diff --git a/Dockerfile b/Dockerfile
index 32749ee..d1c4124 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,66 +7,86 @@
 
 FROM debian:bookworm-slim
 
+# Build-time architecture detection
+ARG TARGETARCH
+ENV ARCH=${TARGETARCH:-amd64}
 ENV DEBIAN_FRONTEND=noninteractive
-ENV AWS_CLI_VERSION=2
-ENV KUBECTL_VERSION=1.32.0
-ENV ARCH=amd64
-ENV PLATFORM=Linux_${ARCH}
+ENV KUBECTL_VERSION=1.33.0
+ENV KUBECTL_DATE=2025-05-01
 
+# User config
 ENV DOCKER_USER=coder \
     UID=1000 \
     GID=1000 \
     PASSWORD=undefined \
     HASHED_PASSWORD=undefined
 
-RUN apt-get update && apt-get install -y \
+# Base packages
+RUN apt-get update && apt-get install --no-install-recommends -y \
     bash curl unzip gnupg net-tools tree bash-completion sudo \
     default-jre jq python3 python3-pip python3-venv virtualenv \
     siege tar ca-certificates wget git dumb-init nodejs npm \
     lsb-release iproute2 iptables uidmap dbus fuse3 xz-utils doas passwd \
     && apt-get clean && rm -rf /var/lib/apt/lists/*
 
+# Docker
 RUN curl -fsSL https://get.docker.com | sh && dockerd --version
 
-RUN pip3 install --break-system-packages pipx && \
+# pre-commit
+RUN pip3 install --break-system-packages --no-cache-dir pipx && \
     pipx install pre-commit && \
     ln -s /root/.local/pipx/venvs/pre-commit/bin/pre-commit /usr/local/bin/pre-commit
 
-RUN curl -o awscliv2.zip https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip && \
+# AWS CLI (handle arch manually)
+RUN set -e; \
+    case "$ARCH" in \
+      amd64) AWS_ARCH="x86_64" ;; \
+      arm64) AWS_ARCH="aarch64" ;; \
+      *) echo "Unsupported ARCH: $ARCH" && exit 1 ;; \
+    esac && \
+    curl -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-${AWS_ARCH}.zip" && \
     unzip awscliv2.zip && ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
     rm -rf awscliv2.zip aws/
 
-RUN curl -o kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/${KUBECTL_VERSION}/2024-12-20/bin/linux/amd64/kubectl && \
+# kubectl
+RUN curl -o kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/${KUBECTL_VERSION}/${KUBECTL_DATE}/bin/linux/${ARCH}/kubectl && \
     chmod +x kubectl && mv kubectl /usr/local/bin/
 
-RUN curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_${PLATFORM}.tar.gz" && \
-    curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check && \
-    tar -xzf eksctl_${PLATFORM}.tar.gz -C /tmp && \
-    mv /tmp/eksctl /usr/local/bin && rm eksctl_${PLATFORM}.tar.gz
+# eksctl
+RUN curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Linux_${ARCH}.tar.gz" && \
+    curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep "Linux_${ARCH}" | sha256sum --check && \
+    tar -xzf eksctl_Linux_${ARCH}.tar.gz -C /tmp && \
+    mv /tmp/eksctl /usr/local/bin && rm eksctl_Linux_${ARCH}.tar.gz
 
+# code-server (auto-detects arch)
 RUN curl -fsSL https://code-server.dev/install.sh | sh
 
-# Install prompt to root
+# Custom shell prompt
 RUN curl -Ls https://git.fridu.us/heckyel/hyperterm/raw/branch/master/install.sh -o "$HOME/install.sh" && \
-    bash "$HOME/install.sh" -s
+    bash "$HOME/install.sh" -s && rm "$HOME/install.sh"
 
-# Copy pre-commit config and setup script
+# Pre-commit config
 COPY .pre-commit-config.yaml /usr/local/share/default-pre-commit-config.yaml
 COPY .setup-precommit.sh /usr/local/bin/setup-precommit
 RUN chmod +x /usr/local/bin/setup-precommit
 
-# Install Gitleaks
-ENV GITLEAKS_VERSION="8.27.0"
-RUN curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -o gitleaks.tar.gz && \
+# Gitleaks
+ENV GITLEAKS_VERSION="8.27.2"
+RUN set -e; \
+    case "$ARCH" in \
+      amd64) GITLEAKS_ARCH="x64" ;; \
+      arm64) GITLEAKS_ARCH="arm64" ;; \
+      *) echo "Unsupported ARCH: $ARCH" && exit 1 ;; \
+    esac && \
+    curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${GITLEAKS_ARCH}.tar.gz" -o gitleaks.tar.gz && \
     tar -xzf gitleaks.tar.gz gitleaks && \
-    mv gitleaks /usr/local/bin/gitleaks && \
-    chmod +x /usr/local/bin/gitleaks && \
+    mv gitleaks /usr/local/bin/gitleaks && chmod +x /usr/local/bin/gitleaks && \
     rm gitleaks.tar.gz
 
-# Install BFG Repo-Cleaner
+# BFG
 ENV BFG_VERSION=1.15.0
 RUN curl -L -o /usr/local/bin/bfg.jar "https://repo1.maven.org/maven2/com/madgag/bfg/${BFG_VERSION}/bfg-${BFG_VERSION}.jar" && \
-    echo '#!/bin/sh\nexec java -jar /usr/local/bin/bfg.jar "$@"' > /usr/local/bin/bfg && \
+    printf '#!/bin/sh\nexec java -jar /usr/local/bin/bfg.jar "$@"\n' > /usr/local/bin/bfg && \
     chmod +x /usr/local/bin/bfg
 
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh