harden runtime config and automate first-run permissions

Run the container as a non-root user in production to fail fast on insecure deployments. Add DEBUG env-based request/response logging for container diagnostics, and introduce a one-shot init-permissions service in docker-compose so fresh installs automatically fix data/uploads ownership for SQLite write access.
fgbona
2026-03-30 13:19:01 -03:00
parent d04629605e
commit 10ebf46a98
4 changed files with 50 additions and 0 deletions

@@ -30,6 +30,9 @@ COPY --from=client-builder /app/client/public/fonts ./public/fonts
RUN mkdir -p /app/data /app/uploads/files /app/uploads/covers /app/uploads/avatars /app/uploads/photos && \
mkdir -p /app/server && ln -s /app/uploads /app/server/uploads && ln -s /app/data /app/server/data
RUN chown -R node:node /app
USER node
# Umgebung setzen
ENV NODE_ENV=production
ENV PORT=3000
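
Review bot: `RUN chown -R node:node /app` ahead of `USER node` makes the runtime user the owner of the entire application tree, not only the writable directories, so a compromised Node process could rewrite the server code it is running. Restricting the chown to `/app/data` and `/app/uploads` (the directories created by the `mkdir -p` just above) would leave the code root-owned and read-only to `node`, and would avoid the extra image layer that a recursive chown of all of `/app` in its own `RUN` step produces. Ownership set here also covers only the image's own directories, so a short Dockerfile comment saying that mounted data/uploads paths still need their ownership fixed at deploy time would help whoever reads this file without the compose file next to it.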