From b41634e9787bc21d78a75b01b41f53457fa89a03 Mon Sep 17 00:00:00 2001
From: Jonathan Freedman
Date: Wed, 29 Apr 2026 12:27:25 -0700
Subject: [PATCH] better handling of non-root and in-container ssh

---
 Dockerfile | 8 ++++++++
 scripts/docker-entrypoint | 26 +++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 242c7c4..ae23f53 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,4 +19,12 @@ RUN uv venv /opt/avakas && \
 uv pip install --python /opt/avakas/bin/python /tmp/avakas && \
 rm -rf /tmp/avakas
 
+# Support non-root usage: create writable home at /avakas-home.
+# When run with -u UID:GID, the user has no /etc/passwd entry and
+# HOME defaults to /. This gives a predictable writable HOME.
+RUN mkdir -p /avakas-home/.ssh && \
+ chmod a+rwx /avakas-home && \
+ chmod a+rwx /avakas-home/.ssh
+ENV HOME=/avakas-home
+
 ENTRYPOINT ["docker-entrypoint"]
diff --git a/scripts/docker-entrypoint b/scripts/docker-entrypoint
index ad951b3..94875dd 100755
--- a/scripts/docker-entrypoint
+++ b/scripts/docker-entrypoint
@@ -18,7 +18,15 @@ fi
 ARGS="$*"
 
 if [ "$ACTION" = "bump" ] || [ "$ACTION" = "set" ] ; then
- mkdir -p "${HOME}/.ssh"
+ # Ensure writable SSH config directory
+ SSH_DIR="${HOME}/.ssh"
+ mkdir -p "${SSH_DIR}" 2>/dev/null || {
+ # HOME may be unwritable (e.g., /root when running as non-root)
+ SSH_DIR="/tmp/.ssh"
+ mkdir -p "${SSH_DIR}"
+ export HOME="/tmp"
+ }
+
 if [ -z "$SSH_AUTH_SOCK" ] ; then
 if [ ! -e "$SSH_KEY" ] ; then
 problems "SSH private key not found"
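Review bot: `chmod a+rwx /avakas-home/.ssh` leaves a world-writable SSH directory owned by the build user (root, unless a USER instruction precedes this RUN) that every UID in the container shares, and the entrypoint's later `chmod -R og-rwx "${SSH_DIR}"` cannot tighten it for a non-root UID because chmod requires ownership, a failure that the entrypoint then discards with `|| true`. If a shared pre-created directory is really wanted, set the sticky bit so one UID cannot remove or rename another UID's files, `chmod 1777 /avakas-home /avakas-home/.ssh`; the cleaner option is to create only `/avakas-home` here and let the entrypoint create `.ssh` with mode 0700 owned by the running UID. A comment saying that the directory is deliberately shared between UIDs would also spare the next reader the question.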
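Review bot: The fallback on the `mkdir -p "${SSH_DIR}" 2>/dev/null || {` line only runs when mkdir fails, but `mkdir -p` succeeds when the directory already exists even if the current UID cannot write into it (a pre-existing `$HOME/.ssh` owned by another UID), so the known_hosts write later in this block fails instead of falling back; test writability as well, `if ! mkdir -p "${SSH_DIR}" 2>/dev/null || [ ! -w "${SSH_DIR}" ]; then`. The fallback `SSH_DIR="/tmp/.ssh"` is a fixed, predictable path in a shared directory that another process in the container may already have created with its own ownership, and `mkdir -p` would accept that too; `SSH_DIR=$(mktemp -d /tmp/.ssh.XXXXXX) || problems "cannot create SSH directory"` avoids both problems. `export HOME="/tmp"` changes HOME for everything that runs after this block, not only ssh, which the comment above it should state. The enclosing `if [ "$ACTION" = "bump" ] ...` block continues past the end of this hunk.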
@@ -28,10 +36,22 @@ if [ "$ACTION" = "bump" ] || [ "$ACTION" = "set" ] ; then
 fi
 fi
 fi
- ssh-keyscan "$SSH_SCAN_HOST" 2> /dev/null 1> "${HOME}/.ssh/known_hosts" || problems "Unable to load git host key"
- chmod -R og-rwx "${HOME}/.ssh"
+
+ if [ -n "$SSH_SCAN_HOST" ] ; then
+ ssh-keyscan "$SSH_SCAN_HOST" 2>/dev/null 1>"${SSH_DIR}/known_hosts" || problems "Unable to load git host key"
+ fi
+ chmod -R og-rwx "${SSH_DIR}" 2>/dev/null || true
+
+ # Tell SSH/git to use our known_hosts location explicitly.
+ # OpenSSH reads config from /etc/passwd home, not $HOME.
+ export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=${SSH_DIR}/known_hosts"
 fi
 
+# Mark mounted directories as safe for git (ownership mismatch in containers).
+# Use --system so it lands in /etc/gitconfig, which git always reads
+# regardless of HOME or /etc/passwd mismatches.
+git config --system --add safe.directory '*'
+
 if [ -e "/etc/avakas/avakasrc" ] ; then
 # shellcheck disable=SC1091
 . /etc/avakas/avakasrc
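Review bot: `git config --system --add safe.directory '*'` writes to /etc/gitconfig, which the non-root UID this commit is meant to support normally cannot write, so on exactly those runs the command fails with a permission error (fatal if the script runs under `set -e`, whose header is outside this hunk) and the safe.directory entry is never applied. Move it to a build step in the Dockerfile (`RUN git config --system --add safe.directory ...`), or set it per process with `export GIT_CONFIG_COUNT=1 GIT_CONFIG_KEY_0=safe.directory GIT_CONFIG_VALUE_0="$PWD"` (git 2.31 or newer), which needs neither a writable config file nor a passwd entry. Either way `'*'` switches off git's repository-ownership check for every path the container can reach; limiting it to the mounted working tree keeps the check for everything else. `chmod -R og-rwx "${SSH_DIR}" 2>/dev/null || true` now also hides the permission failure that makes ssh refuse a private key left group- or world-readable, which matters if the `SSH_AUTH_SOCK`-less branch (outside this hunk) copies `$SSH_KEY` into `${SSH_DIR}`; report it with `|| printf 'warning: could not restrict permissions on %s\n' "${SSH_DIR}" >&2` instead of discarding it.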