build: allow users to set the umask easily (#5407)

This adds an easy way for users  to set a UMASK in the container.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>

docs/content/en/integration/deployment/docker.md

@@ -18,6 +18,44 @@ The [Docker] container is deployed with the following image names:
 * [docker.io/authelia/authelia](https://hub.docker.com/r/authelia/authelia)
 * [ghcr.io/authelia/authelia](https://github.com/authelia/authelia/pkgs/container/authelia)
 
+## Get Started
+
+It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
+[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
+bootstrapping *Authelia*.
+
+## Container
+
+### Environment Variables
+
+Several environment variables apply specifically to the official container. This table documents them. It is important
+to note these environment variables are specific to the container and have no effect on the *Authelia* daemon itself and
+this section is not meant to document the daemon environment variables.
+
+| Name  | Default |                                             Usage                                             |
+|:-----:|:-------:|:---------------------------------------------------------------------------------------------:|
+| PUID  |    0    | If the container is running as UID 0, it will drop privileges to this UID via the entrypoint  |
+| PGID  |    0    | If the container is running as UID 0, it will drop privileges to this GID via the entrypoint  |
+| UMASK |   N/A   | If set the container will run with the provided UMASK by running the `umask ${UMASK}` command |
+
+### Permission Context
+
+By default the container runs as the configured [Docker] daemon user. Users can control this behaviour in several ways.
+
+The first and recommended way is instructing the [Docker] daemon to run the *Authelia* container as another user. See
+the [docker run] or [Docker Compose file reference documentation](https://docs.docker.com/compose/compose-file/05-services/#user)
+for more information. The best part of this method is the process will never have privileged access, and the only
+negative is the user must manually configure the filesystem permissions correctly.
+
+The second method is by using the environment variables listed above. The downside to this method is that the entrypoint
+itself will run as UID 0 (root). The advantage is the container will automatically set owner and permissions on the
+filesystem correctly.
+
+The last method which is beyond our documentation or support is using the
+[user namespace](https://docs.docker.com/engine/security/userns-remap/) facility [Docker] provides.
+
+[docker run]: https://docs.docker.com/engine/reference/commandline/run/
+
 ## Docker Compose
 
 We provide two main [Docker Compose] examples which can be utilized to help test *Authelia* or can be adapted into your
@@ -27,12 +65,6 @@ existing [Docker Compose].
 * [Bundle: lite](#lite)
 * [Bundle: local](#local)
 
-### Get Started
-
-It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
-[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
-bootstrapping *Authelia*.
-
 ### Standalone Example
 
 The following examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or

entrypoint.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+[[ ! -z ${UMASK} ]] && umask ${UMASK}
+
 if [[ ! -z ${1} ]] && [[ ${1} != "--config" ]]; then
   exec "$@"
 elif [[ $(id -u) != 0 ]] || [[ $(id -g) != 0 ]]; then
@@ -7,4 +9,4 @@ elif [[ $(id -u) != 0 ]] || [[ $(id -g) != 0 ]]; then
 else
   chown -R ${PUID}:${PGID} /config
   exec su-exec ${PUID}:${PGID} authelia "$@"
-fi
+fi