From 792465dab2f9961152612e1576cd33288b45386b Mon Sep 17 00:00:00 2001
From: Arian Nasr
Date: Tue, 14 Apr 2026 12:09:54 -0400
Subject: [PATCH] run deb package pip install stage as navidrome-uploader user instead of root
---
 debian/navidrome-uploader.postinst | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/debian/navidrome-uploader.postinst b/debian/navidrome-uploader.postinst
index 2740e26..d729ecd 100644
--- a/debian/navidrome-uploader.postinst
+++ b/debian/navidrome-uploader.postinst
@@ -3,20 +3,24 @@ set -e
 APP_DIR="/opt/navidrome-uploader"
 VENV_DIR="${APP_DIR}/venv"
+APP_USER="navidrome-uploader"
 case "$1" in
- configure)
- python3 -m venv "${VENV_DIR}"
- "${VENV_DIR}/bin/pip" install --no-cache-dir --upgrade pip
- "${VENV_DIR}/bin/pip" install --no-cache-dir -r "${APP_DIR}/requirements.txt"
+ configure)
+ chown -R "$APP_USER:$APP_USER" "$APP_DIR"
- if command -v systemctl > /dev/null 2>&1; then
- systemctl daemon-reload || true
- systemctl enable navidrome-uploader.service || true
- systemctl restart navidrome-uploader.service || true
- fi
- ;;
+ runuser -u "$APP_USER" -- python3 -m venv "$VENV_DIR"
+ runuser -u "$APP_USER" -- "$VENV_DIR/bin/pip" install --no-cache-dir --upgrade pip
+ runuser -u "$APP_USER" -- "$VENV_DIR/bin/pip" install --no-cache-dir -r "$APP_DIR/requirements.txt"
+
+ if command -v systemctl >/dev/null 2>&1; then
+ systemctl daemon-reload || true
+ systemctl enable navidrome-uploader.service || true
+ systemctl restart navidrome-uploader.service || true
+ fi
+ ;;
 esac
 exit 0
+
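Review bot: The new `chown -R "$APP_USER:$APP_USER" "$APP_DIR"` at the top of the `configure)` arm gives the service account ownership of everything under /opt/navidrome-uploader, not only the virtualenv. The files the package ships there (the hunk shows at least `requirements.txt`; presumably the application code too) become writable by the account the pip steps run as, and, if the unit uses the same user, by the service itself. That widens what a compromised service can tamper with and persist, and on every later upgrade root would run a recursive chown over a tree that account controls. Keeping the packaged files root-owned and handing over only the venv keeps the least-privilege gain of this commit: replace the chown with `install -d -o "$APP_USER" -g "$APP_USER" "$VENV_DIR"` before the `runuser ... python3 -m venv "$VENV_DIR"` line. The hunk does not show where the `navidrome-uploader` user is created, so it is worth confirming that it exists before `configure` runs, because under `set -e` a failing `runuser` aborts the postinst.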