diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..8d35cb3
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+__pycache__
+*.pyc
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 449f792..ad4d272 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,7 +4,7 @@ repos:
     hooks:
       - id: system
         name: requirements.txt
-        entry: poetry export --format=requirements.txt --without-hashes --dev --output=requirements.txt
+        entry: poetry export --format=requirements.txt --without-hashes --output=requirements.txt
         pass_filenames: false
         language: system
   - repo: local
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d5914a6
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,40 @@
+ARG PYTHON_VERSION=3.9
+FROM docker.io/python:${PYTHON_VERSION}-alpine as builder
+ARG LIBOLM_VERSION=3.2.10
+RUN apk add --no-cache \
+    make \
+    cmake \
+    gcc \
+    g++ \
+    git \
+    libffi-dev \
+    yaml-dev \
+    python3-dev
+
+RUN  set -ex; \
+    git clone -b "${LIBOLM_VERSION}" https://gitlab.matrix.org/matrix-org/olm.git olm && cd olm; \
+    cmake . -Bbuild ; \
+    cmake --build build ; \
+    make install ; \
+    cd python && make olm-python3 ; \
+    mkdir -p "/python-libs" || true ; \
+    DESTDIR="/python-libs" make install-python3
+
+RUN mkdir -p /app/ops_bot
+COPY requirements.txt /app/requirements.txt
+RUN pip install --prefix="/python-libs" -r /app/requirements.txt
+
+FROM docker.io/python:${PYTHON_VERSION}-alpine
+
+COPY --from=builder /python-libs /usr/local
+COPY --from=builder /usr/local/lib/libolm* /usr/local/lib/
+
+RUN apk add --no-cache \
+    libstdc++ bash
+
+RUN mkdir -p /app/ops_bot
+COPY ops_bot/ /app/ops_bot/
+ENV MATRIX_STORE_PATH=/data
+VOLUME ["/data"]
+WORKDIR /app
+ENTRYPOINT ["/usr/local/bin/python", "-m", "ops_bot.main"]
diff --git a/README.md b/README.md
index 5e26df8..6682250 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,24 @@
 
 a bot for ops in matrix
 
-## Dev Setup
+## Usage
 
+```
+docker build -t registry.gitlab.com/guardianproject-ops/matrix-ops-bot .
+
+docker run --rm  \
+--name ops-bot \
+--volume /path/to/store:/data \
+--env MATRIX_HOMESERVER=https://matrix.org \
+--env MATRIX_USER_ID=@YOURBOT:matrix.org \
+--env MATRIX_PASSWORD="changeme" \
+--env MATRIX_DEVICE_NAME=my-bot-server \
+--env BOT_ROUTING_KEYS="{\"room1\": \"!XXXX:matrix.org\", \"room2\": \"!YYYYY:matrix.org\"}" \
+--env BOT_BEARER_TOKEN="changeme" \
+registry.gitlab.com/guardianproject-ops/matrix-ops-bot
+```
+
+## Dev Setup
 
 `.env`:
 ```
diff --git a/ops_bot/main.py b/ops_bot/main.py
index 795ed04..5b0166f 100644
--- a/ops_bot/main.py
+++ b/ops_bot/main.py
@@ -16,6 +16,7 @@ class BotSettings(BaseSettings):
 
     class Config:
         env_prefix = "BOT_"
+        secrets_dir = "/run/secrets"
         case_sensitive = False
 
 
@@ -101,3 +102,7 @@ def start_dev() -> None:
 
 def start() -> None:
     uvicorn.run("ops_bot.main:app", port=1111, host="0.0.0.0")  # nosec B104
+
+
+if __name__ == "__main__":
+    start()
diff --git a/ops_bot/matrix.py b/ops_bot/matrix.py
index 94c9187..89fa3ae 100644
--- a/ops_bot/matrix.py
+++ b/ops_bot/matrix.py
@@ -51,6 +51,7 @@ class MatrixClientSettings(BaseSettings):
 
     class Config:
         env_prefix = "MATRIX_"
+        secrets_dir = "/run/secrets"
         case_sensitive = False
 
 
diff --git a/requirements.txt b/requirements.txt
index aab923a..c6a9d04 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,68 +4,41 @@ aiohttp==3.8.1; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 aiosignal==1.2.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.6"
 anyio==3.6.1; python_version >= "3.6" and python_full_version >= "3.6.2"
 async-timeout==4.0.2; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.6"
-atomicwrites==1.4.1; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and (python_version >= "3.5" and python_full_version < "3.0.0" and sys_platform == "win32" or sys_platform == "win32" and python_version >= "3.5" and python_full_version >= "3.4.0")
-attrs==21.4.0; python_full_version >= "3.6.1" and python_version >= "3.6" and python_full_version < "4.0.0"
-bandit==1.7.4; python_version >= "3.7"
-black==22.6.0; python_full_version >= "3.6.2"
+atomicwrites==1.4.1; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
+attrs==21.4.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.6"
 cachetools==4.2.4; python_version >= "3.5" and python_version < "4.0" and python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 cffi==1.15.1; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 charset-normalizer==2.1.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.6"
-click==8.1.3; python_version >= "3.7" and python_full_version >= "3.6.2"
-colorama==0.4.5; sys_platform == "win32" and python_version >= "3.7" and python_full_version >= "3.6.2" and platform_system == "Windows"
+click==8.1.3; python_version >= "3.7"
+colorama==0.4.5; python_version >= "3.7" and python_full_version < "3.0.0" and platform_system == "Windows" or platform_system == "Windows" and python_version >= "3.7" and python_full_version >= "3.5.0"
 fastapi==0.79.0; python_full_version >= "3.6.1"
-flake8==4.0.1; python_version >= "3.6"
 frozenlist==1.3.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.7"
 future==0.18.2; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
-gitdb==4.0.9; python_version >= "3.7"
-gitpython==3.1.27; python_version >= "3.7"
 h11==0.12.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.7"
 h2==4.1.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 hpack==4.0.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 hyperframe==6.0.1; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 idna==3.3; python_full_version >= "3.6.2" and python_full_version < "4.0.0" and python_version >= "3.6"
 importlib-metadata==4.12.0; python_version < "3.10" and python_version >= "3.7"
-isort==5.10.1; python_full_version >= "3.6.1" and python_version < "4.0"
 jsonschema==3.2.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 logbook==1.5.3; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 markdown==3.4.1; python_version >= "3.7"
 matrix-nio==0.19.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
-mccabe==0.6.1; python_version >= "3.6"
-more-itertools==8.13.0; python_version >= "3.5"
 multidict==6.0.2; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.7"
-mypy-extensions==0.4.3; python_full_version >= "3.6.2" and python_version >= "3.6"
-mypy==0.971; python_version >= "3.6"
-packaging==21.3; python_version >= "3.6"
-pathspec==0.9.0; python_full_version >= "3.6.2"
-pbr==5.9.0; python_version >= "3.8"
 peewee==3.15.1; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
-platformdirs==2.5.2; python_version >= "3.7" and python_full_version >= "3.6.2"
-pluggy==0.13.1; python_version >= "3.5" and python_full_version < "3.0.0" or python_full_version >= "3.4.0" and python_version >= "3.5"
-py==1.11.0; python_version >= "3.5" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.5"
-pycodestyle==2.8.0; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.6"
 pycparser==2.21; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 pycryptodome==3.15.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 pydantic==1.9.1; python_full_version >= "3.6.1"
-pyflakes==2.4.0; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.4.0" and python_version >= "3.6"
-pyparsing==3.0.9; python_full_version >= "3.6.8" and python_version >= "3.6"
 pyrsistent==0.18.1; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.7"
-pytest==5.4.3; python_version >= "3.5"
 python-dotenv==0.20.0; python_full_version >= "3.6.1" and python_version >= "3.5"
 python-olm==3.1.3; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 python-socks==2.0.3; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
-pyyaml==6.0; python_version >= "3.7"
 six==1.16.0; python_full_version >= "3.6.1" and python_full_version < "4.0.0"
-smmap==5.0.0; python_version >= "3.7"
 sniffio==1.2.0; python_version >= "3.6" and python_full_version >= "3.6.2"
 starlette==0.19.1; python_version >= "3.6" and python_full_version >= "3.6.1"
-stevedore==4.0.0; python_version >= "3.8"
 termcolor==1.1.0
-tomli==2.0.1; python_full_version < "3.11.0a7" and python_full_version >= "3.6.2" and python_version >= "3.7" and python_version < "3.11"
-types-markdown==3.4.0
-types-termcolor==1.1.5
-typing-extensions==4.3.0; python_version >= "3.7" and python_full_version >= "3.6.2" and python_version < "3.10"
+typing-extensions==4.3.0; python_version >= "3.7" and python_full_version >= "3.6.1" and python_version < "3.10"
 unpaddedbase64==2.1.0; python_version >= "3.6" and python_version < "4.0" and python_full_version >= "3.6.1" and python_full_version < "4.0.0"
 uvicorn==0.18.2; python_version >= "3.7"
-wcwidth==0.2.5; python_version >= "3.5"
 yarl==1.7.2; python_full_version >= "3.6.1" and python_full_version < "4.0.0" and python_version >= "3.6"
 zipp==3.8.1; python_version < "3.10" and python_version >= "3.7"