diff --git a/docker/Dockerfile.bookworm b/docker/Dockerfile.bookworm
new file mode 100644
index 000000000..d63da0f0f
--- /dev/null
+++ b/docker/Dockerfile.bookworm
@@ -0,0 +1,69 @@
+FROM rust:1-slim-bookworm AS bootstrap_os
+  ENV DEBIAN_FRONTEND="noninteractive"
+
+  RUN apt-get update -y \
+    && apt-get upgrade -y --no-install-recommends --no-install-suggests ca-certificates \
+    && apt-get install -y --no-install-recommends libssl3 zlib1g \
+    && apt-mark showmanual > /tmp/runtime_apt_mark.txt
+
+
+FROM bootstrap_os AS bootstrap_build_deps
+  RUN apt-mark auto '.*' > /dev/null \
+      && apt-get upgrade -y --no-install-recommends libssl-dev clang pkg-config \
+      && apt-mark manual $(cat /tmp/runtime_apt_mark.txt) > /dev/null
+
+
+FROM bootstrap_build_deps AS bootstrap_builder
+  ENV RUST_BACKTRACE=1 \
+      CC=clang \
+      CXX=clang++ \
+      MAKEOPTS="-j$(getconf _NPROCESSORS_ONLN)"
+
+  RUN cargo install sccache --message-format short \
+      && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+      && rm -rf /var/lib/apt/lists/*
+
+
+FROM debian:bookworm-slim AS pipeline
+  COPY --from=bootstrap_os /tmp/runtime_apt_mark.txt /tmp
+
+  ENV DEBIAN_FRONTEND="noninteractive"
+
+  RUN apt-get update -y \
+    && apt-get install -y --no-install-recommends --no-install-suggests ca-certificates \
+    && apt-mark manual $(cat /tmp/runtime_apt_mark.txt) > /dev/null \
+    && { \
+         echo '#!/bin/sh'; \
+         echo 'set -eu'; \
+         echo 'if [ "${#}" -gt 0 ] && [ "${1#-}" = "${1}" ] \'; \
+         echo '  && command -v "${1}" > "/dev/null" 2>&1; then'; \
+         echo '  exec "${@}"'; \
+         echo 'else exec /bin/shfmt "${@}"; fi'; \
+         echo 'exit 0'; \
+       } > /init && chmod +x /init
+
+  COPY --from=bootstrap_builder /usr/local/cargo/bin/sccache /usr/local/cargo/bin/
+
+  WORKDIR /usr/local/cargo/bin
+
+  RUN find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' \
+      | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
+      | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual \
+    && apt-get upgrade -y --no-install-recommends --no-install-suggests \
+    && rm -rf /var/lib/apt/lists/* /tmp/runtime_apt_mark.txt
+
+  ENV PATH="/usr/local/cargo/bin:${PATH}"
+
+  HEALTHCHECK --retries=1 --timeout=15s CMD /usr/local/cargo/bin/sccache --version
+
+  ENTRYPOINT [ "/init" ]
+
+
+FROM scratch
+  COPY --from=bootstrap_builder /usr/local/cargo/bin/sccache /bin/
+
+  ENTRYPOINT [ "/bin/sccache" ]
+
+  CMD [ "/bin/sccache" ]
+
+# vi: nospell