isso
Optimize and secure Docker image
The Dockerfile might be using non-optimal base images and have too many steps as of now.
I'm no docker expert and pretty much just threw together what I saw in other projects in order to make the image work with newer npm packages in https://github.com/posativ/isso/pull/841.
For instance, we might drop the root user, use some kind of tighter sandboxing, use signed images, only expose to localhost instead of 0.0.0.0, ...
I found the following potentially relevant material:
- https://vsupalov.com/flask-megatutorial-review/
- https://medium.com/@luke_perry_dev/dockerizing-with-distroless-f3b84ae10f3a
- https://earthly.dev/blog/youre-using-docker-compose-wrong/
Maybe wonderfall has a few ideas, seeing https://github.com/souramoo/commentoplusplus/pull/89 and that they maintain(ed) https://github.com/wonderfall/docker-isso
Also: Allow configuration through environment variables passed to docker image. Related: https://github.com/posativ/isso/issues/397
Putting on backburner for now.
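The hardening points from the issue description (container running as root, base images that are not pinned, too many layers) can be checked mechanically before an image is built. The following is an added example, not code from the isso project: a small Dockerfile linter run over two constructed Dockerfiles, a "just make it work" one and a hardened multi-stage counterpart. The image digest in the hardened sample is a placeholder, not a real digest.

```python
"""Static check of a Dockerfile against the hardening points raised in this issue:
running as root, unpinned base images, and an unnecessary number of layers.
Added example, not part of the isso project."""
import re

# Constructed sample: a "just make it work" Dockerfile, not isso's real one.
SAMPLE_DOCKERFILE = """\
FROM python:3.11
COPY . /src
RUN apt-get update
RUN apt-get install -y gcc
RUN pip install /src
EXPOSE 8080
CMD ["isso", "run"]
"""

# Constructed hardened counterpart. The digest is a placeholder, not a real image digest.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
HARDENED_DOCKERFILE = f"""\
FROM python:3.11-slim@{PLACEHOLDER_DIGEST} AS builder
RUN pip install --prefix=/install isso

FROM python:3.11-slim@{PLACEHOLDER_DIGEST}
COPY --from=builder /install /usr/local
RUN useradd --system --uid 10001 --no-create-home isso
USER 10001
EXPOSE 8080
CMD ["isso", "run"]
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations, drops comments."""
    joined = re.sub(r"\\\r?\n", " ", text)
    instructions = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        instructions.append((head.upper(), rest.strip()))
    return instructions


def lint_dockerfile(text, max_consecutive_runs=2):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    instructions = parse_dockerfile(text)
    findings = []

    # Base-image pinning: every FROM that is not a stage alias needs an immutable digest.
    stage_names = set()
    for ins, arg in instructions:
        if ins != "FROM":
            continue
        parts = arg.split()
        image = parts[0]
        if len(parts) >= 3 and parts[1].upper() == "AS":
            stage_names.add(parts[2])
        if image.lower() == "scratch" or image in stage_names:
            continue
        if not DIGEST_RE.search(image):
            findings.append(f"base image {image!r} is not pinned by digest (the tag can change under you)")

    # Only the final stage ends up in the shipped image, so examine it in isolation.
    last_from = max((i for i, (ins, _) in enumerate(instructions) if ins == "FROM"), default=-1)
    final_stage = instructions[last_from + 1:]

    users = [arg for ins, arg in final_stage if ins == "USER"]
    if not users:
        findings.append("no USER instruction in the final stage: the container runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append(f"final USER is {users[-1]!r}: the container runs as root")

    # Layer count: long streaks of RUN instructions can usually be merged into one.
    streak = 0
    for ins, _ in final_stage:
        streak = streak + 1 if ins == "RUN" else 0
        if streak == max_consecutive_runs + 1:
            findings.append(f"more than {max_consecutive_runs} consecutive RUN instructions: merge them to cut layers")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name} ==")
        for finding in lint_dockerfile(text) or ["ok"]:
            print(" -", finding)
```

The "expose only to localhost" point from the issue is not a Dockerfile property: `EXPOSE` only documents a port, and the host binding is decided at `docker run -p 127.0.0.1:8080:8080` or in the compose file, so it has to be checked there rather than in the image.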
Another idea: Passing environment variables to the image, to be used instead of a config file. Requires general support for parsing env variables, see https://github.com/posativ/isso/issues/397
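As an added example for the environment-variable idea raised above and in the first post (not something isso implements; the `ISSO_<SECTION>_<OPTION>` naming scheme is an assumption made here): overlay environment variables onto a parsed isso-style INI config, so a container can be configured without mounting a config file. Unknown sections are reported instead of being created silently.

```python
"""Overlay ISSO_<SECTION>_<OPTION> environment variables onto an isso-style
INI configuration. Added example; the variable naming scheme is an assumption,
not something isso implements."""
import configparser
import os

ENV_PREFIX = "ISSO_"

# Constructed minimal config in isso's INI layout (section and option names as in isso.cfg).
BASE_CONFIG = """\
[general]
dbpath = /tmp/comments.db
max-age = 15m

[server]
listen = http://localhost:8080/
"""


def load_config(text):
    """Parse INI text; interpolation is off so values containing '%' pass through untouched."""
    config = configparser.ConfigParser(interpolation=None)
    config.read_string(text)
    return config


def apply_env_overrides(config, environ, prefix=ENV_PREFIX):
    """Map ISSO_<SECTION>_<OPTION>=value onto config[section][option].

    Assumed convention: the first token after the prefix is the section; the
    remaining tokens form the option, lower-cased with "_" replaced by "-" because
    isso's option names use hyphens (max-age, log-file, ...). Variables naming a
    section that does not exist in the file are ignored and reported rather than
    silently creating new sections. Returns (applied, ignored).
    """
    applied, ignored = [], []
    for key, value in sorted(environ.items()):
        if not key.startswith(prefix):
            continue
        section, _, option = key[len(prefix):].partition("_")
        section = section.lower()
        option = option.lower().replace("_", "-")
        if not section or not option or not config.has_section(section):
            ignored.append(key)
            continue
        config.set(section, option, value)
        applied.append((section, option))
    return applied, ignored


if __name__ == "__main__":
    cfg = load_config(BASE_CONFIG)
    applied, ignored = apply_env_overrides(cfg, os.environ)
    print("applied:", applied)
    print("ignored:", ignored)
    for section in cfg.sections():
        for option, value in cfg.items(section):
            print(f"[{section}] {option} = {value}")
```

One caveat for this approach: values passed as environment variables (an SMTP password, for instance) are readable via `docker inspect` and in the process environment, so they are no more private than a mounted config file and should be treated accordingly.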
Another aspect: Automatically build and push the currently supported version(s) on a regular basis (e.g. every week). This ensures that security updates in base images are applied automatically.
Here's an example of how it could work, if you only support a single stable version: https://github.com/dbrgn/churz/blob/f0a27a9792c8064296077c0a4d444e79412806ec/.github/workflows/ci.yml#L31-L49 (Note the "schedule" trigger at the top.) For publishing multiple supported versions, some scripting would be required. Maybe something similar to this: https://github.com/threema-ch/threema-web/blob/master/docker/rebuild.sh