Run qbt-nox as non-root

This is mainly to avoid downloaded files being owned by root which
requires another one or two commands to change the file ownership.

dist/docker/Dockerfile

@@ -40,9 +40,17 @@ FROM alpine:latest
 
 RUN \
   apk --no-cache add \
+    doas \
     libtorrent-rasterbar \
     qt6-qtbase \
-    tini
+    tini && \
+  adduser \
+    -D \
+    -H \
+    -s /sbin/nologin \
+    -u 1000 \
+    qbtUser && \
+  echo "permit nopass :root" >> "/etc/doas.d/doas.conf"
 
 COPY --from=builder /usr/local/bin/qbittorrent-nox /usr/bin/qbittorrent-nox
 

dist/docker/entrypoint.sh

@@ -1,5 +1,6 @@
 #!/bin/sh
 
+downloadsPath="/downloads"
 profilePath="/config"
 qbtConfigFile="$profilePath/qBittorrent/config/qBittorrent.conf"
 
@@ -22,7 +23,13 @@ EOF
     fi
 fi
 
-qbittorrent-nox \
-    --profile="$profilePath" \
-    --webui-port="$QBT_WEBUI_PORT" \
-    "$@"
+# those are owned by root by default
+# don't change existing files owner in `$downloadsPath`
+chown qbtUser:qbtUser "$downloadsPath"
+chown qbtUser:qbtUser -R "$profilePath"
+
+doas -u qbtUser \
+    qbittorrent-nox \
+        --profile="$profilePath" \
+        --webui-port="$QBT_WEBUI_PORT" \
+        "$@"