by uponcoffee 2063 days ago
It violates a lot of principles of using containers. There's no separation of concerns here, builds aren't reproducible, it hijacks logging for its own setup, appears to allow RCE of php files on another host in the event it is compromised (does it make sense to store/bundle php files in this container if it's not meant to handle php?)... etc.
1 comments

Sorry - I'm not clear what the referent of the word "it" is here? You mean Bunkerized is violating these principles? Or the approach the gp suggests?
The linked repo. I mostly agree with you that most of this should be in containers; I should have been clearer about which part of your comment I was addressing.

In regard to the Docker worldview, this project currently doesn't follow best practices.

And while I agree mostly with this statement:

> Surely all the complexity should be inside the container

The caveat being that complexity should be split up into separate concerns. Otherwise there's little difference between the host and container aside from an extra layer of abstraction.

For example, this repo should probably be split into several containers: cert management should probably be its own container, with a shared volume for certs; php should be rolled into its own container, and php files should reside there; logging shouldn't be handled at the container level; firewall concerns (namely fail2ban) probably should be handled by the host, or in a container with appropriate permissions; etc.
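The split sketched in the comment above, written out as an added Compose file; it is not the linked repo's own configuration or the commenter's, and the image tags, paths, volume and network names are assumptions:

```yaml
# Added example: one concern per container, as the comment describes.
# Not the linked repo's compose file; images, paths and names are assumed.
# nginx.conf (not shown) would fastcgi_pass requests for *.php to php:9000.
services:
  nginx:                            # TLS termination and static files only
    image: nginx:alpine
    ports: ["80:80", "443:443"]
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - ./static:/usr/share/nginx/html:ro
      - certs:/etc/letsencrypt:ro       # certbot writes, nginx only reads
      - acme:/var/www/acme:ro           # /.well-known/acme-challenge served from here
    networks: [edge, internal]
    # Logs stay on stdout/stderr; the Docker logging driver, not the
    # container, decides where they go.

  php:                              # php-fpm; the .php sources are baked into this image
    build: ./php                    # assumed Dockerfile: FROM php:8-fpm-alpine, COPY src/ /var/www/html/
    networks: [internal]            # reachable from nginx only, never published

  certbot:                          # the only writer of the certs volume
    image: certbot/certbot
    volumes:
      - certs:/etc/letsencrypt
      - acme:/var/www/acme
    entrypoint: sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/acme; sleep 12h & wait $${!}; done'
    networks: [edge]

  # fail2ban is deliberately absent: banning needs NET_ADMIN and the host's
  # netfilter tables, so it belongs on the host (or in its own container with
  # cap_add: [NET_ADMIN] and network_mode: host, reading nginx's logs),
  # not inside the web-serving container.

volumes:
  certs: {}
  acme: {}

networks:
  edge: {}
  internal:
    internal: true                  # no route out; php cannot reach the internet
```

With this layout a compromise of the nginx container yields read-only certs and no php sources, and the php container has no published port and no outbound route.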