Catalyst-Plugin-OpenIDConnect
DEPLOYMENT.md view on Meta::CPAN
```ini
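# systemd unit for the OpenID Connect provider.
# After installing, `systemd-analyze security oidc-catalyst` lists the
# sandboxing options that are still open for this service.
[Unit]
Description=OpenID Connect Provider
After=network.target

[Service]
Type=simple
# Run as an unprivileged account, never as root.
User=www-data
WorkingDirectory=/opt/oidc
# app.pl is resolved relative to WorkingDirectory.
ExecStart=/usr/bin/perl app.pl
Restart=always
RestartSec=10

# Limit resources
LimitNOFILE=65535
LimitNPROC=32768

# Security
# Private /tmp and /var/tmp, so temp files are not shared with other services.
PrivateTmp=yes
# The process and its children can never gain privileges (setuid, file caps).
NoNewPrivileges=yes
# Whole file system is read-only except the paths listed in ReadWritePaths.
ProtectSystem=strict
# /home, /root and /run/user are inaccessible.
ProtectHome=yes
# Only logs and runtime state are writable. Both directories must exist before
# the service starts, otherwise namespace setup fails. Anything else under
# /opt/oidc (application code, and key material if it is stored there) stays
# read-only for the service.
ReadWritePaths=/opt/oidc/logs /opt/oidc/var
# Additional sandboxing: none of these are needed by a plain network daemon.
# /dev is reduced to pseudo-devices (null, zero, random, urandom, ...).
PrivateDevices=yes
# /proc/sys, /sys and similar kernel tunables are read-only.
ProtectKernelTunables=yes
# Kernel modules cannot be loaded or unloaded.
ProtectKernelModules=yes
# The cgroup hierarchy is read-only.
ProtectControlGroups=yes
# Files created by the service cannot carry setuid/setgid bits.
RestrictSUIDSGID=yes
# The execution domain (personality) cannot be changed.
LockPersonality=yes

[Install]
WantedBy=multi-user.target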
```
Enable and start:
```bash
# Make systemd re-read unit files so the new service definition is picked up.
sudo systemctl daemon-reload
# Enable the unit at boot and start it immediately in one step.
sudo systemctl enable --now oidc-catalyst
```
## Docker Deployment
### Dockerfile
```dockerfile
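FROM perl:5.32

WORKDIR /app

# Install dependencies
# Copying cpanfile first keeps this layer cached until the dependency list changes.
# cpanm -n skips the modules' test suites during installation.
COPY cpanfile .
RUN apt-get update && \
    apt-get install -y --no-install-recommends openssl && \
    rm -rf /var/lib/apt/lists/* && \
    cpanm -n --installdeps .

# Copy application
# The whole build context is copied. Exclude keys/, logs/ and any .env file
# through .dockerignore, otherwise a private key that sits in the context
# (for example ./keys/private.pem) ends up in an image layer.
COPY . .

# Signing keys are NOT generated at build time. A key created by a RUN step is
# stored in the image layer: every container started from the image would share
# it, and anyone who can pull the image could read it.
# Generate the key pair on the host and mount it read-only at /app/keys:
#   openssl genrsa -out keys/private.pem 2048
#   openssl rsa -in keys/private.pem -pubout -out keys/public.pem
# The private key must be readable by uid 1000 (the catalyst user below).
RUN mkdir -p /app/keys

# Create non-root user
RUN useradd -m -u 1000 catalyst && \
    chown -R catalyst:catalyst /app

# Drop root before the application starts.
USER catalyst

EXPOSE 5000

CMD ["perl", "app.pl"]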
```
### Docker Compose
The example below includes a Redis service for multi-process deployments (e.g.
when running multiple `oidc` replicas or using a FastCGI-based server).
```yaml
version: '3.8'
services:
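# OpenID Connect provider, built from the Dockerfile in this directory.
oidc:
  build: .
  # NOTE(review): this publishes the application port on every host interface.
  # If the nginx service is meant to terminate TLS in front of it, consider
  # binding to loopback ("127.0.0.1:5000:5000") or dropping the mapping;
  # confirm against the nginx configuration.
  ports:
    - "5000:5000"
  environment:
    CATALYST_HOME: /app
    CATALYST_ENV: production
    REDIS_URL: "redis:6379"
    # ":?" makes `docker compose` abort when REDIS_PASSWORD is unset or empty,
    # instead of silently substituting an empty password.
    REDIS_PASSWORD: "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"
  volumes:
    # Signing keys are mounted read-only; the container cannot modify them.
    - ./keys:/app/keys:ro
    # Must be writable by uid 1000, the user the image runs as.
    - ./logs:/app/logs
  restart: unless-stopped
  depends_on:
    # Start only after the Redis healthcheck has passed.
    redis:
      condition: service_healthy
  healthcheck:
    # Needs curl inside the image. The discovery document doubles as a
    # liveness probe.
    test: ["CMD", "curl", "-f", "http://localhost:5000/.well-known/openid-configuration"]
    interval: 30s
    timeout: 10s
    retries: 3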
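# Redis backend. No ports are published, so it is reachable only from other
# services on the compose network.
redis:
  image: redis:7-alpine
  # List form: each argument is passed as-is, so a password that contains
  # spaces or quotes is not re-split.
  # ":?" aborts `docker compose` when REDIS_PASSWORD is unset or empty; an
  # empty --requirepass would leave Redis without authentication.
  # NOTE(review): allkeys-lru lets Redis evict any key under memory pressure.
  # If the provider keeps sessions, authorization codes or revocation state
  # here, check that eviction of live entries is acceptable.
  command:
    - "redis-server"
    - "--requirepass"
    - "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"
    - "--maxmemory"
    - "256mb"
    - "--maxmemory-policy"
    - "allkeys-lru"
    - "--appendonly"
    - "yes"
  volumes:
    # Named volume holding the append-only file across restarts.
    - redis_data:/data
  restart: unless-stopped
  healthcheck:
    # The interpolated password is visible in the container configuration
    # (docker inspect); restrict access to the Docker API accordingly.
    test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}", "ping"]
    interval: 10s
    timeout: 5s
    retries: 5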
nginx:
image: nginx:alpine
ports:
- "443:443"