chore: publish 2.16.0+6.8.1 release

Co-authored-by: Steven Sting
Reviewed-on: #44
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>

.drone.yml

@@ -0,0 +1,43 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: wordpress
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: wordpress.swarm-test.autonomic.zone
+      STACK_NAME: wordpress
+      LETS_ENCRYPT_ENV: production
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_DB_ROOT_PASSWORD_VERSION: v1
+      PHP_UPLOADS_CONF_VERSION: v1
+      ENTRYPOINT_CONF_VERSION: v1
+      HTACCESS_CONF_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -0,0 +1,90 @@
+TYPE=wordpress
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
+COMPOSE_FILE="compose.yml"
+ENABLE_BACKUPS=true
+
+DOMAIN=wordpress.example.com
+## Domain aliases
+#EXTRA_DOMAINS=', `www.wordpress.example.com`'
+# Redirects
+# All redirect domains have to be added to EXTRA_DOMAINS as well)
+# multiple redirects can be added by seperating them with a | character
+#REDIRECTS=www.wordpress.example.com
+LETS_ENCRYPT_ENV=production
+
+# Setup Wordpress settings on each deploy:
+#POST_DEPLOY_CMDS="app core_install"
+
+# Optional settings, otherwise can be set in the installer
+# (Required for `app core_install`
+#TITLE="My Example Blog"
+#LOCALE="en_US" # de_DE
+#ADMIN_EMAIL=admin@example.com
+
+# Every new user is per default subscriber, uncomment to change it
+#DEFAULT_USER_ROLE=administrator
+
+# PHP composer for plugin installation
+#COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
+
+#WORDPRESS_DEBUG=true
+
+## Additional extensions
+#PHP_EXTENSIONS="calendar"
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+
+# Mostly for compatibility with existing database dumps...
+#WORDPRESS_TABLE_PREFIX=wp_
+
+# Multisite (see README)
+#MULTISITE=enable # either 'enable', 'subdomain' or 'subfolder'
+
+# File upload settings
+#UPLOAD_MAX_SIZE=256M
+#UPLOAD_MAX_TIME=30
+
+# Local SMTP relay
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
+#SMTP_HOST="postfix_relay_app"
+#MAIL_FROM="wordpress@example.com"
+
+# Remote SMTP relay
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml:compose.smtp.yml"
+#SMTP_HOST="mail.example.com"
+#MAIL_FROM="wordpress@example.com"
+#SMTP_USER="wordpress@example.com"  # optional, defaults to MAIL_FROM
+#SMTP_OVERRIDE_FROM=on  # force "From" to MAIL_FROM, usually necessary
+#SMTP_PORT=587
+#SMTP_AUTH=on
+#SMTP_TLS=on
+#SECRET_SMTP_PASSWORD_VERSION=v1
+
+# Authentik SSO
+#COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+#AUTHENTIK_DOMAIN=authentik.example.com
+#SECRET_AUTHENTIK_SECRET_VERSION=v1
+#SECRET_AUTHENTIK_ID_VERSION=v1
+#LOGIN_TYPE='auto'
+
+# Allow remote connections to db
+# 🚩🚩 dangerous, use only for development sites!
+#COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
+
+# Wide-open CORS
+# 🚩🚩 dangerous, use only for development sites!
+#CORS_ALLOW_ALL=1
+
+
+# FTP
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
+#SECRET_FTP_PASS_VERSION=v1
+# You can use a Port between 2220-2225
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2220.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2221.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"

.envrc.sample

@@ -1,28 +0,0 @@
-export DOMAIN=wordpress.example.com
-
-export STACK_NAME=wordpress
-export LETS_ENCRYPT_ENV=production
-
-export DB_ROOT_PASSWORD_VERSION=v1
-export DB_PASSWORD_VERSION=v1
-
-# Multisite
-#export WORDPRESS_CONFIG_EXTRA="\
-#	define('WP_CACHE', false);\
-#	define('WP_ALLOW_MULTISITE', true );"
-
-# Multisite phase 2 (see README)
-#export WORDPRESS_CONFIG_EXTRA="\
-#	define('WP_CACHE', false);\
-#	define('WP_ALLOW_MULTISITE', true );\
-#	define('MULTISITE', true);\
-#	define('SUBDOMAIN_INSTALL', true);\
-#	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
-#	define('PATH_CURRENT_SITE', '/');\
-#	define('SITE_ID_CURRENT_SITE', 1);\
-#	define('BLOG_ID_CURRENT_SITE', 1);\
-#	define('FORCE_SSL_ADMIN', true );\
-#	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
-
-# Backups
-#export COMPOSE_FILE="compose.yml:compose.backup.yml"

README.md

@@ -1,49 +1,79 @@
-# wordpress
+# Wordpress
+
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/wordpress/status.svg)](https://build.coopcloud.tech/coop-cloud/wordpress)
 
 Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 
-1. Set up Docker Swarm and [`abra`][abra]
-2. Deploy [`compose-stacks/traefik`][compose-traefik]
-3. `cp .envrc.sample .envrc`
-4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
-   your Docker swarm box
-5. `direnv allow` (or `. .envrc`)
-6. Generate secrets:
-   ```
-   abra secret_generate db_password v1
-   abra secret_generate db_root_password v1
-   ```
+<!-- metadata -->
 
-7. `abra deploy`
-8. Open the configured domain in your browser to finish set-up
-9. `abra run wordpress chown www-data:www-data /var/www/html/wp-content` to fix
-   file permissions (see #3)
+* **Category**: Apps
+* **Status**: 4
+* **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
+* **Healthcheck**: Yes
+* **Backups**: Yes
+* **Email**: 3
+* **Tests**: 2
+* **SSO**: No
+
+<!-- endmetadata -->
+
+
+## Quick start
+
+
+* `abra app new wordpress`
+* `abra app config <app-name>`
+* `abra app secret generate -a <app-name>`
+* `abra app deploy <app-name>`
+* `abra app cmd <app-name> app core_install`
+
+### Authentik Integration
+
+
+`abra app config <app-name>` 
+Configure the following envs:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+AUTHENTIK_DOMAIN=authentik.example.com
+AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
+AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
+```
+
+`abra app cmd <app-name> app set_authentik`
+
+## Running WP-CLI
+
+`abra app cmd <app-name> app wp -- core check-update --major`
 
 ## Network (Multi-site)
 
-_(Only tested using subdomains)_
-
 1. Set up as above
-2. Uncomment the first `# Multisite` section in `.envrc`
-3. `direnv allow` (or re-run `source .envrc`)
-4. `abra deploy`
-5. Log into the Wordpress admin dashboard, go to Tools » Network Setup
-6. Don't worry about the suggested file changes
-7. Comment out the first `# Multisite` section in `.envrc` and uncomment the
-   `# Multisite phase 2` section
-8. `direnv allow` (or re-run `source .envrc`)
-9. `abra deploy`
-10. FIXME setting up SSL / routing
+2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+3. `abra app deploy <app-name>`
+4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
+5. Don't worry about the suggested file changes
+6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
+7. `abra app deploy <app-name>`
 
 ## Installing a custom theme
 
-`abra cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+
+## Email
+
+There is a local or remote SMTP relay configuration available.
+
+* **local**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml`
+* **remote**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml:compose.smtp.yml`
+
+Below are the instructions for the local relay.
+
+1. Deploy [`postfix-relay`][cc-postfix-relay]
+2. `abra app config <app-name>`, and uncomment the email lines; change
+   `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s
+   `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
+3. `abra app deploy <app-name>`
 
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
-
-## Backups
-
-1. Edit `.envrc` and uncomment the `export COMPOSE_FILE="compose.yml:compose.backup.yml"` line
-2. `direnv allow`
-3. `abra deploy`
+[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik

abra.sh

@@ -0,0 +1,96 @@
+export PHP_UPLOADS_CONF_VERSION=v4
+export ENTRYPOINT_CONF_VERSION=v7
+export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
+export MSMTP_CONF_VERSION=v4
+export HTACCESS_CONF_VERSION=v2
+export USERS_CONF_VERSION=v1
+
+wp() {
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
+}
+
+update() {
+    wp "core update-db"
+    wp "plugin update --all"
+    wp "plugin auto-updates enable --all"
+    wp "theme update --all"
+    wp "theme auto-updates enable --all"
+    wp "language core update"
+    wp "language plugin update --all"
+    wp "language theme update --all"
+}
+
+core_install(){
+    ADMIN=admin
+    if [ -n "$AUTHENTIK_DOMAIN" ]
+    then
+        ADMIN=akadmin
+    fi
+    chown www-data:www-data -R /var/www/html/wp-content
+    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email"
+    wp "language core install $LOCALE"
+    wp "site switch-language $LOCALE"
+    wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+    wp "plugin install --activate disable-update-notifications"
+    wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
+    if [ -n "$DEFAULT_USER_ROLE" ]
+    then
+        wp "option set default_role $DEFAULT_USER_ROLE"
+    else
+        wp "option set default_role subscriber"
+    fi
+    wp "theme auto-updates enable --all"
+    wp 'plugin auto-updates enable --all' || exit 0
+}
+
+set_authentik(){
+    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
+    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
+    if [ -z $LOGIN_TYPE ]
+    then
+        LOGIN_TYPE='button'
+    fi
+    wp "user create akadmin admin@example.com --role=administrator"
+    wp "plugin install --activate daggerhart-openid-connect-generic"
+    wp 'plugin auto-updates enable daggerhart-openid-connect-generic'
+    wp "option update --format=json openid_connect_generic_settings '
+    {
+        \"login_type\":\"$LOGIN_TYPE\",
+        \"client_id\":\"$AUTHENTIK_ID\",
+        \"client_secret\":\"$AUTHENTIK_SECRET\",
+        \"scope\":\"email profile openid\",
+        \"endpoint_login\":\"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
+        \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
+        \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
+        \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
+        \"acr_values\":\"\",
+        \"identity_key\":\"preferred_username\",
+        \"no_sslverify\":\"0\",
+        \"http_request_timeout\":\"30\",
+        \"enforce_privacy\":\"0\",
+        \"alternate_redirect_uri\":\"1\",
+        \"nickname_key\":\"preferred_username\",
+        \"email_format\":\"{email}\",
+        \"displayname_format\":\"\",
+        \"identify_with_username\":\"1\",
+        \"state_time_limit\":\"\",
+        \"token_refresh_enable\":\"1\",
+        \"link_existing_users\":\"1\",
+        \"create_if_does_not_exist\":\"1\",
+        \"redirect_user_back\":\"0\",
+        \"redirect_on_logout\":\"1\",
+        \"enable_logging\":\"0\",
+        \"log_limit\":\"1000\"
+    }'"
+    wp "rewrite flush"
+    wp "cache flush"
+
+}
+
+fix_mysql() {
+  echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
+}
+
+show_plugins() {
+  wp "plugin list --fields=name,status,wporg_status,version,update_version,auto_update,tested_up_to,wporg_last_updated"
+}

alaconnect.yml

@@ -0,0 +1,12 @@
+authentik:
+    uncomment:
+        - compose.authentik.yml
+        - AUTHENTIK_DOMAIN
+        - SECRET_AUTHENTIK_SECRET_VERSION
+        - SECRET_AUTHENTIK_ID_VERSION
+        - LOGIN_TYPE
+    inital-hooks:
+        - app set_authentik
+    shared_secrets:
+        wordpress_secret: authentik_secret
+        wordpress_id: authentik_id

borgmatic.yml

@@ -1,36 +0,0 @@
-location:
-  source_directories:
-    - /var/www/html/wp-content
-  repositories:
-    - {{ env "BORGBASE_REPO" }}
-
-storage:
-  compression: auto,zstd
-  encryption_passphrase: {{ secret "backup_bot_password" }}
-  archive_name_format: "{hostname}-{now}"
-  ssh_command: "ssh -o 'StrictHostKeyChecking no' -i /run/secrets/backup_bot_ssh_key"
-
-retention:
-  keep_daily: 3
-  keep_weekly: 4
-  keep_monthly: 12
-  keep_yearly: 2
-  prefix: "{hostname}-"
-
-consistency:
-  checks:
-    - disabled
-  check_last: 3
-  prefix: "{hostname}-"
-
-hooks:
-  before_backup:
-    - echo "`date` - Starting backup"
-  after_backup:
-    - echo "`date` - Finished backup"
-  mysql_databases:
-    - name: {{ env "DB_TABLE" }}
-      hostname: {{ env "DB_HOST" }}
-      port: 3306
-      username: {{ env "DB_USER" }}
-      password: {{ secret "db_password" }}

compose.authentik.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  app:
+    secrets:
+      - authentik_secret
+      - authentik_id
+
+secrets:
+  authentik_secret:
+    external: true
+    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
+  authentik_id:
+    external: true
+    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}

compose.backup.yml

@@ -1,47 +0,0 @@
----
-version: "3.8"
-
-services:
-  backupbot:
-    image: "decentral1se/backup-bot:0.0.1"
-    networks:
-      - backend
-    volumes:
-      - "wordpress_content:/var/www/html/wp-content/"
-    secrets:
-      - source: backup_bot_ssh_key
-        mode: 0400
-      - backup_bot_password
-      - db_password
-    configs:
-      - source: borgmatic_config_yml
-        target: /etc/borgmatic/config.yaml
-    environment:
-      - BORGBASE_REPO="g067e243@g067e243.repo.borgbase.com:repo"
-      - DB_HOST=mariadb
-      - DB_TABLE=wordpress
-      - DB_USER=wordpress
-    deploy:
-      mode: replicated
-      replicas: 0
-      labels:
-        - "swarm.cronjob.enable=true"
-        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
-      restart_policy:
-        condition: none
-    networks:
-      - backend
-
-configs:
-  borgmatic_config_yml:
-    name: borgmatic_config_yml_v7
-    file: borgmatic.yml
-    template_driver: golang
-
-secrets:
-  backup_bot_ssh_key:
-    name: backup_bot_ssh_key_v1
-    external: true
-  backup_bot_password:
-    name: backup_bot_password_v1
-    external: true

compose.composer.yml

@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - "composer:/var/www/html/composer"
+    environment:
+      - ENABLE_COMPOSER=1
+      - COMPOSER=composer/composer.json
+      - COMPOSER_VENDOR_DIR=composer/vendor
+
+volumes:
+  composer:

compose.ftp-2220.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2220:22

compose.ftp-2221.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2221:22

compose.ftp-2222.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2222:22

compose.ftp-2223.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2223:22

compose.ftp-2224.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2224:22

compose.ftp-2225.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2220:22

compose.ftp.yml

@@ -0,0 +1,24 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    image: atmoz/sftp
+    secrets:
+      - ftp_pass
+    volumes:
+      - "wordpress_content:/home/ftp_user/wp-content"
+    configs:
+      - source: users_conf
+        target: /etc/sftp/users.conf
+
+secrets:
+  ftp_pass:
+    name: ${STACK_NAME}_ftp_pass_${SECRET_FTP_PASS_VERSION}
+    external: true
+
+configs:
+  users_conf:
+    name: ${STACK_NAME}_users_conf_${USERS_CONF_VERSION}
+    file: users.conf.tmpl
+    template_driver: golang

compose.mailrelay.yml

@@ -0,0 +1,26 @@
+---
+version: "3.8"
+
+services:
+  app:
+    entrypoint: /docker-entrypoint.mailrelay.sh
+    environment:
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT:-25}
+      - MAIL_FROM=${MAIL_FROM}
+    configs:
+      - source: mstmp_conf
+        target: /etc/msmtprc
+      - source: entrypoint_mailrelay_conf
+        target: /docker-entrypoint.mailrelay.sh
+        mode: 0555
+
+configs:
+  mstmp_conf:
+    name: ${STACK_NAME}_mstmp_conf_${MSMTP_CONF_VERSION}
+    file: msmtp.conf.tmpl
+    template_driver: golang
+  entrypoint_mailrelay_conf:
+    name: ${STACK_NAME}_entrypoint_mailrelay_${ENTRYPOINT_MAILRELAY_CONF_VERSION}
+    file: entrypoint.mailrelay.sh.tmpl
+    template_driver: golang

compose.public-db.yml

@@ -0,0 +1,9 @@
+---
+version: "3.8"
+
+services:
+  db:
+    ports:
+      - target: 3306
+        published: 3306
+        mode: host

compose.smtp.yml

@@ -0,0 +1,19 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - smtp_password
+    environment:
+      - SMTP_HOST
+      - SMTP_PORT=${SMTP_PORT:-25}
+      - SMTP_AUTH
+      - SMTP_TLS
+      - MAIL_FROM
+      - SMTP_OVERRIDE_FROM
+
+secrets:
+  smtp_password:
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+    external: true

compose.yml

@@ -2,21 +2,46 @@
 version: "3.8"
 
 services:
-  wordpress:
-    image: "wordpress:5.5.1"
+  app:
+    image: "wordpress:6.8.1"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
       - backend
       - proxy
     environment:
-      - WORDPRESS_DB_HOST=mariadb
-      - WORDPRESS_DB_USER=wordpress
-      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
-      - WORDPRESS_DB_NAME=wordpress
-      - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
+      WORDPRESS_CONFIG_EXTRA: |
+            define( 'AUTOMATIC_UPDATER_DISABLED', false );
+            define( 'WP_AUTO_UPDATE_CORE', false );
+            ${WORDPRESS_CONFIG_EXTRA}
+      PAGER: more
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: wordpress
+      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
+      WORDPRESS_DB_NAME: wordpress
+      WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
+      PHP_EXTENSIONS: ${PHP_EXTENSIONS}
+      CORS_ALLOW_ALL:
+      COMPOSER:
     secrets:
       - db_password
+    configs:
+      - source: php_uploads_conf
+        target: /usr/local/etc/php/conf.d/uploads.ini
+      - source: entrypoint_conf
+        target: /docker-entrypoint.sh
+        mode: 0555
+      - source: htaccess_conf
+        target: /var/www/html/.htaccess
+    entrypoint: /docker-entrypoint.sh
+    depends_on:
+      - db
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
     deploy:
       update_config:
         failure_action: rollback
@@ -26,15 +51,21 @@ services:
         - "traefik.docker.network=proxy"
         - "traefik.http.routers.${STACK_NAME}.tls=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`ch.${DOMAIN}`, `${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         # 3wc: this rule works for routing, but not for generating certificates
-        # see https://git.autonomic.zone/compose-stacks/planning/issues/14
+        # see https://git.autonomic.zone/coop-cloud/planning/issues/14
         #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=2.16.0+6.8.1"
 
-  mariadb:
-    image: "mariadb:10.5"
+  db:
+    image: "mariadb:11.7"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -47,10 +78,15 @@ services:
     secrets:
       - db_password
       - db_root_password
+    deploy:
+      labels:
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz"
+        backupbot.backup.volumes.mariadb.path: "dump.sql.gz"
+        backupbot.restore.post-hook: "gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql"
 
 networks:
   backend:
-    driver: overlay
   proxy:
     external: true
 
@@ -58,11 +94,24 @@ volumes:
   mariadb:
   wordpress_content:
 
-
 secrets:
   db_root_password:
     external: true
-    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
   db_password:
     external: true
-    name: ${STACK_NAME}_db_password_${DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+
+configs:
+  entrypoint_conf:
+    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+  php_uploads_conf:
+    name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
+    file: uploads.ini.tmpl
+    template_driver: golang
+  htaccess_conf:
+    name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
+    file: htaccess.tmpl
+    template_driver: golang

entrypoint.mailrelay.sh.tmpl

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y msmtp && rm -rf /var/lib/apt/lists/*
+
+echo "sendmail_path = /usr/bin/msmtp -t -i" > /usr/local/etc/php/conf.d/sendmail.ini
+
+/docker-entrypoint.sh

entrypoint.sh.tmpl

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+{{ if (env "PHP_EXTENSIONS") }}
+docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
+{{ end }}
+
+curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+chmod +x /usr/local/bin/wp
+
+{{ if eq (env "ENABLE_COMPOSER") "1" }}
+mkdir -p /var/www/.composer
+chown www-data:www-data /var/www/.composer /var/www/html/composer
+
+curl https://getcomposer.org/installer -o /tmp/composer-setup.php
+php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
+php /tmp/composer-setup.php
+rm /tmp/composer-setup.php
+
+mv /var/www/html/composer.phar /usr/local/bin/composer
+{{ end }}
+
+{{ if eq (env "CORS_ALLOW_ALL") "1" }}
+a2enmod headers
+sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
+{{ end }}
+
+{{ if eq (env "MULTISITE") "enable" }}
+export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
+define('WP_CACHE', false);
+define('WP_ALLOW_MULTISITE', true );"
+{{ end }}
+
+{{ if or (eq (env "MULTISITE") "subdomain") (eq (env "MULTISITE") "subfolder") }}
+export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
+define('MULTISITE', true);
+define('SUBDOMAIN_INSTALL', true);
+define('DOMAIN_CURRENT_SITE', '${DOMAIN}');
+define('PATH_CURRENT_SITE', '/');
+define('SITE_ID_CURRENT_SITE', 1);
+define('BLOG_ID_CURRENT_SITE', 1);
+define('FORCE_SSL_ADMIN', true );
+define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
+{{ end }}
+
+if [ -n "$@" ]; then
+	"$@"
+fi
+
+# Upstream ENTRYPOINT
+# https://github.com/docker-library/wordpress/blob/master/php7.4/apache/Dockerfile#L120
+/usr/local/bin/docker-entrypoint.sh apache2-foreground

htaccess.tmpl

@@ -0,0 +1,57 @@
+{{ if eq (env "MULTISITE") "" -}}
+# BEGIN WordPress
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+
+# END WordPress
+{{- end -}}
+
+{{- if eq (env "MULTISITE") "subfolder" -}}
+# BEGIN WordPress Multisite
+# Using subfolder network type: https://wordpress.org/documentation/article/htaccess/#multisite
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+
+# add a trailing slash to /wp-admin
+RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
+
+RewriteCond %{REQUEST_FILENAME} -f [OR]
+RewriteCond %{REQUEST_FILENAME} -d
+RewriteRule ^ - [L]
+RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
+RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
+RewriteRule . index.php [L]
+
+# END WordPress Multisite
+{{- end -}}
+
+{{- if eq (env "MULTISITE") "subdomain" -}}
+# BEGIN WordPress Multisite
+# Using subdomain network type: https://wordpress.org/documentation/article/htaccess/#multisite
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+
+# add a trailing slash to /wp-admin
+RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
+
+RewriteCond %{REQUEST_FILENAME} -f [OR]
+RewriteCond %{REQUEST_FILENAME} -d
+RewriteRule ^ - [L]
+RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
+RewriteRule ^(.*\.php)$ $1 [L]
+RewriteRule . index.php [L]
+
+# END WordPress Multisite
+{{- end }}

msmtp.conf.tmpl

@@ -0,0 +1,19 @@
+account default
+host {{ env "SMTP_HOST" }}
+from {{ env "MAIL_FROM" }}
+user {{ or (env "SMTP_USER") (env "MAIL_FROM") }}
+port {{ env "SMTP_PORT" }}
+
+{{ if eq (env "SMTP_OVERRIDE_FROM") "on" }}
+set_from_header on
+{{ end }}
+
+{{ if eq (env "SMTP_AUTH") "on" }}
+auth {{ env "SMTP_AUTH" }}
+passwordeval "cat /run/secrets/smtp_password"
+{{ end }}
+
+{{ if eq (env "SMTP_TLS") "on" }}
+tls {{ env "SMTP_TLS" }}
+tls_trust_file /etc/ssl/certs/ca-certificates.crt
+{{ end }}

release/2.10.0+6.5.5

@@ -0,0 +1 @@
+Adds redirects and alakazam integration

release/2.13.2+6.7.1

@@ -0,0 +1 @@
+Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.

release/2.4.0+6.3.0

@@ -0,0 +1 @@
+The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.

release/2.7.0+6.4.2

@@ -0,0 +1 @@
+Multisite now also works with subpaths instead of subdomains. Also Multisite support was simplified. If you are using a subdomain multisite setup you can remove the `WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true);...` from your config and instead set MULTISITE=subdomain.

uploads.ini.tmpl

@@ -0,0 +1,11 @@
+{{ $upload_max_size := "256M" }}
+{{ if ne (env "UPLOAD_MAX_SIZE") "" }} {{ $upload_max_size = env "UPLOAD_MAX_SIZE" }} {{ end }}
+{{ $upload_max_time := "30" }}
+{{ if ne (env "UPLOAD_MAX_TIME") "" }} {{ $upload_max_time = env "UPLOAD_MAX_TIME" }} {{ end }}
+
+file_uploads = On
+upload_max_filesize =  {{ $upload_max_size }}
+post_max_size = {{ $upload_max_size }}
+memory_limit = {{ $upload_max_size }}
+max_execution_time = {{ $upload_max_time }}
+max_input_time = {{ $upload_max_time }}

users.conf.tmpl

@@ -0,0 +1 @@
+ftp_user:{{ secret "ftp_pass" }}:33:33