diff --git a/.github/workflows/ctr.yml b/.github/workflows/ctr.yml
new file mode 100644
index 0000000..4118553
--- /dev/null
+++ b/.github/workflows/ctr.yml
@@ -0,0 +1,66 @@
+name: Build & publish fpush ctr image
+
+on:
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build_and_push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+#      - name: Set up QEMU
+#        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ github.repository }}
+
+      - name: Build image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: docker/Dockerfile
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+
+      - name: Log in to ${{ env.REGISTRY }}
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      ## currently not pushing the image to the github registry.
+
+      # - name: Build & push image
+      #   uses: docker/build-push-action@v3
+      #   if: github.event_name == 'push'
+      #   with:
+      #     context: .
+      #     file: docker/Dockerfile
+      #     labels: ${{ steps.meta.outputs.labels }}
+      #     platforms: linux/amd64
+      #     push: true
+      #     tags: ${{ steps.meta.outputs.tags }}
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..9902d1e
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,21 @@
+### alternative tag is e.g. '1.72.0'
+ARG RUST_VSN='stable'
+
+##### Build
+FROM docker.io/clux/muslrust:${RUST_VSN} as builder
+
+COPY / ./
+RUN cargo build --release
+
+RUN mkdir -p /rootfs/etc/fpush \
+ && mv $(find target/ -name fpush -type f -executable) /rootfs/fpush \
+ && touch /rootfs/etc/fpush/settings.json
+
+##### Runtime
+FROM gcr.io/distroless/static-debian12:nonroot AS prod
+
+COPY --from=builder /rootfs /
+
+ENV RUST_LOG=info
+
+ENTRYPOINT ["/fpush","/etc/fpush/settings.json"]
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000..c567f53
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,24 @@
+# Dockerfile for fpush
+
+This folder holds an example Dockerfile.
+
+To build the image, run the following command from the root of this repository:
+
+```bash
+docker build -t localhost/fpush:latest -f docker/Dockerfile .
+```
+
+Run the image with:
+
+```bash
+docker run --init -d \
+    --name fpush \
+    -v /path/to/settings.json:/etc/fpush/settings.json \
+    -v /path/to/apple.p12:/path/to/apple.p12 \
+    -v /path/to/google.json:/path/to/google.json \
+    -e RUST_LOG=info \
+    localhost/fpush:latest
+```
+
+Note: Apple's p12 and/or Google's json file need to be mounted into the
+container as you can see in the example above.