From 5afc828a45c5d8537d1b7a755fe746ccac700bd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?=
Date: Tue, 16 Jul 2024 20:22:45 +0200
Subject: [PATCH] chore: add a user `non-root` to the container image (#38)
- Running as root is never good! Never! :cherries:
---
 tools/nix/images/tripsu.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/nix/images/tripsu.nix b/tools/nix/images/tripsu.nix
index 51041d2..7ad8a77 100644
--- a/tools/nix/images/tripsu.nix
+++ b/tools/nix/images/tripsu.nix
@@ -8,13 +8,23 @@ pkgs.dockerTools.buildLayeredImage {
 contents = [tripsu];
+ fakeRootCommands = ''
+ ${pkgs.dockerTools.shadowSetup}
+ groupadd -r non-root
+ useradd -r -g non-root non-root
+ mkdir -p /workspace
+ chown non-root:non-root /workspace
+ '';
+ enableFakechroot = true;
+
 config = {
 Entrypoint = ["tripsu"];
- WorkingDir = "/";
+ WorkingDir = "/workspace";
 Labels = {
 "org.opencontainers.image.source" = "https://github.com/sdsc-ordes/tripsu";
 "org.opencontainers.image.description" = tripsu.meta.description;
 "org.opencontainers.image.license" = "Apache-2.0";
 };
+ User = "non-root";
 };
 }
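Review bot: `User = "non-root"` in `config` names the account instead of a numeric ID, and the `useradd -r` line in `fakeRootCommands` lets shadow choose the UID, so nothing in the image pins which UID the process runs as. Kubernetes `runAsNonRoot: true` cannot verify a non-numeric image user and refuses to start such a container, and a host directory mounted over `/workspace` needs a known owner to stay writable. Consider fixing the IDs, e.g. `groupadd -r -g 1000 non-root`, `useradd -r -u 1000 -g non-root non-root` and `User = "1000:1000"` (1000 is an example value, not taken from the project). The `buildLayeredImage` attribute set opens above this hunk, so attributes outside it were not reviewed.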