Merge pull request #111 from keyxmakerx/claude/fix-media-permissions-7BuTx

keyxmakerx · web-flow · commit c412facc5fcf · 2026-03-09T22:27:05.000-05:00
Claude/fix media permissions 7 bu tx
diff --git a/Dockerfile b/Dockerfile
@@ -42,9 +42,8 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o /chronicle ./cmd/server
 # --- Stage 3: Runtime ---
 FROM alpine:3.20
 
-# Install CA certificates for HTTPS calls (if needed), timezone data, and
-# su-exec for dropping privileges in the entrypoint.
-RUN apk add --no-cache ca-certificates tzdata su-exec
+# Install CA certificates for HTTPS calls (if needed) and timezone data.
+RUN apk add --no-cache ca-certificates tzdata
 
 # Create non-root user for runtime security.
 RUN adduser -D -H -s /sbin/nologin chronicle
@@ -63,16 +62,10 @@ COPY --from=builder /src/db/migrations /app/db/migrations
 # Mount a volume at /app/data to persist media across container rebuilds.
 RUN mkdir -p /app/data/media && chown -R chronicle:chronicle /app/data
 
-# Copy entrypoint script that fixes bind-mount permissions before dropping to
-# the non-root chronicle user.
-COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-RUN chmod +x /usr/local/bin/docker-entrypoint.sh
-
 WORKDIR /app
 
-# Container starts as root so the entrypoint can fix bind-mount ownership,
-# then drops to the chronicle user via su-exec.
-ENTRYPOINT ["docker-entrypoint.sh"]
+# Run as the unprivileged chronicle user.
+USER chronicle
 
 # The Go binary serves HTTP directly on this port.
 EXPOSE 8080
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -20,6 +20,9 @@ services:
       context: .
       dockerfile: Dockerfile
     container_name: chronicle
+    # Match the host directory owner for bind-mount permissions.
+    # Set PUID/PGID as environment variables (default: 1000).
+    user: "${PUID:-1000}:${PGID:-1000}"
     ports:
       - "8080:8080"
     restart: unless-stopped
