diff --git a/.dockerignore b/.dockerignore
index e8639ce94..3574dd55f 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -9,6 +9,7 @@
 !src/NadekoBot.Generators/**
 # Use Ayu stuff
 !src/ayu/**
+!docker-entrypoint.sh
 
 # ignore bin and obj folders in projects
 src/**/bin/*
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5bb954008..cd5ffeefd 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -95,4 +95,31 @@ upload-windows-updater-release:
     - sed -i "s/_VERSION_/$CI_COMMIT_TAG/g" releases-v3.json
     - aws --version
     - aws --endpoint-url $AWS_SERVICE_URL s3api put-object --bucket "$AWS_BUCKET_NAME" --key "dl/bot/$INSTALLER_FILE_NAME" --acl public-read --body "$INSTALLER_OUTPUT_DIR/$INSTALLER_FILE_NAME"
-    - aws --endpoint-url $AWS_SERVICE_URL s3api put-object --bucket "$AWS_BUCKET_NAME" --key "dl/bot/releases-v3.json" --acl public-read --body "releases-v3.json"
\ No newline at end of file
+    - aws --endpoint-url $AWS_SERVICE_URL s3api put-object --bucket "$AWS_BUCKET_NAME" --key "dl/bot/releases-v3.json" --acl public-read --body "releases-v3.json"
+
+docker-build:
+  # Use the official docker image.
+  image: docker:latest
+  stage: build
+  services:
+    - docker:dind
+  before_script:
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  # Default branch leaves tag empty (= latest tag)
+  # All other branches are tagged with the escaped branch name (commit ref slug)
+  script:
+    - |
+      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
+        tag=""
+        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
+      else
+        tag=":$CI_COMMIT_REF_SLUG"
+        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
+      fi
+    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
+    - docker push "$CI_REGISTRY_IMAGE${tag}"
+  # Run this job in a branch where a Dockerfile exists
+  rules:
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - Dockerfile
diff --git a/Dockerfile b/Dockerfile
index 63217e263..472409ee2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:5.0-buster-slim AS build
 WORKDIR /source
 
 COPY src/NadekoBot/*.csproj src/NadekoBot/
@@ -9,14 +9,33 @@ RUN dotnet restore src/NadekoBot/
 
 COPY . .
 WORKDIR /source/src/NadekoBot
-RUN dotnet --version
-RUN dotnet publish -c Release -o /app --no-restore
+RUN set -xe; \
+    dotnet --version; \
+    dotnet publish -c Release -o /app --no-restore; \
+    mv /app/data /app/data_init; \
+    rm -Rf libopus* libsodium* opus.* runtimes/win* runtimes/osx* runtimes/linux-arm* runtimes/linux-mips*; \
+    find /app -type f -exec chmod -x {} \; ;\
+    chmod +x /app/NadekoBot
 
 # final stage/image
-FROM mcr.microsoft.com/dotnet/runtime:5.0
+FROM mcr.microsoft.com/dotnet/runtime:5.0-buster-slim
+WORKDIR /app
+
+RUN set -xe; \
+    useradd -m nadeko; \
+    apt-get update; \
+    apt-get install -y libopus0 libsodium23 libsqlite3-0 curl ffmpeg python3 sudo; \
+    update-alternatives --install /usr/bin/python python /usr/bin/python3.7 1; \
+    echo 'Defaults>nadeko env_keep+="ASPNETCORE_* DOTNET_* NadekoBot_* shard_id total_shards TZ"' > /etc/sudoers.d/nadeko; \
+    curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl; \
+    chmod +x /usr/local/bin/youtube-dl
+
+COPY --from=build /app ./
+COPY docker-entrypoint.sh /usr/local/sbin
+
 ENV shard_id=0
 ENV total_shards=1
-WORKDIR /app
-COPY --from=build /app ./
-VOLUME [ "app/data", "app/creds.yml", "app/creds_example.yml" ]
-ENTRYPOINT dotnet NadekoBot.dll "$shard_id" "$total_shards"
\ No newline at end of file
+
+VOLUME [ "app/data" ]
+ENTRYPOINT [ "/usr/local/sbin/docker-entrypoint.sh" ]
+CMD dotnet NadekoBot.dll "$shard_id" "$total_shards"
\ No newline at end of file
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 000000000..3ea89cd1d
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e;
+
+data_init=/app/data_init
+data=/app/data
+
+# populate /app/data if empty
+for i in $(ls $data_init)
+do
+    if [ ! -e "$data/$i" ]; then
+        [ -f "$data_init/$i" ] && cp "$data_init/$i" "$data/$i"
+        [ -d "$data_init/$i" ] && cp -r "$data_init/$i" "$data/$i"
+    fi
+done
+
+# fix folder permissions
+chown -R nadeko:nadeko "$data"
+
+# drop to regular user and launch command
+exec sudo -u nadeko "$@"
\ No newline at end of file