diff --git a/.gitlab-ci.d/dockerfile-parse.sed b/.gitlab-ci.d/dockerfile-parse.sed
new file mode 100755
index 0000000000000000000000000000000000000000..09813a7831d8e5e22a135494f7a330c11688c32a
--- /dev/null
+++ b/.gitlab-ci.d/dockerfile-parse.sed
@@ -0,0 +1,4 @@
+#!/usr/bin/env sed -nlf
+
+s/FROM[ ]\{1,\}\([^ ]*:[^ ]*\).*/image \1/p
+s/ARG[ ]\{1,\}\([^= ]*\)=\(.*\)/var ${\1:=\2}/p
diff --git a/.gitlab-ci.d/funcs.sh b/.gitlab-ci.d/funcs.sh
new file mode 100644
index 0000000000000000000000000000000000000000..496676f55c9920ac1e2610c3f4b55d8536c971e2
--- /dev/null
+++ b/.gitlab-ci.d/funcs.sh
@@ -0,0 +1,35 @@
+# Copyright (c) 2020 Dominik Sekotill <dom.sekotill@kodo.org.uk>
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+values() {
+	CACHE_IMG=${CI_REGISTRY_IMAGE}/${TARGET}/cache
+	RW_CACHE1=${CACHE_IMG}:latest
+	RW_CACHE2=${CACHE_IMG}:${CI_COMMIT_REF_NAME}
+	RW_CACHE3=${CACHE_IMG}:${CI_COMMIT_SHA}
+	RO_CACHE1=${CACHE_IMG}:${CI_COMMIT_BEFORE_SHA}
+}
+
+cache_arg() {
+	values
+	arg="--cache-from=${RW_CACHE1},${RW_CACHE2},${RW_CACHE3},${RO_CACHE1}"
+	.gitlab-ci.d/dockerfile-parse.sed Dockerfile |
+	while read op value; do
+		case $op in
+			image) eval "arg+=\",$value\"" ;;
+			var) eval ": $value" ;;
+		esac
+	done
+	echo "$arg"
+}
+
+push_cache() (
+	values
+	for tag in ${RW_CACHE1} ${RW_CACHE2} ${RW_CACHE3}; do
+		docker tag $1 ${tag}
+		docker push ${tag}
+	done
+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a30af8098d3f865f849dc2eeecd952fc812d4d00..52044dd11d8e787a9ebb34e15b7c78740de47c60 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,7 +12,7 @@ services:
 before_script:
 - docker info
 - docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
-
+- . .gitlab-ci.d/funcs.sh
 
 .build: &build
   stage: build
@@ -23,10 +23,13 @@ before_script:
     --pull=true
     --tag=${BUILD_TAG}
     --target=${TARGET}
-    ${NGINX_VERSION:+--build-arg=nginx_version=$NGINX_VERSION}
-    ${PHP_VERSION:+--build-arg=php_version=$PHP_VERSION}
-    ${WORDPRESS_VERSION:+--build-arg=wp_version=$WORDPRESS_VERSION}
+    --build-arg BUILDKIT_INLINE_CACHE=1
+    $(cache_arg)
+    ${NGINX_VERSION:+--build-arg=NGINX_VERSION=$NGINX_VERSION}
+    ${PHP_VERSION:+--build-arg=PHP_VERSION=$PHP_VERSION}
+    ${WORDPRESS_VERSION:+--build-arg=WORDPRESS_VERSION=$WORDPRESS_VERSION}
   - docker push ${BUILD_TAG}
+  - push_cache ${BUILD_TAG}
 
 .changes: &only-changes
   only: &change-files
diff --git a/Dockerfile b/Dockerfile
index 9778c7d96c3615dad3ce27e598ab9806c2258584..27e025ac764dbb8854d0bfa8ca89898a1f028bf5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,41 +1,74 @@
 # syntax = docker/dockerfile:1.0-experimental
 
-ARG nginx_version=latest
-FROM nginx:${nginx_version} as nginx
-LABEL uk.org.kodo.maintainer = "Dom Sekotill <dom.sekotill@kodo.org.uk>"
-COPY data/nginx /etc/nginx
-
+## Stage Nginx
+ARG NGINX_VERSION=latest
+FROM nginx:${NGINX_VERSION} as nginx-stage
+ENV STAGE=/stage
+COPY --from=docker.kodo.org.uk/kodo.org.uk/docker/docker-build-helpers:latest \
+    /scripts /bin
+RUN config-nsswitch nginx
+RUN collect-binaries /usr/sbin/nginx
+# Don't need nginx modules currently
+# RUN collect-binaries /etc/nginx/modules/*
+RUN mkdir -p $STAGE/var/log/nginx $STAGE/var/cache/nginx
+RUN ln -s /dev/stderr $STAGE/var/log/nginx/error.log
 
-ARG php_version=
-FROM php:${php_version:+$php_version-}fpm-alpine as deps
-RUN --mount=type=bind,source=scripts/install-deps.sh,target=/stage /stage
+## Nginx image
+FROM scratch as nginx
+COPY --from=nginx-stage /stage /
+COPY data/nginx /etc/nginx
+LABEL uk.org.kodo.maintainer "Dom Sekotill <dom.sekotill@kodo.org.uk>"
+STOPSIGNAL SIGTERM
+EXPOSE 80
+CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
 
-FROM deps as compile
-RUN --mount=type=bind,source=scripts/compile.sh,target=/stage /stage
 
-FROM deps as fastcgi
+## Stage PHP
+ARG PHP_VERSION=
+FROM php:${PHP_VERSION:+$PHP_VERSION-}fpm-alpine as php-stage
+ENV STAGE=/stage/php
+RUN --mount=type=bind,source=scripts/install-deps.sh,target=/step /step
+RUN --mount=type=bind,source=scripts/compile.sh,target=/step /step
+COPY --from=docker.kodo.org.uk/kodo.org.uk/docker/docker-build-helpers:1.0 \
+    /scripts /bin
+RUN --mount=type=bind,source=scripts/prepare-stage.sh,target=/step /step
 
-LABEL uk.org.kodo.maintainer "Dom Sekotill <dom.sekotill@kodo.org.uk>"
 
-ARG wp_version=latest
-WORKDIR /app
-ENV WORDPRESS_ROOT=/app
+## Stage Wordpress
+FROM php-stage as wordpress-stage
+ARG WORDPRESS_VERSION=latest
+WORKDIR /stage/wordpress/app
+ENV STAGE=/stage/wordpress WORDPRESS_ROOT=/stage/wordpress/app
+COPY scripts/wp.sh /stage/wordpress/usr/bin/wp
+COPY data/composer.json composer.json
+COPY plugins wp-content/mu-plugins
+RUN --mount=type=bind,source=scripts/install-wp.sh,target=/step \
+    /step ${WORDPRESS_VERSION}
 
-COPY --from=compile /usr/local/etc/php /usr/local/etc/php
-COPY --from=compile /usr/local/lib/php /usr/local/lib/php
-COPY scripts/wp.sh /usr/local/bin/wp
-COPY data/composer.json /app/composer.json
-RUN --mount=type=bind,source=scripts/install-wp.sh,target=/stage \
-    /stage ${wp_version}
 
-COPY plugins/* wp-content/mu-plugins/
-COPY data/fpm.conf /usr/local/etc/php-fpm.d/image.conf
-COPY data/opcache.ini /usr/local/etc/php/conf.d/opcache-recommended.ini
-COPY data/wp-config.php /usr/share/wordpress/wp-config.php
-COPY scripts/entrypoint.sh /bin/entrypoint
+## Stage configuration
+FROM wordpress-stage as config-stage
+WORKDIR /stage/config
+ENV STAGE=/stage/config
+COPY data/fpm.conf usr/local/etc/php-fpm.d/image.conf
+COPY data/opcache.ini usr/local/etc/php/conf.d/opcache-recommended.ini
+COPY data/wp-config.php usr/share/wordpress/wp-config.php
+COPY scripts/entrypoint.sh bin/entrypoint
 
-# PAGER is used by the wp-cli tool, the default 'less' is not installed
-ENV PAGER=more
 
+## Final image composed of three layers:
+##  1) PHP runtime and libs
+##  2) Wordpress
+##  3) Configuration
+FROM scratch as fastcgi
+LABEL uk.org.kodo.maintainer "Dom Sekotill <dom.sekotill@kodo.org.uk>"
+COPY --from=php-stage /stage/php /
+COPY --from=wordpress-stage /stage/wordpress /
+COPY --from=config-stage /stage/config /
+WORKDIR /app
+ENV PREFIX=/usr
+ENV WORDPRESS_ROOT=/app
+ENV PATH=/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
+EXPOSE 9000
 ENTRYPOINT ["/bin/entrypoint"]
 CMD ["php-fpm"]
diff --git a/scripts/compile.sh b/scripts/compile.sh
index bd52b78856135b94c21d979d4be4629d483ca91c..2655dbe56ab54b76beb1e58a8136ddd172d5eb67 100755
--- a/scripts/compile.sh
+++ b/scripts/compile.sh
@@ -1,18 +1,6 @@
 #!/bin/bash
 set -eux
 
-# Packaged build dependencies
-BUILD_DEPS=(
-	autoconf
-	build-base
-	gmp-dev
-	imagemagick-dev
-	jpeg-dev
-	libpng-dev
-	libwebp-dev
-	libzip-dev
-)
-
 # Distributed extensions
 PHP_EXT=(
 	bcmath
@@ -30,10 +18,6 @@ php_version() {
 		return 1
 }
 
-# Install packaged dependencies
-apk update
-apk add "${BUILD_DEPS[@]}"
-
 # Build & install distributed extensions
 if php_version -gt 7.4; then
 	GD_ARGS=( --with-jpeg=/usr --with-webp=/usr )
diff --git a/scripts/install-deps.sh b/scripts/install-deps.sh
index e6b4d75d2d995b43b7c3b36a0affe39e8bcb6bfe..49cbec6568384e4026f41165dc0bca2f913022c5 100755
--- a/scripts/install-deps.sh
+++ b/scripts/install-deps.sh
@@ -4,11 +4,14 @@ set -eux
 # Install packaged dependencies
 apk update
 apk add \
+	autoconf \
 	bash \
-	imagemagick-libs \
-	libgmpxx \
-	libjpeg \
-	libpng \
-	libwebp \
-	libzip \
+	build-base \
+	gmp-dev \
+	imagemagick-dev \
+	jpeg-dev \
+	less \
+	libpng-dev \
+	libwebp-dev \
+	libzip-dev \
 	rsync \
diff --git a/scripts/install-wp.sh b/scripts/install-wp.sh
index 55d1fb70ba91aae2680df75e8666d5708d081310..57076405d8ea8bea58eb884b62c1a52dabfed759 100755
--- a/scripts/install-wp.sh
+++ b/scripts/install-wp.sh
@@ -5,14 +5,18 @@ COMPOSER_INSTALLER_URL=https://getcomposer.org/installer
 WP_CLI_URL=https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 WP_PASSWORD_HASH=https://raw.githubusercontent.com/Ayesh/WordPress-Password-Hash/1.5.1
 
-# Install Composer
+# Prepare stage
+export PREFIX=$STAGE/usr/
+export PATH+=:$PREFIX/bin
+mkdir -p $PREFIX/bin $PREFIX/lib
+
+# Install Composer directly to STAGE
 curl -sSL ${COMPOSER_INSTALLER_URL} |
-	php -- --install-dir=/usr/local/lib --filename=composer.phar
-ln -s ../lib/composer.phar /usr/local/bin/composer
+	php -- --install-dir=$PREFIX/lib --filename=composer.phar
+ln -s ../lib/composer.phar $PREFIX/bin/composer
 
-# Install WP-CLI
-curl -sSL ${WP_CLI_URL} \
-    >/usr/local/lib/wp-cli.phar
+# Install WP-CLI directly to STAGE
+curl -sSL ${WP_CLI_URL} >$PREFIX/lib/wp-cli.phar
 
 # Install Wordpress core
 wp core download --skip-content --locale=en_GB --version=$1
diff --git a/scripts/prepare-stage.sh b/scripts/prepare-stage.sh
new file mode 100755
index 0000000000000000000000000000000000000000..a946426cf6be6a881679c3e89d20acedf20d46db
--- /dev/null
+++ b/scripts/prepare-stage.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+set -eux
+
+UTILS=(
+	cat
+	date
+	less
+	rsync
+	sort
+	xargs
+)
+
+UTILS+=(
+	ls
+	du
+)
+
+BASH_BINS=(
+	/bin/bash
+	/usr/lib/bash/head
+	/usr/lib/bash/sleep
+	/usr/lib/bash/unlink
+)
+
+bootstrap-stage
+stage-useradd www-data
+
+{
+	# Shell & cmdline utils
+	which "${UTILS[@]}"
+	printf "%s\n" "${BASH_BINS[@]}"
+
+	# PHP
+	echo /usr/local/bin/php
+	echo /usr/local/sbin/php-fpm
+	find /usr/local/lib/php /usr/local/etc/php -type f
+} | collect-binaries
+
+ln -s bash $STAGE/bin/sh
diff --git a/scripts/wp.sh b/scripts/wp.sh
index 1e70eab1225cf5459f0cba6ab37cd70913b880bf..d221305ec77de3c8712a87556cc1a2c283ba97fa 100755
--- a/scripts/wp.sh
+++ b/scripts/wp.sh
@@ -3,4 +3,4 @@
 # installing it as root is idiocy. WP needs to be installed owned by a user 
 # seperate from the server's user. 'root' is available for such, besides which 
 # root in a container is not really root.
-exec php -d memory_limit=512M /usr/local/lib/wp-cli.phar --allow-root "$@"
+exec php -d memory_limit=512M $PREFIX/lib/wp-cli.phar --allow-root "$@"