Merge pull request #157 from chillymattster/configure_uid_gid

micbar · web-flow · commit 79782cdd5ff3 · 2025-11-25T10:28:03.000+01:00
feat: improve security - configure container uid and gid
diff --git a/.env.example b/.env.example
@@ -69,6 +69,10 @@ TRAEFIK_ACCESS_LOG=
 # Configure the log level for Traefik.
 # Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
 TRAEFIK_LOG_LEVEL=
+# The default for traefik is to run in privileged mode.
+# If you want to run traefik non-privileged, use the following variable and the format [UID]:[GID] to set user and group of your choice.
+# Ensure that the user has access to docker.sock and traefik volumes defined in traefik/opencloud.yml
+#TRAEFIK_CONTAINER_UID_GID="1000:1000"
 
 
 ## OpenCloud Settings ##
@@ -80,6 +84,11 @@ OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
 # The openCloud container version.
 # Defaults to "latest" and points to the latest stable tag.
 OC_DOCKER_TAG=
+# The default id used in opencloud containers is 1000 for user and group.
+# If you want to change the default, use the following variable and the format [UID]:[GID].
+# The change affects all containers with access to data volumes.
+# Ensure that the user has access to all volumes defined in docker-compose.yml
+#OC_CONTAINER_UID_GID="1000:1000"
 # Domain of openCloud, where you can find the frontend.
 # Defaults to "cloud.opencloud.test"
 OC_DOMAIN=
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -4,6 +4,7 @@ services:
     image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
     # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
     # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     entrypoint:
diff --git a/radicale/radicale.yml b/radicale/radicale.yml
@@ -6,6 +6,7 @@ services:
       - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml
   radicale:
     image: ${RADICALE_DOCKER_IMAGE:-opencloudeu/radicale}:${RADICALE_DOCKER_TAG:-latest}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     logging:
diff --git a/traefik/opencloud.yml b/traefik/opencloud.yml
@@ -11,6 +11,7 @@ services:
   traefik:
     image: traefik:v3
     # release notes: https://github.com/traefik/traefik/releases
+    user: ${TRAEFIK_CONTAINER_UID_GID:-0:0}
     networks:
       opencloud-net:
         aliases:
diff --git a/weboffice/collabora.yml b/weboffice/collabora.yml
@@ -14,6 +14,7 @@ services:
 
   collaboration:
     image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    user: ${OC_CONTAINER_UID_GID:-1000:1000}
     networks:
       opencloud-net:
     depends_on:
