restricts ownership changes to files still owned by root (e.g., from the image build). On subsequent restarts, files already owned by www-data are skipped entirely, avoiding a full recursive write cycle.

Reviewed-on: #57

.drone.yml

@@ -37,7 +37,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,7 +1,8 @@
 TYPE=wordpress
-TIMEOUT=300
+#TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 COMPOSE_FILE="compose.yml"
+ENABLE_BACKUPS=true
 
 DOMAIN=wordpress.example.com
 ## Domain aliases
@@ -27,6 +28,9 @@ LETS_ENCRYPT_ENV=production
 # PHP composer for plugin installation
 #COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
 
+# Self managed Wordpress for automatic updates
+#COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
+
 #WORDPRESS_DEBUG=true
 
 ## Additional extensions
@@ -41,6 +45,10 @@ SECRET_DB_PASSWORD_VERSION=v1
 # Multisite (see README)
 #MULTISITE=enable # either 'enable', 'subdomain' or 'subfolder'
 
+# File upload settings
+#UPLOAD_MAX_SIZE=256M
+#UPLOAD_MAX_TIME=30
+
 # Local SMTP relay
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
 #SMTP_HOST="postfix_relay_app"
@@ -64,6 +72,10 @@ SECRET_DB_PASSWORD_VERSION=v1
 #SECRET_AUTHENTIK_ID_VERSION=v1
 #LOGIN_TYPE='auto'
 
+# Matrix .well-known redirect
+#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
+#MATRIX_DOMAIN=matrix.example.com
+
 # Allow remote connections to db
 # 🚩🚩 dangerous, use only for development sites!
 #COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
@@ -72,8 +84,13 @@ SECRET_DB_PASSWORD_VERSION=v1
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
 
-
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1
-#USERS_CONF_VERSION=v1
+# You can use a Port between 2220-2225
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2220.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2221.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"

.gitignore

@@ -1 +1,22 @@
+# direnv
 /.envrc
+
+# Environment files (may contain secrets)
+.env
+
+# Logs
+*.log
+
+# OS metadata
+.DS_Store
+Thumbs.db
+
+# Editor/IDE
+*.swp
+*.swo
+*~
+*.bak
+.idea/
+.vscode/
+.project
+.classpath

abra.sh

@@ -1,8 +1,9 @@
-export PHP_UPLOADS_CONF_VERSION=v3
-export ENTRYPOINT_CONF_VERSION=v7
+export PHP_UPLOADS_CONF_VERSION=v4
+export ENTRYPOINT_CONF_VERSION=v8
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
-export HTACCESS_CONF_VERSION=v2
+export HTACCESS_CONF_VERSION=v3
+export USERS_CONF_VERSION=v1
 
 wp() {
     su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
@@ -30,8 +31,6 @@ core_install(){
     wp "language core install $LOCALE"
     wp "site switch-language $LOCALE"
     wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
-    wp "plugin install --activate disable-update-notifications"
-    wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
     if [ -n "$DEFAULT_USER_ROLE" ]
     then
         wp "option set default_role $DEFAULT_USER_ROLE"
@@ -39,7 +38,20 @@ core_install(){
         wp "option set default_role subscriber"
     fi
     wp "theme auto-updates enable --all"
-    wp 'plugin auto-updates enable --all' || exit 0
+    wp 'plugin auto-updates enable --all' || true
+}
+
+enable_auto_updates(){
+  wp "plugin deactivate disable-update-notifications --allow-root"
+  wp "plugin uninstall disable-update-notifications --allow-root"
+  wp "option delete disable_notification_setting --allow-root"
+  wp "plugin auto-updates enable --all --allow-root"
+  wp "theme auto-updates enable --all --allow-root"
+}
+
+disable_auto_updates(){
+  wp "plugin install --activate disable-update-notifications"
+  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
 }
 
 set_authentik(){
@@ -62,6 +74,8 @@ set_authentik(){
         \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
         \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
         \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
+        \"endpoint_jwks\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/jwks/\",
+        \"issuer\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/\",
         \"acr_values\":\"\",
         \"identity_key\":\"preferred_username\",
         \"no_sslverify\":\"0\",

alaconnect.yml

@@ -10,3 +10,7 @@ authentik:
     shared_secrets:
         wordpress_secret: authentik_secret
         wordpress_id: authentik_id
+matrix:
+    uncomment:
+        - compose.matrix.yml
+        - MATRIX_DOMAIN

compose.ftp-2220.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2220:22

compose.ftp-2221.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2221:22

compose.ftp-2222.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2222:22

compose.ftp-2223.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2223:22

compose.ftp-2224.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2224:22

compose.ftp-2225.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2220:22

compose.ftp.yml

@@ -3,11 +3,9 @@ version: "3.8"
 
 services:
   ftp:
-    image: atmoz/sftp
+    image: atmoz/sftp:alpine
     secrets:
       - ftp_pass
-    ports:
-        - 2222:22
     volumes:
       - "wordpress_content:/home/ftp_user/wp-content"
     configs:

compose.matrix.yml

@@ -0,0 +1,10 @@
+---
+version: "3.8"
+
+services:
+  app:
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"

compose.selfmanaged.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: "wordpress:latest"
+    volumes:
+      - "wordpress:/var/www/html/"
+    environment:
+      WORDPRESS_CONFIG_EXTRA: |
+        define( 'AUTOMATIC_UPDATER_DISABLED', false );
+        define( 'WP_AUTO_UPDATE_CORE', true );
+        define( 'FS_METHOD', 'direct' );
+        ${WORDPRESS_CONFIG_EXTRA}
+
+  ftp:
+    volumes:
+      - "wordpress:/home/ftp_user/"
+
+volumes:
+  wordpress:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:6.6.1"
+    image: "wordpress:6.9.4"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
@@ -48,7 +48,7 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.routers.${STACK_NAME}.tls=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
@@ -61,13 +61,11 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/var/www/html"
-        - "coop-cloud.${STACK_NAME}.version=2.12.0+6.6.1"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
+        - "coop-cloud.${STACK_NAME}.version=2.19.2+6.9.4"
 
   db:
-    image: "mariadb:11.4"
+    image: "mariadb:12.2"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -82,12 +80,10 @@ services:
       - db_root_password
     deploy:
       labels:
-        backupbot.backup: "true"
-        backupbot.backup.pre-hook: "sh -c 'mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz'"
-        backupbot.backup.path: "/var/lib/mysql/dump.sql.gz"
-        backupbot.backup.post-hook: "rm -f /var/lib/mysql/dump.sql.gz"
-        backupbot.restore: "true"
-        backupbot.restore.post-hook: "sh -c 'gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql'"
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz"
+        backupbot.backup.volumes.mariadb.path: "dump.sql.gz"
+        backupbot.restore.post-hook: "gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql"
 
 networks:
   backend:
@@ -113,7 +109,8 @@ configs:
     template_driver: golang
   php_uploads_conf:
     name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
-    file: uploads.ini
+    file: uploads.ini.tmpl
+    template_driver: golang
   htaccess_conf:
     name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
     file: htaccess.tmpl

entrypoint.sh.tmpl

@@ -42,6 +42,20 @@ define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}
 
+
+UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
+if [ ! -f "$UPLOADS_HTACCESS" ]; then
+    mkdir -p /var/www/html/wp-content/uploads
+    cat > "$UPLOADS_HTACCESS" <<'EOF'
+# Prevent PHP execution in uploads directory
+<FilesMatch "\.(?i:php|phtml|phar)$">
+    Require all denied
+</FilesMatch>
+EOF
+fi
+
+chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
+
 if [ -n "$@" ]; then
 	"$@"
 fi

htaccess.tmpl

@@ -1,3 +1,8 @@
+# Protect sensitive files from direct access
+<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
+    Require all denied
+</FilesMatch>
+
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress
 

release/2.13.2+6.7.1

@@ -0,0 +1 @@
+Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.

release/2.17.1+6.9.0

@@ -0,0 +1 @@
+Breaking change for openid plugin: The issuer must be provided, thus the set_authentik function now includes issuer and endpoint_jwks.

renovate.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:recommended"
   ]
 }

uploads.ini

@@ -1,3 +0,0 @@
-file_uploads = On
-upload_max_filesize = 256M
-post_max_size = 256M

uploads.ini.tmpl

@@ -0,0 +1,11 @@
+{{ $upload_max_size := "256M" }}
+{{ if ne (env "UPLOAD_MAX_SIZE") "" }} {{ $upload_max_size = env "UPLOAD_MAX_SIZE" }} {{ end }}
+{{ $upload_max_time := "30" }}
+{{ if ne (env "UPLOAD_MAX_TIME") "" }} {{ $upload_max_time = env "UPLOAD_MAX_TIME" }} {{ end }}
+
+file_uploads = On
+upload_max_filesize =  {{ $upload_max_size }}
+post_max_size = {{ $upload_max_size }}
+memory_limit = {{ $upload_max_size }}
+max_execution_time = {{ $upload_max_time }}
+max_input_time = {{ $upload_max_time }}