Run Drone on master branch

Add .drone.yml
2020-09-25 02:31:25 +02:00 · 2020-09-25 02:26:38 +02:00
31 changed files with 169 additions and 657 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -3,41 +3,17 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/drone-stack:19.03.8
    settings:
-      host: swarm-test.autonomic.zone
+      compose: compose.yml
-      stack: wordpress
+      host: ssh://swarm-test.autonomic.zone:222
-      generate_secrets: true
+      stack_name: wordpress
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
      networks:
        - proxy
    environment:
      DOMAIN: wordpress.swarm-test.autonomic.zone
      STACK_NAME: wordpress
      LETS_ENCRYPT_ENV: production
-      SECRET_DB_PASSWORD_VERSION: v1
+      DB_PASSWORD_VERSION: v1
-      SECRET_DB_ROOT_PASSWORD_VERSION: v1
+      DB_ROOT_PASSWORD_VERSION: v1
      PHP_UPLOADS_CONF_VERSION: v1
      ENTRYPOINT_CONF_VERSION: v1
      HTACCESS_CONF_VERSION: v1
 trigger:
  branch:
-    - main
+    - master
 ---
 kind: pipeline
 name: generate recipe catalogue
 steps:
  - name: release a new version
    image: plugins/downstream
    settings:
      server: https://build.coopcloud.tech
      token:
        from_secret: drone_abra-bot_token
      fork: true
      repositories:
        - toolshed/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,90 +0,0 @@
 TYPE=wordpress
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 COMPOSE_FILE="compose.yml"
 ENABLE_BACKUPS=true
 DOMAIN=wordpress.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress.example.com`'
 # Redirects
 # All redirect domains have to be added to EXTRA_DOMAINS as well)
 # multiple redirects can be added by seperating them with a | character
 #REDIRECTS=www.wordpress.example.com
 LETS_ENCRYPT_ENV=production
 # Setup Wordpress settings on each deploy:
 #POST_DEPLOY_CMDS="app core_install"
 # Optional settings, otherwise can be set in the installer
 # (Required for `app core_install`
 #TITLE="My Example Blog"
 #LOCALE="en_US" # de_DE
 #ADMIN_EMAIL=admin@example.com
 # Every new user is per default subscriber, uncomment to change it
 #DEFAULT_USER_ROLE=administrator
 # PHP composer for plugin installation
 #COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
 #WORDPRESS_DEBUG=true
 ## Additional extensions
 #PHP_EXTENSIONS="calendar"
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 # Mostly for compatibility with existing database dumps...
 #WORDPRESS_TABLE_PREFIX=wp_
 # Multisite (see README)
 #MULTISITE=enable # either 'enable', 'subdomain' or 'subfolder'
 # File upload settings
 #UPLOAD_MAX_SIZE=256M
 #UPLOAD_MAX_TIME=30
 # Local SMTP relay
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
 #SMTP_HOST="postfix_relay_app"
 #MAIL_FROM="wordpress@example.com"
 # Remote SMTP relay
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml:compose.smtp.yml"
 #SMTP_HOST="mail.example.com"
 #MAIL_FROM="wordpress@example.com"
 #SMTP_USER="wordpress@example.com"  # optional, defaults to MAIL_FROM
 #SMTP_OVERRIDE_FROM=on  # force "From" to MAIL_FROM, usually necessary
 #SMTP_PORT=587
 #SMTP_AUTH=on
 #SMTP_TLS=on
 #SECRET_SMTP_PASSWORD_VERSION=v1
 # Authentik SSO
 #COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 #AUTHENTIK_DOMAIN=authentik.example.com
 #SECRET_AUTHENTIK_SECRET_VERSION=v1
 #SECRET_AUTHENTIK_ID_VERSION=v1
 #LOGIN_TYPE='auto'
 # Allow remote connections to db
 # 🚩🚩 dangerous, use only for development sites!
 #COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
 # Wide-open CORS
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1
 # You can use a Port between 2220-2225
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2220.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2221.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"
--- a/.envrc.sample
+++ b/.envrc.sample
@ -0,0 +1,28 @@
 export DOMAIN=wordpress.example.com
 export STACK_NAME=wordpress
 export LETS_ENCRYPT_ENV=production
 export DB_ROOT_PASSWORD_VERSION=v1
 export DB_PASSWORD_VERSION=v1
 # Multisite
 #export WORDPRESS_CONFIG_EXTRA="\
 #	define('WP_CACHE', false);\
 #	define('WP_ALLOW_MULTISITE', true );"
 # Multisite phase 2 (see README)
 #export WORDPRESS_CONFIG_EXTRA="\
 #	define('WP_CACHE', false);\
 #	define('WP_ALLOW_MULTISITE', true );\
 #	define('MULTISITE', true);\
 #	define('SUBDOMAIN_INSTALL', true);\
 #	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
 #	define('PATH_CURRENT_SITE', '/');\
 #	define('SITE_ID_CURRENT_SITE', 1);\
 #	define('BLOG_ID_CURRENT_SITE', 1);\
 #	define('FORCE_SSL_ADMIN', true );\
 #	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 # Backups
 #export COMPOSE_FILE="compose.yml:compose.backup.yml"
--- a/README.md
+++ b/README.md
@ -1,79 +1,49 @@
-# Wordpress
+# wordpress
 [![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/wordpress/status.svg)](https://build.coopcloud.tech/coop-cloud/wordpress)
 Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
-<!-- metadata -->
+1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`compose-stacks/traefik`][compose-traefik]
 3. `cp .envrc.sample .envrc`
 4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
   your Docker swarm box
 5. `direnv allow` (or `. .envrc`)
 6. Generate secrets:
   ```
   abra secret_generate db_password v1
   abra secret_generate db_root_password v1
   ```
-* **Category**: Apps
+7. `abra deploy`
-* **Status**: 4
+8. Open the configured domain in your browser to finish set-up
-* **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
+9. `abra run wordpress chown www-data:www-data /var/www/html/wp-content` to fix
-* **Healthcheck**: Yes
+   file permissions (see #3)
 * **Backups**: Yes
 * **Email**: 3
 * **Tests**: 2
 * **SSO**: No
 <!-- endmetadata -->
 ## Quick start
 * `abra app new wordpress`
 * `abra app config <app-name>`
 * `abra app secret generate -a <app-name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app-name> app core_install`
 ### Authentik Integration
 `abra app config <app-name>` 
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 AUTHENTIK_DOMAIN=authentik.example.com
 AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
 AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
 ```
 `abra app cmd <app-name> app set_authentik`
 ## Running WP-CLI
 `abra app cmd <app-name> app wp -- core check-update --major`
 ## Network (Multi-site)
 _(Only tested using subdomains)_
 1. Set up as above
-2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+2. Uncomment the first `# Multisite` section in `.envrc`
-3. `abra app deploy <app-name>`
+3. `direnv allow` (or re-run `source .envrc`)
-4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
+4. `abra deploy`
-5. Don't worry about the suggested file changes
+5. Log into the Wordpress admin dashboard, go to Tools » Network Setup
-6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
+6. Don't worry about the suggested file changes
-7. `abra app deploy <app-name>`
+7. Comment out the first `# Multisite` section in `.envrc` and uncomment the
   `# Multisite phase 2` section
 8. `direnv allow` (or re-run `source .envrc`)
 9. `abra deploy`
 10. FIXME setting up SSL / routing
 ## Installing a custom theme
-`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+`abra cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
 ## Email
 There is a local or remote SMTP relay configuration available.
 * **local**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml`
 * **remote**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml:compose.smtp.yml`
 Below are the instructions for the local relay.
 1. Deploy [`postfix-relay`][cc-postfix-relay]
 2. `abra app config <app-name>`, and uncomment the email lines; change
   `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s
   `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
 3. `abra app deploy <app-name>`
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
-[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik
+
 ## Backups
 1. Edit `.envrc` and uncomment the `export COMPOSE_FILE="compose.yml:compose.backup.yml"` line
 2. `direnv allow`
 3. `abra deploy`
--- a/abra.sh
+++ b/abra.sh
@ -1,96 +0,0 @@
 export PHP_UPLOADS_CONF_VERSION=v4
 export ENTRYPOINT_CONF_VERSION=v7
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
 export HTACCESS_CONF_VERSION=v2
 export USERS_CONF_VERSION=v1
 wp() {
    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
 }
 update() {
    wp "core update-db"
    wp "plugin update --all"
    wp "plugin auto-updates enable --all"
    wp "theme update --all"
    wp "theme auto-updates enable --all"
    wp "language core update"
    wp "language plugin update --all"
    wp "language theme update --all"
 }
 core_install(){
    ADMIN=admin
    if [ -n "$AUTHENTIK_DOMAIN" ]
    then
        ADMIN=akadmin
    fi
    chown www-data:www-data -R /var/www/html/wp-content
    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email"
    wp "language core install $LOCALE"
    wp "site switch-language $LOCALE"
    wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
    wp "plugin install --activate disable-update-notifications"
    wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
    if [ -n "$DEFAULT_USER_ROLE" ]
    then
        wp "option set default_role $DEFAULT_USER_ROLE"
    else
        wp "option set default_role subscriber"
    fi
    wp "theme auto-updates enable --all"
    wp 'plugin auto-updates enable --all' || exit 0
 }
 set_authentik(){
    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
    if [ -z $LOGIN_TYPE ]
    then
        LOGIN_TYPE='button'
    fi
    wp "user create akadmin admin@example.com --role=administrator"
    wp "plugin install --activate daggerhart-openid-connect-generic"
    wp 'plugin auto-updates enable daggerhart-openid-connect-generic'
    wp "option update --format=json openid_connect_generic_settings '
    {
        \"login_type\":\"$LOGIN_TYPE\",
        \"client_id\":\"$AUTHENTIK_ID\",
        \"client_secret\":\"$AUTHENTIK_SECRET\",
        \"scope\":\"email profile openid\",
        \"endpoint_login\":\"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
        \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
        \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
        \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
        \"acr_values\":\"\",
        \"identity_key\":\"preferred_username\",
        \"no_sslverify\":\"0\",
        \"http_request_timeout\":\"30\",
        \"enforce_privacy\":\"0\",
        \"alternate_redirect_uri\":\"1\",
        \"nickname_key\":\"preferred_username\",
        \"email_format\":\"{email}\",
        \"displayname_format\":\"\",
        \"identify_with_username\":\"1\",
        \"state_time_limit\":\"\",
        \"token_refresh_enable\":\"1\",
        \"link_existing_users\":\"1\",
        \"create_if_does_not_exist\":\"1\",
        \"redirect_user_back\":\"0\",
        \"redirect_on_logout\":\"1\",
        \"enable_logging\":\"0\",
        \"log_limit\":\"1000\"
    }'"
    wp "rewrite flush"
    wp "cache flush"
 }
 fix_mysql() {
  echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
 }
 show_plugins() {
  wp "plugin list --fields=name,status,wporg_status,version,update_version,auto_update,tested_up_to,wporg_last_updated"
 }
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,12 +0,0 @@
 authentik:
    uncomment:
        - compose.authentik.yml
        - AUTHENTIK_DOMAIN
        - SECRET_AUTHENTIK_SECRET_VERSION
        - SECRET_AUTHENTIK_ID_VERSION
        - LOGIN_TYPE
    inital-hooks:
        - app set_authentik
    shared_secrets:
        wordpress_secret: authentik_secret
        wordpress_id: authentik_id
--- a/borgmatic.yml
+++ b/borgmatic.yml
@ -0,0 +1,36 @@
 location:
  source_directories:
    - /var/www/html/wp-content
  repositories:
    - {{ env "BORGBASE_REPO" }}
 storage:
  compression: auto,zstd
  encryption_passphrase: {{ secret "backup_bot_password" }}
  archive_name_format: "{hostname}-{now}"
  ssh_command: "ssh -o 'StrictHostKeyChecking no' -i /run/secrets/backup_bot_ssh_key"
 retention:
  keep_daily: 3
  keep_weekly: 4
  keep_monthly: 12
  keep_yearly: 2
  prefix: "{hostname}-"
 consistency:
  checks:
    - disabled
  check_last: 3
  prefix: "{hostname}-"
 hooks:
  before_backup:
    - echo "`date` - Starting backup"
  after_backup:
    - echo "`date` - Finished backup"
  mysql_databases:
    - name: {{ env "DB_TABLE" }}
      hostname: {{ env "DB_HOST" }}
      port: 3306
      username: {{ env "DB_USER" }}
      password: {{ secret "db_password" }}
--- a/compose.authentik.yml
+++ b/compose.authentik.yml
@ -1,14 +0,0 @@
 version: "3.8"
 services:
  app:
    secrets:
      - authentik_secret
      - authentik_id
 secrets:
  authentik_secret:
    external: true
    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
  authentik_id:
    external: true
    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}
--- a/compose.backup.yml
+++ b/compose.backup.yml
@ -0,0 +1,47 @@
 ---
 version: "3.8"
 services:
  backupbot:
    image: "decentral1se/backup-bot:0.0.1"
    networks:
      - backend
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    secrets:
      - source: backup_bot_ssh_key
        mode: 0400
      - backup_bot_password
      - db_password
    configs:
      - source: borgmatic_config_yml
        target: /etc/borgmatic/config.yaml
    environment:
      - BORGBASE_REPO="g067e243@g067e243.repo.borgbase.com:repo"
      - DB_HOST=mariadb
      - DB_TABLE=wordpress
      - DB_USER=wordpress
    deploy:
      mode: replicated
      replicas: 0
      labels:
        - "swarm.cronjob.enable=true"
        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
      restart_policy:
        condition: none
    networks:
      - backend
 configs:
  borgmatic_config_yml:
    name: borgmatic_config_yml_v7
    file: borgmatic.yml
    template_driver: golang
 secrets:
  backup_bot_ssh_key:
    name: backup_bot_ssh_key_v1
    external: true
  backup_bot_password:
    name: backup_bot_password_v1
    external: true
--- a/compose.composer.yml
+++ b/compose.composer.yml
@ -1,14 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    volumes:
      - "composer:/var/www/html/composer"
    environment:
      - ENABLE_COMPOSER=1
      - COMPOSER=composer/composer.json
      - COMPOSER_VENDOR_DIR=composer/vendor
 volumes:
  composer:
--- a/compose.ftp-2220.yml
+++ b/compose.ftp-2220.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
        - 2220:22
--- a/compose.ftp-2221.yml
+++ b/compose.ftp-2221.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
        - 2221:22
--- a/compose.ftp-2222.yml
+++ b/compose.ftp-2222.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
        - 2222:22
--- a/compose.ftp-2223.yml
+++ b/compose.ftp-2223.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
        - 2223:22
--- a/compose.ftp-2224.yml
+++ b/compose.ftp-2224.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
        - 2224:22
--- a/compose.ftp-2225.yml
+++ b/compose.ftp-2225.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
        - 2220:22
--- a/compose.ftp.yml
+++ b/compose.ftp.yml
@ -1,24 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    image: atmoz/sftp
    secrets:
      - ftp_pass
    volumes:
      - "wordpress_content:/home/ftp_user/wp-content"
    configs:
      - source: users_conf
        target: /etc/sftp/users.conf
 secrets:
  ftp_pass:
    name: ${STACK_NAME}_ftp_pass_${SECRET_FTP_PASS_VERSION}
    external: true
 configs:
  users_conf:
    name: ${STACK_NAME}_users_conf_${USERS_CONF_VERSION}
    file: users.conf.tmpl
    template_driver: golang
--- a/compose.mailrelay.yml
+++ b/compose.mailrelay.yml
@ -1,26 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    entrypoint: /docker-entrypoint.mailrelay.sh
    environment:
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_PORT=${SMTP_PORT:-25}
      - MAIL_FROM=${MAIL_FROM}
    configs:
      - source: mstmp_conf
        target: /etc/msmtprc
      - source: entrypoint_mailrelay_conf
        target: /docker-entrypoint.mailrelay.sh
        mode: 0555
 configs:
  mstmp_conf:
    name: ${STACK_NAME}_mstmp_conf_${MSMTP_CONF_VERSION}
    file: msmtp.conf.tmpl
    template_driver: golang
  entrypoint_mailrelay_conf:
    name: ${STACK_NAME}_entrypoint_mailrelay_${ENTRYPOINT_MAILRELAY_CONF_VERSION}
    file: entrypoint.mailrelay.sh.tmpl
    template_driver: golang
--- a/compose.public-db.yml
+++ b/compose.public-db.yml
@ -1,9 +0,0 @@
 ---
 version: "3.8"
 services:
  db:
    ports:
      - target: 3306
        published: 3306
        mode: host
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@ -1,19 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    secrets:
      - smtp_password
    environment:
      - SMTP_HOST
      - SMTP_PORT=${SMTP_PORT:-25}
      - SMTP_AUTH
      - SMTP_TLS
      - MAIL_FROM
      - SMTP_OVERRIDE_FROM
 secrets:
  smtp_password:
    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
    external: true
--- a/compose.yml
+++ b/compose.yml
@ -2,46 +2,21 @@
 version: "3.8"
 services:
-  app:
+  wordpress:
-    image: "wordpress:6.8.1"
+    image: "wordpress:5.5.1"
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    networks:
      - backend
      - proxy
    environment:
-      WORDPRESS_CONFIG_EXTRA: |
+      - WORDPRESS_DB_HOST=mariadb
-            define( 'AUTOMATIC_UPDATER_DISABLED', false );
+      - WORDPRESS_DB_USER=wordpress
-            define( 'WP_AUTO_UPDATE_CORE', false );
+      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
-            ${WORDPRESS_CONFIG_EXTRA}
+      - WORDPRESS_DB_NAME=wordpress
-      PAGER: more
+      - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
      PHP_EXTENSIONS: ${PHP_EXTENSIONS}
      CORS_ALLOW_ALL:
      COMPOSER:
    secrets:
      - db_password
    configs:
      - source: php_uploads_conf
        target: /usr/local/etc/php/conf.d/uploads.ini
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
      - source: htaccess_conf
        target: /var/www/html/.htaccess
    entrypoint: /docker-entrypoint.sh
    depends_on:
      - db
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    deploy:
      update_config:
        failure_action: rollback
@ -51,21 +26,15 @@ services:
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.${STACK_NAME}.tls=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`ch.${DOMAIN}`, `${DOMAIN}`)"
        # 3wc: this rule works for routing, but not for generating certificates
-        # see https://git.autonomic.zone/coop-cloud/planning/issues/14
+        # see https://git.autonomic.zone/compose-stacks/planning/issues/14
        #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
        - "coop-cloud.${STACK_NAME}.version=2.16.0+6.8.1"
-  db:
+  mariadb:
-    image: "mariadb:11.7"
+    image: "mariadb:10.5"
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
@ -78,15 +47,10 @@ services:
    secrets:
      - db_password
      - db_root_password
    deploy:
      labels:
        backupbot.backup: "${ENABLE_BACKUPS:-true}"
        backupbot.backup.pre-hook: "mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz"
        backupbot.backup.volumes.mariadb.path: "dump.sql.gz"
        backupbot.restore.post-hook: "gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql"
 networks:
  backend:
    driver: overlay
  proxy:
    external: true
@ -94,24 +58,11 @@ volumes:
  mariadb:
  wordpress_content:
 secrets:
  db_root_password:
    external: true
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
  db_password:
    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${DB_ROOT_PASSWORD_VERSION}
 configs:
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
  php_uploads_conf:
    name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
    file: uploads.ini.tmpl
    template_driver: golang
  htaccess_conf:
    name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
    file: htaccess.tmpl
    template_driver: golang
--- a/entrypoint.mailrelay.sh.tmpl
+++ b/entrypoint.mailrelay.sh.tmpl
@ -1,7 +0,0 @@
 #!/bin/bash
 apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y msmtp && rm -rf /var/lib/apt/lists/*
 echo "sendmail_path = /usr/bin/msmtp -t -i" > /usr/local/etc/php/conf.d/sendmail.ini
 /docker-entrypoint.sh
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -1,51 +0,0 @@
 #!/bin/bash
 {{ if (env "PHP_EXTENSIONS") }}
 docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
 {{ end }}
 curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 chmod +x /usr/local/bin/wp
 {{ if eq (env "ENABLE_COMPOSER") "1" }}
 mkdir -p /var/www/.composer
 chown www-data:www-data /var/www/.composer /var/www/html/composer
 curl https://getcomposer.org/installer -o /tmp/composer-setup.php
 php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
 php /tmp/composer-setup.php
 rm /tmp/composer-setup.php
 mv /var/www/html/composer.phar /usr/local/bin/composer
 {{ end }}
 {{ if eq (env "CORS_ALLOW_ALL") "1" }}
 a2enmod headers
 sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
 {{ end }}
 {{ if eq (env "MULTISITE") "enable" }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('WP_CACHE', false);
 define('WP_ALLOW_MULTISITE', true );"
 {{ end }}
 {{ if or (eq (env "MULTISITE") "subdomain") (eq (env "MULTISITE") "subfolder") }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('MULTISITE', true);
 define('SUBDOMAIN_INSTALL', true);
 define('DOMAIN_CURRENT_SITE', '${DOMAIN}');
 define('PATH_CURRENT_SITE', '/');
 define('SITE_ID_CURRENT_SITE', 1);
 define('BLOG_ID_CURRENT_SITE', 1);
 define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}
 if [ -n "$@" ]; then
 	"$@"
 fi
 # Upstream ENTRYPOINT
 # https://github.com/docker-library/wordpress/blob/master/php7.4/apache/Dockerfile#L120
 /usr/local/bin/docker-entrypoint.sh apache2-foreground
--- a/htaccess.tmpl
+++ b/htaccess.tmpl
@ -1,57 +0,0 @@
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress
 RewriteEngine On
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 # END WordPress
 {{- end -}}
 {{- if eq (env "MULTISITE") "subfolder" -}}
 # BEGIN WordPress Multisite
 # Using subfolder network type: https://wordpress.org/documentation/article/htaccess/#multisite
 RewriteEngine On
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 # add a trailing slash to /wp-admin
 RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
 RewriteCond %{REQUEST_FILENAME} -f [OR]
 RewriteCond %{REQUEST_FILENAME} -d
 RewriteRule ^ - [L]
 RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
 RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
 RewriteRule . index.php [L]
 # END WordPress Multisite
 {{- end -}}
 {{- if eq (env "MULTISITE") "subdomain" -}}
 # BEGIN WordPress Multisite
 # Using subdomain network type: https://wordpress.org/documentation/article/htaccess/#multisite
 RewriteEngine On
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 # add a trailing slash to /wp-admin
 RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
 RewriteCond %{REQUEST_FILENAME} -f [OR]
 RewriteCond %{REQUEST_FILENAME} -d
 RewriteRule ^ - [L]
 RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
 RewriteRule ^(.*\.php)$ $1 [L]
 RewriteRule . index.php [L]
 # END WordPress Multisite
 {{- end }}
--- a/msmtp.conf.tmpl
+++ b/msmtp.conf.tmpl
@ -1,19 +0,0 @@
 account default
 host {{ env "SMTP_HOST" }}
 from {{ env "MAIL_FROM" }}
 user {{ or (env "SMTP_USER") (env "MAIL_FROM") }}
 port {{ env "SMTP_PORT" }}
 {{ if eq (env "SMTP_OVERRIDE_FROM") "on" }}
 set_from_header on
 {{ end }}
 {{ if eq (env "SMTP_AUTH") "on" }}
 auth {{ env "SMTP_AUTH" }}
 passwordeval "cat /run/secrets/smtp_password"
 {{ end }}
 {{ if eq (env "SMTP_TLS") "on" }}
 tls {{ env "SMTP_TLS" }}
 tls_trust_file /etc/ssl/certs/ca-certificates.crt
 {{ end }}
--- a/release/2.10.0+6.5.5
+++ b/release/2.10.0+6.5.5
@ -1 +0,0 @@
 Adds redirects and alakazam integration
--- a/release/2.13.2+6.7.1
+++ b/release/2.13.2+6.7.1
@ -1 +0,0 @@
 Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.
--- a/release/2.4.0+6.3.0
+++ b/release/2.4.0+6.3.0
@ -1 +0,0 @@
 The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.
--- a/release/2.7.0+6.4.2
+++ b/release/2.7.0+6.4.2
@ -1 +0,0 @@
 Multisite now also works with subpaths instead of subdomains. Also Multisite support was simplified. If you are using a subdomain multisite setup you can remove the `WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true);...` from your config and instead set MULTISITE=subdomain.
--- a/uploads.ini.tmpl
+++ b/uploads.ini.tmpl
@ -1,11 +0,0 @@
 {{ $upload_max_size := "256M" }}
 {{ if ne (env "UPLOAD_MAX_SIZE") "" }} {{ $upload_max_size = env "UPLOAD_MAX_SIZE" }} {{ end }}
 {{ $upload_max_time := "30" }}
 {{ if ne (env "UPLOAD_MAX_TIME") "" }} {{ $upload_max_time = env "UPLOAD_MAX_TIME" }} {{ end }}
 file_uploads = On
 upload_max_filesize =  {{ $upload_max_size }}
 post_max_size = {{ $upload_max_size }}
 memory_limit = {{ $upload_max_size }}
 max_execution_time = {{ $upload_max_time }}
 max_input_time = {{ $upload_max_time }}
--- a/users.conf.tmpl
+++ b/users.conf.tmpl
@ -1 +0,0 @@
 ftp_user:{{ secret "ftp_pass" }}:33:33
Author	SHA1	Message	Date
3wc	278cf74b5f	Run Drone on master branch	2020-09-25 02:31:25 +02:00
3wc	308b7e4811	Add .drone.yml	2020-09-25 02:26:38 +02:00
		`@ -1 +0,0 @@`
			`Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.`
		`@ -1 +0,0 @@`
			`The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.`
		`@ -1 +0,0 @@`
			Multisite now also works with subpaths instead of subdomains. Also Multisite support was simplified. If you are using a subdomain multisite setup you can remove the `WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true);...` from your config and instead set MULTISITE=subdomain.