Allow listening on privileged ports (below 1024) as non-root

This is done by running `setcap cap_net_bind_service=+ep` on the executable
in the build stage (doing it in the runtime stage creates an extra copy of
the executable that bloats the image). This only works when using the
BuildKit-based builder, since the `COPY` instruction doesn't copy
capabilities on the legacy builder.

docker/armv7/Dockerfile.buildkit

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-#
-# Install required build libs for armhf architecture.
+# Install build dependencies for the armhf architecture
 RUN dpkg --add-architecture armhf \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libssl-dev:armhf \
+        gcc-arm-linux-gnueabihf \
         libc6-dev:armhf \
-        libpq5:armhf \
-        libpq-dev:armhf \
-        libmariadb3:armhf \
+        libcap2-bin \
         libmariadb-dev:armhf \
         libmariadb-dev-compat:armhf \
-        gcc-arm-linux-gnueabihf \
+        libmariadb3:armhf \
+        libpq-dev:armhf \
+        libpq5:armhf \
+        libssl-dev:armhf \
     #
     # Make sure cargo has the right target config
     && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
@@ -70,7 +67,6 @@ ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -102,6 +98,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-gnueabihf/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -117,11 +119,11 @@ RUN [ "cross-build-start" ]
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*