From 7f17b652786b074e9a50366b453a1ed5a8376f35 Mon Sep 17 00:00:00 2001
From: Oskar Kapala
Date: Wed, 3 Jun 2026 18:19:58 +0200
Subject: [PATCH] fix(control-plane): run executor as uid 1000 with docker group access

Executor was the only control-plane container running as root (uid=0), writing root-owned files to /opt/homelab via bind-mount and triggering false sudo on every deploy.

- Dockerfile: add USER homelab after useradd (useradd already present)
- docker-compose.yml: add user: "1000:1000" and group_add: ["999"] (GID 999 = docker group on VPS) so executor retains docker.sock access

Co-Authored-By: Claude Sonnet 4.6
---
 services/control-plane/Dockerfile | 1 +
 services/control-plane/docker-compose.yml | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/services/control-plane/Dockerfile b/services/control-plane/Dockerfile
index a98383a..581d7ad 100644
--- a/services/control-plane/Dockerfile
+++ b/services/control-plane/Dockerfile
@@ -20,4 +20,5 @@ ENV RUNTIME_PATH=/opt/homelab
 ENV PYTHONUNBUFFERED=1
 # Default command (will be overridden in docker-compose)
+USER homelab
 CMD ["python", "src/operator_ui.py"]
diff --git a/services/control-plane/docker-compose.yml b/services/control-plane/docker-compose.yml
index 7234bfa..4bea06f 100644
--- a/services/control-plane/docker-compose.yml
+++ b/services/control-plane/docker-compose.yml
@@ -56,6 +56,9 @@ services:
   executor:
     build: .
     container_name: control-plane-executor
+    user: "1000:1000"
+    group_add:
+      - "999"
     command: python src/executor.py
     volumes:
       - /opt/homelab:/opt/homelab
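Review bot: The added `USER homelab` is placed between the comment `# Default command (will be overridden in docker-compose)` and the `CMD` it describes, so the comment now reads as if it applies to the USER directive; move `USER homelab` above that comment so the comment stays attached to `CMD`. The hunk does not show the `useradd` the message refers to, and the compose side pins the numeric id `1000:1000`; unless that `useradd` fixes `--uid 1000` (and the image's `homelab` group is gid 1000), the name used here and the numeric ids used in compose may resolve to different accounts, so it is worth confirming and noting that in a comment next to the USER line, e.g. `# must match user: "1000:1000" in docker-compose.yml`. Anything copied into the image before this line is still owned by root and is only readable by uid 1000 if its mode allows it; presumably fine for a Python source tree, but verify if the executor writes under the image's own paths. The rest of the Dockerfile, including the useradd, lies outside this hunk.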
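Review bot: The hard-coded `"999"` in `group_add` is the host's docker group id, which `group_add` does not resolve by name against the host, so the value silently stops granting socket access on any machine where the docker group has a different gid and the executor will fail at runtime rather than at compose time; make it overridable with a documented default, `- "${DOCKER_GID:-999}"  # host docker group gid; root-equivalent on the host`. That comment matters because dropping to uid 1000 fixes the bind-mount ownership problem described in the message but does not reduce privilege: a process that can talk to docker.sock can still obtain root on the VPS, so the container should still be treated as trusted in threat modelling and the socket mount kept out of any other service built from this image. `user: "1000:1000"` correctly quotes the value so the colon pair is not read as a sexagesimal number. The `executor` service block continues past the end of this hunk, so the docker.sock mount itself is not visible here.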