Use readonly_rootfs and reduced ephemeral_disk

acme-to-vault.nomad.hcl

@@ -9,6 +9,10 @@ job [[ .acme.job_name | toJSON ]] {
       mode = "bridge"
     }
 
+    ephemeral_disk {
+      size = 101
+    }
+
     service {
       name = "[[ .acme.job_name ]][[ .env.suffix ]]"
       port = 8787
@@ -29,6 +33,8 @@ job [[ .acme.job_name | toJSON ]] {
 
       config {
         image = [[ .acme.image | toJSON ]]
+        readonly_rootfs = true
+        pids_limit = 20
       }
 
       vault {

deps/common

@@ -1 +1 @@
-Subproject commit 026777bd644b84396138f1c3e940c93d1f78b563
+Subproject commit 31af38020d602f57674da408a8e628dba0c7c1af

images/acme-to-vault/root/usr/local/bin/acme-to-vault.sh

@@ -66,9 +66,9 @@ main
 # If a cron expression is defined, run a cron daemon
 if [ -n "${ACME_CRON}" -a -z "${ACME_CRON_RUNNING:-}" ]; then
   echo "Running using cron with expression ${ACME_CRON}"
-  cat <<_EOF > /tmp/crontab
+  cat <<_EOF > /dev/shm/crontab
   ${ACME_CRON} /usr/local/bin/acme-to-vault.sh
 _EOF
   export ACME_CRON_RUNNING=true
-  supercronic /tmp/crontab
+  supercronic /dev/shm/crontab
 fi

variables.yml

@@ -5,7 +5,7 @@ acme:
   job_name: acme-to-vault
 
   # The Docker image to use
-  image: danielberteaud/acme-to-vault:20230903-1
+  image: danielberteaud/acme-to-vault:23.09-1
 
   # If a cron expression is defined, the service will stay running and renew certs.
   # If an empty string, the container will exit after running once