diff --git a/Dockerfile b/Dockerfile
index bf4ce03..08a72c5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,16 @@
-# Multi-stage für kleinere finale Imagegröße
-FROM python:3.12-slim AS base
+# Alpine-basiertes Image für kleinere Größe
+FROM python:3.12-alpine AS base
 ENV PYTHONDONTWRITEBYTECODE=1 \
 PYTHONUNBUFFERED=1 \
 PIP_NO_CACHE_DIR=1
-# System deps (tzdata optional falls benötigt)
-RUN apt-get update && apt-get install -y --no-install-recommends \
- ca-certificates \
- && rm -rf /var/lib/apt/lists/*
+# Systemabhängigkeiten installieren (su-exec für Rechtewechsel)
+RUN apk add --no-cache ca-certificates su-exec
 # Non-root user
-RUN useradd -u 10001 -m appuser
+RUN addgroup -S appgroup \
+ && adduser -S -G appgroup -u 10001 appuser
 WORKDIR /app
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 2176363..758405b 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -4,13 +4,13 @@ set -e
 # If running as root, fix ownership of /data, then drop privileges
 if [ "$(id -u)" = "0" ]; then
 mkdir -p /data
- chown -R appuser:appuser /data || echo "Warn: could not chown /data"
+ chown -R appuser:appgroup /data || echo "Warn: could not chown /data"
 # Copy example config only if missing target
 if [ ! -f /app/config.yaml ] && [ -f /app/config.example.yaml ]; then
 cp /app/config.example.yaml /app/config.yaml
- chown appuser:appuser /app/config.yaml || true
+ chown appuser:appgroup /app/config.yaml || true
 fi
- exec su -s /bin/sh appuser -c "$*"
+ exec su-exec appuser "$@"
 else
 exec "$@"
 fi
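Review bot: The new `RUN apk add --no-cache ca-certificates su-exec` installs both packages unpinned, and the new `FROM python:3.12-alpine AS base` is pinned only by tag, so a rebuild weeks later silently pulls different su-exec, ca-certificates and base layers than the ones reviewed here (hadolint DL3018 / DL3006). Pin them as `apk add --no-cache ca-certificates=<version from apk info> su-exec=<version>` and `FROM python:3.12-alpine@sha256:<digest>`, and bump deliberately. The move from `-slim` (glibc) to `-alpine` (musl) also changes which pip wheels apply: any requirement with a compiled extension now needs a musllinux wheel or a build toolchain that this stage no longer installs, which is worth confirming against the dependency install step that lies outside this hunk. Note that su-exec is only needed because the entrypoint starts as root; the hunk creates `appuser` but no `USER` line is in view, so the privilege drop rests entirely on docker-entrypoint.sh doing its job.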
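Review bot: `exec su-exec appuser "$@"` has no guard for an empty argument list: if the container is started without a command, su-exec gets nothing to run and fails with its usage text, while the `exec "$@"` in the else branch becomes a bare `exec` no-op and the script exits 0 silently. A one-line check ahead of the `if`, `[ "$#" -gt 0 ] || { echo "docker-entrypoint: no command given" >&2; exit 64; }`, makes the failure explicit in both branches. Separately, `chown -R appuser:appgroup /data` now walks the whole volume as root on every start; on a large or bind-mounted `/data` that is slow and unnecessary once ownership is already correct, so consider `[ "$(stat -c %U /data)" = "appuser" ] || chown -R appuser:appgroup /data || echo "Warn: could not chown /data"` (BusyBox stat supports `-c %U`). The script header with `set -e` sits above this hunk.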