WIP: optional SSH connection

.drone.yml

@@ -3,7 +3,7 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: wordpress
@@ -11,8 +11,6 @@ steps:
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
-      networks:
-        - proxy
     environment:
       DOMAIN: wordpress.swarm-test.autonomic.zone
       STACK_NAME: wordpress
@@ -26,17 +24,11 @@ trigger:
     - master
 ---
 kind: pipeline
-name: generate recipe catalogue
+name: recipe release
 steps:
   - name: release a new version
-    image: plugins/downstream
+    image: thecoopcloud/drone-abra:latest
     settings:
-      server: https://build.coopcloud.tech
+      command: recipe wordpress release
-      token:
+      deploy_key:
-        from_secret: drone_abra-bot_token
+        from_secret: abra_bot_deploy_key
-      fork: true
-      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -1,24 +1,12 @@
 TYPE=wordpress
-TIMEOUT=300
-ENABLE_AUTO_UPDATE=true
-COMPOSE_FILE="compose.yml"
-
-# Setup Wordpress settings on each deploy:
-#POST_DEPLOY_CMDS="app core_install"
 
 DOMAIN=wordpress.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress.example.com`'
 LETS_ENCRYPT_ENV=production
 
-TITLE="My Example Blog"
+# Necessary for optional features, leave this alone:
-LOCALE="en_US" # de_DE
+COMPOSE_FILE="compose.yml"
-ADMIN_EMAIL=admin@example.com
-
-# Every new user is per default subscriber, uncomment to change it
-#DEFAULT_USER_ROLE=administrator
-
-#WORDPRESS_DEBUG=true
 
 ## Additional extensions
 #PHP_EXTENSIONS="calendar"
@@ -26,8 +14,9 @@ ADMIN_EMAIL=admin@example.com
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 
-# Mostly for compatibility with existing database dumps...
+# SSH access
-#WORDPRESS_TABLE_PREFIX=wp_
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ssh.yml"
+#SSH_PUBLIC_KEY=<your pubkey here>
 
 # Multisite
 #WORDPRESS_CONFIG_EXTRA="\
@@ -35,7 +24,17 @@ SECRET_DB_PASSWORD_VERSION=v1
 #	define('WP_ALLOW_MULTISITE', true );"
 
 # Multisite phase 2 (see README)
-# WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true); define('SUBDOMAIN_INSTALL', true); define('DOMAIN_CURRENT_SITE', '${DOMAIN}'); define('PATH_CURRENT_SITE', '/');	define('SITE_ID_CURRENT_SITE', 1); define('BLOG_ID_CURRENT_SITE', 1); define('FORCE_SSL_ADMIN', true ); define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
+#WORDPRESS_CONFIG_EXTRA="\
+#	define('WP_CACHE', false);\
+#	define('WP_ALLOW_MULTISITE', true );\
+#	define('MULTISITE', true);\
+#	define('SUBDOMAIN_INSTALL', true);\
+#	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
+#	define('PATH_CURRENT_SITE', '/');\
+#	define('SITE_ID_CURRENT_SITE', 1);\
+#	define('BLOG_ID_CURRENT_SITE', 1);\
+#	define('FORCE_SSL_ADMIN', true );\
+#	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 
 # Local SMTP relay
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
@@ -50,9 +49,3 @@ SECRET_DB_PASSWORD_VERSION=v1
 #SMTP_AUTH=on
 #SMTP_TLS=on
 #SECRET_SMTP_PASSWORD_VERSION=v1
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-# AUTHENTIK_DOMAIN=authentik.example.com
-# SECRET_AUTHENTIK_SECRET_VERSION=v1
-# SECRET_AUTHENTIK_ID_VERSION=v1
-# LOGIN_TYPE='auto'

README.md

@@ -1,6 +1,6 @@
 # Wordpress
 
-[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/wordpress/status.svg)](https://build.coopcloud.tech/coop-cloud/wordpress)
+[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/wordpress/status.svg)](https://drone.autonomic.zone/coop-cloud/wordpress)
 
 Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 
@@ -17,51 +17,43 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 
 <!-- endmetadata -->
 
+## Basic usage
 
-## Quick start
+1. Set up Docker Swarm and [`abra`][abra]
-
+2. Deploy [`coop-cloud/traefik`][cc-traefik]
-
+3. `abra app new wordpress --secrets` (optionally with `--pass` if you'd like
-* `abra app new wordpress`
+   to save secrets in `pass`)
-* `abra app config <app-name>`
+4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
-* `abra app secret generate -a <app-name>`
+   your Docker swarm box
-* `abra app deploy <app-name>`
+5. `abra app YOURAPPDOMAIN deploy`
-* `abra app cmd <app-name> app core_install`
+6. Open the configured domain in your browser to finish set-up
-
+7. `abra app YOURAPPDOMAIN run app chown www-data:www-data /var/www/html/wp-content` to fix
-### Authentik Integration
+   file permissions (see #3)
-
-
-`abra app config <app-name>` 
-Configure the following envs:
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-AUTHENTIK_DOMAIN=authentik.example.com
-AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
-AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
-```
-
-`abra app cmd <app-name> app set_authentik`
 
 ## Running WP-CLI
 
-`abra app cmd <app-name> app wp -- core check-update --major`
+`abra app YOURAPPDOMAIN wp 'core check-update --major'`
+
+(the WP-CLI arguments need to be quoted, because of how `abra` handles
+command-line arguments)
 
 ## Network (Multi-site)
 
 _(Only tested using subdomains)_
 
 1. Set up as above
-2. `abra app config <app-name>`, and uncomment the first `# Multisite` section
+2. `abra app YOURAPPDOMAIN config`, and uncomment the first `# Multisite` section
-3. `abra app deploy <app-name>`
+3. `abra app YOURAPPDOMAIN deploy`
 4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
 5. Don't worry about the suggested file changes
-6. `abra app config <app-name>` again - comment out the first `# Multisite`
+6. `abra app YOURAPPDOMAIN config` again - comment out the first `# Multisite`
    section in `.envrc`, uncomment the `# Multisite phase 2` section, and add
    your multisite subdomain(s) to `EXTRA_DOMAINS` (beware the weird syntax..)
-7. `abra app deploy <app-name>`
+7. `abra app YOURAPPDOMAIN deploy`
 
 ## Installing a custom theme
 
-`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+`abra app YOURAPPDOMAIN cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
 
 ## Email
 
@@ -73,10 +65,10 @@ There is a local or remote SMTP relay configuration available.
 Below are the instructions for the local relay.
 
 1. Deploy [`postfix-relay`][cc-postfix-relay]
-2. `abra app config <app-name>`, and uncomment the email lines; change
+2. `abra app YOURAPPDOMAIN config`, and uncomment the email lines; change
    `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s
    `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
-3. `abra app deploy <app-name>`
+3. `abra app YOURAPPDOMAIN deploy`
 
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik

abra.sh

@@ -1,81 +1,8 @@
 export PHP_UPLOADS_CONF_VERSION=v3
-export ENTRYPOINT_CONF_VERSION=v3
+export ENTRYPOINT_CONF_VERSION=v2
-export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
+export ENTRYPOINT_MAILRELAY_CONF_VERSION=v1
 export MSMTP_CONF_VERSION=v3
 
-wp() {
-    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
-}
-
-core_install(){
-    ADMIN=admin
-    if [ -n "$AUTHENTIK_DOMAIN" ]
-    then
-        ADMIN=akadmin
-    fi
-    chown www-data:www-data -R /var/www/html/wp-content
-    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email"
-    wp "language core install $LOCALE"
-    wp "site switch-language $LOCALE"
-    wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
-    wp "plugin install --activate disable-update-notifications"
-    wp 'option update dwcun_setting on' 
-    if [ -n "$DEFAULT_USER_ROLE" ]
-    then
-        wp "option set default_role $DEFAULT_USER_ROLE"
-    else
-        wp "option set default_role subscriber"
-    fi
-    wp 'plugin auto-updates enable --all' || exit 0
-}
-
-set_authentik(){
-    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
-    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
-    if [ -z $LOGIN_TYPE ]
-    then
-        LOGIN_TYPE='button'
-    fi
-    wp "user create akadmin admin@example.com --role=administrator"
-    wp "plugin install --activate daggerhart-openid-connect-generic"
-    wp "option update --format=json openid_connect_generic_settings '
-    {
-        \"login_type\":\"$LOGIN_TYPE\",
-        \"client_id\":\"$AUTHENTIK_ID\",
-        \"client_secret\":\"$AUTHENTIK_SECRET\",
-        \"scope\":\"email profile openid\",
-        \"endpoint_login\":\"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
-        \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
-        \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
-        \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
-        \"acr_values\":\"\",
-        \"identity_key\":\"preferred_username\",
-        \"no_sslverify\":\"0\",
-        \"http_request_timeout\":\"30\",
-        \"enforce_privacy\":\"0\",
-        \"alternate_redirect_uri\":\"1\",
-        \"nickname_key\":\"preferred_username\",
-        \"email_format\":\"{email}\",
-        \"displayname_format\":\"\",
-        \"identify_with_username\":\"1\",
-        \"state_time_limit\":\"\",
-        \"token_refresh_enable\":\"1\",
-        \"link_existing_users\":\"1\",
-        \"create_if_does_not_exist\":\"1\",
-        \"redirect_user_back\":\"0\",
-        \"redirect_on_logout\":\"1\",
-        \"enable_logging\":\"0\",
-        \"log_limit\":\"1000\"
-    }'"
-    wp "rewrite flush"
-    wp "cache flush"
-
-}
-
-fix_mysql() {
-  echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
-}
-
 sub_wp() {
   CONTAINER=$(docker container ls -f "Name=${STACK_NAME}_app" --format '{{ .ID }}')
   if [ -z "$CONTAINER" ]; then

compose.authentik.yml

@@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  app:
-    secrets:
-      - authentik_secret
-      - authentik_id
-
-secrets:
-  authentik_secret:
-    external: true
-    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
-  authentik_id:
-    external: true
-    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}

compose.mailrelay.yml

@@ -6,7 +6,6 @@ services:
     entrypoint: /docker-entrypoint.mailrelay.sh
     environment:
       - SMTP_HOST=${SMTP_HOST}
-      - SMTP_PORT=${SMTP_PORT:-25}
       - MAIL_FROM=${MAIL_FROM}
     configs:
       - source: mstmp_conf

compose.ssh.yml

@@ -0,0 +1,27 @@
+---
+version: "3.8"
+
+services:
+  ssh:
+    image: lscr.io/linuxserver/openssh-server
+    environment:
+      - PUID=33
+      - PGID=33
+      - PUBLIC_KEY=${SSH_PUBLIC_KEY}
+      - USER_NAME=wordpress
+      - PASSWORD_ACCESS=false
+    networks:
+      - proxy
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)"
+        - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=gitea-ssh"
+        - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=2222"
+
+networks:
+  proxy:
+    external: true

compose.yml

@@ -3,24 +3,19 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:6.3.0"
+    image: "wordpress:5.8.1"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
       - backend
       - proxy
     environment:
-      WORDPRESS_CONFIG_EXTRA: |
+      - WORDPRESS_DB_HOST=db
-            define( 'AUTOMATIC_UPDATER_DISABLED', false );
+      - WORDPRESS_DB_USER=wordpress
-            define( 'WP_AUTO_UPDATE_CORE', false );
+      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
-            ${WORDPRESS_CONFIG_EXTRA}
+      - WORDPRESS_DB_NAME=wordpress
-      PAGER: more
+      - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
-      WORDPRESS_DB_HOST: db
+      - PHP_EXTENSIONS
-      WORDPRESS_DB_USER: wordpress
-      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
-      WORDPRESS_DB_NAME: wordpress
-      WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
-      PHP_EXTENSIONS: ${PHP_EXTENSIONS}
     secrets:
       - db_password
     configs:
@@ -53,13 +48,10 @@ services:
         #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+5.8.1"
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/var/www/html"
-        - "coop-cloud.${STACK_NAME}.version=2.4.1+6.3.0"
 
   db:
-    image: "mariadb:11.0"
+    image: "mariadb:10.6"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -72,14 +64,6 @@ services:
     secrets:
       - db_password
       - db_root_password
-    deploy:
-      labels:
-        backupbot.backup: "true"
-        backupbot.backup.path: "/tmp/dump.sql.gz"
-        backupbot.backup.pre-hook: "sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /tmp/dump.sql.gz'"
-        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
-        backupbot.restore: "true"
-        backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /tmp/dbdump.sql && rm -f /tmp/dbdump.sql'"
 
 networks:
   backend:

entrypoint.mailrelay.sh.tmpl

@@ -3,5 +3,3 @@
 apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y msmtp && rm -rf /var/lib/apt/lists/*
 
 echo "sendmail_path = /usr/bin/msmtp -t -i" > /usr/local/etc/php/conf.d/sendmail.ini
-
-/docker-entrypoint.sh

entrypoint.sh.tmpl

@@ -4,9 +4,6 @@
 docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
 {{ end }}
 
-curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
-chmod +x /usr/local/bin/wp
-
 if [ -n "$@" ]; then
 	"$@"
 fi

release/next

@@ -1 +0,0 @@
-The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.