From de476bab458ea505ceee97d5e14365f1bb01486e Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 16 Feb 2026 08:07:36 -0800 Subject: [PATCH] Run navidrome as non-root user with fsGroup for volume access Instead of running as root, create a dedicated navidrome user (UID 1000) in the container and use Kubernetes fsGroup to ensure PVC volumes are writable. This provides defense-in-depth against container escape attacks. - Dockerfile: add navidrome user/group (1000), set USER 1000 - Deployment: add pod securityContext (fsGroup, runAsUser, runAsGroup) - Deployment: add container securityContext (runAsNonRoot, no privilege escalation) - Bump image to v1.0.3 (v1.0.2 was built without these changes) Co-Authored-By: Claude Opus 4.6 --- argocd/manifests/navidrome/deployment.yaml | 9 ++++++++- containers/navidrome/Dockerfile | 5 ++++- .../changelog.d/fix-navidrome-container-v1.0.2.bugfix.md | 2 +- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/argocd/manifests/navidrome/deployment.yaml b/argocd/manifests/navidrome/deployment.yaml index 157fe91..09ee82c 100644 --- a/argocd/manifests/navidrome/deployment.yaml +++ b/argocd/manifests/navidrome/deployment.yaml @@ -14,9 +14,16 @@ spec: labels: app: navidrome spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 containers: - name: navidrome - image: registry.ops.eblu.me/blumeops/navidrome:v1.0.2 + image: registry.ops.eblu.me/blumeops/navidrome:v1.0.3 + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false ports: - containerPort: 4533 name: http diff --git a/containers/navidrome/Dockerfile b/containers/navidrome/Dockerfile index 4bf5231..3267b95 100644 --- a/containers/navidrome/Dockerfile +++ b/containers/navidrome/Dockerfile 
@@ -42,10 +42,13 @@ LABEL org.opencontainers.image.description="Navidrome is a self-hosted music ser # Points to upstream canonical source, not the forge mirror used for builds LABEL org.opencontainers.image.source=https://github.com/navidrome/navidrome -RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg +RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg \ + && addgroup -g 1000 navidrome \ + && adduser -u 1000 -G navidrome -D navidrome COPY --from=build /navidrome /usr/bin/navidrome EXPOSE 4533 +USER 1000 CMD ["/usr/bin/navidrome"] diff --git a/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md b/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md index 077e4a9..4c9c687 100644 --- a/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md +++ b/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md @@ -1 +1 @@ -Fix navidrome custom container image (removed non-root user that prevented SQLite writes) +Switch navidrome to custom container image with dedicated non-root user and fsGroup security context
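Review bot: In the deployment.yaml hunk, the container securityContext stops at `runAsNonRoot: true` and `allowPrivilegeEscalation: false`; for the defense-in-depth goal stated in the commit message, also drop capabilities (`capabilities: { drop: ["ALL"] }`) and set `seccompProfile: { type: RuntimeDefault }`, which is what the Kubernetes restricted Pod Security Standard checks for and which a music server reading a volume and listening on 4533 does not need to omit. Separately, `fsGroup: 1000` only takes effect on volume types whose driver performs ownership management (for a CSI-backed PVC, `fsGroupPolicy` must not be `None`), so verify on the actual storage class that the mounted data directory is group-writable by GID 1000 before relying on it; and if the PVC holds a large music library, consider `fsGroupChangePolicy: "OnRootMismatch"` to avoid a recursive chown on every pod start.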
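Review bot: In the Dockerfile hunk, the image creates the user and switches to `USER 1000` but never creates or chowns a data directory, so it works only when something outside the image (here, the pod `fsGroup`) fixes volume ownership; running the same image under plain `docker run` with a fresh bind mount will fail the SQLite write the changelog refers to. Either add a `mkdir -p <data dir> && chown navidrome:navidrome <data dir>` before the `USER` line (path not shown in this hunk) or state in the image's docs that writable volume ownership is the deployer's responsibility. The numeric `USER 1000` is the right choice, since `runAsNonRoot: true` can only be validated against a numeric UID; `adduser -D` also correctly leaves the account without a password. If the home directory is not needed, `adduser -H` keeps it out of the image.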
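Review bot: In the changelog hunk, the file is still named `fix-navidrome-container-v1.0.2.bugfix.md`, but the commit message says v1.0.2 was built without these changes and the image is bumped to v1.0.3, and the new text drops the note that the earlier image removed the non-root user and broke SQLite writes. Keep the original fix line for v1.0.2 and add the non-root user and fsGroup change as a separate fragment for v1.0.3, so the changelog records both what broke and what changed in the rebuilt image.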