Enhance Certbot Docker setup with user/group ID configuration and debug options

- Added new environment variables `DEBUG`, `PUID`, and `PGID` to allow customization of user and group IDs for running Certbot.
- Updated `entrypoint.sh` to handle UID/GID configuration and added debug logging capabilities.
- Modified `Dockerfile` to install necessary packages and create a non-privileged user/group based on provided IDs.
- Enhanced `README.md` to document new environment variables.
- Updated VSCode settings to include new terms for spell checking.

This commit improves the flexibility and security of the Certbot container by allowing it to run under specified user/group IDs and providing debug information when needed.

Author: jaydrogers

.vscode/settings.json

@@ -2,6 +2,8 @@
   "cSpell.words": [
     "CERTBOT",
     "certonly",
-    "letsencrypt"
+    "letsencrypt",
+    "PGID",
+    "PUID"
   ]
 }

README.md

@@ -41,6 +41,9 @@ The following environment variables can be used to customize the Certbot contain
 | `CERTBOT_EMAIL`        | Email address for Let's Encrypt notifications                       | - |
 | `CERTBOT_KEY_TYPE`     | Type of private key to generate                                     | `ecdsa` |
 | `CLOUDFLARE_API_TOKEN` | Cloudflare API token for DNS authentication                         | - |
+| `DEBUG`                | Enable debug mode (prints more information to the console)            | `false`                    |
+| `PUID`                 | The user ID to run certbot as                                       | `0`                    |
+| `PGID`                 | The group ID to run certbot as                                        | `0`                    |
 | `RENEWAL_INTERVAL`     | Interval between certificate renewal checks                         | 43200 seconds (12 hours) |
 | `REPLACE_SYMLINKS`     | Replaces symlinks with direct copies of the files they reference (required for Windows) | `false`                    |
 

src/Dockerfile

@@ -2,14 +2,31 @@
 # check=skip=SecretsUsedInArgOrEnv
 FROM certbot/dns-cloudflare:latest
 
+ARG CERTBOT_USER=certbot
+ARG CERTBOT_GROUP=certbot
+ARG CERTBOT_UID=9999
+ARG CERTBOT_GID=9999
+
 ENV CERTBOT_DOMAINS="" \
     CERTBOT_EMAIL="" \
     CERTBOT_KEY_TYPE="ecdsa" \
     CLOUDFLARE_API_TOKEN="" \
-    RENEWAL_INTERVAL=43200
+    DEBUG=false \
+    PUID=0 \
+    PGID=0 \
+    RENEWAL_INTERVAL=43200 \
+    REPLACE_SYMLINKS=false
 
 COPY --chmod=700 entrypoint.sh /entrypoint.sh
 
+RUN apk update && \
+    apk add --no-cache shadow su-exec && \
+    addgroup -g "${CERTBOT_GID}" "${CERTBOT_GROUP}" && \
+    adduser -u "${CERTBOT_UID}" -G "${CERTBOT_GROUP}" -D -H "${CERTBOT_USER}" && \
+    mkdir -p /var/log/letsencrypt && \
+    chown 700 /var/log/letsencrypt && \
+    rm -rf /var/cache/apk/*
+
 ENTRYPOINT ["/entrypoint.sh"]
 
 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \

src/entrypoint.sh

@@ -1,4 +1,13 @@
 #!/bin/sh
+set -e
+default_uid=0
+default_gid=0
+default_unprivileged_user=certbot
+default_unprivileged_group=certbot
+
+if [ "$DEBUG" = "true" ]; then
+    set -x
+fi
 
 ################################################################################
 # Functions
@@ -9,6 +18,41 @@ cleanup() {
     exit 0
 }
 
+debug_print() {
+    if [ "$DEBUG" = "true" ]; then
+        echo "$1"
+    fi
+}
+
+configure_uid_and_gid() {
+    debug_print "Preparing environment for $PUID:$PGID..."
+    
+    # Handle existing user with the same UID
+    if id -u "${PUID}" >/dev/null 2>&1; then
+        old_user=$(id -nu "${PUID}")
+        debug_print "UID ${PUID} already exists for user ${old_user}. Moving to a new UID."
+        usermod -u "999${PUID}" "${old_user}"
+    fi
+
+    # Handle existing group with the same GID
+    if getent group "${PGID}" >/dev/null 2>&1; then
+        old_group=$(getent group "${PGID}" | cut -d: -f1)
+        debug_print "GID ${PGID} already exists for group ${old_group}. Moving to a new GID."
+        groupmod -g "999${PGID}" "${old_group}"
+    fi
+
+    # Change UID and GID of  run_as user and group
+    usermod -u "${PUID}" "${default_unprivileged_user}" 2>&1 >/dev/null || echo "Error changing user ID."
+    groupmod -g "${PGID}" "${default_unprivileged_user}" 2>&1 >/dev/null || echo "Error changing group ID."
+
+    # Ensure the correct permissions are set for all required directories
+    chown -R "${default_unprivileged_user}:${default_unprivileged_group}" \
+        /etc/letsencrypt \
+        /var/lib/letsencrypt \
+        /var/log/letsencrypt \
+        /opt/certbot
+}
+
 configure_windows_file_permissions() {
     # Permissions must be created after volumes have been mounted; otherwise, windows file system permissions will override
     # the permissions set within the container.
@@ -40,8 +84,28 @@ replace_symlinks() {
     done
 }
 
+is_default_privileges() {
+    [ "${PUID:-$default_uid}" = "$default_uid" ] && [ "${PGID:-$default_gid}" = "$default_gid" ]
+}
+
 run_certbot() {
-    certbot certonly \
+    # Ensure the log directory is set to 700
+    chmod 700 /var/log/letsencrypt
+    chown "${PUID}:${PGID}" /var/log/letsencrypt
+
+    if is_default_privileges; then
+        certbot_cmd="certbot"
+    else
+        certbot_cmd="su-exec ${default_unprivileged_user} certbot"
+    fi
+
+    debug_print "Running certbot with command: $certbot_cmd"
+
+    # Add -v flag if DEBUG is enabled
+    debug_flag=""
+    [ "$DEBUG" = "true" ] && debug_flag="-v"
+
+    $certbot_cmd $debug_flag certonly \
         --dns-cloudflare \
         --dns-cloudflare-credentials /cloudflare.ini \
         -d "$CERTBOT_DOMAINS" \
@@ -79,6 +143,10 @@ trap cleanup TERM INT
 
 validate_environment_variables
 
+if ! is_default_privileges; then
+    configure_uid_and_gid
+fi
+
 if [ "$REPLACE_SYMLINKS" = "true" ]; then
     configure_windows_file_permissions
 fi
@@ -110,32 +178,44 @@ echo "-----------------------------------------------------------"
 # Create Cloudflare configuration file
 echo "dns_cloudflare_api_token = $CLOUDFLARE_API_TOKEN" > /cloudflare.ini
 chmod 600 /cloudflare.ini
+if ! is_default_privileges; then
+    chown "${PUID}:${PGID}" /cloudflare.ini
+fi
 
-# Run certbot initially to get the certificates
-run_certbot
-
-# Infinite loop to keep the container running and periodically check for renewals
-while true; do
-    # POSIX-compliant way to show next run time
-    current_timestamp=$(date +%s)
-    next_timestamp=$((current_timestamp + RENEWAL_INTERVAL))
-    next_run=$(date -r "$next_timestamp" '+%Y-%m-%d %H:%M:%S %z' 2>/dev/null || date '+%Y-%m-%d %H:%M:%S %z')
-    echo "Next certificate renewal check will be at ${next_run}"
-
-    # Store PID of sleep process and wait for it
-    sleep "$RENEWAL_INTERVAL" & 
-    sleep_pid=$!
-    wait $sleep_pid
-    wait_status=$?
-
-    # Check if we received a signal (more portable check)
-    case $wait_status in
-        0) : ;; # Normal exit
-        *) cleanup ;;
-    esac
-
-    if ! run_certbot; then
-        echo "Error: Certificate renewal failed. Exiting."
-        exit 1
+# Check if a command was passed to the container
+if [ $# -gt 0 ]; then
+    if is_default_privileges; then
+        exec "$@"
+    else
+        exec su-exec "${default_unprivileged_user}" "$@"
     fi
-done
+else
+    # Run certbot initially to get the certificates
+    run_certbot
+
+    # Infinite loop to keep the container running and periodically check for renewals
+    while true; do
+        # POSIX-compliant way to show next run time
+        current_timestamp=$(date +%s)
+        next_timestamp=$((current_timestamp + RENEWAL_INTERVAL))
+        next_run=$(date -r "$next_timestamp" '+%Y-%m-%d %H:%M:%S %z' 2>/dev/null || date '+%Y-%m-%d %H:%M:%S %z')
+        echo "Next certificate renewal check will be at ${next_run}"
+
+        # Store PID of sleep process and wait for it
+        sleep "$RENEWAL_INTERVAL" & 
+        sleep_pid=$!
+        wait $sleep_pid
+        wait_status=$?
+
+        # Check if we received a signal (more portable check)
+        case $wait_status in
+            0) : ;; # Normal exit
+            *) cleanup ;;
+        esac
+
+        if ! run_certbot; then
+            echo "Error: Certificate renewal failed. Exiting."
+            exit 1
+        fi
+    done
+fi