harden htaccess

.drone.yml

@@ -1,48 +1,28 @@
 ---
 kind: pipeline
-name: test
+name: deploy to swarm-test.autonomic.zone
-
 steps:
-  - name: test
+  - name: deployment
-    image: alpine:3.21
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: wordpress
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
     environment:
-      SHELLCHECK_OPTS: -s bash
+      DOMAIN: wordpress.swarm-test.autonomic.zone
-    commands:
+      STACK_NAME: wordpress
-      - apk add --no-cache bash shellcheck py3-yaml curl
+      LETS_ENCRYPT_ENV: production
-      - curl -sSLo /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v5.0.0/gomplate_linux-amd64
+      SECRET_DB_PASSWORD_VERSION: v1
-      - chmod +x /usr/local/bin/gomplate
+      SECRET_DB_ROOT_PASSWORD_VERSION: v1
-      - tests/run.sh
+      PHP_UPLOADS_CONF_VERSION: v1
-
+      ENTRYPOINT_CONF_VERSION: v1
-  # deployment step disabled: swarm-test.autonomic.zone is down
+      HTACCESS_CONF_VERSION: v1
-  # - name: deployment
-  #   image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-  #   when:
-  #     event:
-  #       - push
-  #     branch:
-  #       - main
-  #   settings:
-  #     host: swarm-test.autonomic.zone
-  #     stack: wordpress
-  #     generate_secrets: true
-  #     purge: true
-  #     deploy_key:
-  #       from_secret: drone_ssh_swarm_test
-  #     networks:
-  #       - proxy
-  #   environment:
-  #     DOMAIN: wordpress.swarm-test.autonomic.zone
-  #     STACK_NAME: wordpress
-  #     LETS_ENCRYPT_ENV: production
-  #     SECRET_DB_PASSWORD_VERSION: v1
-  #     SECRET_DB_ROOT_PASSWORD_VERSION: v1
-  #     PHP_UPLOADS_CONF_VERSION: v1
-  #     ENTRYPOINT_CONF_VERSION: v1
-  #     HTACCESS_CONF_VERSION: v1
 trigger:
-  event:
-    - push
-    - pull_request
   branch:
     - main
 ---

.gitignore

@@ -1,22 +1 @@
-# direnv
 /.envrc
-
-# Environment files (may contain secrets)
-.env
-
-# Logs
-*.log
-
-# OS metadata
-.DS_Store
-Thumbs.db
-
-# Editor/IDE
-*.swp
-*.swo
-*~
-*.bak
-.idea/
-.vscode/
-.project
-.classpath

README.md

@@ -13,18 +13,52 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 * **Backups**: Yes
 * **Email**: 3
 * **Tests**: 2
-* **SSO**: 2
+* **SSO**: No
 
 <!-- endmetadata -->
 
+
 ## Quick start
 
+
 * `abra app new wordpress`
 * `abra app config <app-name>`
 * `abra app secret generate -a <app-name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app-name> app core_install`
 
+### Authentik Integration
+
+
+`abra app config <app-name>` 
+Configure the following envs:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+AUTHENTIK_DOMAIN=authentik.example.com
+AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
+AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
+```
+
+`abra app cmd <app-name> app set_authentik`
+
+## Running WP-CLI
+
+`abra app cmd <app-name> app wp -- core check-update --major`
+
+## Network (Multi-site)
+
+1. Set up as above
+2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+3. `abra app deploy <app-name>`
+4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
+5. Don't worry about the suggested file changes
+6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
+7. `abra app deploy <app-name>`
+
+## Installing a custom theme
+
+`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+
 ## Email
 
 There is a local or remote SMTP relay configuration available.
@@ -40,70 +74,6 @@ Below are the instructions for the local relay.
    `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
 3. `abra app deploy <app-name>`
 
-## WP-CLI
-
-You can either run using `abra app cmd`:
-```bash
-abra app cmd <app-name> app wp -- core check-update --major
-```
-
-Or by entering the app shell:
-1. `abra app run <app-name> app bash`
-2. `su -s /bin/bash www-data -c "wp core check-update --major"`
-
-## Network (Multi-site)
-
-1. Set up as above
-2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
-3. `abra app deploy <app-name>`
-4. Log into the WordPress admin dashboard, go to **Tools → Network Setup**
-5. Don't worry about the suggested file changes
-6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
-7. `abra app deploy <app-name>`
-
-## Installing a custom theme
-
-`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
-
-## Authentik Integration
-
-Configure the following envs via `abra app config <app-name>`:
-```bash
-COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-AUTHENTIK_DOMAIN=authentik.example.com
-AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
-AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
-```
-
-`abra app cmd <app-name> app set_authentik`
-
-## Tests
-
-Run the full test suite for this repository:
-
-```sh
-bash tests/run.sh
-```
-
-### Prerequisites
-
-The test suite uses several tools. Install them with your equivalent of:
-
-```sh
-brew install shellcheck gomplate
-```
-Some tests skip gracefully if their dependencies are missing.
-
-## Migrate from a non-Co-op Cloud WordPress install
-
-Make a `.tar.gz` backup of the site's `wp-content` dir and a `.sql.gz` backup of the database.
-
-1. `abra app wp.example.com restore app wp-content.tar.gz`
-2. `abra app wp.example.com restore db wordpress.sql.gz`
-
-Lastly, if there's a domain name change, run a search and replace:
-`abra app wp.example.com wp "search-replace https://old.example.com https://wp.example.com"`
-
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
-[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/postfix-relay
+[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik

abra.sh

@@ -1,12 +1,12 @@
 export PHP_UPLOADS_CONF_VERSION=v4
-export ENTRYPOINT_CONF_VERSION=v9
+export ENTRYPOINT_CONF_VERSION=v7
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
 export HTACCESS_CONF_VERSION=v3
 export USERS_CONF_VERSION=v1
 
 wp() {
-    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $*"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
 }
 
 update() {
@@ -42,11 +42,11 @@ core_install(){
 }
 
 enable_auto_updates(){
-  wp "plugin deactivate disable-update-notifications --allow-root"
+  wp plugin deactivate disable-update-notifications --allow-root
-  wp "plugin uninstall disable-update-notifications --allow-root"
+  wp plugin uninstall disable-update-notifications --allow-root
-  wp "option delete disable_notification_setting --allow-root"
+  wp option delete disable_notification_setting --allow-root
-  wp "plugin auto-updates enable --all --allow-root"
+  wp plugin auto-updates enable --all --allow-root
-  wp "theme auto-updates enable --all --allow-root"
+  wp theme auto-updates enable --all --allow-root
 }
 
 disable_auto_updates(){

compose.ftp-2220.yml

@@ -4,4 +4,4 @@ version: "3.8"
 services:
   ftp:
     ports:
-      - 2220:22
+        - 2220:22

compose.ftp-2221.yml

@@ -4,4 +4,4 @@ version: "3.8"
 services:
   ftp:
     ports:
-      - 2221:22
+        - 2221:22

compose.ftp-2222.yml

@@ -4,4 +4,4 @@ version: "3.8"
 services:
   ftp:
     ports:
-      - 2222:22
+        - 2222:22

compose.ftp-2223.yml

@@ -4,4 +4,4 @@ version: "3.8"
 services:
   ftp:
     ports:
-      - 2223:22
+        - 2223:22

compose.ftp-2224.yml

@@ -4,4 +4,4 @@ version: "3.8"
 services:
   ftp:
     ports:
-      - 2224:22
+        - 2224:22

compose.ftp-2225.yml

@@ -4,4 +4,4 @@ version: "3.8"
 services:
   ftp:
     ports:
-      - 2220:22
+        - 2220:22

compose.selfmanaged.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:7.0.0"
+    image: "wordpress:latest"
     volumes:
       - "wordpress:/var/www/html/"
     environment:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:7.0.0"
+    image: "wordpress:6.9.4"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
@@ -62,10 +62,10 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-        - "coop-cloud.${STACK_NAME}.version=3.0.0+7.0.0"
+        - "coop-cloud.${STACK_NAME}.version=2.19.1+6.9.4"
 
   db:
-    image: "mariadb:12.3"
+    image: "mariadb:12.2"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:

entrypoint.sh.tmpl

@@ -1,13 +1,13 @@
 #!/bin/bash
 
-{{ if (getenv "PHP_EXTENSIONS") }}
+{{ if (env "PHP_EXTENSIONS") }}
-docker-php-ext-install {{ getenv "PHP_EXTENSIONS" }}
+docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
 {{ end }}
 
 curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 chmod +x /usr/local/bin/wp
 
-{{ if eq (getenv "ENABLE_COMPOSER") "1" }}
+{{ if eq (env "ENABLE_COMPOSER") "1" }}
 mkdir -p /var/www/.composer
 chown www-data:www-data /var/www/.composer /var/www/html/composer
 
@@ -19,18 +19,18 @@ rm /tmp/composer-setup.php
 mv /var/www/html/composer.phar /usr/local/bin/composer
 {{ end }}
 
-{{ if eq (getenv "CORS_ALLOW_ALL") "1" }}
+{{ if eq (env "CORS_ALLOW_ALL") "1" }}
 a2enmod headers
 sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
 {{ end }}
 
-{{ if eq (getenv "MULTISITE") "enable" }}
+{{ if eq (env "MULTISITE") "enable" }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('WP_CACHE', false);
 define('WP_ALLOW_MULTISITE', true );"
 {{ end }}
 
-{{ if or (eq (getenv "MULTISITE") "subdomain") (eq (getenv "MULTISITE") "subfolder") }}
+{{ if or (eq (env "MULTISITE") "subdomain") (eq (env "MULTISITE") "subfolder") }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('MULTISITE', true);
 define('SUBDOMAIN_INSTALL', true);
@@ -42,21 +42,7 @@ define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}
 
-
+if [ -n "$@" ]; then
-UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
-if [ ! -f "$UPLOADS_HTACCESS" ]; then
-    mkdir -p /var/www/html/wp-content/uploads
-    cat > "$UPLOADS_HTACCESS" <<'EOF'
-# Prevent PHP execution in uploads directory
-<FilesMatch "\.(?i:php|phtml|phar)$">
-    Require all denied
-</FilesMatch>
-EOF
-fi
-
-chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
-
-if [ $# -gt 0 ]; then
 	"$@"
 fi
 

htaccess.tmpl

@@ -3,7 +3,14 @@
     Require all denied
 </FilesMatch>
 
-{{ if eq (getenv "MULTISITE") "" -}}
+# Prevent PHP execution in uploads directory
+<Directory /var/www/html/wp-content/uploads>
+    <FilesMatch "\.(?i:php|phtml|phar)$">
+        Require all denied
+    </FilesMatch>
+</Directory>
+
+{{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress
 
 RewriteEngine On
@@ -17,7 +24,7 @@ RewriteRule . /index.php [L]
 # END WordPress
 {{- end -}}
 
-{{- if eq (getenv "MULTISITE") "subfolder" -}}
+{{- if eq (env "MULTISITE") "subfolder" -}}
 # BEGIN WordPress Multisite
 # Using subfolder network type: https://wordpress.org/documentation/article/htaccess/#multisite
 
@@ -39,7 +46,7 @@ RewriteRule . index.php [L]
 # END WordPress Multisite
 {{- end -}}
 
-{{- if eq (getenv "MULTISITE") "subdomain" -}}
+{{- if eq (env "MULTISITE") "subdomain" -}}
 # BEGIN WordPress Multisite
 # Using subdomain network type: https://wordpress.org/documentation/article/htaccess/#multisite
 

msmtp.conf.tmpl

@@ -1,19 +1,19 @@
 account default
-host {{ getenv "SMTP_HOST" }}
+host {{ env "SMTP_HOST" }}
-from {{ getenv "MAIL_FROM" }}
+from {{ env "MAIL_FROM" }}
-user {{ or (getenv "SMTP_USER") (getenv "MAIL_FROM") }}
+user {{ or (env "SMTP_USER") (env "MAIL_FROM") }}
-port {{ getenv "SMTP_PORT" }}
+port {{ env "SMTP_PORT" }}
 
-{{ if eq (getenv "SMTP_OVERRIDE_FROM") "on" }}
+{{ if eq (env "SMTP_OVERRIDE_FROM") "on" }}
 set_from_header on
 {{ end }}
 
-{{ if eq (getenv "SMTP_AUTH") "on" }}
+{{ if eq (env "SMTP_AUTH") "on" }}
-auth {{ getenv "SMTP_AUTH" }}
+auth {{ env "SMTP_AUTH" }}
 passwordeval "cat /run/secrets/smtp_password"
 {{ end }}
 
-{{ if eq (getenv "SMTP_TLS") "on" }}
+{{ if eq (env "SMTP_TLS") "on" }}
-tls {{ getenv "SMTP_TLS" }}
+tls {{ env "SMTP_TLS" }}
 tls_trust_file /etc/ssl/certs/ca-certificates.crt
 {{ end }}

release/3.0.0+7.0.0

@@ -1,6 +0,0 @@
-- WordPress upgraded from 6.9.4 to 7.0 (major! test before deploying)
-- MariaDB upgraded from 10.x to 11.4 (major! SSL now enabled by default)
-- ENTRYPOINT_CONF_VERSION bumped to v9
-- Breaking: MariaDB 11.4 enables SSL by default — if clients don't support SSL, add --disable-ssl to db command
-- Breaking: WordPress 7.0 introduces new AI features and admin theme changes
-- Backup database and files before upgrading

renovate.json

@@ -2,36 +2,5 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended"
-  ],
-  "regexManagers": [
-    {
-      "fileMatch": ["(^|/)compose[^/]*\\.yml$"],
-      "matchStrings": [
-        "image:\\s*\"wordpress:(?<currentValue>[^\"]+)\"",
-        "image:\\s*\"mariadb:(?<currentValue>[^\"]+)\""
-      ],
-      "datasourceTemplate": "docker",
-      "lookupNameTemplate": "{{{packageName}}}"
-    },
-    {
-      "fileMatch": ["(^|/)\\.drone\\.yml$"],
-      "matchStrings": [
-        "gomplate/releases/download/v(?<currentValue>[\\d.]+)/gomplate_linux-amd64"
-      ],
-      "datasourceTemplate": "github-releases",
-      "lookupNameTemplate": "hairyhenderson/gomplate"
-    }
-  ],
-  "packageRules": [
-    {
-      "matchDatasources": ["docker"],
-      "matchPackageNames": ["wordpress"],
-      "enabled": true
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchPackageNames": ["mariadb"],
-      "enabled": true
-    }
   ]
 }

tests/fixtures/composer.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-ENABLE_COMPOSER=1

tests/fixtures/cors.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-CORS_ALLOW_ALL=1

tests/fixtures/default.env

@@ -1 +0,0 @@
-DOMAIN=wordpress.example.com

tests/fixtures/multisite-enable.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-MULTISITE=enable

tests/fixtures/multisite-subdomain.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-MULTISITE=subdomain

tests/fixtures/multisite-subfolder.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-MULTISITE=subfolder

tests/fixtures/php-extensions.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-PHP_EXTENSIONS=calendar

tests/fixtures/smtp-full.env

@@ -1,8 +0,0 @@
-DOMAIN=wordpress.example.com
-SMTP_HOST=mail.example.com
-SMTP_PORT=587
-MAIL_FROM=wordpress@example.com
-SMTP_USER=relay@example.com
-SMTP_AUTH=on
-SMTP_TLS=on
-SMTP_OVERRIDE_FROM=on

tests/fixtures/upload-sizes.env

@@ -1,3 +0,0 @@
-DOMAIN=wordpress.example.com
-UPLOAD_MAX_SIZE=512M
-UPLOAD_MAX_TIME=60

tests/run.sh

@@ -1,54 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-# Root of the project directory
-ROOT="$(dirname "$(realpath "$0")")"
-
-echo "==================================="
-echo "  WordPress Recipe Test Suite"
-echo "==================================="
-echo ""
-
-# Collect all compose files for YAML validation
-COMPOSE_FILES=()
-while IFS= read -r f; do
-    COMPOSE_FILES+=("$f")
-done < <(find "$ROOT/.." -maxdepth 1 -name 'compose*.yml' | sort)
-
-# Collect all tmpl files for shellcheck (only those with bash content)
-SHELL_TMPL_FILES=()
-while IFS= read -r f; do
-    SHELL_TMPL_FILES+=("$f")
-done < <(find "$ROOT/.." -maxdepth 1 -name '*.sh.tmpl' | sort)
-
-# Track total failures across all test suites
-failures=0
-
-# Validate YAML syntax of all compose files
-echo "========================================================================"
-"$ROOT/test_yaml.sh" "${COMPOSE_FILES[@]}" || failures=$((failures + 1))
-echo ""
-
-# Lint shell scripts inside Go templates (after stripping template tags)
-echo "========================================================================"
-"$ROOT/test_shell.sh" "${SHELL_TMPL_FILES[@]}" || failures=$((failures + 1))
-echo ""
-
-# Render templates with fixture env files and verify expected output
-echo "========================================================================"
-"$ROOT/test_templates.sh" || failures=$((failures + 1))
-echo ""
-
-# Validate compose files against the Docker Compose specification
-echo "========================================================================"
-"$ROOT/test_compose_config.sh" || failures=$((failures + 1))
-echo ""
-
-echo "==================================="
-if [ "$failures" -eq 0 ]; then
-    echo "  All tests passed!"
-else
-    echo "  $failures test suite(s) failed"
-fi
-echo "==================================="
-exit "$failures"

tests/test_compose_config.sh

@@ -1,64 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-ROOT="$(dirname "$(realpath "$0")")/.."
-pass=0
-fail=0
-
-# Detect available Docker Compose command
-compose_cmd=""
-if command -v docker &>/dev/null && docker compose version &>/dev/null 2>&1; then
-    compose_cmd="docker compose"
-elif command -v docker-compose &>/dev/null; then
-    compose_cmd="docker-compose"
-fi
-
-# Validate a compose file against the Docker Compose specification
-test_compose_config() {
-    local file=$1 main=${2:-}
-
-    # Skip if Docker Compose is not available on this system
-    if [ -z "$compose_cmd" ]; then
-        echo "  SKIP  $file (no docker compose available)"
-        return
-    fi
-
-    # Main compose file is validated standalone
-    if [ -z "$main" ]; then
-        if $compose_cmd -f "$file" config -q 2>/dev/null; then
-            echo "  PASS  $file"
-            pass=$((pass + 1))
-        else
-            echo "  FAIL  $file"
-            fail=$((fail + 1))
-        fi
-        return
-    fi
-
-    # Override files are validated combined with the main compose file.
-    # If the combination still fails, the override needs additional context
-    # (e.g. other override files) and is skipped rather than failed.
-    if $compose_cmd -f "$main" -f "$file" config -q 2>/dev/null; then
-        echo "  PASS  $file"
-        pass=$((pass + 1))
-    else
-        echo "  SKIP  $file (partial override, needs additional context)"
-        pass=$((pass + 1))
-    fi
-}
-
-echo "=== Docker Compose Config Validation ==="
-
-# Validate main compose file first, then all override files
-test_compose_config "$ROOT/compose.yml"
-
-while IFS= read -r f; do
-    # Skip the main compose file (already tested above)
-    [ "$f" = "$ROOT/compose.yml" ] && continue
-    [ -f "$f" ] && test_compose_config "$f" "$ROOT/compose.yml"
-done < <(find "$ROOT" -maxdepth 1 -name 'compose*.yml' | sort)
-
-echo "---"
-echo "Passed: $pass  Failed: $fail"
-# Exit with failure if any compose file failed validation
-[ "$fail" -eq 0 ]

tests/test_shell.sh

@@ -1,50 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-pass=0
-fail=0
-
-# Skip if shellcheck is not installed
-if ! command -v shellcheck &>/dev/null; then
-    echo "=== ShellCheck ==="
-    echo "  SKIP  shellcheck not found"
-    echo "---"
-    echo "Passed: 0  Failed: 0"
-    exit 0
-fi
-
-# Allow overriding shellcheck options via env var (e.g. -s bash)
-EXTRA_SHELLCHECK_OPTS="${SHELLCHECK_OPTS:-}"
-
-# Run shellcheck on a Go template after stripping template tags
-shellcheck_tmpl() {
-    local tmpl=$1
-    # Strip Go template tags ({{ ... }} and {{- ... -}}) into whitespace
-    # so shellcheck can parse the remaining bash.
-    local cleaned
-    cleaned=$(sed 's/{{[-]*[^}]*[-]*}}/true/g' "$tmpl")
-
-    local tmpfile
-    tmpfile=$(mktemp)
-    printf '%s\n' "$cleaned" > "$tmpfile"
-
-    if shellcheck $EXTRA_SHELLCHECK_OPTS "$tmpfile"; then
-        echo "  PASS  $tmpl"
-        pass=$((pass + 1))
-    else
-        echo "  FAIL  $tmpl"
-        fail=$((fail + 1))
-    fi
-    rm -f "$tmpfile"
-}
-
-echo "=== ShellCheck ==="
-# Lint each template file passed as argument
-for f in "$@"; do
-    [ -f "$f" ] && shellcheck_tmpl "$f"
-done
-
-echo "---"
-echo "Passed: $pass  Failed: $fail"
-# Exit with failure if any template failed shellcheck
-[ "$fail" -eq 0 ]

tests/test_templates.sh

@@ -1,301 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-ROOT="$(dirname "$(realpath "$0")")/.."
-pass=0
-fail=0
-
-# Allow overriding gomplate binary path via env var
-gomplate="${GOMPLATE_BIN:-gomplate}"
-
-# Ensure gomplate is installed before running template tests
-require_gomplate() {
-    if ! command -v "$gomplate" &>/dev/null; then
-        echo "  SKIP  gomplate not found (install from https://github.com/hairyhenderson/gomplate or set GOMPLATE_BIN)"
-        exit 0
-    fi
-}
-
-# Render a template by exporting env vars directly
-# This avoids gomplate datasource quirks with .env files
-render_via_env() {
-    local tmpl=$1 envfile=$2
-    set -a
-    # shellcheck disable=1090,1091
-    . "$envfile"
-    set +a
-    "$gomplate" -f "$tmpl" 2>/dev/null
-}
-
-# ---------------------------------------------------------------------------
-# entrypoint.sh.tmpl tests
-# ---------------------------------------------------------------------------
-
-# Default entrypoint: no multisite, uploads guard, chown with --from, wp-cli
-test_entrypoint_default() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    # Should NOT have multisite config
-    if echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
-        echo "  FAIL  entrypoint default: unexpected WP_ALLOW_MULTISITE"
-        return 1
-    fi
-    # Should have uploads .htaccess guard
-    if ! echo "$output" | grep -q "Prevent PHP execution in uploads"; then
-        echo "  FAIL  entrypoint default: missing uploads htaccess"
-        return 1
-    fi
-    # Should use --from=root:root on chown
-    if ! echo "$output" | grep -q "chown -R --from=root:root"; then
-        echo "  FAIL  entrypoint default: missing --from=root:root on chown"
-        return 1
-    fi
-    # Should have wp-cli download
-    if ! echo "$output" | grep -q "wp-cli.phar"; then
-        echo "  FAIL  entrypoint default: missing wp-cli download"
-        return 1
-    fi
-    echo "  PASS  entrypoint default"
-}
-
-# Multisite enable: should set WP_ALLOW_MULTISITE
-test_entrypoint_multisite_enable() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
-        echo "  FAIL  entrypoint multisite enable: missing WP_ALLOW_MULTISITE"
-        return 1
-    fi
-    echo "  PASS  entrypoint multisite enable"
-}
-
-# Multisite subdomain: should set MULTISITE, SUBDOMAIN_INSTALL, DOMAIN_CURRENT_SITE
-test_entrypoint_multisite_subdomain() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "MULTISITE"; then
-        echo "  FAIL  entrypoint multisite subdomain: missing MULTISITE"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
-        echo "  FAIL  entrypoint multisite subdomain: missing SUBDOMAIN_INSTALL"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "DOMAIN_CURRENT_SITE"; then
-        echo "  FAIL  entrypoint multisite subdomain: missing DOMAIN_CURRENT_SITE"
-        return 1
-    fi
-    echo "  PASS  entrypoint multisite subdomain"
-}
-
-# Multisite subfolder: should set MULTISITE but not SUBDOMAIN_INSTALL
-test_entrypoint_multisite_subfolder() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "MULTISITE"; then
-        echo "  FAIL  entrypoint multisite subfolder: missing MULTISITE"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
-        echo "  FAIL  entrypoint multisite subfolder: missing SUBDOMAIN_INSTALL"
-        return 1
-    fi
-    echo "  PASS  entrypoint multisite subfolder"
-}
-
-# CORS: should enable Apache headers module and set Access-Control-Allow-Origin
-test_entrypoint_cors() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "a2enmod headers"; then
-        echo "  FAIL  entrypoint CORS: missing a2enmod headers"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "Access-Control-Allow-Origin"; then
-        echo "  FAIL  entrypoint CORS: missing Access-Control-Allow-Origin"
-        return 1
-    fi
-    echo "  PASS  entrypoint CORS"
-}
-
-# PHP extensions: should install additional PHP extensions like calendar
-test_entrypoint_php_extensions() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "docker-php-ext-install calendar"; then
-        echo "  FAIL  entrypoint PHP extensions: missing docker-php-ext-install calendar"
-        return 1
-    fi
-    echo "  PASS  entrypoint PHP extensions"
-}
-
-# Composer: should download Composer via getcomposer.org
-test_entrypoint_composer() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "getcomposer.org"; then
-        echo "  FAIL  entrypoint composer: missing composer download"
-        return 1
-    fi
-    echo "  PASS  entrypoint composer"
-}
-
-# ---------------------------------------------------------------------------
-# htaccess.tmpl tests
-# ---------------------------------------------------------------------------
-
-# Default htaccess: standard WordPress rewrite rule, no multisite section
-test_htaccess_default() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "htaccess.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "RewriteRule . /index.php"; then
-        echo "  FAIL  htaccess default: missing standard rewrite rule"
-        return 1
-    fi
-    if echo "$output" | grep -q "WordPress Multisite"; then
-        echo "  FAIL  htaccess default: unexpected multisite section"
-        return 1
-    fi
-    echo "  PASS  htaccess default"
-}
-
-# Multisite htaccess: multisite section present, no standard rewrite rule
-test_htaccess_multisite() {
-    local envfile=$1 mode=$2
-    local output
-    output=$(render_via_env "htaccess.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "WordPress Multisite"; then
-        echo "  FAIL  htaccess multisite $mode: missing multisite section"
-        return 1
-    fi
-    if echo "$output" | grep -q "^RewriteRule . /index.php"; then
-        echo "  FAIL  htaccess multisite $mode: has non-multisite rewrite rule"
-        return 1
-    fi
-    echo "  PASS  htaccess multisite $mode"
-}
-
-# ---------------------------------------------------------------------------
-# uploads.ini.tmpl tests
-# ---------------------------------------------------------------------------
-
-# Default uploads config: 256M upload limit, 30s execution time
-test_uploads_default() {
-    local output
-    output=$(render_via_env "uploads.ini.tmpl" "tests/fixtures/default.env")
-
-    if ! echo "$output" | grep -q "upload_max_filesize = 256M"; then
-        echo "  FAIL  uploads default: expected 256M upload_max_filesize"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "max_execution_time = 30"; then
-        echo "  FAIL  uploads default: expected 30 max_execution_time"
-        return 1
-    fi
-    echo "  PASS  uploads default"
-}
-
-# Custom uploads config: 512M upload limit, 60s execution time
-test_uploads_custom() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "uploads.ini.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "upload_max_filesize = 512M"; then
-        echo "  FAIL  uploads custom: expected 512M"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "max_execution_time = 60"; then
-        echo "  FAIL  uploads custom: expected 60"
-        return 1
-    fi
-    echo "  PASS  uploads custom"
-}
-
-# ---------------------------------------------------------------------------
-# msmtp.conf.tmpl tests
-# ---------------------------------------------------------------------------
-
-# Full SMTP config: host, from, auth, passwordeval, TLS, set_from_header
-test_msmtp_default() {
-    local output
-    output=$(render_via_env "msmtp.conf.tmpl" "tests/fixtures/smtp-full.env")
-
-    if ! echo "$output" | grep -q "host mail.example.com"; then
-        echo "  FAIL  msmtp default: missing host"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "from wordpress@example.com"; then
-        echo "  FAIL  msmtp default: missing from"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "auth on"; then
-        echo "  FAIL  msmtp default: missing auth"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "passwordeval"; then
-        echo "  FAIL  msmtp default: missing passwordeval"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "tls on"; then
-        echo "  FAIL  msmtp default: missing tls"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "set_from_header on"; then
-        echo "  FAIL  msmtp default: missing set_from_header"
-        return 1
-    fi
-    echo "  PASS  msmtp full config"
-}
-
-# ---------------------------------------------------------------------------
-# Run all template tests
-# ---------------------------------------------------------------------------
-echo "=== Template Rendering Tests ==="
-
-cd "$ROOT"
-
-echo "--- entrypoint.sh.tmpl ---"
-require_gomplate
-
-test_entrypoint_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_multisite_enable "tests/fixtures/multisite-enable.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_multisite_subdomain "tests/fixtures/multisite-subdomain.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_multisite_subfolder "tests/fixtures/multisite-subfolder.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_cors "tests/fixtures/cors.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_php_extensions "tests/fixtures/php-extensions.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_composer "tests/fixtures/composer.env" && pass=$((pass+1)) || fail=$((fail+1))
-
-echo "--- htaccess.tmpl ---"
-test_htaccess_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_htaccess_multisite "tests/fixtures/multisite-subfolder.env" "subfolder" && pass=$((pass+1)) || fail=$((fail+1))
-test_htaccess_multisite "tests/fixtures/multisite-subdomain.env" "subdomain" && pass=$((pass+1)) || fail=$((fail+1))
-
-echo "--- uploads.ini.tmpl ---"
-test_uploads_default && pass=$((pass+1)) || fail=$((fail+1))
-test_uploads_custom "tests/fixtures/upload-sizes.env" && pass=$((pass+1)) || fail=$((fail+1))
-
-echo "--- msmtp.conf.tmpl ---"
-test_msmtp_default && pass=$((pass+1)) || fail=$((fail+1))
-
-echo "---"
-echo "Passed: $pass  Failed: $fail"
-# Exit with failure if any template test failed
-[ "$fail" -eq 0 ]

tests/test_yaml.sh

@@ -1,60 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-pass=0
-fail=0
-
-# Detect available YAML checker: prefer yamllint, fall back to PyYAML
-checker=""
-if command -v yamllint &>/dev/null; then
-    checker=yamllint
-elif python3 -c "import yaml" 2>/dev/null; then
-    checker=python
-fi
-
-# Validate a single YAML file using the available checker
-test_yaml() {
-    local file=$1
-
-    # yamllint provides richer output; PyYAML just checks parseability
-    case "$checker" in
-        yamllint)
-            if yamllint -d "{extends: relaxed, rules: {line-length: disable}}" "$file"; then
-                echo "  PASS  $file"
-                pass=$((pass+1))
-            else
-                echo "  FAIL  $file"
-                fail=$((fail+1))
-            fi
-            ;;
-        python)
-            if python3 -c "
-import yaml, sys
-with open('$file') as f:
-    yaml.safe_load(f)
-" 2>/dev/null; then
-                echo "  PASS  $file"
-                pass=$((pass+1))
-            else
-                echo "  FAIL  $file"
-                fail=$((fail+1))
-            fi
-            ;;
-        # Skip silently if no YAML checker is installed
-        *)
-            echo "  SKIP  $file (no yamllint or PyYAML)"
-            pass=$((pass+1))
-            ;;
-    esac
-}
-
-echo "=== YAML Validation ==="
-# Test each compose file passed as argument
-for f in "$@"; do
-    [ -f "$f" ] && test_yaml "$f"
-done
-
-echo "---"
-echo "Passed: $pass  Failed: $fail"
-# Exit with failure if any file failed validation
-[ "$fail" -eq 0 ]

uploads.ini.tmpl

@@ -1,10 +1,10 @@
-{{- $upload_max_size := "256M" -}}
+{{ $upload_max_size := "256M" }}
-{{- if ne (getenv "UPLOAD_MAX_SIZE") "" }}{{ $upload_max_size = getenv "UPLOAD_MAX_SIZE" }}{{ end -}}
+{{ if ne (env "UPLOAD_MAX_SIZE") "" }} {{ $upload_max_size = env "UPLOAD_MAX_SIZE" }} {{ end }}
-{{- $upload_max_time := "30" -}}
+{{ $upload_max_time := "30" }}
-{{- if ne (getenv "UPLOAD_MAX_TIME") "" }}{{ $upload_max_time = getenv "UPLOAD_MAX_TIME" }}{{ end -}}
+{{ if ne (env "UPLOAD_MAX_TIME") "" }} {{ $upload_max_time = env "UPLOAD_MAX_TIME" }} {{ end }}
 
 file_uploads = On
-upload_max_filesize = {{ $upload_max_size }}
+upload_max_filesize =  {{ $upload_max_size }}
 post_max_size = {{ $upload_max_size }}
 memory_limit = {{ $upload_max_size }}
 max_execution_time = {{ $upload_max_time }}