diff --git a/.github/workflows/base.yml b/.github/workflows/base.yml
index 4ab4813..900dc78 100644
--- a/.github/workflows/base.yml
+++ b/.github/workflows/base.yml
@@ -1,18 +1,18 @@
 # cSpell: disable
-name: Publish docker image on docker hub
+name: Build base image and RootFS
 on:
   workflow_dispatch:
   push:
     branches:
-      - "master"
+      - "main"
     tags:
       - "v*"
   pull_request:
     branches:
-      - "master"
+      - "main"
 
 jobs:
-  publish:
+  build-base:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -52,25 +52,47 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          outputs: type=tar,dest=alpine-boxes-base.tar
+          outputs: type=tar,dest=alpine-boxes-base.rootfs.tar
 
       - name: Compress root filesystem and compute checksum
         run: |
-          gzip alpine-boxes-base.tar
-          sha256sum alpine-boxes-base.tar.gz >> SHA256SUMS
+          gzip alpine-boxes-base.rootfs.tar
+          sha256sum alpine-boxes-base.rootfs.tar.gz >> SHA256SUMS
+
       - name: Upload root fs artifact
         uses: actions/upload-artifact@v3
         with:
           name: rootfs
           path: |
-            alpine-boxes-base.tar.gz
+            alpine-boxes-base.rootfs.tar.gz
+
+      - name: Upload shasums artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: shasums
+          path: |
             SHA256SUMS
+
+  build-docker:
+    needs: [build-base]
+    uses: ./.github/workflows/build-box.yml
+    with:
+      context: docker
+    secrets: inherit
+
+  release-rootfses:
+    needs: [build-base, build-docker]
+    runs-on: ubuntu-latest
+    if: contains(github.ref, 'refs/tags/v') && !github.event.release.prerelease
+    steps:
+      - name: Get Root File Systems
+        uses: actions/download-artifact@v3
+
       - name: release
-        if: contains(github.ref, 'refs/tags/v') && !github.event.release.prerelease
         uses: softprops/action-gh-release@v1
         with:
           files: |
-            alpine-boxes-base.tar.gz
+            alpine-boxes-*.rootfs.tar.gz
             SHA256SUMS
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/build-box.yml b/.github/workflows/build-box.yml
new file mode 100644
index 0000000..7a1a219
--- /dev/null
+++ b/.github/workflows/build-box.yml
@@ -0,0 +1,84 @@
+# cSpell: disable
+name: Build a box
+on:
+  workflow_call:
+    inputs:
+      context:
+        required: true
+        type: string
+    # secrets:
+    #   token:
+    #     required: true
+
+jobs:
+  build-base:
+    runs-on: ubuntu-latest
+    outputs:
+      sha256sum: ${{ steps.compress.outputs.sha256sum }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          driver-opts: |
+            image=moby/buildkit:master
+      - name: Docker Login
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ghcr.io/${{ github.repository }}-${{ inputs.context }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: ${{ inputs.context }}
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Export as root fs
+        uses: docker/build-push-action@v3
+        with:
+          context: ${{ inputs.context }}
+          push: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          outputs: type=tar,dest=alpine-boxes-${{ inputs.context }}.rootfs.tar
+
+      - name: Get distributions
+        uses: actions/download-artifact@v3
+        with:
+          name: shasums
+
+      - name: Compress root filesystem and compute checksum
+        id: compress
+        env:
+          BOX_NAME: ${{ inputs.context }}
+        run: |
+          gzip alpine-boxes-${BOX_NAME}.rootfs.tar
+          sha256sum alpine-boxes-${BOX_NAME}.rootfs.tar.gz >> SHA256SUMS
+          echo "sha256sum=$(tail -1 SHA256SUMS)" >>$GITHUB_OUTPUT
+
+      - name: Upload root fs artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: rootfs
+          path: |
+            alpine-boxes-${{ inputs.context }}.rootfs.tar.gz
+
+      - name: shasums artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: shasums
+          path: |
+            SHA256SUMS
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..0b86757
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,10 @@
+ARG BASE_VERSION=latest
+
+FROM ghcr.io/kaweezle/alpine-boxes-base:${BASE_VERSION}
+
+USER root
+
+RUN apk add --no-cache docker && \
+    rc-update add docker default
+
+USER alpine