Commented out broken deploy (server spun down)

Reviewed-on: #57

.drone.yml

@@ -1,30 +1,30 @@
----
+# ---
-kind: pipeline
+# kind: pipeline
-name: deploy to swarm-test.autonomic.zone
+# name: deploy to swarm-test.autonomic.zone
-steps:
+# steps:
-  - name: deployment
+#   - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+#     image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-    settings:
+#     settings:
-      host: swarm-test.autonomic.zone
+#       host: swarm-test.autonomic.zone
-      stack: wordpress
+#       stack: wordpress
-      generate_secrets: true
+#       generate_secrets: true
-      purge: true
+#       purge: true
-      deploy_key:
+#       deploy_key:
-        from_secret: drone_ssh_swarm_test
+#         from_secret: drone_ssh_swarm_test
-      networks:
+#       networks:
-        - proxy
+#         - proxy
-    environment:
+#     environment:
-      DOMAIN: wordpress.swarm-test.autonomic.zone
+#       DOMAIN: wordpress.swarm-test.autonomic.zone
-      STACK_NAME: wordpress
+#       STACK_NAME: wordpress
-      LETS_ENCRYPT_ENV: production
+#       LETS_ENCRYPT_ENV: production
-      SECRET_DB_PASSWORD_VERSION: v1
+#       SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_DB_ROOT_PASSWORD_VERSION: v1
+#       SECRET_DB_ROOT_PASSWORD_VERSION: v1
-      PHP_UPLOADS_CONF_VERSION: v1
+#       PHP_UPLOADS_CONF_VERSION: v1
-      ENTRYPOINT_CONF_VERSION: v1
+#       ENTRYPOINT_CONF_VERSION: v1
-      HTACCESS_CONF_VERSION: v1
+#       HTACCESS_CONF_VERSION: v1
-trigger:
+# trigger:
-  branch:
+#   branch:
-    - main
+#     - main
 ---
 kind: pipeline
 name: generate recipe catalogue

.env.sample

@@ -28,6 +28,9 @@ LETS_ENCRYPT_ENV=production
 # PHP composer for plugin installation
 #COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
 
+# Self managed Wordpress for automatic updates
+#COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
+
 #WORDPRESS_DEBUG=true
 
 ## Additional extensions
@@ -81,7 +84,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
 
-
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1
@@ -92,6 +94,3 @@ SECRET_DB_PASSWORD_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"
-
-# Anubis
-#COMPOSE_FILE="$COMPOSE_FILE:compose.anubis.yml"

README.md

@@ -77,9 +77,3 @@ Below are the instructions for the local relay.
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
 [cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik
-
-## Protect Wordpress from scrapers with Anubis
-
-Uncomment the Anubis compose file from the `.env` file and re-deploy the
-app.  Don't forget to actually [enable Anubis on the Traefik app
-too](https://recipes.coopcloud.tech/traefik)!

abra.sh

@@ -1,8 +1,8 @@
 export PHP_UPLOADS_CONF_VERSION=v4
-export ENTRYPOINT_CONF_VERSION=v7
+export ENTRYPOINT_CONF_VERSION=v9
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
-export HTACCESS_CONF_VERSION=v2
+export HTACCESS_CONF_VERSION=v3
 export USERS_CONF_VERSION=v1
 
 wp() {
@@ -31,8 +31,6 @@ core_install(){
     wp "language core install $LOCALE"
     wp "site switch-language $LOCALE"
     wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
-    wp "plugin install --activate disable-update-notifications"
-    wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
     if [ -n "$DEFAULT_USER_ROLE" ]
     then
         wp "option set default_role $DEFAULT_USER_ROLE"
@@ -40,7 +38,20 @@ core_install(){
         wp "option set default_role subscriber"
     fi
     wp "theme auto-updates enable --all"
-    wp 'plugin auto-updates enable --all' || exit 0
+    wp 'plugin auto-updates enable --all' || true
+}
+
+enable_auto_updates(){
+  wp "plugin deactivate disable-update-notifications --allow-root"
+  wp "plugin uninstall disable-update-notifications --allow-root"
+  wp "option delete disable_notification_setting --allow-root"
+  wp "plugin auto-updates enable --all --allow-root"
+  wp "theme auto-updates enable --all --allow-root"
+}
+
+disable_auto_updates(){
+  wp "plugin install --activate disable-update-notifications"
+  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
 }
 
 set_authentik(){

compose.anubis.yml

@@ -1,7 +0,0 @@
----
-version: "3.8"
-services:
-  app:
-    deploy:
-      labels:
-      - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirectscheme,${STACK_NAME}-redirecthostname,anubis"

compose.selfmanaged.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: "wordpress:7.0.0"
+    volumes:
+      - "wordpress:/var/www/html/"
+    environment:
+      WORDPRESS_CONFIG_EXTRA: |
+        define( 'AUTOMATIC_UPDATER_DISABLED', false );
+        define( 'WP_AUTO_UPDATE_CORE', true );
+        define( 'FS_METHOD', 'direct' );
+        ${WORDPRESS_CONFIG_EXTRA}
+
+  ftp:
+    volumes:
+      - "wordpress:/home/ftp_user/"
+
+volumes:
+  wordpress:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:6.9.4"
+    image: "wordpress:7.0.0"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
@@ -62,10 +62,10 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-        - "coop-cloud.${STACK_NAME}.version=2.19.1+6.9.4"
+        - "coop-cloud.${STACK_NAME}.version=3.0.0+7.0.0"
 
   db:
-    image: "mariadb:12.2"
+    image: "mariadb:12.3"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:

entrypoint.sh.tmpl

@@ -42,6 +42,20 @@ define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}
 
+
+UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
+if [ ! -f "$UPLOADS_HTACCESS" ]; then
+    mkdir -p /var/www/html/wp-content/uploads
+    cat > "$UPLOADS_HTACCESS" <<'EOF'
+# Prevent PHP execution in uploads directory
+<FilesMatch "\.(?i:php|phtml|phar)$">
+    Require all denied
+</FilesMatch>
+EOF
+fi
+
+chown -R www-data:www-data /var/www/html/wp-content/uploads/
+
 if [ -n "$@" ]; then
 	"$@"
 fi

htaccess.tmpl

@@ -1,3 +1,8 @@
+# Protect sensitive files from direct access
+<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
+    Require all denied
+</FilesMatch>
+
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress
 

release/3.0.0+7.0.0

@@ -0,0 +1,6 @@
+- WordPress upgraded from 6.9.4 to 7.0 (major! test before deploying)
+- MariaDB upgraded from 10.x to 11.4 (major! SSL now enabled by default)
+- ENTRYPOINT_CONF_VERSION bumped to v9
+- Breaking: MariaDB 11.4 enables SSL by default — if clients don't support SSL, add --disable-ssl to db command
+- Breaking: WordPress 7.0 introduces new AI features and admin theme changes
+- Backup database and files before upgrading