diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..7a64adf
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,27 @@
+# General
+**/.DS_Store
+**/*.md
+**/LICENSE
+
+# Git
+**/.git
+**/.github
+**/.gitattributes
+**/.gitignore
+
+# Docker
+**/.dockerignore
+**/Dockerfile
+
+# Node
+**/node_modules/
+**/dist
+**/npm-debug.log
+
+# Env
+.env
+.env.*
+!.env.example
+
+# Generated certs
+.certs/
diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml
new file mode 100644
index 0000000..0854f96
--- /dev/null
+++ b/.github/workflows/build-docker.yaml
@@ -0,0 +1,52 @@
+---
+name: Build & Publish Postgis Test
+
+on:  # yamllint disable-line rule:truthy
+  schedule:
+    - cron: "0 0 1,15 * *"  # Every 2 weeks
+  push:
+    branches:
+      - main
+    tags:
+      - v*
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-publish:
+    name: Build & Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker GitHub
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata for the Docker image
+        id: meta
+        uses: docker/metadata-action@5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # set latest tag for default branch
+            type=raw,value=latest,enable={{is_default_branch}}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..58198ea
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,56 @@
+ARG NODE_VERSION=lts
+
+#
+# --- Build Stage ---
+#
+
+FROM node:${NODE_VERSION}-alpine as build
+
+# Install dependencies
+WORKDIR /app
+COPY package.json package-lock.json ./
+RUN npm install --frozen-lockfile
+
+# Copy codebase
+COPY . .
+
+#
+# --- Base Stage ---
+#
+
+FROM node:${NODE_VERSION}-alpine as base
+
+USER nobody
+
+# Copy codebase
+WORKDIR /app
+COPY --from=build --chown=nobody /app/package.json /app/index.js ./
+COPY --from=build --chown=nobody /app/node_modules node_modules
+COPY --from=build --chown=nobody /app/src src
+
+# Location of generated SSL certificates
+VOLUME /app/.certs
+
+#
+# --- App Stage ---
+#
+
+FROM base as app
+
+ENV NODE_ENV=production
+COPY --from=build --chown=nobody /app/app.js .
+
+# A comma-separated list of root domains to whitelist
+ENV WHITELIST_HOSTS=
+# A comma-separated list of root domains to blacklist
+ENV BLACKLIST_HOSTS=
+# The URL to redirect to when a blacklisted host is accessed
+ENV BLACKLIST_REDIRECT=
+# The host to enable `/stat` endpoint
+ENV HOME_DOMAIN=
+
+ENV HTTP_PORT=8080 HTTPS_PORT=8443
+EXPOSE 8080 8443
+
+ENTRYPOINT ["node"]
+CMD ["app.js"]