diff --git a/Dockerfile b/Dockerfile
index 914607d..fc2f27b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,9 @@
-FROM node:22-alpine@sha256:0340fa682d72068edf603c305bfbc10e23219fb0e40df58d9ea4d6f33a9798bf AS build-frontend
+ARG NODE_IMAGE=node:22-alpine
+ARG NODE_HASH=sha256:0340fa682d72068edf603c305bfbc10e23219fb0e40df58d9ea4d6f33a9798bf
+ARG PYTHON_IMAGE=python:3.13-alpine
+ARG PYTHON_HASH=sha256:e7e041128ffc3e3600509f508e44d34ab08ff432bdb62ec508d01dfc5ca459f7
+
+FROM ${NODE_IMAGE}@${NODE_HASH} AS build-frontend
 WORKDIR /src
@@ -11,11 +16,13 @@ RUN corepack enable && corepack prepare pnpm@latest --activate
 RUN pnpm install --frozen-lockfile && \
 pnpm run build-frontend
-FROM python:3.13-alpine@sha256:e7e041128ffc3e3600509f508e44d34ab08ff432bdb62ec508d01dfc5ca459f7
+FROM ${PYTHON_IMAGE}@${PYTHON_HASH}
 WORKDIR /app
-RUN apk add --no-cache ffmpeg espeak-ng opusfile libffi-dev
+RUN apk add --no-cache ffmpeg espeak-ng opusfile libffi-dev && \
+ addgroup -S meshchat && adduser -S meshchat -G meshchat && \
+ mkdir -p /config && chown meshchat:meshchat /config
 COPY pyproject.toml poetry.lock ./
 RUN apk add --no-cache --virtual .build-deps \
@@ -28,9 +35,10 @@ RUN apk add --no-cache --virtual .build-deps \
 poetry install --no-root --only main && \
 apk del .build-deps
-COPY meshchatx ./meshchatx
+COPY --chown=meshchat:meshchat meshchatx ./meshchatx
+COPY --from=build-frontend --chown=meshchat:meshchat /src/meshchatx/public ./meshchatx/public
-COPY --from=build-frontend /src/meshchatx/public ./meshchatx/public
+USER meshchat
 ENV PYTHONUNBUFFERED=1
diff --git a/Taskfile.yml b/Taskfile.yml
index 022e093..d7369e2 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
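Review bot: The digest pins in the Dockerfile `@@ -1,4 +1,9 @@` hunk become build-arg defaults, so any `--build-arg NODE_HASH=...` or `PYTHON_HASH=...` silently replaces the pinned base image, and the four ARG lines carry no comment saying so. When a tag and a digest are both given, the digest decides what is pulled, so overriding only the tag in `NODE_IMAGE` has no effect on the image that is built. I would add a comment above the ARG block, e.g. `# Base images are pinned by digest; override *_IMAGE and *_HASH together, and only with a digest you have verified.` Splitting the reference across two ARGs may also stop automated digest-update tooling from recognising the pin, which is worth checking if the project relies on one.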
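Review bot: `addgroup -S meshchat && adduser -S meshchat -G meshchat` in the Dockerfile `@@ -11,11 +16,13 @@` hunk lets the base image pick the UID and GID, so ownership of `/config` is not guaranteed to stay the same across base-image changes. A volume written by an earlier root-run container will probably not be writable once `USER meshchat` (last Dockerfile hunk) takes effect. Fixed IDs make host-side ownership and orchestrator non-root checks predictable: `addgroup -S -g 10001 meshchat && adduser -S -u 10001 -G meshchat meshchat`, paired with `USER 10001:10001`; the value 10001 is only an example. How `/config` is mounted is not visible in this hunk, so the volume concern should be confirmed against the compose files.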
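Review bot: Both `COPY --chown=meshchat:meshchat` lines in the Dockerfile `@@ -28,9 +35,10 @@` hunk hand ownership of the application code and the built frontend to the account the service runs as, so a compromised process could rewrite its own code and static assets. Dropping `--chown` leaves the files root-owned, which keeps `/config` as the only path the service is meant to write to: `COPY meshchatx ./meshchatx` and `COPY --from=build-frontend /src/meshchatx/public ./meshchatx/public`. The files stay readable by `meshchat` provided the sources have the usual world-readable modes. If the application writes inside its package directory at runtime, a narrower exception would be needed; that cannot be seen from the hunk.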
@@ -327,6 +327,11 @@ tasks:
 cmds:
 - 'MESHCHAT_IMAGE="{{.DOCKER_IMAGE}}" {{.DOCKER_COMPOSE_CMD}} -f {{.DOCKER_COMPOSE_FILE}} up --remove-orphans --pull never reticulum-meshchatx'
+ run-docker-dev:
+ desc: Run Docker container in development mode using docker-compose.dev.yml
+ cmds:
+ - 'MESHCHAT_IMAGE="{{.DOCKER_IMAGE}}" {{.DOCKER_COMPOSE_CMD}} -f docker-compose.dev.yml up --build --remove-orphans reticulum-meshchatx'
+
 docker-build-env:
 desc: Build the Docker image for containerized builds
 cmds:
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 13f17bb..e10d272 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -1,7 +1,10 @@
 services:
 reticulum-meshchatx:
+ build:
+ context: .
+ dockerfile: Dockerfile
 container_name: reticulum-meshchatx
- image: git.quad4.io/rns-things/meshchatx-dev:dev
+ image: reticulum-meshchatx:local
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
diff --git a/docker-compose.yml b/docker-compose.yml
index 61e0674..0d9026a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
 reticulum-meshchatx:
 container_name: reticulum-meshchatx
- image: git.quad4.io/rns-things/meshchatx:latest
+ image: ${MESHCHAT_IMAGE:-git.quad4.io/rns-things/meshchatx:latest}
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
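Review bot: The new `run-docker-dev` task in Taskfile.yml sets `MESHCHAT_IMAGE`, but the lines of docker-compose.dev.yml changed in this commit hard-code `image: reticulum-meshchatx:local`, so the variable looks unused there. The task also spells out `docker-compose.dev.yml` where the neighbouring task uses `{{.DOCKER_COMPOSE_FILE}}`. Either drop the prefix, `- '{{.DOCKER_COMPOSE_CMD}} -f docker-compose.dev.yml up --build --remove-orphans reticulum-meshchatx'`, or have the dev compose file read the variable so the task and the file agree on which image is run. The rest of docker-compose.dev.yml is outside the hunk, so the variable may be consumed elsewhere.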
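Review bot: In docker-compose.yml the default in `${MESHCHAT_IMAGE:-git.quad4.io/rns-things/meshchatx:latest}` is still the mutable `:latest` tag. The image that runs now also depends on whatever `MESHCHAT_IMAGE` holds in the caller's shell or `.env`, and no comment says so. A comment above the line would help, e.g. `# MESHCHAT_IMAGE overrides the image; use a release tag or <image>@sha256:<digest> for reproducible deployments`. Consider changing the default itself to a release tag or digest so that a plain `up` does not follow `:latest`, in line with the digest-pinned base images in the Dockerfile.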