diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
new file mode 100644
index 0000000..005c752
--- /dev/null
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,45 @@
+name: docker build and push
+
+on:
+ push:
+ branches: ["main"]
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/reduxisu/quantumsolver
+ tags: |
+ type=raw,value=latest
+ type=sha,prefix=,format=short
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..465b100
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM python:3.12-slim
+
+RUN groupadd --system quantumsolver \
+ && useradd --system --gid quantumsolver --no-create-home quantumsolver
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY --chown=quantumsolver:quantumsolver app/ app/
+COPY --chown=quantumsolver:quantumsolver gunicorn.conf.py .
+
+# gunicorn.conf.py binds a unix socket here in addition to TCP 27100
+RUN mkdir -p /run/quantumsolver && chown quantumsolver:quantumsolver /run/quantumsolver
+
+USER quantumsolver
+
+EXPOSE 27100
+
+CMD ["gunicorn", "--config", "gunicorn.conf.py", "app:app"]
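Review bot: In `.github/workflows/docker.yaml`, every `uses:` line references a mutable tag (`actions/checkout@v6`, `docker/login-action@v3`, `docker/build-push-action@v6` and the others), while the job holds `packages: write` and hands `secrets.GITHUB_TOKEN` to the login step. If any of those tags is moved upstream, the new code runs with push rights to `ghcr.io/reduxisu/quantumsolver`. Pinning each action to a full commit SHA with the version kept in a trailing comment removes that dependency on tag integrity, e.g. `uses: docker/login-action@<full-commit-sha> # v3`. The checkout step could also set `persist-credentials: false` under `with:`, since nothing later in the job appears to need git credentials.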
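Review bot: In the `Dockerfile`, the two `COPY --chown=quantumsolver:quantumsolver` lines make the application code and `gunicorn.conf.py` writable by the same account that serves requests, although the comment in the file indicates only `/run/quantumsolver` has to be writable at runtime. Leaving the code root-owned keeps a compromised worker from rewriting what it runs: `COPY app/ app/` and `COPY gunicorn.conf.py .` are enough, provided the file modes in the build context let other users read them. Separately, `FROM python:3.12-slim` is a mutable tag and the workflow in this commit publishes `latest` on every push to `main`, so a digest pin such as `FROM python:3.12-slim@sha256:<digest>` would tie each published image to a known base. Whether `requirements.txt` pins versions or hashes cannot be seen from this diff and is worth checking alongside.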