Pr 9

[lklynet]

i believe cap_drop: ALL was too restrictive for the current container entrypoints, which would cause the app to crash in standard Linux environments.

I've tested and suggest the following:

1. Backend cap_add: Added CHOWN. This is required because backend/docker-entrypoint.sh needs to fix permissions on the /app/data volume before dropping privileges. Without it, the container fails to start if the volume has the wrong permissions.
2. Frontend cap_add: Added NET_BIND_SERVICE. Nginx listens on port 80 (a privileged port). Without this capability, Nginx will log a "Permission denied" error and crash.
3. Backend Healthcheck: Switched localhost to 127.0.0.1 in the Dockerfile. This is more reliable in minimal Alpine-based networking environments.

Summary of Capabilities:

Container	Capabilities Added	Why?
Backend	SETUID, SETGID, CHOWN	User switching + Volume permission management.
Frontend	SETUID, SETGID, CHOWN, NET_BIND_SERVICE	Nginx worker setup + Binding to port 80.

Want to double check these and see if you agree? @ggfevans

[ggfevans]

Hm, my bad. I'd tested the PR though glad you did too! I'll give this PR a go in my environment (docker on Debian 13)

[lklynet]

Hm, my bad. I'd tested the PR though glad you did too! I'll give this PR a go in my environment (docker on Debian 13)

Your PR worked! I'm just worried about edge cases where it may fail.

[ggfevans]

I had admittedly tested it on macOS Docker - so there may be some behavioural differences that I didn't account for.

As for your PR here I see a mangled docker compose, I will amend with a fixed one in a sec here. I think going with yours and erring a bit on the side of safety is the way to go, rather than locking it down so far that we shoot ourselves in the foot and break existing installs.

[ggfevans]

See #15 - I think that was my bad for somehow ommitting NET_BIND_SERVICE, nginx would definitely need this to bind to :80. I'm curious how I managed to get it working previously, but whatever! let me know what you think.