Dont use root

Dockerfile

@@ -5,8 +5,13 @@ ARG TARGETPLATFORM
 
 # We don't actually need to create a new user
 # Just set a reasonable home directory
-WORKDIR /home/root
-ENV HOME=/home/root
+ARG UID=1000
+ARG GID=1000
+ENV USERNAME=rgpeach10
+RUN addgroup -g ${GID} ${USERNAME} 2>/dev/null || addgroup ${USERNAME}; \
+    adduser -D -H -u ${UID} -G ${USERNAME} ${USERNAME} 2>/dev/null || \
+    (echo "${USERNAME}:x:${UID}:${GID}::/home/${USERNAME}:/bin/sh" >> /etc/passwd && \
+     mkdir -p /home/${USERNAME} && chown ${UID}:${GID} /home/${USERNAME})
 
 # Stable repos first, edge as fallback for packages not yet in stable
 # Stable repos first
@@ -95,12 +100,7 @@ RUN apk add --no-cache --repositories-file /etc/apk/repositories.edge \
     helmfile \
   && rm -rf /var/cache/apk/*
 
-# Cargo installs
-ENV PATH="/home/root/.cargo/bin:$PATH"
-
-# uv installs
-ENV PATH="$HOME/.local/bin:$PATH"
-RUN curl -LsSf https://astral.sh/uv/install.sh | sh
+# Build dependencies needed for uv tool compilation (requires root)
 RUN apk --no-cache --virtual .build-deps add \
       gcc \
       g++ \
@@ -124,9 +124,18 @@ RUN apk --no-cache --virtual .build-deps add \
       sshpass \
       patch \
       build-base \
-      gcc-doc && \
+      gcc-doc
+
+# Drop root — all remaining commands run as the non-root user
+USER ${USERNAME}
+WORKDIR /home/${USERNAME}
+ENV HOME=/home/${USERNAME}
+
+# uv installs (as user)
+ENV PATH="$HOME/.local/bin:$PATH"
+RUN curl -LsSf https://astral.sh/uv/install.sh | sh
+RUN uv tool install --verbose pre-commit && \
       # uv tool install aider-chat && \ TODO: Fix this, something to do with scipy
-      uv tool install --verbose pre-commit && \
       uv tool install --verbose ruff && \
       uv tool install --verbose ipython && \
       uv tool install --verbose ipdb && \
@@ -137,15 +146,21 @@ RUN apk --no-cache --virtual .build-deps add \
       uv tool install --verbose thefuck && \
       uv tool install --verbose ansible
 
-# npm installs
-RUN npm install -g \
+# npm installs (user-local prefix to avoid root)
+RUN mkdir -p "$HOME/.npm-global" && \
+    npm config set prefix "$HOME/.npm-global" && \
+    npm install -g \
     prettier \
     pyright
+ENV PATH="$HOME/.npm-global/bin:$PATH"
 
 # Install tfenv
 RUN git clone --depth=1 https://github.com/tfutils/tfenv.git $HOME/.tfenv
 RUN .tfenv/bin/tfenv install latest
 
+# Rust installs
+ENV PATH="$HOME/.local/bin:$HOME/.cargo/bin:$PATH"
+
 # Go installs
 ENV PATH="$HOME/go/bin:$PATH"
 
@@ -155,7 +170,7 @@ RUN curl -sS https://webi.sh/gh | sh
 
 # Install Oh My Zsh
 RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
-ENV ZSH_CUSTOM=/home/root/.oh-my-zsh/custom
+ENV ZSH_CUSTOM=/home/${USERNAME}/.oh-my-zsh/custom
 RUN git clone https://github.com/zsh-users/zsh-autosuggestions $ZSH_CUSTOM/plugins/zsh-autosuggestions
 RUN git clone https://github.com/zsh-users/zsh-syntax-highlighting.git $ZSH_CUSTOM/plugins/zsh-syntax-highlighting
 RUN git clone --depth=1 https://github.com/romkatv/powerlevel10k.git $ZSH_CUSTOM/themes/powerlevel10k
@@ -165,11 +180,11 @@ RUN git clone --depth=1 https://github.com/romkatv/powerlevel10k.git $ZSH_CUSTOM
 # REF: https://github.com/eth-p/bat-extras/issues/126
 RUN git clone https://github.com/eth-p/bat-extras.git \
   && cd bat-extras \
-  && ./build.sh --install --no-verify
+  && ./build.sh --install --prefix="$HOME/.local" --no-verify
 
 # Copies
 ENV SHELL_DIR=$HOME/shell
-COPY . $SHELL_DIR
+COPY --chown=${USERNAME}:${USERNAME} . $SHELL_DIR
 RUN set -e \
   && cd $SHELL_DIR \
   && if [ -z "$(git status --porcelain)" ]; then echo "No changes"; else git status --porcelain; exit 1; fi
@@ -186,4 +201,8 @@ RUN find $SHELL_DIR/home/bin -type f -exec chmod +x {} \;
 # terminal colors with xterm
 ENV TERM=xterm-256color
 
+# Entrypoint must run as root to modify the user
+USER root
+WORKDIR /home/${USERNAME}/mnt
+ENV MNT=/home/${USERNAME}/mnt
 CMD ["/bin/zsh"]

Justfile

@@ -1,28 +1,41 @@
 build:
-    docker buildx build --progress=plain -t rgpeach10/shell:local . --load
+    docker buildx build \
+        --progress=plain \
+        --build-arg UID=$(id -u) \
+        --build-arg GID=$(id -g) \
+        --build-arg USERNAME=$(whoami) \
+        -t rgpeach10/shell:local \
+        . \
+        --load
 
 run-local:
     docker run -it --rm \
-        -v $HOME/.ssh:/home/root/.ssh \
-        -v $HOME:/home/root/mnt \
-        -w /home/root/mnt \
+        --user $(id -u) \
+        -v $HOME:/home/$(whoami)/mnt \
+        -v /var/run/docker.sock:/var/run/docker.sock \
         -e GITHUB_TOKEN=$(gh auth token) \
-        -e MNT=/home/root/mnt \
-        -e DEBUG=1 \
+        --pull=always \
         rgpeach10/shell:local
 
 run-remote tag="local":
     docker run -it --rm \
-        -v $HOME/.ssh:/home/root/.ssh \
-        -v $HOME:/home/root/mnt \
-        -w /home/root/mnt \
+        --user $(id -u) \
+        -v $HOME:/home/$(whoami)/mnt \
+        -v /var/run/docker.sock:/var/run/docker.sock \
         -e GITHUB_TOKEN=$(gh auth token) \
-        -e MNT=/home/root/mnt \
         --pull=always \
         rgpeach10/shell:{{tag}}
 
 build-all tag="local":
-    docker buildx build --progress=plain -t rgpeach10/shell:{{tag}} --platform linux/amd64,linux/arm64 . --push
+    docker buildx build \
+        --progress=plain \
+        --build-arg UID=$(id -u) \
+        --build-arg GID=$(id -g) \
+        --build-arg USERNAME=$(whoami) \
+        -t rgpeach10/shell:{{tag}} \
+        --platform linux/amd64,linux/arm64 \
+        . \
+        --push
 
 test:
     just build

README.md

@@ -37,16 +37,16 @@ Create a `~/.docker-shell.sh` file with the following contents:
 #!/usr/bin/env bash
 
 docker run -it --rm \
-    -v $HOME/.ssh:/home/root/.ssh \
-    -v $HOME:/home/root/mnt \
+    --user $(id -u) \
+    -v $HOME:/home/rgpeach10/mnt \
     -v /var/run/docker.sock:/var/run/docker.sock \
-    -w /home/root/mnt \
     -e GITHUB_TOKEN=$(gh auth token) \
-    -e MNT=/home/rgpeach10/mnt \
     --pull=always \
     rgpeach10/shell:main
 ```
 
+NOTE: User must match the $UID and $(id -g) must match $GID build args. Othwerwise, please build this locally then run it.
+
 Then set your terminal to launch this script when you open it.
 
 Or you could put it in your `~/.bash_profile`, `~/.bashrc`, or `~/.zshrc` file.