diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..5246e0e
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,74 @@
+#
+# Attempts are made to follow the guidelines at
+# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
+#
+
+FROM library/ubuntu:16.04
+
+# If there are security updates for any of the packages we install,
+# bump the date in this environment variable to invalidate the Docker
+# build cache and force installation of the new packages. Otherwise,
+# Docker's image/layer cache may prevent the security update from
+# being retrieved.
+ENV SECURITY_UPDATES="2017-15-01"
+
+# Tell apt/dpkg/debconf that we're non-interactive so it won't write
+# annoying warnings as it installs the software we ask for. Making
+# this an `ARG` sets it in the environment for the duration of the
+# _build_ only - preventing this from having any effect on a container
+# running this image (which shouldn't really be installing more
+# software but who knows...).
+ARG DEBIAN_FRONTEND=noninteractive
+
+# We'll do an upgrade because the base Ubuntu image isn't guaranteed
+# to include the latest security updates. This is counter to best
+# practice recommendations but security updates are important.
+RUN apt-get --quiet update && \
+ apt-get --quiet install -y unattended-upgrades && \
+ unattended-upgrade --minimal_upgrade_steps && \
+rm -rf /var/lib/apt/lists/*
+
+RUN apt-get --quiet update && apt-get --quiet install -y \
+ python-dev \
+ libffi-dev \
+ openssl \
+ libssl-dev \
+ \
+ python-virtualenv \
+&& rm -rf /var/lib/apt/lists/*
+
+# Create a virtualenv into which to install magicwormhole in to.
+RUN virtualenv /app/env
+
+# Get a newer version of pip.
+RUN /app/env/bin/pip install --upgrade pip
+
+# Create the website account, the user as which the infrastructure
+# server will run.
+ENV WORMHOLE_USER_NAME="wormhole"
+
+# Force the allocated user to uid 1000 because we hard-code 1000
+# below.
+RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"
+
+# Run the application with this working directory.
+WORKDIR /app/run
+
+# And give it to the user the application will run as.
+RUN chown ${WORMHOLE_USER_NAME} /app/run
+
+# Facilitate network connections to the application.
+EXPOSE 4000
+
+# Put the source somewhere pip will be able to see it.
+ADD . /src
+
+# Get the app we want to run!
+RUN /app/env/bin/pip install /src
+
+# Switch to a non-root user.
+USER 1000
+
+CMD /app/env/bin/wormhole-server start \
+ --rendezvous tcp:4000 \
+ --no-daemon
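Review bot: The shell-form `CMD` at the end of the hunk runs wormhole-server as a child of `/bin/sh -c`, so it is not PID 1 and does not receive the SIGTERM that `docker stop` sends; the server is killed after the grace period instead of shutting down cleanly, and signal handling should use exec form: `CMD ["/app/env/bin/wormhole-server", "start", "--rendezvous", "tcp:4000", "--no-daemon"]`. `ADD . /src` copies the entire build context, including `.git` and any local config or credential files, into an image layer that persists even though only the installed package is used afterwards; `COPY . /src` paired with a `.dockerignore` limits what ends up in the layer. The cache-busting `ENV SECURITY_UPDATES="2017-15-01"` is not a valid date (month 15) and, as an `ENV`, leaks into the running container's environment; declaring it with `ARG` would bust the cache equally well without reaching runtime, matching how `DEBIAN_FRONTEND` is handled a few lines later. `pip install --upgrade pip` and the base `ubuntu:16.04` tag are unpinned, so the same Dockerfile can produce different images over time, which works against the stated goal of reproducible security updates.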