restricts ownership changes to files still owned by root (e.g., from the image build). On subsequent restarts, files already owned by www-data are skipped entirely, avoiding a full recursive write cycle.

Reviewed-on: coop-cloud/wordpress#57

.drone.yml

@@ -21,9 +21,10 @@ steps:
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       PHP_UPLOADS_CONF_VERSION: v1
       ENTRYPOINT_CONF_VERSION: v1
+      HTACCESS_CONF_VERSION: v1
 trigger:
   branch:
-    - master
+    - main
 ---
 kind: pipeline
 name: generate recipe catalogue
@@ -36,7 +37,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,23 +1,36 @@
 TYPE=wordpress
-TIMEOUT=300
+#TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 COMPOSE_FILE="compose.yml"
-
-# Setup Wordpress settings on each deploy:
-#POST_DEPLOY_CMDS="app core_install"
+ENABLE_BACKUPS=true
 
 DOMAIN=wordpress.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress.example.com`'
+# Redirects
+# All redirect domains have to be added to EXTRA_DOMAINS as well)
+# multiple redirects can be added by seperating them with a | character
+#REDIRECTS=www.wordpress.example.com
 LETS_ENCRYPT_ENV=production
 
-TITLE="My Example Blog"
-LOCALE="en_US" # de_DE
-ADMIN_EMAIL=admin@example.com
+# Setup Wordpress settings on each deploy:
+#POST_DEPLOY_CMDS="app core_install"
+
+# Optional settings, otherwise can be set in the installer
+# (Required for `app core_install`
+#TITLE="My Example Blog"
+#LOCALE="en_US" # de_DE
+#ADMIN_EMAIL=admin@example.com
 
 # Every new user is per default subscriber, uncomment to change it
 #DEFAULT_USER_ROLE=administrator
 
+# PHP composer for plugin installation
+#COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
+
+# Self managed Wordpress for automatic updates
+#COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
+
 #WORDPRESS_DEBUG=true
 
 ## Additional extensions
@@ -29,13 +42,12 @@ SECRET_DB_PASSWORD_VERSION=v1
 # Mostly for compatibility with existing database dumps...
 #WORDPRESS_TABLE_PREFIX=wp_
 
-# Multisite
-#WORDPRESS_CONFIG_EXTRA="\
-#	define('WP_CACHE', false);\
-#	define('WP_ALLOW_MULTISITE', true );"
+# Multisite (see README)
+#MULTISITE=enable # either 'enable', 'subdomain' or 'subfolder'
 
-# Multisite phase 2 (see README)
-# WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true); define('SUBDOMAIN_INSTALL', true); define('DOMAIN_CURRENT_SITE', '${DOMAIN}'); define('PATH_CURRENT_SITE', '/');	define('SITE_ID_CURRENT_SITE', 1); define('BLOG_ID_CURRENT_SITE', 1); define('FORCE_SSL_ADMIN', true ); define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
+# File upload settings
+#UPLOAD_MAX_SIZE=256M
+#UPLOAD_MAX_TIME=30
 
 # Local SMTP relay
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
@@ -43,16 +55,42 @@ SECRET_DB_PASSWORD_VERSION=v1
 #MAIL_FROM="wordpress@example.com"
 
 # Remote SMTP relay
-#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml:compose.smtp.yml"
 #SMTP_HOST="mail.example.com"
 #MAIL_FROM="wordpress@example.com"
+#SMTP_USER="wordpress@example.com"  # optional, defaults to MAIL_FROM
+#SMTP_OVERRIDE_FROM=on  # force "From" to MAIL_FROM, usually necessary
 #SMTP_PORT=587
 #SMTP_AUTH=on
 #SMTP_TLS=on
 #SECRET_SMTP_PASSWORD_VERSION=v1
 
-# COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-# AUTHENTIK_DOMAIN=authentik.example.com
-# SECRET_AUTHENTIK_SECRET_VERSION=v1
-# SECRET_AUTHENTIK_ID_VERSION=v1
-# LOGIN_TYPE='auto'
+# Authentik SSO
+#COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+#AUTHENTIK_DOMAIN=authentik.example.com
+#SECRET_AUTHENTIK_SECRET_VERSION=v1
+#SECRET_AUTHENTIK_ID_VERSION=v1
+#LOGIN_TYPE='auto'
+
+# Matrix .well-known redirect
+#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
+#MATRIX_DOMAIN=matrix.example.com
+
+# Allow remote connections to db
+# 🚩🚩 dangerous, use only for development sites!
+#COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
+
+# Wide-open CORS
+# 🚩🚩 dangerous, use only for development sites!
+#CORS_ALLOW_ALL=1
+
+# FTP
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
+#SECRET_FTP_PASS_VERSION=v1
+# You can use a Port between 2220-2225
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2220.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2221.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"

.gitignore

@@ -1 +1,22 @@
+# direnv
 /.envrc
+
+# Environment files (may contain secrets)
+.env
+
+# Logs
+*.log
+
+# OS metadata
+.DS_Store
+Thumbs.db
+
+# Editor/IDE
+*.swp
+*.swo
+*~
+*.bak
+.idea/
+.vscode/
+.project
+.classpath

README.md

@@ -7,7 +7,7 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**: 3, stable
+* **Status**: 4
 * **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
@@ -47,16 +47,12 @@ AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authen
 
 ## Network (Multi-site)
 
-_(Only tested using subdomains)_
-
 1. Set up as above
-2. `abra app config <app-name>`, and uncomment the first `# Multisite` section
+2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
 3. `abra app deploy <app-name>`
 4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
 5. Don't worry about the suggested file changes
-6. `abra app config <app-name>` again - comment out the first `# Multisite`
-   section in `.envrc`, uncomment the `# Multisite phase 2` section, and add
-   your multisite subdomain(s) to `EXTRA_DOMAINS` (beware the weird syntax..)
+6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
 7. `abra app deploy <app-name>`
 
 ## Installing a custom theme

abra.sh

@@ -1,12 +1,25 @@
-export PHP_UPLOADS_CONF_VERSION=v3
-export ENTRYPOINT_CONF_VERSION=v3
+export PHP_UPLOADS_CONF_VERSION=v4
+export ENTRYPOINT_CONF_VERSION=v8
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
-export MSMTP_CONF_VERSION=v3
+export MSMTP_CONF_VERSION=v4
+export HTACCESS_CONF_VERSION=v3
+export USERS_CONF_VERSION=v1
 
 wp() {
     su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
 }
 
+update() {
+    wp "core update-db"
+    wp "plugin update --all"
+    wp "plugin auto-updates enable --all"
+    wp "theme update --all"
+    wp "theme auto-updates enable --all"
+    wp "language core update"
+    wp "language plugin update --all"
+    wp "language theme update --all"
+}
+
 core_install(){
     ADMIN=admin
     if [ -n "$AUTHENTIK_DOMAIN" ]
@@ -18,15 +31,27 @@ core_install(){
     wp "language core install $LOCALE"
     wp "site switch-language $LOCALE"
     wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
-    wp "plugin install --activate disable-update-notifications"
-    wp 'option update dwcun_setting on' 
     if [ -n "$DEFAULT_USER_ROLE" ]
     then
         wp "option set default_role $DEFAULT_USER_ROLE"
     else
         wp "option set default_role subscriber"
     fi
-    wp 'plugin auto-updates enable --all' || exit 0
+    wp "theme auto-updates enable --all"
+    wp 'plugin auto-updates enable --all' || true
+}
+
+enable_auto_updates(){
+  wp "plugin deactivate disable-update-notifications --allow-root"
+  wp "plugin uninstall disable-update-notifications --allow-root"
+  wp "option delete disable_notification_setting --allow-root"
+  wp "plugin auto-updates enable --all --allow-root"
+  wp "theme auto-updates enable --all --allow-root"
+}
+
+disable_auto_updates(){
+  wp "plugin install --activate disable-update-notifications"
+  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
 }
 
 set_authentik(){
@@ -38,6 +63,7 @@ set_authentik(){
     fi
     wp "user create akadmin admin@example.com --role=administrator"
     wp "plugin install --activate daggerhart-openid-connect-generic"
+    wp 'plugin auto-updates enable daggerhart-openid-connect-generic'
     wp "option update --format=json openid_connect_generic_settings '
     {
         \"login_type\":\"$LOGIN_TYPE\",
@@ -48,6 +74,8 @@ set_authentik(){
         \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
         \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
         \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
+        \"endpoint_jwks\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/jwks/\",
+        \"issuer\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/\",
         \"acr_values\":\"\",
         \"identity_key\":\"preferred_username\",
         \"no_sslverify\":\"0\",
@@ -76,76 +104,6 @@ fix_mysql() {
   echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
 }
 
-sub_wp() {
-  CONTAINER=$(docker container ls -f "Name=${STACK_NAME}_app" --format '{{ .ID }}')
-  if [ -z "$CONTAINER" ]; then
-    error "Can't find a container for ${STACK_NAME}_app"
-    exit
-  fi
-  debug "Using Container ID ${CONTAINER}"
-
-  # FIXME 3wc: we're fighting the Wordpress image, which recommends a named
-  # volume for /var/www/html -- this used to work fine using --volumes-from
-  # because the actual MySQL password was inserted into the generated
-  # wp-config.php -- but as of Wordpress 5.7.0, wp-config loads data straight
-  # from the environment, which requires Docker secrets to work, which only work
-  # in swarm services (not one-off `docker run` commands). Defining a `cli`
-  # service in compose.yml almost works, but there's no volumes_from: in Compose
-  # V3, and without it then the `cli` service can't access Wordpress core.
-  # See https://git.autonomic.zone/coop-cloud/wordpress/issues/21
-  warning "Slowly looking up MySQL password..."
-  silence
-  abra__service_="app"
-  DB_PASSWORD="$(sub_app_run cat "/run/secrets/db_password")"
-  unsilence
-
-  # shellcheck disable=SC2154,SC2086
-  docker run -it \
-	--volumes-from "$CONTAINER" \
-	--network "container:$CONTAINER" \
-	-u xfs:xfs \
-    -e WORDPRESS_DB_HOST=db \
-    -e WORDPRESS_DB_USER=wordpress \
-    -e WORDPRESS_DB_PASSWORD="${DB_PASSWORD}" \
-    -e WORDPRESS_DB_NAME=wordpress \
-    -e WORDPRESS_CONFIG_EXTRA="${WORDPRESS_CONFIG_EXTRA}" \
-	wordpress:cli wp ${abra__args_[*]}
-}
-
-abra_backup_app() {
-  _abra_backup_dir "app:/var/www/html/wp-content"
-}
-
-abra_backup_db() {
-  _abra_backup_mysql "db" "wordpress"
-}
-
-abra_backup() {
-  abra_backup_app && abra_backup_db
-}
-
-abra_restore_app() {
-  # shellcheck disable=SC2034
-  {
-	abra__src_="-"
-	abra__dst_="app:/var/www/html/"
-  }
-
-  zcat "$@" | sub_app_cp
-
-  success "Restored 'app'"
-}
-
-abra_restore_db() {
-  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
-  # got this far..
-
-  # shellcheck disable=SC2034
-  abra___no_tty="true"
-
-  DB_ROOT_PASSWORD=$(sub_app_run cat /run/secrets/db_root_password)
-
-  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
-
-  success "Restored 'db'"
+show_plugins() {
+  wp "plugin list --fields=name,status,wporg_status,version,update_version,auto_update,tested_up_to,wporg_last_updated"
 }

alaconnect.yml

@@ -0,0 +1,16 @@
+authentik:
+    uncomment:
+        - compose.authentik.yml
+        - AUTHENTIK_DOMAIN
+        - SECRET_AUTHENTIK_SECRET_VERSION
+        - SECRET_AUTHENTIK_ID_VERSION
+        - LOGIN_TYPE
+    inital-hooks:
+        - app set_authentik
+    shared_secrets:
+        wordpress_secret: authentik_secret
+        wordpress_id: authentik_id
+matrix:
+    uncomment:
+        - compose.matrix.yml
+        - MATRIX_DOMAIN

compose.composer.yml

@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - "composer:/var/www/html/composer"
+    environment:
+      - ENABLE_COMPOSER=1
+      - COMPOSER=composer/composer.json
+      - COMPOSER_VENDOR_DIR=composer/vendor
+
+volumes:
+  composer:

compose.ftp-2220.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2220:22

compose.ftp-2221.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2221:22

compose.ftp-2222.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2222:22

compose.ftp-2223.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2223:22

compose.ftp-2224.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2224:22

compose.ftp-2225.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+        - 2220:22

compose.ftp.yml

@@ -0,0 +1,24 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    image: atmoz/sftp:alpine
+    secrets:
+      - ftp_pass
+    volumes:
+      - "wordpress_content:/home/ftp_user/wp-content"
+    configs:
+      - source: users_conf
+        target: /etc/sftp/users.conf
+
+secrets:
+  ftp_pass:
+    name: ${STACK_NAME}_ftp_pass_${SECRET_FTP_PASS_VERSION}
+    external: true
+
+configs:
+  users_conf:
+    name: ${STACK_NAME}_users_conf_${USERS_CONF_VERSION}
+    file: users.conf.tmpl
+    template_driver: golang

compose.matrix.yml

@@ -0,0 +1,10 @@
+---
+version: "3.8"
+
+services:
+  app:
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"

compose.public-db.yml

@@ -0,0 +1,9 @@
+---
+version: "3.8"
+
+services:
+  db:
+    ports:
+      - target: 3306
+        published: 3306
+        mode: host

compose.selfmanaged.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: "wordpress:latest"
+    volumes:
+      - "wordpress:/var/www/html/"
+    environment:
+      WORDPRESS_CONFIG_EXTRA: |
+        define( 'AUTOMATIC_UPDATER_DISABLED', false );
+        define( 'WP_AUTO_UPDATE_CORE', true );
+        define( 'FS_METHOD', 'direct' );
+        ${WORDPRESS_CONFIG_EXTRA}
+
+  ftp:
+    volumes:
+      - "wordpress:/home/ftp_user/"
+
+volumes:
+  wordpress:

compose.smtp.yml

@@ -6,11 +6,12 @@ services:
     secrets:
       - smtp_password
     environment:
-      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_HOST
       - SMTP_PORT=${SMTP_PORT:-25}
-      - SMTP_AUTH=${SMTP_AUTH}
-      - SMTP_TLS=${SMTP_TLS}
-      - MAIL_FROM=${MAIL_FROM}
+      - SMTP_AUTH
+      - SMTP_TLS
+      - MAIL_FROM
+      - SMTP_OVERRIDE_FROM
 
 secrets:
   smtp_password:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:6.3.0"
+    image: "wordpress:6.9.4"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
@@ -21,6 +21,8 @@ services:
       WORDPRESS_DB_NAME: wordpress
       WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
       PHP_EXTENSIONS: ${PHP_EXTENSIONS}
+      CORS_ALLOW_ALL:
+      COMPOSER:
     secrets:
       - db_password
     configs:
@@ -29,6 +31,8 @@ services:
       - source: entrypoint_conf
         target: /docker-entrypoint.sh
         mode: 0555
+      - source: htaccess_conf
+        target: /var/www/html/.htaccess
     entrypoint: /docker-entrypoint.sh
     depends_on:
       - db
@@ -44,7 +48,7 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.routers.${STACK_NAME}.tls=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
@@ -53,13 +57,15 @@ services:
         #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/var/www/html"
-        - "coop-cloud.${STACK_NAME}.version=2.4.1+6.3.0"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
+        - "coop-cloud.${STACK_NAME}.version=2.19.2+6.9.4"
 
   db:
-    image: "mariadb:11.0"
+    image: "mariadb:12.2"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -74,12 +80,10 @@ services:
       - db_root_password
     deploy:
       labels:
-        backupbot.backup: "true"
-        backupbot.backup.path: "/tmp/dump.sql.gz"
-        backupbot.backup.pre-hook: "sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /tmp/dump.sql.gz'"
-        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
-        backupbot.restore: "true"
-        backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /tmp/dbdump.sql && rm -f /tmp/dbdump.sql'"
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz"
+        backupbot.backup.volumes.mariadb.path: "dump.sql.gz"
+        backupbot.restore.post-hook: "gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql"
 
 networks:
   backend:
@@ -105,4 +109,9 @@ configs:
     template_driver: golang
   php_uploads_conf:
     name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
-    file: uploads.ini
+    file: uploads.ini.tmpl
+    template_driver: golang
+  htaccess_conf:
+    name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
+    file: htaccess.tmpl
+    template_driver: golang

entrypoint.sh.tmpl

@@ -7,6 +7,55 @@ docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
 curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 chmod +x /usr/local/bin/wp
 
+{{ if eq (env "ENABLE_COMPOSER") "1" }}
+mkdir -p /var/www/.composer
+chown www-data:www-data /var/www/.composer /var/www/html/composer
+
+curl https://getcomposer.org/installer -o /tmp/composer-setup.php
+php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
+php /tmp/composer-setup.php
+rm /tmp/composer-setup.php
+
+mv /var/www/html/composer.phar /usr/local/bin/composer
+{{ end }}
+
+{{ if eq (env "CORS_ALLOW_ALL") "1" }}
+a2enmod headers
+sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
+{{ end }}
+
+{{ if eq (env "MULTISITE") "enable" }}
+export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
+define('WP_CACHE', false);
+define('WP_ALLOW_MULTISITE', true );"
+{{ end }}
+
+{{ if or (eq (env "MULTISITE") "subdomain") (eq (env "MULTISITE") "subfolder") }}
+export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
+define('MULTISITE', true);
+define('SUBDOMAIN_INSTALL', true);
+define('DOMAIN_CURRENT_SITE', '${DOMAIN}');
+define('PATH_CURRENT_SITE', '/');
+define('SITE_ID_CURRENT_SITE', 1);
+define('BLOG_ID_CURRENT_SITE', 1);
+define('FORCE_SSL_ADMIN', true );
+define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
+{{ end }}
+
+
+UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
+if [ ! -f "$UPLOADS_HTACCESS" ]; then
+    mkdir -p /var/www/html/wp-content/uploads
+    cat > "$UPLOADS_HTACCESS" <<'EOF'
+# Prevent PHP execution in uploads directory
+<FilesMatch "\.(?i:php|phtml|phar)$">
+    Require all denied
+</FilesMatch>
+EOF
+fi
+
+chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
+
 if [ -n "$@" ]; then
 	"$@"
 fi

htaccess.tmpl

@@ -0,0 +1,62 @@
+# Protect sensitive files from direct access
+<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
+    Require all denied
+</FilesMatch>
+
+{{ if eq (env "MULTISITE") "" -}}
+# BEGIN WordPress
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+
+# END WordPress
+{{- end -}}
+
+{{- if eq (env "MULTISITE") "subfolder" -}}
+# BEGIN WordPress Multisite
+# Using subfolder network type: https://wordpress.org/documentation/article/htaccess/#multisite
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+
+# add a trailing slash to /wp-admin
+RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
+
+RewriteCond %{REQUEST_FILENAME} -f [OR]
+RewriteCond %{REQUEST_FILENAME} -d
+RewriteRule ^ - [L]
+RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
+RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
+RewriteRule . index.php [L]
+
+# END WordPress Multisite
+{{- end -}}
+
+{{- if eq (env "MULTISITE") "subdomain" -}}
+# BEGIN WordPress Multisite
+# Using subdomain network type: https://wordpress.org/documentation/article/htaccess/#multisite
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+
+# add a trailing slash to /wp-admin
+RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
+
+RewriteCond %{REQUEST_FILENAME} -f [OR]
+RewriteCond %{REQUEST_FILENAME} -d
+RewriteRule ^ - [L]
+RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
+RewriteRule ^(.*\.php)$ $1 [L]
+RewriteRule . index.php [L]
+
+# END WordPress Multisite
+{{- end }}

msmtp.conf.tmpl

@@ -1,9 +1,13 @@
 account default
 host {{ env "SMTP_HOST" }}
 from {{ env "MAIL_FROM" }}
-user {{ env "MAIL_FROM" }}
+user {{ or (env "SMTP_USER") (env "MAIL_FROM") }}
 port {{ env "SMTP_PORT" }}
 
+{{ if eq (env "SMTP_OVERRIDE_FROM") "on" }}
+set_from_header on
+{{ end }}
+
 {{ if eq (env "SMTP_AUTH") "on" }}
 auth {{ env "SMTP_AUTH" }}
 passwordeval "cat /run/secrets/smtp_password"

release/2.10.0+6.5.5

@@ -0,0 +1 @@
+Adds redirects and alakazam integration

release/2.13.2+6.7.1

@@ -0,0 +1 @@
+Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.

release/2.17.1+6.9.0

@@ -0,0 +1 @@
+Breaking change for openid plugin: The issuer must be provided, thus the set_authentik function now includes issuer and endpoint_jwks.

release/2.7.0+6.4.2

@@ -0,0 +1 @@
+Multisite now also works with subpaths instead of subdomains. Also Multisite support was simplified. If you are using a subdomain multisite setup you can remove the `WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true);...` from your config and instead set MULTISITE=subdomain.

renovate.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:recommended"
   ]
 }

uploads.ini

@@ -1,3 +0,0 @@
-file_uploads = On
-upload_max_filesize = 256M
-post_max_size = 256M

uploads.ini.tmpl

@@ -0,0 +1,11 @@
+{{ $upload_max_size := "256M" }}
+{{ if ne (env "UPLOAD_MAX_SIZE") "" }} {{ $upload_max_size = env "UPLOAD_MAX_SIZE" }} {{ end }}
+{{ $upload_max_time := "30" }}
+{{ if ne (env "UPLOAD_MAX_TIME") "" }} {{ $upload_max_time = env "UPLOAD_MAX_TIME" }} {{ end }}
+
+file_uploads = On
+upload_max_filesize =  {{ $upload_max_size }}
+post_max_size = {{ $upload_max_size }}
+memory_limit = {{ $upload_max_size }}
+max_execution_time = {{ $upload_max_time }}
+max_input_time = {{ $upload_max_time }}

users.conf.tmpl

@@ -0,0 +1 @@
+ftp_user:{{ secret "ftp_pass" }}:33:33