
fix: use alpine with docker-cli for cert-dumper sidecar #17

Merged
weby-homelab merged 1 commit into master from fix/cert-dumper-docker-cli on May 21, 2026

Conversation

@weby-homelab (Owner)

Updates cert-dumper to use alpine with docker-cli to resolve the missing docker CLI issue during post-hook execution.


@gemini-code-assist (Bot) left a comment

Code Review

This pull request replaces the pre-built traefik-certs-dumper image with an Alpine-based implementation that downloads the binary at runtime. Feedback identifies critical issues including security risks from unverified downloads, potential reliability failures due to external network dependencies, architecture lock-in to amd64, and improper signal handling. It is recommended to use a custom Dockerfile to handle these dependencies securely and efficiently.

    image: alpine:3.18
    container_name: dms-cert-dumper
    command: file --version v2 --watch --source /traefik/acme.json --dest /ssl --post-hook "docker exec dms-core postfix reload && docker exec dms-core dovecot reload"
    entrypoint: /bin/sh -c 'apk add --no-cache docker-cli curl && curl -L https://github.com/ldez/traefik-certs-dumper/releases/download/v2.10.0/traefik-certs-dumper_v2.10.0_linux_amd64.tar.gz | tar xz && mv traefik-certs-dumper /usr/bin/ && traefik-certs-dumper file --version v2 --watch --source /traefik/acme.json --dest /ssl --post-hook "docker exec dms-core postfix reload && docker exec dms-core dovecot reload"'

Severity: high

The current entrypoint implementation introduces several issues:

  1. Security & Reliability: Downloading a binary at runtime without checksum verification is a security risk. It also makes container startup dependent on external network and repository availability.
  2. Architecture Lock-in: Hardcoding the amd64 binary URL breaks support for other architectures (e.g., ARM64). The original image was multi-arch.
  3. Signal Handling: The final command should use exec so that traefik-certs-dumper runs as PID 1 and correctly handles termination signals (SIGTERM).

Recommendation: Use a Dockerfile to build a custom image. This is the standard way to add dependencies like docker-cli while maintaining immutability and security. If you must use this inline approach, at least add exec to the final command to ensure proper signal propagation.

    entrypoint: /bin/sh -c 'apk add --no-cache docker-cli curl && curl -L https://github.com/ldez/traefik-certs-dumper/releases/download/v2.10.0/traefik-certs-dumper_v2.10.0_linux_amd64.tar.gz | tar xz && mv traefik-certs-dumper /usr/bin/ && exec traefik-certs-dumper file --version v2 --watch --source /traefik/acme.json --dest /ssl --post-hook "docker exec dms-core postfix reload && docker exec dms-core dovecot reload"'
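As an added example (not part of the PR or of the bot's comment), the following POSIX shell entrypoint addresses the three review points above in one place: the binary is downloaded once and checked against a pinned SHA-256 digest, the architecture is mapped from `uname -m` instead of being hard-coded to amd64, and the final command is started with `exec` so the dumper runs as PID 1. The intended wiring, also assumed here, is a Dockerfile that runs `/entrypoint.sh install` in a `RUN` step (so the download, verification and `apk add docker-cli` happen at build time and the image stays immutable) and sets `ENTRYPOINT ["/entrypoint.sh", "run"]`. The version, asset URL and dumper flags are the PR's own; the arm64 asset name follows the amd64 naming and is an assumption, and the two digests are placeholders to be filled in from the upstream release before building.

```shell
#!/bin/sh
# Added example (not from the PR or the bot's comment): a verifying entrypoint for the
# cert-dumper sidecar. Assumed wiring: a Dockerfile runs `/entrypoint.sh install` at
# build time and sets ENTRYPOINT ["/entrypoint.sh", "run"].
set -eu

VERSION="v2.10.0"
BASE_URL="https://github.com/ldez/traefik-certs-dumper/releases/download/${VERSION}"

# Placeholders: replace with the digests published for this release before building.
# Pinning them is what turns "curl | tar" into a verified, reproducible install.
PINNED_SHA256_AMD64="<sha256-of-traefik-certs-dumper_v2.10.0_linux_amd64.tar.gz>"
PINNED_SHA256_ARM64="<sha256-of-traefik-certs-dumper_v2.10.0_linux_arm64.tar.gz>"

# Map the kernel's machine name to the release asset suffix. Anything without a
# pinned digest is rejected rather than guessed (the arm64 asset name is assumed).
map_arch() {
  case "$1" in
    x86_64)        echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Look up the pinned digest for an asset architecture; fail for unknown ones.
pinned_digest() {
  case "$1" in
    amd64) echo "$PINNED_SHA256_AMD64" ;;
    arm64) echo "$PINNED_SHA256_ARM64" ;;
    *) return 1 ;;
  esac
}

# Return 0 only if the file's SHA-256 equals the expected hex digest.
verify_sha256() {
  actual="$(sha256sum "$1" | awk '{ print $1 }')"
  [ "$actual" = "$2" ]
}

# Build-time step: install docker-cli and a checksum-verified dumper binary.
install_dumper() {
  arch="$(map_arch "$(uname -m)")"
  asset="traefik-certs-dumper_${VERSION}_linux_${arch}.tar.gz"
  tmp="$(mktemp -d)"
  apk add --no-cache docker-cli curl
  # -f makes curl fail on HTTP errors instead of saving an error page as the tarball.
  curl -fsSL -o "${tmp}/${asset}" "${BASE_URL}/${asset}"
  if ! verify_sha256 "${tmp}/${asset}" "$(pinned_digest "$arch")"; then
    echo "checksum mismatch for ${asset}; refusing to install" >&2
    rm -rf "$tmp"
    return 1
  fi
  tar -xzf "${tmp}/${asset}" -C "$tmp" traefik-certs-dumper
  install -m 0755 "${tmp}/traefik-certs-dumper" /usr/local/bin/traefik-certs-dumper
  rm -rf "$tmp"
}

case "${1:-}" in
  install) install_dumper ;;
  run)
    # exec replaces the shell, so the dumper is PID 1 and receives SIGTERM directly.
    exec traefik-certs-dumper file --version v2 --watch \
      --source /traefik/acme.json --dest /ssl \
      --post-hook "docker exec dms-core postfix reload && docker exec dms-core dovecot reload"
    ;;
  *) ;;  # no subcommand: only define the functions, so the script can be sourced or tested
esac
```

The compose service then needs no `entrypoint:`/`command:` override at all; it just references the custom image and keeps the `/traefik`, `/ssl` and docker socket mounts it already has, and a failed checksum fails the image build rather than a container start.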

@weby-homelab weby-homelab merged commit 2fec5b9 into master May 21, 2026
4 checks passed
@weby-homelab weby-homelab deleted the fix/cert-dumper-docker-cli branch May 21, 2026 16:18