letsencrypt: Use dedicated user for ACME process

This improves security and ensures that files end up under a consistent
set of UID and GID values.

config/service/letsencrypt/Containerfile

@@ -1 +1,9 @@
 FROM docker.io/goacme/lego:v4.4.0
+
+RUN addgroup --system --gid 10000 letsencrypt
+RUN adduser --system --uid 10000 --ingroup letsencrypt --home /var/lib/letsencrypt letsencrypt
+
+RUN apk --no-cache --no-progress add gosu
+COPY container/run-lego /run-lego
+
+ENTRYPOINT ["/run-lego"]

config/service/letsencrypt/container/run-lego

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Correct permissions where needed.
+chown -R letsencrypt:letsencrypt /var/lib/letsencrypt
+
+# Run ACME verification with parameters given.
+gosu letsencrypt /usr/bin/lego "$@"