Rootless Docker image

AFCMS · AFCMS · commit 8298bdfba8d0 · 2025-10-17T11:11:51.000+02:00
diff --git a/.dockerignore b/.dockerignore
@@ -11,3 +11,4 @@ prettier.config.js
 README.md
 vercel.json
 vitest.config.ts
+dist
diff --git a/.github/README_ARTIFACTHUB.md b/.github/README_ARTIFACTHUB.md
@@ -13,8 +13,9 @@ An elegant, offline‑first Progressive Web App (PWA) video player. This contain
 
 ## Docker Image
 
-- Preconfigured Caddy server serving static files from /srv
+- Preconfigured Caddy server serving static files
 - Hardened HTTP security headers
+- Rootless user
 - No volumes or env vars required
 - No TLS support (reverse proxy required for production use)
 - Expose port 80 in the container
diff --git a/Dockerfile b/Dockerfile
@@ -31,9 +31,20 @@ RUN pnpm build
 
 FROM caddy:2-alpine
 
-COPY --from=builder /app/dist /srv
+RUN adduser \
+    --gecos "" \
+    --system \
+    --no-create-home \
+    --uid "900" \
+    "appuser"
 
-COPY Caddyfile /etc/caddy/Caddyfile
+USER appuser
+
+COPY --from=builder --chown=appuser:appuser /app/dist /srv
+
+# COPY --chown=appuser:appuser dist /srv
+
+COPY --chown=appuser:appuser Caddyfile /etc/caddy/Caddyfile
 
 EXPOSE 80
 
