Feature Proposal: Support setting PUID and PGID via environment variables at container startup

[edward-jazzhands]

Thanks for the detailed explanation in the previous discussion. So now that I understand how the vaults folder permissions are set by the image build process, I’d like to propose a feature that could solve the external access / backup issue without compromising the security model.

I've seen that many containers in the ecosystem, particularly those following the linuxserver.io pattern, allow users to set PUID and PGID as environment variables on container launch. A startup script then adjusts the container’s user and group IDs accordingly. Implementing this in the Many Notes container would allow users to map the container’s www-data user to their host system IDs, granting external access (e.g. for SMB shares or backup tools) without needing to build your own version of the docker image.

I realize its surely a small niche of people that are homelab enthusiasts like me and want to externally back up the notes/vaults using backup software. Like I said I'm not an expert in writing docker images or docker security, but I have seen this commonly employed in other containers to solve this exact problem with the container not matching users on the server. So I thought I'd mention it and see what you think.

Also just like to say again the app is awesome, I wouldn't bother writing this if I didn't really want to use it

[brufdev]

The pattern used in linuxserver images is common in self-hosting images, but not everyone likes it because it is not rootless. The container starts as root, adapts permissions to the passed IDs, and then drops privileges to run as an unprivileged user. Each container boot is slower because it has to adapt permissions, but this approach is more convenient since there's no need to modify anything during the build phase. It's possible that I'm being more cautious than necessary but the reasons for my decision are in this discussion.

I'm currently migrating the frontend framework and still have quite a bit of work to do. After that, I'll take a look at this again, but in the meantime, let's keep this issue open so others can leave their input. Until then, use the build phase approach like I do so you can do your backups.

I realize its surely a small niche of people that are homelab enthusiasts like me and want to externally back up the notes/vaults using backup software.

I want to believe that most people back up their stuff and you are doing the right thing. Not everyone uses ZFS filesystems to take snapshots, so they have to use some other software.

Also just like to say again the app is awesome, I wouldn't bother writing this if I didn't really want to use it

Thank you, it means a lot!