TARGET
+
+ENV CC_x86_64_unknown_linux_musl=clang-$LLVM_VERSION \
+ AR_x86_64_unknown_linux_musl=llvm-ar-$LLVM_VERSION \
+ CC_aarch64_unknown_linux_musl=clang-$LLVM_VERSION \
+ AR_aarch64_unknown_linux_musl=llvm-ar-$LLVM_VERSION \
+ CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="-L/usr/lib/x86_64-linux-musl -L/lib/x86_64-linux-musl -C linker=rust-lld" \
+ CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="-L/usr/lib/aarch64-linux-musl -L/lib/aarch64-linux-musl -C linker=rust-lld" \
+ CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
+
+COPY . .
+
+RUN case $TARGETPLATFORM in \
+ "linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
+ "linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
+ *) exit 1 ;; \
+ esac && \
+ cargo install --path burrow --target $LLVM_TARGET
+
+WORKDIR /tmp/rootfs
+
+RUN set -eux && \
+ mkdir -p ./bin ./etc ./tmp ./data && \
+ mv /usr/local/cargo/bin/burrow ./bin/burrow && \
+ echo 'burrow:x:10001:10001::/tmp:/sbin/nologin' > ./etc/passwd && \
+ echo 'burrow:x:10001:' > ./etc/group && \
+ chown -R 10001:10001 ./tmp ./data && \
+ chmod 0777 ./tmp
+
+FROM scratch as runtime
+LABEL \
+ # https://github.com/opencontainers/image-spec/blob/master/annotations.md
+ org.opencontainers.image.title="burrow" \
+ org.opencontainers.image.description="Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club." \
+ org.opencontainers.image.url="https://github.com/hackclub/burrow" \
+ org.opencontainers.image.source="https://github.com/hackclub/burrow" \
+ org.opencontainers.image.vendor="hackclub" \
+ org.opencontainers.image.licenses="GPL-3.0"
+
+USER 10001:10001
+COPY --from=builder /tmp/rootfs /
+WORKDIR /data
+
+ENTRYPOINT ["/bin/burrow"]
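Review bot: `cargo install --path burrow --target $LLVM_TARGET` does not honour `Cargo.lock` unless `--locked` is given, so two builds of the same commit can resolve different dependency versions and the image pushed to ghcr.io is not reproducible from the lockfile; the line should read `cargo install --locked --path burrow --target $LLVM_TARGET`. The `COPY . .` just above runs before any `WORKDIR` is set in the builder stage, so unless the base image sets one the entire checkout lands in `/` where a repository directory could shadow a system path; a `WORKDIR /src` before the copy is a one-line fix. The key fetch `curl … | gpg --dearmor` runs under `set -eux` in `/bin/sh`, which only checks gpg's exit status, so a failed download produces an empty keyring and the error surfaces later as an apt signature failure rather than at the curl step; a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before that `RUN`, or downloading to a file and dearmoring it in a second command, makes the failure explicit. Minor: `chmod 0777 ./tmp` on a directory already owned by the only runtime user can be `chmod 1777` or dropped entirely, and `FROM scratch as runtime` should use `AS` to match the builder stage.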