diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4ba9fc2..b827ec6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -63,3 +63,12 @@ jobs:
         run: sudo sysctl vm.overcommit_memory=1
 
       - run: cargo test --all-features
+
+  docker:
+    name: docker build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Build Docker image
+        run: docker build .
diff --git a/Dockerfile b/Dockerfile
index 45d532a..6442571 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,24 +1,25 @@
-FROM dhi.io/rust:1.92-alpine3.22-dev AS build
+FROM debian:13
+USER root
 
-RUN apk add --no-cache openssl-dev pkgconfig file make git openssl-libs-static
+# `-` is reserved by deb maintainer, should use '~' instead
+# If no version is specified, the latest available version will be installed
+ARG version
 
-WORKDIR /build
+RUN useradd --create-home --shell /bin/false ds_proxy
 
-RUN --mount=type=bind,source=src,target=src \
-    --mount=type=bind,source=Cargo.toml,target=Cargo.toml \
-    --mount=type=bind,source=Cargo.lock,target=Cargo.lock \
-    --mount=type=bind,source=build.rs,target=build.rs \
-    --mount=type=cache,target=/build/target/ \
-    --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/usr/local/cargo/registry/ \
-    cargo build --locked --release && \
-    cp /build/target/release/ds_proxy /build/ds_proxy
+# Add DS/DN repo
+RUN apt-get update && apt-get -y install curl gpg \
+    && curl -sS https://demarche.numerique.gouv.fr/packages.demarche.numerique.gouv.fr.gpg | gpg --dearmor -o /usr/share/keyrings/packages.demarche.numerique.gouv.fr.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/packages.demarche.numerique.gouv.fr.gpg] http://packages.demarche.numerique.gouv.fr/jammy/ /" > /etc/apt/sources.list.d/packages_demarche_numerique_gouv_fr_jammy.list \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ca-certificates \
+    && apt-get -y install ds-proxy${version:+=${version}} \
+    && apt-get remove --purge -y curl gpg \
+    && apt-get autoremove -y \
+    && apt-get clean
 
-
-FROM dhi.io/alpine-base:3.22 AS production
-
-COPY --from=build --chown=nonroot:nonroot /build/ds_proxy /dsproxy/ds_proxy
+USER ds_proxy
 
 EXPOSE 4444
 
-ENTRYPOINT ["/dsproxy/ds_proxy"]
\ No newline at end of file
+ENTRYPOINT ["/usr/bin/ds_proxy"]
diff --git a/Dockerfile_from_deb b/Dockerfile_from_deb
deleted file mode 100644
index c87c476..0000000
--- a/Dockerfile_from_deb
+++ /dev/null
@@ -1,17 +0,0 @@
-FROM debian:13
-USER root
-
-# Add DS/DN repo
-RUN apt-get update && apt-get -y install curl gpg \
-    && curl -sS http://packages.demarches-simplifiees.fr/KEY.gpg | gpg --dearmor -o /usr/share/keyrings/demarches-simplifiees.gpg \
-    && echo "deb [signed-by=/usr/share/keyrings/demarches-simplifiees.gpg] http://packages.demarches-simplifiees.fr/jammy /" > /etc/apt/sources.list.d/packages_demarches_simplifiees_fr_jammy.list \
-    && apt-get update && apt-get -y install ds-proxy \
-    && adduser --disabled-password --gecos "" ds_proxy \
-    && apt-get remove --purge -y curl gpg \
-    && apt-get clean
-
-USER ds_proxy
-
-EXPOSE 4444
-
-ENTRYPOINT ["/usr/bin/ds_proxy"]
diff --git a/Dockerfile_from_sources b/Dockerfile_from_sources
new file mode 100644
index 0000000..45d532a
--- /dev/null
+++ b/Dockerfile_from_sources
@@ -0,0 +1,24 @@
+FROM dhi.io/rust:1.92-alpine3.22-dev AS build
+
+RUN apk add --no-cache openssl-dev pkgconfig file make git openssl-libs-static
+
+WORKDIR /build
+
+RUN --mount=type=bind,source=src,target=src \
+    --mount=type=bind,source=Cargo.toml,target=Cargo.toml \
+    --mount=type=bind,source=Cargo.lock,target=Cargo.lock \
+    --mount=type=bind,source=build.rs,target=build.rs \
+    --mount=type=cache,target=/build/target/ \
+    --mount=type=cache,target=/usr/local/cargo/git/db \
+    --mount=type=cache,target=/usr/local/cargo/registry/ \
+    cargo build --locked --release && \
+    cp /build/target/release/ds_proxy /build/ds_proxy
+
+
+FROM dhi.io/alpine-base:3.22 AS production
+
+COPY --from=build --chown=nonroot:nonroot /build/ds_proxy /dsproxy/ds_proxy
+
+EXPOSE 4444
+
+ENTRYPOINT ["/dsproxy/ds_proxy"]
\ No newline at end of file
diff --git a/build.rs b/build.rs
index 80e9cb2..fd6e30c 100644
--- a/build.rs
+++ b/build.rs
@@ -8,6 +8,24 @@ fn main() {
         .args(["rev-parse", "HEAD"])
         .output()
         .unwrap();
-    let git_hash = String::from_utf8(output.stdout).unwrap();
-    println!("cargo:rustc-env=GIT_HASH={}", git_hash);
+    let git_hash = String::from_utf8(output.stdout).unwrap().trim().to_string();
+
+    let tag = Command::new("git")
+        .args(["describe", "--tags", "--exact-match", "HEAD"])
+        .output()
+        .ok()
+        .and_then(|o| {
+            if o.status.success() {
+                Some(String::from_utf8(o.stdout).unwrap().trim().to_string())
+            } else {
+                None
+            }
+        });
+
+    let version = match tag {
+        Some(t) => format!("{} {}", t, git_hash),
+        None => git_hash,
+    };
+
+    println!("cargo:rustc-env=GIT_HASH={}", version);
 }