diff --git a/pypiscript/Dockerfile b/pypiscript/Dockerfile
new file mode 100644
index 000000000..f0cf9e495
--- /dev/null
+++ b/pypiscript/Dockerfile
@@ -0,0 +1,45 @@
+FROM python:3.8
+
+RUN groupadd --gid 10001 app && \
+ useradd -g app --uid 10001 --shell /usr/sbin/nologin --create-home --home-dir /app app
+
+RUN apt-get update \
+ && apt-get install -y zipalign osslsigncode \
+ && apt-get clean \
+ && ln -s /app/docker.d/healthcheck /bin/healthcheck
+
+ENV RUSTUP_HOME=/usr/local/rustup \
+ CARGO_HOME=/usr/local/cargo \
+ PATH=/usr/local/cargo/bin:$PATH \
+ RUST_VERSION=1.42.0
+
+RUN set -eux; \
+ url="https://static.rust-lang.org/rustup/archive/1.21.1/x86_64-unknown-linux-gnu/rustup-init"; \
+ wget "$url"; \
+ echo "ad1f8b5199b3b9e231472ed7aa08d2e5d1d539198a15c5b1e53c746aad81d27b *rustup-init" | sha256sum -c -; \
+ chmod +x rustup-init; \
+ ./rustup-init -y --no-modify-path --profile minimal --default-toolchain $RUST_VERSION; \
+ rm rustup-init; \
+ chmod -R a+w $RUSTUP_HOME $CARGO_HOME; \
+ rustup --version; \
+ cargo --version; \
+ rustc --version;
+
+COPY . /app
+COPY pypiscript/docker.d/* /app/docker.d
+RUN chown -R app:app /app
+
+USER app
+WORKDIR /app
+
+RUN python -m venv /app \
+ && cd pypiscript \
+ && /app/bin/pip install -r requirements/base.txt \
+ && cargo install --path . --root . \
+ && python -m venv /app/configloader_venv \
+ && cd /app/configloader \
+ && /app/configloader_venv/bin/pip install -r requirements/base.txt \
+ && /app/configloader_venv/bin/pip install . \
+ && cd /app
+
+CMD ["/app/docker.d/init.sh"]
diff --git a/pypiscript/docker.d/init_worker.sh b/pypiscript/docker.d/init_worker.sh
new file mode 100644
index 000000000..3788eff32
--- /dev/null
+++ b/pypiscript/docker.d/init_worker.sh
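Review bot: `chmod -R a+w $RUSTUP_HOME $CARGO_HOME` leaves the Rust toolchain world-writable while `PATH=/usr/local/cargo/bin:$PATH` puts it ahead of the system directories, so any process in the container, including the worker running as `app`, can replace `cargo`/`rustc` or drop a binary there that shadows a system tool. If the toolchain is only needed for the `cargo install --path . --root .` step, narrow the grant to `chown -R app:app $RUSTUP_HOME $CARGO_HOME`, or better run that step in a separate build stage so no compiler ships in the runtime image. No Cargo.toml is visible in this diff, so the rustup block and the `zipalign`/`osslsigncode` packages may be leftovers from another script's Dockerfile; if so they can be dropped. `FROM python:3.8` is also a floating tag and both `pip install -r requirements/base.txt` calls run without hashes; pinning the base by digest and installing with `--require-hashes` would make what ends up in this image verifiable.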
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e errexit -o pipefail
+
+test_var_set() {
+ local varname=$1
+
+ if [[ -z "${!varname}" ]]; then
+ echo "error: ${varname} is not set"
+ exit 1
+ fi
+}
+
+#
+# Check that all required variables exist
+#
+test_var_set 'CONFIG_DIR'
+test_var_set 'CONFIG_LOADER'
+test_var_set 'COT_PRODUCT'
+test_var_set 'PROJECT_NAME'
+test_var_set 'TEMPLATE_DIR'
+
+
+export PASSWORDS_PATH=$CONFIG_DIR/passwords.json
+
+
+$CONFIG_LOADER $TEMPLATE_DIR/passwords.yml $PASSWORDS_PATH
diff --git a/pypiscript/docker.d/worker.yml b/pypiscript/docker.d/worker.yml
new file mode 100644
index 000000000..c867bce95
--- /dev/null
+++ b/pypiscript/docker.d/worker.yml
@@ -0,0 +1,7 @@
+artifact_dir: { "$eval": "ARTIFACTS_DIR" }
+project_config_file: "${PASSWORDS_PATH}"
+taskcluster_scope_prefix:
+ $flatten:
+ $match:
+ 'COT_PRODUCT == "releng"':
+ - 'project:releng'
diff --git a/pypiscript/requirements/base.in b/pypiscript/requirements/base.in
new file mode 100644
index 000000000..e1e2285ab
--- /dev/null
+++ b/pypiscript/requirements/base.in
@@ -0,0 +1 @@
+scriptworker
diff --git a/pypiscript/requirements/base.txt b/pypiscript/requirements/base.txt
new file mode 100644
index 000000000..6b2b1532a
--- /dev/null
+++ b/pypiscript/requirements/base.txt
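Review bot: `set -e errexit -o pipefail` on the second line of init_worker.sh does not enable pipefail: after `-e`, the bare word `errexit` ends option parsing, so `errexit -o pipefail` become the positional parameters (and would overwrite the caller's `$@` if this file is sourced). It should read `set -o errexit -o pipefail`. The last line also expands `$CONFIG_LOADER $TEMPLATE_DIR/passwords.yml $PASSWORDS_PATH` unquoted and writes `passwords.json` under the inherited umask; since that file presumably holds credentials, quote the two path arguments and add `umask 077` before the call. `test_var_set` would also be better printing its error to stderr with `>&2`.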
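Review bot: `taskcluster_scope_prefix` in worker.yml appears to render to an empty list whenever `COT_PRODUCT` is anything other than `releng`, because `$match` has only that one branch and init_worker.sh checks the variable only for being non-empty. An unsupported product should stop the worker at startup rather than produce a config with no scope prefix; a guard in init_worker.sh such as `case "$COT_PRODUCT" in releng) ;; *) echo "error: unsupported COT_PRODUCT" >&2; exit 1 ;; esac` would do that. `ARTIFACTS_DIR` is read here but is not among the variables init_worker.sh verifies; confirm it is checked elsewhere.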
@@ -0,0 +1,45 @@ +# SHA1:c829b627d519a44c3705088241a3460302f21bf5 +# +# This file is autogenerated by pip-compile-multi +# To update, run: +# +# pip-compile-multi +# +aiohttp==3.6.2 # via scriptworker, taskcluster +aiomemoizettl==0.0.3 # via scriptworker +arrow==0.15.5 # via scriptworker +async-timeout==3.0.1 # via aiohttp, taskcluster +attrs==19.3.0 # via aiohttp, jsonschema +certifi==2019.11.28 # via requests +cffi==1.14.0 # via cryptography +chardet==3.0.4 # via aiohttp, requests +cryptography==2.8 # via jwcrypto, scriptworker +dictdiffer==0.8.1 # via scriptworker +github3.py==1.3.0 # via scriptworker +idna-ssl==1.1.0 # via aiohttp +idna==2.9 # via idna-ssl, requests, yarl +immutabledict==1.0.0 # via scriptworker +importlib-metadata==1.5.2 # via jsonschema +json-e==4.0.1 # via scriptworker +jsonschema==3.2.0 # via scriptworker +jwcrypto==0.7 # via github3.py +mohawk==1.1.0 # via taskcluster +multidict==4.7.5 # via aiohttp, yarl +pycparser==2.20 # via cffi +pyrsistent==0.16.0 # via jsonschema +python-dateutil==2.8.1 # via arrow, github3.py +pyyaml==5.3.1 # via scriptworker +requests==2.23.0 # via github3.py, taskcluster +scriptworker==32.2.1 # via -r pypiscript/requirements/base.in +six==1.14.0 # via cryptography, jsonschema, mohawk, pyrsistent, python-dateutil, taskcluster +slugid==2.0.0 # via taskcluster +taskcluster-urls==12.1.0 # via taskcluster +taskcluster==28.1.0 # via scriptworker +typing-extensions==3.7.4.1 # via aiohttp +uritemplate==3.0.1 # via github3.py +urllib3==1.25.8 # via requests +yarl==1.4.2 # via aiohttp +zipp==3.1.0 # via importlib-metadata + +# The following packages are considered to be unsafe in a requirements file: +# setuptools