feat: anubis support

.env.sample

@@ -28,9 +28,6 @@ LETS_ENCRYPT_ENV=production
 # PHP composer for plugin installation
 #COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
 
-# Self managed Wordpress for automatic updates
-#COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
-
 #WORDPRESS_DEBUG=true
 
 ## Additional extensions
@@ -84,6 +81,7 @@ SECRET_DB_PASSWORD_VERSION=v1
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
 
+
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1
@@ -94,3 +92,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"
+
+# Anubis
+#COMPOSE_FILE="$COMPOSE_FILE:compose.anubis.yml"

README.md

@@ -77,3 +77,9 @@ Below are the instructions for the local relay.
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
 [cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik
+
+## Protect Wordpress from scrapers with Anubis
+
+Uncomment the Anubis compose file from the `.env` file and re-deploy the
+app.  Don't forget to actually [enable Anubis on the Traefik app
+too](https://recipes.coopcloud.tech/traefik)!

abra.sh

@@ -2,7 +2,7 @@ export PHP_UPLOADS_CONF_VERSION=v4
 export ENTRYPOINT_CONF_VERSION=v7
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
-export HTACCESS_CONF_VERSION=v3
+export HTACCESS_CONF_VERSION=v2
 export USERS_CONF_VERSION=v1
 
 wp() {
@@ -31,6 +31,8 @@ core_install(){
     wp "language core install $LOCALE"
     wp "site switch-language $LOCALE"
     wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+    wp "plugin install --activate disable-update-notifications"
+    wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
     if [ -n "$DEFAULT_USER_ROLE" ]
     then
         wp "option set default_role $DEFAULT_USER_ROLE"
@@ -38,20 +40,7 @@ core_install(){
         wp "option set default_role subscriber"
     fi
     wp "theme auto-updates enable --all"
-    wp 'plugin auto-updates enable --all' || true
-}
-
-enable_auto_updates(){
-  wp plugin deactivate disable-update-notifications --allow-root
-  wp plugin uninstall disable-update-notifications --allow-root
-  wp option delete disable_notification_setting --allow-root
-  wp plugin auto-updates enable --all --allow-root
-  wp theme auto-updates enable --all --allow-root
-}
-
-disable_auto_updates(){
-  wp "plugin install --activate disable-update-notifications"
-  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
+    wp 'plugin auto-updates enable --all' || exit 0
 }
 
 set_authentik(){

compose.anubis.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+services:
+  app:
+    deploy:
+      labels:
+      - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirectscheme,${STACK_NAME}-redirecthostname,anubis"

compose.selfmanaged.yml

@@ -1,21 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    image: "wordpress:latest"
-    volumes:
-      - "wordpress:/var/www/html/"
-    environment:
-      WORDPRESS_CONFIG_EXTRA: |
-        define( 'AUTOMATIC_UPDATER_DISABLED', false );
-        define( 'WP_AUTO_UPDATE_CORE', true );
-        define( 'FS_METHOD', 'direct' );
-        ${WORDPRESS_CONFIG_EXTRA}
-
-  ftp:
-    volumes:
-      - "wordpress:/home/ftp_user/"
-
-volumes:
-  wordpress:

htaccess.tmpl

@@ -1,15 +1,3 @@
-# Protect sensitive files from direct access
-<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
-    Require all denied
-</FilesMatch>
-
-# Prevent PHP execution in uploads directory
-<Directory /var/www/html/wp-content/uploads>
-    <FilesMatch "\.(?i:php|phtml|phar)$">
-        Require all denied
-    </FilesMatch>
-</Directory>
-
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress