From c30b7310aaf5f5a2742c596e52da9019b78f200b Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 20 Feb 2020 22:00:14 +0000
Subject: [PATCH] Add support for PUID/PGID and create necessary directories in /snikket

This is useful when e.g. mounting an existing directory instead of a docker-managed volume.
---
 ansible/files/certbot.cron | 9 +++++----
 ansible/tasks/certs.yml | 12 +++++++++++-
 docker/entrypoint.sh | 24 ++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/ansible/files/certbot.cron b/ansible/files/certbot.cron
index f7e4de0..a8a52c7 100644
--- a/ansible/files/certbot.cron
+++ b/ansible/files/certbot.cron
@@ -1,12 +1,13 @@
 #!/bin/sh
-certbot certonly -n --webroot --webroot-path /var/www \
+su letsencrypt -- -c "certbot certonly -n --webroot --webroot-path /var/www \
 --cert-path /etc/ssl/certbot \
 --keep $SNIKKET_CERTBOT_OPTIONS \
- --agree-tos --email "$SNIKKET_ADMIN_EMAIL" --expand \
+ --agree-tos --email \"$SNIKKET_ADMIN_EMAIL\" --expand \
 --allow-subset-of-names \
 --config-dir /snikket/letsencrypt \
- --domain "$SNIKKET_DOMAIN" --domain "share.$SNIKKET_DOMAIN" \
- --domain "groups.$SNIKKET_DOMAIN"
+ --domain \"$SNIKKET_DOMAIN\" --domain \"share.$SNIKKET_DOMAIN\" \
+ --domain \"groups.$SNIKKET_DOMAIN\"
+ "
 prosodyctl --root cert import /snikket/letsencrypt/live
diff --git a/ansible/tasks/certs.yml b/ansible/tasks/certs.yml
index e48a0e3..4be0862 100644
--- a/ansible/tasks/certs.yml
+++ b/ansible/tasks/certs.yml
@@ -13,4 +13,14 @@
 copy:
 src: ../files/certbot.cron
 dest: /etc/cron.daily/certbot
- mode: 0550
+ mode: 0555
+- name: Create letsencrypt group
+ group:
+ name: letsencrypt
+ system: yes
+- name: Create letsencrypt user
+ user:
+ name: letsencrypt
+ group: letsencrypt
+ system: yes
+ home: /snikket/letsencrypt
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 0d9f9fe..da3895d 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
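Review bot: The script handed to `su letsencrypt -- -c` is built inside double quotes, so `$SNIKKET_ADMIN_EMAIL`, `$SNIKKET_DOMAIN` and `$SNIKKET_CERTBOT_OPTIONS` are expanded by the cron script's shell and the resulting text is parsed a second time by the shell that `su` starts. The escaped `\"` only keeps spaces together; a value containing a double quote, a backtick or `$(` would be read as shell syntax by the letsencrypt user's shell instead of reaching certbot as data. Because `su` is called without `-l`, the caller's environment should still be visible to the inner shell, so single-quoting the script and dropping the backslashes leaves a single expansion: `su letsencrypt -- -c 'certbot certonly ... --email "$SNIKKET_ADMIN_EMAIL" ... --domain "groups.$SNIKKET_DOMAIN"'`. A one-line comment above the call noting that certbot now runs unprivileged while `prosodyctl --root cert import` stays root would also help the next reader.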
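Review bot: The new `letsencrypt` user task sets no `shell:`, yet the cron script changed in this same patch depends on `su letsencrypt -- -c ...` being able to start a shell for that account, so the behaviour is left to the distribution's useradd default. Stating it explicitly (`shell: /bin/sh`, or a nologin shell combined with `su -s /bin/sh` in the cron script) makes the intent reviewable. Separately, `mode: 0555` relies on YAML reading the bare number as octal; the quoted form `mode: "0555"` is what Ansible documents, and a comment on why the script now has to be readable and executable by everyone would help, since the reason is not visible in this hunk. The copy task these first lines belong to starts above the hunk.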
@@ -15,4 +15,28 @@ echo "from snikket@$SNIKKET_DOMAIN" >> /etc/msmtprc
 unset SNIKKET_SMTP_URL
+PUID=${PUID:=$(stat -c %u /snikket)}
+PGID=${PGID:=$(stat -c %g /snikket)}
+
+if [ "$PUID" != 0 ] && [ "$PGID" != 0 ]; then
+ usermod -o -u "$PUID" prosody
+ groupmod -o -g "$PGID" prosody
+
+ usermod -o -u "$PUID" letsencrypt
+ groupmod -o -g "$PGID" letsencrypt
+fi
+
+if ! test -d /snikket/prosody; then
+ install -o prosody -g prosody -m 750 -d /snikket/prosody;
+fi
+
+chown -R prosody:prosody /var/spool/anacron /var/run/prosody /snikket/prosody /etc/prosody
+
+if ! test -d /snikket/letsencrypt; then
+ install -o letsencrypt -g letsencrypt -m 750 -d /snikket/letsencrypt;
+fi
+
+install -o letsencrypt -g letsencrypt -m 750 -d /var/lib/letsencrypt;
+install -o letsencrypt -g letsencrypt -m 750 -d /var/log/letsencrypt;
+
 exec supervisord -c /etc/supervisor/supervisord.conf
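Review bot: The guard `[ "$PUID" != 0 ] && [ "$PGID" != 0 ]` is a string comparison on values taken from the environment, so it does not reliably keep the service accounts off ID 0: a spelling such as `00` is not equal to the string `0`, and `usermod -o` accepts a non-unique ID. Validating first and comparing numerically addresses that, e.g. `case "$PUID" in ''|*[!0-9]*) echo "PUID must be numeric" >&2; exit 1;; esac` (same for `PGID`) and then `[ "$PUID" -ne 0 ] && [ "$PGID" -ne 0 ]`. The condition also skips the whole remap when only one of the two values is 0, which leaves both accounts on their built-in IDs while `/snikket` is owned by something else; either guard the user and group remaps separately or add a comment saying this is deliberate. Whether a failing `usermod` or `groupmod` stops the container start depends on a `set -e` that is not visible here, because the script begins above this hunk.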