WIP: optional SSH connection

[ci skip]

.drone.yml

@@ -3,17 +3,32 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/drone-stack:19.03.8
+    image: decentral1se/stack-ssh-deploy:latest
     settings:
-      compose: compose.yml
-      host: ssh://swarm-test.autonomic.zone:222
-      stack_name: wordpress
+      host: swarm-test.autonomic.zone
+      stack: wordpress
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
     environment:
       DOMAIN: wordpress.swarm-test.autonomic.zone
       STACK_NAME: wordpress
       LETS_ENCRYPT_ENV: production
-      DB_PASSWORD_VERSION: v1
-      DB_ROOT_PASSWORD_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_DB_ROOT_PASSWORD_VERSION: v1
+      PHP_UPLOADS_CONF_VERSION: v1
+      ENTRYPOINT_CONF_VERSION: v1
 trigger:
   branch:
     - master
+---
+kind: pipeline
+name: recipe release
+steps:
+  - name: release a new version
+    image: thecoopcloud/drone-abra:latest
+    settings:
+      command: recipe wordpress release
+      deploy_key:
+        from_secret: abra_bot_deploy_key

.env.sample

@@ -0,0 +1,51 @@
+TYPE=wordpress
+
+DOMAIN=wordpress.example.com
+## Domain aliases
+#EXTRA_DOMAINS=', `www.wordpress.example.com`'
+LETS_ENCRYPT_ENV=production
+
+# Necessary for optional features, leave this alone:
+COMPOSE_FILE="compose.yml"
+
+## Additional extensions
+#PHP_EXTENSIONS="calendar"
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+
+# SSH access
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ssh.yml"
+#SSH_PUBLIC_KEY=<your pubkey here>
+
+# Multisite
+#WORDPRESS_CONFIG_EXTRA="\
+#	define('WP_CACHE', false);\
+#	define('WP_ALLOW_MULTISITE', true );"
+
+# Multisite phase 2 (see README)
+#WORDPRESS_CONFIG_EXTRA="\
+#	define('WP_CACHE', false);\
+#	define('WP_ALLOW_MULTISITE', true );\
+#	define('MULTISITE', true);\
+#	define('SUBDOMAIN_INSTALL', true);\
+#	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
+#	define('PATH_CURRENT_SITE', '/');\
+#	define('SITE_ID_CURRENT_SITE', 1);\
+#	define('BLOG_ID_CURRENT_SITE', 1);\
+#	define('FORCE_SSL_ADMIN', true );\
+#	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
+
+# Local SMTP relay
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
+#SMTP_HOST="postfix_relay_app"
+#MAIL_FROM="wordpress@example.com"
+
+# Remote SMTP relay
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#SMTP_HOST="mail.example.com"
+#MAIL_FROM="wordpress@example.com"
+#SMTP_PORT=587
+#SMTP_AUTH=on
+#SMTP_TLS=on
+#SECRET_SMTP_PASSWORD_VERSION=v1

.envrc.sample

@@ -1,28 +0,0 @@
-export DOMAIN=wordpress.example.com
-
-export STACK_NAME=wordpress
-export LETS_ENCRYPT_ENV=production
-
-export DB_ROOT_PASSWORD_VERSION=v1
-export DB_PASSWORD_VERSION=v1
-
-# Multisite
-#export WORDPRESS_CONFIG_EXTRA="\
-#	define('WP_CACHE', false);\
-#	define('WP_ALLOW_MULTISITE', true );"
-
-# Multisite phase 2 (see README)
-#export WORDPRESS_CONFIG_EXTRA="\
-#	define('WP_CACHE', false);\
-#	define('WP_ALLOW_MULTISITE', true );\
-#	define('MULTISITE', true);\
-#	define('SUBDOMAIN_INSTALL', true);\
-#	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
-#	define('PATH_CURRENT_SITE', '/');\
-#	define('SITE_ID_CURRENT_SITE', 1);\
-#	define('BLOG_ID_CURRENT_SITE', 1);\
-#	define('FORCE_SSL_ADMIN', true );\
-#	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
-
-# Backups
-#export COMPOSE_FILE="compose.yml:compose.backup.yml"

README.md

@@ -1,49 +1,75 @@
-# wordpress
+# Wordpress
+
+[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/wordpress/status.svg)](https://drone.autonomic.zone/coop-cloud/wordpress)
 
 Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 
-1. Set up Docker Swarm and [`abra`][abra]
-2. Deploy [`compose-stacks/traefik`][compose-traefik]
-3. `cp .envrc.sample .envrc`
-4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
-   your Docker swarm box
-5. `direnv allow` (or `. .envrc`)
-6. Generate secrets:
-   ```
-   abra secret_generate db_password v1
-   abra secret_generate db_root_password v1
-   ```
+<!-- metadata -->
 
-7. `abra deploy`
-8. Open the configured domain in your browser to finish set-up
-9. `abra run wordpress chown www-data:www-data /var/www/html/wp-content` to fix
+* **Category**: Apps
+* **Status**: 3, stable
+* **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
+* **Healthcheck**: Yes
+* **Backups**: Yes
+* **Email**: 3
+* **Tests**: 2
+* **SSO**: No
+
+<!-- endmetadata -->
+
+## Basic usage
+
+1. Set up Docker Swarm and [`abra`][abra]
+2. Deploy [`coop-cloud/traefik`][cc-traefik]
+3. `abra app new wordpress --secrets` (optionally with `--pass` if you'd like
+   to save secrets in `pass`)
+4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
+   your Docker swarm box
+5. `abra app YOURAPPDOMAIN deploy`
+6. Open the configured domain in your browser to finish set-up
+7. `abra app YOURAPPDOMAIN run app chown www-data:www-data /var/www/html/wp-content` to fix
    file permissions (see #3)
 
+## Running WP-CLI
+
+`abra app YOURAPPDOMAIN wp 'core check-update --major'`
+
+(the WP-CLI arguments need to be quoted, because of how `abra` handles
+command-line arguments)
+
 ## Network (Multi-site)
 
 _(Only tested using subdomains)_
 
 1. Set up as above
-2. Uncomment the first `# Multisite` section in `.envrc`
-3. `direnv allow` (or re-run `source .envrc`)
-4. `abra deploy`
-5. Log into the Wordpress admin dashboard, go to Tools » Network Setup
-6. Don't worry about the suggested file changes
-7. Comment out the first `# Multisite` section in `.envrc` and uncomment the
-   `# Multisite phase 2` section
-8. `direnv allow` (or re-run `source .envrc`)
-9. `abra deploy`
-10. FIXME setting up SSL / routing
+2. `abra app YOURAPPDOMAIN config`, and uncomment the first `# Multisite` section
+3. `abra app YOURAPPDOMAIN deploy`
+4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
+5. Don't worry about the suggested file changes
+6. `abra app YOURAPPDOMAIN config` again - comment out the first `# Multisite`
+   section in `.envrc`, uncomment the `# Multisite phase 2` section, and add
+   your multisite subdomain(s) to `EXTRA_DOMAINS` (beware the weird syntax..)
+7. `abra app YOURAPPDOMAIN deploy`
 
 ## Installing a custom theme
 
-`abra cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+`abra app YOURAPPDOMAIN cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+
+## Email
+
+There is a local or remote SMTP relay configuration available.
+
+* **local**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml`
+* **remote**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml:compose.smtp.yml`
+
+Below are the instructions for the local relay.
+
+1. Deploy [`postfix-relay`][cc-postfix-relay]
+2. `abra app YOURAPPDOMAIN config`, and uncomment the email lines; change
+   `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s
+   `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
+3. `abra app YOURAPPDOMAIN deploy`
 
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
-
-## Backups
-
-1. Edit `.envrc` and uncomment the `export COMPOSE_FILE="compose.yml:compose.backup.yml"` line
-2. `direnv allow`
-3. `abra deploy`
+[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik

abra.sh

@@ -0,0 +1,78 @@
+export PHP_UPLOADS_CONF_VERSION=v3
+export ENTRYPOINT_CONF_VERSION=v2
+export ENTRYPOINT_MAILRELAY_CONF_VERSION=v1
+export MSMTP_CONF_VERSION=v3
+
+sub_wp() {
+  CONTAINER=$(docker container ls -f "Name=${STACK_NAME}_app" --format '{{ .ID }}')
+  if [ -z "$CONTAINER" ]; then
+    error "Can't find a container for ${STACK_NAME}_app"
+    exit
+  fi
+  debug "Using Container ID ${CONTAINER}"
+
+  # FIXME 3wc: we're fighting the Wordpress image, which recommends a named
+  # volume for /var/www/html -- this used to work fine using --volumes-from
+  # because the actual MySQL password was inserted into the generated
+  # wp-config.php -- but as of Wordpress 5.7.0, wp-config loads data straight
+  # from the environment, which requires Docker secrets to work, which only work
+  # in swarm services (not one-off `docker run` commands). Defining a `cli`
+  # service in compose.yml almost works, but there's no volumes_from: in Compose
+  # V3, and without it then the `cli` service can't access Wordpress core.
+  # See https://git.autonomic.zone/coop-cloud/wordpress/issues/21
+  warning "Slowly looking up MySQL password..."
+  silence
+  abra__service_="app"
+  DB_PASSWORD="$(sub_app_run cat "/run/secrets/db_password")"
+  unsilence
+
+  # shellcheck disable=SC2154,SC2086
+  docker run -it \
+	--volumes-from "$CONTAINER" \
+	--network "container:$CONTAINER" \
+	-u xfs:xfs \
+    -e WORDPRESS_DB_HOST=db \
+    -e WORDPRESS_DB_USER=wordpress \
+    -e WORDPRESS_DB_PASSWORD="${DB_PASSWORD}" \
+    -e WORDPRESS_DB_NAME=wordpress \
+    -e WORDPRESS_CONFIG_EXTRA="${WORDPRESS_CONFIG_EXTRA}" \
+	wordpress:cli wp ${abra__args_[*]}
+}
+
+abra_backup_app() {
+  _abra_backup_dir "app:/var/www/html/wp-content"
+}
+
+abra_backup_db() {
+  _abra_backup_mysql "db" "wordpress"
+}
+
+abra_backup() {
+  abra_backup_app && abra_backup_db
+}
+
+abra_restore_app() {
+  # shellcheck disable=SC2034
+  {
+	abra__src_="-"
+	abra__dst_="app:/var/www/html/"
+  }
+
+  zcat "$@" | sub_app_cp
+
+  success "Restored 'app'"
+}
+
+abra_restore_db() {
+  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
+  # got this far..
+
+  # shellcheck disable=SC2034
+  abra___no_tty="true"
+
+  DB_ROOT_PASSWORD=$(sub_app_run cat /run/secrets/db_root_password)
+
+  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
+
+  success "Restored 'db'"
+}

borgmatic.yml

@@ -1,36 +0,0 @@
-location:
-  source_directories:
-    - /var/www/html/wp-content
-  repositories:
-    - {{ env "BORGBASE_REPO" }}
-
-storage:
-  compression: auto,zstd
-  encryption_passphrase: {{ secret "backup_bot_password" }}
-  archive_name_format: "{hostname}-{now}"
-  ssh_command: "ssh -o 'StrictHostKeyChecking no' -i /run/secrets/backup_bot_ssh_key"
-
-retention:
-  keep_daily: 3
-  keep_weekly: 4
-  keep_monthly: 12
-  keep_yearly: 2
-  prefix: "{hostname}-"
-
-consistency:
-  checks:
-    - disabled
-  check_last: 3
-  prefix: "{hostname}-"
-
-hooks:
-  before_backup:
-    - echo "`date` - Starting backup"
-  after_backup:
-    - echo "`date` - Finished backup"
-  mysql_databases:
-    - name: {{ env "DB_TABLE" }}
-      hostname: {{ env "DB_HOST" }}
-      port: 3306
-      username: {{ env "DB_USER" }}
-      password: {{ secret "db_password" }}

compose.backup.yml

@@ -1,47 +0,0 @@
----
-version: "3.8"
-
-services:
-  backupbot:
-    image: "decentral1se/backup-bot:0.0.1"
-    networks:
-      - backend
-    volumes:
-      - "wordpress_content:/var/www/html/wp-content/"
-    secrets:
-      - source: backup_bot_ssh_key
-        mode: 0400
-      - backup_bot_password
-      - db_password
-    configs:
-      - source: borgmatic_config_yml
-        target: /etc/borgmatic/config.yaml
-    environment:
-      - BORGBASE_REPO="g067e243@g067e243.repo.borgbase.com:repo"
-      - DB_HOST=mariadb
-      - DB_TABLE=wordpress
-      - DB_USER=wordpress
-    deploy:
-      mode: replicated
-      replicas: 0
-      labels:
-        - "swarm.cronjob.enable=true"
-        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
-      restart_policy:
-        condition: none
-    networks:
-      - backend
-
-configs:
-  borgmatic_config_yml:
-    name: borgmatic_config_yml_v7
-    file: borgmatic.yml
-    template_driver: golang
-
-secrets:
-  backup_bot_ssh_key:
-    name: backup_bot_ssh_key_v1
-    external: true
-  backup_bot_password:
-    name: backup_bot_password_v1
-    external: true

compose.mailrelay.yml

@@ -0,0 +1,25 @@
+---
+version: "3.8"
+
+services:
+  app:
+    entrypoint: /docker-entrypoint.mailrelay.sh
+    environment:
+      - SMTP_HOST=${SMTP_HOST}
+      - MAIL_FROM=${MAIL_FROM}
+    configs:
+      - source: mstmp_conf
+        target: /etc/msmtprc
+      - source: entrypoint_mailrelay_conf
+        target: /docker-entrypoint.mailrelay.sh
+        mode: 0555
+
+configs:
+  mstmp_conf:
+    name: ${STACK_NAME}_mstmp_conf_${MSMTP_CONF_VERSION}
+    file: msmtp.conf.tmpl
+    template_driver: golang
+  entrypoint_mailrelay_conf:
+    name: ${STACK_NAME}_entrypoint_mailrelay_${ENTRYPOINT_MAILRELAY_CONF_VERSION}
+    file: entrypoint.mailrelay.sh.tmpl
+    template_driver: golang

compose.smtp.yml

@@ -0,0 +1,18 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - smtp_password
+    environment:
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT:-25}
+      - SMTP_AUTH=${SMTP_AUTH}
+      - SMTP_TLS=${SMTP_TLS}
+      - MAIL_FROM=${MAIL_FROM}
+
+secrets:
+  smtp_password:
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+    external: true

compose.ssh.yml

@@ -0,0 +1,27 @@
+---
+version: "3.8"
+
+services:
+  ssh:
+    image: lscr.io/linuxserver/openssh-server
+    environment:
+      - PUID=33
+      - PGID=33
+      - PUBLIC_KEY=${SSH_PUBLIC_KEY}
+      - USER_NAME=wordpress
+      - PASSWORD_ACCESS=false
+    networks:
+      - proxy
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)"
+        - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=gitea-ssh"
+        - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=2222"
+
+networks:
+  proxy:
+    external: true

compose.yml

@@ -2,21 +2,37 @@
 version: "3.8"
 
 services:
-  wordpress:
-    image: "wordpress:5.5.1"
+  app:
+    image: "wordpress:5.8.1"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
       - backend
       - proxy
     environment:
-      - WORDPRESS_DB_HOST=mariadb
+      - WORDPRESS_DB_HOST=db
       - WORDPRESS_DB_USER=wordpress
       - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
       - WORDPRESS_DB_NAME=wordpress
       - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
+      - PHP_EXTENSIONS
     secrets:
       - db_password
+    configs:
+      - source: php_uploads_conf
+        target: /usr/local/etc/php/conf.d/uploads.ini
+      - source: entrypoint_conf
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
+    depends_on:
+      - db
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
     deploy:
       update_config:
         failure_action: rollback
@@ -26,15 +42,16 @@ services:
         - "traefik.docker.network=proxy"
         - "traefik.http.routers.${STACK_NAME}.tls=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`ch.${DOMAIN}`, `${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         # 3wc: this rule works for routing, but not for generating certificates
-        # see https://git.autonomic.zone/compose-stacks/planning/issues/14
+        # see https://git.autonomic.zone/coop-cloud/planning/issues/14
         #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+5.8.1"
 
-  mariadb:
-    image: "mariadb:10.5"
+  db:
+    image: "mariadb:10.6"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -50,7 +67,6 @@ services:
 
 networks:
   backend:
-    driver: overlay
   proxy:
     external: true
 
@@ -58,11 +74,19 @@ volumes:
   mariadb:
   wordpress_content:
 
-
 secrets:
   db_root_password:
     external: true
-    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
   db_password:
     external: true
-    name: ${STACK_NAME}_db_password_${DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+
+configs:
+  entrypoint_conf:
+    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+  php_uploads_conf:
+    name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
+    file: uploads.ini

entrypoint.mailrelay.sh.tmpl

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y msmtp && rm -rf /var/lib/apt/lists/*
+
+echo "sendmail_path = /usr/bin/msmtp -t -i" > /usr/local/etc/php/conf.d/sendmail.ini

entrypoint.sh.tmpl

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+{{ if (env "PHP_EXTENSIONS") }}
+docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
+{{ end }}
+
+if [ -n "$@" ]; then
+	"$@"
+fi
+
+# Upstream ENTRYPOINT
+# https://github.com/docker-library/wordpress/blob/master/php7.4/apache/Dockerfile#L120
+/usr/local/bin/docker-entrypoint.sh apache2-foreground

msmtp.conf.tmpl

@@ -0,0 +1,15 @@
+account default
+host {{ env "SMTP_HOST" }}
+from {{ env "MAIL_FROM" }}
+user {{ env "MAIL_FROM" }}
+port {{ env "SMTP_PORT" }}
+
+{{ if eq (env "SMTP_AUTH") "on" }}
+auth {{ env "SMTP_AUTH" }}
+passwordeval "cat /run/secrets/smtp_password"
+{{ end }}
+
+{{ if eq (env "SMTP_TLS") "on" }}
+tls {{ env "SMTP_TLS" }}
+tls_trust_file /etc/ssl/certs/ca-certificates.crt
+{{ end }}

uploads.ini

@@ -0,0 +1,3 @@
+file_uploads = On
+upload_max_filesize = 256M
+post_max_size = 256M