diff --git a/.forgejo/workflows/container-build.yml b/.forgejo/workflows/container-build.yml
index 9dda17e..9ad668e 100644
--- a/.forgejo/workflows/container-build.yml
+++ b/.forgejo/workflows/container-build.yml
@@ -14,9 +14,14 @@ jobs:
     steps:
       - name: Fetch repo
         uses: actions/checkout@v3
-      - name: buildah build
-        run: "buildah build -t image ${{ env.CONTAINERFILE }}"
-      - name: skopeo copy image
-        run: "skopeo copy --dest-precompute-digests --image-parallel-copies 4 --dest-registry-token ${{ env.GITHUB_TOKEN }} containers-storage:image ${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}"
+      - name: Container build
+        run: "./build_container.sh"
+      - name: Container push
+        run: |
+          skopeo copy --dest-precompute-digests --image-parallel-copies 4 --dest-registry-token ${{ env.GITHUB_TOKEN }} containers-storage:localhost/keycloak:latest docker://${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}:latest
+          skopeo copy --dest-precompute-digests --image-parallel-copies 4 --dest-registry-token ${{ env.GITHUB_TOKEN }} containers-storage:localhost/keycloak:latest docker://${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}:${{ env.GITHUB_RUN_NUMBER}}
+
       - name: Cleanup
-        run: "buildah prune -af"
\ No newline at end of file
+        run: |
+          buildah rmi -f localhost/keycloak
+          buildah prune -f
\ No newline at end of file
diff --git a/Containerfile b/Containerfile
deleted file mode 100644
index b57fa7c..0000000
--- a/Containerfile
+++ /dev/null
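Review bot: The rewritten push step still splices the registry token into the generated shell script through `${{ env.GITHUB_TOKEN }}` and then hands it to skopeo on the command line, where it is readable by any other process on the runner through the argument list. Since the value is already in the job environment, reference it as a shell variable instead, `--dest-registry-token "$GITHUB_TOKEN"`, or keep it off argv entirely with an auth file via `--dest-authfile` / `REGISTRY_AUTH_FILE`. The Cleanup step has no `if: always()`, so a failed push leaves `localhost/keycloak:latest` behind in the runner's containers-storage on a persistent runner. The destination `docker://${{ env.GITHUB_SERVER_URL }}/...` would also embed the URL scheme in the image reference if `GITHUB_SERVER_URL` carries `https://` as it does on GitHub; worth confirming against this Forgejo runner's value.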
@@ -1,31 +0,0 @@
-FROM quay.io/keycloak/keycloak:latest as builder
-ENV PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"
-
-ENV KC_HEALTH_ENABLED=false
-ENV KC_DB=postgres
-ENV KC_CACHE_STACK=tcp
-ENV KC_HTTPS_CLIENT_AUTH=request
-ENV KC_FEATURES=dynamic-scopes,recovery-codes,preview
-ENV KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak
-RUN kc.sh build
-
-FROM quay.io/keycloak/keycloak:latest
-ENV PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"
-
-COPY --from=builder /opt/keycloak/ /opt/keycloak/
-
-WORKDIR /opt/keycloak
-ENV KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de"
-ENV KC_HOSTNAME_URL="https://sso.sebastian-tobie.de"
-ENV KC_DB_USERNAME=keycloak
-ENV KC_DB_PASSWORD=changeme
-ENV KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak
-
-ENV KEYCLOAK_ADMIN="admin"
-ENV KEYCLOAK_ADMIN_PASSWORD="admin"
-EXPOSE 8080
-COPY --chown=root:root tobie-ca.crt /etc/pki/ca-trust/source/anchors/tobie-ca.crt
-USER root
-RUN keytool -importcert -alias tobieca -cacerts -storepass changeit -noprompt -trustcacerts -file /etc/pki/ca-trust/source/anchors/tobie-ca.crt
-USER keycloak
-ENTRYPOINT ["kc.sh", "start", "--optimized", "--http-enabled", "true", "--proxy", "edge", "--log-console-format", "'%-5p [%c] (%t) %s%e%n'", "--hostname-strict-backchannel=true"]
diff --git a/build_container.sh b/build_container.sh
new file mode 100755
index 0000000..97920da
--- /dev/null
+++ b/build_container.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+both() {
+  "$@" builder
+  "$@" final
+}
+
+source=quay.io/keycloak/keycloak:latest
+buildah from --name builder --pull=newer $source
+buildah from --name final $source
+
+buildah config -l - -e - -a - -p - final
+buildah config \
+  -e PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin" \
+  -e KC_HTTPS_CLIENT_AUTH=request \
+  builder
+buildah config \
+  -e KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de" \
+  -e KC_HOSTNAME_URL="https://sso.sebastian-tobie.de" \
+  -e KC_DB_USERNAME=keycloak \
+  -e KC_DB_PASSWORD=changeme \
+  -e KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak \
+  -e KEYCLOAK_ADMIN="admin" \
+  -e KEYCLOAK_ADMIN_PASSWORD="admin" \
+  -p 8080/tcp \
+  -u keycloak:keycloak \
+  --entrypoint "[\"kc.sh\", \"start\", \"--optimized\", \"--http-enabled\", \"true\", \"--proxy\", \"edge\", \"--log-console-format\", \"'%-5p [%c] (%t) %s%e%n'\", \"--hostname-strict-backchannel=true\"]" \
+  final
+set -x
+buildah run -- builder kc.sh build --db=postgres --metrics-enabled=true --https-client-auth request --features web-authn,passkeys,persistent-user-sessions,recovery-codes --features-disabled kerberos,docker,ciba,fips
+
+buildah copy --from builder --chown root:root final /opt/keycloak/ /opt/keycloak/
+buildah rm builder
+buildah commit -f oci --rm final containers-storage:localhost/keycloak:latest
\ No newline at end of file
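Review bot: The `buildah config ... final` call bakes `KC_DB_PASSWORD=changeme`, `KEYCLOAK_ADMIN="admin"` and `KEYCLOAK_ADMIN_PASSWORD="admin"` into the config of the image that the workflow then pushes, so anyone who can pull it reads them with `skopeo inspect`, and a deployment that forgets to override them bootstraps an admin account with a well-known password. Drop those three `-e` flags and inject credentials at runtime from a secret store, leaving a comment such as `# DB and admin credentials are supplied at runtime, never baked into the image config`. Separately, `buildah config -l - -e - -a - -p - final` clears every inherited environment variable including PATH, and the script only sets PATH on `builder`, so the relative `kc.sh` in the entrypoint presumably fails to resolve unless the runtime's default PATH happens to include /opt/keycloak/bin; add `-e PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"` to the final config or use the absolute `/opt/keycloak/bin/kc.sh`. Building an identity provider from `quay.io/keycloak/keycloak:latest` with `--pull=newer` also means each CI run takes whatever upstream published that day, with no way to reproduce a given push; pin to a version tag or `@sha256:` digest. `both()` is defined but never called and can go.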