diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 00000000..626827a1
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,47 @@
+name: Docker
+
+on:
+ schedule:
+ - cron: '25 12 * * *'
+ push:
+ branches: [ main ]
+ tags: [ 'v*.*.*' ] # Publish semver tags as releases.
+ pull_request:
+ branches: [ main ]
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: eugeny/warpgate
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+ with:
+ file: docker/Dockerfile
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 00000000..a2fc55cb
--- /dev/null
+++ b/docker/Dockerfile
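Review bot: `actions/checkout@v2` on the first step is the only action in this job referenced by a mutable tag; the three docker/* actions below it are pinned to full commit SHAs. A tag can be retargeted at different content while a commit SHA cannot, so pinning checkout the same way, `uses: actions/checkout@<full-commit-sha> # v2`, keeps the job's supply-chain posture consistent across all four steps. Separately, the `schedule` trigger combined with `push: ${{ github.event_name != 'pull_request' }}` means the daily cron publishes an image from `main` to ghcr.io rather than only building it; if that nightly publish is intended, a short comment on the `schedule:` entry saying so would save the next reader from wondering whether it was an oversight.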
@@ -0,0 +1,37 @@
+FROM rust:bullseye AS build
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN curl -fsSL https://deb.nodesource.com/setup_17.x | bash - \
+ && apt-get update \
+ && apt-get install -y nodejs openjdk-17-jdk \
+ && rm -rf /var/lib/apt/lists/* \
+ && npm install -g yarn \
+ && cargo install just
+
+COPY . /opt/warpgate
+
+RUN cd /opt/warpgate \
+ && just yarn \
+ && just openapi \
+ && just yarn build \
+ && cargo build --release
+
+FROM debian:bullseye
+LABEL maintainer=heywoodlh
+
+COPY --from=build /opt/warpgate/target/release/warpgate /usr/local/bin/warpgate
+COPY docker/run.sh /run.sh
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update \
+ && apt-get install -y openssl \
+ && rm -rf /var/lib/apt/lists/*
+
+EXPOSE 2222
+EXPOSE 8888
+
+VOLUME /data
+
+ENTRYPOINT ["/run.sh"]
diff --git a/docker/run.sh b/docker/run.sh
new file mode 100755
index 00000000..69b4234c
--- /dev/null
+++ b/docker/run.sh
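Review bot: The build stage's `curl -fsSL https://deb.nodesource.com/setup_17.x | bash -` executes a script fetched at build time with no pin or checksum, and both `FROM rust:bullseye` and `FROM debian:bullseye` use mutable tags, so what ends up in the image depends on whatever those remote sources serve on the day it is built. Pinning the base images by digest, `FROM debian:bullseye@sha256:<digest>`, and either vendoring the nodesource setup step or installing Node from a checksummed tarball would make the build reproducible and reviewable. The runtime stage also has no `USER` instruction, so `/run.sh` and the `warpgate` process it starts (listening on the exposed 2222 and 8888) run as root; a dedicated unprivileged user is worth considering, with the caveat that `/data` is a `VOLUME` and its ownership would need handling for bind mounts. `COPY . /opt/warpgate` copies the entire build context into the build stage, so whether `.git` or local files with secrets land in that layer depends on a `.dockerignore` that is not visible in this diff.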
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+[[ -n ${ADMIN_USER} ]] || ADMIN_USER='admin'
+[[ -n ${ADMIN_PASS} ]] || ADMIN_PASS='admin'
+
+[[ -e /data/web-admin.certificate.pem ]] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /data/web-admin.key.pem -out /data/web-admin.certificate.pem -subj "/C=PE/ST=Lima/L=Lima/O=Acme Inc. /OU=IT Department/CN=acme.com"
+
+password_hash=$(echo -n "${ADMIN_PASS}" | warpgate hash | cat)
+
+
+[[ -f '/data/warpgate.yaml' ]] || cat << EOF > /data/warpgate.yaml
+---
+targets:
+ - name: web-admin
+ allow_roles:
+ - "warpgate:admin"
+ web_admin: {}
+users:
+ - username: ${ADMIN_USER}
+ credentials:
+ - type: password
+ hash: "${password_hash}"
+ roles:
+ - "warpgate:admin"
+roles:
+ - name: "warpgate:admin"
+recordings:
+ enable: true
+ path: /data/recordings
+web_admin:
+ enable: true
+ listen: "0.0.0.0:8888"
+ certificate: /data/web-admin.certificate.pem
+ key: /data/web-admin.key.pem
+database_url: "sqlite:/data/db"
+ssh:
+ listen: "0.0.0.0:2222"
+ keys: /data/ssh-keys
+ client_key: "./client_key"
+retention: 7days
+EOF
+
+[[ -L /etc/warpgate.yaml ]] || ln -s /data/warpgate.yaml /etc/warpgate.yaml
+
+warpgate $@
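Review bot: When `ADMIN_PASS` is not supplied, the `|| ADMIN_PASS='admin'` fallback hashes a well-known credential into the persistent `/data/warpgate.yaml` for an account holding `warpgate:admin`, while the same generated config binds the admin UI to `0.0.0.0:8888`; the first start should refuse to proceed (or generate a random password) rather than persist that default. The script also has no `set -euo pipefail`, so a failing `warpgate hash` (masked further by the trailing `| cat`) writes `hash: ""` into the config, and `${ADMIN_USER}` is interpolated into the YAML unquoted, so a value such as `no` or `123` would be re-typed by the parser. The hash is recomputed on every start even though it is only consumed when the config file does not yet exist, so the credential handling belongs inside the first-run branch. Finally, `warpgate $@` on the last line should be `exec warpgate "$@"` so the server replaces the shell as PID 1 and receives stop signals directly, with arguments containing spaces preserved.

```bash
#!/usr/bin/env bash
set -euo pipefail

ADMIN_USER="${ADMIN_USER:-admin}"

# … unchanged: self-signed certificate generation …

if [[ ! -f /data/warpgate.yaml ]]; then
  # First start only: refuse to persist a well-known default password.
  : "${ADMIN_PASS:?ADMIN_PASS must be set to create the initial admin account}"
  password_hash="$(printf '%s' "${ADMIN_PASS}" | warpgate hash)"
  cat << EOF > /data/warpgate.yaml
# … unchanged: config body; quote the interpolated username as below …
  - username: "${ADMIN_USER}"
EOF
fi

# … unchanged: /etc/warpgate.yaml symlink …

exec warpgate "$@"
```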