---
version: "3.8"

services:
  app:
    image: "wordpress:6.5.3"
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    networks:
      - backend
      - proxy
    environment:
      WORDPRESS_CONFIG_EXTRA: |
            define( 'AUTOMATIC_UPDATER_DISABLED', false );
            define( 'WP_AUTO_UPDATE_CORE', false );
            ${WORDPRESS_CONFIG_EXTRA}
      PAGER: more
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
      PHP_EXTENSIONS: ${PHP_EXTENSIONS}
      CORS_ALLOW_ALL:
      COMPOSER:
    secrets:
      - db_password
    configs:
      - source: php_uploads_conf
        target: /usr/local/etc/php/conf.d/uploads.ini
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
      - source: htaccess_conf
        target: /var/www/html/.htaccess
    entrypoint: /docker-entrypoint.sh
    depends_on:
      - db
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.${STACK_NAME}.tls=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        # 3wc: this rule works for routing, but not for generating certificates
        # see https://git.autonomic.zone/coop-cloud/planning/issues/14
        #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
        - "backupbot.backup=true"
        - "backupbot.backup.path=/var/www/html"
        - "coop-cloud.${STACK_NAME}.version=2.9.1+6.5.3"

  db:
    image: "mariadb:11.3"
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
      - backend
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
    secrets:
      - db_password
      - db_root_password
    deploy:
      labels:
        backupbot.backup: "true"
        backupbot.backup.pre-hook: "sh -c 'mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz'"
        backupbot.backup.path: "/var/lib/mysql/dump.sql.gz"
        backupbot.backup.post-hook: "rm -f /var/lib/mysql/dump.sql.gz"
        backupbot.restore: "true"
        backupbot.restore.post-hook: "sh -c 'gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql'"

networks:
  backend:
  proxy:
    external: true

volumes:
  mariadb:
  wordpress_content:

secrets:
  db_root_password:
    external: true
    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}

configs:
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
  php_uploads_conf:
    name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
    file: uploads.ini
  htaccess_conf:
    name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
    file: htaccess.tmpl
    template_driver: golang