Use dedicated users to run services

docker-entrypoint.sh

@@ -2,14 +2,15 @@
 
 set -xeo pipefail
 
-if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
-    echo "Generating SSH key..."
-    sed -i "s/^#HostKey.*$/HostKey \/etc\/ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config
-    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
+if [ ! -f /fdroid/ssh_host_rsa_key ]; then
+    echo "Generating host SSH key..."
+    ssh-keygen -f /fdroid/ssh_host_rsa_key -N '' -t rsa
+    chown fdroid: /fdroid/ssh_host_rsa_key
 fi
 
-mkdir -p /root/.ssh
-echo "${SSH_RSA_PUBLIC_KEY}" > /root/.ssh/authorized_keys
+mkdir -p /fdroid/.ssh
+echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys
+chmod 0600 /fdroid/.ssh/authorized_keys
 
 if [ ! -f /fdroid/keystore/keystore.jks ]; then
     keytool -genkey -noprompt \
@@ -25,6 +26,8 @@ echo "Updating configuration from environment..."
 envsubst < config.py.tmpl > config.py
 chmod 0600 config.py
 
-/fdroid-update.sh
+chown -R fdroid: /fdroid
 
-/usr/bin/supervisord
+su - fdroid /fdroid/fdroid-update.sh
+
+/usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini