diff --git a/docker/Dockerfile b/docker/Dockerfile
index 803a550..6419329 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,38 +1,52 @@
-FROM python:3.7-slim-buster
+FROM debian:buster
 
 ARG BUILD_SERIES=dev
 ARG BUILD_ID=0
 
 ENV DEBIAN_FRONTEND noninteractive
 
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    make \
-    && apt-get clean
+# This Dockerfile attempts to strike a balance between image size and time it
+# takes to do an incremental build on changes.
+# Improvements welcome.
 
-COPY Makefile /opt/snikket-web-portal/Makefile
+RUN set -eu; \
+    apt-get update ; \
+    apt-get install -y --no-install-recommends \
+        python3 python3-pip python3-setuptools python3-wheel \
+        libpython3-dev \
+        make build-essential \
+        ; \
+    apt-get clean ; rm -rf /var/lib/apt/lists
 
 COPY requirements.txt /opt/snikket-web-portal/requirements.txt
-
 COPY build-requirements.txt /opt/snikket-web-portal/build-requirements.txt
 
-COPY snikket_web/ /opt/snikket-web-portal/snikket_web
-
-COPY babel.cfg /opt/snikket-web-portal/babel.cfg
-
-COPY web_config.production.py /opt/snikket-web-portal/.local/web_config.py
-
 WORKDIR /opt/snikket-web-portal
 
-RUN pip install -r requirements.txt \
-    && pip install -r build-requirements.txt
+RUN set -eu; \
+    pip3 install -r requirements.txt; \
+    pip3 install -r build-requirements.txt; \
+    rm -rf /root/.cache;
 
-RUN make
+COPY Makefile /opt/snikket-web-portal/Makefile
+COPY snikket_web/ /opt/snikket-web-portal/snikket_web
+COPY babel.cfg /opt/snikket-web-portal/babel.cfg
 
+# NOTE: abusing true(1) as a terrible way to disable a specific command. If
+# one merged all the RUN commands into one, one would want to run the
+# uninstall/remove commands there, but with the split up RUN commands it is
+# rather pointless.
+RUN set -eu; \
+    make; \
+    true pip3 uninstall -yr build-requirements.txt; \
+    true apt-get remove -y build-essential make libpython3-dev; \
+    true apt-get autoremove -y; \
+    pip3 install hypercorn; \
+    rm -rf /root/.cache; \
+    apt-get clean ; rm -rf /var/lib/apt/lists
+
+COPY web_config.production.py /opt/snikket-web-portal/.local/web_config.py
 ENV SNIKKET_WEB_CONFIG "/opt/snikket-web-portal/.local/web_config.py"
 
-RUN pip install hypercorn
-
-ADD docker/entrypoint.sh /bin/entrypoint.sh
-
-ENTRYPOINT ["/bin/sh", "/bin/entrypoint.sh"]
+ADD docker/entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
diff --git a/web_config.production.py b/web_config.production.py
index 022beb9..372d14a 100644
--- a/web_config.production.py
+++ b/web_config.production.py
@@ -26,8 +26,7 @@ except KeyError:
           'To avoid losing sessions on each server restart, please provide '
           'a SECRET_KEY.',
           file=sys.stderr)
-
-SECRET_KEY = os.environ.get('SECRET_KEY', secrets.token_urlsafe(nbytes=32))
+    SECRET_KEY = secrets.token_urlsafe(nbytes=32)
 
 # URL (without trailing /) of the prosody HTTP server.
 #