From fdbd40663ac0985ee4641e0555ac0b7dfe92627f Mon Sep 17 00:00:00 2001
From: oxdc <29519076+oxdc@users.noreply.github.com>
Date: Fri, 17 Apr 2026 20:30:52 +0800
Subject: [PATCH 1/2] update Dockerfile to set user and group IDs for runtime

---
 Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index cb57201a..53848d65 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,6 +39,11 @@ COPY . .
 RUN cargo install --locked --target "$(cat /tmp/rust_target)" --path .
 
 FROM scratch
+
+ARG UID=65534
+ARG GID=65534
+USER $UID:$GID
+
 COPY --from=builder /usr/local/cargo/bin/rustical /usr/local/bin/rustical
 CMD ["/usr/local/bin/rustical"]
 

From 7509aefdd92fa673668410de80d5ad6f2453f106 Mon Sep 17 00:00:00 2001
From: oxdc <29519076+oxdc@users.noreply.github.com>
Date: Sun, 19 Apr 2026 15:28:29 +0800
Subject: [PATCH 2/2] use entrypoint.sh and configurable PUID & PGID

---
 Dockerfile    | 11 ++++++-----
 entrypoint.sh | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 53848d65..39aaa60c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,14 +38,12 @@ RUN cargo chef cook --release --target "$(cat /tmp/rust_target)"
 COPY . .
 RUN cargo install --locked --target "$(cat /tmp/rust_target)" --path .
 
-FROM scratch
+FROM alpine
 
-ARG UID=65534
-ARG GID=65534
-USER $UID:$GID
+RUN apk add --no-cache su-exec
 
 COPY --from=builder /usr/local/cargo/bin/rustical /usr/local/bin/rustical
-CMD ["/usr/local/bin/rustical"]
+COPY --chmod=755 entrypoint.sh /entrypoint.sh
 
 ENV RUSTICAL_DATA_STORE__SQLITE__DB_URL=/var/lib/rustical/db.sqlite3
 
@@ -53,4 +51,7 @@ LABEL org.opencontainers.image.authors="Lennart Kämmle github.com/lennart-k"
 LABEL org.opencontainers.image.licenses="AGPL-3.0-or-later"
 EXPOSE 4000
 
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["/usr/local/bin/rustical"]
+
 HEALTHCHECK --interval=30s --timeout=30s --start-period=3s --retries=3 CMD ["/usr/local/bin/rustical", "health"]
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 00000000..f7f54020
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+if [ "$(id -u)" -ne 0 ]; then
+    exec "$@"
+fi
+
+if ! getent group rustical > /dev/null 2>&1; then
+    addgroup -g "$PGID" rustical
+fi
+
+if ! id rustical > /dev/null 2>&1; then
+    if ! getent passwd "$PUID" > /dev/null 2>&1; then
+        adduser -D -u "$PUID" -G rustical rustical
+    fi
+fi
+
+mkdir -p /var/lib/rustical
+find /var/lib/rustical \( ! -user "$PUID" -o ! -group "$PGID" \) -exec chown "${PUID}:${PGID}" {} +
+
+exec su-exec "$PUID:$PGID" "$@"