From e957419b778573ebf87cb681deec24b0f9c492c6 Mon Sep 17 00:00:00 2001
From: vikingowl <christian@nachtigall.dev>
Date: Sun, 22 Feb 2026 09:54:35 +0100
Subject: [PATCH] fix(docker): use existing nobody user instead of creating UID
 65534

---
 web/Dockerfile | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/web/Dockerfile b/web/Dockerfile
index c464d0b..0d19ec2 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -25,16 +25,14 @@ RUN bun run build
 # ─────────────────────────────────────────────
 FROM node:22-alpine
 
-# UID 65534 = nobody on Alpine, matches podSecurityContext.runAsUser
-RUN adduser -D -u 65534 -g '' nonroot
-
 WORKDIR /app
 
 COPY --from=builder /app/build ./build
 COPY --from=deps /app/node_modules ./node_modules
 COPY --from=builder /app/package.json .
 
-USER nonroot:nonroot
+# node:22-alpine already ships nobody at UID 65534 — matches podSecurityContext.runAsUser
+USER nobody:nobody
 
 # ORIGIN is required by adapter-node for CSRF protection.
 # Must match the public-facing URL exactly (set via k8s ConfigMap).