1 files changed, 17 insertions, 1 deletions

diff --git a/Dockerfile b/Dockerfile
index 5e72d4be2..abb8c1947 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,6 @@
 # syntax=docker/dockerfile:1.3
+# Dockerfile reference: https://docs.docker.com/engine/reference/builder/
+
 # stage 1: generate up-to-date swagger.yaml to put in the final container
 FROM --platform=${BUILDPLATFORM} quay.io/goswagger/swagger:v0.30.0 AS swagger
 
@@ -20,6 +22,20 @@ RUN yarn install --cwd web/source && \
 # stage 3: build the executor container
 FROM --platform=${TARGETPLATFORM} alpine:3.15.4 as executor
 
+# switch to non-root user:group for GtS
+USER 1000:1000
+
+# Because we're doing multi-arch builds we can't easily do `RUN mkdir [...]`
+# but we can hack around that by having docker's WORKDIR make the dirs for
+# us, as the user created above.
+#
+# See https://docs.docker.com/engine/reference/builder/#workdir
+#
+# First make sure storage exists + is owned by 1000:1000, then go back
+# to just /gotosocial, where we'll run from
+WORKDIR "/gotosocial/storage"
+WORKDIR "/gotosocial"
+
 # copy the dist binary created by goreleaser or build.sh
 COPY --chown=1000:1000 gotosocial /gotosocial/gotosocial
 
@@ -27,5 +43,5 @@ COPY --chown=1000:1000 gotosocial /gotosocial/gotosocial
 COPY --chown=1000:1000 --from=bundler web /gotosocial/web
 COPY --chown=1000:1000 --from=swagger /go/src/github.com/superseriousbusiness/gotosocial/swagger.yaml web/assets/swagger.yaml
 
-WORKDIR "/gotosocial"
+VOLUME [ "/gotosocial/storage" ]
 ENTRYPOINT [ "/gotosocial/gotosocial", "server", "start" ]