From d5d75b39951f3dc227119e404eb42189ab0a29e1 Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Wed, 22 Sep 2021 21:21:21 +0100
Subject: [PATCH] letsencrypt: Use dedicated user for ACME process

This improves security and ensures that files end up under a consistent set of UID and GID values.
---
 config/service/letsencrypt/Containerfile | 8 ++++++++
 config/service/letsencrypt/container/run-lego | 7 +++++++
 2 files changed, 15 insertions(+)
 create mode 100755 config/service/letsencrypt/container/run-lego

diff --git a/config/service/letsencrypt/Containerfile b/config/service/letsencrypt/Containerfile
index 705222f..6f24a11 100644
--- a/config/service/letsencrypt/Containerfile
+++ b/config/service/letsencrypt/Containerfile
@@ -1 +1,9 @@
 FROM docker.io/goacme/lego:v4.4.0
+
+RUN addgroup --system --gid 10000 letsencrypt
+RUN adduser --system --uid 10000 --ingroup letsencrypt --home /var/lib/letsencrypt letsencrypt
+
+RUN apk --no-cache --no-progress add gosu
+COPY container/run-lego /run-lego
+
+ENTRYPOINT ["/run-lego"]
diff --git a/config/service/letsencrypt/container/run-lego b/config/service/letsencrypt/container/run-lego
new file mode 100755
index 0000000..5dfc875
--- /dev/null
+++ b/config/service/letsencrypt/container/run-lego
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Correct permissions where needed.
+chown -R letsencrypt:letsencrypt /var/lib/letsencrypt
+
+# Run ACME verification with parameters given.
+gosu letsencrypt /usr/bin/lego "$@"
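Review bot: The package added in `RUN apk --no-cache --no-progress add gosu` is unpinned, so a later rebuild of this otherwise pinned image (`lego:v4.4.0`) can pull a different gosu than the one reviewed (hadolint DL3018); pin it, e.g. `RUN apk --no-cache --no-progress add gosu=<VERSION_FROM_ALPINE_REPO>`, and bump it together with the base tag. The addgroup and adduser steps are one logical operation and would read better as one layer: `RUN addgroup --system --gid 10000 letsencrypt && adduser --system --uid 10000 --ingroup letsencrypt --home /var/lib/letsencrypt letsencrypt`. Because no `USER` directive is set, the container still starts as root and depends entirely on run-lego to drop privileges, which is presumably deliberate so that ownership of a mounted state directory can be fixed at start; a comment above ENTRYPOINT such as `# Starts as root so run-lego can fix ownership of mounted state, then drops to letsencrypt via gosu.` would make that explicit and remind readers that overriding the entrypoint runs lego as root.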
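Review bot: The last line `gosu letsencrypt /usr/bin/lego "$@"` runs gosu as a child of the shell, so /bin/sh remains PID 1 and a SIGTERM from a container stop is not delivered to lego; change it to `exec gosu letsencrypt /usr/bin/lego "$@"` so lego replaces the shell. With no `set -e`, a failed `chown -R` (for example on a read-only mount) is silently ignored and lego is still started under a user that likely cannot write its state; adding `set -eu` after the shebang makes that failure visible, or if best-effort is intended the chown should say so with an explicit `|| true`. The path `/usr/bin/lego` is assumed to be where the base image places the binary and is not established by this patch; worth confirming against the goacme/lego image.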