we are also currently working on images for various cloud providers. We tend unify the convention we use for production systems and the layout we are coming with is as follow:
- user pydio with no sudo right / no direct ssh access.
- working folder is set to
- we have added a
/opt/pydio folder that contains a bin subfolder with binaries and specific scripts, some ReadMe and the Eulas + a conf folder for spdecific launch time configuration
- we use a sysadmin user with full sudo permissions for administrative tasks.
Lately, as @zayn explained, we are experiencing with adding on specific sudo right to pydio user so that we can add this line in our systemd service file, and thus avoid having to manually do the setcap when updating the app:
ExecStartPre=/usr/bin/sudo /sbin/setcap 'cap_net_bind_service=+ep' /opt/pydio/bin/cells
You can also find a similar layout in our docker images.
This said, we would greatly appreciate feedback on the subject: do not hesitate to share your thoughts, ideas, critics: we would be glad to enhance things in the next releases.
We know we also have to then improve the documentation on this, but it is a long process (a.k.a PR are welcomed if you have ideas to enhance the docs … everything is opensource on github,   so feelfree to help)