
feat(docker): improve Dockerfile building with non-root user and replacing CMD with ENTRYPOINT#222

Merged
missuo merged 3 commits into
OwO-Network:mainfrom
danny900714:feat/nonroot-docker
May 23, 2026

Conversation

@danny900714
Contributor

@danny900714 danny900714 commented May 23, 2026

Resolves #221.

I also changed the following in the Dockerfile:

  1. Replace CMD with ENTRYPOINT so that users can pass arguments directly to the deeplx binary when running docker run.
  2. EXPOSE port 1188 (serves a documentation purpose; see the Dockerfile reference)

If this PR is accepted, may I know when this change will be published?

@danny900714
Contributor Author

New commit 3aa23e1 uses a deterministic UID/GID (1000:1000 in this case) to run the deeplx binary.

@missuo
Member

missuo commented May 23, 2026

A small concern about the user creation on Alpine specifically:

addgroup -g 1000 -S deeplx && adduser -h /app -G deeplx -SH -u 1000 deeplx

Mixing -S (system account) with -u 1000 is semantically inconsistent on Alpine/busybox. By Alpine convention, system users live in the 100–999 UID range, while 1000+ is reserved for regular users. busybox's adduser/addgroup doesn't enforce this so the account is created without complaint, but it leaves a few rough edges on this base image:

  • Future UID collision: nothing currently sits at UID 1000 in base Alpine, but if a future Alpine release (or any package layered on top) installs a user there, this Dockerfile will fail to build. Hard-coding 1000 together with -S is a fragile assumption against Alpine's own conventions.
  • Security scanner / policy noise: tools and org base-image policies that classify accounts as "UID < 1000 → system, ≥ 1000 → regular" will see a regular UID despite the -S intent. Most won't care, but some will flag it.
  • Volume mount UX: UID 1000 happens to match the first regular user on most host distros, which can be desirable (bind-mount permission alignment) or surprising depending on intent — worth being explicit.

Two cleaner options depending on which behavior you actually want:

  • Truly a system user: drop -u 1000 and let busybox pick from the system range, or pick a clearly non-conflicting UID like 65532 (distroless convention).
  • Regular user for volume UX: drop -S from both addgroup and adduser and keep -u 1000.

Minor nit unrelated to Alpine: -h /app -H is redundant — -H already prevents home directory creation, and /app already exists from WORKDIR /app above, so -h /app doesn't add anything.

Otherwise the change looks good and the ENTRYPOINT switch is a nice usability win.
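The Dockerfile shape the review above converges on (system account with no hard-coded UID, USER and --chown by name, EXPOSE 1188, ENTRYPOINT instead of CMD), written here as an added example rather than the project's own Dockerfile; the builder stage, the Go build command and the alpine tag are assumptions, while the binary name, /app and port 1188 come from the PR.

```dockerfile
# Added example, not the project's Dockerfile. Builder stage and build
# command are assumptions; /app, deeplx and 1188 come from the PR text.
FROM golang:alpine AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/deeplx .

FROM alpine:latest
WORKDIR /app

# System account: no -u/-g, so busybox assigns from Alpine's system
# range (100-999), consistent with -S. -H skips home-directory creation;
# -h /app is omitted because WORKDIR already created /app.
RUN addgroup -S deeplx && adduser -S -H -G deeplx deeplx

# Alternative for bind-mount UID alignment: a regular user, so drop -S
# and keep -u/-g 1000. Busybox adduser then needs -D, otherwise it
# prompts for a password and the build hangs.
# RUN addgroup -g 1000 deeplx && adduser -D -H -G deeplx -u 1000 deeplx

# The account exists at this point, so --chown can use names instead of
# a numeric UID that might collide with a future base image.
COPY --from=builder --chown=deeplx:deeplx /out/deeplx /app/deeplx

# Name-based USER: whatever UID busybox picked is resolved at runtime.
USER deeplx

# Documentation only; the port is published with -p at docker run time.
EXPOSE 1188

# ENTRYPOINT makes `docker run <image> <args>` append <args> to the binary.
ENTRYPOINT ["/app/deeplx"]
```

To confirm the container is not running as root, `docker run --rm --entrypoint id <image>` should print a uid below 1000 for the system-account variant (or exactly 1000 for the alternative).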

Drop explicit -u 1000/-g 1000 and let busybox assign from Alpine's
system UID range (100-999), aligning with -S (system account)
semantics. Reference the account by name in USER and --chown to
avoid hard-coding a numeric UID that could collide with future
Alpine releases or layered packages.
@missuo missuo merged commit 1b88e42 into OwO-Network:main May 23, 2026
@missuo
Member

missuo commented May 23, 2026

Thanks for the contribution and for the patience on the follow-up!

On the release timing: we cut new versions only when a functionally-necessary change is ready to ship — Dockerfile improvements alone won't trigger a release on their own, so I can't give you a concrete date.

If you'd like to start using the non-root image right away, the most straightforward path is to git clone the repo at current main and run docker build locally. That gives you the security improvement immediately without waiting on a tagged release.


Development

Successfully merging this pull request may close these issues.

Build Docker image with non-root user
