diff --git a/Dockerfile.dev b/Dockerfile.dev
new file mode 100644
index 0000000..c5ea0e0
--- /dev/null
+++ b/Dockerfile.dev
@@ -0,0 +1,52 @@
+ARG RUST_VERSION=1.82
+ARG DEBIAN_LTS=bookworm
+
+########## COMPILE PHASE ##########
+FROM rust:${RUST_VERSION}-slim-${DEBIAN_LTS} AS build
+
+WORKDIR /hive
+
+# this looks strange but makes subsequent builds much faster
+# because it leverages:
+# - a cache mount to /usr/local/cargo/registry/ to avoid
+# re-downloading all dependencies every time;
+# - a cache mount to /hive/target to avoid re-compiling
+# all dependencies every time; and
+# - a bind mount to the sources to avoid copying them
+# into the container every time
+# after build we need to copy the binary to the container
+# filesystem before /hive/target is unmounted
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+ --mount=type=cache,target=./target \
+ --mount=type=bind,source=./Cargo.toml,target=./Cargo.toml \
+ --mount=type=bind,source=./Cargo.lock,target=./Cargo.lock \
+ --mount=type=bind,source=./src,target=./src \
+ --mount=type=bind,source=./locales,target=./locales \
+ --mount=type=bind,source=./migrations,target=./migrations \
+ --mount=type=bind,source=./templates,target=./templates \
+ --mount=type=bind,source=./rinja.toml,target=./rinja.toml \
+ \
+ cargo build --locked --release \
+ && cp ./target/release/hive .
+
+########## RUN PHASE ##########
+FROM debian:${DEBIAN_LTS}-slim AS final
+
+RUN apt-get update && apt-get install -y nginx
+
+ARG LOG_FILE=/var/log/hive.log
+
+RUN touch ${LOG_FILE}
+ENV HIVE_LOG_FLE=${LOG_FILE}
+
+WORKDIR /hive
+COPY --from=build /hive/hive .
+COPY ./static /hive/static
+
+EXPOSE ${HIVE_PORT:-6869}
+
+HEALTHCHECK --interval=1m --timeout=20s --retries=3 \
+ --start-period=5s --start-interval=1s \
+ CMD curl -f http://localhost:${HIVE_PORT} || exit 1
+
+ENTRYPOINT ["bash", "-c", "nginx && ./hive"]
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 0ee9aed..28c87d0 100644
--- a/docker-compose.yaml
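Review bot: The HEALTHCHECK in the final stage is unlikely to ever pass: the only package installed into `debian:${DEBIAN_LTS}-slim` is nginx, so `curl` is most likely missing, and `HIVE_PORT` is never set with `ENV`, so unless the container is started with it the probe URL has no port. Installing curl next to nginx and declaring the port would fix both, e.g. `RUN apt-get update && apt-get install -y --no-install-recommends curl nginx && rm -rf /var/lib/apt/lists/*` and `ENV HIVE_PORT=6869` (assuming 6869 is the port hive listens on, as the EXPOSE default suggests). `ENV HIVE_LOG_FLE=${LOG_FILE}` looks like a typo for `HIVE_LOG_FILE`; confirm against the variable name the application reads. The stage also has no `USER` instruction, so both the nginx master and hive run as root; even for a development image a dedicated account that owns `${LOG_FILE}` would be worth adding.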
+++ b/docker-compose.yaml @@ -1,12 +1,30 @@ services: + nyckeln: + image: ghcr.io/datasektionen/nyckeln-under-dorrmattan + configs: + - source: nyckeln.yaml + target: /config.yaml + ports: + - 7003:7003 + hive: - build: . + build: + context: . + dockerfile: Dockerfile.dev ports: - "6869:6869" - env_file: secrets.env environment: HIVE_DB_URL: postgresql://hive:hive@db:5432/hive TZ: Europe/Stockholm + HIVE_OIDC_ISSUER_URL: http://localhost:7003 + HIVE_OIDC_CLIENT_ID: client-id + HIVE_OIDC_CLIENT_SECRET: client-secret + HIVE_SECRET_KEY: 2be50af223f3257ee45f0f95127be5190579c411c1fea2ecec9c9fbdcfb30d3458742011dda42d07b7773a01ca136372c0b13f7b673cf2e3b350b6a7614af020 + + configs: + - source: nginx.conf + target: /etc/nginx/nginx.conf + develop: watch: - path: ./static @@ -50,3 +68,34 @@ services: volumes: hive-db-data: + +configs: + nyckeln.yaml: + content: | + clients: + - id: "client-id" + secret: "client-secret" + redirect_uris: + - "http://localhost:6869/auth/oidc-callback" + - "http://localhost:6869/auth/login" + + users: + - kth_id: turetek + email: turetek@kth.se + first_name: Ture + family_name: Teknolog + + # This is very cursed, but we proxy localhost:7003 to the nyckeln service, so + # that we can use the same http://localhost:7003 url for the oidc provider worker + # and the browser when logging in via oidc. + nginx.conf: + content: | + events {} + http { + server { + listen 7003; + location / { + proxy_pass http://nyckeln:7003; + } + } + }
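Review bot: The `hive` service now carries a literal `HIVE_SECRET_KEY` and OIDC client secret in the tracked compose file, where the removed `env_file: secrets.env` used to keep them out of the repository. If these are meant as development-only placeholders, say so next to them, e.g. `# development-only value, never reuse this key in a deployed environment`, so the file is not copied into a real deployment with a publicly known key. The `nyckeln` mock provider is published as `7003:7003` on every host interface; `"127.0.0.1:7003:7003"` keeps a login service with a preconfigured user reachable from the developer's machine only. The `image:` reference has no tag or digest, so the provider that gets pulled can change between runs.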
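Review bot: In the added `nginx.conf`, `listen 7003;` binds the proxy on every interface of the hive container, although the comment above it says its only purpose is to let the hive process reach the provider at `http://localhost:7003`. `listen 127.0.0.1:7003;` would serve that purpose without also exposing the proxy to other containers on the compose network. The `nyckeln.yaml` block defines a fixed client secret and a test user, so a short comment marking the whole `configs:` section as local-development fixtures would help anyone who later reuses this file.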