From c6fa2b0fbdb043066055cb44e3478ddaa3145261 Mon Sep 17 00:00:00 2001
From: sneak
Date: Wed, 31 Dec 2025 16:17:59 -0800
Subject: [PATCH] Fix container to run app as routewatch user

Use runuser to drop privileges and execute the app as the routewatch user (uid 1000). Fix data directory permissions at runtime since host mounts may have incorrect ownership.
---
 Dockerfile | 6 +++---
 entrypoint.sh | 7 +++++++
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 9247f40..fa1460b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,15 +51,15 @@ COPY --from=builder /routewatch-source.tar.zst /app/source/routewatch-source.tar
 # Set ownership
 RUN chown -R routewatch:routewatch /app
 
-USER routewatch
-
 ENV XDG_DATA_HOME=/var/lib
 
 # Expose HTTP port
 EXPOSE 8080
 
+COPY ./entrypoint.sh /entrypoint.sh
+
 # Health check using the health endpoint
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
     CMD curl -sf http://localhost:8080/.well-known/healthcheck.json || exit 1
 
-ENTRYPOINT ["/app/routewatch"]
+ENTRYPOINT ["/bin/bash", "/entrypoint.sh" ]
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..82acbbe
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+cd /var/lib/berlin.sneak.app.routewatch
+chown -R routewatch:routewatch .
+chmod 700 .
+
+exec runuser -u routewatch -- /app/routewatch
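Review bot: Dropping `USER routewatch` means the image's default user is now root, and nothing in the Dockerfile records that the only privilege drop lives in entrypoint.sh; the HEALTHCHECK's `curl` now also runs as root, and any `docker run --entrypoint` override or `exec` into the container lands as root. Worth a comment above the new ENTRYPOINT so the next maintainer does not "fix" the missing USER line: `# Starts as root only so entrypoint.sh can repair ownership of the bind-mounted data dir; it drops to routewatch (uid 1000) before exec'ing the app`. As a style point, the exec-form array has a stray space before the closing bracket; `COPY --chmod=755 ./entrypoint.sh /entrypoint.sh` plus `ENTRYPOINT ["/entrypoint.sh"]` would let the shebang do its job and avoid hardcoding `/bin/bash` twice. The hunk context suggests the script is copied after `chown -R routewatch:routewatch /app`, so it stays root-owned, which is fine since root runs it.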
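Review bot: The script has no `set -e`, so if the `cd` fails (data directory absent or the bind mount not present) the following `chown -R routewatch:routewatch .` and `chmod 700 .` run against whatever the current directory happens to be, and the app still starts as if the data dir had been prepared. The final line also drops arguments: the old `ENTRYPOINT ["/app/routewatch"]` forwarded CMD and `docker run` arguments, while `exec runuser -u routewatch -- /app/routewatch` discards them silently. I would change it to `set -eu`, `cd /var/lib/berlin.sneak.app.routewatch`, and `exec runuser -u routewatch -- /app/routewatch "$@"`, so a failed `cd` aborts the container and arguments reach the binary again. Note too that a recursive chown on a host bind mount rewrites ownership on the host side at every start, which the commit message accepts as intended but which grows costly as the data directory grows; if the app only needs the top-level directory writable, a non-recursive chown would be cheaper.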