diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f9d46324531b0902876338b1107955fcb66d43fc..372346bd514ffde4d4d9d5584f6f396f5966578e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1 +1,31 @@
-include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
+image: docker:latest
+
+stages:
+  - docker_build
+  - release
+
+services:
+  - docker:dind
+
+variables:
+  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+  RELEASE_TAG: $CI_REGISTRY_IMAGE:latest
+  GIT_SUBMODULE_STRATEGY: recursive
+
+docker_build:
+  stage: docker_build
+  script:
+    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.git.autistici.org
+    - docker build --build-arg ci_token=$CI_JOB_TOKEN --pull -t $IMAGE_TAG .
+    - docker push $IMAGE_TAG
+
+release:
+  stage: release
+  script:
+    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.git.autistici.org
+    - docker pull $IMAGE_TAG
+    - docker tag $IMAGE_TAG $RELEASE_TAG
+    - docker push $RELEASE_TAG
+  only:
+    - master
+
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..b99907bfee5db314ee5c00aa9d38e8361271b7f4
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,10 @@
+FROM debian:buster AS build
+RUN apt-get -q update && env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends build-essential libyara-dev pkg-config golang-go
+
+ADD . /go/src/git.autistici.org/ai3/tools/yarascan
+WORKDIR /go/src/git.autistici.org/ai3/tools/yarascan
+RUN env GOPATH=/go go build -o /yarascan ./cmd/yarascan && strip /yarascan
+
+FROM debian:buster
+RUN apt-get -q update && env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends libyara3
+COPY --from=build /yarascan /usr/bin/yarascan
diff --git a/README.md b/README.md
index 622526b4906cc9dcfc608224a78011e8ad31d297..3418ca319ea51b32d6e0e5055f7975a05c8d2950 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,12 @@ $ go install git.autistici.org/ai3/tools/yarascan/cmd/yarascan
 
 which will install the *yarascan* binary in *$GOPATH/bin*.
 
+## Packages
+
+The *yarascan* tool can be packaged either as a Debian package (it
+requires at least *buster* to build), or as a Docker image. This is
+due to the libyara3 dependency.
+
 # Usage
 
 The *yarascan* utility supports a few different commands. The most