unbreak mount permissions on linux

Matthew Hodgson
2024-11-06 17:45:54 +00:00
parent 058b1761b7
commit 09f9dddf57
9 changed files with 20 additions and 0 deletions


@@ -7,6 +7,10 @@
# n.b. SECRETS_* env variables get pulled in on demand from files in ./secrets
# XXX: how do we interpolate this in?
USER_ID=
GROUP_ID=
VOLUME_PATH=.
DOMAIN=example.com
HOMESERVER_FQDN=matrix.$DOMAIN
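Review bot: `USER_ID=` and `GROUP_ID=` ship empty, and the only guidance near them is the `# XXX: how do we interpolate this in?` line, so an operator copying this file has no indication of what to fill in or that the values matter. I would replace the XXX with a comment along the lines of `# uid/gid that own ${VOLUME_PATH}/data and ./secrets on the host (id -u / id -g); must be set before the first start`. Because the secrets directory is mounted into containers that run under these ids, it is also worth stating that the account should be a dedicated unprivileged one rather than 0.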


@@ -1,4 +1,5 @@
# FIXME: define a frontend & backend network, and only expose backend services to the frontend (nginx)
networks:
backend:
@@ -18,6 +19,7 @@ services:
# dependencies for optionally generating default configs + secrets
generate-synapse-secrets:
image: ghcr.io/element-hq/synapse:latest
user: $USER_ID:$GROUP_ID
restart: "no"
volumes:
- ${VOLUME_PATH}/data/synapse:/data:rw
@@ -33,6 +35,7 @@ services:
generate-mas-secrets:
restart: "no"
image: ghcr.io/element-hq/matrix-authentication-service:latest
user: $USER_ID:$GROUP_ID
volumes:
- ${VOLUME_PATH}/data/mas:/data:rw
# FIXME: stop this regenerating a spurious default config every time
@@ -42,6 +45,7 @@ services:
# dependency for templating /data-template into /data (having extracted any secrets from any default generated configs)
init:
build: init
user: $USER_ID:$GROUP_ID
restart: "no"
volumes:
- ${VOLUME_PATH}/secrets:/secrets
@@ -58,6 +62,7 @@ services:
nginx:
image: nginx:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
ports:
- "80:80"
@@ -99,6 +104,7 @@ services:
postgres:
image: postgres:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/postgres:/var/lib/postgresql/data:rw
@@ -123,6 +129,7 @@ services:
redis:
image: redis:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
# healthcheck:
# test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
@@ -134,6 +141,7 @@ services:
synapse:
image: ghcr.io/element-hq/synapse:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/synapse:/data:rw
@@ -157,6 +165,7 @@ services:
synapse-generic-worker-1:
image: ghcr.io/element-hq/synapse:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/synapse-generic-worker-1.yaml"]
healthcheck:
@@ -182,6 +191,7 @@ services:
synapse-federation-sender-1:
image: ghcr.io/element-hq/synapse:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/synapse-federation-sender-1.yaml"]
healthcheck:
@@ -202,6 +212,7 @@ services:
mas:
image: ghcr.io/element-hq/matrix-authentication-service:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
# ports:
# - 8083:8080
@@ -221,6 +232,7 @@ services:
# as a basic local MTA
mailhog:
image: mailhog/mailhog:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
ports:
- 8025:8025
@@ -230,6 +242,7 @@ services:
element-web:
image: vectorim/element-web:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
# ports:
# - 8080:80
@@ -248,6 +261,7 @@ services:
element-call:
image: ghcr.io/element-hq/element-call
user: $USER_ID:$GROUP_ID
restart: unless-stopped
# ports:
# - 8082:80
@@ -261,6 +275,7 @@ services:
livekit:
image: livekit/livekit-server:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/livekit/config.yaml:/etc/livekit.yaml
@@ -295,6 +310,7 @@ services:
FROM alpine:latest
RUN apk update && apk add bash
COPY --from=builder /lk-jwt-service /
user: $USER_ID:$GROUP_ID
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/nginx/ssl/rootCA.pem:/etc/ssl/certs/ca-certificates.crt
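Review bot: Every added `user: $USER_ID:$GROUP_ID` line, from `generate-synapse-secrets` through the final lk-jwt service, is interpolated without a guard, so with the empty `USER_ID=`/`GROUP_ID=` defaults shown in the env file it renders as `user: ":"`. What the engine does with that value is not visible on this page; if it falls back to the image's default user, the services would quietly run as root again against the bind-mounted data and secrets directories. Make it fail closed with Compose's required-variable form, quoted so the scalar is always a string: `user: "${USER_ID:?set USER_ID to the host uid}:${GROUP_ID:?set GROUP_ID to the host gid}"`. It is also worth confirming that the stock `nginx:latest` and `postgres:latest` images start cleanly under an arbitrary uid, since their default setups may expect to write to root-owned paths at startup.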


0
data/livekit/config.yaml Normal file

0
data/mas/.gitkeep Normal file

0
data/postgres/.gitkeep Normal file

0
data/synapse/.gitkeep Normal file