chore: make Docker image run without root user (#67)

Dockerfile

@@ -21,7 +21,10 @@ RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
 
 # Stage 3: Production Image
 FROM node:20-alpine
-RUN apk add --no-cache caddy
+# Delete default node user
+RUN deluser --remove-home node
+
+RUN apk add --no-cache caddy su-exec
 COPY ./reverse-proxy /etc/caddy/
 
 WORKDIR /app
@@ -41,5 +44,5 @@ RUN chmod +x ./scripts/*.sh
 EXPOSE 80
 ENV APP_ENV=production
 
-# Use a shell form to run both the frontend and backend
-CMD ["sh", "./scripts/docker-entrypoint.sh"]
+ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"]
+CMD ["sh", "./scripts/docker/entrypoint.sh"]

README.md

@@ -150,6 +150,7 @@ docker compose up -d
 | ---------------------- | ----------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `PUBLIC_APP_URL`       | `http://localhost`      | yes                   | The URL where you will access the app.                                                                                                                                                |
 | `TRUST_PROXY`          | `false`                 | yes                   | Whether the app is behind a reverse proxy.                                                                                                                                            |
+| `PUID`                  and `PGID` | `1000`                  | yes                   | The user and group ID of the user who should run Pocket ID inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables).                                                                                                                       |
 | `DB_PATH`              | `data/pocket-id.db`     | no                    | The path to the SQLite database.                                                                                                                                                      |
 | `UPLOAD_PATH`          | `data/uploads`          | no                    | The path where the uploaded files are stored.                                                                                                                                         |
 | `INTERNAL_BACKEND_URL` | `http://localhost:8080` | no                    | The URL where the backend is accessible.                                                                                                                                              |

scripts/docker/create-user.sh

@@ -0,0 +1,28 @@
+
+echo "Creating user and group..."
+
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+# Check if the group with PGID exists; if not, create it
+if ! getent group pocket-id-group > /dev/null 2>&1; then
+    addgroup -g "$PGID" pocket-id-group
+fi
+
+# Check if a user with PUID exists; if not, create it
+if ! id -u pocket-id > /dev/null 2>&1; then
+    if ! getent passwd "$PUID" > /dev/null 2>&1; then
+        adduser -u "$PUID" -G pocket-id-group pocket-id
+    else
+        # If a user with the PUID already exists, use that user
+        existing_user=$(getent passwd "$PUID" | cut -d: -f1)
+        echo "Using existing user: $existing_user"
+    fi
+fi
+
+# Change ownership of the /app directory
+mkdir -p /app/backend/data
+find /app/backend/data \( ! -group "${PGID}" -o ! -user "${PUID}" \) -exec chown "${PUID}:${PGID}" {} +
+
+# Switch to the non-root user
+exec su-exec "$PUID:$PGID" "$@"