diff --git a/.github/workflows/build-ova.yml b/.github/workflows/build-ova.yml
index 5d502f1..aecf8d7 100644
--- a/.github/workflows/build-ova.yml
+++ b/.github/workflows/build-ova.yml
@@ -1,6 +1,9 @@
 name: Build OVF Image
 on:
+ push:
+ branches:
+ - add-dockge
 workflow_dispatch:
 inputs:
 core_tag:
@@ -63,11 +66,14 @@ jobs:
 env:
 PACKER_LOG: 1
 run: |
+ CORE_TAG="${{ github.event.inputs.core_tag || '2.0.0-alpha2' }}"
+ PROXY_TAG="${{ github.event.inputs.proxy_tag || '2.0.0-alpha2' }}"
+ GATEWAY_TAG="${{ github.event.inputs.gateway_tag || '2.0.0-alpha2' }}"
 packer build \
 -var "iso_url=file://$PWD/ubuntu-24.04.4-live-server-amd64.iso" \
- -var "core_tag=${{ github.event.inputs.core_tag }}" \
- -var "proxy_tag=${{ github.event.inputs.proxy_tag }}" \
- -var "gateway_tag=${{ github.event.inputs.gateway_tag }}" \
+ -var "core_tag=${CORE_TAG}" \
+ -var "proxy_tag=${PROXY_TAG}" \
+ -var "gateway_tag=${GATEWAY_TAG}" \
 defguard.pkr.hcl
 - name: Upload OVA to S3
@@ -75,12 +81,14 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: eu-central-1
- CORE_TAG: ${{ github.event.inputs.core_tag }}
- PROXY_TAG: ${{ github.event.inputs.proxy_tag }}
- GATEWAY_TAG: ${{ github.event.inputs.gateway_tag }}
+ CORE_TAG: ${{ github.event.inputs.core_tag || '2.0.0-alpha2' }}
+ PROXY_TAG: ${{ github.event.inputs.proxy_tag || '2.0.0-alpha2' }}
+ GATEWAY_TAG: ${{ github.event.inputs.gateway_tag || '2.0.0-alpha2' }}
 run: |
 TIMESTAMP=$(date +%Y%m%d-%H%M%S)
 FILENAME="defguard_${TIMESTAMP}_core-${CORE_TAG}_edge-${PROXY_TAG}_gateway-${GATEWAY_TAG}.ova"
 ls -lh output/defguard/defguard.ova
 aws s3 cp output/defguard/defguard.ova "s3://defguard-downloads/ova/${FILENAME}"
 echo "Uploaded: s3://defguard-downloads/ova/${FILENAME}"
+ aws s3 cp output/defguard/defguard.ova "s3://defguard-downloads/ova/defguard-latest.ova" \
+ --cache-control "no-cache"
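Review bot: The new `push` trigger on the `add-dockge` branch runs the whole build-and-upload job, and together with the `defguard-latest.ova` upload added in the third hunk of this file, every push to this feature branch overwrites the public "latest" artifact in the downloads bucket with a build made from the hard-coded alpha tag defaults. If the trigger exists only to test the branch, remove it before merge; if pushes should keep building, gate publication instead, e.g. on the upload step `if: github.event_name == 'workflow_dispatch'`, so a branch push builds but does not publish.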
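Review bot: The three added `CORE_TAG=`/`PROXY_TAG=`/`GATEWAY_TAG=` lines interpolate `${{ github.event.inputs.* }}` straight into the `run:` script, so the input text becomes part of the shell source before it executes, which is the pattern GitHub's own guidance flags for script injection; the upload step in the next hunk already uses the safer form of passing the same expressions through `env:` and reading `$CORE_TAG` in the script. Move the three assignments into this step's `env:` block beside `PACKER_LOG` and keep the `run:` body to plain shell variables, as the upload step does. The literal `'2.0.0-alpha2'` is now repeated six times across the two steps; a single workflow-level `env: DEFAULT_TAG: '2.0.0-alpha2'` referenced as `${{ github.event.inputs.core_tag || env.DEFAULT_TAG }}` keeps the fallback in one place.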
diff --git a/ova/defguard.pkr.hcl b/ova/defguard.pkr.hcl
index 1edd873..20ceb38 100644
--- a/ova/defguard.pkr.hcl
+++ b/ova/defguard.pkr.hcl
@@ -95,21 +95,21 @@ build {
 provisioner "shell" {
 inline = [
 "sudo bash /tmp/docker-setup.sh",
- "sudo mkdir -p /opt/defguard",
- "sudo mv /tmp/docker-compose.yaml /opt/defguard/docker-compose.yaml",
- "sudo mv /tmp/docker-compose.standalone.yaml /opt/defguard/docker-compose.standalone.yaml",
- "sudo mv /tmp/generate-env.sh /opt/defguard/generate-env.sh",
- "sudo chmod +x /opt/defguard/generate-env.sh",
- "sudo mv /tmp/start.sh /opt/defguard/start.sh",
- "sudo chmod +x /opt/defguard/start.sh",
- "echo 'DEFGUARD_CORE_TAG=${var.core_tag}' | sudo tee /opt/defguard/.image-tags > /dev/null",
- "echo 'DEFGUARD_PROXY_TAG=${var.proxy_tag}' | sudo tee -a /opt/defguard/.image-tags > /dev/null",
- "echo 'DEFGUARD_GATEWAY_TAG=${var.gateway_tag}' | sudo tee -a /opt/defguard/.image-tags > /dev/null",
+ "sudo mkdir -p /opt/stacks/defguard",
+ "sudo mv /tmp/docker-compose.yaml /opt/stacks/defguard/docker-compose.yaml",
+ "sudo mv /tmp/docker-compose.standalone.yaml /opt/stacks/defguard/docker-compose.standalone.yaml",
+ "sudo mv /tmp/generate-env.sh /opt/stacks/defguard/generate-env.sh",
+ "sudo chmod +x /opt/stacks/defguard/generate-env.sh",
+ "sudo mv /tmp/start.sh /opt/stacks/defguard/start.sh",
+ "sudo chmod +x /opt/stacks/defguard/start.sh",
+ "echo 'DEFGUARD_CORE_TAG=${var.core_tag}' | sudo tee /opt/stacks/defguard/.image-tags > /dev/null",
+ "echo 'DEFGUARD_PROXY_TAG=${var.proxy_tag}' | sudo tee -a /opt/stacks/defguard/.image-tags > /dev/null",
+ "echo 'DEFGUARD_GATEWAY_TAG=${var.gateway_tag}' | sudo tee -a /opt/stacks/defguard/.image-tags > /dev/null",
 "sudo mv /tmp/99-defguard.cfg /etc/cloud/cloud.cfg.d/99-defguard.cfg",
 "sudo mv /tmp/defguard-init.service /etc/systemd/system/defguard-init.service",
 "sudo systemctl daemon-reload",
 "sudo systemctl enable docker.service",
- "sudo chown -R ubuntu:ubuntu /opt/defguard",
+ "sudo chown -R ubuntu:ubuntu /opt/stacks/defguard",
 "sudo rm -f /etc/netplan/00-installer-config.yaml /etc/netplan/50-cloud-init.yaml",
 "sudo cloud-init clean --logs",
 "sudo rm -f /etc/ssh/ssh_host_*",
diff --git a/ova/files/defguard-init.service b/ova/files/defguard-init.service
index 972eaca..f7ed544 100644
--- a/ova/files/defguard-init.service
+++ b/ova/files/defguard-init.service
@@ -5,8 +5,8 @@ Wants=network-online.target docker.service
 [Service]
 Type=oneshot
-WorkingDirectory=/opt/defguard
+WorkingDirectory=/opt/stacks/defguard
 StandardOutput=append:/var/log/defguard-startup.log
 StandardError=append:/var/log/defguard-startup.log
-ExecStart=/bin/bash /opt/defguard/generate-env.sh
-ExecStart=/bin/bash /opt/defguard/start.sh
+ExecStart=/bin/bash /opt/stacks/defguard/generate-env.sh
+ExecStart=/bin/bash /opt/stacks/defguard/start.sh
diff --git a/ova/files/docker-compose.standalone.yaml b/ova/files/docker-compose.standalone.yaml
index 48e0f1e..aee3f17 100644
--- a/ova/files/docker-compose.standalone.yaml
+++ b/ova/files/docker-compose.standalone.yaml
@@ -52,6 +52,19 @@ services:
 - ./.volumes/npm/data:/data
 - ./.volumes/npm/letsencrypt:/etc/letsencrypt
+ dockge:
+ image: louislam/dockge:1
+ restart: unless-stopped
+ profiles: [dockge]
+ ports:
+ - "5001:5001"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./.volumes/dockge:/app/data
+ - /opt/stacks:/opt/stacks
+ environment:
+ DOCKGE_STACKS_DIR: /opt/stacks
+
 db:
 restart: always
 profiles: [core]
diff --git a/ova/files/docker-compose.yaml b/ova/files/docker-compose.yaml
index 8fcebe0..65068db 100644
--- a/ova/files/docker-compose.yaml
+++ b/ova/files/docker-compose.yaml
@@ -53,6 +53,19 @@ services:
 - ./.volumes/npm/data:/data
 - ./.volumes/npm/letsencrypt:/etc/letsencrypt
+ dockge:
+ image: louislam/dockge:1
+ restart: unless-stopped
+ profiles: [dockge]
+ ports:
+ - "5001:5001"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./.volumes/dockge:/app/data
+ - /opt/stacks:/opt/stacks
+ environment:
+ DOCKGE_STACKS_DIR: /opt/stacks
+
 db:
 restart: always
 image: postgres:18-alpine
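Review bot: The new `dockge` service publishes `"5001:5001"` on every host interface while bind-mounting `/var/run/docker.sock`, so whoever can reach that port controls the Docker daemon and therefore the whole appliance; nothing in the hunk restricts who can connect, and on a VPN/edge VM the management port is likely reachable from the same networks as the service ports. Bind it to loopback, `- "127.0.0.1:5001:5001"`, and reach it through SSH port forwarding or the existing reverse proxy with authentication in front, or state explicitly why wide exposure is intended. The identical block is added to `docker-compose.yaml` in the next hunk and needs the same treatment. `louislam/dockge:1` is a floating major tag on an image that is handed the Docker socket; pinning the full version or a digest keeps this privileged component reviewable and reproducible between OVA builds.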
diff --git a/ova/files/generate-env.sh b/ova/files/generate-env.sh
index af5d67b..3ce3c11 100644
--- a/ova/files/generate-env.sh
+++ b/ova/files/generate-env.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
-# Generates /opt/defguard/.env with random secrets on first boot.
+# Generates /opt/stacks/defguard/.env with random secrets on first boot.
 # If .env already exists (e.g. provided via cloud-init), this script does nothing.
-ENV_FILE="/opt/defguard/.env"
+ENV_FILE="/opt/stacks/defguard/.env"
 if [ -f "$ENV_FILE" ]; then
 echo "DefGuard: .env already exists, skipping generation."
@@ -17,8 +17,8 @@ DEFGUARD_GATEWAY_SECRET=$(openssl rand -hex 32)
 DEFGUARD_YUBIBRIDGE_SECRET=$(openssl rand -hex 32)
 DB_PASSWORD=$(openssl rand -hex 16)
-if [ -f "/opt/defguard/.image-tags" ]; then
- source "/opt/defguard/.image-tags"
+if [ -f "/opt/stacks/defguard/.image-tags" ]; then
+ source "/opt/stacks/defguard/.image-tags"
 fi
 : "${DEFGUARD_CORE_TAG:?DEFGUARD_CORE_TAG is required}"
diff --git a/ova/files/start.sh b/ova/files/start.sh
index 3bce6a0..bacd81e 100644
--- a/ova/files/start.sh
+++ b/ova/files/start.sh
@@ -1,21 +1,53 @@
 #!/bin/bash
 # Starts defguard via docker compose.
 # Default (no active-profiles file): starts the full all-in-one stack.
-# To select specific components, create /opt/defguard/active-profiles with a
+# To select specific components, create /opt/stacks/defguard/active-profiles with a
 # space or newline-separated list of profiles: core, gateway, edge
+#
+# To enable the Dockge docker management UI (port 5001), create the file:
+# /opt/stacks/defguard/enable-docker-management
+# Example cloud-init:
+# write_files:
+# - path: /opt/stacks/defguard/enable-docker-management
+# content: ""
-PROFILES_FILE="/opt/defguard/active-profiles"
+PROFILES_FILE="/opt/stacks/defguard/active-profiles"
+ENABLE_DOCKER_MGMT_FILE="/opt/stacks/defguard/enable-docker-management"
+
+# Append the dockge profile if the opt-in flag file is present
+_maybe_add_dockge() {
+ local profiles="$1"
+ if [ -f "$ENABLE_DOCKER_MGMT_FILE" ]; then
+ if [ -z "$profiles" ]; then
+ echo "dockge"
+ else
+ echo "${profiles},dockge"
+ fi
+ else
+ echo "$profiles"
+ fi
+}
 if [ ! -f "$PROFILES_FILE" ]; then
- docker compose -f /opt/defguard/docker-compose.yaml up -d
+ COMPOSE_PROFILES=$(_maybe_add_dockge "")
+ if [ -n "$COMPOSE_PROFILES" ]; then
+ export COMPOSE_PROFILES
+ fi
+ docker compose -f /opt/stacks/defguard/docker-compose.yaml up -d
 else
 COMPOSE_PROFILES=$(tr '[:space:]' ',' < "$PROFILES_FILE" | tr -s ',' | sed 's/,$//')
 if [ -z "$COMPOSE_PROFILES" ]; then
 echo "Warning: $PROFILES_FILE is empty or contains only whitespace; starting full all-in-one stack."
- unset COMPOSE_PROFILES
- docker compose -f /opt/defguard/docker-compose.yaml up -d
+ COMPOSE_PROFILES=$(_maybe_add_dockge "")
+ if [ -n "$COMPOSE_PROFILES" ]; then
+ export COMPOSE_PROFILES
+ else
+ unset COMPOSE_PROFILES
+ fi
+ docker compose -f /opt/stacks/defguard/docker-compose.yaml up -d
 else
+ COMPOSE_PROFILES=$(_maybe_add_dockge "$COMPOSE_PROFILES")
 export COMPOSE_PROFILES
- docker compose -f /opt/defguard/docker-compose.standalone.yaml up -d
+ docker compose -f /opt/stacks/defguard/docker-compose.standalone.yaml up -d
 fi
 fi
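Review bot: The no-profiles-file branch and the empty-profiles-file branch now carry two near-identical copies of the `_maybe_add_dockge "" ` / conditional export / `docker compose -f …/docker-compose.yaml up -d` sequence, and the non-empty branch repeats the export a third time; the only decisions the script actually makes are which compose file to use and what the final profile list is, so computing both first and invoking `docker compose` once removes the duplication and makes the next opt-in profile a one-line change. The rewrite below keeps the present behaviour: the default and empty-file cases use `docker-compose.yaml`, a non-empty list uses `docker-compose.standalone.yaml`, and `COMPOSE_PROFILES` is exported only when non-empty. Worth a comment on `_maybe_add_dockge`: if `active-profiles` already lists `dockge`, the helper appends it a second time (`core,dockge,dockge`), which compose tolerates but which is confusing in the startup log.
```shell
# … unchanged: header comments, PROFILES_FILE / ENABLE_DOCKER_MGMT_FILE, _maybe_add_dockge …

COMPOSE_FILE_PATH="/opt/stacks/defguard/docker-compose.yaml"
COMPOSE_PROFILES=""
if [ -f "$PROFILES_FILE" ]; then
  COMPOSE_PROFILES=$(tr '[:space:]' ',' < "$PROFILES_FILE" | tr -s ',' | sed 's/,$//')
  if [ -z "$COMPOSE_PROFILES" ]; then
    echo "Warning: $PROFILES_FILE is empty or contains only whitespace; starting full all-in-one stack."
  else
    COMPOSE_FILE_PATH="/opt/stacks/defguard/docker-compose.standalone.yaml"
  fi
fi

# The opt-in Dockge profile applies in every mode; export only when there is something to pass.
COMPOSE_PROFILES=$(_maybe_add_dockge "$COMPOSE_PROFILES")
if [ -n "$COMPOSE_PROFILES" ]; then
  export COMPOSE_PROFILES
else
  unset COMPOSE_PROFILES
fi
docker compose -f "$COMPOSE_FILE_PATH" up -d
```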