🐳 Use nginx-unprivileged as base image

docker/images/Dockerfile.frontend

@@ -1,6 +1,8 @@
-FROM nginx:1.23
+FROM nginxinc/nginx-unprivileged:1.27.1
 LABEL maintainer="Andrey Antukh <niwi@niwi.nz>"
 
+USER root
+
 RUN set -ex; \
     useradd -U -M -u 1001 -s /bin/false -d /opt/penpot penpot; \
     mkdir -p /opt/data/assets; \
@@ -12,5 +14,13 @@ ADD ./files/nginx.conf /etc/nginx/nginx.conf.template
 ADD ./files/nginx-mime.types /etc/nginx/mime.types
 ADD ./files/nginx-entrypoint.sh /entrypoint.sh
 
+RUN chown -R 1001:0 /var/cache/nginx; \
+    chmod -R g+w /var/cache/nginx; \
+    chown -R 1001:0 /etc/nginx; \
+    chmod -R g+w /etc/nginx; \
+    chown -R 1001:0 /var/www; \
+    chmod -R g+w /var/www;
+
+USER penpot:penpot
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]

docker/images/docker-compose.yaml

@@ -35,7 +35,7 @@ services:
     image: "penpotapp/frontend:latest"
     restart: always
     ports:
-      - 9001:80
+      - 9001:8080
 
     volumes:
       - penpot_assets:/opt/data/assets

docker/images/files/nginx.conf

@@ -1,6 +1,5 @@
-user www-data;
 worker_processes auto;
-pid /run/nginx.pid;
+pid /tmp/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 
 events {
@@ -9,6 +8,12 @@ events {
 }
 
 http {
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+
     sendfile on;
     tcp_nopush on;
     tcp_nodelay on;
@@ -56,7 +61,7 @@ http {
     include /etc/nginx/overrides.d/*.conf;
 
     server {
-        listen 80 default_server;
+        listen 8080 default_server;
         server_name _;
 
         client_max_body_size 100M;