diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..af42332
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,60 @@
+# ───────────────────
+# Stage 1: Base Image
+# ───────────────────
+FROM archlinux:base-devel-20250511.0.348143 as base
+
+ARG DEV_USER=devuser
+ARG DEV_UID=1001
+ARG DEV_GID=1001
+
+# Install all necessary packages and clean up cache
+RUN pacman -Sy --noconfirm && \
+ pacman -S --noconfirm --needed \
+ base-devel neovim git git-lfs fish tmux \
+ nodejs python podman fzf fd ripgrep jdk-openjdk fisher yazi less \
+ lazygit luarocks python-pynvim npm bash-completion tree-sitter-cli kitty-terminfo \
+ lua51 openssh && \
+ pacman -Scc --noconfirm && \
+ rm -rf /var/cache/pacman/pkg/*
+
+# Create user/groups as per your script, with -l to avoid system user quirks
+RUN groupadd -g $DEV_GID $DEV_USER && \
+ groupadd -g 1002 secproc && \
+ useradd -l -ms /bin/fish -G secproc -u $DEV_UID -g $DEV_GID $DEV_USER
+
+# ────────────────────────
+# Stage 2: Workspace Image
+# ────────────────────────
+FROM base as workspace
+
+ARG DEV_USER=devuser
+ARG DEV_UID=1001
+ARG DEV_GID=1001
+ARG DEV_HOME=/home/$DEV_USER
+
+# Use ADD for extracting archives
+ADD home.tar.gz $DEV_HOME
+
+# Prepare .ssh and known_hosts, and fix permissions only if dirs exist
+RUN mkdir -p $DEV_HOME/.ssh && \
+ ssh-keyscan -p 2222 10.88.0.1 >> $DEV_HOME/.ssh/known_hosts && \
+ ssh-keyscan -p 22 github.com >> $DEV_HOME/.ssh/known_hosts && \
+ for d in $DEV_HOME/.local \
+ $DEV_HOME/.config/fish/completions \
+ $DEV_HOME/.config/fish/functions \
+ $DEV_HOME/.config/fish/fish_variables \
+ $DEV_HOME/.ssh; do \
+ if [ -e "$d" ]; then chown -R $DEV_USER:$DEV_USER "$d"; fi; \
+ done && \
+ for d in $DEV_HOME/.local \
+ $DEV_HOME/.config \
+ $DEV_HOME/.config/fish \
+ $DEV_HOME/.config/tmux; do \
+ if [ -e "$d" ]; then chown $DEV_USER:$DEV_USER "$d"; fi; \
+ done
+
+WORKDIR /app
+ENV CONTAINER_HOST=unix:///run/podman/podman.sock
+USER $DEV_USER
+
+CMD ["/home/devuser/start.sh"]
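Review bot: The two `ssh-keyscan` lines in the workspace stage's `RUN` accept whatever host keys the network returns at build time and bake them into `known_hosts`, so the image permanently trusts keys that were never authenticated, for `github.com` and for `10.88.0.1:2222` alike. A spoofed or intercepted answer during a single build would be pinned as trusted in every container started from that image. Prefer a reviewed `known_hosts` file committed next to the Containerfile and copied in before this `RUN`, e.g. `COPY known_hosts $DEV_HOME/.ssh/known_hosts`, with the GitHub entries checked against GitHub's published fingerprints; the existing `chown -R` loop over `$DEV_HOME/.ssh` already fixes ownership. Separately, `CMD ["/home/devuser/start.sh"]` hard-codes the home path, so overriding `DEV_USER` at build time leaves the command pointing at a path that is presumably not there.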