diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..c4c85e4
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,70 @@
+# Build stage
+FROM golang:1.24-bookworm AS builder
+
+# Install build dependencies (zstd for archive, gcc for CGO/sqlite3)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ zstd \
+ gcc \
+ libc6-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /src
+
+# Copy go.mod and go.sum first for better layer caching
+COPY go.mod go.sum ./
+
+# Download and vendor dependencies
+RUN go mod download
+RUN go mod vendor
+
+# Copy source code
+COPY . .
+
+# Build the binary with CGO enabled (required for sqlite3)
+RUN CGO_ENABLED=1 GOOS=linux go build -o /routewatch ./cmd/routewatch
+
+# Create source archive with vendored dependencies
+RUN tar --zstd -cf /routewatch-source.tar.zst \
+ --exclude='.git' \
+ --exclude='*.tar.zst' \
+ .
+
+# Runtime stage
+FROM debian:bookworm-slim
+
+# Install runtime dependencies
+# - ca-certificates: for HTTPS connections
+# - curl: for health checks
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN useradd -r -u 1000 -m routewatch
+
+# Create state directory
+RUN mkdir -p /var/lib/routewatch && chown routewatch:routewatch /var/lib/routewatch
+
+WORKDIR /app
+
+# Copy binary and source archive from builder
+COPY --from=builder /routewatch /app/routewatch
+COPY --from=builder /routewatch-source.tar.zst /app/source/routewatch-source.tar.zst
+
+# Set ownership
+RUN chown -R routewatch:routewatch /app
+
+USER routewatch
+
+# Default state directory
+ENV ROUTEWATCH_STATE_DIR=/var/lib/routewatch
+
+# Expose HTTP port
+EXPOSE 8080
+
+# Health check using the health endpoint
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+ CMD curl -sf http://localhost:8080/.well-known/healthcheck.json || exit 1
+
+ENTRYPOINT ["/app/routewatch"]
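Review bot: The source archive built by `RUN tar --zstd -cf /routewatch-source.tar.zst ... .` runs after `COPY . .` and excludes only `.git` and `*.tar.zst`, so every other file in the build context (a local `.env`, state databases, editor or credential files) is packed into `/app/source/` of the runtime image and shipped with it. No `.dockerignore` is visible in this diff; I would add one alongside this file, or build the archive from an explicit list of paths rather than `.`. Separately, `RUN chown -R routewatch:routewatch /app` makes the binary writable by the account that runs it; if the service only reads from `/app`, dropping that line keeps the files root-owned so a compromised process cannot replace its own executable. Both base images are referenced by mutable tag (`golang:1.24-bookworm`, `debian:bookworm-slim`); pinning them by digest would make the build reproducible.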