diff --git a/ssh-ci/Dockerfile b/ssh-ci/Dockerfile
new file mode 100644
index 0000000..fddd68b
--- /dev/null
+++ b/ssh-ci/Dockerfile
@@ -0,0 +1,8 @@
+FROM alpine:3.16
+
+COPY entrypoint.sh /entrypoint
+
+RUN chmod +x /entrypoint && \
+ apk add --no-cache openssh-client
+
+ENTRYPOINT ["/entrypoint"]
diff --git a/ssh-ci/Makefile b/ssh-ci/Makefile
new file mode 100644
index 0000000..aa19502
--- /dev/null
+++ b/ssh-ci/Makefile
@@ -0,0 +1,24 @@
+IMG_NAME=ssh-ci
+REGISTRY=registry.monotremata.xyz
+IMG=$(REGISTRY)/$(IMG_NAME)
+PLATFORMS=linux/amd64,linux/arm64
+
+.PHONY: push buildx clean
+
+out/image-id: Dockerfile entrypoint.sh
+ mkdir -p $(@D)
+ docker build -t $(IMG) .
+ echo $(IMG) > $@
+
+push: out/image-id
+ docker image push $(IMG)
+
+buildx: Dockerfile entrypoint.sh
+ docker buildx build \
+ --platform $(PLATFORMS) \
+ --tag $(IMG) \
+ --push \
+ .
+
+clean:
+ rm -rf out
diff --git a/ssh-ci/entrypoint.sh b/ssh-ci/entrypoint.sh
new file mode 100644
index 0000000..8b82072
--- /dev/null
+++ b/ssh-ci/entrypoint.sh
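Review bot: The image never sets `USER`, so the entrypoint and the ssh client run as root while holding the deploy key that entrypoint.sh writes under `$HOME/.ssh`. Unless the CI runner needs root in the step container, I would add `RUN adduser -D ci` and `USER ci` before `ENTRYPOINT`, which also gives the key a dedicated, writable home. Since this image receives SSH private keys, it is also worth pinning the base by digest, `FROM alpine:3.16@sha256:<digest>`, instead of the mutable `3.16` tag. The separate `chmod +x` can be folded into `COPY --chmod=0755 entrypoint.sh /entrypoint` when building with BuildKit.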
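Review bot: `IMG` carries no tag, so `docker build -t $(IMG)` and both push paths publish to the implicit `latest`, and every push silently replaces the image that pipelines pull for a step which is handed an SSH key. I would add a version variable, for example `TAG ?= <version>` with `IMG=$(REGISTRY)/$(IMG_NAME):$(TAG)`, so consumers can pin a release. Separately, `out/image-id` ends up holding the image name rather than an ID; `docker build -t $(IMG) --iidfile $@ .` would record the actual image ID.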
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+set -e
+
+# check settings
+
+HOST="${HOST:-${PLUGIN_HOST}}"
+if [ -z "$HOST" ]; then
+ echo "'host' must be specified"
+ exit 1
+fi
+
+USER="${USER:-${PLUGIN_USER:-root}}"
+PORT="${PORT:-${PLUGIN_PORT:-22}}"
+
+SSH_KEY="${SSH_KEY:-${PLUGIN_KEY}}"
+if [ -z "$SSH_KEY" ]; then
+ echo "ssh_key must be specified"
+ exit 1
+fi
+
+KNOWN_HOSTS="${KNOWN_HOSTS:=${PLUGIN_KNOWN_HOSTS}}"
+
+COMMANDS="${COMMANDS:-${PLUGIN_COMMANDS}}"
+if [ -z "$COMMANDS" ]; then
+ echo "specify at least one command to run"
+ exit 1
+fi
+
+ARGS=${ARGS:-${PLUGIN_ARGS}}
+
+# prepare SSH
+
+mkdir -p "$HOME/.ssh"
+keyfile="$HOME/.ssh/id_rsa"
+echo "$SSH_KEY" > "$keyfile"
+chmod 0600 "$keyfile"
+
+known_hosts_file="${HOME}/.ssh/known_hosts"
+[ -n "${KNOWN_HOSTS}" ] && echo "${KNOWN_HOSTS}" >> "$known_hosts_file"
+[ -f "${known_hosts_file}" ] && chmod 0600 "$known_hosts_file"
+
+# run commands
+
+IFS=","
+for COMMAND in $COMMANDS; do
+ echo "running '$COMMAND' remotely"
+ # shellcheck disable=SC2086,SC2029
+ ssh -p "${PORT}" $ARGS "$USER"@"${HOST}" "$COMMAND"
+done
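Review bot: `known_hosts` is optional here while `host` and `ssh_key` are mandatory, so a job that omits it has no pinned host key, and because ssh cannot prompt in CI, users are likely to end up disabling verification through `args`. I would fail early as the other settings do, `[ -n "$KNOWN_HOSTS" ] || { echo "known_hosts must be specified"; exit 1; }`, and pass `-o StrictHostKeyChecking=yes` on the ssh line. The private key is also created under the default umask and only tightened by the `chmod 0600` that follows; a `umask 077` before `mkdir -p "$HOME/.ssh"` closes that window and covers the directory too. Finally, `IFS=","` is already in effect when the unquoted `$ARGS` is expanded, so space-separated ssh options reach ssh as a single word unless `args` is meant to be comma-separated, which deserves a comment or a fix.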