chore: make Docker image rootless (#683)

* add first version of rootless docker image

* skip user creation if user is already a non root user

Dockerfile

@@ -30,9 +30,12 @@ RUN npm run build && npm prune --production
 FROM node:20-alpine AS runner
 ENV NODE_ENV=docker
 
+# Delete default node user
+RUN deluser --remove-home node
+
 RUN apk update --no-cache \
     && apk upgrade --no-cache \
-    && apk add --no-cache curl caddy
+    && apk add --no-cache curl caddy su-exec
 
 WORKDIR /opt/app/frontend
 COPY --from=frontend-builder /opt/app/public ./public
@@ -46,13 +49,14 @@ COPY --from=backend-builder /opt/app/dist ./dist
 COPY --from=backend-builder /opt/app/prisma ./prisma
 COPY --from=backend-builder /opt/app/package.json ./
 
-COPY ./reverse-proxy /etc/caddy
-COPY ./scripts/docker-entrypoint.sh /opt/app/docker-entrypoint.sh
-
 WORKDIR /opt/app
 
+COPY ./reverse-proxy /etc/caddy
+COPY ./scripts ./scripts
+
 EXPOSE 3000
 
 HEALTHCHECK --interval=10s --timeout=3s CMD curl -f http://localhost:3000/api/health || exit 1
 
-CMD ["sh", "/opt/app/docker-entrypoint.sh"]
+ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"]
+CMD ["sh", "./scripts/docker/entrypoint.sh"]

docs/docs/setup/configuration.md

@@ -49,8 +49,10 @@ For installation specific configuration, you can use environment variables. The
 | `PORT`    | `3000`                  | The port on which the frontend listens.  |
 | `API_URL` | `http://localhost:8080` | The URL of the backend for the frontend. |
 
-#### Reverse Proxy (inside the Docker container)
+#### Docker specific
+Environment variables that are only available when running Pingvin Share with Docker.
 
 | Variable      | Default Value | Description                                                                                                 |
 | ------------- | ------------- | ----------------------------------------------------------------------------------------------------------- |
 | `TRUST_PROXY` | `false`       | Whether Pingvin Share is behind a reverse proxy. If set to `true`, the `X-Forwarded-For` header is trusted. |
+| `PUID` and `PGID` | `1000`       |  The user and group ID of the user who should run Pingvin Share inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables). |

scripts/docker/create-user.sh

@@ -0,0 +1,30 @@
+# If we aren't running as root, just exec the CMD
+[ "$(id -u)" -ne 0 ] && exec "$@"
+
+echo "Creating user and group..."
+
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+# Check if the group with PGID exists; if not, create it
+if ! getent group pingvin-share-group > /dev/null 2>&1; then
+    addgroup -g "$PGID" pingvin-share-group
+fi
+
+# Check if a user with PUID exists; if not, create it
+if ! id -u pingvin-share > /dev/null 2>&1; then
+    if ! getent passwd "$PUID" > /dev/null 2>&1; then
+        adduser -u "$PUID" -G pingvin-share-group pingvin-share > /dev/null 2>&1
+    else
+        # If a user with the PUID already exists, use that user
+        existing_user=$(getent passwd "$PUID" | cut -d: -f1)
+        echo "Using existing user: $existing_user"
+    fi
+fi
+
+# Change ownership of the data directory
+mkdir -p /opt/app/backend/data
+find /opt/app/backend/data \( ! -group "${PGID}" -o ! -user "${PUID}" \) -exec chown "${PUID}:${PGID}" {} +
+
+# Switch to the non-root user
+exec su-exec "$PUID:$PGID" "$@"