fix: allow to run container as non-root user again (resolve #775)

2025-12-05 14:10:24 -08:00 · 2025-04-11 14:31:52 +02:00
parent 5a2994fe47
commit 4fc605c782
3 changed files with 21 additions and 8 deletions
--- a/5
+++ b/5
@@ -28,9 +28,6 @@ RUN mkdir ./data ./app && \
 FROM alpine:3
 WORKDIR /app

-# Note: we're intentionally not running as `app` user, because see https://github.com/muety/wakapi/issues/769.
-# The entrypoint script will take care of starting the wakapi process as `app` instead.
-
 RUN addgroup -g 1000 app && \
    adduser -u 1000 -G app -s /bin/sh -D app && \
    apk add --no-cache bash ca-certificates tzdata
@@ -56,6 +53,8 @@ LABEL org.opencontainers.image.url="https://github.com/muety/wakapi" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.description="A minimalist, self-hosted WakaTime-compatible backend for coding statistics"

+USER app
+
 EXPOSE 3000

 ENTRYPOINT /app/entrypoint.sh
--- a/compose.yml
+++ b/compose.yml
@@ -15,9 +15,23 @@ services:
      WAKAPI_PASSWORD_SALT_FILE: "/run/secrets/password_salt"   # alternatively, set WAKAPI_PASSWORD_SALT directly without the use of secrets
      WAKAPI_MAIL_SMTP_PASS_FILE: "/run/secrets/smtp_pass"      # alternatively, set WAKAPI_MAIL_SMTP_PASS directly without the use of secrets
    secrets:
-      - password_salt
-      - smtp_pass
-      - db_password
+      - source: password_salt
+        target: password_salt
+        uid: '1000'
+        gid: '1000'
+        mode: '0400'
+
+      - source: smtp_pass
+        target: smtp_pass
+        uid: '1000'
+        gid: '1000'
+        mode: '0400'
+
+      - source: db_password
+        target: db_password
+        uid: '1000'
+        gid: '1000'
+        mode: '0400'

  db:
    image: postgres:17
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -29,8 +29,8 @@ file_env "WAKAPI_SUBSCRIPTIONS_STRIPE_SECRET_KEY"
 file_env "WAKAPI_SUBSCRIPTIONS_STRIPE_ENDPOINT_SECRET"

 if [ "$WAKAPI_DB_TYPE" == "sqlite3" ] || [ "$WAKAPI_DB_TYPE" == "" ]; then
-  exec su -c "./wakapi" app
+  exec ./wakapi
 else
  echo "Waiting for database to come up"
-  exec ./wait-for-it.sh "$WAKAPI_DB_HOST:$WAKAPI_DB_PORT" -s -t 60 -- su -c "./wakapi" app
+  exec ./wait-for-it.sh "$WAKAPI_DB_HOST:$WAKAPI_DB_PORT" -s -t 60 -- ./wakapi
 fi