diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..6faa122
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+.git
+tmp
diff --git a/.drone.yml b/.drone.yml
index 99d873f..ff98812 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -202,3 +202,76 @@ steps:
 - uname -r
 - curl --version
 - curl -sS -X POST https://godocs.io/git.dotya.ml/${DRONE_REPO}/refresh -o /dev/null
+
+---
+kind: pipeline
+type: docker
+name: container
+
+platform:
+ os: linux
+ arch: amd64
+
+node:
+ r: as
+
+trigger:
+ event: [push, pull_request, cron, tag]
+
+steps:
+ - name: hadolint
+ pull: always
+ image: ghcr.io/hadolint/hadolint:v2.12.0-alpine
+ commands:
+ - hadolint --version
+ - hadolint Containerfile
+ when:
+ ref:
+ - refs/heads/development
+ - "refs/heads/feature-**"
+ - "refs/pull/**"
+ - "refs/tags/**"
+ event:
+ exclude: [cron]
+
+ - name: kaniko-build
+ pull: always
+ image: docker.io/immawanderer/drone-kaniko:linux-amd64
+ settings:
+ dockerfile: Containerfile
+ context: .
+ args:
+ - BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+ - VCS_REF=${DRONE_COMMIT_SHA:0:8}
+ when:
+ ref:
+ - "refs/heads/feature-**"
+ - "refs/pull/**"
+ event:
+ exclude: [cron]
+
+ - name: kaniko publish
+ pull: always
+ image: docker.io/immawanderer/drone-kaniko:linux-amd64
+ settings:
+ dockerfile: Containerfile
+ context: .
+ args:
+ - BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+ - VCS_REF=${DRONE_COMMIT_SHA:0:8}
+ tags:
+ - latest
+ - linux-amd64
+ - ${DRONE_COMMIT_SHA:0:8}
+ - ${DRONE_TAG}
+ - ${DRONE_TAG}-linux-amd64
+ - ${DRONE_TAG}-g${DRONE_COMMIT_SHA:0:8}
+ repo: immawanderer/mt-${DRONE_REPO_NAME}
+ username: immawanderer
+ password:
+ from_secret: dh_token
+ when:
+ ref:
+ include:
+ - "refs/tags/**"
+...
diff --git a/.hadolint.yaml b/.hadolint.yaml
new file mode 100644
index 0000000..9b70062
--- /dev/null
+++ b/.hadolint.yaml
@@ -0,0 +1,3 @@
+---
+failure-threshold: warning
+...
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8885e0e..2d0bc74 100644
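Review bot: The new ignore list covers only `.git` and `tmp`, yet the go-build stage added in this same commit does `COPY . /go/pcmt`, so everything else in the checkout enters the build context and that intermediate layer; the justfile's `watch-tw` recipe runs `npm i`, which presumably leaves a `node_modules` tree that would then be shipped into the Go build stage on every local build. Adding `node_modules` (and any local env or editor files that live in the checkout) here keeps the context small and avoids pulling untracked local files into the image. A one-line comment such as `# keep the build context limited to what go build needs` would document the intent.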
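Review bot: The `BUILD_DATE="$(date -u ...)"` entries under `args` in both kaniko steps depend on shell command substitution, but Drone expands only `${...}` references in the YAML, so unless the drone-kaniko plugin evaluates its `args` through a shell the build arg, and with it the `org.label-schema.build-date` label the Containerfile derives from it, ends up as the literal `$(date ...)` text; `BUILD_DATE=${DRONE_BUILD_STARTED}` (epoch seconds, supplied by Drone) would be a shell-free alternative. The Containerfile also declares `ARG VERSION` but neither kaniko step passes it, so CI images always take the `${VERSION:-prod}` fallback, which may be intended but deserves a comment next to `args:`. Both steps reference `docker.io/immawanderer/drone-kaniko:linux-amd64`, a floating tag on a third-party plugin image that is handed the `dh_token` secret in the publish step; pinning it by digest would keep the publish toolchain immutable.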
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -18,3 +18,7 @@ repos:
 - id: go-test-mod
 - id: go-build-mod
 - id: golangci-lint-mod
+ - repo: https://git.dotya.ml/wanderer/hadolint-pre-commit
+ rev: v0.0.1
+ hooks:
+ - id: hadolint-container
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..a87f4ec
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,50 @@
+# syntax=docker/dockerfile-upstream:master-labs
+FROM docker.io/library/alpine:3.18.0 as dhall-cache
+ENV XDG_CACHE_HOME=/var/cache
+ENV DHALL_VERSION=1.42.0
+
+ADD https://git.dotya.ml/mirre-mt/pcmt/raw/branch/development/exampleConfig.dhall /tmp
+ADD https://github.com/dhall-lang/dhall-haskell/releases/download/${DHALL_VERSION}/dhall-${DHALL_VERSION}-x86_64-linux.tar.bz2 /tmp/dhall.tar.bz2
+
+WORKDIR /tmp
+
+RUN tar xf /tmp/dhall.tar.bz2 \
+ && mv /tmp/bin/dhall /usr/bin \
+ && echo "Normalise exampleConfig.dhall (saving the result in cache)" \
+ && time dhall --file /tmp/exampleConfig.dhall
+
+
+FROM docker.io/library/golang:1.20.4-alpine3.17 as go-build
+ARG VERSION
+
+COPY . /go/pcmt
+
+WORKDIR /go/pcmt
+
+RUN CGO_ENABLED=0 \
+ GOLDFLAGS="-s -w -X main.version=${VERSION:-prod}" \
+ go build -v .
+
+
+FROM docker.io/immawanderer/scratch-cacerts:linux-amd64
+
+COPY --from=dhall-cache /var/cache/dhall-haskell /root/.cache/dhall-haskell
+COPY --from=dhall-cache /var/cache/dhall /root/.cache/dhall
+COPY --from=dhall-cache /tmp/exampleConfig.dhall /etc/pcmt/config.dhall
+COPY --from=go-build /go/pcmt/pcmt /bin/pcmt
+
+ARG BUILD_DATE
+ARG VCS_REF
+
+ENV XDG_CACHE_HOME=/root/.cache
+
+LABEL description="Password Compromise Monitoring Tool" \
+ org.label-schema.build-date=$BUILD_DATE \
+ org.label-schema.vcs-url="https://git.dotya.ml/mirre-mt/pcmt.git" \
+ org.label-schema.vcs-ref=$VCS_REF \
+ org.label-schema.license=AGPL-3.0-only
+
+ENTRYPOINT ["/bin/pcmt"]
+CMD ["-help"]
+
+# vim: set ts=4 ft=dockerfile fenc=utf-8 ff=unix :
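Review bot: `rev: v0.0.1` pins the new `hadolint-container` hook to a tag on a self-hosted repository, and a tag can be moved, so the code this hook runs on every commit is not immutable; pre-commit accepts a full commit sha in `rev`, which pins it properly while `pre-commit autoupdate` can still bump it later. A short comment above the `repo:` line naming what the hook does, e.g. `# lints Containerfile with hadolint on commit`, would help readers who see only this file.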
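Review bot: `GOLDFLAGS` in the go-build stage's `RUN` is not a variable `go build` reads, so `-X main.version=${VERSION:-prod}` is never applied and the `VERSION` build arg has no effect on the binary; pass it explicitly, e.g. `go build -v -ldflags "-s -w -X main.version=${VERSION:-prod}" .`. Both `ADD` instructions fetch remote content with no integrity pinning: the dhall release tarball is unpacked and executed in the dhall-cache stage as whatever the URL serves that day, and `exampleConfig.dhall` is pulled from the moving `development` branch of what appears to be this very repository, so `COPY exampleConfig.dhall /tmp/` from the build context would be deterministic, while the tarball can use the labs frontend's `ADD --checksum=sha256:<DHALL_TARBALL_SHA256> ...`; the frontend itself (`dockerfile-upstream:master-labs`) should likewise be pinned to a release tag. The final stage never sets `USER` and places the dhall cache under `/root/.cache`, so unless the `scratch-cacerts` base sets a non-root user itself, pcmt runs as root; a numeric `USER` plus an `XDG_CACHE_HOME` directory owned by that user would close that gap.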
diff --git a/Dockerfile b/Dockerfile
new file mode 120000
index 0000000..5240dc0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1 @@
+Containerfile
\ No newline at end of file
diff --git a/justfile b/justfile
index af86f81..1ec5104 100644
--- a/justfile
+++ b/justfile
@@ -1,3 +1,18 @@
+cmd := "podman"
+cfile := "Containerfile"
+tag := "docker.io/immawanderer/pcmt:testbuild"
+args := "build -t "+ tag + " " + buildargs + " --no-cache --pull -f " + cfile
+buildargs := "--build-arg VERSION=" + vcs_ref + " --build-arg BUILD_DATE=" + build_date + " --build-arg VCS_REF=" + vcs_ref
+kanikoargs := "run -it -w=" + kanikowdir + " -v $(pwd):" + kanikowdir + ":z " + kanikoexecutorimg + " -f=" + cfile + " -c=" + kanikocontext + " --use-new-run --snapshotMode=redo --no-push " + buildargs
+kanikoexecutorimg := "gcr.io/kaniko-project/executor:v1.9.0-debug"
+kanikowdir := "/src"
+kanikocontext := "."
+vcs_ref := "$(git rev-parse --short HEAD || echo dev)"
+build_date := "$(date -u +\"%Y-%m-%dT%H:%M:%SZ\")"
+hadolintimg := "docker.io/hadolint/hadolint"
+hadolinttag := "v2.12.0-alpine"
+hadolintargs := "run --rm -i -v $(pwd):/src:z --workdir=/src"
+
 # run tailwindcss tool in watch mode.
 watch-tw:
 npm i
@@ -53,4 +68,16 @@ dbstop:
 svgo:
 svgo -i templates/svg-*.tmpl
+
+# check Containerfile with hadolint.
+hadolint:
+ {{cmd}} {{hadolintargs}} {{hadolintimg}}:{{hadolinttag}} < {{cfile}}
+
+# build Container with kaniko.
+kaniko:
+ {{cmd}} {{kanikoargs}}
+
+# build container with podman.
+container:
+ {{cmd}} {{args}}
+
 # vim: set ts=2 ft=just syntax=make fenc=utf-8 ff=unix :
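Review bot: `kanikoargs` in the first justfile hunk starts the executor with `run -it -w=...` but, unlike `hadolintargs`, never passes `--rm`, so every `just kaniko` run leaves a stopped executor container behind that still references the `$(pwd)` mount; `run --rm -it -w=` would match the hadolint recipe, and `-t` is likely to fail or warn when the recipe runs without a terminal attached, so dropping or guarding it is worth considering. The new variable block is undocumented and uses forward references (`args` consumes `buildargs`, which consumes `vcs_ref`, all defined later); a line such as `# build args shared by the podman and kaniko recipes; vcs_ref and build_date are expanded by the shell when a recipe runs.` above `buildargs` would explain both that and the deliberate `$(...)` quoting.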