docs: run as non-root in Docker containers

docs/docker.md

@@ -29,13 +29,11 @@ FROM dunglas/frankenphp
 
 # add additional extensions here:
 RUN install-php-extensions \
-    pdo_mysql \
-    gd \
-    intl \
-    zip \
-    opcache
-
-# ...
+	pdo_mysql \
+	gd \
+	intl \
+	zip \
+	opcache
 ```
 
 ## How to Install More Caddy Modules
@@ -53,13 +51,13 @@ COPY --from=caddy:builder /usr/bin/xcaddy /usr/bin/xcaddy
 # CGO must be enabled to build FrankenPHP
 ENV CGO_ENABLED=1 XCADDY_SETCAP=1 XCADDY_GO_BUILD_FLAGS="-ldflags '-w -s'"
 RUN xcaddy build \
-    --output /usr/local/bin/frankenphp \
-    --with github.com/dunglas/frankenphp=./ \
-    --with github.com/dunglas/frankenphp/caddy=./caddy/ \
-    # Mercure and Vulcain are included in the official build, but feel free to remove them
-    --with github.com/dunglas/mercure/caddy \
-    --with github.com/dunglas/vulcain/caddy
-    # Add extra Caddy modules here
+	--output /usr/local/bin/frankenphp \
+	--with github.com/dunglas/frankenphp=./ \
+	--with github.com/dunglas/frankenphp/caddy=./caddy/ \
+	# Mercure and Vulcain are included in the official build, but feel free to remove them
+	--with github.com/dunglas/mercure/caddy \
+	--with github.com/dunglas/vulcain/caddy
+	# Add extra Caddy modules here
 
 FROM dunglas/frankenphp AS runner
 
@@ -127,3 +125,22 @@ volumes:
   caddy_data:
   caddy_config:
 ```
+
+## Running as a Non-Root User
+
+FrankenPHP can run as non root user in Docker.
+
+Here is a sample `Dockerfile` doing this:
+
+```dockerfile
+FROM dunglas/frankenphp
+
+ARG USER=www-data
+USER ${USER}
+
+RUN adduser -D ${USER} \
+	# Caddy requires an additional capability to bind to port 80 and 443
+	setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/frankenphp
+	# Caddy requires write access to /data/caddy and /config/caddy
+	RUN chown -R ${USER}:${USER} /data/caddy && chown -R ${USER}:${USER} /config/caddy
+```