Add secrets, DB_PREFIX, remove nginx.conf

2021-12-19 22:58:03 +02:00 · 2021-12-19 22:58:03 +02:00 · cd0f4f9679
parent d7aa3f3436
commit cd0f4f9679
3 changed files with 33 additions and 63 deletions
--- a/.env.sample
+++ b/.env.sample
@ -5,3 +5,8 @@ DOMAIN=wordpress-bedrock.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress-bedrock.example.com`'
 LETS_ENCRYPT_ENV=production
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+
+# DB_PREFIX=wp_
--- a/compose.yml
+++ b/compose.yml
@ -3,16 +3,15 @@ version: "3.8"

 services:
  app:
-    image: nginx:alpine
+    image: "thecoopcloud/nginx:1.21.4-bedrock"
    working_dir: /app
    volumes:
      - wordpress:/app:cached
    networks:
      - proxy
      - backend
-    configs:
-      - source: nginx_conf
-        target: /etc/nginx/conf.d/default.conf
+    environment:
+      - STACK_NAME
    deploy:
      restart_policy:
        condition: on-failure
@ -22,10 +21,10 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        ## Redirect from EXTRA_DOMAINS to DOMAIN
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/var/www/html"
+        # note(3wc): no explicit EXTRA_DOMAINS redirect needed, wordpress does
+        # it for us
    # healthcheck:
    #   test: ["CMD", "curl", "-f", "http://localhost"]
    #   interval: 30s
@ -36,10 +35,12 @@ services:
  php:
    image: "thecoopcloud/wordpress:5.8.2-php7.4-fpm-bedrock"
    working_dir: /app
+    secrets:
+      - db_password
    environment:
      - DB_NAME=wordpress
      - DB_USER=wordpress
-      - DB_PASSWORD=wordpress
+      - DB_PASSWORD_FILE=/run/secrets/db_password
      - DB_HOST=db
      - WP_ENV=production
      - WP_HOME=https://${DOMAIN}
@ -57,12 +58,21 @@ services:
    volumes:
      - "mariadb:/var/lib/mysql"
    environment:
-      - MYSQL_ROOT_PASSWORD=wordpress
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
-      - MYSQL_PASSWORD=wordpress
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
    networks:
      - backend
+    secrets:
+      - db_password
+      - db_root_password
+    deploy:
+      labels:
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/tmp/dump.sql.gz"
+        - "backupbot.backup.post-hook=rm -f /tmp/dump.sql.gz"
+        - "backupbot.backup.pre-hook=mysqldump -u root -p`cat /run/secrets/db_root_password` wordpress | gzip > /tmp/dump.sql.gz"

 networks:
  proxy:
@ -73,7 +83,10 @@ volumes:
  wordpress:
  mariadb:
    
-configs:
-  nginx_conf:
-    name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
-    file: nginx.conf
+secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
--- a/nginx.conf
+++ b/nginx.conf
@ -1,48 +0,0 @@
-server { 
-  listen 80 default_server;
-  listen [::]:80 default_server;
-
-  server_name _;
-
-  client_max_body_size 128M;
-
-  gzip on;
-  gzip_proxied any;
-  gzip_types text/plain text/xml text/css application/x-javascript;
-  gzip_vary on;
-  gzip_disable "MSIE [1-6]\.(?!.*SV1)";
-
-  sendfile on;
-  sendfile_max_chunk 512k;
-
-  root /app/web;
-
-  access_log off;
-
-  location / {
-    include /etc/nginx/mime.types;
-
-    root /app/web;
-    index index.html index.htm index.php;
-
-    try_files $uri $uri/ /index.php?q=$uri&$args;
-  }
-
-  location ~ .php$ {
-    include fastcgi.conf;
-
-    fastcgi_read_timeout 300;
-    fastcgi_pass php:9000;
-
-    fastcgi_index index.php;
-    fastcgi_param SCRIPT_FILENAME /app/web/$fastcgi_script_name;
-    fastcgi_param PATH_INFO $fastcgi_script_name;
-
-    # fastcgi_param PHP_VALUE "error_log=/var/log/nginx/application_php_errors.log";
-    fastcgi_buffers 16 16k;
-    fastcgi_buffer_size 32k;
-
-    include fastcgi_params;
-  }
-}
-