fix: entrypoint runs as root to fix bind-mount perms before dropping privs

The old GHCR image had USER chronicle baked in, so the entrypoint ran
as non-root and couldn't write to root-owned bind mounts. Now:
- Dockerfile has no USER directive; container starts as root
- Entrypoint creates /app/data/media, chowns to chronicle, then drops
  to chronicle via su-exec
- Entrypoint handles non-root fallback gracefully with a helpful warning
- chronicle user has fixed UID/GID 1000 for predictable bind-mount ownership
- All compose environment vars are configurable (no hardcoded values)

https://claude.ai/code/session_0153nX7vQSjEFPpZTgZdDmu5

Author: claude

Dockerfile

@@ -46,8 +46,10 @@ FROM alpine:3.20
 # dropping privileges in the entrypoint.
 RUN apk add --no-cache ca-certificates tzdata su-exec
 
-# Create non-root user for runtime security.
-RUN adduser -D -H -s /sbin/nologin chronicle
+# Create non-root user with a fixed UID/GID for predictable bind-mount
+# ownership. Host dirs must be owned by this UID for non-root operation.
+RUN addgroup -g 1000 chronicle \
+    && adduser -D -H -s /sbin/nologin -G chronicle -u 1000 chronicle
 
 # Copy the compiled binary.
 COPY --from=builder /chronicle /usr/local/bin/chronicle
@@ -58,7 +60,7 @@ COPY --from=builder /src/static /app/static
 # Copy database migrations for auto-migration on startup.
 COPY --from=builder /src/db/migrations /app/db/migrations
 
-# Create persistent data directory owned by the non-root user.
+# Create persistent data directory owned by the chronicle user.
 # Media uploads go under /app/data/media (matches MEDIA_PATH default "./data/media").
 # Mount a volume at /app/data to persist media across container rebuilds.
 RUN mkdir -p /app/data/media && chown -R chronicle:chronicle /app/data

docker-compose.yml

@@ -24,19 +24,18 @@ services:
       - "8080:8080"
     restart: unless-stopped
     environment:
-      # -- SECURITY: You MUST change these before deploying --
-      - ENV=production
-      - PORT=8080
-      - BASE_URL=http://localhost:8080
+      - ENV=${ENV:-production}
+      - PORT=${PORT:-8080}
+      - BASE_URL=${BASE_URL:-http://localhost:8080}
       # REQUIRED: Generate a unique key: openssl rand -base64 32
       - SECRET_KEY=${SECRET_KEY:?SECRET_KEY must be set. Run openssl rand -base64 32}
       # -- Database (DB_PASSWORD must match MYSQL_PASSWORD below) --
-      - DB_HOST=chronicle-db:3306
-      - DB_USER=chronicle
-      # REQUIRED: Change this password and match MYSQL_PASSWORD below.
+      - DB_HOST=${DB_HOST:-chronicle-db:3306}
+      - DB_USER=${DB_USER:-chronicle}
       - DB_PASSWORD=${DB_PASSWORD:-chronicle}
-      - DB_NAME=chronicle
-      - REDIS_URL=redis://chronicle-redis:6379
+      - DB_NAME=${DB_NAME:-chronicle}
+      - REDIS_URL=${REDIS_URL:-redis://chronicle-redis:6379}
+      - MEDIA_PATH=${MEDIA_PATH:-./data/media}
     volumes:
       - chronicle-data:/app/data
     depends_on:

docker-entrypoint.sh

@@ -1,15 +1,28 @@
 #!/bin/sh
-# docker-entrypoint.sh -- fix bind-mount permissions, then drop to non-root.
+# docker-entrypoint.sh -- fix bind-mount permissions, then run the server.
 #
-# When /app/data is a bind mount, the host directory's ownership may not match
-# the container's "chronicle" user. This script runs as root to ensure the data
-# directory is writable, then exec's the server as the unprivileged user.
+# When running as root (default), this script fixes /app/data ownership and
+# drops to the "chronicle" user via su-exec.
+# When running as non-root (e.g. Cosmos Cloud sets user: chronicle), it
+# creates subdirectories if writable and runs the server directly.
+#
+# For bind mounts with non-root user, ensure the host directory is owned by
+# the container's UID:  chown -R $(id -u chronicle):$(id -g chronicle) /path/to/data
 
 set -e
 
-# Ensure the media subdirectory exists and is owned by chronicle.
-mkdir -p /app/data/media
-chown -R chronicle:chronicle /app/data
-
-# Drop privileges and exec the main process.
-exec su-exec chronicle "$@"
+if [ "$(id -u)" = "0" ]; then
+    # Running as root: ensure dirs exist, fix ownership, drop privileges.
+    mkdir -p /app/data/media
+    chown -R chronicle:chronicle /app/data
+    exec su-exec chronicle "$@"
+else
+    # Running as non-root (platform-enforced user).
+    # Try to create media dir; if it fails, the bind mount host dir needs
+    # its ownership fixed (see comment above).
+    if ! mkdir -p /app/data/media 2>/dev/null; then
+        echo "WARNING: Cannot create /app/data/media -- bind mount not writable by UID $(id -u)." >&2
+        echo "Fix: chown -R $(id -u):$(id -g) <host-data-dir>" >&2
+    fi
+    exec "$@"
+fi