Fix navidrome custom container image v1.0.2 (#194)

## Summary - Switch navidrome deployment from upstream `deluan/navidrome:0.60.3` back to custom image `registry.ops.eblu.me/blumeops/navidrome:v1.0.2` - The v1.0.1 image was tagged before the `USER 65534` removal commit, so it still ran as a non-root user that couldn't write to the SQLite data directory - v1.0.2 is built from current main which includes both the `zlib-dev` build fix and the non-root user removal ## Deployment and Testing - [ ] Wait for CI to build `navidrome:v1.0.2` image - [ ] Sync via ArgoCD and verify pod starts without CrashLoopBackOff - [ ] Verify navidrome UI accessible at https://navidrome.ops.eblu.me Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/194
2026-02-16 08:24:33 -08:00 · 2026-02-16 08:24:33 -08:00 · 74294094e3
commit 74294094e3
parent 7ffbd12ac8
3 changed files with 13 additions and 2 deletions
--- a/argocd/manifests/navidrome/deployment.yaml
+++ b/argocd/manifests/navidrome/deployment.yaml
@ -14,9 +14,16 @@ spec:
      labels:
        app: navidrome
    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
      containers:
        - name: navidrome
-          image: deluan/navidrome:0.60.3
+          image: registry.ops.eblu.me/blumeops/navidrome:v1.0.3
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
          ports:
            - containerPort: 4533
              name: http
--- a/containers/navidrome/Dockerfile
+++ b/containers/navidrome/Dockerfile
@ -42,10 +42,13 @@ LABEL org.opencontainers.image.description="Navidrome is a self-hosted music ser
 # Points to upstream canonical source, not the forge mirror used for builds
 LABEL org.opencontainers.image.source=https://github.com/navidrome/navidrome

-RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg
+RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg \
+ && addgroup -g 1000 navidrome \
+ && adduser -u 1000 -G navidrome -D navidrome

 COPY --from=build /navidrome /usr/bin/navidrome

 EXPOSE 4533

+USER 1000
 CMD ["/usr/bin/navidrome"]
--- a/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md
+++ b/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md
@ -0,0 +1 @@
+Switch navidrome to custom container image with dedicated non-root user and fsGroup security context
				`@ -0,0 +1 @@`
				`Switch navidrome to custom container image with dedicated non-root user and fsGroup security context`