diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d55b48a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,36 @@
+FROM golang:1.25.6-alpine AS builder
+
+WORKDIR /src
+
+# Install git for module downloads
+RUN apk add --no-cache git
+
+# Cache modules
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source and build a static, stripped binary
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+ go build -ldflags="-s -w" -o /bin ./...
+
+FROM alpine:3.19
+
+# Install CA certs for TLS
+RUN apk add --no-cache ca-certificates
+
+# Set working directory where config.yaml will live
+WORKDIR /opt
+
+# Copy binary into a standard location
+COPY --from=builder /bin/telegram-join-approval-nuzzles /usr/local/bin/telegram-approval-join
+
+# Create a non-root user and group with specific UID:GID and set ownership
+RUN addgroup -g 65532 app && \
+ adduser -D -H -u 65532 -G app -s /sbin/nologin app -h /opt && \
+ chown -R app:app /opt /usr/local/bin/telegram-approval-join
+
+# Run as the created non-root user
+USER app:app
+
+ENTRYPOINT ["/usr/local/bin/telegram-approval-join"]
\ No newline at end of file
diff --git a/scripts/sync.sh b/scripts/sync.sh
index 2714172..058fe58 100755
--- a/scripts/sync.sh
+++ b/scripts/sync.sh
@@ -31,7 +31,7 @@ NEW_COMMIT=$(git -C "$SUBMODULE_DIR" rev-parse HEAD 2>/dev/null || echo "")
 # ── 2. Wipe and re-copy the submodule source ──────────────────────────────────
 echo "→ Copying telegram-approval-join source to root..."
 # Clean up directories that will be replaced
-rm -rf "$ROOT_DIR/cmd" "$ROOT_DIR/internal" "$ROOT_DIR/Dockerfile" "$ROOT_DIR/go.mod" "$ROOT_DIR/go.sum" "$ROOT_DIR/config.yaml.example"
+rm -rf "$ROOT_DIR/cmd" "$ROOT_DIR/internal" "$ROOT_DIR/go.mod" "$ROOT_DIR/go.sum" "$ROOT_DIR/config.yaml.example"
 # Copy source files, excluding .git and keeping patches/ and scripts/
 rsync -a --stats --exclude='.git' --exclude='internal/telegram-approval-join' \
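Review bot: The final `chown -R app:app /opt /usr/local/bin/telegram-approval-join` hands the executable to the same unprivileged account that runs it, so a process running as `app` can rewrite its own binary; leave the binary root-owned and narrow the step to `chown app:app /opt`. Both `FROM` lines pin by tag only, and `alpine:3.19` is an older release branch, so it is worth confirming it still receives security fixes and pinning each base by digest (`FROM alpine:<tag>@sha256:<digest>`). `COPY . .` in the builder stage will also pick up a local `config.yaml` if one exists and no `.dockerignore` excludes it (none is visible in this diff), which would leave whatever credentials it holds in the builder layer and build cache.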
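Review bot: Dropping `"$ROOT_DIR/Dockerfile"` from the `rm -rf` list protects the root Dockerfile only until the `rsync -a` that follows; if the submodule tree still contains a Dockerfile, that copy overwrites the one this commit adds unless it is excluded. The rsync command continues past the end of the hunk, so its remaining `--exclude` arguments are not visible here. If `--exclude='/Dockerfile'` is not among them, add it so the image recipe is not silently replaced by the upstream copy on each sync.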