diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..33e8247
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,15 @@
+kind: pipeline
+name: default
+
+steps:
+- name: docker
+ image: plugins/docker
+ build_args:
+ - UBUNTU_MIRROR=http://de.archive.ubuntu.com/ubuntu
+ settings:
+ repo: sneak/work
+ dry_run: true
+ #auto_tag: true
+ tags:
+ - ${DRONE_COMMIT_SHA}
+ - ${DRONE_BRANCH}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..751b1d0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+build.log
diff --git a/Dockerfile b/Dockerfile
index e300ef7..7390394 100644
--- a/Dockerfile
+++ b/Dockerfile
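Review bot: In .drone.yml, `build_args` is listed next to `image` and before `settings`, so it sits at step level; as far as I know the docker plugin reads its options only from the `settings` map, so the `UBUNTU_MIRROR` override is probably never passed to the build and the Dockerfile's default mirror is used. Moving the `build_args:` entry and its list item under `settings:` should fix that. `image: plugins/docker` also has no tag, and this plugin normally runs privileged, so pinning it to a reviewed tag or digest keeps CI from silently picking up a new plugin image.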
@@ -1,2 +1,42 @@
 FROM ubuntu@sha256:8e1c1ee12a539d652c371ee2f4ee66909f4f5fd8002936d8011d958f05faf989
+ENV DEBIAN_FRONTEND noninteractive
+
+ARG UBUNTU_MIRROR=http://us.archive.ubuntu.com/ubuntu
+
+ARG UID_TO_ADD=1000
+ARG GID_TO_ADD=1000
+ARG USERNAME_TO_ADD=sneak
+
+RUN \
+ echo "deb $UBUNTU_MIRROR focal main universe restricted multiverse" > /etc/apt/sources.list.new && \
+ echo "deb $UBUNTU_MIRROR focal-updates main universe restricted multiverse" >> /etc/apt/sources.list.new && \
+ echo "deb $UBUNTU_MIRROR focal-security main universe restricted multiverse" >> /etc/apt/sources.list.new && \
+ echo "deb $UBUNTU_MIRROR focal-backports main universe restricted multiverse" >> /etc/apt/sources.list.new && \
+ mv /etc/apt/sources.list.new /etc/apt/sources.list
+
+ADD https://sneak.cloud/authorized_keys /root/.ssh/authorized_keys
+
+# we only install essential system packages here
+ARG SYSTEM_PACKAGES="build-essential ca-certificates openssh-server git golang rsync runit locales"
+
+RUN \
+ apt update && \
+ apt -y upgrade && \
+ apt -y install $SYSTEM_PACKAGES && \
+ groupadd -g $GID_TO_ADD $USERNAME_TO_ADD && \
+ useradd -u $UID_TO_ADD -g $GID_TO_ADD -s /bin/bash $USERNAME_TO_ADD && \
+ usermod -p '*' $USERNAME_TO_ADD && \
+ go get -v -u github.com/peterbourgon/runsvinit && \
+ cp /root/go/bin/runsvinit /usr/local/sbin/runsvinit && \
+ rm -rf /root/go && \
+ rm /etc/ssh/*host*key*
+
+COPY ./setup /tmp/setup
+RUN bash /tmp/setup/run.sh
+
+COPY ./root /
+
+RUN chmod +rx /etc/service/*/run
+
+CMD ["/usr/local/sbin/runsvinit"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..cb78d6a
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+default: build
+
+build:
+ sudo docker build . 2>&1 | tee -a build.log
diff --git a/bin/start b/bin/start
new file mode 100755
index 0000000..d21af5d
--- /dev/null
+++ b/bin/start
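Review bot: `ADD https://sneak.cloud/authorized_keys /root/.ssh/authorized_keys` in the Dockerfile hunk fills root's SSH trust list with whatever that URL serves at build time, with no integrity pin, so a changed or substituted response becomes key-based root login in every image built afterwards. Keeping the keys file in the repository and using `COPY ./authorized_keys /root/.ssh/authorized_keys` makes the trusted keys reviewable. If the download has to stay, pin it with `ADD --checksum=sha256:<digest of the reviewed file> https://sneak.cloud/authorized_keys /root/.ssh/authorized_keys`, which needs a BuildKit frontend that supports the flag. In weaker form the same applies to `go get -v -u github.com/peterbourgon/runsvinit`, which builds the container's init binary from an unpinned upstream head; building from a reviewed commit would make it reproducible.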
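Review bot: The `build` recipe in the Makefile pipes `docker build` into `tee`, so the recipe's exit status is that of `tee` and a failed image build still lets `make` succeed. Adding `SHELL := /bin/bash` and `.SHELLFLAGS := -o pipefail -c` at the top of the Makefile keeps the log while propagating the failure.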
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+pushd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)/../"
+docker build -t sneak/work .
+popd
+
+
+# FIXME ssh host keys
+docker run \
+ -d \
+ --name work \
+ -v /:/hostroot \
+ -v /home/sneak/.ssh/id_rsa:/home/sneak/.ssh/id_rsa \
+ -v /home/sneak/.ssh/config:/home/sneak/.ssh/config \
+ -v /home/sneak/.ssh/known_hosts:/home/sneak/.ssh/known_hosts \
+ -v /home/sneak/Documents:/home/sneak/Documents \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ sneak/work
diff --git a/root/etc/service/cron/run b/root/etc/service/cron/run
new file mode 100644
index 0000000..ba91c76
--- /dev/null
+++ b/root/etc/service/cron/run
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# mostly cribbed from
+# https://github.com/phusion/baseimage-docker/tree/master/image/services/cron
+
+chmod 600 /etc/crontab
+# https://github.com/phusion/baseimage-docker/issues/345
+#sed -i 's/^\s*session\s\+required\s\+pam_loginuid.so/# &/' /etc/pam.d/cron
+
+## Remove useless cron entries.
+# Checks for lost+found and scans for mtab.
+rm -f /etc/cron.daily/standard
+rm -f /etc/cron.daily/upstart
+rm -f /etc/cron.daily/dpkg
+rm -f /etc/cron.daily/password
+rm -f /etc/cron.weekly/fstrim
+
+# Touch cron files to fix 'NUMBER OF HARD LINKS > 1' issue. See
+# https://github.com/phusion/baseimage-docker/issues/198
+touch -c /var/spool/cron/crontabs/*
+touch -c /etc/crontab
+touch -c /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/*
+/etc/cron.monthly/* /etc/cron.weekly/*
+
+exec /usr/sbin/cron -f
+
diff --git a/setup/packages.txt b/setup/packages.txt
new file mode 100644
index 0000000..a8445d2
--- /dev/null
+++ b/setup/packages.txt
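Review bot: The `docker run` in bin/start passes both `-v /:/hostroot` and `-v /var/run/docker.sock:/var/run/docker.sock`, each writable, so any process in the container has root-equivalent control of the host; that includes anyone who logs in over SSH, if sshd is run there as the installed openssh-server and the FIXME suggest. If the workspace only needs specific directories, mount those and drop `/:/hostroot`. The private key and SSH config can be mounted read-only, e.g. `-v /home/sneak/.ssh/id_rsa:/home/sneak/.ssh/id_rsa:ro`. The `pushd` result is also unchecked, so a failed directory change would build from whatever directory the caller is in; appending `|| exit 1` to the `pushd` line avoids that.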
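Review bot: In root/etc/service/cron/run the last `touch -c` is broken across two lines (the hunk's 26-line count confirms the break), so `/etc/cron.monthly/* /etc/cron.weekly/*` stands alone as a command. Each time the service starts, the shell will try to execute the first match of `/etc/cron.monthly/*` with the remaining paths as arguments, and those two directories are never touched. Join it back into one line: `touch -c /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*`. The file is also added with mode 100644 and only becomes executable through the Dockerfile's `chmod +rx /etc/service/*/run`; committing it as 100755 would remove that dependency.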
@@ -0,0 +1,110 @@
+
+apt-transport-https
+apt-utils
+aspell
+aspell-en
+automake
+bash-completion
+bc
+bind9-host
+bonnie++
+build-essential
+byobu
+ca-certificates
+cmake
+command-not-found
+curl
+daemontools
+debmirror
+default-jre
+diffstat
+dnsutils
+docker.io
+dos2unix
+editorconfig
+ffmpeg
+fonts-indic
+fonts-ipafont-gothic
+fonts-ipafont-mincho
+fortune
+git
+gnupg2
+gnupg-agent
+golang-go
+host
+imagemagick
+iputils-ping
+irssi
+jq
+lcov
+ldap-auth-client
+ldap-utils
+libasound2
+libatk1.0-0
+libboost-all-dev
+libdb++-dev
+libgconf-2-4
+libgtk-3-0
+libjpeg-dev
+libnss3
+libnss-mdns
+libpng-dev
+libssl-dev
+libtool
+libxcursor1
+libxml2
+libxml2-dev
+libxslt1-dev
+locales
+lsof
+mailutils
+make
+man
+man-db
+mercurial
+mosh
+mutt
+netcat-openbsd
+nmap
+nscd
+openssh-server
+pandoc
+pass
+pbzip2
+pinentry-curses
+pkg-config
+psmisc
+pv
+pwgen
+python3
+python3-dev
+python3-pip
+rbenv
+rsync
+rsyslog
+rsyslog-gnutls
+rsyslog-relp
+runit
+screen
+snmp
+snmpd
+socat
+software-properties-common
+strace
+sudo
+tcpdump
+telnet
+texlive-latex-base
+tmux
+tree
+ttf-wqy-microhei
+ttf-wqy-zenhei
+vagrant
+vim
+vim-gtk
+wamerican-insane
+wget
+xterm
+zfsutils-linux
+zip
+zsh
diff --git a/setup/run.sh b/setup/run.sh
new file mode 100644
index 0000000..888ce04
--- /dev/null
+++ b/setup/run.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+TD="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd)"
+
+cd "$TD"
+
+apt install -y $(cat packages.txt)
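Review bot: setup/run.sh installs the whole package list without refreshing the index, relying on the lists left by the `apt update` in an earlier Dockerfile layer; when that layer comes from cache the index can be stale and the install fails on packages that have since been superseded. Changing the last line to `apt-get update && apt-get install -y $(cat packages.txt)` keeps the refresh and the install in the same layer, and `apt-get` is the interface meant for scripts. `cd "$TD"` is also unchecked, so `set -e` near the top (or `cd "$TD" || exit 1`) stops the script from reading a `packages.txt` in the wrong directory.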