diff --git a/.gitignore b/.gitignore
index 89d9e0141..21a15bb40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -93,3 +93,7 @@ po/*.po
 docs/swagger
 _build
 *.prof
+
+# Docker
+docker-bake.*.json
+metadata.json
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6fffc68df..a4995231d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -431,72 +431,66 @@ deploy_docs: script: - rsync -r -e "ssh -p 2282" $CI_PROJECT_DIR/public/ docs@docs.funkwhale.audio:/htdocs/$CI_COMMIT_REF_NAME -.docker: +docker: interruptible: false + tags: [docker, privileged, multiarch] stage: build needs: - job: test_api optional: true - job: test_front optional: true + rules: + - if: $CI_COMMIT_TAG + variables: + BUILD_ARGS: > + --set *.platform=linux/amd64,linux/arm64,linux/arm/v7 + --set *.no-cache + --push + + - if: $CI_COMMIT_BRANCH =~ /(stable|develop)/ + variables: + BUILD_ARGS: > + --set *.platform=linux/amd64,linux/arm64,linux/arm/v7 + --set *.cache-from=type=registry,ref=$DOCKER_CACHE_IMAGE:$CI_COMMIT_BRANCH + --set *.cache-to=type=registry,ref=$DOCKER_CACHE_IMAGE:$CI_COMMIT_BRANCH,mode=max + --push + + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + variables: + BUILD_ARGS: > + --set *.platform=linux/amd64 + --set *.cache-from=type=registry,ref=$DOCKER_CACHE_IMAGE:$CI_MERGE_REQUEST_TARGET_BRANCH_NAME image: $CI_REGISTRY/funkwhale/ci/docker:20 - parallel: - matrix: - - COMPONENT: ["api", "front"] services: - docker:20-dind variables: <<: *keep_git_files_permissions - - IMAGE_NAME: funkwhale/$COMPONENT - IMAGE: $IMAGE_NAME:$CI_COMMIT_REF_NAME - IMAGE_LATEST: $IMAGE_NAME:latest - DOCKER_HOST: tcp://docker:2375/ DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" - BUILD_PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7 - tags: - - multiarch + BUILDKIT_PROGRESS: plain + + DOCKER_CACHE_IMAGE: $CI_REGISTRY/funkwhale/funkwhale/cache before_script: - - docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD + - > + echo "$CI_REGISTRY_PASSWORD" | docker login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"; + if [[ "$BUILD_ARGS" =~ "--push" ]]; then + echo "$DOCKER_PASSWORD" | docker login --username "$DOCKER_LOGIN" --password-stdin docker.io; + fi + script: - > if [[ -z "$CI_COMMIT_TAG" ]]; then ./scripts/set-api-build-metadata.sh $CI_COMMIT_SHORT_SHA; fi - cache: - key: docker_public_${CI_COMMIT_REF_NAME} + - 
docker buildx create --use + - make docker-build BUILD_ARGS="--metadata-file metadata.json $BUILD_ARGS" + - cat metadata.json + artifacts: + name: docker_build_files_${CI_COMMIT_REF_NAME} paths: - - ~/.cargo - -docker_stable: - extends: .docker - rules: - - if: $CI_COMMIT_TAG && $CI_COMMIT_REF_NAME =~ /^[0-9]+(.[0-9]+){1,2}$/ - script: - - ./docs/get-releases-json.py | scripts/is-docker-latest.py $CI_COMMIT_TAG - && export DOCKER_LATEST_TAG="-t $IMAGE_LATEST" || export DOCKER_LATEST_TAG=; - - export major="$(echo $CI_COMMIT_REF_NAME | cut -d '.' -f 1)" - - export minor="$(echo $CI_COMMIT_REF_NAME | cut -d '.' -f 1,2)" - - cd $COMPONENT - - docker buildx create --use --name A$CI_COMMIT_SHORT_SHA - - docker buildx build --platform $BUILD_PLATFORMS --push -t $IMAGE $DOCKER_LATEST_TAG -t $IMAGE_NAME:$major -t $IMAGE_NAME:$minor . - -docker_unstable: - extends: .docker - rules: - - if: $CI_COMMIT_TAG && $CI_COMMIT_REF_NAME !~ /^[0-9]+(.[0-9]+){1,2}$/ - script: - - cd $COMPONENT - - docker buildx create --use --name A$CI_COMMIT_SHORT_SHA - - docker buildx build --platform $BUILD_PLATFORMS --push -t $IMAGE . - -docker_dev: - extends: .docker - only: - - develop@funkwhale/funkwhale - - stable@funkwhale/funkwhale - script: - - cd $COMPONENT - - docker buildx create --use --name A$CI_COMMIT_SHORT_SHA - - docker buildx build --platform $BUILD_PLATFORMS --push -t $IMAGE . + - docker-bake.json + - docker-bake.api.json + - docker-bake.front.json + - metadata.json diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..6cf4a7fe5 --- /dev/null +++ b/Makefile 
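Review bot: The branch rule `- if: $CI_COMMIT_BRANCH =~ /(stable|develop)/` is unanchored and no longer scoped to the upstream project, yet it sets `--push` and so triggers the Docker Hub login in `before_script`. The removed `docker_dev` job ran only for `develop@funkwhale/funkwhale` and `stable@funkwhale/funkwhale`; the new pattern also matches names such as `unstable-test` or `feature/develop-x`, so a pipeline on any such branch would run the build with `--push` and write the registry cache. I would tighten it to `- if: $CI_COMMIT_BRANCH =~ /^(stable|develop)$/ && $CI_PROJECT_PATH == "funkwhale/funkwhale"`. Because the job now runs on `privileged` runners with `docker:20-dind` for merge requests as well, it is also worth confirming that `DOCKER_PASSWORD` is a protected variable and that the pushing branches and release tags are protected refs.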
@@ -0,0 +1,14 @@ +SHELL := bash +CPU_CORES := $(shell N=$$(nproc); echo $$(( $$N > 4 ? 4 : $$N ))) + +BAKE_FILES = \ + docker-bake.json \ + docker-bake.api.json \ + docker-bake.front.json + +docker-bake.%.json: + ./scripts/build_metadata.py --format bake --bake-target $* --bake-image docker.io/funkwhale/$* > $@ + +docker-build: $(BAKE_FILES) + docker buildx bake $(foreach FILE,$(BAKE_FILES), --file $(FILE)) --print $(BUILD_ARGS) + docker buildx bake $(foreach FILE,$(BAKE_FILES), --file $(FILE)) $(BUILD_ARGS) diff --git a/api/Dockerfile b/api/Dockerfile index bd7cb4a87..2ff935169 100644 --- a/api/Dockerfile +++ b/api/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.17 as pre-build +FROM alpine:3.17 as requirements # We need this additional step to avoid having poetrys deps interacting with our # dependencies. This is only required until alpine 3.16 is released, since this @@ -50,8 +50,8 @@ RUN set -eux; \ RUN python3 -m venv --system-site-packages /venv ENV PATH="/venv/bin:$PATH" -COPY --from=pre-build /requirements.txt /requirements.txt -COPY --from=pre-build /dev-requirements.txt /dev-requirements.txt +COPY --from=requirements /requirements.txt /requirements.txt +COPY --from=requirements /dev-requirements.txt /dev-requirements.txt RUN set -eux; \ pip3 install --upgrade pip; \ @@ -80,7 +80,7 @@ RUN set -eux; \ watchfiles==0.18.1; \ fi -FROM alpine:3.17 as image +FROM alpine:3.17 as production ENV PYTHONDONTWRITEBYTECODE=1 ENV PYTHONUNBUFFERED=1 diff --git a/changes/changelog.d/ci-use-buildx-bake-in-docker-job.misc b/changes/changelog.d/ci-use-buildx-bake-in-docker-job.misc new file mode 100644 index 000000000..8901bed00 --- /dev/null +++ b/changes/changelog.d/ci-use-buildx-bake-in-docker-job.misc @@ -0,0 +1 @@ +Use buildx bake in docker job diff --git a/docker-bake.json b/docker-bake.json new file mode 100644 index 000000000..95bda2c84 --- /dev/null +++ b/docker-bake.json 
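Review bot: `docker-bake.%.json:` has no prerequisites and `docker-build` is not declared phony, so once `docker-bake.api.json` or `docker-bake.front.json` exists in the tree it is never regenerated. A later `make docker-build` with `--push` outside a fresh CI checkout would then bake with whatever metadata the earlier run of `scripts/build_metadata.py` wrote (presumably tags derived from the git ref; the script is not visible here). I would add `.PHONY: docker-build` and force regeneration with `docker-bake.%.json: FORCE` plus an empty `FORCE:` rule. Adding `.DELETE_ON_ERROR:` would also stop a failed `build_metadata.py` run from leaving an empty `$@` behind through the `>` redirect. `CPU_CORES` is not referenced anywhere in this hunk, so it forks `nproc` at parse time for nothing unless a later change uses it.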
@@ -0,0 +1,17 @@ +{ + "group": { + "default": { + "targets": ["api", "front"] + } + }, + "target": { + "api": { + "context": "api", + "target": "production" + }, + "front": { + "context": "front", + "target": "production" + } + } +} diff --git a/front/Dockerfile b/front/Dockerfile index be6842a2e..5e750c478 100644 --- a/front/Dockerfile +++ b/front/Dockerfile @@ -1,8 +1,4 @@ -ARG BUILDPLATFORM=linux/amd64 -# default to building on linux/amd64 for legacy builders -# docker buildx overwrites this ARG - -FROM --platform=$BUILDPLATFORM node:18-alpine as builder +FROM --platform=linux/amd64 node:18-alpine as builder WORKDIR /app COPY package.json yarn.lock /app/ @@ -16,7 +12,7 @@ RUN yarn install RUN yarn build:deployment -FROM nginx:1.23.4-alpine as final +FROM nginx:1.23.4-alpine as production COPY --from=builder /app/dist /usr/share/nginx/html COPY docker/funkwhale.conf.template /etc/nginx/templates/default.conf.template
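Review bot: The builder stage in `front/Dockerfile` is now pinned with `FROM --platform=linux/amd64`, so on an arm64 build host the `yarn install` and `yarn build:deployment` steps run under emulation, or fail where no amd64 emulation is registered. BuildKit predefines `BUILDPLATFORM` in the global scope, so `FROM --platform=$BUILDPLATFORM node:18-alpine as builder` works without the removed `ARG` default and keeps the stage native to the builder. If the pin is deliberate, for example to share one build cache across target platforms, a short comment above the `FROM` saying so would keep a later reader from "fixing" it.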