diff --git a/Dockerfile b/Dockerfile
index be35c22..71c5c4d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,48 +1,64 @@ # syntax=docker/dockerfile:1 ARG BINARY +ARG TARGETARCH # ========================== # Stage: minimal # ========================== FROM debian:12-slim AS minimal -RUN apt-get update && apt-get install -y --no-install-recommends \ - binutils \ - curl \ - xz-utils \ - ca-certificates \ - && rm -rf /var/lib/apt/lists/* \ +ARG TARGETARCH +ARG BINARY + +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + binutils \ + curl \ + xz-utils \ + ca-certificates; \ + rm -rf /var/lib/apt/lists/*; \ \ - && curl -fL \ + case "${TARGETARCH}" in \ + amd64) UPX_ARCH="amd64" ;; \ + arm64) UPX_ARCH="arm64" ;; \ + *) echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \ + esac; \ + \ + curl -fL \ --retry 5 \ --retry-delay 3 \ --connect-timeout 10 \ --max-time 120 \ -o /tmp/upx.tar.xz \ - https://github.com/telemt/telemt/releases/download/toolchains/upx-amd64_linux.tar.xz \ - && tar -xf /tmp/upx.tar.xz -C /tmp \ - && mv /tmp/upx*/upx /usr/local/bin/upx \ - && chmod +x /usr/local/bin/upx \ - && rm -rf /tmp/upx* + "https://github.com/telemt/telemt/releases/download/toolchains/upx-${UPX_ARCH}_linux.tar.xz"; \ + \ + tar -xf /tmp/upx.tar.xz -C /tmp; \ + install -m 0755 /tmp/upx*/upx /usr/local/bin/upx; \ + rm -rf /tmp/upx* COPY ${BINARY} /telemt -RUN strip /telemt || true -RUN upx --best --lzma /telemt || true +RUN set -eux; \ + test -f /telemt; \ + strip --strip-unneeded /telemt || true; \ + upx --best --lzma /telemt || true # ========================== # Debug image # ========================== FROM debian:12-slim AS debug -RUN apt-get update && apt-get install -y --no-install-recommends \ - ca-certificates \ - tzdata \ - curl \ - iproute2 \ - busybox \ - && rm -rf /var/lib/apt/lists/* +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + ca-certificates \ + tzdata \ + curl \ + iproute2 \ + busybox; \ + rm -rf /var/lib/apt/lists/* WORKDIR /app 
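Review bot: The UPX archive that `curl -fL … -o /tmp/upx.tar.xz` downloads in the `minimal` stage is extracted and installed to `/usr/local/bin/upx` with no integrity check, and this change extends that unverified fetch to a second, arm64 artifact. The `releases/download/toolchains/` path does not appear to name a fixed version, so whatever is served there at build time is what gets run over `/telemt`. I would pin one digest per architecture inside the existing `case "${TARGETARCH}"` arms, e.g. `amd64) UPX_ARCH="amd64"; UPX_SHA256="<sha256-of-amd64-archive>" ;;`, and add `echo "${UPX_SHA256}  /tmp/upx.tar.xz" | sha256sum -c -; \` before the `tar -xf` line so a mismatch aborts the build under `set -eux`. Relatedly, `upx --best --lzma /telemt || true` still hides a tool that fails to run, so a short comment saying that packing is deliberately best-effort would help the next reader.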
@@ -55,7 +71,7 @@ ENTRYPOINT ["/app/telemt"] CMD ["config.toml"] # ========================== -# Production (REAL distroless) +# Production (distroless, for static MUSL binary) # ========================== FROM gcr.io/distroless/static-debian12 AS prod