chore: modernize Docker setup and project configuration

- Refactor Dockerfile for multi-stage builds and security enhancements
- Add `Taskfile.yml` for streamlined development workflows
- Update `.dockerignore` to exclude unnecessary files and directories
- Introduce `dev` optional dependencies group in `pyproject.toml` and `uv.lock`
- Cleanup unused entries from `uv.lock` and `pyproject.toml`

Author: Pdzly

Taskfile.yml

@@ -0,0 +1,13 @@
+# https://taskfile.dev
+
+version: '3'
+
+tasks:
+  dev:frontend:
+    env:
+      APP_DEBUG: true
+    cmd: docker compose --profile dev_frontend up -d --build
+  dev:backend:
+    env:
+      APP_DEBUG: true
+    cmd: docker compose --profile dev_backend up -d --build

backend/.dockerignore

@@ -1,4 +1,58 @@
-files/
+# Virtual environments
 .venv/
+venv/
+env/
+ENV/
+
+# Python cache and compiled files
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+.ruff_cache/
+
+# IDE and editor files
+.idea/
+.vscode/
+.claude/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Git
+.git/
+.gitignore
+.gitattributes
+
+# Documentation
+*.md
+README.md
+docs/
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+
+# Build artifacts
+build/
+dist/
+*.egg-info/
+
+# Environment and secrets
+.env
+.env.*
+!.env.example
+alembic.ini
 .cleanup.lock
-alembic.ini
+
+# Storage directory (mounted as volume)
+files/
+
+# Development files
+Dockerfile
+Dockerfile.*
+.dockerignore
+docker-compose*.yml

backend/Dockerfile

@@ -1,28 +1,91 @@
-FROM python:3.13-slim
+# ============================================
+# Stage 1: Base - Common Configuration
+# ============================================
+FROM python:3.13.1-slim AS base
 
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
-
-ENV APP_PORT=8000
-ENV APP_RELOAD=false
-ENV PATH="/root/.local/bin:$PATH"
+# Install security updates and minimal runtime dependencies
+# Create non-root user (UID 10001 is common convention)
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
+        ca-certificates \
+        curl && \
+    rm -rf /var/lib/apt/lists/* && \
+    groupadd -g 10001 appuser && \
+    useradd -u 10001 -g appuser -m -s /bin/bash appuser
 
 WORKDIR /app
 
-# Copy project files
-COPY . .
+# ============================================
+# Stage 2: Builder - Dependency Installation
+# ============================================
+FROM base AS builder
+
+# Install build dependencies (only needed during build)
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        gcc \
+        g++ \
+        libpq-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy uv from official image (pinned version for reproducibility)
+COPY --from=ghcr.io/astral-sh/uv:0.5.16 /uv /uvx /usr/local/bin/
+
+# Copy dependency files first for optimal layer caching
+# Changes to source code won't invalidate this layer
+COPY pyproject.toml uv.lock ./
+
+# Install dependencies
+# --frozen: Use exact versions from uv.lock (reproducible builds)
+# --no-dev: Exclude development dependencies
+# --extra migrations: Include migrations group (psycopg2-binary)
+# --no-cache: Prevent uv cache bloat in image
+RUN uv sync --frozen --no-dev --extra migrations --no-cache
+
+# ============================================
+# Stage 3: Runtime - Production Image
+# ============================================
+FROM base AS runtime
+
+# Copy uv for runtime execution
+COPY --from=ghcr.io/astral-sh/uv:0.5.16 /uv /uvx /usr/local/bin/
+
+# Copy installed dependencies from builder stage
+# This excludes build tools (gcc, g++, libpq-dev)
+COPY --from=builder /app/.venv /app/.venv
+
+# Copy application code
+COPY --chown=appuser:appuser . .
+
+# Copy Docker-specific alembic config
+COPY --chown=appuser:appuser alembic.docker.ini alembic.ini
+
+# Create files directory and set ownership for entire /app directory
+# This ensures appuser can write to .venv and create build artifacts
+RUN mkdir -p /app/files && \
+    chown -R appuser:appuser /app
 
-# Copy alembic config
-COPY alembic.docker.ini alembic.ini
+# Switch to non-root user for security
+USER appuser
 
-# Install system dependencies
-RUN apt-get update && apt-get install -y \
-    curl \
-    gcc \
-    && rm -rf /var/lib/apt/lists/*
+# Environment variables
+ENV APP_PORT=8000 \
+    APP_RELOAD=false \
+    PATH="/app/.venv/bin:$PATH" \
+    PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1
 
-# Install Python dependencies using uv
-RUN uv sync --extra migrations
+# Expose application port
+EXPOSE 8000
 
-EXPOSE $PORT
+# Health check using existing /health endpoint
+# --interval=30s: Check every 30 seconds
+# --timeout=5s: Mark unhealthy if no response in 5s
+# --start-period=10s: Grace period for app startup
+# --retries=3: Require 3 consecutive failures before marking unhealthy
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+    CMD curl -f http://localhost:${APP_PORT:-8000}/health || exit 1
 
+# Use exec form for proper signal handling (graceful shutdown)
 CMD ["uv", "run", "main.py"]

backend/app/services/paste_service.py

@@ -49,7 +49,6 @@ def __init__(
         self._lock_file: Path = Path(".cleanup.lock")
         self._cleanup_service: CleanupService = cleanup_service
 
-
     async def _read_content(self, paste_path: str) -> str | None:
         try:
             async with aiofiles.open(paste_path) as f:

backend/pyproject.toml

@@ -15,20 +15,20 @@ dependencies = [
     "pydantic-settings>=2.12.0",
     "uuid>=1.30",
     "aiofiles>=25.1.0",
-    "setuptools>=68",
-    "wheel>=0.45.1",
     "alembic>=1.17.2",
     "slowapi>=0.1.9",
     "orjson>=3.11.5",
     "aiocache>=0.12.3",
     "fastapi-cors>=0.0.6",
-    "ruff>=0.14.9",
     "argon2-cffi>=23.1.0",
 ]
 [project.optional-dependencies]
 migrations = [
     "psycopg2-binary",
 ]
+dev = [
+    "ruff>=0.14.9",
+]
 
 [tool.uvicorn]
 factory = false