diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..965d793
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,3 @@
+DB_PASSWORD=changeme
+APP_URL=https://app.example.com
+LICENSE_KEY=my.123.key
\ No newline at end of file
diff --git a/.github/workflows/build-worker.yml b/.github/workflows/build-worker.yml
new file mode 100644
index 0000000..1564ead
--- /dev/null
+++ b/.github/workflows/build-worker.yml
@@ -0,0 +1,38 @@
+name: Build and push docker image
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubicloud-standard-8
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: windmill-labs/windmillhub
+          token: ${{ secrets.WINDMILLHUB_GITHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Docker metadata
+        id: metadata
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push privately
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          push: true
+          provenance: false
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: |
+            ${{ steps.metadata.outputs.labels }}
+            org.opencontainers.image.licenses=Windmill-Enterprise-License
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2eea525
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
\ No newline at end of file
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..e705d8f
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,5 @@
+{$BASE_URL} {
+  bind {$ADDRESS}
+  reverse_proxy /* http://hub:3000
+  # tls /certs/cert.pem /certs/key.pem
+}
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..ba95c8e
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,50 @@
+version: '3.7'
+
+services:
+  db:
+    image: postgres:16
+    restart: always
+    volumes:
+      - db_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_DB: windmillhub
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U postgres']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+  hub:
+    image: ghcr.io/windmill-labs/windmillhub-ee:main
+    privileged: true
+    restart: unless-stopped
+    expose:
+      - 3000
+    environment:
+      - DATABASE_URL=postgres://postgres:${DB_PASSWORD}@db/windmillhub?sslmode=disable
+      - PUBLIC_PRIVATE_HUB=true
+      - PUBLIC_APP_URL=${APP_URL}
+      - LICENSE_KEY=${LICENSE_KEY}
+
+    depends_on:
+      db:
+        condition: service_healthy
+  caddy:
+    image: caddy:2.5.2-alpine
+    restart: unless-stopped
+
+    # Configure the mounted Caddyfile and the exposed ports or use another reverse proxy if needed
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
+      # - ./certs:/certs # Provide custom certificate files like cert.pem and key.pem to enable HTTPS - See the corresponding section in the Caddyfile
+    ports:
+      # To change the exposed port, simply change 80:80 to <desired_port>:80. No other changes needed
+      - 80:80
+      # - 443:443 # Uncomment to enable HTTPS handling by Caddy
+    environment:
+      - BASE_URL=":80"
+      # - BASE_URL=":443" # uncomment and comment line above to enable HTTPS via custom certificate and key files
+      # - BASE_URL=hub.example.com # Uncomment and comment line above to enable HTTPS handling by Caddy
+
+volumes:
+  db_data: null