diff --git a/Dockerfile b/Dockerfile
index bf44193..788eb5a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1 +1,52 @@
-IyBCdWlsZCBzdGFnZQpGUk9NIGdvbGFuZzoxLjI0LWFscGluZSBBUyBidWlsZGVyCgojIEluc3RhbGwgYnVpbGQgZGVwZW5kZW5jaWVzClJVTiBhcGsgYWRkIC0tbm8tY2FjaGUgZ2NjIG11c2wtZGV2IHNxbGl0ZS1kZXYKCldPUktESVIgL2FwcAoKIyBDb3B5IGdvIG1vZCBmaWxlcwpDT1BZIGdvLm1vZCBnby5zdW0gLi8KUlVOIGdvIG1vZCBkb3dubG9hZAoKIyBDb3B5IHNvdXJjZSBjb2RlCkNPUFkgLiAuCgojIEJ1aWxkIHdpdGggQ0dPIGZvciBTUUxpdGUKRU5WIENHT19FTkFCTEVEPTEKUlVOIGdvIGJ1aWxkIC1sZGZsYWdzPSItcyAtdyIgLW8gL2dpdGVhLW5vdGlmaWNhdGlvbi1odWIgLi9jbWQvc2VydmVyCgojIFJ1bnRpbWUgc3RhZ2UKRlJPTSBhbHBpbmU6My4xOQoKIyBJbnN0YWxsIHJ1bnRpbWUgZGVwZW5kZW5jaWVzIChzcWxpdGUgQ0xJICsganEgZm9yIG1hbnVhbCBtYXBwaW5ncykKUlVOIGFwayBhZGQgLS1uby1jYWNoZSBjYS1jZXJ0aWZpY2F0ZXMgc3FsaXRlLWxpYnMgdHpkYXRhIHNxbGl0ZSBqcQoKIyBDcmVhdGUgbm9uLXJvb3QgdXNlcgpSVU4gYWRkdXNlciAtRCAtZyAnJyBhcHB1c2VyCgpXT1JLRElSIC9hcHAKCiMgQ29weSBiaW5hcnkgZnJvbSBidWlsZGVyCkNPUFkgLS1mcm9tPWJ1aWxkZXIgL2dpdGVhLW5vdGlmaWNhdGlvbi1odWIgLgoKIyBDb3B5IGVudHJ5cG9pbnQgc2NyaXB0CkNPUFkgZG9ja2VyLWVudHJ5cG9pbnQuc2ggLgpSVU4gY2htb2QgK3ggZG9ja2VyLWVudHJ5cG9pbnQuc2gKCiMgQ3JlYXRlIGRhdGEgZGlyZWN0b3J5ClJVTiBta2RpciAtcCAvYXBwL2RhdGEgJiYgY2hvd24gLVIgYXBwdXNlcjphcHB1c2VyIC9hcHAKCiMgU3dpdGNoIHRvIG5vbi1yb290IHVzZXIKVVNFUiBhcHB1c2VyCgojIEV4cG9zZSBwb3J0CkVYUE9TRSA4MDgwCgojIEhlYWx0aCBjaGVjawpIRUFMVEhDSEVDSyAtLWludGVydmFsPTMwcyAtLXRpbWVvdXQ9M3MgLS1zdGFydC1wZXJpb2Q9NXMgLS1yZXRyaWVzPTMgXAogICAgQ01EIHdnZXQgLS1uby12ZXJib3NlIC0tdHJpZXM9MSAtLXNwaWRlciBodHRwOi8vbG9jYWxob3N0OjgwODAvaGVhbHRoIHx8IGV4aXQgMQoKIyBSdW4KRU5UUllQT0lOVCBbIi9iaW4vc2giLCAiLi9kb2NrZXItZW50cnlwb2ludC5zaCJdCg==
\ No newline at end of file
+# Build stage
+FROM golang:1.24-alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache gcc musl-dev sqlite-dev
+
+WORKDIR /app
+
+# Copy go mod files
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Build with CGO for SQLite
+ENV CGO_ENABLED=1
+RUN go build -ldflags="-s -w" -o /gitea-notification-hub ./cmd/server
+
+# Runtime stage
+FROM alpine:3.19
+
+# Install runtime dependencies (sqlite CLI + jq for manual mappings)
+RUN apk add --no-cache ca-certificates sqlite-libs tzdata sqlite jq
+
+# Create non-root user
+RUN adduser -D -g '' appuser
+
+WORKDIR /app
+
+# Copy binary from builder
+COPY --from=builder /gitea-notification-hub .
+
+# Copy entrypoint script
+COPY docker-entrypoint.sh .
+RUN chmod +x docker-entrypoint.sh
+
+# Create data directory
+RUN mkdir -p /app/data && chown -R appuser:appuser /app
+
+# Switch to non-root user
+USER appuser
+
+# Expose port
+EXPOSE 8080
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1
+
+# Run
+ENTRYPOINT ["/bin/sh", "./docker-entrypoint.sh"]