diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..c07c711
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,20 @@
+# Don't track git
+.git/*
+
+# Don't track cargo generated files
+target/*
+app/target/*
+model/target/*
+
+# Don't track the generated JS
+app/pkg/*
+
+# Don't track changes to the Dockerfile, triggering a rebuild without cache
+Dockerfile
+.dockerignore
+
+# Various config files that shouldn't be tracked
+lldap_config.toml
+server_key
+users.db*
+.gitignore
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..9de935c
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,55 @@
+# Build image
+FROM rust:alpine AS builder
+
+RUN set -x \
+ # Add user
+ && addgroup --gid 10001 app \
+ && adduser --disabled-password \
+ --gecos '' \
+ --ingroup app \
+ --home /app \
+ --uid 10001 \
+ app
+RUN set -x \
+ # Install required packages
+ && apk add npm openssl-dev musl-dev
+USER app
+WORKDIR /app
+RUN set -x \
+ # Install build tools
+ && RUSTFLAGS=-Ctarget-feature=-crt-static cargo install wasm-pack \
+ && npm install rollup
+# Build
+COPY --chown=app:app . /app
+RUN cargo build --release
+# TODO: release mode.
+RUN ./app/build.sh
+
+
+# Final image
+FROM alpine
+
+RUN set -x \
+ # Add user
+ && addgroup --gid 10001 app \
+ && adduser --disabled-password \
+ --gecos '' \
+ --ingroup app \
+ --home /app \
+ --uid 10001 \
+ app
+
+RUN mkdir /data && chown app:app /data
+USER app
+WORKDIR /app
+COPY --chown=app:app --from=builder /app/app/index.html app/index.html
+COPY --chown=app:app --from=builder /app/app/main.js app/main.js
+COPY --chown=app:app --from=builder /app/app/pkg app/pkg
+COPY --chown=app:app --from=builder /app/target/release/lldap lldap
+
+ENV LDAP_PORT=3890
+ENV HTTP_PORT=17170
+
+EXPOSE ${LDAP_PORT} ${HTTP_PORT}
+
+CMD ["/app/lldap", "--config_file", "/data/lldap_config.toml"]
diff --git a/README.md b/README.md
index 3c4c2aa..266dae4 100644
--- a/README.md
+++ b/README.md
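Review bot: Both stages of the new Dockerfile pull floating base images — `FROM rust:alpine AS builder` and `FROM alpine` — and the toolchain is installed unpinned (`apk add npm openssl-dev musl-dev`, `cargo install wasm-pack`, `npm install rollup`), so the same Dockerfile can produce a different, unreviewed image on every rebuild; pinning the base tags (ideally by digest) and the tool versions, e.g. `FROM rust:<PINNED_VERSION>-alpine AS builder`, `apk add --no-cache npm=<PINNED_VERSION> openssl-dev=<PINNED_VERSION> musl-dev=<PINNED_VERSION>` and `cargo install --version <PINNED_VERSION> wasm-pack`, makes the build reproducible and auditable. The `--no-cache` flag also keeps the apk index out of the builder layer. The final stage runs as the non-root `app` user with an exec-form `CMD`, which is good; as a long-running service it would benefit from a `HEALTHCHECK` against the HTTP port, for instance `HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:17170/ || exit 1` (constructed example — confirm the endpoint and that the base image's `wget` is available). Note that the `RUSTFLAGS=-Ctarget-feature=-crt-static` prefix applies only to the `cargo install wasm-pack` command, so `cargo build --release` still uses the default linking; if the `lldap` binary ends up linking `libssl` dynamically via `openssl-dev`, the runtime `alpine` stage ships no such library — worth confirming with `ldd` on the copied binary.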
@@ -100,6 +100,44 @@ Make sure that you run `cargo fmt` in each crate that you modified (top-level, ### Setup
+#### With Docker
+
+The image is available at `nitnelave/lldap`. You should persist the `/data`
+folder, which contains your configuration, the database and the private key
+file (unless you move them in the config).
+
+Configure the server by copying the `lldap_config.docker_template.toml` to
+`/data/lldap_config.toml` and updating the configuration values (especially the
+`jwt_secret` and `ldap_user_pass`, unless you override them with env variables).
+
+Example for docker compose:
+
+```yaml
+volumes:
+ lldap_data:
+ driver: local
+
+services:
+ lldap:
+ image: nitnelave/lldap
+ ports:
+ # For LDAP
+ - "3890:3890"
+ # For the web front-end
+ - "17170:17170"
+ volumes:
+ - "lldap_data:/data"
+ environment:
+ - JWT_SECRET=REPLACE_WITH_RANDOM
+ - LDAP_USER_PASS=REPLACE_WITH_PASSWORD
+ - LDAP_BASE_DN=dc=example,dc=com
+```
+
+Then the service will listen on two ports, one for LDAP and one for the web
+front-end.
+
+#### From source
+
 To bring up the server, you'll need to compile the frontend. In addition to cargo, you'll need:
diff --git a/lldap_config.docker_template.toml b/lldap_config.docker_template.toml
new file mode 100644
index 0000000..d625eb4
--- /dev/null
+++ b/lldap_config.docker_template.toml
@@ -0,0 +1,65 @@
+## Default configuration for Docker.
+## All the values can be overridden through environment variables. For
+## instance, "ldap_port" can be overridden with the "LDAP_PORT" variable.
+
+## The port on which to have the LDAP server.
+#ldap_port = 3890
+
+## The port on which to have the HTTP server, for user login and
+## administration.
+#http_port = 17170
+
+## Random secret for JWT signature.
+## This secret should be random, and should be shared with application
+## servers that need to consume the JWTs.
+## Changing this secret will invalidate all user sessions and require
+## them to re-login.
+## You should probably set it through the JWT_SECRET environment
+## variable from a secret ".env" file.
+## You can generate it with (on linux):
+## LC_ALL=C tr -dc 'A-Za-z0-9!"#%&'\''()*+,-./:;<=>?@[\]^_{|}~'