Fix EACCES on bind-mounted /app/data

Bind mounts override the image's chown, so the container's nextjs
user (uid 1001) couldn't write to /app/data when it was mounted from
a host dir owned by someone else. Start as root, fix ownership in an
entrypoint, then drop to nextjs via su-exec.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Dockerfile

@@ -24,7 +24,8 @@ ENV NEXT_TELEMETRY_DISABLED=1
 ENV PORT=3000
 ENV HOSTNAME=0.0.0.0
 
-RUN addgroup --system --gid 1001 nodejs \
+RUN apk add --no-cache su-exec \
+ && addgroup --system --gid 1001 nodejs \
  && adduser --system --uid 1001 nextjs
 
 COPY --from=builder /app/public ./public
@@ -33,7 +34,12 @@ COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
 
 RUN mkdir -p /app/data && chown nextjs:nodejs /app/data
 
-USER nextjs
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+# Stay as root so the entrypoint can fix bind-mount ownership, then drop
+# privileges via su-exec before launching the server.
 EXPOSE 3000
 VOLUME ["/app/data"]
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["node", "server.js"]

docker-entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+# /app/data is usually a bind mount from the host, so whatever permissions the
+# image set during build don't survive. Fix ownership on boot, then drop root.
+if [ -d /app/data ]; then
+  chown -R nextjs:nodejs /app/data 2>/dev/null || true
+fi
+
+exec su-exec nextjs:nodejs "$@"