feat: enable non-root container behavior (#15)

johnpc · John Corser · web-flow · commit cbd253eeca6a · 2025-02-02T15:32:06.000-05:00
Co-authored-by: John Corser &lt;xss@amazon.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,17 @@
 # Use Node.js LTS (Long Term Support) as base image
 FROM node:20-bullseye
 
-# Set working directory
-WORKDIR /app
+# Create app user and group with configurable UID/GID
+ENV PUID=1000
+ENV PGID=1000
 
+RUN mkdir -p /app
+RUN chown node:node /app
+
+# Modify existing node user instead of creating new one
+RUN groupmod -g ${PGID} node && \
+    usermod -u ${PUID} -g ${PGID} node && \
+    chown -R node:node /home/node
 RUN apt-get clean
 
 # Install system dependencies including ffmpeg, Python, and cron
@@ -15,27 +23,21 @@ RUN apt-get update && apt-get install -y \
     cron \
     && rm -rf /var/lib/apt/lists/*
 
-# Install pipx
-RUN python3 -m pip install --user pipx \
-    && python3 -m pipx ensurepath
-
-# Add pipx to PATH
-ENV PATH="/root/.local/bin:$PATH"
-
-# Install ffsubsync and autosubsync using pipx
-RUN pipx install ffsubsync \
-    && pipx install autosubsync
+USER node
+# Set working directory
+WORKDIR /app
 
 # Copy package.json and package-lock.json (if available)
-COPY package*.json ./
+COPY --chown=node:node package*.json ./
 
 # Install Node.js dependencies while skipping husky installation
 ENV HUSKY=0
 RUN npm install --ignore-scripts
 
 # Copy the rest of your application
-COPY . .
-RUN mv bin/* /root/.local/bin/
+COPY --chown=node:node . .
+RUN mkdir -p /home/node/.local/bin/
+RUN cp bin/* /home/node/.local/bin/
 
 # Build TypeScript
 RUN npm run build
@@ -44,27 +46,33 @@ RUN npm run build
 # Set default cron schedule (if not provided by environment variable)
 ENV CRON_SCHEDULE="0 0 * * *"
 
-# Create startup script with environment variable
+# Install pipx
+RUN python3 -m pip install --user pipx \
+    && python3 -m pipx ensurepath
+
+# Add pipx to PATH
+ENV PATH="/home/node/.local/bin:$PATH"
+
+# Install ffsubsync and autosubsync using pipx
+RUN pipx install ffsubsync \
+    && pipx install autosubsync
+
+
+# Create startup script with proper permissions
 RUN echo '#!/bin/bash\n\
-# Add cron job\n\
-echo "${CRON_SCHEDULE} cd /app && /usr/local/bin/node /app/dist/index.js >> /var/log/cron.log 2>&1" > /etc/cron.d/subsyncarr\n\
-chmod 0644 /etc/cron.d/subsyncarr\n\
-crontab /etc/cron.d/subsyncarr\n\
-\n\
-# Start cron\n\
-service cron start\n\
+# Add cron job to user crontab\n\
+crontab - <<EOF\n\
+${CRON_SCHEDULE} cd /app && /usr/local/bin/node /app/dist/index.js >> /var/log/subsyncarr/cron.log 2>&1\n\
+EOF\n\
 \n\
 # Run the initial instance of the app\n\
 node dist/index.js\n\
-\n\
-# Keep container running\n\
-tail -f /var/log/cron.log' > /app/startup.sh
+mkdir -p /app/logs/\n\
+touch /app/logs/app.log\n\
+tail -f /app/logs/app.log' > /app/startup.sh
 
 # Make startup script executable
 RUN chmod +x /app/startup.sh
 
-# Create log file
-RUN touch /var/log/cron.log
-
 # Use startup script as entrypoint
 CMD ["/app/startup.sh"]
diff --git a/src/findAllSrtFiles.ts b/src/findAllSrtFiles.ts
@@ -22,6 +22,7 @@ export async function findAllSrtFiles(config: ScanConfig): Promise<string[]> {
         entry.isFile() &&
         extname(entry.name).toLowerCase() === '.srt' &&
         !entry.name.includes('.ffsubsync.') &&
+        !entry.name.includes('.alass.') &&
         !entry.name.includes('.autosubsync.')
       ) {
         files.push(fullPath);
