Flip USER back to nginx before docker expose/cmd

If an attacker finds a zero-day exploit in Nginx 1.27, they would theoretically have root access inside the container. I can mitigate this by switching to the nginx user (which comes built-in) before the CMD.