diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 568b3dc3..61684492 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,3 +24,35 @@ jobs:
           bin: diode-send,diode-receive,diode-send-file,diode-receive-file,diode-send-udp,diode-receive-udp
           archive: lidi-$tag
           token: ${{ secrets.GITHUB_TOKEN }}
+  build-and-push-docker-image:
+    name: Builds and pushes a tagged docker image
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        lidi_service:
+          - send
+          - receive
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: docker/metadata-action@v5
+        id: docker_meta
+        with:
+          images: docker.io/anssi/lidi-${{ matrix.lidi_service }}
+          tags: |
+              type=semver,pattern={{version}}
+              type=semver,pattern={{major}}.{{minor}}
+              type=semver,pattern={{major}}
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          target: ${{ matrix.lidi_service }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
+      
+
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..43edbe48
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,19 @@
+# NOTE: use Google's "distroless with libgcc1" base image, see:
+#       https://github.com/GoogleContainerTools/distroless/blob/6755e21ccd99ddead6edc8106ba03888cbeed41a/cc/README.md
+ARG BASE_IMAGE_FINAL_STAGES="gcr.io/distroless/cc:nonroot"
+
+FROM rust:1-bookworm AS builder
+
+WORKDIR /usr/src/lidi
+COPY . .
+RUN cargo install --path .
+
+FROM ${BASE_IMAGE_FINAL_STAGES} AS send
+
+COPY --from=builder --chown=root:root --chmod=755 /usr/local/cargo/bin/diode-send /usr/local/bin/
+ENTRYPOINT ["diode-send"]
+
+FROM ${BASE_IMAGE_FINAL_STAGES} AS receive
+
+COPY --from=builder --chown=root:root --chmod=755 /usr/local/cargo/bin/diode-receive /usr/local/bin/
+ENTRYPOINT ["diode-receive"]
\ No newline at end of file
diff --git a/Dockerfile.receive b/Dockerfile.receive
deleted file mode 100644
index 2e056559..00000000
--- a/Dockerfile.receive
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM rust:latest AS builder
-WORKDIR /usr/src/lidi
-COPY . .
-RUN cargo install --path .
-
-FROM debian:buster-slim
-COPY --from=builder /usr/local/cargo/bin/diode-receive /usr/local/bin
-ENTRYPOINT ["diode-receive"]
diff --git a/Dockerfile.send b/Dockerfile.send
deleted file mode 100644
index 41c4e250..00000000
--- a/Dockerfile.send
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM rust:latest AS builder
-WORKDIR /usr/src/lidi
-COPY . .
-RUN cargo install --path .
-
-FROM debian:buster-slim
-COPY --from=builder /usr/local/cargo/bin/diode-send /usr/local/bin
-ENTRYPOINT ["diode-send"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 8c60252a..7ad81f43 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,7 +13,8 @@ services:
     image: diode:send
     build:
       context: .
-      dockerfile: Dockerfile.send
+      dockerfile: Dockerfile
+      target: send
     networks:
       diode_net:
         ipv4_address: 172.16.0.2
@@ -31,7 +32,8 @@ services:
     image: diode:receive
     build:
       context: .
-      dockerfile: Dockerfile.receive
+      dockerfile: Dockerfile
+      target: receive
     networks:
       diode_net:
         ipv4_address: 172.16.0.3