diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 33975a53..095b93e8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,7 +26,7 @@ repos:
       - id: mixed-line-ending
         exclude: ^.*\.(lock)$
       - id: detect-private-key
-        exclude: api/src/tests/integration/mock_authentication.py
+        exclude: api/tests/integration/mock_authentication.py
       - id: no-commit-to-branch
         args: [--branch, main, --branch, master]
         stages: [commit-msg]
@@ -80,7 +80,7 @@ repos:
     hooks:
       - id: pytest
         name: pytest-check
-        entry: sh -c "cd ./api/src/ && poetry run pytest ./tests/"
+        entry: sh -c "cd ./api/ && poetry run pytest ./tests/"
         language: system
         pass_filenames: false
         always_run: true
diff --git a/api/.dockerignore b/api/.dockerignore
index 88789aa7..771c2628 100644
--- a/api/.dockerignore
+++ b/api/.dockerignore
@@ -1,3 +1,11 @@
-.venv
-.pytest_cache
-.mypy_cache
+# Ignore all by default
+*
+!pyproject.toml
+!poetry.lock
+
+!src/**/*.py
+!src/*.py
+!src/init.sh
+
+!tests/**/*.py
+!tests/test_data/
diff --git a/api/Dockerfile b/api/Dockerfile
index 33780b7c..3712ca65 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -1,26 +1,76 @@
-FROM --platform=linux/amd64 python:3.12-slim AS base
+# syntax=docker/dockerfile:1
+FROM python:3.13.2-alpine3.21 AS base
+ENV XDG_CACHE_HOME=/var/lib/
+ENV SITE_PACKAGES=/usr/local/lib/python3.13/site-packages
+
+ENV USER="api-user"
+
+RUN adduser \
+    --disabled-password \
+    --home /code \
+    --gecos "" \
+    --uid 1000 \
+    "$USER"
+
 WORKDIR /code
 CMD ["/code/src/init.sh", "api"]
 EXPOSE 5000
 
 ENV PYTHONUNBUFFERED=1
-ENV PYTHONPATH=/code
+ENV PYTHONPATH=/code/src
+
+FROM base AS dependencies
+ENV POETRY_VERSION=1.8.5
+
+ENV TO_BE_REMOVED="/usr/local/share/to-be-removed.txt"
+# Enumerate files that should not be present in dependencies-slim
+# that way, the relevant folders can be COPY-ed without incurring the size cost of already existing items
+RUN <<EOF
+#!/usr/bin/env sh
+set -eu
 
-RUN pip install --upgrade pip && \
-    pip install poetry && \
+find /usr/local/bin -mindepth 1 > "$TO_BE_REMOVED"
+find "$SITE_PACKAGES" -maxdepth 1 -mindepth 1 >> "$TO_BE_REMOVED"
+
+EOF
+
+ENV PATH="/root/.local/bin:$PATH"
+RUN \
+    --mount=type=cache,target="$XDG_CACHE_HOME/pip" \
+    pip install --upgrade pip && \
+    pip install --user "poetry==$POETRY_VERSION" && \
     poetry config virtualenvs.create false
 
-COPY pyproject.toml pyproject.toml
-COPY poetry.lock poetry.lock
+RUN --mount=type=cache,target=/var/cache/apk \
+    apk add  \
+        linux-headers \
+        musl-dev \
+        gcc
+
+COPY --chown="$USER:$USER" \
+    pyproject.toml poetry.lock ./
+RUN --mount=type=cache,target="$XDG_CACHE_HOME/pip" \
+    poetry install --no-dev
+
+FROM dependencies AS dependencies-slim
+RUN <<EOF
+#!/usr/bin/env sh
+set -eu
+
+# Remove all files / directories that are (already) present in the final image
+cat "$TO_BE_REMOVED" | while IFS= read -r path; do
+    rm -rf "$path"
+done
+EOF
 
-FROM base AS development
-RUN poetry install
-WORKDIR /code/src
-COPY src .
+FROM dependencies AS development
+RUN --mount=type=cache,target="$XDG_CACHE_HOME/pip" \
+    poetry install --with dev
+COPY --chown="$USER:$USER" . .
 USER 1000
 
 FROM base AS prod
-RUN poetry install --without dev
-WORKDIR /code/src
-COPY src .
+COPY --from=dependencies-slim "$SITE_PACKAGES" "$SITE_PACKAGES"
+COPY --from=dependencies-slim /usr/local/bin/ /usr/local/bin/
+COPY --chown="$USER:$USER" src src
 USER 1000
diff --git a/api/poetry.lock b/api/poetry.lock
index 3cc8eddd..524f5753 100644
--- a/api/poetry.lock
+++ b/api/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.5 and should not be changed by hand.
 
 [[package]]
 name = "annotated-types"
@@ -2278,4 +2278,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.12"
-content-hash = "479092f75c7386e1707535858b09cf802ee2a1f8b6eee8fafc1e41c2ec6a2803"
+content-hash = "6f1438c577737462af19e6ebc0fa47eb64f8041595cfd169c0c4f06cf29f6cd1"
diff --git a/api/pyproject.toml b/api/pyproject.toml
index 4a9d777a..fe8763fb 100644
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -20,6 +20,7 @@ pydantic-extra-types = "^2.10"
 azure-monitor-opentelemetry = "^1.6.2"
 opentelemetry-instrumentation-fastapi = "^0.48b0"
 cryptography = "^44.0.0"
+click = "^8.1.8"
 
 [tool.poetry.group.dev.dependencies]
 pre-commit = ">=3"
@@ -65,7 +66,7 @@ strict = true
 
 [tool.ruff]
 
-src = ["src"]
+src = [".", "src"]
 target-version = "py311"
 line-length = 119
 
@@ -87,7 +88,7 @@ ignore = [
 
 [tool.ruff.lint.per-file-ignores]
 "__init__.py" = ["E402"]  # Ignore `E402` (import violations) in all `__init__.py` files
-"src/tests/*" = ["S101"]  # Allow the use of ´assert´ in tests
+"tests/*" = ["S101"]  # Allow the use of ´assert´ in tests
 
 [tool.codespell]
 skip = "*.lock,*.cjs"
@@ -100,6 +101,9 @@ markers = [
     "integration: mark a test as integration test."
 ]
 testpaths = [
-    "src/tests/unit",
-    "src/tests/integration"
+    "tests/unit",
+    "tests/integration"
+]
+pythonpath = [
+    "src"
 ]
diff --git a/api/src/init.sh b/api/src/init.sh
index ab98d07f..c12de11d 100755
--- a/api/src/init.sh
+++ b/api/src/init.sh
@@ -1,8 +1,11 @@
-#!/bin/sh
+#!/usr/bin/env sh
 set -eu
 
+ROOT_DIR="$(cd "$(dirname -- "$0")" && pwd -P)"
+readonly ROOT_DIR
+
 if [ "$1" = 'api' ]; then
-  python3 ./app.py run
+  python3 "$ROOT_DIR/app.py" run
 else
   exec "$@"
 fi
diff --git a/api/src/tests/__init__.py b/api/tests/__init__.py
similarity index 100%
rename from api/src/tests/__init__.py
rename to api/tests/__init__.py
diff --git a/api/src/tests/conftest.py b/api/tests/conftest.py
similarity index 100%
rename from api/src/tests/conftest.py
rename to api/tests/conftest.py
diff --git a/api/src/tests/integration/__init__.py b/api/tests/integration/__init__.py
similarity index 100%
rename from api/src/tests/integration/__init__.py
rename to api/tests/integration/__init__.py
diff --git a/api/src/tests/integration/common/test_exception_handler.py b/api/tests/integration/common/test_exception_handler.py
similarity index 100%
rename from api/src/tests/integration/common/test_exception_handler.py
rename to api/tests/integration/common/test_exception_handler.py
diff --git a/api/src/tests/integration/features/health_check/test_health_check_feature.py b/api/tests/integration/features/health_check/test_health_check_feature.py
similarity index 100%
rename from api/src/tests/integration/features/health_check/test_health_check_feature.py
rename to api/tests/integration/features/health_check/test_health_check_feature.py
diff --git a/api/src/tests/integration/features/todo/test_todo_feature.py b/api/tests/integration/features/todo/test_todo_feature.py
similarity index 100%
rename from api/src/tests/integration/features/todo/test_todo_feature.py
rename to api/tests/integration/features/todo/test_todo_feature.py
diff --git a/api/src/tests/integration/features/whoami/test_whoami_feature.py b/api/tests/integration/features/whoami/test_whoami_feature.py
similarity index 100%
rename from api/src/tests/integration/features/whoami/test_whoami_feature.py
rename to api/tests/integration/features/whoami/test_whoami_feature.py
diff --git a/api/src/tests/integration/mock_authentication.py b/api/tests/integration/mock_authentication.py
similarity index 100%
rename from api/src/tests/integration/mock_authentication.py
rename to api/tests/integration/mock_authentication.py
diff --git a/api/src/tests/unit/__init__.py b/api/tests/unit/__init__.py
similarity index 100%
rename from api/src/tests/unit/__init__.py
rename to api/tests/unit/__init__.py
diff --git a/api/src/tests/unit/common/test_exception_handler_integration.py b/api/tests/unit/common/test_exception_handler_integration.py
similarity index 100%
rename from api/src/tests/unit/common/test_exception_handler_integration.py
rename to api/tests/unit/common/test_exception_handler_integration.py
diff --git a/api/src/tests/unit/data_providers/clients/mongodb/test_mongo_database_client.py b/api/tests/unit/data_providers/clients/mongodb/test_mongo_database_client.py
similarity index 100%
rename from api/src/tests/unit/data_providers/clients/mongodb/test_mongo_database_client.py
rename to api/tests/unit/data_providers/clients/mongodb/test_mongo_database_client.py
diff --git a/api/src/tests/unit/features/__init__.py b/api/tests/unit/features/__init__.py
similarity index 100%
rename from api/src/tests/unit/features/__init__.py
rename to api/tests/unit/features/__init__.py
diff --git a/api/src/tests/unit/features/todo/__init__.py b/api/tests/unit/features/todo/__init__.py
similarity index 100%
rename from api/src/tests/unit/features/todo/__init__.py
rename to api/tests/unit/features/todo/__init__.py
diff --git a/api/src/tests/unit/features/todo/conftest.py b/api/tests/unit/features/todo/conftest.py
similarity index 100%
rename from api/src/tests/unit/features/todo/conftest.py
rename to api/tests/unit/features/todo/conftest.py
diff --git a/api/src/tests/unit/features/todo/entities/__init__.py b/api/tests/unit/features/todo/entities/__init__.py
similarity index 100%
rename from api/src/tests/unit/features/todo/entities/__init__.py
rename to api/tests/unit/features/todo/entities/__init__.py
diff --git a/api/src/tests/unit/features/todo/entities/test_todo_item.py b/api/tests/unit/features/todo/entities/test_todo_item.py
similarity index 100%
rename from api/src/tests/unit/features/todo/entities/test_todo_item.py
rename to api/tests/unit/features/todo/entities/test_todo_item.py
diff --git a/api/src/tests/unit/features/todo/repository/__init__.py b/api/tests/unit/features/todo/repository/__init__.py
similarity index 100%
rename from api/src/tests/unit/features/todo/repository/__init__.py
rename to api/tests/unit/features/todo/repository/__init__.py
diff --git a/api/src/tests/unit/features/todo/repository/test_todo_repository.py b/api/tests/unit/features/todo/repository/test_todo_repository.py
similarity index 100%
rename from api/src/tests/unit/features/todo/repository/test_todo_repository.py
rename to api/tests/unit/features/todo/repository/test_todo_repository.py
diff --git a/api/src/tests/unit/features/todo/use_cases/test_add_todo.py b/api/tests/unit/features/todo/use_cases/test_add_todo.py
similarity index 97%
rename from api/src/tests/unit/features/todo/use_cases/test_add_todo.py
rename to api/tests/unit/features/todo/use_cases/test_add_todo.py
index f2520e0d..f8881645 100644
--- a/api/src/tests/unit/features/todo/use_cases/test_add_todo.py
+++ b/api/tests/unit/features/todo/use_cases/test_add_todo.py
@@ -1,17 +1,17 @@
-import pytest
-from pydantic import ValidationError
-
-from features.todo.repository.todo_repository_interface import TodoRepositoryInterface
-from features.todo.use_cases.add_todo import AddTodoRequest, add_todo_use_case
-
-
-def test_add_with_valid_title_should_return_todo(todo_repository: TodoRepositoryInterface):
-    data = AddTodoRequest(title="new todo")
-    result = add_todo_use_case(data, user_id="xyz", todo_repository=todo_repository)
-    assert result.title == data.title
-
-
-def test_add_with_empty_title_should_throw_validation_error(todo_repository: TodoRepositoryInterface):
-    with pytest.raises(ValidationError):
-        data = AddTodoRequest(title="")
-        add_todo_use_case(data, user_id="xyz", todo_repository=todo_repository)
+import pytest
+from pydantic import ValidationError
+
+from features.todo.repository.todo_repository_interface import TodoRepositoryInterface
+from features.todo.use_cases.add_todo import AddTodoRequest, add_todo_use_case
+
+
+def test_add_with_valid_title_should_return_todo(todo_repository: TodoRepositoryInterface):
+    data = AddTodoRequest(title="new todo")
+    result = add_todo_use_case(data, user_id="xyz", todo_repository=todo_repository)
+    assert result.title == data.title
+
+
+def test_add_with_empty_title_should_throw_validation_error(todo_repository: TodoRepositoryInterface):
+    with pytest.raises(ValidationError):
+        data = AddTodoRequest(title="")
+        add_todo_use_case(data, user_id="xyz", todo_repository=todo_repository)
diff --git a/api/src/tests/unit/features/todo/use_cases/test_delete_todo_by_id.py b/api/tests/unit/features/todo/use_cases/test_delete_todo_by_id.py
similarity index 100%
rename from api/src/tests/unit/features/todo/use_cases/test_delete_todo_by_id.py
rename to api/tests/unit/features/todo/use_cases/test_delete_todo_by_id.py
diff --git a/api/src/tests/unit/features/todo/use_cases/test_get_todo_all.py b/api/tests/unit/features/todo/use_cases/test_get_todo_all.py
similarity index 100%
rename from api/src/tests/unit/features/todo/use_cases/test_get_todo_all.py
rename to api/tests/unit/features/todo/use_cases/test_get_todo_all.py
diff --git a/api/src/tests/unit/features/todo/use_cases/test_get_todo_by_id.py b/api/tests/unit/features/todo/use_cases/test_get_todo_by_id.py
similarity index 100%
rename from api/src/tests/unit/features/todo/use_cases/test_get_todo_by_id.py
rename to api/tests/unit/features/todo/use_cases/test_get_todo_by_id.py
diff --git a/api/src/tests/unit/features/todo/use_cases/test_update_todo.py b/api/tests/unit/features/todo/use_cases/test_update_todo.py
similarity index 100%
rename from api/src/tests/unit/features/todo/use_cases/test_update_todo.py
rename to api/tests/unit/features/todo/use_cases/test_update_todo.py
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index 2f0d6dd0..36e50705 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -6,6 +6,7 @@ services:
     image: template-api-dev
     volumes:
       - ./api/src/:/code/src
+      - ./api/tests/:/code/tests
     env_file:
       - .env
     environment:
diff --git a/documentation/docs/contribute/development-guide/03-testing.md b/documentation/docs/contribute/development-guide/03-testing.md
index 5282be75..b4b48ef4 100644
--- a/documentation/docs/contribute/development-guide/03-testing.md
+++ b/documentation/docs/contribute/development-guide/03-testing.md
@@ -11,7 +11,7 @@ The application has two types of API tests: unit tests and integration tests.
 
 ### Unit tests
 
-You will find unit tests under `src/tests/unit`.
+You will find unit tests under `tests/unit`.
 
 <Tabs groupId="api-testing">
 <TabItem value="using-docker" label="Using docker">
@@ -36,7 +36,7 @@ As a general rule, unit tests should not have any external dependencies - especi
 
 ### Integration tests
 
-The integrations tests can be found under `src/tests/integration`.
+The integrations tests can be found under `tests/integration`.
 
 To run integration tests add `--integration` as argument for pytest.
 
diff --git a/documentation/docs/contribute/development-guide/coding/extending-the-api/02-adding-entities.md b/documentation/docs/contribute/development-guide/coding/extending-the-api/02-adding-entities.md
index 31730fe8..50e6b1de 100644
--- a/documentation/docs/contribute/development-guide/coding/extending-the-api/02-adding-entities.md
+++ b/documentation/docs/contribute/development-guide/coding/extending-the-api/02-adding-entities.md
@@ -24,7 +24,7 @@ Entities should not be affected by any change external to them.
 ## Testing entities
 
 ```mdx-code-block
-import Test from '!!raw-loader!@site/../api/src/tests/unit/features/todo/entities/test_todo_item.py';
+import Test from '!!raw-loader!@site/../api/tests/unit/features/todo/entities/test_todo_item.py';
 
 <CodeBlock language="jsx">{Test}</CodeBlock>
 ```
diff --git a/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-data-providers/01-clients.md b/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-data-providers/01-clients.md
index d383198f..45b12492 100644
--- a/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-data-providers/01-clients.md
+++ b/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-data-providers/01-clients.md
@@ -15,7 +15,7 @@ import MongoClient from '!!raw-loader!@site/../api/src/data_providers/clients/mo
 The `test_client` fixture are using the mongomock instead of real database.
 
 ```mdx-code-block
-import Test from '!!raw-loader!@site/../api/src/tests/unit/data_providers/clients/mongodb/test_mongo_database_client.py';
+import Test from '!!raw-loader!@site/../api/tests/unit/data_providers/clients/mongodb/test_mongo_database_client.py';
 
 <CodeBlock language="jsx">{Test}</CodeBlock>
 ```
diff --git a/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-data-providers/03-repositories.md b/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-data-providers/03-repositories.md
index fd3519b2..9939cf62 100644
--- a/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-data-providers/03-repositories.md
+++ b/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-data-providers/03-repositories.md
@@ -17,7 +17,7 @@ Use the `test_client` fixture as input to TodoRepository. The `test_client` fixt
 real database.
 
 ```mdx-code-block
-import Test from '!!raw-loader!@site/../api/src/tests/unit/features/todo/repository/test_todo_repository.py';
+import Test from '!!raw-loader!@site/../api/tests/unit/features/todo/repository/test_todo_repository.py';
 
 <CodeBlock language="jsx">{Test}</CodeBlock>
 ```
diff --git a/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-features/01-controllers.md b/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-features/01-controllers.md
index ec156619..6bf0f5d0 100644
--- a/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-features/01-controllers.md
+++ b/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-features/01-controllers.md
@@ -29,7 +29,7 @@ FastAPI is built around the [OpenAPI Specification](https://github.com/OAI/OpenA
 Use the `test_client` fixture to populate the database with test data and `test_app` fixture to perform REST API calls.
 
 ```mdx-code-block
-import Test from '!!raw-loader!@site/../api/src/tests/integration/features/todo/test_todo_feature.py';
+import Test from '!!raw-loader!@site/../api/tests/integration/features/todo/test_todo_feature.py';
 
 <CodeBlock language="jsx">{Test}</CodeBlock>
 ```
diff --git a/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-features/02-use-cases.md b/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-features/02-use-cases.md
index 7a8be020..84608b9e 100644
--- a/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-features/02-use-cases.md
+++ b/documentation/docs/contribute/development-guide/coding/extending-the-api/adding-features/02-use-cases.md
@@ -30,7 +30,7 @@ The use-case should only know of the repository interface (abstract class) befor
 Use the `todo_repository` fixture as input to use_cases.
 
 ```mdx-code-block
-import Test from '!!raw-loader!@site/../api/src/tests/unit/features/todo/use_cases/test_add_todo.py';
+import Test from '!!raw-loader!@site/../api/tests/unit/features/todo/use_cases/test_add_todo.py';
 
 <CodeBlock language="jsx">{Test}</CodeBlock>
 ```
diff --git a/web/.dockerignore b/web/.dockerignore
index 50eb0783..4c6aef2b 100644
--- a/web/.dockerignore
+++ b/web/.dockerignore
@@ -1,2 +1,23 @@
-node_modules
-src/build
+# ignore all by default
+*
+
+# Nginx
+!nginx/*.conf
+!nginx/*/*.conf
+
+# Single Page Application
+# Dependencies
+!package.json
+!yarn.lock
+
+# Application
+!public/
+!index.html
+!src/**/*.tsx
+!src/**/*.ts
+!src/*.tsx
+!src/*.ts
+
+# Configuration / build files
+!vite.config.mts
+!tsconfig.json
diff --git a/web/Dockerfile b/web/Dockerfile
index b620604c..331f7284 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -1,63 +1,88 @@
-FROM nginx:1.22.0-alpine AS server
-
-RUN apk upgrade --update-cache
-
-# Run as non-root
-RUN deluser nginx
-RUN adduser --disabled-password --no-create-home --gecos "" --uid 1000  nginx
-
-# Copy configs
-COPY nginx/nginx.conf /etc/nginx/nginx.conf
-COPY nginx/config/ /etc/nginx/config
-
-# Remove default nginx config
-RUN rm /etc/nginx/conf.d/default.conf
-
-# Copy sites-available into sites-enabled
-COPY nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
-
-# Create log directory if not present, set permissions
-RUN mkdir -p /var/log/nginx && \
-    chown -R nginx:nginx /var/log/nginx
-
-# Create tmp directory if not present, set permissions
-RUN mkdir -p /tmp/nginx && \
-    chown -R nginx:nginx /tmp/nginx
-
-# Create pidfile, set permissions
-RUN touch /var/run/nginx.pid && \
-    chown -R nginx:nginx /var/run/nginx.pid
-
-# Run master process as non-root user
-USER 1000
-
-FROM node:22 AS base
-ARG AUTH_ENABLED=0
-# Azure AD requires a scope.
-ARG AUTH_SCOPE=""
-ARG CLIENT_ID=""
-ARG TENANT_ID=""
-ENV VITE_AUTH_SCOPE=$AUTH_SCOPE
-ENV VITE_AUTH=$AUTH_ENABLED
-ENV VITE_AUTH_CLIENT_ID=$CLIENT_ID
-ENV VITE_AUTH_TENANT=$TENANT_ID
-ENV VITE_TOKEN_ENDPOINT=https://login.microsoftonline.com/${VITE_AUTH_TENANT}/oauth2/v2.0/token
-ENV VITE_AUTH_ENDPOINT=https://login.microsoftonline.com/${VITE_AUTH_TENANT}/oauth2/v2.0/authorize
-ENV VITE_LOGOUT_ENDPOINT=https://login.microsoftonline.com/${VITE_AUTH_TENANT}/oauth2/logout
-
-WORKDIR /code
-COPY ./ ./
-RUN yarn install
-
-FROM base AS development
-CMD ["yarn", "start"]
-
-FROM server AS nginx-dev
-COPY nginx/environments/web.dev.conf  /etc/nginx/environments/
-
-FROM base AS build
-RUN yarn build
-
-FROM server AS nginx-prod
-COPY nginx/environments/web.prod.conf /etc/nginx/environments/
-COPY --from=build /code/build /data/www
+# syntax=docker/dockerfile:1
+FROM nginx:1.27.4-alpine3.21-slim AS server
+
+# Create a non-root user, which will be running the server
+
+RUN <<EOF
+#!/usr/bin/env sh
+set -eu
+
+# Ensure that the nginx-user has a uid >= 1000
+# that way, it is not a privileged user, and radix will be happy
+deluser "nginx"
+adduser \
+    --disabled-password \
+    --no-create-home \
+    --gecos "" \
+    --uid 1000 \
+    "nginx"
+
+# Remove default nginx config
+rm /etc/nginx/conf.d/default.conf
+
+# Create log directory if not present, set permissions
+mkdir -p /var/log/nginx
+chown -R "nginx:nginx" /var/log/nginx
+
+# Create tmp directory if not present, set permissions
+mkdir -p /tmp/nginx
+chown -R "nginx:nginx" /tmp/nginx
+
+# Create pidfile, set permissions
+touch /var/run/nginx.pid
+chown -R "nginx:nginx" /var/run/nginx.pid
+EOF
+
+# Copy configs
+COPY nginx/nginx.conf /etc/nginx/nginx.conf
+COPY nginx/config/ /etc/nginx/config
+
+# Copy sites-available into sites-enabled
+COPY nginx/sites-available/default.conf /etc/nginx/sites-enabled/default.conf
+
+# Run master process as non-root user
+USER 1000
+
+FROM node:22.13.1-alpine3.21 AS base
+ARG AUTH_ENABLED=0
+# Azure AD requires a scope.
+ARG AUTH_SCOPE=""
+ARG CLIENT_ID=""
+ARG TENANT_ID=""
+ENV VITE_AUTH_SCOPE=$AUTH_SCOPE
+ENV VITE_AUTH=$AUTH_ENABLED
+ENV VITE_AUTH_CLIENT_ID=$CLIENT_ID
+ENV VITE_AUTH_TENANT=$TENANT_ID
+ENV VITE_TOKEN_ENDPOINT=https://login.microsoftonline.com/${VITE_AUTH_TENANT}/oauth2/v2.0/token
+ENV VITE_AUTH_ENDPOINT=https://login.microsoftonline.com/${VITE_AUTH_TENANT}/oauth2/v2.0/authorize
+ENV VITE_LOGOUT_ENDPOINT=https://login.microsoftonline.com/${VITE_AUTH_TENANT}/oauth2/logout
+
+ENV YARN_CACHE_FOLDER=/var/cache/yarn
+
+RUN mkdir /code && \
+    chown -R "node:node" /code
+
+WORKDIR /code
+USER "node"
+COPY --chown="node:node" package.json yarn.lock ./
+RUN --mount=type=cache,target=$YARN_CACHE_FOLDER,uid=1000 \
+     yarn install
+
+COPY --chown="node:node" public public
+COPY --chown="node:node" tsconfig.json vite.config.mts index.html ./
+COPY --chown="node:node" src src
+
+FROM base AS development
+ENV YARN_CACHE_FOLDER=""
+CMD ["yarn", "start"]
+
+FROM server AS nginx-dev
+COPY nginx/environments/web.dev.conf  /etc/nginx/environments/
+
+FROM base AS build
+RUN --mount=type=cache,target=$YARN_CACHE_FOLDER,uid=1000 \
+    yarn build
+
+FROM server AS nginx-prod
+COPY nginx/environments/web.prod.conf /etc/nginx/environments/
+COPY --from=build /code/build /data/www