Add AUTO_UPDATES docs to README

Reviewed-on: coop-cloud/wordpress#64

.drone.yml

@@ -1,29 +1,50 @@
 ---
 kind: pipeline
-name: deploy to swarm-test.autonomic.zone
+name: test
+
 steps:
-  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-    settings:
-      host: swarm-test.autonomic.zone
-      stack: wordpress
-      generate_secrets: true
-      purge: true
-      deploy_key:
-        from_secret: drone_ssh_swarm_test
-      networks:
-        - proxy
+  - name: test
+    image: alpine:3.21
     environment:
-      DOMAIN: wordpress.swarm-test.autonomic.zone
-      STACK_NAME: wordpress
-      LETS_ENCRYPT_ENV: production
-      SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_DB_ROOT_PASSWORD_VERSION: v1
-      PHP_UPLOADS_CONF_VERSION: v1
-      ENTRYPOINT_CONF_VERSION: v1
+      SHELLCHECK_OPTS: -s bash
+    commands:
+      - apk add --no-cache bash shellcheck py3-yaml curl
+      - curl -sSLo /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v5.0.0/gomplate_linux-amd64
+      - chmod +x /usr/local/bin/gomplate
+      - tests/run.sh
+
+  # deployment step disabled: swarm-test.autonomic.zone is down
+  # - name: deployment
+  #   image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+  #   when:
+  #     event:
+  #       - push
+  #     branch:
+  #       - main
+  #   settings:
+  #     host: swarm-test.autonomic.zone
+  #     stack: wordpress
+  #     generate_secrets: true
+  #     purge: true
+  #     deploy_key:
+  #       from_secret: drone_ssh_swarm_test
+  #     networks:
+  #       - proxy
+  #   environment:
+  #     DOMAIN: wordpress.swarm-test.autonomic.zone
+  #     STACK_NAME: wordpress
+  #     LETS_ENCRYPT_ENV: production
+  #     SECRET_DB_PASSWORD_VERSION: v1
+  #     SECRET_DB_ROOT_PASSWORD_VERSION: v1
+  #     PHP_UPLOADS_CONF_VERSION: v1
+  #     ENTRYPOINT_CONF_VERSION: v1
+  #     HTACCESS_CONF_VERSION: v1
 trigger:
+  event:
+    - push
+    - pull_request
   branch:
-    - master
+    - main
 ---
 kind: pipeline
 name: generate recipe catalogue
@@ -36,7 +57,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,16 +1,28 @@
 TYPE=wordpress
-TIMEOUT=300
+#TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 COMPOSE_FILE="compose.yml"
+ENABLE_BACKUPS=true
 
 DOMAIN=wordpress.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress.example.com`'
+# Redirects
+# All redirect domains have to be added to EXTRA_DOMAINS as well)
+# multiple redirects can be added by seperating them with a | character
+#REDIRECTS=www.wordpress.example.com
 LETS_ENCRYPT_ENV=production
 
 # Setup Wordpress settings on each deploy:
 #POST_DEPLOY_CMDS="app core_install"
 
+# Automatically install WordPress on first deploy (requires TITLE and ADMIN_EMAIL)
+#AUTO_INSTALL=1
+
+# Enable auto-updates for plugins and themes on install/deploy (default: on)
+# Set to 0 to disable automatic plugin/theme updates
+#AUTO_UPDATES=1
+
 # Optional settings, otherwise can be set in the installer
 # (Required for `app core_install`
 #TITLE="My Example Blog"
@@ -23,6 +35,9 @@ LETS_ENCRYPT_ENV=production
 # PHP composer for plugin installation
 #COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
 
+# Self managed Wordpress for automatic updates
+#COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
+
 #WORDPRESS_DEBUG=true
 
 ## Additional extensions
@@ -30,6 +45,7 @@ LETS_ENCRYPT_ENV=production
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_ADMIN_PASSWORD_VERSION=v1
 
 # Mostly for compatibility with existing database dumps...
 #WORDPRESS_TABLE_PREFIX=wp_
@@ -37,6 +53,10 @@ SECRET_DB_PASSWORD_VERSION=v1
 # Multisite (see README)
 #MULTISITE=enable # either 'enable', 'subdomain' or 'subfolder'
 
+# File upload settings
+#UPLOAD_MAX_SIZE=256M
+#UPLOAD_MAX_TIME=30
+
 # Local SMTP relay
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
 #SMTP_HOST="postfix_relay_app"
@@ -60,6 +80,10 @@ SECRET_DB_PASSWORD_VERSION=v1
 #SECRET_AUTHENTIK_ID_VERSION=v1
 #LOGIN_TYPE='auto'
 
+# Matrix .well-known redirect
+#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
+#MATRIX_DOMAIN=matrix.example.com
+
 # Allow remote connections to db
 # 🚩🚩 dangerous, use only for development sites!
 #COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
@@ -67,3 +91,17 @@ SECRET_DB_PASSWORD_VERSION=v1
 # Wide-open CORS
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
+
+# Disable the WordPress web installer (useful when migrating/importing a DB dump)
+#DISABLE_WEB_INSTALLER=1
+
+# FTP
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
+#SECRET_FTP_PASS_VERSION=v1
+# You can use a Port between 2220-2225
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2220.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2221.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"

.gitignore

@@ -1 +1,22 @@
+# direnv
 /.envrc
+
+# Environment files (may contain secrets)
+.env
+
+# Logs
+*.log
+
+# OS metadata
+.DS_Store
+Thumbs.db
+
+# Editor/IDE
+*.swp
+*.swo
+*~
+*.bak
+.idea/
+.vscode/
+.project
+.classpath

README.md

@@ -7,57 +7,72 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**: 3, stable
+* **Status**: 4
 * **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: 3
 * **Tests**: 2
-* **SSO**: No
+* **SSO**: 2
 
 <!-- endmetadata -->
 
-
 ## Quick start
 
-
 * `abra app new wordpress`
 * `abra app config <app-name>`
 * `abra app secret generate -a <app-name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app-name> app core_install`
 
-### Authentik Integration
+### Admin password
 
+By default, WordPress generates a random admin password during `core_install` and prints it
+to the command output. To set a known password managed as a Docker secret:
 
-`abra app config <app-name>` 
-Configure the following envs:
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-AUTHENTIK_DOMAIN=authentik.example.com
-AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
-AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
-```
-
-`abra app cmd <app-name> app set_authentik`
-
-## Running WP-CLI
-
-`abra app cmd <app-name> app wp -- core check-update --major`
-
-## Network (Multi-site)
-
-1. Set up as above
-2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+1. Uncomment `SECRET_ADMIN_PASSWORD_VERSION=v1` in your app config
+2. `abra app secret generate -a <app-name>` (creates a random password)
 3. `abra app deploy <app-name>`
-4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
-5. Don't worry about the suggested file changes
-6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
-7. `abra app deploy <app-name>`
+4. `abra app cmd <app-name> app core_install`
 
-## Installing a custom theme
+The password is stored in `<app-name>_admin_password_v1` — you can view it with
+`abra app secret show <app-name> admin_password`.
 
-`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+### Auto-install on first deploy
+
+To skip the manual `abra app cmd ... core_install` step, enable auto-install:
+
+1. Set `AUTO_INSTALL=1` in your app config
+2. Uncomment `TITLE` and `ADMIN_EMAIL` (also `LOCALE` if needed)
+3. (Optional) Uncomment `SECRET_ADMIN_PASSWORD_VERSION=v1` and run `abra app secret generate`
+4. `abra app deploy <app-name>`
+
+On first deploy, the container will wait for the database, then automatically run
+`wp core install` and configure the site. It only runs once — subsequent deploys detect
+WordPress is already installed and skip.
+
+### Plugin and theme auto-updates
+
+By default, plugin and theme auto-updates are enabled during install and deploy.
+To disable this:
+
+1. Set `AUTO_UPDATES=0` in your app config
+2. `abra app deploy <app-name>`
+
+This affects `abra app cmd <app-name> app core_install`, `abra app cmd <app-name> app update`,
+and the `AUTO_INSTALL` background process.
+
+## Disable the web installer
+
+When migrating a site (importing a DB dump from an existing install), the web-based
+WordPress installer at `wp-admin/install.php` is a security risk — someone could
+accidentally run it and overwrite your data. To block it:
+
+1. Set `DISABLE_WEB_INSTALLER=1` in your app config
+2. `abra app deploy <app-name>`
+
+Apache inside the container will deny all requests to `wp-admin/install.php`. The CLI-based
+`abra app cmd <app-name> app core_install` still works unaffected.
 
 ## Email
 
@@ -74,6 +89,70 @@ Below are the instructions for the local relay.
    `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
 3. `abra app deploy <app-name>`
 
+## WP-CLI
+
+You can either run using `abra app cmd`:
+```bash
+abra app cmd <app-name> app wp -- core check-update --major
+```
+
+Or by entering the app shell:
+1. `abra app run <app-name> app bash`
+2. `su -s /bin/bash www-data -c "wp core check-update --major"`
+
+## Network (Multi-site)
+
+1. Set up as above
+2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+3. `abra app deploy <app-name>`
+4. Log into the WordPress admin dashboard, go to **Tools → Network Setup**
+5. Don't worry about the suggested file changes
+6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
+7. `abra app deploy <app-name>`
+
+## Installing a custom theme
+
+`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+
+## Authentik Integration
+
+Configure the following envs via `abra app config <app-name>`:
+```bash
+COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+AUTHENTIK_DOMAIN=authentik.example.com
+AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
+AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
+```
+
+`abra app cmd <app-name> app set_authentik`
+
+## Tests
+
+Run the full test suite for this repository:
+
+```sh
+bash tests/run.sh
+```
+
+### Prerequisites
+
+The test suite uses several tools. Install them with your equivalent of:
+
+```sh
+brew install shellcheck gomplate
+```
+Some tests skip gracefully if their dependencies are missing.
+
+## Migrate from a non-Co-op Cloud WordPress install
+
+Make a `.tar.gz` backup of the site's `wp-content` dir and a `.sql.gz` backup of the database.
+
+1. `abra app wp.example.com restore app wp-content.tar.gz`
+2. `abra app wp.example.com restore db wordpress.sql.gz`
+
+Lastly, if there's a domain name change, run a search and replace:
+`abra app wp.example.com wp "search-replace https://old.example.com https://wp.example.com"`
+
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
-[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik
+[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/postfix-relay

abra.sh

@@ -1,11 +1,27 @@
-export PHP_UPLOADS_CONF_VERSION=v3
-export ENTRYPOINT_CONF_VERSION=v7
+export PHP_UPLOADS_CONF_VERSION=v4
+export ENTRYPOINT_CONF_VERSION=v10
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
-export HTACCESS_CONF_VERSION=v2
+export HTACCESS_CONF_VERSION=v3
+export USERS_CONF_VERSION=v1
 
 wp() {
-    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $*"
+}
+
+update() {
+    wp "core update-db"
+    wp "plugin update --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "plugin auto-updates enable --all"
+    fi
+    wp "theme update --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "theme auto-updates enable --all"
+    fi
+    wp "language core update"
+    wp "language plugin update --all"
+    wp "language theme update --all"
 }
 
 core_install(){
@@ -15,19 +31,38 @@ core_install(){
         ADMIN=akadmin
     fi
     chown www-data:www-data -R /var/www/html/wp-content
-    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email"
+    ADMIN_PASSWORD=$(cat /run/secrets/admin_password 2>/dev/null | xargs || true)
+    ADMIN_PASS_ARG=""
+    if [ -n "$ADMIN_PASSWORD" ]; then
+        ADMIN_PASS_ARG="--admin_password=$ADMIN_PASSWORD"
+    fi
+    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email $ADMIN_PASS_ARG"
     wp "language core install $LOCALE"
     wp "site switch-language $LOCALE"
     wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
-    wp "plugin install --activate disable-update-notifications"
-    wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
     if [ -n "$DEFAULT_USER_ROLE" ]
     then
         wp "option set default_role $DEFAULT_USER_ROLE"
     else
         wp "option set default_role subscriber"
     fi
-    wp 'plugin auto-updates enable --all' || exit 0
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "theme auto-updates enable --all"
+        wp 'plugin auto-updates enable --all' || true
+    fi
+}
+
+enable_auto_updates(){
+  wp "plugin deactivate disable-update-notifications --allow-root"
+  wp "plugin uninstall disable-update-notifications --allow-root"
+  wp "option delete disable_notification_setting --allow-root"
+  wp "plugin auto-updates enable --all --allow-root"
+  wp "theme auto-updates enable --all --allow-root"
+}
+
+disable_auto_updates(){
+  wp "plugin install --activate disable-update-notifications"
+  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
 }
 
 set_authentik(){
@@ -39,6 +74,7 @@ set_authentik(){
     fi
     wp "user create akadmin admin@example.com --role=administrator"
     wp "plugin install --activate daggerhart-openid-connect-generic"
+    wp 'plugin auto-updates enable daggerhart-openid-connect-generic'
     wp "option update --format=json openid_connect_generic_settings '
     {
         \"login_type\":\"$LOGIN_TYPE\",
@@ -49,6 +85,8 @@ set_authentik(){
         \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
         \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
         \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
+        \"endpoint_jwks\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/jwks/\",
+        \"issuer\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/\",
         \"acr_values\":\"\",
         \"identity_key\":\"preferred_username\",
         \"no_sslverify\":\"0\",
@@ -76,3 +114,7 @@ set_authentik(){
 fix_mysql() {
   echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
 }
+
+show_plugins() {
+  wp "plugin list --fields=name,status,wporg_status,version,update_version,auto_update,tested_up_to,wporg_last_updated"
+}

alaconnect.yml

@@ -0,0 +1,16 @@
+authentik:
+    uncomment:
+        - compose.authentik.yml
+        - AUTHENTIK_DOMAIN
+        - SECRET_AUTHENTIK_SECRET_VERSION
+        - SECRET_AUTHENTIK_ID_VERSION
+        - LOGIN_TYPE
+    inital-hooks:
+        - app set_authentik
+    shared_secrets:
+        wordpress_secret: authentik_secret
+        wordpress_id: authentik_id
+matrix:
+    uncomment:
+        - compose.matrix.yml
+        - MATRIX_DOMAIN

compose.ftp-2220.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2220:22

compose.ftp-2221.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2221:22

compose.ftp-2222.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2222:22

compose.ftp-2223.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2223:22

compose.ftp-2224.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2224:22

compose.ftp-2225.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2220:22

compose.ftp.yml

@@ -0,0 +1,24 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    image: atmoz/sftp:alpine
+    secrets:
+      - ftp_pass
+    volumes:
+      - "wordpress_content:/home/ftp_user/wp-content"
+    configs:
+      - source: users_conf
+        target: /etc/sftp/users.conf
+
+secrets:
+  ftp_pass:
+    name: ${STACK_NAME}_ftp_pass_${SECRET_FTP_PASS_VERSION}
+    external: true
+
+configs:
+  users_conf:
+    name: ${STACK_NAME}_users_conf_${USERS_CONF_VERSION}
+    file: users.conf.tmpl
+    template_driver: golang

compose.matrix.yml

@@ -0,0 +1,10 @@
+---
+version: "3.8"
+
+services:
+  app:
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"

compose.selfmanaged.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: "wordpress:7.0.0"
+    volumes:
+      - "wordpress:/var/www/html/"
+    environment:
+      WORDPRESS_CONFIG_EXTRA: |
+        define( 'AUTOMATIC_UPDATER_DISABLED', false );
+        define( 'WP_AUTO_UPDATE_CORE', true );
+        define( 'FS_METHOD', 'direct' );
+        ${WORDPRESS_CONFIG_EXTRA}
+
+  ftp:
+    volumes:
+      - "wordpress:/home/ftp_user/"
+
+volumes:
+  wordpress:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:6.4.2"
+    image: "wordpress:7.0.0"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
@@ -22,9 +22,14 @@ services:
       WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
       PHP_EXTENSIONS: ${PHP_EXTENSIONS}
       CORS_ALLOW_ALL:
+      DISABLE_WEB_INSTALLER:
+      AUTO_INSTALL:
+      AUTO_UPDATES:
       COMPOSER:
+      SECRET_ADMIN_PASSWORD_VERSION:
     secrets:
       - db_password
+      - admin_password
     configs:
       - source: php_uploads_conf
         target: /usr/local/etc/php/conf.d/uploads.ini
@@ -48,7 +53,7 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.routers.${STACK_NAME}.tls=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
@@ -57,13 +62,15 @@ services:
         #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/var/www/html"
-        - "coop-cloud.${STACK_NAME}.version=2.7.2+6.4.2"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
+        - "coop-cloud.${STACK_NAME}.version=3.0.0+7.0.0"
 
   db:
-    image: "mariadb:11.2"
+    image: "mariadb:12.3"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -78,12 +85,10 @@ services:
       - db_root_password
     deploy:
       labels:
-        backupbot.backup: "true"
-        backupbot.backup.pre-hook: "sh -c 'mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz'"
-        backupbot.backup.path: "/var/lib/mysql/dump.sql.gz"
-        backupbot.backup.post-hook: "rm -f /var/lib/mysql/dump.sql.gz"
-        backupbot.restore: "true"
-        backupbot.restore.post-hook: "sh -c 'gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql'"
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz"
+        backupbot.backup.volumes.mariadb.path: "dump.sql.gz"
+        backupbot.restore.post-hook: "gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql"
 
 networks:
   backend:
@@ -101,6 +106,9 @@ secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  admin_password:
+    external: true
+    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
 
 configs:
   entrypoint_conf:
@@ -109,7 +117,8 @@ configs:
     template_driver: golang
   php_uploads_conf:
     name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
-    file: uploads.ini
+    file: uploads.ini.tmpl
+    template_driver: golang
   htaccess_conf:
     name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
     file: htaccess.tmpl

entrypoint.sh.tmpl

@@ -1,13 +1,13 @@
 #!/bin/bash
 
-{{ if (env "PHP_EXTENSIONS") }}
-docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
+{{ if (getenv "PHP_EXTENSIONS") }}
+docker-php-ext-install {{ getenv "PHP_EXTENSIONS" }}
 {{ end }}
 
 curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 chmod +x /usr/local/bin/wp
 
-{{ if eq (env "ENABLE_COMPOSER") "1" }}
+{{ if eq (getenv "ENABLE_COMPOSER") "1" }}
 mkdir -p /var/www/.composer
 chown www-data:www-data /var/www/.composer /var/www/html/composer
 
@@ -19,18 +19,26 @@ rm /tmp/composer-setup.php
 mv /var/www/html/composer.phar /usr/local/bin/composer
 {{ end }}
 
-{{ if eq (env "CORS_ALLOW_ALL") "1" }}
+{{ if eq (getenv "CORS_ALLOW_ALL") "1" }}
 a2enmod headers
 sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
 {{ end }}
 
-{{ if eq (env "MULTISITE") "enable" }}
+{{ if eq (getenv "DISABLE_WEB_INSTALLER") "1" }}
+cat > /etc/apache2/conf-enabled/disable-installer.conf <<'EOF'
+<LocationMatch "^/wp-admin/install\.php">
+    Require all denied
+</LocationMatch>
+EOF
+{{ end }}
+
+{{ if eq (getenv "MULTISITE") "enable" }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('WP_CACHE', false);
 define('WP_ALLOW_MULTISITE', true );"
 {{ end }}
 
-{{ if or (eq (env "MULTISITE") "subdomain") (eq (env "MULTISITE") "subfolder") }}
+{{ if or (eq (getenv "MULTISITE") "subdomain") (eq (getenv "MULTISITE") "subfolder") }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('MULTISITE', true);
 define('SUBDOMAIN_INSTALL', true);
@@ -42,7 +50,79 @@ define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}
 
-if [ -n "$@" ]; then
+
+UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
+if [ ! -f "$UPLOADS_HTACCESS" ]; then
+    mkdir -p /var/www/html/wp-content/uploads
+    cat > "$UPLOADS_HTACCESS" <<'EOF'
+# Prevent PHP execution in uploads directory
+<FilesMatch "\.(?i:php|phtml|phar)$">
+    Require all denied
+</FilesMatch>
+EOF
+fi
+
+chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
+
+{{ if eq (getenv "AUTO_INSTALL") "1" }}
+(
+  DOMAIN="{{ getenv "DOMAIN" }}"
+  TITLE="{{ getenv "TITLE" }}"
+  ADMIN_EMAIL="{{ getenv "ADMIN_EMAIL" }}"
+  LOCALE="{{ getenv "LOCALE" }}"
+  DEFAULT_USER_ROLE="{{ getenv "DEFAULT_USER_ROLE" }}"
+  AUTO_UPDATES="{{ getenv "AUTO_UPDATES" }}"
+
+  # Wait for wp-config.php (created by upstream entrypoint)
+  for _ in $(seq 1 30); do
+    if [ -f /var/www/html/wp-config.php ]; then
+      break
+    fi
+    sleep 2
+  done
+
+  # Wait for DB to be reachable
+  for _ in $(seq 1 60); do
+    if su -p www-data -s /bin/bash -c "/usr/local/bin/wp db check" 2>/dev/null; then
+      break
+    fi
+    sleep 2
+  done
+
+  # Skip if already installed or required vars missing
+  if su -p www-data -s /bin/bash -c "/usr/local/bin/wp core is-installed" 2>/dev/null; then
+    exit 0
+  fi
+  if [ -z "$TITLE" ] || [ -z "$ADMIN_EMAIL" ]; then
+    exit 0
+  fi
+
+  ADMIN="admin"
+  ADMIN_PASSWORD=$(cat /run/secrets/admin_password 2>/dev/null | xargs || true)
+  ADMIN_PASS_ARG=""
+  if [ -n "$ADMIN_PASSWORD" ]; then
+    ADMIN_PASS_ARG="--admin_password=$ADMIN_PASSWORD"
+  fi
+
+  su -p www-data -s /bin/bash -c "/usr/local/bin/wp core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email $ADMIN_PASS_ARG"
+  if [ -n "$LOCALE" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp language core install $LOCALE"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp site switch-language $LOCALE"
+  fi
+  su -p www-data -s /bin/bash -c "/usr/local/bin/wp rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+  if [ -n "$DEFAULT_USER_ROLE" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp option set default_role $DEFAULT_USER_ROLE"
+  else
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp option set default_role subscriber"
+  fi
+  if [ "$AUTO_UPDATES" != "0" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp theme auto-updates enable --all"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp plugin auto-updates enable --all" || true
+  fi
+) &
+{{ end }}
+
+if [ $# -gt 0 ]; then
 	"$@"
 fi
 

htaccess.tmpl

@@ -1,4 +1,9 @@
-{{ if eq (env "MULTISITE") "" -}}
+# Protect sensitive files from direct access
+<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
+    Require all denied
+</FilesMatch>
+
+{{ if eq (getenv "MULTISITE") "" -}}
 # BEGIN WordPress
 
 RewriteEngine On
@@ -12,7 +17,7 @@ RewriteRule . /index.php [L]
 # END WordPress
 {{- end -}}
 
-{{- if eq (env "MULTISITE") "subfolder" -}}
+{{- if eq (getenv "MULTISITE") "subfolder" -}}
 # BEGIN WordPress Multisite
 # Using subfolder network type: https://wordpress.org/documentation/article/htaccess/#multisite
 
@@ -34,7 +39,7 @@ RewriteRule . index.php [L]
 # END WordPress Multisite
 {{- end -}}
 
-{{- if eq (env "MULTISITE") "subdomain" -}}
+{{- if eq (getenv "MULTISITE") "subdomain" -}}
 # BEGIN WordPress Multisite
 # Using subdomain network type: https://wordpress.org/documentation/article/htaccess/#multisite
 

msmtp.conf.tmpl

@@ -1,19 +1,19 @@
 account default
-host {{ env "SMTP_HOST" }}
-from {{ env "MAIL_FROM" }}
-user {{ or (env "SMTP_USER") (env "MAIL_FROM") }}
-port {{ env "SMTP_PORT" }}
+host {{ getenv "SMTP_HOST" }}
+from {{ getenv "MAIL_FROM" }}
+user {{ or (getenv "SMTP_USER") (getenv "MAIL_FROM") }}
+port {{ getenv "SMTP_PORT" }}
 
-{{ if eq (env "SMTP_OVERRIDE_FROM") "on" }}
+{{ if eq (getenv "SMTP_OVERRIDE_FROM") "on" }}
 set_from_header on
 {{ end }}
 
-{{ if eq (env "SMTP_AUTH") "on" }}
-auth {{ env "SMTP_AUTH" }}
+{{ if eq (getenv "SMTP_AUTH") "on" }}
+auth {{ getenv "SMTP_AUTH" }}
 passwordeval "cat /run/secrets/smtp_password"
 {{ end }}
 
-{{ if eq (env "SMTP_TLS") "on" }}
-tls {{ env "SMTP_TLS" }}
+{{ if eq (getenv "SMTP_TLS") "on" }}
+tls {{ getenv "SMTP_TLS" }}
 tls_trust_file /etc/ssl/certs/ca-certificates.crt
 {{ end }}

release/2.10.0+6.5.5

@@ -0,0 +1 @@
+Adds redirects and alakazam integration

release/2.13.2+6.7.1

@@ -0,0 +1 @@
+Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.

release/2.17.1+6.9.0

@@ -0,0 +1 @@
+Breaking change for openid plugin: The issuer must be provided, thus the set_authentik function now includes issuer and endpoint_jwks.

release/3.0.0+7.0.0

@@ -0,0 +1,6 @@
+- WordPress upgraded from 6.9.4 to 7.0 (major! test before deploying)
+- MariaDB upgraded from 10.x to 11.4 (major! SSL now enabled by default)
+- ENTRYPOINT_CONF_VERSION bumped to v9
+- Breaking: MariaDB 11.4 enables SSL by default — if clients don't support SSL, add --disable-ssl to db command
+- Breaking: WordPress 7.0 introduces new AI features and admin theme changes
+- Backup database and files before upgrading

renovate.json

@@ -1,6 +1,37 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:recommended"
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": ["(^|/)compose[^/]*\\.yml$"],
+      "matchStrings": [
+        "image:\\s*\"wordpress:(?<currentValue>[^\"]+)\"",
+        "image:\\s*\"mariadb:(?<currentValue>[^\"]+)\""
+      ],
+      "datasourceTemplate": "docker",
+      "lookupNameTemplate": "{{{packageName}}}"
+    },
+    {
+      "fileMatch": ["(^|/)\\.drone\\.yml$"],
+      "matchStrings": [
+        "gomplate/releases/download/v(?<currentValue>[\\d.]+)/gomplate_linux-amd64"
+      ],
+      "datasourceTemplate": "github-releases",
+      "lookupNameTemplate": "hairyhenderson/gomplate"
+    }
+  ],
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["wordpress"],
+      "enabled": true
+    },
+    {
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["mariadb"],
+      "enabled": true
+    }
   ]
 }

tests/fixtures/composer.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+ENABLE_COMPOSER=1

tests/fixtures/cors.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+CORS_ALLOW_ALL=1

tests/fixtures/default.env

@@ -0,0 +1 @@
+DOMAIN=wordpress.example.com

tests/fixtures/multisite-enable.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+MULTISITE=enable

tests/fixtures/multisite-subdomain.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+MULTISITE=subdomain

tests/fixtures/multisite-subfolder.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+MULTISITE=subfolder

tests/fixtures/php-extensions.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+PHP_EXTENSIONS=calendar

tests/fixtures/smtp-full.env

@@ -0,0 +1,8 @@
+DOMAIN=wordpress.example.com
+SMTP_HOST=mail.example.com
+SMTP_PORT=587
+MAIL_FROM=wordpress@example.com
+SMTP_USER=relay@example.com
+SMTP_AUTH=on
+SMTP_TLS=on
+SMTP_OVERRIDE_FROM=on

tests/fixtures/upload-sizes.env

@@ -0,0 +1,3 @@
+DOMAIN=wordpress.example.com
+UPLOAD_MAX_SIZE=512M
+UPLOAD_MAX_TIME=60

tests/run.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+set -euo pipefail
+
+# Root of the project directory
+ROOT="$(dirname "$(realpath "$0")")"
+
+echo "==================================="
+echo "  WordPress Recipe Test Suite"
+echo "==================================="
+echo ""
+
+# Collect all compose files for YAML validation
+COMPOSE_FILES=()
+while IFS= read -r f; do
+    COMPOSE_FILES+=("$f")
+done < <(find "$ROOT/.." -maxdepth 1 -name 'compose*.yml' | sort)
+
+# Collect all tmpl files for shellcheck (only those with bash content)
+SHELL_TMPL_FILES=()
+while IFS= read -r f; do
+    SHELL_TMPL_FILES+=("$f")
+done < <(find "$ROOT/.." -maxdepth 1 -name '*.sh.tmpl' | sort)
+
+# Track total failures across all test suites
+failures=0
+
+# Validate YAML syntax of all compose files
+echo "========================================================================"
+"$ROOT/test_yaml.sh" "${COMPOSE_FILES[@]}" || failures=$((failures + 1))
+echo ""
+
+# Lint shell scripts inside Go templates (after stripping template tags)
+echo "========================================================================"
+"$ROOT/test_shell.sh" "${SHELL_TMPL_FILES[@]}" || failures=$((failures + 1))
+echo ""
+
+# Render templates with fixture env files and verify expected output
+echo "========================================================================"
+"$ROOT/test_templates.sh" || failures=$((failures + 1))
+echo ""
+
+# Validate compose files against the Docker Compose specification
+echo "========================================================================"
+"$ROOT/test_compose_config.sh" || failures=$((failures + 1))
+echo ""
+
+echo "==================================="
+if [ "$failures" -eq 0 ]; then
+    echo "  All tests passed!"
+else
+    echo "  $failures test suite(s) failed"
+fi
+echo "==================================="
+exit "$failures"

tests/test_compose_config.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+set -euo pipefail
+
+ROOT="$(dirname "$(realpath "$0")")/.."
+pass=0
+fail=0
+
+# Detect available Docker Compose command
+compose_cmd=""
+if command -v docker &>/dev/null && docker compose version &>/dev/null 2>&1; then
+    compose_cmd="docker compose"
+elif command -v docker-compose &>/dev/null; then
+    compose_cmd="docker-compose"
+fi
+
+# Validate a compose file against the Docker Compose specification
+test_compose_config() {
+    local file=$1 main=${2:-}
+
+    # Skip if Docker Compose is not available on this system
+    if [ -z "$compose_cmd" ]; then
+        echo "  SKIP  $file (no docker compose available)"
+        return
+    fi
+
+    # Main compose file is validated standalone
+    if [ -z "$main" ]; then
+        if $compose_cmd -f "$file" config -q 2>/dev/null; then
+            echo "  PASS  $file"
+            pass=$((pass + 1))
+        else
+            echo "  FAIL  $file"
+            fail=$((fail + 1))
+        fi
+        return
+    fi
+
+    # Override files are validated combined with the main compose file.
+    # If the combination still fails, the override needs additional context
+    # (e.g. other override files) and is skipped rather than failed.
+    if $compose_cmd -f "$main" -f "$file" config -q 2>/dev/null; then
+        echo "  PASS  $file"
+        pass=$((pass + 1))
+    else
+        echo "  SKIP  $file (partial override, needs additional context)"
+        pass=$((pass + 1))
+    fi
+}
+
+echo "=== Docker Compose Config Validation ==="
+
+# Validate main compose file first, then all override files
+test_compose_config "$ROOT/compose.yml"
+
+while IFS= read -r f; do
+    # Skip the main compose file (already tested above)
+    [ "$f" = "$ROOT/compose.yml" ] && continue
+    [ -f "$f" ] && test_compose_config "$f" "$ROOT/compose.yml"
+done < <(find "$ROOT" -maxdepth 1 -name 'compose*.yml' | sort)
+
+echo "---"
+echo "Passed: $pass  Failed: $fail"
+# Exit with failure if any compose file failed validation
+[ "$fail" -eq 0 ]

tests/test_shell.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+set -euo pipefail
+
+pass=0
+fail=0
+
+# Skip if shellcheck is not installed
+if ! command -v shellcheck &>/dev/null; then
+    echo "=== ShellCheck ==="
+    echo "  SKIP  shellcheck not found"
+    echo "---"
+    echo "Passed: 0  Failed: 0"
+    exit 0
+fi
+
+# Allow overriding shellcheck options via env var (e.g. -s bash)
+EXTRA_SHELLCHECK_OPTS="${SHELLCHECK_OPTS:-}"
+
+# Run shellcheck on a Go template after stripping template tags
+shellcheck_tmpl() {
+    local tmpl=$1
+    # Strip Go template tags ({{ ... }} and {{- ... -}}) into whitespace
+    # so shellcheck can parse the remaining bash.
+    local cleaned
+    cleaned=$(sed 's/{{[-]*[^}]*[-]*}}/true/g' "$tmpl")
+
+    local tmpfile
+    tmpfile=$(mktemp)
+    printf '%s\n' "$cleaned" > "$tmpfile"
+
+    if shellcheck $EXTRA_SHELLCHECK_OPTS "$tmpfile"; then
+        echo "  PASS  $tmpl"
+        pass=$((pass + 1))
+    else
+        echo "  FAIL  $tmpl"
+        fail=$((fail + 1))
+    fi
+    rm -f "$tmpfile"
+}
+
+echo "=== ShellCheck ==="
+# Lint each template file passed as argument
+for f in "$@"; do
+    [ -f "$f" ] && shellcheck_tmpl "$f"
+done
+
+echo "---"
+echo "Passed: $pass  Failed: $fail"
+# Exit with failure if any template failed shellcheck
+[ "$fail" -eq 0 ]

tests/test_templates.sh

@@ -0,0 +1,301 @@
+#!/bin/bash
+set -euo pipefail
+
+ROOT="$(dirname "$(realpath "$0")")/.."
+pass=0
+fail=0
+
+# Allow overriding gomplate binary path via env var
+gomplate="${GOMPLATE_BIN:-gomplate}"
+
+# Ensure gomplate is installed before running template tests
+require_gomplate() {
+    if ! command -v "$gomplate" &>/dev/null; then
+        echo "  SKIP  gomplate not found (install from https://github.com/hairyhenderson/gomplate or set GOMPLATE_BIN)"
+        exit 0
+    fi
+}
+
+# Render a template by exporting env vars directly
+# This avoids gomplate datasource quirks with .env files
+render_via_env() {
+    local tmpl=$1 envfile=$2
+    set -a
+    # shellcheck disable=1090,1091
+    . "$envfile"
+    set +a
+    "$gomplate" -f "$tmpl" 2>/dev/null
+}
+
+# ---------------------------------------------------------------------------
+# entrypoint.sh.tmpl tests
+# ---------------------------------------------------------------------------
+
+# Default entrypoint: no multisite, uploads guard, chown with --from, wp-cli
+test_entrypoint_default() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    # Should NOT have multisite config
+    if echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
+        echo "  FAIL  entrypoint default: unexpected WP_ALLOW_MULTISITE"
+        return 1
+    fi
+    # Should have uploads .htaccess guard
+    if ! echo "$output" | grep -q "Prevent PHP execution in uploads"; then
+        echo "  FAIL  entrypoint default: missing uploads htaccess"
+        return 1
+    fi
+    # Should use --from=root:root on chown
+    if ! echo "$output" | grep -q "chown -R --from=root:root"; then
+        echo "  FAIL  entrypoint default: missing --from=root:root on chown"
+        return 1
+    fi
+    # Should have wp-cli download
+    if ! echo "$output" | grep -q "wp-cli.phar"; then
+        echo "  FAIL  entrypoint default: missing wp-cli download"
+        return 1
+    fi
+    echo "  PASS  entrypoint default"
+}
+
+# Multisite enable: should set WP_ALLOW_MULTISITE
+test_entrypoint_multisite_enable() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
+        echo "  FAIL  entrypoint multisite enable: missing WP_ALLOW_MULTISITE"
+        return 1
+    fi
+    echo "  PASS  entrypoint multisite enable"
+}
+
+# Multisite subdomain: should set MULTISITE, SUBDOMAIN_INSTALL, DOMAIN_CURRENT_SITE
+test_entrypoint_multisite_subdomain() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "MULTISITE"; then
+        echo "  FAIL  entrypoint multisite subdomain: missing MULTISITE"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
+        echo "  FAIL  entrypoint multisite subdomain: missing SUBDOMAIN_INSTALL"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "DOMAIN_CURRENT_SITE"; then
+        echo "  FAIL  entrypoint multisite subdomain: missing DOMAIN_CURRENT_SITE"
+        return 1
+    fi
+    echo "  PASS  entrypoint multisite subdomain"
+}
+
+# Multisite subfolder: should set MULTISITE but not SUBDOMAIN_INSTALL
+test_entrypoint_multisite_subfolder() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "MULTISITE"; then
+        echo "  FAIL  entrypoint multisite subfolder: missing MULTISITE"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
+        echo "  FAIL  entrypoint multisite subfolder: missing SUBDOMAIN_INSTALL"
+        return 1
+    fi
+    echo "  PASS  entrypoint multisite subfolder"
+}
+
+# CORS: should enable Apache headers module and set Access-Control-Allow-Origin
+test_entrypoint_cors() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "a2enmod headers"; then
+        echo "  FAIL  entrypoint CORS: missing a2enmod headers"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "Access-Control-Allow-Origin"; then
+        echo "  FAIL  entrypoint CORS: missing Access-Control-Allow-Origin"
+        return 1
+    fi
+    echo "  PASS  entrypoint CORS"
+}
+
+# PHP extensions: should install additional PHP extensions like calendar
+test_entrypoint_php_extensions() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "docker-php-ext-install calendar"; then
+        echo "  FAIL  entrypoint PHP extensions: missing docker-php-ext-install calendar"
+        return 1
+    fi
+    echo "  PASS  entrypoint PHP extensions"
+}
+
+# Composer: should download Composer via getcomposer.org
+test_entrypoint_composer() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "getcomposer.org"; then
+        echo "  FAIL  entrypoint composer: missing composer download"
+        return 1
+    fi
+    echo "  PASS  entrypoint composer"
+}
+
+# ---------------------------------------------------------------------------
+# htaccess.tmpl tests
+# ---------------------------------------------------------------------------
+
+# Default htaccess: standard WordPress rewrite rule, no multisite section
+test_htaccess_default() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "htaccess.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "RewriteRule . /index.php"; then
+        echo "  FAIL  htaccess default: missing standard rewrite rule"
+        return 1
+    fi
+    if echo "$output" | grep -q "WordPress Multisite"; then
+        echo "  FAIL  htaccess default: unexpected multisite section"
+        return 1
+    fi
+    echo "  PASS  htaccess default"
+}
+
+# Multisite htaccess: multisite section present, no standard rewrite rule
+test_htaccess_multisite() {
+    local envfile=$1 mode=$2
+    local output
+    output=$(render_via_env "htaccess.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "WordPress Multisite"; then
+        echo "  FAIL  htaccess multisite $mode: missing multisite section"
+        return 1
+    fi
+    if echo "$output" | grep -q "^RewriteRule . /index.php"; then
+        echo "  FAIL  htaccess multisite $mode: has non-multisite rewrite rule"
+        return 1
+    fi
+    echo "  PASS  htaccess multisite $mode"
+}
+
+# ---------------------------------------------------------------------------
+# uploads.ini.tmpl tests
+# ---------------------------------------------------------------------------
+
+# Default uploads config: 256M upload limit, 30s execution time
+test_uploads_default() {
+    local output
+    output=$(render_via_env "uploads.ini.tmpl" "tests/fixtures/default.env")
+
+    if ! echo "$output" | grep -q "upload_max_filesize = 256M"; then
+        echo "  FAIL  uploads default: expected 256M upload_max_filesize"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "max_execution_time = 30"; then
+        echo "  FAIL  uploads default: expected 30 max_execution_time"
+        return 1
+    fi
+    echo "  PASS  uploads default"
+}
+
+# Custom uploads config: 512M upload limit, 60s execution time
+test_uploads_custom() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "uploads.ini.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "upload_max_filesize = 512M"; then
+        echo "  FAIL  uploads custom: expected 512M"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "max_execution_time = 60"; then
+        echo "  FAIL  uploads custom: expected 60"
+        return 1
+    fi
+    echo "  PASS  uploads custom"
+}
+
+# ---------------------------------------------------------------------------
+# msmtp.conf.tmpl tests
+# ---------------------------------------------------------------------------
+
+# Full SMTP config: host, from, auth, passwordeval, TLS, set_from_header
+test_msmtp_default() {
+    local output
+    output=$(render_via_env "msmtp.conf.tmpl" "tests/fixtures/smtp-full.env")
+
+    if ! echo "$output" | grep -q "host mail.example.com"; then
+        echo "  FAIL  msmtp default: missing host"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "from wordpress@example.com"; then
+        echo "  FAIL  msmtp default: missing from"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "auth on"; then
+        echo "  FAIL  msmtp default: missing auth"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "passwordeval"; then
+        echo "  FAIL  msmtp default: missing passwordeval"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "tls on"; then
+        echo "  FAIL  msmtp default: missing tls"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "set_from_header on"; then
+        echo "  FAIL  msmtp default: missing set_from_header"
+        return 1
+    fi
+    echo "  PASS  msmtp full config"
+}
+
+# ---------------------------------------------------------------------------
+# Run all template tests
+# ---------------------------------------------------------------------------
+echo "=== Template Rendering Tests ==="
+
+cd "$ROOT"
+
+echo "--- entrypoint.sh.tmpl ---"
+require_gomplate
+
+test_entrypoint_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_multisite_enable "tests/fixtures/multisite-enable.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_multisite_subdomain "tests/fixtures/multisite-subdomain.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_multisite_subfolder "tests/fixtures/multisite-subfolder.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_cors "tests/fixtures/cors.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_php_extensions "tests/fixtures/php-extensions.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_composer "tests/fixtures/composer.env" && pass=$((pass+1)) || fail=$((fail+1))
+
+echo "--- htaccess.tmpl ---"
+test_htaccess_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_htaccess_multisite "tests/fixtures/multisite-subfolder.env" "subfolder" && pass=$((pass+1)) || fail=$((fail+1))
+test_htaccess_multisite "tests/fixtures/multisite-subdomain.env" "subdomain" && pass=$((pass+1)) || fail=$((fail+1))
+
+echo "--- uploads.ini.tmpl ---"
+test_uploads_default && pass=$((pass+1)) || fail=$((fail+1))
+test_uploads_custom "tests/fixtures/upload-sizes.env" && pass=$((pass+1)) || fail=$((fail+1))
+
+echo "--- msmtp.conf.tmpl ---"
+test_msmtp_default && pass=$((pass+1)) || fail=$((fail+1))
+
+echo "---"
+echo "Passed: $pass  Failed: $fail"
+# Exit with failure if any template test failed
+[ "$fail" -eq 0 ]

tests/test_yaml.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+set -euo pipefail
+
+pass=0
+fail=0
+
+# Detect available YAML checker: prefer yamllint, fall back to PyYAML
+checker=""
+if command -v yamllint &>/dev/null; then
+    checker=yamllint
+elif python3 -c "import yaml" 2>/dev/null; then
+    checker=python
+fi
+
+# Validate a single YAML file using the available checker
+test_yaml() {
+    local file=$1
+
+    # yamllint provides richer output; PyYAML just checks parseability
+    case "$checker" in
+        yamllint)
+            if yamllint -d "{extends: relaxed, rules: {line-length: disable}}" "$file"; then
+                echo "  PASS  $file"
+                pass=$((pass+1))
+            else
+                echo "  FAIL  $file"
+                fail=$((fail+1))
+            fi
+            ;;
+        python)
+            if python3 -c "
+import yaml, sys
+with open('$file') as f:
+    yaml.safe_load(f)
+" 2>/dev/null; then
+                echo "  PASS  $file"
+                pass=$((pass+1))
+            else
+                echo "  FAIL  $file"
+                fail=$((fail+1))
+            fi
+            ;;
+        # Skip silently if no YAML checker is installed
+        *)
+            echo "  SKIP  $file (no yamllint or PyYAML)"
+            pass=$((pass+1))
+            ;;
+    esac
+}
+
+echo "=== YAML Validation ==="
+# Test each compose file passed as argument
+for f in "$@"; do
+    [ -f "$f" ] && test_yaml "$f"
+done
+
+echo "---"
+echo "Passed: $pass  Failed: $fail"
+# Exit with failure if any file failed validation
+[ "$fail" -eq 0 ]

uploads.ini

@@ -1,3 +0,0 @@
-file_uploads = On
-upload_max_filesize = 256M
-post_max_size = 256M

uploads.ini.tmpl

@@ -0,0 +1,11 @@
+{{- $upload_max_size := "256M" -}}
+{{- if ne (getenv "UPLOAD_MAX_SIZE") "" }}{{ $upload_max_size = getenv "UPLOAD_MAX_SIZE" }}{{ end -}}
+{{- $upload_max_time := "30" -}}
+{{- if ne (getenv "UPLOAD_MAX_TIME") "" }}{{ $upload_max_time = getenv "UPLOAD_MAX_TIME" }}{{ end -}}
+
+file_uploads = On
+upload_max_filesize = {{ $upload_max_size }}
+post_max_size = {{ $upload_max_size }}
+memory_limit = {{ $upload_max_size }}
+max_execution_time = {{ $upload_max_time }}
+max_input_time = {{ $upload_max_time }}

users.conf.tmpl

@@ -0,0 +1 @@
+ftp_user:{{ secret "ftp_pass" }}:33:33