Description
Would be nice to have caddy run as a non-root user inside the container. This is especially useful for rootful containers (e.g. Docker), where uid=0 inside the container is the same as uid=0 outside. Additionally, since the `/data` dir and the `/config` dir have been specified as a `VOLUME`, others are unable to extend the container and change the ownership of those directories. I'm currently using the below Dockerfile to run caddy as a non-root user. I've changed it slightly to suit my needs, but much of it should be re-usable for this repo.
```dockerfile
# Build caddy with the Cloudflare DNS module
FROM caddy:2-builder AS builder
RUN caddy-builder github.com/caddy-dns/cloudflare

# Only used as a source for the CA bundle and misc /etc files
FROM caddy:2-alpine AS deps

# We cannot use FROM scratch because, despite adding cap_net_bind_service to the binary
# it still won't run. Presuming because libcap isn't available? Not sure.
FROM alpine:3.12
COPY --from=deps /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=deps /etc/mime.types /etc/nsswitch.conf /etc/
COPY --from=builder /usr/bin/caddy /caddy
RUN set -eux; \
    apk add --no-cache libcap; \
    # let the unprivileged process bind :80 and :443 without root
    setcap cap_net_bind_service=ep /caddy; \
    mkdir -p /config/caddy /data/caddy; \
    addgroup -g 101 -S www-data; \
    adduser -u 101 -D -S -G www-data www-data; \
    # the volumes must be owned by the runtime user before they are declared
    chown -R www-data:www-data /config /data
USER www-data
ENV XDG_CONFIG_HOME=/config XDG_DATA_HOME=/data
VOLUME /config /data
EXPOSE 80
EXPOSE 443
ENTRYPOINT ["/caddy"]
CMD ["run", "--config", "/Caddyfile", "--adapter", "caddyfile"]
```
One thing worth considering is that this might not be an easy upgrade for many; indeed, it may be that we'd need a temporary stopgap that runs the container as root, changes ownership of files/folders, then drops privileges. Then, after perhaps a couple of versions, this stopgap can be replaced fully with a non-root user without going through the trouble of dropping privileges.
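One shape that stopgap entrypoint could take, as an added example that is not part of this repo or of the Dockerfile above: stay root only long enough to repair ownership of the two volumes, then drop to the unprivileged user before exec'ing caddy. It assumes `su-exec` is installed in the image (`apk add --no-cache su-exec`), that the caddy binary sits at `/caddy` with `cap_net_bind_service` set as above, and that the uid/gid 101 matches the `www-data` user created in the Dockerfile.

```sh
#!/bin/sh
# Added example entrypoint (not the image's own script). Fixes volume ownership
# while root, then drops privileges for good before running caddy.
set -eu

CADDY_UID="${CADDY_UID:-101}"      # assumed: matches adduser -u 101 above
CADDY_GID="${CADDY_GID:-101}"      # assumed: matches addgroup -g 101 above
CADDY_BIN="${CADDY_BIN:-/caddy}"   # assumed: binary path from the Dockerfile

# owner_of DIR -> prints "uid:gid" of DIR (busybox and GNU stat syntax).
owner_of() {
    stat -c '%u:%g' "$1"
}

# needs_chown DIR -> succeeds when DIR is not yet owned by the caddy user.
needs_chown() {
    [ "$(owner_of "$1")" != "$CADDY_UID:$CADDY_GID" ]
}

# fix_ownership DIR... -> creates missing dirs, chowns only those that need it,
# and prints each path it changed (nothing printed means nothing was touched).
fix_ownership() {
    for d in "$@"; do
        [ -d "$d" ] || mkdir -p "$d"
        if needs_chown "$d"; then
            chown -R "$CADDY_UID:$CADDY_GID" "$d"
            echo "$d"
        fi
    done
}

main() {
    if [ "$(id -u)" = "0" ]; then
        # Root only here: repair the bind-mounted volumes, then hand off to
        # su-exec, which execs caddy as uid:gid with no setuid helper left behind.
        fix_ownership "${XDG_CONFIG_HOME:-/config}" "${XDG_DATA_HOME:-/data}" >/dev/null
        exec su-exec "$CADDY_UID:$CADDY_GID" "$CADDY_BIN" "$@"
    fi
    # Already unprivileged (e.g. docker run --user): nothing to fix, just run.
    exec "$CADDY_BIN" "$@"
}

# Only act as the entrypoint when installed under that name, so the file can
# also be sourced to exercise the helper functions.
case "${0##*/}" in
    entrypoint.sh|docker-entrypoint.sh) main "$@" ;;
esac
```

Because the ownership check runs every start, a volume that was already handed over in a previous run is left alone, so the stopgap costs nothing once the data is owned by `www-data`.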