feat: entrypoint for safe config + permissions; optional counter seeding via USE_INITIAL_COUNTERS

Dockerfile

@@ -19,15 +19,17 @@ COPY requirements.txt ./
 RUN pip install --no-cache-dir -r requirements.txt
 
 COPY bot.py ./
-COPY config.example.yaml ./config.yaml
+COPY config.example.yaml ./config.example.yaml
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
 # Datenverzeichnis
-RUN mkdir -p /data && chown -R appuser:appuser /data && chown appuser:appuser /app
+# Pre-create data dir (ownership may be adjusted again at runtime by entrypoint)
+RUN mkdir -p /data
 VOLUME ["/data"]
 
-USER appuser
-
 ENV DATA_DIR=/data \
     CONFIG_FILE=/app/config.yaml
 
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 CMD ["python", "bot.py"]

bot.py

@@ -245,8 +245,16 @@ def setup_logging(level: str):
 
 
 def init_counters(existing: Dict[str, int], config: Dict[str, Any]) -> Dict[str, int]:
+    """Return existing counters or (optionally) seed initial ones.
+
+    Seeding now only happens if BOTH conditions apply:
+      1) No existing counters file/content
+      2) Env USE_INITIAL_COUNTERS is truthy (1/true/yes)
+    """
     if existing:
         return existing
+    if os.environ.get("USE_INITIAL_COUNTERS", "false").lower() not in {"1", "true", "yes"}:
+        return {}
     initial = config.get('initial_counters') or {}
     normalized = {norm_key(k): int(v) for k, v in initial.items()}
     if normalized:

docker-entrypoint.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+# If running as root, fix ownership of /data, then drop privileges
+if [ "$(id -u)" = "0" ]; then
+  mkdir -p /data
+  chown -R appuser:appuser /data || echo "Warn: could not chown /data"
+  # Copy example config only if missing target
+  if [ ! -f /app/config.yaml ] && [ -f /app/config.example.yaml ]; then
+    cp /app/config.example.yaml /app/config.yaml
+    chown appuser:appuser /app/config.yaml || true
+  fi
+  exec su -s /bin/sh appuser -c "$*"
+else
+  exec "$@"
+fi