diff --git a/Dockerfile b/Dockerfile
index ca3cd4f..92c5e22 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:alpine AS build
+FROM golang:alpine3.21 AS build
 WORKDIR /app/
@@ -10,7 +10,9 @@ COPY . .
 RUN --mount=type=cache,target=/root/.cache/go-build \
     go build -ldflags "-s -w -X 'main.version=$(date '+%Y-%m-%d')-$(git rev-list --abbrev-commit -1 HEAD)'"
-FROM alpine:edge
+FROM alpine:3.21
+
+RUN adduser -u 10001 -S appuser
 RUN apk add --no-cache libwebp
@@ -18,4 +20,7 @@ WORKDIR /app/
 COPY --from=build /app/http3-ytproxy /app/http3-ytproxy
-CMD ./http3-ytproxy -l 0.0.0.0
+# Switch to non-privileged user
+USER appuser
+
+ENTRYPOINT ["/app/http3-ytproxy"]
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index b411d74..8aa7b71 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,13 +1,12 @@
-# Docker compose file for http3-proxy used in Invidious
-# IMPORTANT: Create the docker network manually before using gluetun
-# sudo docker network create --subnet=172.80.0.0/16 gluetun-http3-ytproxy
+# Docker compose file for http3-ytproxy used in inv.nadeko.net
 services:
   http3-proxy:
+    build: .
     image: git.nadeko.net/fijxu/http3-ytproxy:latest
     restart: always
     # Uncomment this IF YOU ARE using gluetun!
-    network_mode: "service:gluetun"
+    # network_mode: "service:gluetun"
     # Uncomment this IF YOU ARE NOT using gluetun!
     # ports:
     #   - "0.0.0.0:8443:8443/tcp" # HTTP/2
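Review bot: The new `ENTRYPOINT ["/app/http3-ytproxy"]` drops the `-l 0.0.0.0` argument the old `CMD` passed, and the docker-compose.yml hunk in this same commit also removes the `command:` line that supplied `-l 0.0.0.0 -p 8443 -https`, so the container now starts the binary with no arguments at all; unless its built-in defaults happen to match, it will no longer listen on all interfaces or serve TLS on 8443 as the compose comments and cert mounts assume. Keeping the previous default as overridable arguments, `CMD ["-l", "0.0.0.0"]` after the `ENTRYPOINT`, preserves the old behaviour while still letting compose replace it. Separately, once `USER appuser` (uid 10001) is active, the bind-mounted `./key.key` and `./fullchain.pem` from the compose file must be readable by that uid, and a private key kept at the usual 0600 host permissions will fail to open; a short comment next to `USER appuser` noting that mounted cert/key files need to be readable by uid 10001 would save operators a confusing startup failure. The `adduser -u 10001 -S appuser` line in the previous hunk is fine as is, since the uid is stable and numeric.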
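Review bot: `build: .` is added while `image: git.nadeko.net/fijxu/http3-ytproxy:latest` is kept, so a local build is now tagged with the registry image name and `docker compose up` will run whichever of the pulled or locally built image is present, which makes the deployed code ambiguous; if the intent is local-build-only, drop the `image:` line or document the choice with a comment such as `# build locally; image: only names the resulting tag`. With `network_mode: "service:gluetun"` now commented out by default and the `ports:` block still commented out, the default configuration publishes nothing and the proxy is unreachable until the operator edits one of the two, which the surrounding comments do not say. The `:latest` tag on both this service and the gluetun image also means `restart: always` plus a re-pull can silently change the running code; pinning a tag or digest is worth considering.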
@@ -16,10 +15,16 @@ services:
     volumes:
       - ./key.key:/data/key.key:ro
       - ./fullchain.pem:/data/cert.pem:ro
-    command: "./http3-ytproxy -l 0.0.0.0 -p 8443 -https"
     depends_on:
-      - gluetun
+      gluetun:
+        condition: service_healthy
+    # Needed for HTTP/3, otherwise, quic-go will output this depending of the machine:
+    # "failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB).
+    # See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."
+    cap_add:
+      - NET_ADMIN
+  # You can comment this whole service if you are not going to use Gluetun at all
   gluetun:
     image: qmcgaw/gluetun:latest
     restart: always
@@ -37,17 +42,3 @@ services:
      - /dev/net/tun:/dev/net/tun
     volumes:
       - ./gluetun:/gluetun
-    environment:
-      - VPN_SERVICE_PROVIDER="${VPN_PROVIDER}"
-      - VPN_TYPE=wireguard
-      - WIREGUARD_PRIVATE_KEY="${WIREGUARD_KEY}"
-      - WIREGUARD_ADDRESSES="${WIREGUARD_ADDRESSES}"
-      - SERVER_HOSTNAMES="${SERVER_HOSTNAMES}"
-      # Use system DNS (Setup a caching DNS server!)
-      - DNS_KEEP_NAMESERVER=on
-    networks:
-      gluetun-http3-ytproxy:
-
-networks:
-  gluetun-http3-ytproxy:
-    external: true
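Review bot: `cap_add: - NET_ADMIN` is a broad grant for what the comment describes as a UDP receive-buffer warning: CAP_NET_ADMIN lets the proxy process reconfigure interfaces, routes and firewall rules in its network namespace, and when `network_mode: "service:gluetun"` is enabled that namespace is the VPN container's, so a compromised proxy could alter the tunnel's routing. The buffer limits quic-go complains about (`net.core.rmem_max`/`net.core.wmem_max`) are, as far as I know, host-kernel settings that are not per-container, so raising them on the host lets the capability be dropped entirely; at minimum the comment should say the capability is optional and only silences the warning, e.g. `# Optional: lets quic-go raise the UDP buffer itself; prefer setting net.core.rmem_max on the host and removing this`. The change to `depends_on: gluetun: condition: service_healthy` is now unconditional even though `network_mode: "service:gluetun"` is commented out in the hunk above, so an operator who follows the "comment this whole service" hint will get a compose error on the dangling `depends_on` reference; that line needs the same "comment out if not using gluetun" guidance.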