From cd0f4f967905e0adb06d96049a3ce11c6308fcc2 Mon Sep 17 00:00:00 2001
From: 3wc <3wc@doesthisthing.work>
Date: Sun, 19 Dec 2021 22:58:03 +0200
Subject: [PATCH] Add secrets, DB_PREFIX, remove nginx.conf
---
 .env.sample | 5 +++++
 compose.yml | 43 ++++++++++++++++++++++++++++---------------
 nginx.conf | 48 ------------------------------------------------
 3 files changed, 33 insertions(+), 63 deletions(-)
 delete mode 100644 nginx.conf
diff --git a/.env.sample b/.env.sample
index a47dce9..50f68f6 100644
--- a/.env.sample
+++ b/.env.sample
@@ -5,3 +5,8 @@ DOMAIN=wordpress-bedrock.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress-bedrock.example.com`'
 LETS_ENCRYPT_ENV=production
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+
+# DB_PREFIX=wp_
diff --git a/compose.yml b/compose.yml
index 0964702..d1ce472 100644
--- a/compose.yml
+++ b/compose.yml
@@ -3,16 +3,15 @@ version: "3.8"
 services:
 app:
- image: nginx:alpine
+ image: "thecoopcloud/nginx:1.21.4-bedrock"
 working_dir: /app
 volumes:
 - wordpress:/app:cached
 networks:
 - proxy
 - backend
- configs:
- - source: nginx_conf
- target: /etc/nginx/conf.d/default.conf
+ environment:
+ - STACK_NAME
 deploy:
 restart_policy:
 condition: on-failure
@@ -22,10 +21,10 @@ services:
 - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- ## Redirect from EXTRA_DOMAINS to DOMAIN
- #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
- #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
- #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+ - "backupbot.backup=true"
+ - "backupbot.backup.path=/var/www/html"
+ # note(3wc): no explicit EXTRA_DOMAINS redirect needed, wordpress does
+ # it for us
 # healthcheck:
 # test: ["CMD", "curl", "-f", "http://localhost"]
 # interval: 30s
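Review bot: In `.env.sample`, `# DB_PREFIX=wp_` is offered as a setting, but no `compose.yml` hunk in this patch adds `DB_PREFIX` to the `php` service's `environment:` list; unless an unchanged line outside the hunks already passes it, uncommenting it would not reach the container. The two `SECRET_DB_*_VERSION` lines also lack the kind of `##` comment the file uses for `EXTRA_DOMAINS`. The `secrets:` block in `compose.yml` interpolates them into the external secret name, so a line such as `## Secret versions: part of the external secret name; bump when rotating a secret` would make clear that changing the value selects a different secret rather than changing a password.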
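Review bot: In the first `compose.yml` hunk, the `app` service's new `image: "thecoopcloud/nginx:1.21.4-bedrock"` is pinned by tag only. Because `nginx.conf` is deleted in the same patch, the whole server configuration that used to be reviewable in this repository (for example `client_max_body_size` and the PHP `location` block) now comes from that image. A tag can be re-pushed, so a digest pin such as `image: "thecoopcloud/nginx:1.21.4-bedrock@sha256:<digest>"` would make the deployed configuration reproducible and auditable. The `app` service definition continues outside the hunk.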
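Review bot: In the second `compose.yml` hunk, the added label `backupbot.backup.path=/var/www/html` on the `app` service does not match where this stack keeps the site. The first hunk mounts the `wordpress` volume at `/app` with `working_dir: /app`, and the deleted `nginx.conf` served from `/app/web`. Unless the new image maps `/var/www/html` onto `/app` (not visible here), the backup job would report success while capturing none of the WordPress files, which tends to be discovered only at restore time. `- "backupbot.backup.path=/app"` looks like the intended value.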
@@ -36,10 +35,12 @@ services:
 php:
 image: "thecoopcloud/wordpress:5.8.2-php7.4-fpm-bedrock"
 working_dir: /app
+ secrets:
+ - db_password
 environment:
 - DB_NAME=wordpress
 - DB_USER=wordpress
- - DB_PASSWORD=wordpress
+ - DB_PASSWORD_FILE=/run/secrets/db_password
 - DB_HOST=db
 - WP_ENV=production
 - WP_HOME=https://${DOMAIN}
@@ -57,12 +58,21 @@ services:
 volumes:
 - "mariadb:/var/lib/mysql"
 environment:
- - MYSQL_ROOT_PASSWORD=wordpress
+ - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
 - MYSQL_DATABASE=wordpress
 - MYSQL_USER=wordpress
- - MYSQL_PASSWORD=wordpress
+ - MYSQL_PASSWORD_FILE=/run/secrets/db_password
 networks:
 - backend
+ secrets:
+ - db_password
+ - db_root_password
+ deploy:
+ labels:
+ - "backupbot.backup=true"
+ - "backupbot.backup.path=/tmp/dump.sql.gz"
+ - "backupbot.backup.post-hook=rm -f /tmp/dump.sql.gz"
+ - "backupbot.backup.pre-hook=mysqldump -u root -p`cat /run/secrets/db_root_password` wordpress | gzip > /tmp/dump.sql.gz"
 networks:
 proxy:
@@ -73,7 +83,10 @@ volumes:
 wordpress:
 mariadb:
-configs:
- nginx_conf:
- name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
- file: nginx.conf
+secrets:
+ db_root_password:
+ external: true
+ name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+ db_password:
+ external: true
+ name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
diff --git a/nginx.conf b/nginx.conf
deleted file mode 100644
index 51e7c87..0000000
--- a/nginx.conf
+++ /dev/null
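Review bot: In the `php` service, `DB_PASSWORD_FILE=/run/secrets/db_password` only takes effect if the `thecoopcloud/wordpress:5.8.2-php7.4-fpm-bedrock` image turns `*_FILE` variables into `DB_PASSWORD` before the application reads its environment, and nothing in this patch shows that it does. If it does not, the container starts with no database password at all and the failure shows up only as a connection error at runtime. Once confirmed, a comment above the line such as `# resolved to DB_PASSWORD by the image entrypoint` would record the dependency. The `environment:` list continues outside the hunk.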
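Review bot: The added `backupbot.backup.pre-hook` label on the `db` service passes the root password as a `-p…` argument built from an unquoted backtick substitution. That puts the secret on mysqldump's command line, where it can be read from the process list while the dump starts, and a password containing whitespace or glob characters would be split by the shell. Passing it through the environment, which the MariaDB client tools read, avoids both without changing the label's interpolation: ``MYSQL_PWD=`cat /run/secrets/db_root_password` mysqldump -u root wordpress | gzip > /tmp/dump.sql.gz``. Because the hook is a pipeline, a failing mysqldump still leaves a well-formed but empty `/tmp/dump.sql.gz` for the backup to collect, so the hook should be made to fail when the dump does (how depends on the shell backupbot runs hooks in, which is not shown). Separately, on an already-initialised `mariadb` volume the new `*_PASSWORD_FILE` variables are presumably applied only at first start, so existing deployments would keep the old `wordpress` passwords until they are changed in the database itself.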
@@ -1,48 +0,0 @@
-server {
- listen 80 default_server;
- listen [::]:80 default_server;
-
- server_name _;
-
- client_max_body_size 128M;
-
- gzip on;
- gzip_proxied any;
- gzip_types text/plain text/xml text/css application/x-javascript;
- gzip_vary on;
- gzip_disable "MSIE [1-6]\.(?!.*SV1)";
-
- sendfile on;
- sendfile_max_chunk 512k;
-
- root /app/web;
-
- access_log off;
-
- location / {
- include /etc/nginx/mime.types;
-
- root /app/web;
- index index.html index.htm index.php;
-
- try_files $uri $uri/ /index.php?q=$uri&$args;
- }
-
- location ~ .php$ {
- include fastcgi.conf;
-
- fastcgi_read_timeout 300;
- fastcgi_pass php:9000;
-
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME /app/web/$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_script_name;
-
- # fastcgi_param PHP_VALUE "error_log=/var/log/nginx/application_php_errors.log";
- fastcgi_buffers 16 16k;
- fastcgi_buffer_size 32k;
-
- include fastcgi_params;
- }
-}
-