From 72088dba9a9003ba66766f656b47f2c095857874 Mon Sep 17 00:00:00 2001
From: Beda Schmid <beda@tukutoi.com>
Date: Tue, 17 Mar 2026 16:37:59 -0300
Subject: [PATCH] Fix folder permissions

---
 README.md                           |  2 +-
 doc/operations-and-configuration.md |  2 +-
 docker-compose.yml                  | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 28c3ec6..029a9a6 100644
--- a/README.md
+++ b/README.md
@@ -120,7 +120,7 @@ LedgerDock stores persistent runtime data in host bind mounts. By default the ho
 - `${DCM_DATA_DIR:-./data}/storage` for uploaded files and app storage
 - `${DCM_DATA_DIR:-./data}/typesense-data` for the search index
 
-Before first run, create storage and grant write access to container runtime user `uid=10001`:
+On startup, Compose runs a one-shot `storage-init` service that creates the storage tree and applies write access for the backend runtime user `uid=10001`. If you want to inspect or repair it manually, use:
 
 ```bash
 mkdir -p ${DCM_DATA_DIR:-./data}/storage
diff --git a/doc/operations-and-configuration.md b/doc/operations-and-configuration.md
index c826841..8dfe4ed 100644
--- a/doc/operations-and-configuration.md
+++ b/doc/operations-and-configuration.md
@@ -47,7 +47,7 @@ docker compose logs -f
 
 Compose is configured with host bind mounts for persistent data. Ensure host directories exist and are writable by the backend runtime user.
 
-Backend and worker run as non-root user `uid=10001` inside containers. For host-mounted storage paths:
+Backend and worker run as non-root user `uid=10001` inside containers. Compose bootstraps the storage bind mount through the one-shot `storage-init` service before either process starts. For manual inspection or repair of host-mounted storage paths:
 
 ```bash
 mkdir -p ${DCM_DATA_DIR:-./data}/storage
diff --git a/docker-compose.yml b/docker-compose.yml
index 9d1a1f2..1a43ec9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,19 @@
 services:
+  storage-init:
+    build:
+      context: ./backend
+    user: "0:0"
+    command:
+      - "sh"
+      - "-c"
+      - >
+        mkdir -p /data/storage/originals /data/storage/derived/previews /data/storage/tmp &&
+        chown -R 10001:10001 /data/storage &&
+        chmod -R u+rwX,g+rwX /data/storage
+    volumes:
+      - ${DCM_DATA_DIR:-./data}/storage:/data/storage
+    restart: "no"
+
   db:
     image: postgres:16-alpine
     environment:
@@ -90,6 +105,8 @@ services:
         condition: service_healthy
       redis:
         condition: service_started
+      storage-init:
+        condition: service_completed_successfully
       typesense:
         condition: service_started
     networks:
@@ -134,6 +151,8 @@ services:
         condition: service_healthy
       redis:
         condition: service_started
+      storage-init:
+        condition: service_completed_successfully
       typesense:
         condition: service_started
     restart: unless-stopped