diff --git a/Dockerfile b/Dockerfile
index 8a02b13..f166840 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,36 @@
 FROM golang:1.25.6-alpine AS builder
-WORKDIR /go/src/git.zio.sh/telegram-approval-join
+WORKDIR /src
+
+# Install git for module downloads
+RUN apk add --no-cache git
+
+# Cache modules
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source and build a static, stripped binary
 COPY . .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+ go build -ldflags="-s -w" -o /bin/telegram-approval-join ./...
-RUN apk update && \
- apk add --no-cache git bash && \
- go get -d -v ./... && \
- go install
+FROM alpine:3.19
-FROM alpine:latest
+# Install CA certs for TLS
+RUN apk add --no-cache ca-certificates
-COPY --from=builder /go/bin/telegram-approval-join /usr/local/bin/telegram-approval-join
+# Set working directory where config.yaml will live
+WORKDIR /opt
-CMD ["telegram-approval-join"]
\ No newline at end of file
+# Copy binary into a standard location
+COPY --from=builder /bin/telegram-approval-join /usr/local/bin/telegram-approval-join
+
+# Create a non-root user and group with specific UID:GID and set ownership
+RUN addgroup -g 65532 app && \
+ adduser -D -H -u 65532 -G app -s /sbin/nologin app -h /opt && \
+ chown -R app:app /opt/telegram-approval-join /usr/local/bin/telegram-approval-join
+
+# Run as the created non-root user
+USER app:app
+
+ENTRYPOINT ["/usr/local/bin/telegram-approval-join"]
\ No newline at end of file
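Review bot: The `chown -R app:app /opt/telegram-approval-join /usr/local/bin/telegram-approval-join` that ends the user-creation `RUN` names `/opt/telegram-approval-join`, which nothing visible in the new final stage creates (only `/opt` via `WORKDIR` and the binary under `/usr/local/bin`), so that step should exit non-zero and fail the build. It also makes the runtime user the owner of its own executable, so a compromised process could overwrite the binary it runs; the copied binary is already executable by `app` while root-owned. I would drop the chown and end the `RUN` at the `adduser` line, keeping the binary and `/opt` owned by root. Separately, `go build -o /bin/telegram-approval-join ./...` writes to a single file and errors as soon as `./...` matches more than one package, so `.` (what the old `go install` built) looks like the safer target; confirm against the repository layout.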