From 4fc605c7822be951d6973afc358f0ee565bb5612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ferdinand=20M=C3=BCtsch?=
Date: Fri, 11 Apr 2025 14:31:52 +0200
Subject: [PATCH] fix: allow to run container as non-root user again (resolve #775)

---
 Dockerfile    | 5 ++---
 compose.yml   | 20 +++++++++++++++++---
 entrypoint.sh | 4 ++--
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 56e168f..5a42579 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,9 +28,6 @@ RUN mkdir ./data ./app && \
 FROM alpine:3
 WORKDIR /app
 
-# Note: we're intentionally not running as `app` user, because see https://github.com/muety/wakapi/issues/769.
-# The entrypoint script will take care of starting the wakapi process as `app` instead.
-
 RUN addgroup -g 1000 app && \
     adduser -u 1000 -G app -s /bin/sh -D app && \
     apk add --no-cache bash ca-certificates tzdata
@@ -56,6 +53,8 @@ LABEL org.opencontainers.image.url="https://github.com/muety/wakapi" \
       org.opencontainers.image.licenses="MIT" \
       org.opencontainers.image.description="A minimalist, self-hosted WakaTime-compatible backend for coding statistics"
 
+USER app
+
 EXPOSE 3000
 
 ENTRYPOINT /app/entrypoint.sh
diff --git a/compose.yml b/compose.yml
index 8e2337f..aaa8142 100644
--- a/compose.yml
+++ b/compose.yml
@@ -15,9 +15,23 @@ services:
       WAKAPI_PASSWORD_SALT_FILE: "/run/secrets/password_salt" # alternatively, set WAKAPI_PASSWORD_SALT directly without the use of secrets
       WAKAPI_MAIL_SMTP_PASS_FILE: "/run/secrets/smtp_pass" # alternatively, set WAKAPI_MAIL_SMTP_PASS directly without the use of secrets
     secrets:
- password_salt
- smtp_pass
- db_password
+      - source: password_salt
+        target: password_salt
+        uid: '1000'
+        gid: '1000'
+        mode: '0400'
+
+      - source: smtp_pass
+        target: smtp_pass
+        uid: '1000'
+        gid: '1000'
+        mode: '0400'
+
+      - source: db_password
+        target: db_password
+        uid: '1000'
+        gid: '1000'
+        mode: '0400'
 
   db:
     image: postgres:17
diff --git a/entrypoint.sh b/entrypoint.sh
index daaf9a8..6568e9f 100755
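Review bot: `USER app` in the second Dockerfile hunk reverts the decision that the note removed in the first hunk documented (issue #769) without leaving a replacement explanation; a comment above it such as `# Drop to the unprivileged app user (uid/gid 1000); see #769 and #775 for the history of this decision.` keeps that reasoning next to the instruction. With `su` no longer used to drop privileges, the `app` account created in the first hunk's context could be given `-s /sbin/nologin` instead of `-s /bin/sh`, since nothing needs an interactive shell for it. Everything wakapi writes under /app must now already be owned or writable by uid 1000 (the `./data` directory in the first hunk header is created in the build stage); the `COPY` lines between the two hunks are not visible here, so confirm they use `--chown=app:app`, otherwise the data directory becomes unwritable once the process no longer starts as root. The shell-form `ENTRYPOINT /app/entrypoint.sh` in the context may leave `/bin/sh -c` as PID 1 rather than the script, in which case the SIGTERM from `docker stop` does not reach wakapi; `ENTRYPOINT ["/app/entrypoint.sh"]` lets the script's `exec` hand PID 1 to wakapi directly.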
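Review bot: The three new secret entries repeat the identical `uid: '1000'`, `gid: '1000'`, `mode: '0400'` block, and that uid/gid must stay in sync with the `app` user the Dockerfile creates; a YAML anchor on the first entry (`&secret_perms`) merged into the other two keeps a future uid change in one place. Whether these ownership fields take effect depends on the runtime: for non-Swarm `docker compose`, file-based secrets are bind-mounted and in at least some releases kept the host file's owner and mode, which would leave them unreadable by uid 1000 now that the process no longer starts as root — worth confirming against the Compose version in use. A comment next to `secrets:` such as `# uid/gid must match the container's app user (1000) so the secret files are readable by the non-root process` records the constraint for the next editor.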
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -29,8 +29,8 @@ file_env "WAKAPI_SUBSCRIPTIONS_STRIPE_SECRET_KEY"
 file_env "WAKAPI_SUBSCRIPTIONS_STRIPE_ENDPOINT_SECRET"
 
 if [ "$WAKAPI_DB_TYPE" == "sqlite3" ] || [ "$WAKAPI_DB_TYPE" == "" ]; then
-    exec su -c "./wakapi" app
+    exec ./wakapi
 else
     echo "Waiting for database to come up"
-    exec ./wait-for-it.sh "$WAKAPI_DB_HOST:$WAKAPI_DB_PORT" -s -t 60 -- su -c "./wakapi" app
+    exec ./wait-for-it.sh "$WAKAPI_DB_HOST:$WAKAPI_DB_PORT" -s -t 60 -- ./wakapi
 fi
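Review bot: With `su` gone from both `exec` lines, nothing in the script enforces the unprivileged user any more — that now rests solely on the Dockerfile's `USER app`, so a `docker run --user 0` override or a derived image that resets `USER` runs wakapi as root without any signal in the logs. A cheap guard near the top of the script, `if [ "$(id -u)" = 0 ]; then echo "warning: running as root" >&2; fi`, keeps that visible. The comparison `[ "$WAKAPI_DB_TYPE" == "sqlite3" ]` on the context line is a bash extension; if the shebang (outside the hunk) is `/bin/sh`, `=` is the portable form. The `file_env` definition and the script header are outside the hunk.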