The linked repo. I mostly agree with you that most of this should be in containers; I should have been more clear to what part of your comment I was addressing.
In regards to docker worldview, this project currently doesn't follow best practices.
And while I agree mostly with this statement:
> Surely all the complexity should be inside the container
The caveat being that complexity should be split up into separate concerns. Otherwise there's little difference between the host and container aside from an extra layer of abstraction.
For example, this repo should probably be split into several containers: cert management should probably be its own container, with a shared volume for certs; php should be rolled into its own container, and php files should reside there; logging shouldn't be handled at the container level; firewall concerns (namely fail2ban) probably should be handled by the host, or in a container with appropriate permissions; etc.
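One way to lay out the split described above, as an added Compose example that is not the linked repo's configuration or the commenter's own code; image tags, paths and service names are assumptions, and the only write access to the cert volume belongs to the cert-management container:

```yaml
# Added example, not the linked repo's own compose file; images and paths are assumptions.
services:
  # Certificate management is its own concern: the only service that writes to the cert volume.
  certbot:
    image: certbot/certbot
    volumes:
      - certs:/etc/letsencrypt
      - webroot:/var/www/certbot
    # Renew on a loop; the web container only reads the results, it never runs certbot.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

  # The web server mounts certs read-only (":ro") and has no PHP installed.
  web:
    image: nginx:stable
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - certs:/etc/letsencrypt:ro
      - webroot:/var/www/certbot:ro
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./app:/var/www/html:ro
    depends_on:
      - php
    # Logging is handled by the Docker logging driver on the host, not by a daemon in the container.
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  # PHP runs in its own container; nginx reaches php-fpm over the internal network only.
  php:
    image: php:8-fpm
    volumes:
      - ./app:/var/www/html:ro
    # No published ports: port 9000 is reachable from the web container, not from outside.
    expose:
      - "9000"

# fail2ban is deliberately absent: it has to change host netfilter rules, so it belongs on
# the host (or in a container explicitly granted NET_ADMIN and host networking).

volumes:
  certs:
  webroot:
```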