diff --git a/.github/workflows/rootfs.yaml b/.github/workflows/rootfs.yaml new file mode 100644 index 0000000..20027d4 --- /dev/null +++ b/.github/workflows/rootfs.yaml @@ -0,0 +1,54 @@ +name: Build and Push Rootfs Docker Image + +on: + push: + branches: + - main + #paths: + # - 'Dockerfile' + pull_request: # TODO: remove, we should only be pushing to ECR on merge to main. + branches: + - main + #paths: + # - 'Dockerfile' + workflow_dispatch: + +permissions: + # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. + # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings + id-token: write + contents: write + pull-requests: write # TODO: remove, we should only be pushing to ECR on merge. + +jobs: + build-rootfs-image: + strategy: + #fail-fast: true + matrix: + os: ['ubuntu-latest'] + runs-on: ${{ matrix.os }} + steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: ${{ secrets.ROLE }} + role-session-name: rootfs-ecr-image-upload-session + aws-region: ${{ secrets.REGION }} + + - name: checkout repo + uses: actions/checkout@v3 + with: + fetch-depth: 0 + persist-credentials: false + submodules: true + + - name: Build, Tag, and Push Image + run: | + # create sha256 of the Dockerfile to use as tag + HASH=$(sha256sum Dockerfile | cut -d ' ' -f 1) + # make empty tempdir for build context + BUILDCTX=$(mktemp -d) + + DOCKER_BUILDKIT=1 docker build -f Dockerfile -t ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" "$BUILDCTX" + docker tag ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" + docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..5b9f227 --- /dev/null 
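Review bot: The `permissions` block grants `contents: write` and `pull-requests: write`, but the job only checks the repo out (with `persist-credentials: false`) and builds/pushes an image, so `id-token: write` plus `contents: read` is all it needs; the write scopes should be dropped now rather than left behind the TODO, since with `pull_request` in `on:` they are handed to every same-repo PR run. `aws-actions/configure-aws-credentials@v2` and `actions/checkout@v3` are mutable tags, so pin them to full commit SHAs (keeping the tag in a trailing comment) before this workflow is trusted with an OIDC-assumed AWS role. Separately, nothing visible here authenticates docker to ECR (no `amazon-ecr-login` step and no `aws ecr get-login-password | docker login`), so unless the runner is pre-authenticated the final `docker push` will fail, and the `docker tag` line tags the image with its own name, which is a no-op — presumably the ECR registry URI was meant as the target. Tagging by a sha256 of the Dockerfile also does not make the tag content-addressed: `fedora:38` and `dnf group install` are resolved at build time, so re-running this job will push a different image under the same tag (or fail if the ECR repository has tag immutability on), which is worth stating in a comment above `HASH=` or replacing with a commit-SHA tag.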
+++ b/Dockerfile @@ -0,0 +1,30 @@ +# syntax = docker/dockerfile:1.4 +FROM public.ecr.aws/docker/library/fedora:38 + +# install necessary cloud-server packages +RUN dnf group install -y cloud-server-environment --exclude=plymouth* \ + --exclude=geolite* \ + --exclude=firewalld* \ + --exclude=grub* \ + --exclude=dracut* \ + --exclude=shim-* + +RUN systemctl enable cloud-init cloud-init-local cloud-config cloud-final + +# enable systemd +# disabled network conf in cloud config +RUN <> /etc/wsl.conf +[boot] +systemd=true +EOF + +RUN <> /etc/cloud/cloud.cfg +network: + config: disabled +EOF + +# cleanup +RUN dnf clean all &&\ + rm -f /etc/NetworkManager/system-connections/*.nmconnection && \ + truncate -s 0 /etc/machine-id && \ + rm -f /var/lib/systemd/random-seed \ No newline at end of file
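Review bot: Appending a top-level `network:` mapping to `/etc/cloud/cloud.cfg` with `>>` yields a duplicate key if the packaged `cloud.cfg` already defines `network:`; duplicate keys are invalid YAML and most loaders silently keep the last one, so the supported form is a drop-in — write the same two lines to `/etc/cloud/cloud.cfg.d/99-disable-network.cfg` instead. The base image `public.ecr.aws/docker/library/fedora:38` is a mutable tag and `dnf group install` resolves packages at build time, so the image is not reproducible from this Dockerfile alone; pin the base by `@sha256:` digest and consider recording the resolved package set (e.g. `rpm -qa` into the image) so a pushed tag can be audited later. The `--exclude=firewalld*`, `--exclude=shim-*`, `grub*` and `dracut*` exclusions look WSL-specific (the `/etc/wsl.conf` write suggests no bootloader and a host-side firewall) but nothing says so; a comment such as `# WSL rootfs: no bootloader/initramfs, host firewall applies, so firewalld is omitted` would stop a later reader from treating the missing firewall as an oversight. The heredoc lines render here as `RUN <> /etc/wsl.conf`, which looks like a stripped `<<EOF cat >>` form; if the committed file actually reads that way the build fails, so worth confirming against the raw file.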