From 5ad2ad691f7105e538834a38ca1b81f8532c2c50 Mon Sep 17 00:00:00 2001
From: Sebastian Slettebakken <43045439+sebastas@users.noreply.github.com>
Date: Sat, 6 Jun 2026 17:27:10 +0200
Subject: [PATCH] Add non-root user support and entrypoint script for Docker setup
---
 Dockerfile | 13 ++++++++-----
 docker-compose.yml | 3 ++-
 entrypoint.sh | 17 +++++++++++++++++
 3 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100644 entrypoint.sh
diff --git a/Dockerfile b/Dockerfile
index 8c4d23a..1ec5b87 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,20 +19,23 @@ ENV NODE_ENV=production
 # DATA_DIR is the single volume mount point for both SQLite and uploads
 ENV DATA_DIR=/data
-# Create a non-root user
-RUN addgroup --system --gid 1001 nodejs && \
- adduser --system --uid 1001 nextjs && \
+# Create a non-root user with default UID/GID (overridable at runtime via PUID/PGID)
+RUN apk add --no-cache su-exec shadow && \
+ addgroup --gid 1001 nodejs && \
+ adduser --uid 1001 --ingroup nodejs --disabled-password --gecos "" nextjs && \
 mkdir -p /data/uploads && chown -R nextjs:nodejs /data
 # Copy standalone build output
 COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
 COPY --from=builder --chown=nextjs:nodejs /app/public ./public
-
-USER nextjs
+COPY --chmod=755 entrypoint.sh /entrypoint.sh
 EXPOSE 3000
 ENV PORT=3000
 ENV HOSTNAME=0.0.0.0
+ENV PUID=1001
+ENV PGID=1001
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["node", "server.js"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 9cef501..f9644a5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,8 @@ services:
 volumes:
 - app_data:/data
 environment:
- - DATA_DIR=/data
+ PUID: 1000
+ PGID: 1000
 restart: unless-stopped
 volumes:
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..e0be5f0
--- /dev/null
+++ b/entrypoint.sh
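Review bot: Removing `USER nextjs` makes root the image's configured user, so the privilege drop now depends entirely on `/entrypoint.sh` running: a `docker run --entrypoint` override, an orchestrator `command` that replaces the entrypoint, or a plain `docker exec` all land in the container as root, and the final layer additionally carries the `shadow` account-management tools (which on Alpine may include setuid helpers). The trade-off is deliberate but undocumented; I would add at the `COPY --chmod=755 entrypoint.sh /entrypoint.sh` line: `# No USER on purpose: /entrypoint.sh remaps UID/GID from PUID/PGID as root, then drops to nextjs via su-exec`. The `apk add --no-cache su-exec shadow` line is also unpinned (hadolint DL3018); `apk add --no-cache su-exec=<pinned-version> shadow=<pinned-version>` keeps the runtime image reproducible across rebuilds.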
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+PUID=${PUID:-1001}
+PGID=${PGID:-1001}
+
+# Only remap if the requested IDs differ from the defaults baked into the image
+if [ "$PGID" != "1001" ]; then
+ groupmod -g "$PGID" nodejs
+fi
+if [ "$PUID" != "1001" ]; then
+ usermod -u "$PUID" nextjs
+fi
+
+chown -R nextjs:nodejs /data
+
+exec su-exec nextjs "$@"
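Review bot: `PUID`/`PGID` are passed straight to `usermod -u` and `groupmod -g` without validation, so `PUID=0` (or `00`) rewrites the nextjs account to UID 0 and the final `exec su-exec nextjs "$@"` then runs the application as root, silently defeating the non-root design; a non-numeric value only fails by luck of `set -e`. Before the remap blocks I would reject both cases, e.g. `case "$PUID" in ''|*[!0-9]*) echo "PUID must be numeric" >&2; exit 1;; esac` followed by `[ "$PUID" -gt 0 ] || { echo "PUID must not be 0" >&2; exit 1; }`, and the same pair for `PGID`. Separately, `chown -R nextjs:nodejs /data` runs on every start regardless of whether a remap happened, so startup time grows with the uploads directory; if it exists only to follow the remap, guard it on the IDs actually changing (`[ "$PUID" = "1001" ] && [ "$PGID" = "1001" ] || chown -R nextjs:nodejs /data`), and if it is also meant to repair externally populated bind mounts, say so in a comment. Also worth noting in a comment that `usermod -u` changes only the passwd entry, so files outside `/data` (the copied `/app` tree) keep their original numeric owner after a remap.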