diff --git a/.gitea/workflows/docker-build.yml b/.gitea/workflows/docker-build.yml
new file mode 100644
index 0000000..9c04b42
--- /dev/null
+++ b/.gitea/workflows/docker-build.yml
@@ -0,0 +1,70 @@
+# docker-build.yml
+
+---
+name: Docker Build
+
+on:
+ push:
+ branches:
+ - "**"
+ pull_request:
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ env:
+ # Bring secrets into the job env so we can check them from shell steps
+ REGISTRY: ${{ secrets.REGISTRY }}
+ REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+ REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Show git status (debug)
+ run: |
+ echo "GIT dir: $(pwd)"
+ git --version
+ git rev-parse --abbrev-ref HEAD || true
+ git remote -v || true
+
+ - name: Set IMAGE env (uses $GITHUB_SHA)
+ run: |
+ if [ -n "${REGISTRY}" ]; then
+ echo "IMAGE=${REGISTRY}/vitrify.me:${GITHUB_SHA}" >> $GITHUB_ENV
+ else
+ echo "IMAGE=vitrify.me:${GITHUB_SHA}" >> $GITHUB_ENV
+ fi
+ echo "IMAGE computed: $IMAGE"
+
+ - name: Set up QEMU (for multi-platform builds)
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to registry (only if secrets present)
+ if: ${{ secrets.REGISTRY && secrets.REGISTRY_USER && secrets.REGISTRY_PASSWORD }}
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ secrets.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+
+ - name: Build (and push only if logged in)
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./Dockerfile
+ platforms: linux/amd64,linux/arm64
+ push: ${{ secrets.REGISTRY && secrets.REGISTRY_USER && secrets.REGISTRY_PASSWORD }}
+ tags: ${{ env.IMAGE }}
+
+ - name: Inspect image (local)
+ if: ${{ ! (secrets.REGISTRY && secrets.REGISTRY_USER && secrets.REGISTRY_PASSWORD) }}
+ run: |
+ echo "Built local image ${IMAGE}"
+ docker images | grep vitrify.me || true
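Review bot: `REGISTRY_PASSWORD` is exported in the job-level `env:` block, so every step of the `docker` job (the debug shell steps and the tag-pinned third-party actions alike) runs with the registry credential in its environment, although only the login step needs it. I would drop the password from job `env:` and expose a non-secret flag instead, `HAS_REGISTRY_CREDS: ${{ secrets.REGISTRY != '' && secrets.REGISTRY_USER != '' && secrets.REGISTRY_PASSWORD != '' }}`, then gate with `if: env.HAS_REGISTRY_CREDS == 'true'` and `push: ${{ env.HAS_REGISTRY_CREDS == 'true' }}`. That also repairs the `push:` input, which as written evaluates a bare `&&` chain and so yields the last operand (the password string) rather than a boolean, and it stops relying on the `secrets` context inside step `if:`, which GitHub's runner does not allow; how the Gitea runner treats it should be confirmed. Because the job triggers on every branch push and on `pull_request`, the push path should probably also be limited to trusted refs.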
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..ba19aa1
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,11 @@
+repos:
+
+ # --- Basic sanity checks ---
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-json
+ - id: detect-private-key
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..0cae690
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,26 @@
+# Stage 1: Builder
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+# Install pnpm
+RUN npm install -g pnpm@9.0.0
+
+# Copy files
+COPY pnpm-lock.yaml ./
+COPY package.json ./
+COPY turbo.json ./
+COPY . .
+
+# Install deps and build
+RUN pnpm install --frozen-lockfile
+RUN pnpm build
+
+# Stage 2: Runtime
+FROM node:20-alpine
+
+WORKDIR /app
+
+COPY --from=builder /app ./
+
+CMD ["node", "apps/web/server.js"]
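Review bot: In `.pre-commit-config.yaml`, `detect-private-key` only flags content carrying a private-key header, so registry passwords, API tokens or `.env` values would pass these hooks unnoticed. Since the same commit adds a workflow that handles registry credentials, a dedicated secret-scanning hook would be worth adding alongside it. I would also put a comment above that entry, such as `# catches PEM-style private keys only, not tokens or passwords`, so the hook's scope is not over-trusted. `- id: check-merge-conflict` and `- id: check-added-large-files` from the same repo are cheap additions.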
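Review bot: The runtime stage of `Dockerfile` never drops privileges, so `node apps/web/server.js` runs as root. The official Node images ship an unprivileged `node` user, and adding `USER node` before `CMD` (with `COPY --from=builder --chown=node:node /app ./` if the server must write under `/app`) limits what a compromised process can do. The same stage copies the builder's entire `/app`, which after `COPY . .` holds sources, dev dependencies and whatever else sat in the build context. No `.dockerignore` appears in this diff, so files such as `.git` or a local `.env` could end up in the pushed image; adding one and copying only the build output plus production dependencies would avoid that.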