make image turning in none root user

backend/Dockerfile

@@ -1,10 +1,16 @@
 FROM python:3.12-slim-bullseye AS poetry
 
+# set fixed UID and GID - see github.com/hexops/dockerfile
+ARG UID=10000
+ARG GID=10001
+
+RUN addgroup --gid ${GID} appgroup
+RUN adduser --uid ${UID} --disabled-password --home /app --shell /bin/sh --ingroup appgroup appuser
+
 RUN  --mount=type=cache,target=/root/.cache \
      pip install poetry
 RUN poetry config virtualenvs.create false
 
-RUN mkdir /app
 WORKDIR /app
 
 COPY pyproject.toml /app
@@ -14,14 +20,19 @@ RUN --mount=type=cache,target=/root/.cache \
     poetry install --no-root
 
 COPY . /app
+RUN chown -R appuser:appgroup /app
 
 RUN --mount=type=cache,target=/root/.cache \
     poetry install
 
+RUN chown -R appuser:appgroup /app
+
+USER appuser
+
 CMD ["serve_prod"]
 
 FROM server as check
-
+USER root
 RUN --mount=type=cache,target=/root/.cache \
     poetry install --no-root --with check
 

frontend/Dockerfile

@@ -19,3 +19,14 @@ ENV CUSTOM_SCRIPTS_DIRECTORY ""
 COPY --from=builder /app/dist /app
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY ./docker-entrypoint.sh /
+
+## add permissions
+RUN chown -R nginx:nginx /app && chmod -R 755 /app && \
+        chown -R nginx:nginx /var/cache/nginx && \
+        chown -R nginx:nginx /var/log/nginx && \
+        chown -R nginx:nginx /etc/nginx/conf.d
+RUN touch /var/run/nginx.pid && \
+        chown -R nginx:nginx /var/run/nginx.pid
+
+## switch to non-root user
+USER nginx

frontend/nginx.conf

@@ -1,4 +1,4 @@
-user  nginx;
+# user  nginx;
 worker_processes  1;
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;