From 2c842218160ba3507e632698422f8053065bd20b Mon Sep 17 00:00:00 2001 From: raul Date: Tue, 11 Jun 2024 09:53:37 +0200 Subject: [PATCH] Use regular user for executing service This is primarily useful in preventing files generated within shared volumes from being owned by root --- Dockerfile | 19 +++++++++++++++---- docker-compose.yml | 4 ++-- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6b1f22f..6106a96 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,22 @@ FROM golang:1.22-alpine -RUN mkdir /app +ENV USER=cert400 +ENV GROUPNAME=$USER +ENV UID=1000 +ENV GID=1000 +ENV APP_HOME="/home/cert400/app" -ADD . /app +RUN addgroup --gid "$GID" "$GROUPNAME" +RUN adduser --gecos "" --disabled-password --ingroup "$GROUPNAME" --uid "$UID" "$USER" -WORKDIR /app +USER cert400 + +RUN mkdir "$APP_HOME" + +ADD . "$APP_HOME" + +WORKDIR "$APP_HOME" RUN go build -o main . -CMD ["/app/main", "server"] +CMD ["./main", "server"] diff --git a/docker-compose.yml b/docker-compose.yml index ef3cd60..70c0d01 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,7 +5,7 @@ networks: driver: bridge services: - cert400: + default: container_name: "cert400" build: context: . @@ -15,4 +15,4 @@ services: networks: - cert400 volumes: - - ./sample-config/:/root/.config/cert400/ + - ./sample-config/:/home/cert400/.config/cert400/
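Review bot: `ADD . "$APP_HOME"` is placed after `USER cert400`, but ADD/COPY ignore USER and create files owned by uid 0, so the source tree is root-owned inside a directory that `RUN mkdir` created as cert400; `COPY --chown="$UID:$GID" . "$APP_HOME"` (COPY rather than ADD, since nothing here needs archive extraction or URL fetching; variable expansion in `--chown` needs BuildKit) gives the tree one consistent owner and makes the separate `mkdir` unnecessary. The shared-volume ownership this commit is after only holds when the host user is uid/gid 1000, so `USER`, `GROUPNAME`, `UID` and `GID` are better declared as `ARG` than `ENV`: they become overridable with `--build-arg` per host and, being build-only values, stay out of the runtime environment. Dropping root before `go build` is the right order; note that `golang:1.22-alpine` is still the runtime image, so the toolchain and sources ship with the service, which predates this change but a multi-stage build would remove.
```dockerfile
FROM golang:1.22-alpine

ARG USER=cert400
ARG GROUPNAME=$USER
ARG UID=1000
ARG GID=1000
ENV APP_HOME="/home/cert400/app"

# … unchanged: addgroup / adduser …

USER "$USER"

COPY --chown="$UID:$GID" . "$APP_HOME"

WORKDIR "$APP_HOME"
# … unchanged: go build, CMD …
```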
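Review bot: The bind mount now resolves to `/home/cert400/.config/cert400/`, and because the Dockerfile fixes the container user at uid/gid 1000, the host's `./sample-config/` must be writable by uid 1000 for anything to be generated there; on a host where the developer has a different uid the service will get a permission error rather than the root-owned files the commit message wants to avoid, which is worth a line in the compose file or README. If the service only reads its configuration, mount it read-only, `- ./sample-config/:/home/cert400/.config/cert400/:ro`, so a compromised process cannot rewrite the host copy; the commit message suggests files are generated in this directory, so confirm which applies before doing so. The in-container path also hard-codes the home directory that the Dockerfile's `adduser` chooses, so the two must be changed together.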