I work on a podman container for postfix + dovecot. On my host, the Let's Encrypt keys (including the private key) are stored in /etc/letsencrypt/live/xxxxx.xxx/, and these keys have to be used by both postfix and dovecot.
However, the "/etc/letsencrypt/live" folder is only accessible by root, so when I share the /etc/letsencrypt folder using the -v option, the container has no access to the live folder. Of course, if I do awful things like chmod 777 on the /etc/letsencrypt/live folder, everything is OK. But of course that is not a good way to do it.
I wanted to know what I should do to avoid this chmod 777 while working with a rootless container. Can I map the volume using root? (And if so, is it a good idea?) Should I play with groups on the host (i.e. a group called something like "encrypters" that contains only root and the user that runs the container)? Or a root process that performs copies of the keys?
I have also seen the "--secret" option for podman, but I did not understand if it would solve my problem. Please also notice that the Let's Encrypt keys are re-generated sometimes because they have a 1 month lifetime.
If there is some guideline somewhere about this topic please show me.
My host is Ubuntu 22.04, and the podman version is 3.4.4. I don't use SELinux for now.
Thanks a lot,
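As an added example (not code from the question or from any answer), one way to implement the "root process that copies the keys" idea: a certbot deploy hook, run as root, that publishes the renewed files into a staging directory owned by the user who runs the rootless container, with the private key readable by that user only. The user `mailpod` and the directory `/srv/mail-certs` are assumptions; `RENEWED_LINEAGE` and `--deploy-hook` are certbot's own.

```shell
#!/bin/sh
# Hypothetical deploy hook: copy the renewed Let's Encrypt files out of the
# root-only /etc/letsencrypt/live lineage into a directory the rootless
# container user can read, so nothing under /etc/letsencrypt needs chmod 777.
set -eu

# publish_certs LINEAGE_DIR DEST_DIR OWNER
#   LINEAGE_DIR: e.g. /etc/letsencrypt/live/xxxxx.xxx (symlinks into archive/)
#   DEST_DIR:    staging directory handed to the container with -v ...:ro
#   OWNER:       user:group of the host user that runs podman
#   The chain becomes world-readable, the private key OWNER-only (0600), and
#   each file is moved into place atomically so the container never reads a
#   half-written key while certbot is renewing.
publish_certs() {
    lineage="$1"; dest="$2"; owner="$3"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "publish_certs: $lineage lacks fullchain.pem/privkey.pem" >&2
        return 1
    }
    mkdir -p "$dest"
    chown "$owner" "$dest"
    chmod 0750 "$dest"
    for f in fullchain.pem privkey.pem; do
        tmp="$dest/.$f.tmp"
        cp -L "$lineage/$f" "$tmp"      # -L: follow the live/ symlink, copy a regular file
        chown "$owner" "$tmp"
        if [ "$f" = privkey.pem ]; then chmod 0600 "$tmp"; else chmod 0644 "$tmp"; fi
        mv -f "$tmp" "$dest/$f"
    done
}

# certbot runs this script after each successful renewal when installed as
#   certbot renew --deploy-hook /usr/local/sbin/publish-mail-certs
# and exports RENEWED_LINEAGE for the lineage that was just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    publish_certs "$RENEWED_LINEAGE" /srv/mail-certs mailpod:mailpod
    # The rootless user then mounts the directory read-only, e.g.
    #   podman run --userns=keep-id -v /srv/mail-certs:/etc/mailcerts:ro ...
    # so postfix/dovecot read /etc/mailcerts/{fullchain,privkey}.pem, and a
    # reload inside the container after renewal picks up the new key.
fi
```

With `--userns=keep-id` the container user has the same UID as the host user, so the 0600 private key is readable inside the container and by nobody else on the host.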