diff --git a/Dockerfile b/Dockerfile
index a52161a..5235bae 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,8 @@
 
 # Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
 ARG RUBY_VERSION=3.4.3
-FROM registry.docker.com/library/ruby:$RUBY_VERSION-slim AS base
+FROM ghcr.io/surnet/alpine-wkhtmltopdf:3.22.0-024b2b2-full as wkhtmltopdf
+FROM ruby:${RUBY_VERSION}-alpine3.21 AS base
 
 # Rails app lives here
 WORKDIR /rails
@@ -13,14 +14,24 @@ ENV RAILS_ENV="production" \
     BUNDLE_PATH="/usr/local/bundle" \
     BUNDLE_WITHOUT="development"
 
-RUN apt-get update && apt-get install -y nodejs wkhtmltopdf
+# Install runtime dependencies
+RUN apk update && \
+    apk add --no-cache nodejs
+
+COPY --from=wkhtmltopdf /bin/wkhtmltopdf /bin/
 
 # Throw-away build stage to reduce size of final image
 FROM base AS build
 
 # Install packages needed to build gems
-RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y build-essential git libpq-dev libvips pkg-config libyaml-dev
+RUN apk update && \
+    apk add --no-cache \
+        build-base \
+        git \
+        postgresql-dev \
+        vips-dev \
+        pkgconfig \
+        yaml-dev
 
 # Install application gems
 COPY Gemfile Gemfile.lock ./
@@ -37,23 +48,24 @@ RUN bundle exec bootsnap precompile app/ lib/
 # Precompiling assets for production without requiring secret RAILS_MASTER_KEY
 RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
 
-
 # Final stage for app image
 FROM base
 
 # Install packages needed for deployment
-RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y curl libvips postgresql-client && \
-    rm -rf /var/lib/apt/lists /var/cache/apt/archives
+RUN apk update && \
+    apk add --no-cache \
+        curl \
+        vips \
+        postgresql-client
 
 # Copy built artifacts: gems, application
 COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
-    chown -R rails:rails db log storage tmp
-USER rails:rails
+RUN adduser -D -h /home/rails rails && \
+    chown -R rails:rails db log storage tmp || true
+USER rails
 
 # Entrypoint prepares the database.
 ENTRYPOINT ["/rails/bin/docker-entrypoint"]