feat: add nix dependency and enhance socket permissions handling

apps/agent/Dockerfile

@@ -23,6 +23,9 @@ ENV S6_KEEP_ENV=1
 ENV YANPM_AGENT_SOCK=/var/run/yanpm/yanpm-agent.sock
 ENV YANPM_NGINX_CONFIG_DIR=/etc/nginx/conf.d
 ENV YANPM_AGENT_SOCK_PERM=660
+ENV YANPM_AGENT_SOCK_GID=""
+ENV YANPM_AGENT_UID=1000
+ENV YANPM_AGENT_GID=1000
 
 WORKDIR /app
 
@@ -36,23 +39,18 @@ RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && rm /tmp/s6-overlay-noarch.ta
 ADD https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp/s6-overlay.tar.xz
 RUN tar -C / -Jxpf /tmp/s6-overlay.tar.xz && rm /tmp/s6-overlay.tar.xz
 
-# Create non-root user for agent and set permissions
-RUN addgroup -S app && adduser -S -G app app
-
-# add user to nginx group to allow reading of nginx configs
-RUN adduser app nginx
-# create directory for yanpm agent socket
-RUN mkdir -p /var/run/yanpm && chown -R app:app /var/run/yanpm
+# Runtime user creation handled by s6 cont-init (see /etc/cont-init.d)
+# create directory for yanpm agent socket; ownership will be fixed at container start
+RUN mkdir -p /var/run/yanpm
 
 # Copy s6 service definitions (created in repo under s6/) into image
 COPY ./docker/s6/services.d /etc/services.d
-RUN chmod +x /etc/services.d/*/run
+COPY ./docker/s6/cont-init.d /etc/cont-init.d
+RUN chmod +x /etc/services.d/*/run && chmod +x /etc/cont-init.d/*
 
 COPY --from=builder /app/target/release/yanpm-agent ./yanpm-agent
 
-RUN chown -R app:app /app/yanpm-agent \
-  && chmod +x /app/yanpm-agent \
-  && chown app:app /app
+RUN chmod +x /app/yanpm-agent
 
 # s6-overlay provides /init as the init process
 ENTRYPOINT ["/init"]