From a1e30b0654a97c46b8c8eaa645e21ba3ce58715b Mon Sep 17 00:00:00 2001
From: Devin Buhl
Date: Tue, 14 May 2024 21:27:05 -0400
Subject: [PATCH] feat(hass): run as non-root (#1023)
---
 apps/home-assistant/Dockerfile | 7 +++++++
 apps/home-assistant/entrypoint.sh | 3 ---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/apps/home-assistant/Dockerfile b/apps/home-assistant/Dockerfile
index 0303d7866..6bb75271e 100644
--- a/apps/home-assistant/Dockerfile
+++ b/apps/home-assistant/Dockerfile
@@ -91,6 +91,9 @@ RUN \
 uv pip install --system --only-binary=:all: --find-links "${HOMEASSISTANT_WHEELS}" \
 homeassistant=="${VERSION}" \
 && \
+ mkdir -p /config \
+ && chown nobody:nogroup -R /config \
+ && \
 apk del --purge .build-deps \
 && \
 rm -rf \
@@ -100,6 +103,10 @@ RUN \
 COPY ./apps/home-assistant/entrypoint.sh /entrypoint.sh
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/home-assistant/entrypoint.sh b/apps/home-assistant/entrypoint.sh
index 16a0c9dbb..89ead64b4 100755
--- a/apps/home-assistant/entrypoint.sh
+++ b/apps/home-assistant/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
-mkdir -p /config/logs
-
 if [[ "${HOME_ASSISTANT__HACS_INSTALL}" == "true" ]]; then
 curl -sfSL https://hacs.xyz/install | bash -
 fi
@@ -9,5 +7,4 @@ fi
 exec \
 /usr/local/bin/hass \
 --config /config \
- --log-file /config/logs/home-assistant.log \
 "$@"
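Review bot: The added `chown nobody:nogroup -R /config` hands the persistent config directory to the shared `nobody` account instead of an identity dedicated to this service. A Home Assistant config directory normally holds credentials and tokens, and any other workload that also runs as `nobody` against the same volume or host path could read and modify them. Consider creating a service user with a fixed numeric UID/GID in this RUN step and using `chown -R <uid>:<gid> /config` (the IDs are placeholders for the project to choose). The RUN instruction begins and ends outside this hunk.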
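Review bot: `USER nobody:nogroup` names the account symbolically, and Kubernetes cannot verify `runAsNonRoot: true` against a non-numeric image user, so a pod that enforces that setting without also setting `runAsUser` is refused at start. Writing the numeric form, e.g. `USER 65534:65533` (the IDs Alpine normally assigns to nobody and nogroup; confirm against the base image), keeps the non-root guarantee checkable by the runtime. The build-time chown in the RUN step also covers only the image's own /config: a bind mount or pre-existing volume keeps its host ownership, and nothing in the visible entrypoint checks that /config is writable before hass starts. A comment above `VOLUME ["/config"]` such as `# a mounted /config must be writable by the image user` would document that requirement.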