[enh] container: custom certificates (#5238)

Let container instance administrators to add custom certificates:

  https://docs.searxng.org/admin/installation-docker.html#custom-certificates

Closes https://github.com/searxng/searxng/issues/5206

container/base-builder.yml

@@ -16,6 +16,7 @@ work-dir: /usr/local/searxng/
 
 environment:
   PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  SSL_CERT_DIR: /etc/ssl/certs
   SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
   HISTFILE: /dev/null
 

container/base.yml

@@ -3,6 +3,7 @@ contents:
     - https://dl-cdn.alpinelinux.org/alpine/edge/main
   packages:
     - alpine-baselayout
+    - ca-certificates
     - ca-certificates-bundle
     - musl-locales
     - musl-locales-lang
@@ -27,6 +28,7 @@ accounts:
 
 environment:
   PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  SSL_CERT_DIR: /etc/ssl/certs
   SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
   HISTFILE: /dev/null
   CONFIG_PATH: /etc/searxng

container/entrypoint.sh

@@ -127,4 +127,6 @@ volume_handler "$DATA_PATH"
 # Check for files
 config_handler "$SEARXNG_SETTINGS_PATH" "/usr/local/searxng/searx/settings.yml"
 
+update-ca-certificates
+
 exec /usr/local/searxng/.venv/bin/granian searx.webapp:app

docs/admin/installation-docker.rst

@@ -165,6 +165,17 @@ Container internal paths (don't modify unless you know what you're doing):
 - ``$SEARXNG_SETTINGS_PATH``: Path to the SearXNG settings file (default: ``$CONFIG_PATH/settings.yml``)
 - ``$DATA_PATH``: Path to the SearXNG data directory (default: ``/var/cache/searxng``)
 
+.. _Container custom certificates:
+
+Custom certificates
+===================
+
+You can mount ``/usr/local/share/ca-certificates/`` folder to add/remove
+additional certificates as needed.
+
+They will be available on container (re)start or when running
+``update-ca-certificates`` in the container shell.
+
 .. _Container custom images:
 
 Custom images