try it with gosu instead so it can be automatic

Author: rubinlinux

docker-compose.yml-example

@@ -36,8 +36,6 @@ services:
   #   # build: ./tools/linesync
   #   container_name: linesync
   #   restart: unless-stopped
-  #   # Match your host user's UID:GID for bind mount permissions
-  #   user: "${UID}:${GID}"
   #   depends_on:
   #     - nefarious
   #   volumes:

tools/linesync/Dockerfile

@@ -6,14 +6,13 @@
 #   setup   - Clone the linesync repository (initial setup)
 #   sync    - Continuous sync loop (default)
 #
-# Supports UID/GID remapping via fixuid. In docker-compose:
-#   user: "${UID}:${GID}"
+# Automatically detects UID/GID from mounted directories for proper permissions.
 
 FROM debian:12-slim
 
-# Default UID/GID (can be remapped at runtime via fixuid)
-ENV GID=1234
-ENV UID=1234
+# Default UID/GID (will be overridden at runtime based on mounted directory ownership)
+ENV LINESYNC_UID=1000
+ENV LINESYNC_GID=1000
 
 # Install required tools
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -25,6 +24,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
     gnupg \
+    gosu \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Docker CLI (for sending signals to nefarious container)
@@ -36,16 +36,9 @@ RUN install -m 0755 -d /etc/apt/keyrings \
     && apt-get install -y --no-install-recommends docker-ce-cli \
     && rm -rf /var/lib/apt/lists/*
 
-# Create user
-RUN groupadd -g ${GID} linesync \
-    && useradd -u ${UID} -g ${GID} -m linesync
-
-# Install fixuid for UID/GID remapping at runtime
-RUN ARCH="$(dpkg --print-architecture)" && \
-    curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-${ARCH}.tar.gz" | tar -C /usr/local/bin -xzf - && \
-    chmod 4755 /usr/local/bin/fixuid && \
-    mkdir -p /etc/fixuid && \
-    printf "user: linesync\ngroup: linesync\npaths:\n  - /home/linesync\n" > /etc/fixuid/config.yml
+# Create user (UID/GID will be adjusted at runtime)
+RUN groupadd -g ${LINESYNC_GID} linesync \
+    && useradd -u ${LINESYNC_UID} -g ${LINESYNC_GID} -m linesync
 
 # Create directories
 RUN mkdir -p /home/linesync/.ssh \
@@ -57,12 +50,11 @@ COPY gitsync.sh /home/linesync/gitsync.sh
 COPY linesync-entrypoint.sh /home/linesync/entrypoint.sh
 RUN chmod +x /home/linesync/gitsync.sh /home/linesync/entrypoint.sh
 
-USER linesync:linesync
-WORKDIR /home/linesync
+# SSH config template (will be copied to user's .ssh at runtime)
+RUN echo "Host *\n  StrictHostKeyChecking accept-new\n  UserKnownHostsFile /home/linesync/.ssh/known_hosts" > /etc/ssh/ssh_config.d/linesync.conf
 
-# SSH config for git
-RUN echo "Host *\n  StrictHostKeyChecking accept-new\n  UserKnownHostsFile /home/linesync/.ssh/known_hosts" > /home/linesync/.ssh/config \
-    && chmod 600 /home/linesync/.ssh/config
+WORKDIR /home/linesync
 
-ENTRYPOINT ["fixuid", "-q", "/home/linesync/entrypoint.sh"]
+# Run as root initially; entrypoint will drop privileges after detecting UID/GID
+ENTRYPOINT ["/home/linesync/entrypoint.sh"]
 CMD ["sync"]

tools/linesync/README.md

@@ -9,7 +9,7 @@ A Docker sidecar container for automated git-based configuration synchronization
 - Configurable sync interval
 - Support for SSL certificate sync via git tags
 - Multiple operation modes: keygen, setup, sync, once
-- Automatic UID/GID remapping via fixuid for bind mount compatibility
+- Automatic UID/GID detection from bind mounts (no manual configuration needed)
 
 ## Quick Start
 
@@ -24,7 +24,7 @@ docker build -t linesync .
 
 ```bash
 mkdir -p ./linesync-ssh ./linesync
-docker run --rm -u "$(id -u):$(id -g)" \
+docker run --rm \
   -v ./linesync-ssh:/home/linesync/.ssh \
   linesync keygen
 ```
@@ -34,7 +34,7 @@ This outputs a public key. Add it to your git repository's deploy keys.
 ### 3. Initial repository setup
 
 ```bash
-docker run --rm -u "$(id -u):$(id -g)" \
+docker run --rm \
   -v ./linesync-ssh:/home/linesync/.ssh \
   -v ./local.conf:/home/linesync/ircd/local.conf \
   -v ./linesync:/home/linesync/ircd/linesync \
@@ -47,7 +47,6 @@ docker run --rm -u "$(id -u):$(id -g)" \
 ```bash
 docker run -d \
   --name linesync \
-  -u "$(id -u):$(id -g)" \
   -v ./linesync-ssh:/home/linesync/.ssh \
   -v ./local.conf:/home/linesync/ircd/local.conf \
   -v ./linesync:/home/linesync/ircd/linesync \
@@ -60,20 +59,18 @@ docker run -d \
 
 ## Command Line Usage
 
-**Note:** Use `-u "$(id -u):$(id -g)"` to match your host user's UID/GID for proper file permissions on bind mounts.
-
 ### Generate SSH keypair
 
 ```bash
 mkdir -p ./linesync-ssh
 
 # Generate ed25519 key (default, recommended)
-docker run --rm -u "$(id -u):$(id -g)" \
+docker run --rm \
   -v ./linesync-ssh:/home/linesync/.ssh \
   linesync keygen
 
 # Generate RSA key
-docker run --rm -u "$(id -u):$(id -g)" \
+docker run --rm \
   -v ./linesync-ssh:/home/linesync/.ssh \
   linesync keygen rsa
 ```
@@ -82,7 +79,7 @@ docker run --rm -u "$(id -u):$(id -g)" \
 
 ```bash
 mkdir -p ./linesync
-docker run --rm -u "$(id -u):$(id -g)" \
+docker run --rm \
   -v ./linesync-ssh:/home/linesync/.ssh \
   -v ./local.conf:/home/linesync/ircd/local.conf \
   -v ./linesync:/home/linesync/ircd/linesync \
@@ -93,7 +90,7 @@ docker run --rm -u "$(id -u):$(id -g)" \
 ### Run sync once
 
 ```bash
-docker run --rm -u "$(id -u):$(id -g)" \
+docker run --rm \
   -v ./linesync-ssh:/home/linesync/.ssh \
   -v ./local.conf:/home/linesync/ircd/local.conf \
   -v ./linesync:/home/linesync/ircd/linesync \
@@ -105,7 +102,7 @@ docker run --rm -u "$(id -u):$(id -g)" \
 ### Interactive shell (debugging)
 
 ```bash
-docker run --rm -it -u "$(id -u):$(id -g)" \
+docker run --rm -it \
   -v ./linesync-ssh:/home/linesync/.ssh \
   -v ./local.conf:/home/linesync/ircd/local.conf \
   -v ./linesync:/home/linesync/ircd/linesync \
@@ -129,8 +126,6 @@ services:
   linesync:
     image: ghcr.io/evilnet/nefarious2-linesync:latest
     container_name: linesync
-    # Match your host user's UID:GID for bind mount permissions
-    user: "${UID}:${GID}"
     depends_on:
       - nefarious
     volumes:
@@ -158,17 +153,17 @@ mkdir -p ./linesync-ssh ./linesync
 touch ./local.conf
 
 # 1. Generate SSH key
-UID=$(id -u) GID=$(id -g) docker compose run --rm linesync keygen
+docker compose run --rm linesync keygen
 
 # 2. Add the public key to your git repo's deploy keys
 
 # 3. Clone the linesync repository
-UID=$(id -u) GID=$(id -g) docker compose run --rm \
+docker compose run --rm \
   -e GIT_REPOSITORY=git@github.com:yourorg/linesync-data.git \
   linesync setup
 
 # 4. Start the services
-UID=$(id -u) GID=$(id -g) docker compose up -d
+docker compose up -d
 ```
 
 ## Environment Variables
@@ -229,18 +224,19 @@ docker run ... -e CERT_TAG=myserver-cert linesync sync
 - The Docker socket mount grants significant privileges. The container can control other containers.
 - Use read-only deploy keys in your git repository
 - Consider running the sidecar with `--read-only` filesystem (with tmpfs for `/tmp`)
-- SSH keys should be stored in a named volume or secrets manager
+- SSH keys should be stored securely
 
-## UID/GID Remapping
+## UID/GID Auto-Detection
 
-The container uses [fixuid](https://github.com/boxboat/fixuid) to automatically remap the internal user's UID/GID to match yours at runtime. This ensures files created in bind-mounted directories are owned by your host user.
+The container automatically detects the UID/GID of your bind-mounted directories and runs as that user. This means files created by the container will be owned by your host user without any manual configuration.
 
 **How it works:**
-1. You specify `user: "${UID}:${GID}"` in docker-compose (or `-u "$(id -u):$(id -g)"` on command line)
-2. fixuid runs at container startup and remaps the `linesync` user to match
-3. All file operations use your host UID/GID
+1. Container starts as root
+2. Entrypoint detects the owner of mounted directories (e.g., `./linesync-ssh`)
+3. Modifies the internal `linesync` user to match that UID/GID
+4. Drops privileges and runs the actual command as that user
 
-**Without UID/GID mapping:** Files would be owned by UID 1234 (the container's default), causing permission issues.
+This happens automatically - no `-u` flags or environment variables needed.
 
 ## Troubleshooting
 
@@ -259,19 +255,9 @@ Run `setup` mode first to clone the repository.
 ### "Could not signal container"
 Ensure the Docker socket is mounted and the container name matches `NEFARIOUS_CONTAINER`.
 
-### Permission denied on bind mounts
-Make sure you're passing the UID/GID:
-```bash
-# Command line
-docker run -u "$(id -u):$(id -g)" ...
-
-# Docker compose
-UID=$(id -u) GID=$(id -g) docker compose up
-```
-
 ### Debug with shell access
 ```bash
-docker run --rm -it -u "$(id -u):$(id -g)" \
+docker run --rm -it \
   -v ./linesync-ssh:/home/linesync/.ssh \
   -v ./local.conf:/home/linesync/ircd/local.conf \
   -v ./linesync:/home/linesync/ircd/linesync \

tools/linesync/linesync-entrypoint.sh

@@ -4,6 +4,64 @@
 
 set -e
 
+# =============================================================================
+# UID/GID Auto-Detection and Privilege Dropping
+# =============================================================================
+# If running as root, detect the UID/GID from mounted directories and drop
+# privileges to match. This allows bind mounts to work without manual -u flags.
+
+if [ "$(id -u)" = "0" ]; then
+    # Detect UID/GID from mounted directories (in order of preference)
+    TARGET_UID=""
+    TARGET_GID=""
+
+    for detect_path in /home/linesync/.ssh /home/linesync/ircd; do
+        if [ -d "$detect_path" ]; then
+            TARGET_UID=$(stat -c %u "$detect_path")
+            TARGET_GID=$(stat -c %g "$detect_path")
+            # Skip if owned by root (probably not a bind mount)
+            if [ "$TARGET_UID" != "0" ]; then
+                break
+            fi
+        fi
+    done
+
+    # Default to 1000:1000 if detection failed or got root
+    : "${TARGET_UID:=1000}"
+    : "${TARGET_GID:=1000}"
+
+    # Get current linesync UID/GID
+    CURRENT_UID=$(id -u linesync)
+    CURRENT_GID=$(id -g linesync)
+
+    # Modify user/group if needed
+    if [ "$TARGET_GID" != "$CURRENT_GID" ]; then
+        groupmod -g "$TARGET_GID" linesync 2>/dev/null || true
+    fi
+    if [ "$TARGET_UID" != "$CURRENT_UID" ]; then
+        usermod -u "$TARGET_UID" linesync 2>/dev/null || true
+    fi
+
+    # Fix ownership of home directory
+    chown -R linesync:linesync /home/linesync 2>/dev/null || true
+
+    # Ensure SSH config exists
+    if [ ! -f /home/linesync/.ssh/config ]; then
+        mkdir -p /home/linesync/.ssh
+        echo -e "Host *\n  StrictHostKeyChecking accept-new\n  UserKnownHostsFile /home/linesync/.ssh/known_hosts" > /home/linesync/.ssh/config
+        chmod 700 /home/linesync/.ssh
+        chmod 600 /home/linesync/.ssh/config
+        chown -R linesync:linesync /home/linesync/.ssh
+    fi
+
+    # Re-exec this script as linesync user
+    exec gosu linesync "$0" "$@"
+fi
+
+# =============================================================================
+# Main Entrypoint (running as linesync user)
+# =============================================================================
+
 # Configuration with defaults
 : "${SYNC_INTERVAL:=300}"           # Sync interval in seconds (default: 5 minutes)
 : "${IRCD_CONF:=/home/linesync/ircd/ircd.conf}"
@@ -58,7 +116,7 @@ do_keygen() {
     # Check if directory is writable
     if [ ! -w "$sshdir" ]; then
         echo "Error: SSH directory $sshdir is not writable"
-        echo "Fix permissions on the host: chmod 700 ./linesync-ssh && chown $(id -u):$(id -g) ./linesync-ssh"
+        echo "Check that the directory exists and has correct permissions"
         exit 1
     fi