diff --git a/.gitea/workflows/build-builder-docker.yml b/.gitea/workflows/build-builder-docker.yml
new file mode 100644
index 0000000..cc6de5b
--- /dev/null
+++ b/.gitea/workflows/build-builder-docker.yml
@@ -0,0 +1,22 @@
+name: Build and Push Builder Image
+
+# Trigger this workflow when we change the Dockerfile
+on:
+ push:
+ paths:
+ - 'docker/Dockerfile'
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - name: Login to Gitea Container Registry
+ run: docker login git.dws.rip -u ${{ gitea.actor }} -p ${{ secrets.GLOBAL_TOKEN }}
+ - name: Build and Push Image
+ run: |
+ IMAGE_TAG="git.dws.rip/dws/chrony-builder:latest"
+ docker build -t $IMAGE_TAG -f docker/Dockerfile .
+ docker push $IMAGE_TAG
diff --git a/.gitea/workflows/build-debian.yml b/.gitea/workflows/build-debian.yml
index ec67d26..d5155fc 100644
--- a/.gitea/workflows/build-debian.yml
+++ b/.gitea/workflows/build-debian.yml
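Review bot: The login step passes the registry token as `-p ${{ secrets.GLOBAL_TOKEN }}`, which puts it on the docker command line (visible in the process list) and splices it into the script text before the shell runs. Pass it through the step environment and stdin instead: `env: REGISTRY_TOKEN: ${{ secrets.GLOBAL_TOKEN }}` with `run: echo "$REGISTRY_TOKEN" | docker login git.dws.rip -u "${{ gitea.actor }}" --password-stdin`. The same pattern applies to the `Authorization: token ${{ secrets.GITEA_TOKEN }}` header in the upload step of build-debian.yml. Separately, `on: push: paths:` has no branch filter, so a push to any branch that touches docker/Dockerfile replaces `chrony-builder:latest`, the image the release job later runs with the signing key; a `branches:` filter would narrow that.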
@@ -13,46 +13,36 @@ on: jobs: build-and-upload-deb: - runs-on: ubuntu-24.04 - + runs-on: ubuntu:latest + container: + image: git.dws.rip/dws/chrony-builder:latest steps: - name: Get Build Version run: | if [[ "${{ gitea.event_name }}" == "push" ]]; then TRIGGER_TAG="${{ gitea.ref_name }}" - echo "Triggered by tag push: $TRIGGER_TAG" elif [[ "${{ gitea.event_name }}" == "workflow_dispatch" ]]; then TRIGGER_TAG="${{ inputs.tag }}" - echo "Triggered by manual dispatch: $TRIGGER_TAG" fi - if [ -z "$TRIGGER_TAG" ]; then - echo "Error: Could not determine tag name." - exit 1 - fi - - # The upstream chrony mirror uses "4.7", but our builder repo uses "v4.7". - # We strip the "v" to get the tag name for the mirror. UPSTREAM_TAG=$(echo $TRIGGER_TAG | sed 's/^v//') echo "Builder Tag: $TRIGGER_TAG" echo "Upstream Tag: $UPSTREAM_TAG" - - echo "TRIGGER_TAG=${TRIGGER_TAG}" >> $GITEA_ENV echo "UPSTREAM_TAG=${UPSTREAM_TAG}" >> $GITEA_ENV - + shell: bash # Explicitly use bash - name: Clone Chrony Source Code run: | + # git is already installed in our container! git clone https://git.dws.rip/dws/chrony.git - cd chrony + cd chrony-mirror echo "Checking out upstream tag: ${{ env.UPSTREAM_TAG }}" git checkout ${{ env.UPSTREAM_TAG }} - - name: Install Build Dependencies - run: | - sudo apt-get update - cd chrony - sudo apt-get install -y dpkg-dev debhelper devscripts build-essential - sudo apt-get build-dep -y . - + shell: bash - name: Import GPG Key + run: | + apt-get update + apt-get install -y gpg gpg-agent + shell: bash + - name: Import GExample GPG uses: https://github.com/crazy-max/ghaction-import-gpg@v6 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} 
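Review bot: The `if [ -z "$TRIGGER_TAG" ]` guard is removed, so a run where neither branch sets the tag continues with an empty `UPSTREAM_TAG`, and `git checkout` with no argument would presumably leave the clone on its default branch, which then gets built, signed and uploaded. Keep the guard: `if [ -z "$TRIGGER_TAG" ]; then echo "Error: Could not determine tag name."; exit 1; fi`. The clone step also runs `git clone https://git.dws.rip/dws/chrony.git` and then `cd chrony-mirror`, but that clone creates `chrony`, so the line should stay `cd chrony` (or the clone should name its target directory); the build step in the next hunk has the same `cd chrony-mirror`. Since this job imports `GPG_PRIVATE_KEY`, consider referencing the container image by digest rather than `:latest`. The import step's `with:` block continues past the end of the hunk.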
@@ -63,22 +53,25 @@ jobs: - name: Build the SIGNED .deb Package run: | - cd chrony + cd chrony-mirror + # dpkg-buildpackage is already installed! dpkg-buildpackage --unsigned-source -b + shell: bash - name: Upload to Gitea Debian Registry run: | - # --- Set your Gitea variables --- OWNER=dws DEBIAN_DIST=noble DEBIAN_COMP=main - # Find the .changes file (it's in the parent dir of chrony-mirror) + # curl is already installed! CHANGES_FILE=$(find . -maxdepth 1 -name "*.changes" | head -n 1) if [ -z "$CHANGES_FILE" ]; then - echo "Error: No .changes file found. Build may have failed." + echo "Error: No .changes file found." exit 1 fi + echo "Uploading $CHANGES_FILE..." curl -L --fail \ -X POST "https://git.dws.rip/api/packages/${OWNER}/debian/upload/${DEBIAN_DIST}/${DEBIAN_COMP}" \ -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \ -F "file=@${CHANGES_FILE}" + shell: bash diff --git a/docker/Dockerfile b/docker/Dockerfile new file mode 100644 index 0000000..f8a6340 --- /dev/null +++ b/docker/Dockerfile @@ -0,0 +1,24 @@ +# Start from the same base as our target +FROM ubuntu:24.04 + +# Set non-interactive mode for apt to prevent it from asking questions +ENV DEBIAN_FRONTEND=noninteractive + +# Update, install build tools, and install chrony's specific build-deps +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + debhelper \ + devscripts \ + dpkg-dev \ + git \ + curl \ + gnupg \ + # Chrony's specific dependencies (from its debian/control file) + libcap-dev \ + libedit-dev \ + libgnutls28-dev \ + libnss3-dev \ + libseccomp-dev \ + # Clean up apt cache + && rm -rf /var/lib/apt/lists/*
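Review bot: The upload step posts only the file matched by `*.changes`, which is the build manifest; nothing in the hunk uploads the `.deb` it lists, so unless the endpoint accepts a manifest on its own (not visible here) the package itself is never published. The removed comment was the only hint for why `find . -maxdepth 1` works from the workspace root; I would keep it as `# dpkg-buildpackage writes its output to the parent of the source dir, i.e. the workspace root`. The step name says SIGNED while the command is `dpkg-buildpackage --unsigned-source -b`, so a short comment stating which artifact actually carries the signature would help whoever verifies the release.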
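Review bot: `FROM ubuntu:24.04` is a mutable tag, so each rebuild of the builder image can pull different base contents without any change in this repository. As the image is used by the job that signs releases, pin it as `FROM ubuntu:24.04@sha256:<digest-placeholder>` and update the digest deliberately. `apt-get install -y` without `--no-install-recommends` also pulls in recommended packages the build may not need. The image installs `gnupg`, yet build-debian.yml still runs `apt-get install -y gpg gpg-agent` at job time; adding `gpg-agent` here would let the release job run without fetching packages.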