Add AUTO_UPDATES docs to README

Reviewed-on: coop-cloud/wordpress#64

.drone.yml

@@ -1,22 +1,63 @@
 ---
 kind: pipeline
-name: deploy to swarm-test.autonomic.zone
+name: test
+
 steps:
-  - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
-    settings:
-      host: swarm-test.autonomic.zone
-      stack: wordpress
-      generate_secrets: true
-      purge: true
-      deploy_key:
-        from_secret: drone_ssh_swarm_test
+  - name: test
+    image: alpine:3.21
     environment:
-      DOMAIN: wordpress.swarm-test.autonomic.zone
-      STACK_NAME: wordpress
-      LETS_ENCRYPT_ENV: production
-      DB_PASSWORD_VERSION: v1
-      DB_ROOT_PASSWORD_VERSION: v1
+      SHELLCHECK_OPTS: -s bash
+    commands:
+      - apk add --no-cache bash shellcheck py3-yaml curl
+      - curl -sSLo /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v5.0.0/gomplate_linux-amd64
+      - chmod +x /usr/local/bin/gomplate
+      - tests/run.sh
+
+  # deployment step disabled: swarm-test.autonomic.zone is down
+  # - name: deployment
+  #   image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+  #   when:
+  #     event:
+  #       - push
+  #     branch:
+  #       - main
+  #   settings:
+  #     host: swarm-test.autonomic.zone
+  #     stack: wordpress
+  #     generate_secrets: true
+  #     purge: true
+  #     deploy_key:
+  #       from_secret: drone_ssh_swarm_test
+  #     networks:
+  #       - proxy
+  #   environment:
+  #     DOMAIN: wordpress.swarm-test.autonomic.zone
+  #     STACK_NAME: wordpress
+  #     LETS_ENCRYPT_ENV: production
+  #     SECRET_DB_PASSWORD_VERSION: v1
+  #     SECRET_DB_ROOT_PASSWORD_VERSION: v1
+  #     PHP_UPLOADS_CONF_VERSION: v1
+  #     ENTRYPOINT_CONF_VERSION: v1
+  #     HTACCESS_CONF_VERSION: v1
 trigger:
+  event:
+    - push
+    - pull_request
   branch:
-    - master
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -0,0 +1,107 @@
+TYPE=wordpress
+#TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
+COMPOSE_FILE="compose.yml"
+ENABLE_BACKUPS=true
+
+DOMAIN=wordpress.example.com
+## Domain aliases
+#EXTRA_DOMAINS=', `www.wordpress.example.com`'
+# Redirects
+# All redirect domains have to be added to EXTRA_DOMAINS as well)
+# multiple redirects can be added by seperating them with a | character
+#REDIRECTS=www.wordpress.example.com
+LETS_ENCRYPT_ENV=production
+
+# Setup Wordpress settings on each deploy:
+#POST_DEPLOY_CMDS="app core_install"
+
+# Automatically install WordPress on first deploy (requires TITLE and ADMIN_EMAIL)
+#AUTO_INSTALL=1
+
+# Enable auto-updates for plugins and themes on install/deploy (default: on)
+# Set to 0 to disable automatic plugin/theme updates
+#AUTO_UPDATES=1
+
+# Optional settings, otherwise can be set in the installer
+# (Required for `app core_install`
+#TITLE="My Example Blog"
+#LOCALE="en_US" # de_DE
+#ADMIN_EMAIL=admin@example.com
+
+# Every new user is per default subscriber, uncomment to change it
+#DEFAULT_USER_ROLE=administrator
+
+# PHP composer for plugin installation
+#COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
+
+# Self managed Wordpress for automatic updates
+#COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
+
+#WORDPRESS_DEBUG=true
+
+## Additional extensions
+#PHP_EXTENSIONS="calendar"
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_ADMIN_PASSWORD_VERSION=v1
+
+# Mostly for compatibility with existing database dumps...
+#WORDPRESS_TABLE_PREFIX=wp_
+
+# Multisite (see README)
+#MULTISITE=enable # either 'enable', 'subdomain' or 'subfolder'
+
+# File upload settings
+#UPLOAD_MAX_SIZE=256M
+#UPLOAD_MAX_TIME=30
+
+# Local SMTP relay
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
+#SMTP_HOST="postfix_relay_app"
+#MAIL_FROM="wordpress@example.com"
+
+# Remote SMTP relay
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml:compose.smtp.yml"
+#SMTP_HOST="mail.example.com"
+#MAIL_FROM="wordpress@example.com"
+#SMTP_USER="wordpress@example.com"  # optional, defaults to MAIL_FROM
+#SMTP_OVERRIDE_FROM=on  # force "From" to MAIL_FROM, usually necessary
+#SMTP_PORT=587
+#SMTP_AUTH=on
+#SMTP_TLS=on
+#SECRET_SMTP_PASSWORD_VERSION=v1
+
+# Authentik SSO
+#COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+#AUTHENTIK_DOMAIN=authentik.example.com
+#SECRET_AUTHENTIK_SECRET_VERSION=v1
+#SECRET_AUTHENTIK_ID_VERSION=v1
+#LOGIN_TYPE='auto'
+
+# Matrix .well-known redirect
+#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
+#MATRIX_DOMAIN=matrix.example.com
+
+# Allow remote connections to db
+# 🚩🚩 dangerous, use only for development sites!
+#COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
+
+# Wide-open CORS
+# 🚩🚩 dangerous, use only for development sites!
+#CORS_ALLOW_ALL=1
+
+# Disable the WordPress web installer (useful when migrating/importing a DB dump)
+#DISABLE_WEB_INSTALLER=1
+
+# FTP
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
+#SECRET_FTP_PASS_VERSION=v1
+# You can use a Port between 2220-2225
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2220.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2221.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"

.envrc.sample

@@ -1,38 +0,0 @@
-export DOMAIN=wordpress.example.com
-## Domain aliases
-#export EXTRA_DOMAINS=', `www.wordpress.example.com`'
-
-export STACK_NAME=wordpress
-export LETS_ENCRYPT_ENV=production
-
-export DB_ROOT_PASSWORD_VERSION=v1
-export DB_PASSWORD_VERSION=v1
-
-# Multisite
-#export WORDPRESS_CONFIG_EXTRA="\
-#	define('WP_CACHE', false);\
-#	define('WP_ALLOW_MULTISITE', true );"
-
-# Multisite phase 2 (see README)
-#export WORDPRESS_CONFIG_EXTRA="\
-#	define('WP_CACHE', false);\
-#	define('WP_ALLOW_MULTISITE', true );\
-#	define('MULTISITE', true);\
-#	define('SUBDOMAIN_INSTALL', true);\
-#	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
-#	define('PATH_CURRENT_SITE', '/');\
-#	define('SITE_ID_CURRENT_SITE', 1);\
-#	define('BLOG_ID_CURRENT_SITE', 1);\
-#	define('FORCE_SSL_ADMIN', true );\
-#	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
-
-# Backups
-#export COMPOSE_FILE="compose.yml:compose.backup.yml"
-
-# SMTP
-#export COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
-#export SMTP_HOST="postfix_relay_app"
-#export MAIL_FROM="wordpress@example.com"
-#
-#export MSMTP_CONF_VERSION=v1
-#export ENTRYPOINT_MAILRELAY_CONF_VERSION=v1

.gitignore

@@ -1 +1,22 @@
+# direnv
 /.envrc
+
+# Environment files (may contain secrets)
+.env
+
+# Logs
+*.log
+
+# OS metadata
+.DS_Store
+Thumbs.db
+
+# Editor/IDE
+*.swp
+*.swo
+*~
+*.bak
+.idea/
+.vscode/
+.project
+.classpath

README.md

@@ -1,59 +1,158 @@
-# wordpress
+# Wordpress
 
-[![Build Status](https://drone.autonomic.zone/api/badges/compose-stacks/wordpress/status.svg)](https://drone.autonomic.zone/compose-stacks/wordpress)
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/wordpress/status.svg)](https://build.coopcloud.tech/coop-cloud/wordpress)
 
 Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 
-1. Set up Docker Swarm and [`abra`][abra]
-2. Deploy [`compose-stacks/traefik`][compose-traefik]
-3. `cp .envrc.sample .envrc`
-4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
-   your Docker swarm box
-5. `direnv allow` (or `. .envrc`)
-6. Generate secrets:
-   ```
-   abra secret_generate db_password v1
-   abra secret_generate db_root_password v1
-   ```
-7. `abra deploy`
-8. Open the configured domain in your browser to finish set-up
-9. `abra run wordpress chown www-data:www-data /var/www/html/wp-content` to fix
-   file permissions (see #3)
+<!-- metadata -->
 
-## Network (Multi-site)
+* **Category**: Apps
+* **Status**: 4
+* **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
+* **Healthcheck**: Yes
+* **Backups**: Yes
+* **Email**: 3
+* **Tests**: 2
+* **SSO**: 2
 
-_(Only tested using subdomains)_
+<!-- endmetadata -->
 
-1. Set up as above
-2. Uncomment the first `# Multisite` section in `.envrc`
-3. `direnv allow` (or re-run `source .envrc`)
-4. `abra deploy`
-5. Log into the Wordpress admin dashboard, go to Tools » Network Setup
-6. Don't worry about the suggested file changes
-7. Comment out the first `# Multisite` section in `.envrc` and uncomment the
-   `# Multisite phase 2` section
-8. `direnv allow` (or re-run `source .envrc`)
-9. `abra deploy`
-10. FIXME setting up SSL / routing
+## Quick start
 
-## Installing a custom theme
+* `abra app new wordpress`
+* `abra app config <app-name>`
+* `abra app secret generate -a <app-name>`
+* `abra app deploy <app-name>`
+* `abra app cmd <app-name> app core_install`
 
-`abra cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+### Admin password
 
-## Backups
+By default, WordPress generates a random admin password during `core_install` and prints it
+to the command output. To set a known password managed as a Docker secret:
 
-1. Edit `.envrc` and uncomment the `export COMPOSE_FILE="compose.yml:compose.backup.yml"` line
-2. `direnv allow`
-3. `abra deploy`
+1. Uncomment `SECRET_ADMIN_PASSWORD_VERSION=v1` in your app config
+2. `abra app secret generate -a <app-name>` (creates a random password)
+3. `abra app deploy <app-name>`
+4. `abra app cmd <app-name> app core_install`
+
+The password is stored in `<app-name>_admin_password_v1` — you can view it with
+`abra app secret show <app-name> admin_password`.
+
+### Auto-install on first deploy
+
+To skip the manual `abra app cmd ... core_install` step, enable auto-install:
+
+1. Set `AUTO_INSTALL=1` in your app config
+2. Uncomment `TITLE` and `ADMIN_EMAIL` (also `LOCALE` if needed)
+3. (Optional) Uncomment `SECRET_ADMIN_PASSWORD_VERSION=v1` and run `abra app secret generate`
+4. `abra app deploy <app-name>`
+
+On first deploy, the container will wait for the database, then automatically run
+`wp core install` and configure the site. It only runs once — subsequent deploys detect
+WordPress is already installed and skip.
+
+### Plugin and theme auto-updates
+
+By default, plugin and theme auto-updates are enabled during install and deploy.
+To disable this:
+
+1. Set `AUTO_UPDATES=0` in your app config
+2. `abra app deploy <app-name>`
+
+This affects `abra app cmd <app-name> app core_install`, `abra app cmd <app-name> app update`,
+and the `AUTO_INSTALL` background process.
+
+## Disable the web installer
+
+When migrating a site (importing a DB dump from an existing install), the web-based
+WordPress installer at `wp-admin/install.php` is a security risk — someone could
+accidentally run it and overwrite your data. To block it:
+
+1. Set `DISABLE_WEB_INSTALLER=1` in your app config
+2. `abra app deploy <app-name>`
+
+Apache inside the container will deny all requests to `wp-admin/install.php`. The CLI-based
+`abra app cmd <app-name> app core_install` still works unaffected.
 
 ## Email
 
-1. Deploy `postfix-relay`
-2. Edit `.envrc` and uncomment the email lines; change `MAIL_FROM` to make sure
-   the domain is the same as `postfix-relay`'s `$DOMAIN` or in its
-   `$EXTRA_SENDER_DOMAINS`
-3. `direnv allow` (or `source .envrc`)
-7. `abra deploy`
+There is a local or remote SMTP relay configuration available.
+
+* **local**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml`
+* **remote**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml:compose.smtp.yml`
+
+Below are the instructions for the local relay.
+
+1. Deploy [`postfix-relay`][cc-postfix-relay]
+2. `abra app config <app-name>`, and uncomment the email lines; change
+   `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s
+   `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
+3. `abra app deploy <app-name>`
+
+## WP-CLI
+
+You can either run using `abra app cmd`:
+```bash
+abra app cmd <app-name> app wp -- core check-update --major
+```
+
+Or by entering the app shell:
+1. `abra app run <app-name> app bash`
+2. `su -s /bin/bash www-data -c "wp core check-update --major"`
+
+## Network (Multi-site)
+
+1. Set up as above
+2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+3. `abra app deploy <app-name>`
+4. Log into the WordPress admin dashboard, go to **Tools → Network Setup**
+5. Don't worry about the suggested file changes
+6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
+7. `abra app deploy <app-name>`
+
+## Installing a custom theme
+
+`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+
+## Authentik Integration
+
+Configure the following envs via `abra app config <app-name>`:
+```bash
+COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+AUTHENTIK_DOMAIN=authentik.example.com
+AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
+AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
+```
+
+`abra app cmd <app-name> app set_authentik`
+
+## Tests
+
+Run the full test suite for this repository:
+
+```sh
+bash tests/run.sh
+```
+
+### Prerequisites
+
+The test suite uses several tools. Install them with your equivalent of:
+
+```sh
+brew install shellcheck gomplate
+```
+Some tests skip gracefully if their dependencies are missing.
+
+## Migrate from a non-Co-op Cloud WordPress install
+
+Make a `.tar.gz` backup of the site's `wp-content` dir and a `.sql.gz` backup of the database.
+
+1. `abra app wp.example.com restore app wp-content.tar.gz`
+2. `abra app wp.example.com restore db wordpress.sql.gz`
+
+Lastly, if there's a domain name change, run a search and replace:
+`abra app wp.example.com wp "search-replace https://old.example.com https://wp.example.com"`
 
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
+[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/postfix-relay

abra.sh

@@ -0,0 +1,120 @@
+export PHP_UPLOADS_CONF_VERSION=v4
+export ENTRYPOINT_CONF_VERSION=v10
+export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
+export MSMTP_CONF_VERSION=v4
+export HTACCESS_CONF_VERSION=v3
+export USERS_CONF_VERSION=v1
+
+wp() {
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $*"
+}
+
+update() {
+    wp "core update-db"
+    wp "plugin update --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "plugin auto-updates enable --all"
+    fi
+    wp "theme update --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "theme auto-updates enable --all"
+    fi
+    wp "language core update"
+    wp "language plugin update --all"
+    wp "language theme update --all"
+}
+
+core_install(){
+    ADMIN=admin
+    if [ -n "$AUTHENTIK_DOMAIN" ]
+    then
+        ADMIN=akadmin
+    fi
+    chown www-data:www-data -R /var/www/html/wp-content
+    ADMIN_PASSWORD=$(cat /run/secrets/admin_password 2>/dev/null | xargs || true)
+    ADMIN_PASS_ARG=""
+    if [ -n "$ADMIN_PASSWORD" ]; then
+        ADMIN_PASS_ARG="--admin_password=$ADMIN_PASSWORD"
+    fi
+    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email $ADMIN_PASS_ARG"
+    wp "language core install $LOCALE"
+    wp "site switch-language $LOCALE"
+    wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+    if [ -n "$DEFAULT_USER_ROLE" ]
+    then
+        wp "option set default_role $DEFAULT_USER_ROLE"
+    else
+        wp "option set default_role subscriber"
+    fi
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "theme auto-updates enable --all"
+        wp 'plugin auto-updates enable --all' || true
+    fi
+}
+
+enable_auto_updates(){
+  wp "plugin deactivate disable-update-notifications --allow-root"
+  wp "plugin uninstall disable-update-notifications --allow-root"
+  wp "option delete disable_notification_setting --allow-root"
+  wp "plugin auto-updates enable --all --allow-root"
+  wp "theme auto-updates enable --all --allow-root"
+}
+
+disable_auto_updates(){
+  wp "plugin install --activate disable-update-notifications"
+  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
+}
+
+set_authentik(){
+    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
+    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
+    if [ -z $LOGIN_TYPE ]
+    then
+        LOGIN_TYPE='button'
+    fi
+    wp "user create akadmin admin@example.com --role=administrator"
+    wp "plugin install --activate daggerhart-openid-connect-generic"
+    wp 'plugin auto-updates enable daggerhart-openid-connect-generic'
+    wp "option update --format=json openid_connect_generic_settings '
+    {
+        \"login_type\":\"$LOGIN_TYPE\",
+        \"client_id\":\"$AUTHENTIK_ID\",
+        \"client_secret\":\"$AUTHENTIK_SECRET\",
+        \"scope\":\"email profile openid\",
+        \"endpoint_login\":\"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
+        \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
+        \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
+        \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
+        \"endpoint_jwks\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/jwks/\",
+        \"issuer\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/\",
+        \"acr_values\":\"\",
+        \"identity_key\":\"preferred_username\",
+        \"no_sslverify\":\"0\",
+        \"http_request_timeout\":\"30\",
+        \"enforce_privacy\":\"0\",
+        \"alternate_redirect_uri\":\"1\",
+        \"nickname_key\":\"preferred_username\",
+        \"email_format\":\"{email}\",
+        \"displayname_format\":\"\",
+        \"identify_with_username\":\"1\",
+        \"state_time_limit\":\"\",
+        \"token_refresh_enable\":\"1\",
+        \"link_existing_users\":\"1\",
+        \"create_if_does_not_exist\":\"1\",
+        \"redirect_user_back\":\"0\",
+        \"redirect_on_logout\":\"1\",
+        \"enable_logging\":\"0\",
+        \"log_limit\":\"1000\"
+    }'"
+    wp "rewrite flush"
+    wp "cache flush"
+
+}
+
+fix_mysql() {
+  echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
+}
+
+show_plugins() {
+  wp "plugin list --fields=name,status,wporg_status,version,update_version,auto_update,tested_up_to,wporg_last_updated"
+}

alaconnect.yml

@@ -0,0 +1,16 @@
+authentik:
+    uncomment:
+        - compose.authentik.yml
+        - AUTHENTIK_DOMAIN
+        - SECRET_AUTHENTIK_SECRET_VERSION
+        - SECRET_AUTHENTIK_ID_VERSION
+        - LOGIN_TYPE
+    inital-hooks:
+        - app set_authentik
+    shared_secrets:
+        wordpress_secret: authentik_secret
+        wordpress_id: authentik_id
+matrix:
+    uncomment:
+        - compose.matrix.yml
+        - MATRIX_DOMAIN

backup.d/NOTES.md

@@ -1,3 +0,0 @@
-# Notes
-
-- The only thing different between [fr_singlesite_wordpress.yml](./fr_singlesite_wordpress.yml) and [fr_microsites_wordpress.yml](./fr_microsites_wordpress.yml) is the `BORGBASE_REPO` environment variable and the `backup_bot_singlesite_passwd_v1`/`backup_bot_multisite_passwd_v1` secret. These are the two details which are needed for Borgmatic to know how to differentiate between each repository on the Borgbase side (where our backups are stored). Sooo, there could most definitely be a reduction in boilerplate here but I was just moving super fast and wanted to get the backup work done.

backup.d/borgmatic.yml

@@ -1,36 +0,0 @@
-location:
-  source_directories:
-    - /var/www/html/wp-content
-  repositories:
-    - {{ env "BORGBASE_REPO" }}
-
-storage:
-  compression: auto,zstd
-  encryption_passphrase: {{ secret "backup_bot_password" }}
-  archive_name_format: "{hostname}-{now}"
-  ssh_command: "ssh -o 'StrictHostKeyChecking no' -i /run/secrets/backup_bot_ssh_key"
-
-retention:
-  keep_daily: 3
-  keep_weekly: 4
-  keep_monthly: 12
-  keep_yearly: 2
-  prefix: "{hostname}-"
-
-consistency:
-  checks:
-    - disabled
-  check_last: 3
-  prefix: "{hostname}-"
-
-hooks:
-  before_backup:
-    - echo "`date` - Starting backup"
-  after_backup:
-    - echo "`date` - Finished backup"
-  mysql_databases:
-    - name: {{ env "DB_TABLE" }}
-      hostname: {{ env "DB_HOST" }}
-      port: 3306
-      username: {{ env "DB_USER" }}
-      password: {{ secret "db_password" }}

backup.d/fr_microsites_wordpress.yml

@@ -1,47 +0,0 @@
----
-version: "3.8"
-
-services:
-  backupbot:
-    image: "decentral1se/backup-bot:latest"
-    networks:
-      - backend
-    volumes:
-      - "wordpress_content:/var/www/html/wp-content/"
-    secrets:
-      - source: backup_bot_ssh_key
-        mode: 0400
-      - backup_bot_password
-      - db_password
-    configs:
-      - source: borgmatic_config_yml
-        target: /etc/borgmatic/config.yaml
-    environment:
-      - BORGBASE_REPO="bp5oj726@bp5oj726.repo.borgbase.com:repo"
-      - DB_HOST=mariadb
-      - DB_TABLE=wordpress
-      - DB_USER=wordpress
-    deploy:
-      mode: replicated
-      replicas: 0
-      labels:
-        - "swarm.cronjob.enable=true"
-        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
-      restart_policy:
-        condition: none
-    networks:
-      - backend
-
-configs:
-  borgmatic_config_yml:
-    name: borgmatic_config_yml_v1
-    file: backup.d/borgmatic.yml
-    template_driver: golang
-
-secrets:
-  backup_bot_ssh_key:
-    name: backup_bot_ssh_key_v1
-    external: true
-  backup_bot_password:
-    name: backup_bot_multisite_passwd_v1
-    external: true

backup.d/fr_singlesite_wordpress.yml

@@ -1,47 +0,0 @@
----
-version: "3.8"
-
-services:
-  backupbot:
-    image: "decentral1se/backup-bot:latest"
-    networks:
-      - backend
-    volumes:
-      - "wordpress_content:/var/www/html/wp-content/"
-    secrets:
-      - source: backup_bot_ssh_key
-        mode: 0400
-      - backup_bot_password
-      - db_password
-    configs:
-      - source: borgmatic_config_yml
-        target: /etc/borgmatic/config.yaml
-    environment:
-      - BORGBASE_REPO="l32s99em@l32s99em.repo.borgbase.com:repo"
-      - DB_HOST=mariadb
-      - DB_TABLE=wordpress
-      - DB_USER=wordpress
-    deploy:
-      mode: replicated
-      replicas: 0
-      labels:
-        - "swarm.cronjob.enable=true"
-        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
-      restart_policy:
-        condition: none
-    networks:
-      - backend
-
-configs:
-  borgmatic_config_yml:
-    name: borgmatic_config_yml_v1
-    file: backup.d/borgmatic.yml
-    template_driver: golang
-
-secrets:
-  backup_bot_ssh_key:
-    name: backup_bot_ssh_key_v1
-    external: true
-  backup_bot_password:
-    name: backup_bot_singlesite_passwd_v1
-    external: true

compose.abra.yml

@@ -1,65 +0,0 @@
-# #############################################################################
-# NOTE(decentral1se): this is a test compose.yml to test abra based deployments
-# #############################################################################
-
----
-version: "3.8"
-
-services:
-  wordpress:
-    image: "wordpress:5.5.1"
-    networks:
-      - backend
-      - proxy
-    environment:
-      - WORDPRESS_DB_HOST=mariadb
-      - WORDPRESS_DB_USER=wordpress
-      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
-      - WORDPRESS_DB_NAME=wordpress
-    secrets:
-      - db_password
-    deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
-      labels:
-        - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
-        - "traefik.http.routers.${NAME}.tls=true"
-        - "traefik.http.services.${NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${NAME}.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${NAME}.tls.certresolver=production"
-        - "traefik.http.routers.${NAME}.entrypoints=web-secure"
-
-  mariadb:
-    image: "mariadb:10.5"
-    volumes:
-      - "mariadb:/var/lib/mysql"
-    networks:
-      - backend
-    environment:
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
-      - MYSQL_DATABASE=wordpress
-      - MYSQL_USER=wordpress
-      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-    secrets:
-      - db_password
-      - db_root_password
-
-networks:
-  backend:
-    driver: overlay
-  proxy:
-    external: true
-
-volumes:
-  mariadb:
-  wordpress_content:
-
-secrets:
-  db_root_password:
-    external: true
-    name: ${DB_ROOT_PASSWD}
-  db_password:
-    external: true
-    name: ${DB_PASSWD}

compose.authentik.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  app:
+    secrets:
+      - authentik_secret
+      - authentik_id
+
+secrets:
+  authentik_secret:
+    external: true
+    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
+  authentik_id:
+    external: true
+    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}

compose.composer.yml

@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - "composer:/var/www/html/composer"
+    environment:
+      - ENABLE_COMPOSER=1
+      - COMPOSER=composer/composer.json
+      - COMPOSER_VENDOR_DIR=composer/vendor
+
+volumes:
+  composer:

compose.ftp-2220.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2220:22

compose.ftp-2221.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2221:22

compose.ftp-2222.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2222:22

compose.ftp-2223.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2223:22

compose.ftp-2224.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2224:22

compose.ftp-2225.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    ports:
+      - 2220:22

compose.ftp.yml

@@ -0,0 +1,24 @@
+---
+version: "3.8"
+
+services:
+  ftp:
+    image: atmoz/sftp:alpine
+    secrets:
+      - ftp_pass
+    volumes:
+      - "wordpress_content:/home/ftp_user/wp-content"
+    configs:
+      - source: users_conf
+        target: /etc/sftp/users.conf
+
+secrets:
+  ftp_pass:
+    name: ${STACK_NAME}_ftp_pass_${SECRET_FTP_PASS_VERSION}
+    external: true
+
+configs:
+  users_conf:
+    name: ${STACK_NAME}_users_conf_${USERS_CONF_VERSION}
+    file: users.conf.tmpl
+    template_driver: golang

compose.mailrelay.yml

@@ -1,31 +1,26 @@
 ---
 version: "3.8"
- 
+
 services:
   app:
-    entrypoint: /docker-entrypoint.sh
+    entrypoint: /docker-entrypoint.mailrelay.sh
     environment:
       - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT:-25}
       - MAIL_FROM=${MAIL_FROM}
-    networks:
-      - mail
     configs:
       - source: mstmp_conf
         target: /etc/msmtprc
-      - source: entrypoint_conf
-        target: /docker-entrypoint.sh
+      - source: entrypoint_mailrelay_conf
+        target: /docker-entrypoint.mailrelay.sh
         mode: 0555
 
-networks:
-  mail:
-    external: true
-
 configs:
   mstmp_conf:
     name: ${STACK_NAME}_mstmp_conf_${MSMTP_CONF_VERSION}
     file: msmtp.conf.tmpl
     template_driver: golang
-  entrypoint_conf:
+  entrypoint_mailrelay_conf:
     name: ${STACK_NAME}_entrypoint_mailrelay_${ENTRYPOINT_MAILRELAY_CONF_VERSION}
     file: entrypoint.mailrelay.sh.tmpl
     template_driver: golang

compose.matrix.yml

@@ -0,0 +1,10 @@
+---
+version: "3.8"
+
+services:
+  app:
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"

compose.public-db.yml

@@ -0,0 +1,9 @@
+---
+version: "3.8"
+
+services:
+  db:
+    ports:
+      - target: 3306
+        published: 3306
+        mode: host

compose.selfmanaged.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: "wordpress:7.0.0"
+    volumes:
+      - "wordpress:/var/www/html/"
+    environment:
+      WORDPRESS_CONFIG_EXTRA: |
+        define( 'AUTOMATIC_UPDATER_DISABLED', false );
+        define( 'WP_AUTO_UPDATE_CORE', true );
+        define( 'FS_METHOD', 'direct' );
+        ${WORDPRESS_CONFIG_EXTRA}
+
+  ftp:
+    volumes:
+      - "wordpress:/home/ftp_user/"
+
+volumes:
+  wordpress:

compose.smtp.yml

@@ -0,0 +1,19 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - smtp_password
+    environment:
+      - SMTP_HOST
+      - SMTP_PORT=${SMTP_PORT:-25}
+      - SMTP_AUTH
+      - SMTP_TLS
+      - MAIL_FROM
+      - SMTP_OVERRIDE_FROM
+
+secrets:
+  smtp_password:
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+    external: true

compose.yml

@@ -3,20 +3,42 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:5.5.1"
+    image: "wordpress:7.0.0"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
       - backend
       - proxy
     environment:
-      - WORDPRESS_DB_HOST=db
-      - WORDPRESS_DB_USER=wordpress
-      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
-      - WORDPRESS_DB_NAME=wordpress
-      - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
+      WORDPRESS_CONFIG_EXTRA: |
+            define( 'AUTOMATIC_UPDATER_DISABLED', false );
+            define( 'WP_AUTO_UPDATE_CORE', false );
+            ${WORDPRESS_CONFIG_EXTRA}
+      PAGER: more
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: wordpress
+      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
+      WORDPRESS_DB_NAME: wordpress
+      WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
+      PHP_EXTENSIONS: ${PHP_EXTENSIONS}
+      CORS_ALLOW_ALL:
+      DISABLE_WEB_INSTALLER:
+      AUTO_INSTALL:
+      AUTO_UPDATES:
+      COMPOSER:
+      SECRET_ADMIN_PASSWORD_VERSION:
     secrets:
       - db_password
+      - admin_password
+    configs:
+      - source: php_uploads_conf
+        target: /usr/local/etc/php/conf.d/uploads.ini
+      - source: entrypoint_conf
+        target: /docker-entrypoint.sh
+        mode: 0555
+      - source: htaccess_conf
+        target: /var/www/html/.htaccess
+    entrypoint: /docker-entrypoint.sh
     depends_on:
       - db
     healthcheck:
@@ -31,18 +53,24 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.routers.${STACK_NAME}.tls=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         # 3wc: this rule works for routing, but not for generating certificates
-        # see https://git.autonomic.zone/compose-stacks/planning/issues/14
+        # see https://git.autonomic.zone/coop-cloud/planning/issues/14
         #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
+        - "coop-cloud.${STACK_NAME}.version=3.0.0+7.0.0"
 
   db:
-    image: "mariadb:10.5"
+    image: "mariadb:12.3"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -55,10 +83,15 @@ services:
     secrets:
       - db_password
       - db_root_password
+    deploy:
+      labels:
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz"
+        backupbot.backup.volumes.mariadb.path: "dump.sql.gz"
+        backupbot.restore.post-hook: "gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql"
 
 networks:
   backend:
-    driver: overlay
   proxy:
     external: true
 
@@ -69,7 +102,24 @@ volumes:
 secrets:
   db_root_password:
     external: true
-    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
   db_password:
     external: true
-    name: ${STACK_NAME}_db_password_${DB_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  admin_password:
+    external: true
+    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+
+configs:
+  entrypoint_conf:
+    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+  php_uploads_conf:
+    name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
+    file: uploads.ini.tmpl
+    template_driver: golang
+  htaccess_conf:
+    name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
+    file: htaccess.tmpl
+    template_driver: golang

entrypoint.mailrelay.sh.tmpl

@@ -4,6 +4,4 @@ apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y msmtp && rm
 
 echo "sendmail_path = /usr/bin/msmtp -t -i" > /usr/local/etc/php/conf.d/sendmail.ini
 
-# Upstream ENTRYPOINT
-# https://github.com/docker-library/wordpress/blob/master/php7.4/apache/Dockerfile#L120
-/usr/local/bin/docker-entrypoint.sh apache2-foreground "$@"
+/docker-entrypoint.sh

entrypoint.sh.tmpl

@@ -0,0 +1,131 @@
+#!/bin/bash
+
+{{ if (getenv "PHP_EXTENSIONS") }}
+docker-php-ext-install {{ getenv "PHP_EXTENSIONS" }}
+{{ end }}
+
+curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+chmod +x /usr/local/bin/wp
+
+{{ if eq (getenv "ENABLE_COMPOSER") "1" }}
+mkdir -p /var/www/.composer
+chown www-data:www-data /var/www/.composer /var/www/html/composer
+
+curl https://getcomposer.org/installer -o /tmp/composer-setup.php
+php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
+php /tmp/composer-setup.php
+rm /tmp/composer-setup.php
+
+mv /var/www/html/composer.phar /usr/local/bin/composer
+{{ end }}
+
+{{ if eq (getenv "CORS_ALLOW_ALL") "1" }}
+a2enmod headers
+sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
+{{ end }}
+
+{{ if eq (getenv "DISABLE_WEB_INSTALLER") "1" }}
+cat > /etc/apache2/conf-enabled/disable-installer.conf <<'EOF'
+<LocationMatch "^/wp-admin/install\.php">
+    Require all denied
+</LocationMatch>
+EOF
+{{ end }}
+
+{{ if eq (getenv "MULTISITE") "enable" }}
+export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
+define('WP_CACHE', false);
+define('WP_ALLOW_MULTISITE', true );"
+{{ end }}
+
+{{ if or (eq (getenv "MULTISITE") "subdomain") (eq (getenv "MULTISITE") "subfolder") }}
+export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
+define('MULTISITE', true);
+define('SUBDOMAIN_INSTALL', true);
+define('DOMAIN_CURRENT_SITE', '${DOMAIN}');
+define('PATH_CURRENT_SITE', '/');
+define('SITE_ID_CURRENT_SITE', 1);
+define('BLOG_ID_CURRENT_SITE', 1);
+define('FORCE_SSL_ADMIN', true );
+define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
+{{ end }}
+
+
+UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
+if [ ! -f "$UPLOADS_HTACCESS" ]; then
+    mkdir -p /var/www/html/wp-content/uploads
+    cat > "$UPLOADS_HTACCESS" <<'EOF'
+# Prevent PHP execution in uploads directory
+<FilesMatch "\.(?i:php|phtml|phar)$">
+    Require all denied
+</FilesMatch>
+EOF
+fi
+
+chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
+
+{{ if eq (getenv "AUTO_INSTALL") "1" }}
+(
+  DOMAIN="{{ getenv "DOMAIN" }}"
+  TITLE="{{ getenv "TITLE" }}"
+  ADMIN_EMAIL="{{ getenv "ADMIN_EMAIL" }}"
+  LOCALE="{{ getenv "LOCALE" }}"
+  DEFAULT_USER_ROLE="{{ getenv "DEFAULT_USER_ROLE" }}"
+  AUTO_UPDATES="{{ getenv "AUTO_UPDATES" }}"
+
+  # Wait for wp-config.php (created by upstream entrypoint)
+  for _ in $(seq 1 30); do
+    if [ -f /var/www/html/wp-config.php ]; then
+      break
+    fi
+    sleep 2
+  done
+
+  # Wait for DB to be reachable
+  for _ in $(seq 1 60); do
+    if su -p www-data -s /bin/bash -c "/usr/local/bin/wp db check" 2>/dev/null; then
+      break
+    fi
+    sleep 2
+  done
+
+  # Skip if already installed or required vars missing
+  if su -p www-data -s /bin/bash -c "/usr/local/bin/wp core is-installed" 2>/dev/null; then
+    exit 0
+  fi
+  if [ -z "$TITLE" ] || [ -z "$ADMIN_EMAIL" ]; then
+    exit 0
+  fi
+
+  ADMIN="admin"
+  ADMIN_PASSWORD=$(cat /run/secrets/admin_password 2>/dev/null | xargs || true)
+  ADMIN_PASS_ARG=""
+  if [ -n "$ADMIN_PASSWORD" ]; then
+    ADMIN_PASS_ARG="--admin_password=$ADMIN_PASSWORD"
+  fi
+
+  su -p www-data -s /bin/bash -c "/usr/local/bin/wp core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email $ADMIN_PASS_ARG"
+  if [ -n "$LOCALE" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp language core install $LOCALE"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp site switch-language $LOCALE"
+  fi
+  su -p www-data -s /bin/bash -c "/usr/local/bin/wp rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+  if [ -n "$DEFAULT_USER_ROLE" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp option set default_role $DEFAULT_USER_ROLE"
+  else
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp option set default_role subscriber"
+  fi
+  if [ "$AUTO_UPDATES" != "0" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp theme auto-updates enable --all"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp plugin auto-updates enable --all" || true
+  fi
+) &
+{{ end }}
+
+if [ $# -gt 0 ]; then
+	"$@"
+fi
+
+# Upstream ENTRYPOINT
+# https://github.com/docker-library/wordpress/blob/master/php7.4/apache/Dockerfile#L120
+/usr/local/bin/docker-entrypoint.sh apache2-foreground

htaccess.tmpl

@@ -0,0 +1,62 @@
+# Protect sensitive files from direct access
+<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
+    Require all denied
+</FilesMatch>
+
+{{ if eq (getenv "MULTISITE") "" -}}
+# BEGIN WordPress
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+
+# END WordPress
+{{- end -}}
+
+{{- if eq (getenv "MULTISITE") "subfolder" -}}
+# BEGIN WordPress Multisite
+# Using subfolder network type: https://wordpress.org/documentation/article/htaccess/#multisite
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+
+# add a trailing slash to /wp-admin
+RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
+
+RewriteCond %{REQUEST_FILENAME} -f [OR]
+RewriteCond %{REQUEST_FILENAME} -d
+RewriteRule ^ - [L]
+RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
+RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
+RewriteRule . index.php [L]
+
+# END WordPress Multisite
+{{- end -}}
+
+{{- if eq (getenv "MULTISITE") "subdomain" -}}
+# BEGIN WordPress Multisite
+# Using subdomain network type: https://wordpress.org/documentation/article/htaccess/#multisite
+
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+
+# add a trailing slash to /wp-admin
+RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
+
+RewriteCond %{REQUEST_FILENAME} -f [OR]
+RewriteCond %{REQUEST_FILENAME} -d
+RewriteRule ^ - [L]
+RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
+RewriteRule ^(.*\.php)$ $1 [L]
+RewriteRule . index.php [L]
+
+# END WordPress Multisite
+{{- end }}

msmtp.conf.tmpl

@@ -1,3 +1,19 @@
 account default
-host {{ env "SMTP_HOST" }}
-from {{ env "MAIL_FROM" }}
+host {{ getenv "SMTP_HOST" }}
+from {{ getenv "MAIL_FROM" }}
+user {{ or (getenv "SMTP_USER") (getenv "MAIL_FROM") }}
+port {{ getenv "SMTP_PORT" }}
+
+{{ if eq (getenv "SMTP_OVERRIDE_FROM") "on" }}
+set_from_header on
+{{ end }}
+
+{{ if eq (getenv "SMTP_AUTH") "on" }}
+auth {{ getenv "SMTP_AUTH" }}
+passwordeval "cat /run/secrets/smtp_password"
+{{ end }}
+
+{{ if eq (getenv "SMTP_TLS") "on" }}
+tls {{ getenv "SMTP_TLS" }}
+tls_trust_file /etc/ssl/certs/ca-certificates.crt
+{{ end }}

package.yml

@@ -1,17 +0,0 @@
----
-name: Wordpress
-description: Open source software you can use to create a beautiful website, blog, or app
-arguments:
-  name:
-    description: The name of your Wordpress application
-    example: my-cool-project
-  domain:
-    description: The domain name where your Wordpress will be available on the web
-    example: my-cool-project.com
-secrets:
-  db_passwd:
-    description: The normal user database password
-    length: 8
-  db_root_passwd:
-    description: The root user database password
-    length: 8

release/2.10.0+6.5.5

@@ -0,0 +1 @@
+Adds redirects and alakazam integration

release/2.13.2+6.7.1

@@ -0,0 +1 @@
+Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.

release/2.17.1+6.9.0

@@ -0,0 +1 @@
+Breaking change for openid plugin: The issuer must be provided, thus the set_authentik function now includes issuer and endpoint_jwks.

release/2.4.0+6.3.0

@@ -0,0 +1 @@
+The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.

release/2.7.0+6.4.2

@@ -0,0 +1 @@
+Multisite now also works with subpaths instead of subdomains. Also Multisite support was simplified. If you are using a subdomain multisite setup you can remove the `WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true);...` from your config and instead set MULTISITE=subdomain.

release/3.0.0+7.0.0

@@ -0,0 +1,6 @@
+- WordPress upgraded from 6.9.4 to 7.0 (major! test before deploying)
+- MariaDB upgraded from 10.x to 11.4 (major! SSL now enabled by default)
+- ENTRYPOINT_CONF_VERSION bumped to v9
+- Breaking: MariaDB 11.4 enables SSL by default — if clients don't support SSL, add --disable-ssl to db command
+- Breaking: WordPress 7.0 introduces new AI features and admin theme changes
+- Backup database and files before upgrading

renovate.json

@@ -1,6 +1,37 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:recommended"
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": ["(^|/)compose[^/]*\\.yml$"],
+      "matchStrings": [
+        "image:\\s*\"wordpress:(?<currentValue>[^\"]+)\"",
+        "image:\\s*\"mariadb:(?<currentValue>[^\"]+)\""
+      ],
+      "datasourceTemplate": "docker",
+      "lookupNameTemplate": "{{{packageName}}}"
+    },
+    {
+      "fileMatch": ["(^|/)\\.drone\\.yml$"],
+      "matchStrings": [
+        "gomplate/releases/download/v(?<currentValue>[\\d.]+)/gomplate_linux-amd64"
+      ],
+      "datasourceTemplate": "github-releases",
+      "lookupNameTemplate": "hairyhenderson/gomplate"
+    }
+  ],
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["wordpress"],
+      "enabled": true
+    },
+    {
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["mariadb"],
+      "enabled": true
+    }
   ]
 }

tests/fixtures/composer.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+ENABLE_COMPOSER=1

tests/fixtures/cors.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+CORS_ALLOW_ALL=1

tests/fixtures/default.env

@@ -0,0 +1 @@
+DOMAIN=wordpress.example.com

tests/fixtures/multisite-enable.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+MULTISITE=enable

tests/fixtures/multisite-subdomain.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+MULTISITE=subdomain

tests/fixtures/multisite-subfolder.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+MULTISITE=subfolder

tests/fixtures/php-extensions.env

@@ -0,0 +1,2 @@
+DOMAIN=wordpress.example.com
+PHP_EXTENSIONS=calendar

tests/fixtures/smtp-full.env

@@ -0,0 +1,8 @@
+DOMAIN=wordpress.example.com
+SMTP_HOST=mail.example.com
+SMTP_PORT=587
+MAIL_FROM=wordpress@example.com
+SMTP_USER=relay@example.com
+SMTP_AUTH=on
+SMTP_TLS=on
+SMTP_OVERRIDE_FROM=on

tests/fixtures/upload-sizes.env

@@ -0,0 +1,3 @@
+DOMAIN=wordpress.example.com
+UPLOAD_MAX_SIZE=512M
+UPLOAD_MAX_TIME=60

tests/run.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+set -euo pipefail
+
+# Root of the project directory
+ROOT="$(dirname "$(realpath "$0")")"
+
+echo "==================================="
+echo "  WordPress Recipe Test Suite"
+echo "==================================="
+echo ""
+
+# Collect all compose files for YAML validation
+COMPOSE_FILES=()
+while IFS= read -r f; do
+    COMPOSE_FILES+=("$f")
+done < <(find "$ROOT/.." -maxdepth 1 -name 'compose*.yml' | sort)
+
+# Collect all tmpl files for shellcheck (only those with bash content)
+SHELL_TMPL_FILES=()
+while IFS= read -r f; do
+    SHELL_TMPL_FILES+=("$f")
+done < <(find "$ROOT/.." -maxdepth 1 -name '*.sh.tmpl' | sort)
+
+# Track total failures across all test suites
+failures=0
+
+# Validate YAML syntax of all compose files
+echo "========================================================================"
+"$ROOT/test_yaml.sh" "${COMPOSE_FILES[@]}" || failures=$((failures + 1))
+echo ""
+
+# Lint shell scripts inside Go templates (after stripping template tags)
+echo "========================================================================"
+"$ROOT/test_shell.sh" "${SHELL_TMPL_FILES[@]}" || failures=$((failures + 1))
+echo ""
+
+# Render templates with fixture env files and verify expected output
+echo "========================================================================"
+"$ROOT/test_templates.sh" || failures=$((failures + 1))
+echo ""
+
+# Validate compose files against the Docker Compose specification
+echo "========================================================================"
+"$ROOT/test_compose_config.sh" || failures=$((failures + 1))
+echo ""
+
+echo "==================================="
+if [ "$failures" -eq 0 ]; then
+    echo "  All tests passed!"
+else
+    echo "  $failures test suite(s) failed"
+fi
+echo "==================================="
+exit "$failures"

tests/test_compose_config.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+set -euo pipefail
+
+ROOT="$(dirname "$(realpath "$0")")/.."
+pass=0
+fail=0
+
+# Detect available Docker Compose command
+compose_cmd=""
+if command -v docker &>/dev/null && docker compose version &>/dev/null 2>&1; then
+    compose_cmd="docker compose"
+elif command -v docker-compose &>/dev/null; then
+    compose_cmd="docker-compose"
+fi
+
+# Validate a compose file against the Docker Compose specification
+test_compose_config() {
+    local file=$1 main=${2:-}
+
+    # Skip if Docker Compose is not available on this system
+    if [ -z "$compose_cmd" ]; then
+        echo "  SKIP  $file (no docker compose available)"
+        return
+    fi
+
+    # Main compose file is validated standalone
+    if [ -z "$main" ]; then
+        if $compose_cmd -f "$file" config -q 2>/dev/null; then
+            echo "  PASS  $file"
+            pass=$((pass + 1))
+        else
+            echo "  FAIL  $file"
+            fail=$((fail + 1))
+        fi
+        return
+    fi
+
+    # Override files are validated combined with the main compose file.
+    # If the combination still fails, the override needs additional context
+    # (e.g. other override files) and is skipped rather than failed.
+    if $compose_cmd -f "$main" -f "$file" config -q 2>/dev/null; then
+        echo "  PASS  $file"
+        pass=$((pass + 1))
+    else
+        echo "  SKIP  $file (partial override, needs additional context)"
+        pass=$((pass + 1))
+    fi
+}
+
+echo "=== Docker Compose Config Validation ==="
+
+# Validate main compose file first, then all override files
+test_compose_config "$ROOT/compose.yml"
+
+while IFS= read -r f; do
+    # Skip the main compose file (already tested above)
+    [ "$f" = "$ROOT/compose.yml" ] && continue
+    [ -f "$f" ] && test_compose_config "$f" "$ROOT/compose.yml"
+done < <(find "$ROOT" -maxdepth 1 -name 'compose*.yml' | sort)
+
+echo "---"
+echo "Passed: $pass  Failed: $fail"
+# Exit with failure if any compose file failed validation
+[ "$fail" -eq 0 ]

tests/test_shell.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+set -euo pipefail
+
+pass=0
+fail=0
+
+# Skip if shellcheck is not installed
+if ! command -v shellcheck &>/dev/null; then
+    echo "=== ShellCheck ==="
+    echo "  SKIP  shellcheck not found"
+    echo "---"
+    echo "Passed: 0  Failed: 0"
+    exit 0
+fi
+
+# Allow overriding shellcheck options via env var (e.g. -s bash)
+EXTRA_SHELLCHECK_OPTS="${SHELLCHECK_OPTS:-}"
+
+# Run shellcheck on a Go template after stripping template tags
+shellcheck_tmpl() {
+    local tmpl=$1
+    # Strip Go template tags ({{ ... }} and {{- ... -}}) into whitespace
+    # so shellcheck can parse the remaining bash.
+    local cleaned
+    cleaned=$(sed 's/{{[-]*[^}]*[-]*}}/true/g' "$tmpl")
+
+    local tmpfile
+    tmpfile=$(mktemp)
+    printf '%s\n' "$cleaned" > "$tmpfile"
+
+    if shellcheck $EXTRA_SHELLCHECK_OPTS "$tmpfile"; then
+        echo "  PASS  $tmpl"
+        pass=$((pass + 1))
+    else
+        echo "  FAIL  $tmpl"
+        fail=$((fail + 1))
+    fi
+    rm -f "$tmpfile"
+}
+
+echo "=== ShellCheck ==="
+# Lint each template file passed as argument
+for f in "$@"; do
+    [ -f "$f" ] && shellcheck_tmpl "$f"
+done
+
+echo "---"
+echo "Passed: $pass  Failed: $fail"
+# Exit with failure if any template failed shellcheck
+[ "$fail" -eq 0 ]

tests/test_templates.sh

@@ -0,0 +1,301 @@
+#!/bin/bash
+set -euo pipefail
+
+ROOT="$(dirname "$(realpath "$0")")/.."
+pass=0
+fail=0
+
+# Allow overriding gomplate binary path via env var
+gomplate="${GOMPLATE_BIN:-gomplate}"
+
+# Ensure gomplate is installed before running template tests
+require_gomplate() {
+    if ! command -v "$gomplate" &>/dev/null; then
+        echo "  SKIP  gomplate not found (install from https://github.com/hairyhenderson/gomplate or set GOMPLATE_BIN)"
+        exit 0
+    fi
+}
+
+# Render a template by exporting env vars directly
+# This avoids gomplate datasource quirks with .env files
+render_via_env() {
+    local tmpl=$1 envfile=$2
+    set -a
+    # shellcheck disable=1090,1091
+    . "$envfile"
+    set +a
+    "$gomplate" -f "$tmpl" 2>/dev/null
+}
+
+# ---------------------------------------------------------------------------
+# entrypoint.sh.tmpl tests
+# ---------------------------------------------------------------------------
+
+# Default entrypoint: no multisite, uploads guard, chown with --from, wp-cli
+test_entrypoint_default() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    # Should NOT have multisite config
+    if echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
+        echo "  FAIL  entrypoint default: unexpected WP_ALLOW_MULTISITE"
+        return 1
+    fi
+    # Should have uploads .htaccess guard
+    if ! echo "$output" | grep -q "Prevent PHP execution in uploads"; then
+        echo "  FAIL  entrypoint default: missing uploads htaccess"
+        return 1
+    fi
+    # Should use --from=root:root on chown
+    if ! echo "$output" | grep -q "chown -R --from=root:root"; then
+        echo "  FAIL  entrypoint default: missing --from=root:root on chown"
+        return 1
+    fi
+    # Should have wp-cli download
+    if ! echo "$output" | grep -q "wp-cli.phar"; then
+        echo "  FAIL  entrypoint default: missing wp-cli download"
+        return 1
+    fi
+    echo "  PASS  entrypoint default"
+}
+
+# Multisite enable: should set WP_ALLOW_MULTISITE
+test_entrypoint_multisite_enable() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
+        echo "  FAIL  entrypoint multisite enable: missing WP_ALLOW_MULTISITE"
+        return 1
+    fi
+    echo "  PASS  entrypoint multisite enable"
+}
+
+# Multisite subdomain: should set MULTISITE, SUBDOMAIN_INSTALL, DOMAIN_CURRENT_SITE
+test_entrypoint_multisite_subdomain() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "MULTISITE"; then
+        echo "  FAIL  entrypoint multisite subdomain: missing MULTISITE"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
+        echo "  FAIL  entrypoint multisite subdomain: missing SUBDOMAIN_INSTALL"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "DOMAIN_CURRENT_SITE"; then
+        echo "  FAIL  entrypoint multisite subdomain: missing DOMAIN_CURRENT_SITE"
+        return 1
+    fi
+    echo "  PASS  entrypoint multisite subdomain"
+}
+
+# Multisite subfolder: should set MULTISITE but not SUBDOMAIN_INSTALL
+test_entrypoint_multisite_subfolder() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "MULTISITE"; then
+        echo "  FAIL  entrypoint multisite subfolder: missing MULTISITE"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
+        echo "  FAIL  entrypoint multisite subfolder: missing SUBDOMAIN_INSTALL"
+        return 1
+    fi
+    echo "  PASS  entrypoint multisite subfolder"
+}
+
+# CORS: should enable Apache headers module and set Access-Control-Allow-Origin
+test_entrypoint_cors() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "a2enmod headers"; then
+        echo "  FAIL  entrypoint CORS: missing a2enmod headers"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "Access-Control-Allow-Origin"; then
+        echo "  FAIL  entrypoint CORS: missing Access-Control-Allow-Origin"
+        return 1
+    fi
+    echo "  PASS  entrypoint CORS"
+}
+
+# PHP extensions: should install additional PHP extensions like calendar
+test_entrypoint_php_extensions() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "docker-php-ext-install calendar"; then
+        echo "  FAIL  entrypoint PHP extensions: missing docker-php-ext-install calendar"
+        return 1
+    fi
+    echo "  PASS  entrypoint PHP extensions"
+}
+
+# Composer: should download Composer via getcomposer.org
+test_entrypoint_composer() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "getcomposer.org"; then
+        echo "  FAIL  entrypoint composer: missing composer download"
+        return 1
+    fi
+    echo "  PASS  entrypoint composer"
+}
+
+# ---------------------------------------------------------------------------
+# htaccess.tmpl tests
+# ---------------------------------------------------------------------------
+
+# Default htaccess: standard WordPress rewrite rule, no multisite section
+test_htaccess_default() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "htaccess.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "RewriteRule . /index.php"; then
+        echo "  FAIL  htaccess default: missing standard rewrite rule"
+        return 1
+    fi
+    if echo "$output" | grep -q "WordPress Multisite"; then
+        echo "  FAIL  htaccess default: unexpected multisite section"
+        return 1
+    fi
+    echo "  PASS  htaccess default"
+}
+
+# Multisite htaccess: multisite section present, no standard rewrite rule
+test_htaccess_multisite() {
+    local envfile=$1 mode=$2
+    local output
+    output=$(render_via_env "htaccess.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "WordPress Multisite"; then
+        echo "  FAIL  htaccess multisite $mode: missing multisite section"
+        return 1
+    fi
+    if echo "$output" | grep -q "^RewriteRule . /index.php"; then
+        echo "  FAIL  htaccess multisite $mode: has non-multisite rewrite rule"
+        return 1
+    fi
+    echo "  PASS  htaccess multisite $mode"
+}
+
+# ---------------------------------------------------------------------------
+# uploads.ini.tmpl tests
+# ---------------------------------------------------------------------------
+
+# Default uploads config: 256M upload limit, 30s execution time
+test_uploads_default() {
+    local output
+    output=$(render_via_env "uploads.ini.tmpl" "tests/fixtures/default.env")
+
+    if ! echo "$output" | grep -q "upload_max_filesize = 256M"; then
+        echo "  FAIL  uploads default: expected 256M upload_max_filesize"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "max_execution_time = 30"; then
+        echo "  FAIL  uploads default: expected 30 max_execution_time"
+        return 1
+    fi
+    echo "  PASS  uploads default"
+}
+
+# Custom uploads config: 512M upload limit, 60s execution time
+test_uploads_custom() {
+    local envfile=$1
+    local output
+    output=$(render_via_env "uploads.ini.tmpl" "$envfile")
+
+    if ! echo "$output" | grep -q "upload_max_filesize = 512M"; then
+        echo "  FAIL  uploads custom: expected 512M"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "max_execution_time = 60"; then
+        echo "  FAIL  uploads custom: expected 60"
+        return 1
+    fi
+    echo "  PASS  uploads custom"
+}
+
+# ---------------------------------------------------------------------------
+# msmtp.conf.tmpl tests
+# ---------------------------------------------------------------------------
+
+# Full SMTP config: host, from, auth, passwordeval, TLS, set_from_header
+test_msmtp_default() {
+    local output
+    output=$(render_via_env "msmtp.conf.tmpl" "tests/fixtures/smtp-full.env")
+
+    if ! echo "$output" | grep -q "host mail.example.com"; then
+        echo "  FAIL  msmtp default: missing host"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "from wordpress@example.com"; then
+        echo "  FAIL  msmtp default: missing from"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "auth on"; then
+        echo "  FAIL  msmtp default: missing auth"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "passwordeval"; then
+        echo "  FAIL  msmtp default: missing passwordeval"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "tls on"; then
+        echo "  FAIL  msmtp default: missing tls"
+        return 1
+    fi
+    if ! echo "$output" | grep -q "set_from_header on"; then
+        echo "  FAIL  msmtp default: missing set_from_header"
+        return 1
+    fi
+    echo "  PASS  msmtp full config"
+}
+
+# ---------------------------------------------------------------------------
+# Run all template tests
+# ---------------------------------------------------------------------------
+echo "=== Template Rendering Tests ==="
+
+cd "$ROOT"
+
+echo "--- entrypoint.sh.tmpl ---"
+require_gomplate
+
+test_entrypoint_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_multisite_enable "tests/fixtures/multisite-enable.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_multisite_subdomain "tests/fixtures/multisite-subdomain.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_multisite_subfolder "tests/fixtures/multisite-subfolder.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_cors "tests/fixtures/cors.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_php_extensions "tests/fixtures/php-extensions.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_entrypoint_composer "tests/fixtures/composer.env" && pass=$((pass+1)) || fail=$((fail+1))
+
+echo "--- htaccess.tmpl ---"
+test_htaccess_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
+test_htaccess_multisite "tests/fixtures/multisite-subfolder.env" "subfolder" && pass=$((pass+1)) || fail=$((fail+1))
+test_htaccess_multisite "tests/fixtures/multisite-subdomain.env" "subdomain" && pass=$((pass+1)) || fail=$((fail+1))
+
+echo "--- uploads.ini.tmpl ---"
+test_uploads_default && pass=$((pass+1)) || fail=$((fail+1))
+test_uploads_custom "tests/fixtures/upload-sizes.env" && pass=$((pass+1)) || fail=$((fail+1))
+
+echo "--- msmtp.conf.tmpl ---"
+test_msmtp_default && pass=$((pass+1)) || fail=$((fail+1))
+
+echo "---"
+echo "Passed: $pass  Failed: $fail"
+# Exit with failure if any template test failed
+[ "$fail" -eq 0 ]

tests/test_yaml.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+set -euo pipefail
+
+pass=0
+fail=0
+
+# Detect available YAML checker: prefer yamllint, fall back to PyYAML
+checker=""
+if command -v yamllint &>/dev/null; then
+    checker=yamllint
+elif python3 -c "import yaml" 2>/dev/null; then
+    checker=python
+fi
+
+# Validate a single YAML file using the available checker
+test_yaml() {
+    local file=$1
+
+    # yamllint provides richer output; PyYAML just checks parseability
+    case "$checker" in
+        yamllint)
+            if yamllint -d "{extends: relaxed, rules: {line-length: disable}}" "$file"; then
+                echo "  PASS  $file"
+                pass=$((pass+1))
+            else
+                echo "  FAIL  $file"
+                fail=$((fail+1))
+            fi
+            ;;
+        python)
+            if python3 -c "
+import yaml, sys
+with open('$file') as f:
+    yaml.safe_load(f)
+" 2>/dev/null; then
+                echo "  PASS  $file"
+                pass=$((pass+1))
+            else
+                echo "  FAIL  $file"
+                fail=$((fail+1))
+            fi
+            ;;
+        # Skip silently if no YAML checker is installed
+        *)
+            echo "  SKIP  $file (no yamllint or PyYAML)"
+            pass=$((pass+1))
+            ;;
+    esac
+}
+
+echo "=== YAML Validation ==="
+# Test each compose file passed as argument
+for f in "$@"; do
+    [ -f "$f" ] && test_yaml "$f"
+done
+
+echo "---"
+echo "Passed: $pass  Failed: $fail"
+# Exit with failure if any file failed validation
+[ "$fail" -eq 0 ]

uploads.ini.tmpl

@@ -0,0 +1,11 @@
+{{- $upload_max_size := "256M" -}}
+{{- if ne (getenv "UPLOAD_MAX_SIZE") "" }}{{ $upload_max_size = getenv "UPLOAD_MAX_SIZE" }}{{ end -}}
+{{- $upload_max_time := "30" -}}
+{{- if ne (getenv "UPLOAD_MAX_TIME") "" }}{{ $upload_max_time = getenv "UPLOAD_MAX_TIME" }}{{ end -}}
+
+file_uploads = On
+upload_max_filesize = {{ $upload_max_size }}
+post_max_size = {{ $upload_max_size }}
+memory_limit = {{ $upload_max_size }}
+max_execution_time = {{ $upload_max_time }}
+max_input_time = {{ $upload_max_time }}

users.conf.tmpl

@@ -0,0 +1 @@
+ftp_user:{{ secret "ftp_pass" }}:33:33