diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index fc003784..d50b6255 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -4,21 +4,24 @@ on:
 push:
 tags:
 - "*"
+ workflow_dispatch:
 jobs:
 deployment:
+ permissions:
+ packages: write
 environment: deploy
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
 with:
 node-version: 16
 - name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
 with:
 java-version: 11
 distribution: 'temurin'
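Review bot: Adding a job-level `permissions:` block with only `packages: write` resets every other `GITHUB_TOKEN` scope for the `deployment` job to none, including `contents`, yet the release-asset step later in this file (the `asset_path`/`asset_name` lines visible as context in the last hunk) presumably uploads with that token and needs `contents: write`. If it does, the block should read `permissions:` / `contents: write` / `packages: write`, otherwise the job will fail at the upload step on the next tag. The bumped `uses:` references (`actions/checkout@v4`, `actions/setup-node@v4`, `actions/setup-java@v4`) are still mutable major-version tags, and they now sit in a job that can push packages and be started manually via `workflow_dispatch`. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, keeps a moved tag from changing what the deploy job runs; the same applies to `actions/cache@v4` in the next hunk and to the `docker/*` actions in the last hunk of this file.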
@@ -27,21 +30,28 @@ jobs:
 server-username: MAVEN_USERNAME
 server-password: MAVEN_PASSWORD
 - name: Set up cache
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.m2/repository
 key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
 restore-keys: |
 ${{ runner.os }}-maven-
- - name: Extract Maven project version
- run: echo ::set-output name=version::$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
- id: project
- - name: Check if git tag matches project version
+ - name: Determine the version
+ run: echo "version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)" >> $GITHUB_OUTPUT
+ id: versioncheck
+
+ - name: Exit when workflow_dispatch is triggered, and the version does not contain SNAPSHOT in it's name
 run: |
- echo "Project version ${{ steps.project.outputs.version }} does not match git tag ${{ github.ref_name }}"
+ echo "Only SNAPSHOT releases can be triggered with the workflow_dispatch"
 exit 1
- if: ${{ steps.project.outputs.version != github.ref_name }}
+ if: github.event_name == 'workflow_dispatch' && ( !endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT'))
+
+ - name: Exit when a production build is triggered, and the github tag is not the same as the version in pom.xml
+ run: |
+ echo "Project version ${{ steps.versioncheck.outputs.version }} does not match git tag ${{ github.ref_name }}"
+ exit 1
+ if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name
 - name: Deploy with Maven
 run: mvn --batch-mode deploy -DskipTests
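Review bot: The new `Determine the version` step writes whatever `mvn -q … exec:exec` printed into `$GITHUB_OUTPUT` without checking that the command succeeded: under `-q` a failed Maven run prints nothing, the `echo` itself exits 0, and `version` becomes an empty string that both guard steps below then compare against. Capturing the value first and failing on an empty result, `version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)` followed by `echo "version=${version:?could not read project version}" >> "$GITHUB_OUTPUT"`, makes that failure explicit and also quotes the output-file path. Both guards assume `github.ref_name` is a tag; on a `workflow_dispatch` run it is a branch name, and the later steps that build asset names from `github.ref_name` (outside this hunk) may not expect that, so it is worth confirming they are skipped or guarded on manual runs.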
@@ -115,3 +125,86 @@ jobs:
 asset_path: /home/runner/work/OpenConext-myconext/OpenConext-myconext/myconext-server/target/myconext-server-${{ github.ref_name }}.jar
 asset_name: myconext-server-${{ github.ref_name }}.jar
 asset_content_type: application/zip
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for MyConext GUI Docker
+ id: meta_account_gui
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/openconext/openconext-myconext/myconext-gui
+ flavor: |
+ latest=false
+ tags: |
+ type=ref,event=tag
+ type=raw,event=tag,value=latest
+ type=raw,event=workflow_dispatch,value=snapshot
+ type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }}
+ type=sha
+
+ - name: Extract metadata (tags, labels) for acount GUI Docker
+ id: meta_server_gui
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/openconext/openconext-myconext/account-gui
+ flavor: |
+ latest=false
+ tags: |
+ type=ref,event=tag
+ type=raw,event=tag,value=latest
+ type=raw,event=workflow_dispatch,value=snapshot
+ type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }}
+ type=sha
+
+ - name: Extract metadata (tags, labels) for Server Docker
+ id: meta_server
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/openconext/openconext-myconext/myconext-server
+ flavor: |
+ latest=false
+ tags: |
+ type=ref,event=tag
+ type=raw,event=tag,value=latest
+ type=raw,event=workflow_dispatch,value=snapshot
+ type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }}
+ type=sha
+
+
+ - name: Build and push the account gui image
+ uses: docker/build-push-action@v5
+ with:
+ context: account-gui
+ file: account-gui/docker/Dockerfile
+ platforms: linux/amd64
+ push: true
+ tags: ${{ 
steps.meta_account_gui.outputs.tags }}
+ labels: ${{ steps.meta_account_gui.outputs.labels }}
+
+ - name: Build and push the myconext gui image
+ uses: docker/build-push-action@v5
+ with:
+ context: myconext-gui
+ file: myconext-gui/docker/Dockerfile
+ platforms: linux/amd64
+ push: true
+ tags: ${{ steps.meta_server_gui.outputs.tags }}
+ labels: ${{ steps.meta_server_gui.outputs.labels }}
+
+ - name: Build and push the server image
+ uses: docker/build-push-action@v5
+ with:
+ context: myconext-server
+ file: myconext-server/docker/Dockerfile
+ platforms: linux/amd64
+ push: true
+ tags: ${{ steps.meta_server.outputs.tags }}
+ labels: ${{ steps.meta_server.outputs.labels }}
diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile
new file mode 100644
index 00000000..815fb316
--- /dev/null
+++ b/account-gui/docker/Dockerfile
@@ -0,0 +1,3 @@
+FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
+COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf
+COPY ./build/ /var/www/
diff --git a/account-gui/docker/conf/000-default.conf b/account-gui/docker/conf/000-default.conf
new file mode 100644
index 00000000..d6a38e6a
--- /dev/null
+++ b/account-gui/docker/conf/000-default.conf
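Review bot: The metadata and build steps are cross-wired: `id: meta_account_gui` is given `images: ghcr.io/openconext/openconext-myconext/myconext-gui` while `id: meta_server_gui` is given `…/account-gui`, and `Build and push the account gui image` (context `account-gui`) then consumes `steps.meta_account_gui.outputs.tags`, so the account-gui Dockerfile is pushed under the `myconext-gui` name and the myconext-gui build under `account-gui`. The smallest fix is to swap the two `images:` values so each id names the image its build step produces, `images: ghcr.io/openconext/openconext-myconext/account-gui` under `meta_account_gui` and `…/myconext-gui` under `meta_server_gui`, and to rename `meta_server_gui` to something like `meta_myconext_gui` so the ids read the same as the step names. Separately, `type=raw,event=workflow_dispatch,value=snapshot` is a mutable tag that any manual run from any branch can overwrite, so deployments should reference the image by digest or by the `type=sha` tag rather than by `snapshot`.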
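Review bot: `FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest` floats on a mutable tag, so each release build silently picks up whatever the base image is at that moment and two builds of the same source can differ. Pin the base to a digest, `FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest@sha256:<digest-placeholder>`, and let a dependency bot bump the digest. The same floating tag is used in `myconext-gui/docker/Dockerfile` further down, and `myconext-server/docker/Dockerfile` uses the moving `eclipse-temurin:11-jdk-alpine` tag.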
@@ -0,0 +1,59 @@
+ServerName https://${HTTPD_SERVERNAME}
+RewriteEngine on
+RewriteCond %{REQUEST_URI} !\.html$
+RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+RewriteCond %{REQUEST_URI} !\.svg$
+RewriteCond %{REQUEST_URI} !\.png$
+RewriteCond %{REQUEST_URI} !\.ico$
+RewriteCond %{REQUEST_URI} !\.woff$
+RewriteCond %{REQUEST_URI} !\.woff2$
+RewriteCond %{REQUEST_URI} !\.ttf$
+RewriteCond %{REQUEST_URI} !\.eot$
+RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+RewriteCond %{REQUEST_URI} !^/myconext
+RewriteCond %{REQUEST_URI} !^/mobile
+RewriteCond %{REQUEST_URI} !^/tiqr
+RewriteCond %{REQUEST_URI} !^/config
+RewriteCond %{REQUEST_URI} !^/register
+RewriteCond %{REQUEST_URI} !^/doLogin
+RewriteCond %{REQUEST_URI} !^/doLogout
+RewriteCond %{REQUEST_URI} !^/create-from-institution-login
+RewriteCond %{REQUEST_URI} !^/saml
+RewriteCond %{REQUEST_URI} !^/actuator
+RewriteCond %{REQUEST_URI} !^/internal
+RewriteCond %{REQUEST_URI} !^/fonts
+RewriteCond %{REQUEST_URI} !^/.well-known
+RewriteRule (.*) /index.html [L]
+
+ProxyPass /myconext/api http://myconext:8080/myconext/api retry=0
+ProxyPassReverse /myconext/api http://myconext:8080/myconext/api
+
+ProxyPass /mobile http://myconext:8080/mobile retry=0
+ProxyPassReverse /mobile http://myconext:8080/mobile
+
+ProxyPass /tiqr http://myconext:8080/tiqr retry=0
+ProxyPassReverse /tiqr http://myconext:8080/tiqr
+
+ProxyPass /saml/guest-idp http://myconext:8080/saml/guest-idp retry=0
+ProxyPassReverse /saml/guest-idp http://myconext:8080/saml/guest-idp
+
+ProxyPass /actuator http://myconext:8080/internal retry=0
+ProxyPass /internal http://myconext:8080/internal retry=0
+ProxyPass /config http://myconext:8080/config retry=0
+ProxyPass /register http://myconext:8080/register retry=0
+ProxyPass /doLogin http://myconext:8080/doLogin retry=0
+ProxyPass /doLogout http://myconext:8080/doLogout retry=0
+ProxyPass /create-from-institution-login http://myconext:8080/create-from-institution-login retry=0
+
+DocumentRoot 
"/var/www" + + + Require all granted + Options -Indexes + + +Header always set X-Frame-Options "DENY" +Header always set Referrer-Policy "same-origin" +Header always set X-Content-Type-Options "nosniff" + + diff --git a/myconext-gui/docker/Dockerfile b/myconext-gui/docker/Dockerfile new file mode 100644 index 00000000..a46e57c8 --- /dev/null +++ b/myconext-gui/docker/Dockerfile @@ -0,0 +1,4 @@ +FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest +COPY ./build/ /var/www/ +COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf + diff --git a/myconext-gui/docker/conf/000-default.conf b/myconext-gui/docker/conf/000-default.conf new file mode 100644 index 00000000..e810606b --- /dev/null +++ b/myconext-gui/docker/conf/000-default.conf 
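Review bot: `ProxyPass /actuator http://myconext:8080/internal retry=0` and `ProxyPass /internal http://myconext:8080/internal retry=0` publish the backend's management endpoints through the public vhost, and the `RewriteCond %{REQUEST_URI} !^/actuator` / `!^/internal` exclusions make sure those requests are not swallowed by the SPA rewrite; no access restriction for those two paths is visible in the hunk as rendered. Unless the backend authenticates them itself, put them in a location block with `Require ip <internal-range-placeholder>` (or drop the `/actuator` alias, since `/internal` already reaches the same upstream) so health and management data stay reachable only from the monitoring network. The same pair of proxy lines appears in `myconext-gui/docker/conf/000-default.conf` in the next hunk. `RewriteCond %{REQUEST_URI} !^/.well-known` also leaves the `.` unescaped; `!^/\.well-known` is what is meant.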
@@ -0,0 +1,87 @@ +ServerName https://${HTTPD_SERVERNAME} +RewriteEngine on + +RewriteCond %{REQUEST_URI} !\.html$ +RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ +RewriteCond %{REQUEST_URI} !\.svg$ +RewriteCond %{REQUEST_URI} !\.png$ +RewriteCond %{REQUEST_URI} !\.ico$ +RewriteCond %{REQUEST_URI} !\.woff$ +RewriteCond %{REQUEST_URI} !\.woff2$ +RewriteCond %{REQUEST_URI} !\.ttf$ +RewriteCond %{REQUEST_URI} !\.eot$ +RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ +RewriteCond %{REQUEST_URI} !^/myconext +RewriteCond %{REQUEST_URI} !^/tiqr +RewriteCond %{REQUEST_URI} !^/actuator +RewriteCond %{REQUEST_URI} !^/internal +RewriteCond %{REQUEST_URI} !^/config +RewriteCond %{REQUEST_URI} !^/login +RewriteCond %{REQUEST_URI} !^/startSSO +RewriteCond %{REQUEST_URI} !^/fonts +RewriteCond %{REQUEST_URI} !^/.well-known +RewriteRule (.*) /index.html [L] + +ProxyPass /Shibboleth.sso ! + +ProxyPass /myconext/api http://myconext:8080/myconext/api +ProxyPassReverse /myconext/api http://myconext:8080/myconext/api + +ProxyPass /tiqr http://myconext:8080/tiqr +ProxyPassReverse /tiqr http://myconext:8080/tiqr + +ProxyPass /internal http://myconext:8080/internal +ProxyPass /actuator http://myconext:8080/internal +ProxyPass /login http://myconext:8080/login +ProxyPass /startSSO http://myconext:8080/startSSO +ProxyPass /config http://myconext:8080/config + + + AuthType shibboleth + ShibUseHeaders On + ShibRequireSession On + Require valid-user + + +DocumentRoot "/var/www" + + + Require all granted + Options -Indexes + + +# Public endpoints + + Require all granted + + +# After logout / delete + + Require all granted + + + + Require all granted + + + + Require all granted + + +# Svelte resources + + Require all granted + + + + Require all granted + + + + Require all granted + + +Header always set X-Frame-Options "DENY" +Header always set Referrer-Policy "same-origin" +Header always set X-Content-Type-Options "nosniff" + 
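Review bot: `ShibUseHeaders On` passes Shibboleth attributes to the backend as ordinary request headers, which is only safe when the proxied paths that are not behind `AuthType shibboleth` cannot carry client-supplied headers with the same names; mod_shib clears the headers it manages only on requests it handles, and here `/myconext/api`, `/tiqr`, `/startSSO` and `/config` are proxied with no Shibboleth requirement visible (the location block holding `Require valid-user` is not fully visible in the hunk as rendered). Either clear those headers on the unprotected proxied paths, e.g. `RequestHeader unset <attribute-header-placeholder>` inside each such location, or confirm that the backend reads attribute headers only on the endpoint that sits behind `Require valid-user`. Unlike the account-gui vhost, these `ProxyPass` lines also omit `retry=0`, so after one backend error Apache parks the worker for the default 60 seconds and answers 503; add `retry=0` for consistency with the sibling config.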
diff --git a/myconext-server/docker/Dockerfile b/myconext-server/docker/Dockerfile
new file mode 100644
index 00000000..6db5b001
--- /dev/null
+++ b/myconext-server/docker/Dockerfile
@@ -0,0 +1,3 @@
+FROM eclipse-temurin:11-jdk-alpine
+COPY target/*.jar app.jar
+ENTRYPOINT ["java","-jar","/app.jar"]
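Review bot: The server image has no `USER` directive, so the Spring Boot process runs as root inside the container, and it starts from the full `-jdk` image although only a runtime is needed to execute `/app.jar`. Add a dedicated unprivileged user and switch to the `-jre` variant to shrink the attack surface. `COPY target/*.jar app.jar` also relies on exactly one `.jar` matching in `target/`; the workflow's release step refers to `myconext-server-${{ github.ref_name }}.jar`, so a narrower pattern such as `target/myconext-server-*.jar` avoids a build error if a second jar ever appears there.
```dockerfile
FROM eclipse-temurin:11-jre-alpine
RUN addgroup -S app && adduser -S -G app app
COPY target/*.jar app.jar
USER app
ENTRYPOINT ["java","-jar","/app.jar"]
```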