fix: detect Docker socket GID for container permissions

The Docker socket group varies by host (e.g., GID 1001 on WSL2).
Hardcoding group_add: ["0"] doesn't work when the socket is owned
by a different group. The installer now detects the socket GID at
install time via stat. The main docker-compose.yml uses a
configurable DOCKER_GID env var (defaults to 0).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.env.example

@@ -36,6 +36,9 @@ VENDOR_SEED_ENABLED=false
 # VENDOR_USER=vendor
 # VENDOR_PASS=change_me
 
+# Docker socket GID (run: stat -c '%g' /var/run/docker.sock)
+# DOCKER_GID=0
+
 # Docker images (override for custom registries)
 # TRAEFIK_IMAGE=gitea.siegeln.net/cameleer/cameleer-traefik
 # POSTGRES_IMAGE=gitea.siegeln.net/cameleer/cameleer-postgres

docker-compose.yml

@@ -138,7 +138,7 @@ services:
       - traefik.http.routers.saas.tls=true
       - traefik.http.services.saas.loadbalancer.server.port=8080
     group_add:
-      - "0"
+      - "${DOCKER_GID:-0}"
     networks:
       - cameleer
 

installer/install.sh

@@ -649,6 +649,7 @@ TENANT_ORG_NAME=${TENANT_ORG_NAME:-}
 
 # Docker
 DOCKER_SOCKET=${DOCKER_SOCKET}
+DOCKER_GID=$(stat -c '%g' "${DOCKER_SOCKET}" 2>/dev/null || echo "0")
 
 # Provisioning images
 CAMELEER_SAAS_PROVISIONING_SERVERIMAGE=${REGISTRY}/cameleer3-server:${VERSION}
@@ -881,11 +882,16 @@ EOF
     echo "      - ${MONITORING_NETWORK}" >> "$f"
   fi
 
-  cat >> "$f" << 'EOF'
+  # Detect Docker socket GID for container access
+  local docker_gid
+  docker_gid=$(stat -c '%g' "${DOCKER_SOCKET:-/var/run/docker.sock}" 2>/dev/null || echo "0")
+  cat >> "$f" << EOF
     group_add:
-      - "0"
+      - "${docker_gid}"
 
 volumes:
+EOF
+  cat >> "$f" << 'EOF'
   pgdata:
   chdata:
   certs: