Run Drone on master branch

Add .drone.yml
2020-09-25 02:31:25 +02:00 · 2020-09-25 02:26:38 +02:00
14 changed files with 160 additions and 329 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -3,32 +3,17 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
  - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: decentral1se/drone-stack:19.03.8
    settings:
-      host: swarm-test.autonomic.zone
+      compose: compose.yml
-      stack: wordpress
+      host: ssh://swarm-test.autonomic.zone:222
-      generate_secrets: true
+      stack_name: wordpress
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
    environment:
      DOMAIN: wordpress.swarm-test.autonomic.zone
      STACK_NAME: wordpress
      LETS_ENCRYPT_ENV: production
-      SECRET_DB_PASSWORD_VERSION: v1
+      DB_PASSWORD_VERSION: v1
-      SECRET_DB_ROOT_PASSWORD_VERSION: v1
+      DB_ROOT_PASSWORD_VERSION: v1
      PHP_UPLOADS_CONF_VERSION: v1
      ENTRYPOINT_CONF_VERSION: v1
 trigger:
  branch:
    - master
 ---
 kind: pipeline
 name: recipe release
 steps:
  - name: release a new version
    image: thecoopcloud/drone-abra:latest
    settings:
      command: recipe wordpress release
      deploy_key:
        from_secret: abra_bot_deploy_key
--- a/.env.sample
+++ b/.env.sample
@ -1,37 +0,0 @@
 TYPE=wordpress
 DOMAIN=wordpress.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress.example.com`'
 LETS_ENCRYPT_ENV=production
 ## Additional extensions
 #PHP_EXTENSIONS="calendar"
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 # Mostly for compatibility with existing database dumps...
 #WORDPRESS_TABLE_PREFIX=wp_
 # Multisite
 #WORDPRESS_CONFIG_EXTRA="\
 #	define('WP_CACHE', false);\
 #	define('WP_ALLOW_MULTISITE', true );"
 # Multisite phase 2 (see README)
 # WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true); define('SUBDOMAIN_INSTALL', true); define('DOMAIN_CURRENT_SITE', '${DOMAIN}'); define('PATH_CURRENT_SITE', '/');	define('SITE_ID_CURRENT_SITE', 1); define('BLOG_ID_CURRENT_SITE', 1); define('FORCE_SSL_ADMIN', true ); define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 # Local SMTP relay
 #COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
 #SMTP_HOST="postfix_relay_app"
 #MAIL_FROM="wordpress@example.com"
 # Remote SMTP relay
 #COMPOSE_FILE="compose.yml:compose.mailrelay.yml:compose.smtp.yml"
 #SMTP_HOST="mail.example.com"
 #MAIL_FROM="wordpress@example.com"
 #SMTP_PORT=587
 #SMTP_AUTH=on
 #SMTP_TLS=on
 #SECRET_SMTP_PASSWORD_VERSION=v1
--- a/.envrc.sample
+++ b/.envrc.sample
@ -0,0 +1,28 @@
 export DOMAIN=wordpress.example.com
 export STACK_NAME=wordpress
 export LETS_ENCRYPT_ENV=production
 export DB_ROOT_PASSWORD_VERSION=v1
 export DB_PASSWORD_VERSION=v1
 # Multisite
 #export WORDPRESS_CONFIG_EXTRA="\
 #	define('WP_CACHE', false);\
 #	define('WP_ALLOW_MULTISITE', true );"
 # Multisite phase 2 (see README)
 #export WORDPRESS_CONFIG_EXTRA="\
 #	define('WP_CACHE', false);\
 #	define('WP_ALLOW_MULTISITE', true );\
 #	define('MULTISITE', true);\
 #	define('SUBDOMAIN_INSTALL', true);\
 #	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
 #	define('PATH_CURRENT_SITE', '/');\
 #	define('SITE_ID_CURRENT_SITE', 1);\
 #	define('BLOG_ID_CURRENT_SITE', 1);\
 #	define('FORCE_SSL_ADMIN', true );\
 #	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 # Backups
 #export COMPOSE_FILE="compose.yml:compose.backup.yml"
--- a/README.md
+++ b/README.md
@ -1,72 +1,49 @@
-# Wordpress
+# wordpress
 [![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/wordpress/status.svg)](https://drone.autonomic.zone/coop-cloud/wordpress)
 Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 <!-- metadata -->
 * **Category**: Apps
 * **Status**: 3, stable
 * **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: 3
 * **Tests**: 2
 * **SSO**: No
 <!-- endmetadata -->
 ## Basic usage
 1. Set up Docker Swarm and [`abra`][abra]
-2. Deploy [`coop-cloud/traefik`][cc-traefik]
+2. Deploy [`compose-stacks/traefik`][compose-traefik]
-3. `abra app new wordpress --secrets` (optionally with `--pass` if you'd like
+3. `cp .envrc.sample .envrc`
-   to save secrets in `pass`)
+4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
 4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
   your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
+5. `direnv allow` (or `. .envrc`)
-6. Open the configured domain in your browser to finish set-up
+6. Generate secrets:
-7. `abra app YOURAPPDOMAIN run app chown www-data:www-data /var/www/html/wp-content` to fix
+   ```
   abra secret_generate db_password v1
   abra secret_generate db_root_password v1
   ```
 7. `abra deploy`
 8. Open the configured domain in your browser to finish set-up
 9. `abra run wordpress chown www-data:www-data /var/www/html/wp-content` to fix
   file permissions (see #3)
 ## Running WP-CLI
 `abra app cmd YOURAPPDOMAIN app wp -- core check-update --major`
 ## Network (Multi-site)
 _(Only tested using subdomains)_
 1. Set up as above
-2. `abra app YOURAPPDOMAIN config`, and uncomment the first `# Multisite` section
+2. Uncomment the first `# Multisite` section in `.envrc`
-3. `abra app YOURAPPDOMAIN deploy`
+3. `direnv allow` (or re-run `source .envrc`)
-4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
+4. `abra deploy`
-5. Don't worry about the suggested file changes
+5. Log into the Wordpress admin dashboard, go to Tools » Network Setup
-6. `abra app YOURAPPDOMAIN config` again - comment out the first `# Multisite`
+6. Don't worry about the suggested file changes
-   section in `.envrc`, uncomment the `# Multisite phase 2` section, and add
+7. Comment out the first `# Multisite` section in `.envrc` and uncomment the
-   your multisite subdomain(s) to `EXTRA_DOMAINS` (beware the weird syntax..)
+   `# Multisite phase 2` section
-7. `abra app YOURAPPDOMAIN deploy`
+8. `direnv allow` (or re-run `source .envrc`)
 9. `abra deploy`
 10. FIXME setting up SSL / routing
 ## Installing a custom theme
-`abra app YOURAPPDOMAIN cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+`abra cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
 ## Email
 There is a local or remote SMTP relay configuration available.
 * **local**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml`
 * **remote**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml:compose.smtp.yml`
 Below are the instructions for the local relay.
 1. Deploy [`postfix-relay`][cc-postfix-relay]
 2. `abra app YOURAPPDOMAIN config`, and uncomment the email lines; change
   `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s
   `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
 3. `abra app YOURAPPDOMAIN deploy`
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
-[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik
+
 ## Backups
 1. Edit `.envrc` and uncomment the `export COMPOSE_FILE="compose.yml:compose.backup.yml"` line
 2. `direnv allow`
 3. `abra deploy`
--- a/abra.sh
+++ b/abra.sh
@ -1,86 +0,0 @@
 export PHP_UPLOADS_CONF_VERSION=v3
 export ENTRYPOINT_CONF_VERSION=v3
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v3
 wp() {
  /usr/local/bin/wp $@
 }
 fix_mysql() {
  echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
 }
 sub_wp() {
  CONTAINER=$(docker container ls -f "Name=${STACK_NAME}_app" --format '{{ .ID }}')
  if [ -z "$CONTAINER" ]; then
    error "Can't find a container for ${STACK_NAME}_app"
    exit
  fi
  debug "Using Container ID ${CONTAINER}"
  # FIXME 3wc: we're fighting the Wordpress image, which recommends a named
  # volume for /var/www/html -- this used to work fine using --volumes-from
  # because the actual MySQL password was inserted into the generated
  # wp-config.php -- but as of Wordpress 5.7.0, wp-config loads data straight
  # from the environment, which requires Docker secrets to work, which only work
  # in swarm services (not one-off `docker run` commands). Defining a `cli`
  # service in compose.yml almost works, but there's no volumes_from: in Compose
  # V3, and without it then the `cli` service can't access Wordpress core.
  # See https://git.autonomic.zone/coop-cloud/wordpress/issues/21
  warning "Slowly looking up MySQL password..."
  silence
  abra__service_="app"
  DB_PASSWORD="$(sub_app_run cat "/run/secrets/db_password")"
  unsilence
  # shellcheck disable=SC2154,SC2086
  docker run -it \
 	--volumes-from "$CONTAINER" \
 	--network "container:$CONTAINER" \
 	-u xfs:xfs \
    -e WORDPRESS_DB_HOST=db \
    -e WORDPRESS_DB_USER=wordpress \
    -e WORDPRESS_DB_PASSWORD="${DB_PASSWORD}" \
    -e WORDPRESS_DB_NAME=wordpress \
    -e WORDPRESS_CONFIG_EXTRA="${WORDPRESS_CONFIG_EXTRA}" \
 	wordpress:cli wp ${abra__args_[*]}
 }
 abra_backup_app() {
  _abra_backup_dir "app:/var/www/html/wp-content"
 }
 abra_backup_db() {
  _abra_backup_mysql "db" "wordpress"
 }
 abra_backup() {
  abra_backup_app && abra_backup_db
 }
 abra_restore_app() {
  # shellcheck disable=SC2034
  {
 	abra__src_="-"
 	abra__dst_="app:/var/www/html/"
  }
  zcat "$@" | sub_app_cp
  success "Restored 'app'"
 }
 abra_restore_db() {
  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
  # got this far..
  # shellcheck disable=SC2034
  abra___no_tty="true"
  DB_ROOT_PASSWORD=$(sub_app_run cat /run/secrets/db_root_password)
  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
  success "Restored 'db'"
 }
--- a/borgmatic.yml
+++ b/borgmatic.yml
@ -0,0 +1,36 @@
 location:
  source_directories:
    - /var/www/html/wp-content
  repositories:
    - {{ env "BORGBASE_REPO" }}
 storage:
  compression: auto,zstd
  encryption_passphrase: {{ secret "backup_bot_password" }}
  archive_name_format: "{hostname}-{now}"
  ssh_command: "ssh -o 'StrictHostKeyChecking no' -i /run/secrets/backup_bot_ssh_key"
 retention:
  keep_daily: 3
  keep_weekly: 4
  keep_monthly: 12
  keep_yearly: 2
  prefix: "{hostname}-"
 consistency:
  checks:
    - disabled
  check_last: 3
  prefix: "{hostname}-"
 hooks:
  before_backup:
    - echo "`date` - Starting backup"
  after_backup:
    - echo "`date` - Finished backup"
  mysql_databases:
    - name: {{ env "DB_TABLE" }}
      hostname: {{ env "DB_HOST" }}
      port: 3306
      username: {{ env "DB_USER" }}
      password: {{ secret "db_password" }}
--- a/compose.backup.yml
+++ b/compose.backup.yml
@ -0,0 +1,47 @@
 ---
 version: "3.8"
 services:
  backupbot:
    image: "decentral1se/backup-bot:0.0.1"
    networks:
      - backend
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    secrets:
      - source: backup_bot_ssh_key
        mode: 0400
      - backup_bot_password
      - db_password
    configs:
      - source: borgmatic_config_yml
        target: /etc/borgmatic/config.yaml
    environment:
      - BORGBASE_REPO="g067e243@g067e243.repo.borgbase.com:repo"
      - DB_HOST=mariadb
      - DB_TABLE=wordpress
      - DB_USER=wordpress
    deploy:
      mode: replicated
      replicas: 0
      labels:
        - "swarm.cronjob.enable=true"
        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
      restart_policy:
        condition: none
    networks:
      - backend
 configs:
  borgmatic_config_yml:
    name: borgmatic_config_yml_v7
    file: borgmatic.yml
    template_driver: golang
 secrets:
  backup_bot_ssh_key:
    name: backup_bot_ssh_key_v1
    external: true
  backup_bot_password:
    name: backup_bot_password_v1
    external: true
--- a/compose.mailrelay.yml
+++ b/compose.mailrelay.yml
@ -1,26 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    entrypoint: /docker-entrypoint.mailrelay.sh
    environment:
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_PORT=${SMTP_PORT:-25}
      - MAIL_FROM=${MAIL_FROM}
    configs:
      - source: mstmp_conf
        target: /etc/msmtprc
      - source: entrypoint_mailrelay_conf
        target: /docker-entrypoint.mailrelay.sh
        mode: 0555
 configs:
  mstmp_conf:
    name: ${STACK_NAME}_mstmp_conf_${MSMTP_CONF_VERSION}
    file: msmtp.conf.tmpl
    template_driver: golang
  entrypoint_mailrelay_conf:
    name: ${STACK_NAME}_entrypoint_mailrelay_${ENTRYPOINT_MAILRELAY_CONF_VERSION}
    file: entrypoint.mailrelay.sh.tmpl
    template_driver: golang
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@ -1,18 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    secrets:
      - smtp_password
    environment:
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_PORT=${SMTP_PORT:-25}
      - SMTP_AUTH=${SMTP_AUTH}
      - SMTP_TLS=${SMTP_TLS}
      - MAIL_FROM=${MAIL_FROM}
 secrets:
  smtp_password:
    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
    external: true
--- a/compose.yml
+++ b/compose.yml
@ -2,39 +2,21 @@
 version: "3.8"
 services:
-  app:
+  wordpress:
-    image: "wordpress:6.1.1"
+    image: "wordpress:5.5.1"
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    networks:
      - backend
      - proxy
    environment:
-      - PAGER=more
+      - WORDPRESS_DB_HOST=mariadb
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
      - WORDPRESS_DB_NAME=wordpress
      - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
      - WORDPRESS_TABLE_PREFIX
      - PHP_EXTENSIONS
    secrets:
      - db_password
    configs:
      - source: php_uploads_conf
        target: /usr/local/etc/php/conf.d/uploads.ini
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
    entrypoint: /docker-entrypoint.sh
    depends_on:
      - db
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    deploy:
      update_config:
        failure_action: rollback
@ -44,18 +26,15 @@ services:
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.${STACK_NAME}.tls=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`ch.${DOMAIN}`, `${DOMAIN}`)"
        # 3wc: this rule works for routing, but not for generating certificates
-        # see https://git.autonomic.zone/coop-cloud/planning/issues/14
+        # see https://git.autonomic.zone/compose-stacks/planning/issues/14
        #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "coop-cloud.${STACK_NAME}.version=2.1.0+6.1.1"
        - "backupbot.backup=true"
        - "backupbot.backup.path=/var/www/html"
-  db:
+  mariadb:
-    image: "mariadb:10.8"
+    image: "mariadb:10.5"
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
@ -68,15 +47,10 @@ services:
    secrets:
      - db_password
      - db_root_password
    deploy:
      labels:
        backupbot.backup: "true"
        backupbot.backup.path: "/tmp/dump.sql.gz"
        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
        backupbot.backup.pre-hook: "sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /tmp/dump.sql.gz'"
 networks:
  backend:
    driver: overlay
  proxy:
    external: true
@ -84,19 +58,11 @@ volumes:
  mariadb:
  wordpress_content:
 secrets:
  db_root_password:
    external: true
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
  db_password:
    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${DB_ROOT_PASSWORD_VERSION}
 configs:
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
  php_uploads_conf:
    name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
    file: uploads.ini
--- a/entrypoint.mailrelay.sh.tmpl
+++ b/entrypoint.mailrelay.sh.tmpl
@ -1,7 +0,0 @@
 #!/bin/bash
 apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y msmtp && rm -rf /var/lib/apt/lists/*
 echo "sendmail_path = /usr/bin/msmtp -t -i" > /usr/local/etc/php/conf.d/sendmail.ini
 /docker-entrypoint.sh
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -1,16 +0,0 @@
 #!/bin/bash
 {{ if (env "PHP_EXTENSIONS") }}
 docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
 {{ end }}
 curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 chmod +x /usr/local/bin/wp
 if [ -n "$@" ]; then
 	"$@"
 fi
 # Upstream ENTRYPOINT
 # https://github.com/docker-library/wordpress/blob/master/php7.4/apache/Dockerfile#L120
 /usr/local/bin/docker-entrypoint.sh apache2-foreground
--- a/msmtp.conf.tmpl
+++ b/msmtp.conf.tmpl
@ -1,15 +0,0 @@
 account default
 host {{ env "SMTP_HOST" }}
 from {{ env "MAIL_FROM" }}
 user {{ env "MAIL_FROM" }}
 port {{ env "SMTP_PORT" }}
 {{ if eq (env "SMTP_AUTH") "on" }}
 auth {{ env "SMTP_AUTH" }}
 passwordeval "cat /run/secrets/smtp_password"
 {{ end }}
 {{ if eq (env "SMTP_TLS") "on" }}
 tls {{ env "SMTP_TLS" }}
 tls_trust_file /etc/ssl/certs/ca-certificates.crt
 {{ end }}
--- a/uploads.ini
+++ b/uploads.ini
@ -1,3 +0,0 @@
 file_uploads = On
 upload_max_filesize = 256M
 post_max_size = 256M
Author	SHA1	Message	Date
3wc	278cf74b5f	Run Drone on master branch	2020-09-25 02:31:25 +02:00
3wc	308b7e4811	Add .drone.yml	2020-09-25 02:26:38 +02:00