fix: allow container to run as non-root user

- Create mediamanager user and group (UID/GID 1000)
- Set ownership of /app and /data to mediamanager
- Configure uv to use writable cache directory in home
- Set UV_LINK_MODE=copy for better compatibility
- Closes #96

metadata_relay/Dockerfile

@@ -4,11 +4,27 @@ LABEL version=${VERSION}
 
 ENV BASE_PATH=""
 
-RUN apt-get update && apt-get install -y ca-certificates
+RUN apt-get update && apt-get install -y ca-certificates && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
+# Create a non-root user and group
+RUN groupadd -g 1000 mediamanager && \
+    useradd -m -u 1000 -g mediamanager mediamanager
 
 WORKDIR /app
-COPY . .
-RUN uv sync --locked
+# Ensure mediamanager owns the app directory
+RUN chown mediamanager:mediamanager /app
+
+USER mediamanager
+
+# Set uv cache to a writable home directory and use copy mode for volume compatibility
+ENV UV_CACHE_DIR=/home/mediamanager/.cache/uv \
+    UV_LINK_MODE=copy
+
+COPY --chown=mediamanager:mediamanager . .
+RUN --mount=type=cache,target=/home/mediamanager/.cache/uv,uid=1000,gid=1000 \
+    uv sync --locked
+
 EXPOSE 8000
-CMD ["uv", "run", "fastapi", "run", "/app/main.py"]
+CMD ["uv", "run", "fastapi", "run", "/app/main.py"]