diff --git a/Dockerfile b/Dockerfile
index 19c484fe9bb0f75d85cb480539d2f53b59bb9c85..255f4f56b883468cca302aee40e91fd94c3661a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,26 +5,36 @@ FROM golang:alpine as server-builder
 WORKDIR /server
 RUN apk update && apk upgrade && \
- apk add --no-cache bash git openssh build-base
+ apk add --no-cache bash git openssh build-base && \
+ apk add --no-cache git ca-certificates tzdata libcap mailcap && \
+ update-ca-certificates
 ADD . .
 RUN go get -d -v && \
 go test ./... && \
 go build -o server
-# Running...
-
-FROM alpine
-WORKDIR /app
+RUN setcap cap_net_bind_service=+ep server
-RUN apk update && apk add ca-certificates libcap
-# RUN apk --no-cache add ca-certificates
-# ca-certificates for autocert (Let's Encrypt) and mailcap to get mime types for downloaded documents
+# Running...
+FROM scratch
-RUN echo "hosts: files dns" > /etc/nsswitch.conf
+WORKDIR /app
 COPY --from=server-builder /server/server /app
-
-RUN setcap cap_net_bind_service=+ep server
+COPY --from=server-builder /usr/share/zoneinfo /usr/share/zoneinfo
+COPY --from=server-builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=server-builder /etc/passwd /etc/passwd
+COPY --from=server-builder /etc/group /etc/group
+COPY --from=server-builder /etc/mime.types /etc/mime.types
+
+# Copy static executable and application resources
+COPY --from=server-builder /server/server /app/server
+COPY --from=server-builder /server/dev_certificates /app/dev_certificates
+COPY --from=server-builder /server/web /app/web
+COPY --from=server-builder /server/configs /app/configs
+
+# Use an unprivileged user.
+USER appuser:appuser
 ENTRYPOINT [ "./server"]
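Review bot: `USER appuser:appuser` names an account that nothing in the visible builder stage creates, yet the final stage takes its `/etc/passwd` and `/etc/group` from that builder. On `scratch` the name can only be resolved through those two copied files, so unless the user is added above the hunk (the builder stage starts there) the container will presumably fail at start instead of running unprivileged. Adding `RUN adduser -D -H -u 10001 appuser` (UID is an example value) to the builder stage before the `FROM scratch` line would put the entry into the files that get copied. Separately, `/server/dev_certificates` is now copied into the runtime image; if that directory holds private keys they are readable by anyone who can pull the image, so it is worth confirming it is meant to ship.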