Add AUTO_UPDATES docs to README

.env.sample

@@ -16,6 +16,13 @@ LETS_ENCRYPT_ENV=production
 # Setup Wordpress settings on each deploy:
 #POST_DEPLOY_CMDS="app core_install"
 
+# Automatically install WordPress on first deploy (requires TITLE and ADMIN_EMAIL)
+#AUTO_INSTALL=1
+
+# Enable auto-updates for plugins and themes on install/deploy (default: on)
+# Set to 0 to disable automatic plugin/theme updates
+#AUTO_UPDATES=1
+
 # Optional settings, otherwise can be set in the installer
 # (Required for `app core_install`
 #TITLE="My Example Blog"
@@ -38,6 +45,7 @@ LETS_ENCRYPT_ENV=production
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_ADMIN_PASSWORD_VERSION=v1
 
 # Mostly for compatibility with existing database dumps...
 #WORDPRESS_TABLE_PREFIX=wp_
@@ -84,6 +92,9 @@ SECRET_DB_PASSWORD_VERSION=v1
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
 
+# Disable the WordPress web installer (useful when migrating/importing a DB dump)
+#DISABLE_WEB_INSTALLER=1
+
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1

README.md

@@ -25,6 +25,55 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 * `abra app deploy <app-name>`
 * `abra app cmd <app-name> app core_install`
 
+### Admin password
+
+By default, WordPress generates a random admin password during `core_install` and prints it
+to the command output. To set a known password managed as a Docker secret:
+
+1. Uncomment `SECRET_ADMIN_PASSWORD_VERSION=v1` in your app config
+2. `abra app secret generate -a <app-name>` (creates a random password)
+3. `abra app deploy <app-name>`
+4. `abra app cmd <app-name> app core_install`
+
+The password is stored in `<app-name>_admin_password_v1` — you can view it with
+`abra app secret show <app-name> admin_password`.
+
+### Auto-install on first deploy
+
+To skip the manual `abra app cmd ... core_install` step, enable auto-install:
+
+1. Set `AUTO_INSTALL=1` in your app config
+2. Uncomment `TITLE` and `ADMIN_EMAIL` (also `LOCALE` if needed)
+3. (Optional) Uncomment `SECRET_ADMIN_PASSWORD_VERSION=v1` and run `abra app secret generate`
+4. `abra app deploy <app-name>`
+
+On first deploy, the container will wait for the database, then automatically run
+`wp core install` and configure the site. It only runs once — subsequent deploys detect
+WordPress is already installed and skip.
+
+### Plugin and theme auto-updates
+
+By default, plugin and theme auto-updates are enabled during install and deploy.
+To disable this:
+
+1. Set `AUTO_UPDATES=0` in your app config
+2. `abra app deploy <app-name>`
+
+This affects `abra app cmd <app-name> app core_install`, `abra app cmd <app-name> app update`,
+and the `AUTO_INSTALL` background process.
+
+## Disable the web installer
+
+When migrating a site (importing a DB dump from an existing install), the web-based
+WordPress installer at `wp-admin/install.php` is a security risk — someone could
+accidentally run it and overwrite your data. To block it:
+
+1. Set `DISABLE_WEB_INSTALLER=1` in your app config
+2. `abra app deploy <app-name>`
+
+Apache inside the container will deny all requests to `wp-admin/install.php`. The CLI-based
+`abra app cmd <app-name> app core_install` still works unaffected.
+
 ## Email
 
 There is a local or remote SMTP relay configuration available.

abra.sh

@@ -1,5 +1,5 @@
 export PHP_UPLOADS_CONF_VERSION=v4
-export ENTRYPOINT_CONF_VERSION=v9
+export ENTRYPOINT_CONF_VERSION=v10
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
 export HTACCESS_CONF_VERSION=v3
@@ -12,9 +12,13 @@ wp() {
 update() {
     wp "core update-db"
     wp "plugin update --all"
-    wp "plugin auto-updates enable --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "plugin auto-updates enable --all"
+    fi
     wp "theme update --all"
-    wp "theme auto-updates enable --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "theme auto-updates enable --all"
+    fi
     wp "language core update"
     wp "language plugin update --all"
     wp "language theme update --all"
@@ -27,7 +31,12 @@ core_install(){
         ADMIN=akadmin
     fi
     chown www-data:www-data -R /var/www/html/wp-content
-    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email"
+    ADMIN_PASSWORD=$(cat /run/secrets/admin_password 2>/dev/null | xargs || true)
+    ADMIN_PASS_ARG=""
+    if [ -n "$ADMIN_PASSWORD" ]; then
+        ADMIN_PASS_ARG="--admin_password=$ADMIN_PASSWORD"
+    fi
+    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email $ADMIN_PASS_ARG"
     wp "language core install $LOCALE"
     wp "site switch-language $LOCALE"
     wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
@@ -37,8 +46,10 @@ core_install(){
     else
         wp "option set default_role subscriber"
     fi
-    wp "theme auto-updates enable --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
-    wp 'plugin auto-updates enable --all' || true
+        wp "theme auto-updates enable --all"
+        wp 'plugin auto-updates enable --all' || true
+    fi
 }
 
 enable_auto_updates(){

compose.yml

@@ -22,9 +22,14 @@ services:
       WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
       PHP_EXTENSIONS: ${PHP_EXTENSIONS}
       CORS_ALLOW_ALL:
+      DISABLE_WEB_INSTALLER:
+      AUTO_INSTALL:
+      AUTO_UPDATES:
       COMPOSER:
+      SECRET_ADMIN_PASSWORD_VERSION:
     secrets:
       - db_password
+      - admin_password
     configs:
       - source: php_uploads_conf
         target: /usr/local/etc/php/conf.d/uploads.ini
@@ -101,6 +106,9 @@ secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  admin_password:
+    external: true
+    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
 
 configs:
   entrypoint_conf:

entrypoint.sh.tmpl

@@ -24,6 +24,14 @@ a2enmod headers
 sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
 {{ end }}
 
+{{ if eq (getenv "DISABLE_WEB_INSTALLER") "1" }}
+cat > /etc/apache2/conf-enabled/disable-installer.conf <<'EOF'
+<LocationMatch "^/wp-admin/install\.php">
+    Require all denied
+</LocationMatch>
+EOF
+{{ end }}
+
 {{ if eq (getenv "MULTISITE") "enable" }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('WP_CACHE', false);
@@ -56,6 +64,64 @@ fi
 
 chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
 
+{{ if eq (getenv "AUTO_INSTALL") "1" }}
+(
+  DOMAIN="{{ getenv "DOMAIN" }}"
+  TITLE="{{ getenv "TITLE" }}"
+  ADMIN_EMAIL="{{ getenv "ADMIN_EMAIL" }}"
+  LOCALE="{{ getenv "LOCALE" }}"
+  DEFAULT_USER_ROLE="{{ getenv "DEFAULT_USER_ROLE" }}"
+  AUTO_UPDATES="{{ getenv "AUTO_UPDATES" }}"
+
+  # Wait for wp-config.php (created by upstream entrypoint)
+  for _ in $(seq 1 30); do
+    if [ -f /var/www/html/wp-config.php ]; then
+      break
+    fi
+    sleep 2
+  done
+
+  # Wait for DB to be reachable
+  for _ in $(seq 1 60); do
+    if su -p www-data -s /bin/bash -c "/usr/local/bin/wp db check" 2>/dev/null; then
+      break
+    fi
+    sleep 2
+  done
+
+  # Skip if already installed or required vars missing
+  if su -p www-data -s /bin/bash -c "/usr/local/bin/wp core is-installed" 2>/dev/null; then
+    exit 0
+  fi
+  if [ -z "$TITLE" ] || [ -z "$ADMIN_EMAIL" ]; then
+    exit 0
+  fi
+
+  ADMIN="admin"
+  ADMIN_PASSWORD=$(cat /run/secrets/admin_password 2>/dev/null | xargs || true)
+  ADMIN_PASS_ARG=""
+  if [ -n "$ADMIN_PASSWORD" ]; then
+    ADMIN_PASS_ARG="--admin_password=$ADMIN_PASSWORD"
+  fi
+
+  su -p www-data -s /bin/bash -c "/usr/local/bin/wp core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email $ADMIN_PASS_ARG"
+  if [ -n "$LOCALE" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp language core install $LOCALE"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp site switch-language $LOCALE"
+  fi
+  su -p www-data -s /bin/bash -c "/usr/local/bin/wp rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+  if [ -n "$DEFAULT_USER_ROLE" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp option set default_role $DEFAULT_USER_ROLE"
+  else
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp option set default_role subscriber"
+  fi
+  if [ "$AUTO_UPDATES" != "0" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp theme auto-updates enable --all"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp plugin auto-updates enable --all" || true
+  fi
+) &
+{{ end }}
+
 if [ $# -gt 0 ]; then
 	"$@"
 fi