docs: fix Mercure support with Docker hardened images #2270
Conversation
Pull request overview
Updates the hardened/distroless Dockerfile example in the Docker documentation to copy Caddy’s writable directories differently, aiming to ensure the Caddy state/config paths are present and owned correctly when running as nonroot.
Changes:
- Adjusts the distroless example to `COPY` `/data` and `/config` from the builder stage (instead of only `/data/caddy` and `/config/caddy`).
| # Caddy data dirs — must be writable for nonroot, even on a read-only root filesystem | ||
| ENV XDG_CONFIG_HOME=/config \ | ||
| XDG_DATA_HOME=/data | ||
| COPY --from=builder --chown=nonroot:nonroot /data/caddy /data/caddy | ||
| COPY --from=builder --chown=nonroot:nonroot /config/caddy /config/caddy | ||
| COPY --from=builder --chown=nonroot:nonroot /data /data | ||
| COPY --from=builder --chown=nonroot:nonroot /config /config |
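Review bot: the inline comment above the ENV line still only says that the Caddy data dirs must be writable for nonroot, but the new COPY lines now bring in all of /data and /config instead of the /data/caddy and /config/caddy subdirectories that the removed lines copied; extend that comment to say why the base directories themselves must be owned by nonroot, and note that anything else present under the builder's /data and /config now lands in the hardened image as well, so readers comparing the two paths know which one is intended.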
In this doc, other Dockerfile examples (e.g., the rootless ones above) refer specifically to /config/caddy and /data/caddy. Switching this hardened/distroless example to COPY ... /config and COPY ... /data is less precise and may confuse readers about which paths Caddy actually uses (it still stores state under $XDG_{CONFIG,DATA}_HOME/caddy). Consider reverting to copying only the caddy subdirectories, or update the surrounding comment text to explain why the entire base dirs are copied here (e.g., to ensure /config and /data themselves are owned by nonroot).
I don't understand how this fixes the error. Does the nonroot user not have execute permissions on /data?
Prevents errors like this one when using Mercure:
php-1 | Error: loading initial config: loading new config: loading frankenphp app module: provision frankenphp: failed to provision caddy http: loading http app module: provision http: server srv0: setting up route handlers: route 2: loading handler modules: position 2: loading module 'mercure': provision http.handlers.mercure: provision http.handlers.mercure.bolt: "": invalid transport: open /data/caddy/mercure.db: permission denied
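As an added check for the two points raised in this thread (which paths Caddy actually uses, and the `permission denied` on `/data/caddy/mercure.db`), the lint below is example code written for this page, not part of FrankenPHP or this PR: it reads a Dockerfile's final stage and reports any Caddy state directory (`$XDG_DATA_HOME/caddy`, `$XDG_CONFIG_HOME/caddy`) that is neither copied with `--chown=nonroot` itself nor inside a directory that is. The function name, the sample Dockerfiles and the image names in them are constructed, `/data` and `/config` are assumed as the defaults the documented stage sets, and the lint cannot tell whether a copied directory really exists in the builder stage, which only the built image shows.

```python
import re

# Caddy keeps runtime state under $XDG_DATA_HOME/caddy and $XDG_CONFIG_HOME/caddy; the defaults assumed here are the values the documented stage sets
STATE_VARS = {"XDG_DATA_HOME": "/data", "XDG_CONFIG_HOME": "/config"}

def _final_stage(dockerfile):
    """Yield (INSTRUCTION, args) for the last build stage, joining '\\' line continuations."""
    text = re.sub(r"\\\s*\n\s*", " ", dockerfile)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    starts = [i for i, ln in enumerate(lines) if ln.upper().startswith("FROM ")]
    for ln in lines[starts[-1] if starts else 0:]:
        ins, _, args = ln.partition(" ")
        yield ins.upper(), args.strip()

def find_state_dir_gaps(dockerfile, user="nonroot"):
    """List Caddy state dirs the final stage never COPYs with --chown to `user`.
    Only the Dockerfile text is inspected; the check is unconditional because a
    hardened base image usually switches to nonroot itself, without a USER line."""
    env, owned = {}, []
    for ins, args in _final_stage(dockerfile):
        if ins == "ENV" and "=" in args:           # ENV K=V K2=V2
            for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', args):
                env[m.group(1)] = m.group(2).strip('"')
        elif ins == "ENV":                         # legacy form: ENV K V
            key, _, value = args.partition(" ")
            env[key] = value.strip()
        elif ins in ("COPY", "ADD"):
            tokens = args.split()
            flags = dict(t[2:].split("=", 1) for t in tokens if t.startswith("--") and "=" in t)
            operands = [t for t in tokens if not t.startswith("--")]
            # the destination is writable by `user` only when --chown names that user
            if len(operands) >= 2 and flags.get("chown", "").split(":")[0] == user:
                owned.append(operands[-1].rstrip("/"))   # "" means the image root
    gaps = []
    for var, default in STATE_VARS.items():
        needed = env.get(var, default).rstrip("/") + "/caddy"
        # an owned ancestor (/data) or the exact dir (/data/caddy) both satisfy the check
        if not any(needed == d or needed.startswith(d + "/") for d in owned):
            gaps.append(f"{needed} (${var}/caddy) is not copied with --chown={user}")
    return gaps

# Constructed samples (placeholder image names): the documented stage before and after the change, and one that forgets to chown the data dir
HARDENED_STAGE = "FROM hardened-base:nonroot\nENV XDG_CONFIG_HOME=/config \\\n    XDG_DATA_HOME=/data\n"
SUBDIR_ONLY = HARDENED_STAGE + "COPY --from=builder --chown=nonroot:nonroot /data/caddy /data/caddy\nCOPY --from=builder --chown=nonroot:nonroot /config/caddy /config/caddy\n"
WHOLE_DIRS = HARDENED_STAGE + "COPY --from=builder --chown=nonroot:nonroot /data /data\nCOPY --from=builder --chown=nonroot:nonroot /config /config\n"
DATA_MISSING = HARDENED_STAGE + "COPY --from=builder --chown=nonroot:nonroot /config /config\nCOPY --from=builder /data /data\n"
```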