refactor: migrate to distroless multi-stage Docker build

Dockerfile

@@ -1,20 +1,41 @@
-FROM python:3.11
+# Multi-stage build to create a distroless image
+FROM python:3.11 AS builder
 
-RUN install -o www-data -g www-data -d -m 0755 /var/www
+# Install poetry and the export plugin
+# RUN pip install poetry poetry-plugin-export
 
-USER www-data
+# Create working directory
+WORKDIR /app
 
-RUN curl -sSL https://install.python-poetry.org | python3 -
+# Copy dependency files
+COPY requirements.txt ./
 
-ENV PATH=/var/www/.local/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Export dependencies to requirements.txt
+# RUN poetry export -f requirements.txt --output requirements.txt --without-hashes
 
-COPY README.md pyproject.toml poetry.lock docker-entrypoint.sh index.html favicon.ico /var/www/
-COPY myice /var/www/myice
+# Install dependencies to a target directory that we can copy to the distroless image
+RUN pip install --no-cache-dir --target=/app/site-packages -r requirements.txt
 
-WORKDIR /var/www
+# Create distroless image
+FROM gcr.io/distroless/python3-debian12
 
-RUN poetry install && . $(poetry env info -p)
+# Copy installed packages and application from builder stage
+COPY --from=builder /app/site-packages /app/site-packages
 
+# Copy application code
+COPY index.html favicon.ico /app/
+COPY myice /app/myice
+
+# Set PYTHONPATH so Python can find our installed packages
+ENV PYTHONPATH=/app/site-packages
+
+# Set working directory
+WORKDIR /app
+
+# Expose port
 EXPOSE 8000
 
-ENTRYPOINT [ "/var/www/docker-entrypoint.sh" ]
+USER nonroot
+
+# Run the application directly with Python using the distroless entrypoint
+ENTRYPOINT ["/usr/bin/python3", "-m", "uvicorn", "myice.webapi:app", "--host", "0.0.0.0", "--port", "8000"]