diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 00000000..bb2c2d5b
--- /dev/null
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,70 @@
+name: Publish Docker image
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+    tags:
+      - 'v*'
+
+env:
+  REGISTRY: ""
+  IMAGE_NAME: ipfs/ipfs-cluster
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          # registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Get tags
+        id: tags
+        run: |
+          echo "value<<EOF" >> $GITHUB_OUTPUT
+          ./docker/get-docker-tags.sh "$(date -u +%F)" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Build Docker image and publish to Docker Hub
+        uses: docker/build-push-action@v4
+        with:
+          platforms: linux/amd64,linux/arm/v7,linux/arm64/v8
+          context: .
+          push: true
+          file: ./Dockerfile
+          tags: "${{ steps.tags.outputs.value }}"
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache to limit growth
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
diff --git a/Dockerfile b/Dockerfile
index 396f4610..a0e91b42 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,34 +1,39 @@
-FROM golang:1.20-bullseye AS builder
-MAINTAINER Hector Sanjuan <hector@protocol.ai>
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.20-bullseye AS builder
+MAINTAINER Hector Sanjuan <code@hector.link>
 
 # This dockerfile builds and runs ipfs-cluster-service.
+ARG TARGETPLATFORM TARGETOS TARGETARCH
 
 ENV GOPATH      /go
 ENV SRC_PATH    $GOPATH/src/github.com/ipfs-cluster/ipfs-cluster
-ENV GO111MODULE on
 ENV GOPROXY     https://proxy.golang.org
 
-# Get the TLS CA certificates, they're not provided by busybox.
-RUN apt-get update && apt-get install -y ca-certificates tini gosu
-
 COPY --chown=1000:users go.* $SRC_PATH/
 WORKDIR $SRC_PATH
-RUN go mod download
+RUN go mod download -x
 
 COPY --chown=1000:users . $SRC_PATH
 RUN git config --global --add safe.directory /go/src/github.com/ipfs-cluster/ipfs-cluster
+
+ENV CGO_ENABLED 0
 RUN make install
 
 
 #------------------------------------------------------
-FROM busybox:1-glibc
+FROM alpine:3.18
 MAINTAINER Hector Sanjuan <hector@protocol.ai>
 
+LABEL org.opencontainers.image.source=https://github.com/ipfs-cluster/ipfs-cluster
+LABEL org.opencontainers.image.description="Pinset orchestration for IPFS"
+LABEL org.opencontainers.image.licenses=MIT+APACHE_2.0
+
+# Install binaries for $TARGETARCH
+RUN apk add --no-cache tini su-exec ca-certificates
+
 ENV GOPATH                 /go
 ENV SRC_PATH               /go/src/github.com/ipfs-cluster/ipfs-cluster
 ENV IPFS_CLUSTER_PATH      /data/ipfs-cluster
 ENV IPFS_CLUSTER_CONSENSUS crdt
-ENV IPFS_CLUSTER_DATASTORE pebble
 
 EXPOSE 9094
 EXPOSE 9095
@@ -38,16 +43,13 @@ COPY --from=builder $GOPATH/bin/ipfs-cluster-service /usr/local/bin/ipfs-cluster
 COPY --from=builder $GOPATH/bin/ipfs-cluster-ctl /usr/local/bin/ipfs-cluster-ctl
 COPY --from=builder $GOPATH/bin/ipfs-cluster-follow /usr/local/bin/ipfs-cluster-follow
 COPY --from=builder $SRC_PATH/docker/entrypoint.sh /usr/local/bin/entrypoint.sh
-COPY --from=builder /usr/bin/tini /usr/bin/tini
-COPY --from=builder /usr/sbin/gosu /usr/sbin/gosu
-COPY --from=builder /etc/ssl/certs /etc/ssl/certs
 
 RUN mkdir -p $IPFS_CLUSTER_PATH && \
     adduser -D -h $IPFS_CLUSTER_PATH -u 1000 -G users ipfs && \
     chown ipfs:users $IPFS_CLUSTER_PATH
 
 VOLUME $IPFS_CLUSTER_PATH
-ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/entrypoint.sh"]
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]
 
 # Defaults for ipfs-cluster-service go here
 CMD ["daemon"]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index d893106f..94da6607 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -11,7 +11,7 @@ if [ `id -u` -eq 0 ]; then
     echo "Changing user to $user"
     # ensure directories are writable
     su-exec "$user" test -w "${IPFS_CLUSTER_PATH}" || chown -R -- "$user" "${IPFS_CLUSTER_PATH}"
-    exec gosu "$user" "$0" $@
+    exec su-exec "$user" "$0" $@
 fi
 
 # Only ipfs user can get here
@@ -22,7 +22,7 @@ if [ -e "${IPFS_CLUSTER_PATH}/service.json" ]; then
 else
     echo "This container only runs ipfs-cluster-service. ipfs needs to be run separately!"
     echo "Initializing default configuration..."
-    ipfs-cluster-service init --consensus "${IPFS_CLUSTER_CONSENSUS}" --datastore "${IPFS_CLUSTER_DATASTORE}"
+    ipfs-cluster-service init --consensus "${IPFS_CLUSTER_CONSENSUS}"
 fi
 
 exec ipfs-cluster-service $@
diff --git a/docker/get-docker-tags.sh b/docker/get-docker-tags.sh
new file mode 100755
index 00000000..a5bd8742
--- /dev/null
+++ b/docker/get-docker-tags.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# get-docker-tags.sh produces Docker tags for the current build
+#
+# Usage:
+#   ./get-docker-tags.sh <build number> <git commit sha1> <git branch name> [git tag name]
+#
+# Example:
+#
+#   # get tag for the main branch
+#   ./get-docker-tags.sh $(date -u +%F) testingsha main
+#
+#   # get tag for a release tag
+#   ./get-docker-tags.sh $(date -u +%F) testingsha release v0.5.0
+#
+#   # Serving suggestion in CI
+#   ./get-docker-tags.sh $(date -u +%F) "$CI_SHA1" "$CI_BRANCH" "$CI_TAG"
+#
+set -euo pipefail
+
+if [[ $# -lt 1 ]] ; then
+  echo 'At least 1 arg required.'
+  echo 'Usage:'
+  echo './get-docker-tags.sh <build number> [git commit sha1] [git branch name] [git tag name]'
+  exit 1
+fi
+
+BUILD_NUM=$1
+GIT_SHA1=${2:-$(git rev-parse HEAD)}
+GIT_SHA1_SHORT=$(echo "$GIT_SHA1" | cut -c 1-7)
+GIT_BRANCH=${3:-$(git symbolic-ref -q --short HEAD || echo "unknown")}
+GIT_TAG=${4:-$(git describe --tags --exact-match 2> /dev/null || echo "")}
+
+IMAGE_NAME=${IMAGE_NAME:-ipfs/ipfs-cluster}
+
+echoImageName () {
+  local IMAGE_TAG=$1
+  echo "$IMAGE_NAME:$IMAGE_TAG"
+}
+
+if [[ $GIT_TAG =~ ^v[0-9]+\.[0-9]+\.[0-9]+-rc ]]; then
+  echoImageName "$GIT_TAG"
+
+elif [[ $GIT_TAG =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  echoImageName "$GIT_TAG"
+  echoImageName "stable"
+
+elif [ "$GIT_BRANCH" = "master" ]; then
+  echoImageName "master-${BUILD_NUM}-${GIT_SHA1_SHORT}"
+  echoImageName "master-latest"
+
+else
+  echo "Nothing to do. No docker tag defined for branch: $GIT_BRANCH, tag: $GIT_TAG"
+
+fi