Add an unprivileged user to the Dockerfile in both production and
development images.

This MR is based on uis/devops/regent-house-ballots/ballots-webapp!83
which was successfully deployed to the development instance with no
deployment-side changes needed.

Regent house ballots is a good test because, unlike the bare
boilerplate, it installs some system dependencies in order to run tox.
This required adding a workaround to the `container:tox` image in order
to run tests as the unprivileged user but still install dependencies.

Specifically the `.gitlab/webapp.gitlab-ci.yml` file needed the `docker`
command which runs tests changed to:

    docker run --rm --network host --entrypoint=""
    -e TEST_USE_EXTERNAL_DATABASE -e EXTERNAL_SETTING_DATABASES
    --user root
    "$APPLICATION_IMAGE"
    "/bin/bash" "-c" "apt-get -y update && \
      apt-get -y install pkg-config build-essential libxmlsec1-dev && \
      su --shell=/usr/bin/bash \
        '--command=poetry install --no-root --sync' webapp && \
      su --shell=/usr/bin/bash '--command=poetry run pytest' webapp"

Since some other downstream projects may need similar workarounds, this
change is marked as **BREAKING**.

Closes #122

feat(Dockerfile)!: use an unprivileged user to run application

Closes #122

See merge request !134