| set -e | |
| # Fix data directory permissions when running as root. | |
| # Docker named volumes / host bind-mounts may be owned by root, | |
| # preventing the non-root app user from writing files. | |
| if [ "$(id -u)" = "0" ]; then | |
| mkdir -p /app/data | |
| # Use || true to avoid failure on read-only mounted files (e.g. config.yaml:ro) | |
| chown -R app:app /app/data 2>/dev/null || true | |
| # Re-invoke this script as the non-root user so the main process runs unprivileged. | |
| exec su-exec app "$0" "$@" | |
| fi | |
| # Compatibility: if the first arg looks like a flag (e.g. --help), | |
| # prepend the default binary so it behaves like the default CMD form. | |
| if [ "${1#-}" != "$1" ]; then | |
| set -- /app/server "$@" | |
| fi | |
| exec "$@" |