Add AUTO_UPDATES docs to README

Reviewed-on: coop-cloud/wordpress#64

.env.sample

@@ -16,6 +16,13 @@ LETS_ENCRYPT_ENV=production
 # Setup Wordpress settings on each deploy:
 #POST_DEPLOY_CMDS="app core_install"
 
+# Automatically install WordPress on first deploy (requires TITLE and ADMIN_EMAIL)
+#AUTO_INSTALL=1
+
+# Enable auto-updates for plugins and themes on install/deploy (default: on)
+# Set to 0 to disable automatic plugin/theme updates
+#AUTO_UPDATES=1
+
 # Optional settings, otherwise can be set in the installer
 # (Required for `app core_install`
 #TITLE="My Example Blog"
@@ -38,6 +45,7 @@ LETS_ENCRYPT_ENV=production
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_ADMIN_PASSWORD_VERSION=v1
 
 # Mostly for compatibility with existing database dumps...
 #WORDPRESS_TABLE_PREFIX=wp_
@@ -84,6 +92,9 @@ SECRET_DB_PASSWORD_VERSION=v1
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
 
+# Disable the WordPress web installer (useful when migrating/importing a DB dump)
+#DISABLE_WEB_INSTALLER=1
+
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1

README.md

@@ -13,51 +13,66 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 * **Backups**: Yes
 * **Email**: 3
 * **Tests**: 2
-* **SSO**: No
+* **SSO**: 2
 
 <!-- endmetadata -->
 
-
 ## Quick start
 
-
 * `abra app new wordpress`
 * `abra app config <app-name>`
 * `abra app secret generate -a <app-name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app-name> app core_install`
 
-### Authentik Integration
+### Admin password
 
+By default, WordPress generates a random admin password during `core_install` and prints it
+to the command output. To set a known password managed as a Docker secret:
 
-`abra app config <app-name>` 
+1. Uncomment `SECRET_ADMIN_PASSWORD_VERSION=v1` in your app config
-Configure the following envs:
+2. `abra app secret generate -a <app-name>` (creates a random password)
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-AUTHENTIK_DOMAIN=authentik.example.com
-AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
-AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
-```
-
-`abra app cmd <app-name> app set_authentik`
-
-## Running WP-CLI
-
-`abra app cmd <app-name> app wp -- core check-update --major`
-
-## Network (Multi-site)
-
-1. Set up as above
-2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
 3. `abra app deploy <app-name>`
-4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
+4. `abra app cmd <app-name> app core_install`
-5. Don't worry about the suggested file changes
-6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
-7. `abra app deploy <app-name>`
 
-## Installing a custom theme
+The password is stored in `<app-name>_admin_password_v1` — you can view it with
+`abra app secret show <app-name> admin_password`.
 
-`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+### Auto-install on first deploy
+
+To skip the manual `abra app cmd ... core_install` step, enable auto-install:
+
+1. Set `AUTO_INSTALL=1` in your app config
+2. Uncomment `TITLE` and `ADMIN_EMAIL` (also `LOCALE` if needed)
+3. (Optional) Uncomment `SECRET_ADMIN_PASSWORD_VERSION=v1` and run `abra app secret generate`
+4. `abra app deploy <app-name>`
+
+On first deploy, the container will wait for the database, then automatically run
+`wp core install` and configure the site. It only runs once — subsequent deploys detect
+WordPress is already installed and skip.
+
+### Plugin and theme auto-updates
+
+By default, plugin and theme auto-updates are enabled during install and deploy.
+To disable this:
+
+1. Set `AUTO_UPDATES=0` in your app config
+2. `abra app deploy <app-name>`
+
+This affects `abra app cmd <app-name> app core_install`, `abra app cmd <app-name> app update`,
+and the `AUTO_INSTALL` background process.
+
+## Disable the web installer
+
+When migrating a site (importing a DB dump from an existing install), the web-based
+WordPress installer at `wp-admin/install.php` is a security risk — someone could
+accidentally run it and overwrite your data. To block it:
+
+1. Set `DISABLE_WEB_INSTALLER=1` in your app config
+2. `abra app deploy <app-name>`
+
+Apache inside the container will deny all requests to `wp-admin/install.php`. The CLI-based
+`abra app cmd <app-name> app core_install` still works unaffected.
 
 ## Email
 
@@ -74,9 +89,46 @@ Below are the instructions for the local relay.
    `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
 3. `abra app deploy <app-name>`
 
+## WP-CLI
+
+You can either run using `abra app cmd`:
+```bash
+abra app cmd <app-name> app wp -- core check-update --major
+```
+
+Or by entering the app shell:
+1. `abra app run <app-name> app bash`
+2. `su -s /bin/bash www-data -c "wp core check-update --major"`
+
+## Network (Multi-site)
+
+1. Set up as above
+2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+3. `abra app deploy <app-name>`
+4. Log into the WordPress admin dashboard, go to **Tools → Network Setup**
+5. Don't worry about the suggested file changes
+6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
+7. `abra app deploy <app-name>`
+
+## Installing a custom theme
+
+`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+
+## Authentik Integration
+
+Configure the following envs via `abra app config <app-name>`:
+```bash
+COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+AUTHENTIK_DOMAIN=authentik.example.com
+AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
+AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
+```
+
+`abra app cmd <app-name> app set_authentik`
+
 ## Tests
 
-Run the full test suite:
+Run the full test suite for this repository:
 
 ```sh
 bash tests/run.sh
@@ -91,11 +143,9 @@ brew install shellcheck gomplate
 ```
 Some tests skip gracefully if their dependencies are missing.
 
-[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
+## Migrate from a non-Co-op Cloud WordPress install
 
-## Migrate from a non-Co-op Cloud Wordpress install
+Make a `.tar.gz` backup of the site's `wp-content` dir and a `.sql.gz` backup of the database.
-
-Make a .tar.gz backup of the site's wp-content dir and an .sql.gz backup of the database.
 
 1. `abra app wp.example.com restore app wp-content.tar.gz`
 2. `abra app wp.example.com restore db wordpress.sql.gz`
@@ -103,5 +153,6 @@ Make a .tar.gz backup of the site's wp-content dir and an .sql.gz backup of the
 Lastly, if there's a domain name change, run a search and replace:
 `abra app wp.example.com wp "search-replace https://old.example.com https://wp.example.com"`
 
+[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
-[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik
+[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/postfix-relay

abra.sh

@@ -1,20 +1,24 @@
 export PHP_UPLOADS_CONF_VERSION=v4
-export ENTRYPOINT_CONF_VERSION=v9
+export ENTRYPOINT_CONF_VERSION=v10
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
 export HTACCESS_CONF_VERSION=v3
 export USERS_CONF_VERSION=v1
 
 wp() {
-    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $*"
 }
 
 update() {
     wp "core update-db"
     wp "plugin update --all"
-    wp "plugin auto-updates enable --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "plugin auto-updates enable --all"
+    fi
     wp "theme update --all"
-    wp "theme auto-updates enable --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
+        wp "theme auto-updates enable --all"
+    fi
     wp "language core update"
     wp "language plugin update --all"
     wp "language theme update --all"
@@ -27,7 +31,12 @@ core_install(){
         ADMIN=akadmin
     fi
     chown www-data:www-data -R /var/www/html/wp-content
-    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email"
+    ADMIN_PASSWORD=$(cat /run/secrets/admin_password 2>/dev/null | xargs || true)
+    ADMIN_PASS_ARG=""
+    if [ -n "$ADMIN_PASSWORD" ]; then
+        ADMIN_PASS_ARG="--admin_password=$ADMIN_PASSWORD"
+    fi
+    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email $ADMIN_PASS_ARG"
     wp "language core install $LOCALE"
     wp "site switch-language $LOCALE"
     wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
@@ -37,8 +46,10 @@ core_install(){
     else
         wp "option set default_role subscriber"
     fi
-    wp "theme auto-updates enable --all"
+    if [ "$AUTO_UPDATES" != "0" ]; then
-    wp 'plugin auto-updates enable --all' || true
+        wp "theme auto-updates enable --all"
+        wp 'plugin auto-updates enable --all' || true
+    fi
 }
 
 enable_auto_updates(){

compose.yml

@@ -22,9 +22,14 @@ services:
       WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
       PHP_EXTENSIONS: ${PHP_EXTENSIONS}
       CORS_ALLOW_ALL:
+      DISABLE_WEB_INSTALLER:
+      AUTO_INSTALL:
+      AUTO_UPDATES:
       COMPOSER:
+      SECRET_ADMIN_PASSWORD_VERSION:
     secrets:
       - db_password
+      - admin_password
     configs:
       - source: php_uploads_conf
         target: /usr/local/etc/php/conf.d/uploads.ini
@@ -101,6 +106,9 @@ secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  admin_password:
+    external: true
+    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
 
 configs:
   entrypoint_conf:

entrypoint.sh.tmpl

@@ -24,6 +24,14 @@ a2enmod headers
 sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
 {{ end }}
 
+{{ if eq (getenv "DISABLE_WEB_INSTALLER") "1" }}
+cat > /etc/apache2/conf-enabled/disable-installer.conf <<'EOF'
+<LocationMatch "^/wp-admin/install\.php">
+    Require all denied
+</LocationMatch>
+EOF
+{{ end }}
+
 {{ if eq (getenv "MULTISITE") "enable" }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('WP_CACHE', false);
@@ -56,6 +64,64 @@ fi
 
 chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
 
+{{ if eq (getenv "AUTO_INSTALL") "1" }}
+(
+  DOMAIN="{{ getenv "DOMAIN" }}"
+  TITLE="{{ getenv "TITLE" }}"
+  ADMIN_EMAIL="{{ getenv "ADMIN_EMAIL" }}"
+  LOCALE="{{ getenv "LOCALE" }}"
+  DEFAULT_USER_ROLE="{{ getenv "DEFAULT_USER_ROLE" }}"
+  AUTO_UPDATES="{{ getenv "AUTO_UPDATES" }}"
+
+  # Wait for wp-config.php (created by upstream entrypoint)
+  for _ in $(seq 1 30); do
+    if [ -f /var/www/html/wp-config.php ]; then
+      break
+    fi
+    sleep 2
+  done
+
+  # Wait for DB to be reachable
+  for _ in $(seq 1 60); do
+    if su -p www-data -s /bin/bash -c "/usr/local/bin/wp db check" 2>/dev/null; then
+      break
+    fi
+    sleep 2
+  done
+
+  # Skip if already installed or required vars missing
+  if su -p www-data -s /bin/bash -c "/usr/local/bin/wp core is-installed" 2>/dev/null; then
+    exit 0
+  fi
+  if [ -z "$TITLE" ] || [ -z "$ADMIN_EMAIL" ]; then
+    exit 0
+  fi
+
+  ADMIN="admin"
+  ADMIN_PASSWORD=$(cat /run/secrets/admin_password 2>/dev/null | xargs || true)
+  ADMIN_PASS_ARG=""
+  if [ -n "$ADMIN_PASSWORD" ]; then
+    ADMIN_PASS_ARG="--admin_password=$ADMIN_PASSWORD"
+  fi
+
+  su -p www-data -s /bin/bash -c "/usr/local/bin/wp core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email $ADMIN_PASS_ARG"
+  if [ -n "$LOCALE" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp language core install $LOCALE"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp site switch-language $LOCALE"
+  fi
+  su -p www-data -s /bin/bash -c "/usr/local/bin/wp rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+  if [ -n "$DEFAULT_USER_ROLE" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp option set default_role $DEFAULT_USER_ROLE"
+  else
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp option set default_role subscriber"
+  fi
+  if [ "$AUTO_UPDATES" != "0" ]; then
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp theme auto-updates enable --all"
+    su -p www-data -s /bin/bash -c "/usr/local/bin/wp plugin auto-updates enable --all" || true
+  fi
+) &
+{{ end }}
+
 if [ $# -gt 0 ]; then
 	"$@"
 fi