use non-root nobody user for monolith docker image

apps/meteor/.docker/Dockerfile.alpine

@@ -4,9 +4,18 @@ LABEL maintainer="[email protected]"
 
 ENV LANG=C.UTF-8
 
-RUN apk add --no-cache deno ttf-dejavu
-
-ADD . /app
+# `nobody` user/group is historically reserved for NFS.
+# We don't use any NFS related tools in this image.
+# For the same reason of NFS using the uid, we can also use it as long as there are no conflicts in terms of running processes with the same euid (which is 1 in our case).
+# While 65534 raw uid/gid could be used, renaming nobody to rocketchat here for maximum compatibility with older debian image.
+# More info on nobody - https://wiki.ubuntu.com/nobody
+RUN apk add --no-cache deno ttf-dejavu \
+	&& apk add --no-cache --virtual .usermod shadow \
+	&& usermod -l rocketchat nobody \
+	&& groupmod -n rocketchat nobody \
+	&& apk del .usermod
+
+ADD --chown=rocketchat:rocketchat . /app
 
 # needs a mongo instance - defaults to container linking with alias 'mongo'
 ENV DEPLOY_METHOD=docker \
@@ -39,13 +48,15 @@ RUN set -x \
     && apk del .fetch-deps
 
 # TODO: remove hack once upstream builds are fixed
-COPY matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
-COPY matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@vector-im/matrix-bot-sdk/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
+COPY --chown=rocketchat:rocketchat matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
+COPY --chown=rocketchat:rocketchat matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@vector-im/matrix-bot-sdk/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
 
 VOLUME /app/uploads
 
 WORKDIR /app/bundle
 
 EXPOSE 3000
 
+USER rocketchat
+
 CMD ["node", "main.js"]