chore: publish 2.5.2+6.3.0 release

.drone.yml

@@ -1,51 +1,29 @@
 ---
 kind: pipeline
-name: test and deploy to swarm-test.autonomic.zone
-
+name: deploy to swarm-test.autonomic.zone
 steps:
-  - name: test
-    image: alpine:3.21
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: wordpress
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
     environment:
-      SHELLCHECK_OPTS: -s bash
-    commands:
-      - apk add --no-cache bash shellcheck py3-pip py3-yaml curl
-      - pip3 install --break-system-packages yamllint 2>/dev/null || true
-      - curl -sSLo /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/latest/download/gomplate_linux-amd64
-      - chmod +x /usr/local/bin/gomplate
-      - tests/run.sh
-
-  # deployment step disabled: swarm-test.autonomic.zone is down
-  # - name: deployment
-  #   image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-  #   when:
-  #     event:
-  #       - push
-  #     branch:
-  #       - main
-  #   settings:
-  #     host: swarm-test.autonomic.zone
-  #     stack: wordpress
-  #     generate_secrets: true
-  #     purge: true
-  #     deploy_key:
-  #       from_secret: drone_ssh_swarm_test
-  #     networks:
-  #       - proxy
-  #   environment:
-  #     DOMAIN: wordpress.swarm-test.autonomic.zone
-  #     STACK_NAME: wordpress
-  #     LETS_ENCRYPT_ENV: production
-  #     SECRET_DB_PASSWORD_VERSION: v1
-  #     SECRET_DB_ROOT_PASSWORD_VERSION: v1
-  #     PHP_UPLOADS_CONF_VERSION: v1
-  #     ENTRYPOINT_CONF_VERSION: v1
-  #     HTACCESS_CONF_VERSION: v1
+      DOMAIN: wordpress.swarm-test.autonomic.zone
+      STACK_NAME: wordpress
+      LETS_ENCRYPT_ENV: production
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_DB_ROOT_PASSWORD_VERSION: v1
+      PHP_UPLOADS_CONF_VERSION: v1
+      ENTRYPOINT_CONF_VERSION: v1
 trigger:
-  event:
-    - push
-    - pull_request
   branch:
-    - main
+    - master
 ---
 kind: pipeline
 name: generate recipe catalogue
@@ -58,7 +36,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,16 +1,11 @@
 TYPE=wordpress
-#TIMEOUT=300
+TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 COMPOSE_FILE="compose.yml"
-ENABLE_BACKUPS=true
 
 DOMAIN=wordpress.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress.example.com`'
-# Redirects
-# All redirect domains have to be added to EXTRA_DOMAINS as well)
-# multiple redirects can be added by seperating them with a | character
-#REDIRECTS=www.wordpress.example.com
 LETS_ENCRYPT_ENV=production
 
 # Setup Wordpress settings on each deploy:
@@ -25,11 +20,8 @@ LETS_ENCRYPT_ENV=production
 # Every new user is per default subscriber, uncomment to change it
 #DEFAULT_USER_ROLE=administrator
 
-# PHP composer for plugin installation
-#COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
-
-# Self managed Wordpress for automatic updates
-#COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
+# Uncomment to install PHP Composer
+#COMPOSER=1
 
 #WORDPRESS_DEBUG=true
 
@@ -42,12 +34,13 @@ SECRET_DB_PASSWORD_VERSION=v1
 # Mostly for compatibility with existing database dumps...
 #WORDPRESS_TABLE_PREFIX=wp_
 
-# Multisite (see README)
-#MULTISITE=enable # either 'enable', 'subdomain' or 'subfolder'
+# Multisite
+#WORDPRESS_CONFIG_EXTRA="\
+#define('WP_CACHE', false);\
+#define('WP_ALLOW_MULTISITE', true );"
 
-# File upload settings
-#UPLOAD_MAX_SIZE=256M
-#UPLOAD_MAX_TIME=30
+# Multisite phase 2 (see README)
+#WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true); define('SUBDOMAIN_INSTALL', true); define('DOMAIN_CURRENT_SITE', '${DOMAIN}'); define('PATH_CURRENT_SITE', '/');	define('SITE_ID_CURRENT_SITE', 1); define('BLOG_ID_CURRENT_SITE', 1); define('FORCE_SSL_ADMIN', true ); define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 
 # Local SMTP relay
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
@@ -55,7 +48,7 @@ SECRET_DB_PASSWORD_VERSION=v1
 #MAIL_FROM="wordpress@example.com"
 
 # Remote SMTP relay
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml:compose.smtp.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #SMTP_HOST="mail.example.com"
 #MAIL_FROM="wordpress@example.com"
 #SMTP_USER="wordpress@example.com"  # optional, defaults to MAIL_FROM
@@ -72,10 +65,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 #SECRET_AUTHENTIK_ID_VERSION=v1
 #LOGIN_TYPE='auto'
 
-# Matrix .well-known redirect
-#COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
-#MATRIX_DOMAIN=matrix.example.com
-
 # Allow remote connections to db
 # 🚩🚩 dangerous, use only for development sites!
 #COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
@@ -84,13 +73,8 @@ SECRET_DB_PASSWORD_VERSION=v1
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
 
+
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1
-# You can use a Port between 2220-2225
-#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2220.yml"
-#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2221.yml"
-#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml"
-#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
-#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
-#COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"
+#USERS_CONF_VERSION=v1

.gitignore

@@ -1,22 +1 @@
-# direnv
 /.envrc
-
-# Environment files (may contain secrets)
-.env
-
-# Logs
-*.log
-
-# OS metadata
-.DS_Store
-Thumbs.db
-
-# Editor/IDE
-*.swp
-*.swo
-*~
-*.bak
-.idea/
-.vscode/
-.project
-.classpath

README.md

@@ -7,7 +7,7 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**: 4
+* **Status**: 3, stable
 * **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
@@ -47,12 +47,16 @@ AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authen
 
 ## Network (Multi-site)
 
+_(Only tested using subdomains)_
+
 1. Set up as above
-2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+2. `abra app config <app-name>`, and uncomment the first `# Multisite` section
 3. `abra app deploy <app-name>`
 4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
 5. Don't worry about the suggested file changes
-6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
+6. `abra app config <app-name>` again - comment out the first `# Multisite`
+   section in `.envrc`, uncomment the `# Multisite phase 2` section, and add
+   your multisite subdomain(s) to `EXTRA_DOMAINS` (beware the weird syntax..)
 7. `abra app deploy <app-name>`
 
 ## Installing a custom theme

abra.sh

@@ -1,25 +1,12 @@
-export PHP_UPLOADS_CONF_VERSION=v4
-export ENTRYPOINT_CONF_VERSION=v8
+export PHP_UPLOADS_CONF_VERSION=v3
+export ENTRYPOINT_CONF_VERSION=v5
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
-export HTACCESS_CONF_VERSION=v3
-export USERS_CONF_VERSION=v1
 
 wp() {
     su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
 }
 
-update() {
-    wp "core update-db"
-    wp "plugin update --all"
-    wp "plugin auto-updates enable --all"
-    wp "theme update --all"
-    wp "theme auto-updates enable --all"
-    wp "language core update"
-    wp "language plugin update --all"
-    wp "language theme update --all"
-}
-
 core_install(){
     ADMIN=admin
     if [ -n "$AUTHENTIK_DOMAIN" ]
@@ -31,27 +18,15 @@ core_install(){
     wp "language core install $LOCALE"
     wp "site switch-language $LOCALE"
     wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+    wp "plugin install --activate disable-update-notifications"
+    wp 'option update dwcun_setting on' 
     if [ -n "$DEFAULT_USER_ROLE" ]
     then
         wp "option set default_role $DEFAULT_USER_ROLE"
     else
         wp "option set default_role subscriber"
     fi
-    wp "theme auto-updates enable --all"
-    wp 'plugin auto-updates enable --all' || true
-}
-
-enable_auto_updates(){
-  wp "plugin deactivate disable-update-notifications --allow-root"
-  wp "plugin uninstall disable-update-notifications --allow-root"
-  wp "option delete disable_notification_setting --allow-root"
-  wp "plugin auto-updates enable --all --allow-root"
-  wp "theme auto-updates enable --all --allow-root"
-}
-
-disable_auto_updates(){
-  wp "plugin install --activate disable-update-notifications"
-  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
+    wp 'plugin auto-updates enable --all' || exit 0
 }
 
 set_authentik(){
@@ -63,7 +38,6 @@ set_authentik(){
     fi
     wp "user create akadmin admin@example.com --role=administrator"
     wp "plugin install --activate daggerhart-openid-connect-generic"
-    wp 'plugin auto-updates enable daggerhart-openid-connect-generic'
     wp "option update --format=json openid_connect_generic_settings '
     {
         \"login_type\":\"$LOGIN_TYPE\",
@@ -74,8 +48,6 @@ set_authentik(){
         \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
         \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
         \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
-        \"endpoint_jwks\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/jwks/\",
-        \"issuer\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/\",
         \"acr_values\":\"\",
         \"identity_key\":\"preferred_username\",
         \"no_sslverify\":\"0\",
@@ -104,6 +76,76 @@ fix_mysql() {
   echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
 }
 
-show_plugins() {
-  wp "plugin list --fields=name,status,wporg_status,version,update_version,auto_update,tested_up_to,wporg_last_updated"
+sub_wp() {
+  CONTAINER=$(docker container ls -f "Name=${STACK_NAME}_app" --format '{{ .ID }}')
+  if [ -z "$CONTAINER" ]; then
+    error "Can't find a container for ${STACK_NAME}_app"
+    exit
+  fi
+  debug "Using Container ID ${CONTAINER}"
+
+  # FIXME 3wc: we're fighting the Wordpress image, which recommends a named
+  # volume for /var/www/html -- this used to work fine using --volumes-from
+  # because the actual MySQL password was inserted into the generated
+  # wp-config.php -- but as of Wordpress 5.7.0, wp-config loads data straight
+  # from the environment, which requires Docker secrets to work, which only work
+  # in swarm services (not one-off `docker run` commands). Defining a `cli`
+  # service in compose.yml almost works, but there's no volumes_from: in Compose
+  # V3, and without it then the `cli` service can't access Wordpress core.
+  # See https://git.autonomic.zone/coop-cloud/wordpress/issues/21
+  warning "Slowly looking up MySQL password..."
+  silence
+  abra__service_="app"
+  DB_PASSWORD="$(sub_app_run cat "/run/secrets/db_password")"
+  unsilence
+
+  # shellcheck disable=SC2154,SC2086
+  docker run -it \
+	--volumes-from "$CONTAINER" \
+	--network "container:$CONTAINER" \
+	-u xfs:xfs \
+    -e WORDPRESS_DB_HOST=db \
+    -e WORDPRESS_DB_USER=wordpress \
+    -e WORDPRESS_DB_PASSWORD="${DB_PASSWORD}" \
+    -e WORDPRESS_DB_NAME=wordpress \
+    -e WORDPRESS_CONFIG_EXTRA="${WORDPRESS_CONFIG_EXTRA}" \
+	wordpress:cli wp ${abra__args_[*]}
+}
+
+abra_backup_app() {
+  _abra_backup_dir "app:/var/www/html/wp-content"
+}
+
+abra_backup_db() {
+  _abra_backup_mysql "db" "wordpress"
+}
+
+abra_backup() {
+  abra_backup_app && abra_backup_db
+}
+
+abra_restore_app() {
+  # shellcheck disable=SC2034
+  {
+	abra__src_="-"
+	abra__dst_="app:/var/www/html/"
+  }
+
+  zcat "$@" | sub_app_cp
+
+  success "Restored 'app'"
+}
+
+abra_restore_db() {
+  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
+  # got this far..
+
+  # shellcheck disable=SC2034
+  abra___no_tty="true"
+
+  DB_ROOT_PASSWORD=$(sub_app_run cat /run/secrets/db_root_password)
+
+  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
+
+  success "Restored 'db'"
 }

alaconnect.yml

@@ -1,16 +0,0 @@
-authentik:
-    uncomment:
-        - compose.authentik.yml
-        - AUTHENTIK_DOMAIN
-        - SECRET_AUTHENTIK_SECRET_VERSION
-        - SECRET_AUTHENTIK_ID_VERSION
-        - LOGIN_TYPE
-    inital-hooks:
-        - app set_authentik
-    shared_secrets:
-        wordpress_secret: authentik_secret
-        wordpress_id: authentik_id
-matrix:
-    uncomment:
-        - compose.matrix.yml
-        - MATRIX_DOMAIN

compose.composer.yml

@@ -1,14 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    volumes:
-      - "composer:/var/www/html/composer"
-    environment:
-      - ENABLE_COMPOSER=1
-      - COMPOSER=composer/composer.json
-      - COMPOSER_VENDOR_DIR=composer/vendor
-
-volumes:
-  composer:

compose.ftp-2220.yml

@@ -1,7 +0,0 @@
----
-version: "3.8"
-
-services:
-  ftp:
-    ports:
-        - 2220:22

compose.ftp-2221.yml

@@ -1,7 +0,0 @@
----
-version: "3.8"
-
-services:
-  ftp:
-    ports:
-        - 2221:22

compose.ftp-2222.yml

@@ -1,7 +0,0 @@
----
-version: "3.8"
-
-services:
-  ftp:
-    ports:
-        - 2222:22

compose.ftp-2223.yml

@@ -1,7 +0,0 @@
----
-version: "3.8"
-
-services:
-  ftp:
-    ports:
-        - 2223:22

compose.ftp-2224.yml

@@ -1,7 +0,0 @@
----
-version: "3.8"
-
-services:
-  ftp:
-    ports:
-        - 2224:22

compose.ftp-2225.yml

@@ -1,7 +0,0 @@
----
-version: "3.8"
-
-services:
-  ftp:
-    ports:
-        - 2220:22

compose.ftp.yml

@@ -3,9 +3,11 @@ version: "3.8"
 
 services:
   ftp:
-    image: atmoz/sftp:alpine
+    image: atmoz/sftp
     secrets:
       - ftp_pass
+    ports:
+        - 2222:22
     volumes:
       - "wordpress_content:/home/ftp_user/wp-content"
     configs:

compose.matrix.yml

@@ -1,10 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    deploy:
-      labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"

compose.selfmanaged.yml

@@ -1,21 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    image: "wordpress:latest"
-    volumes:
-      - "wordpress:/var/www/html/"
-    environment:
-      WORDPRESS_CONFIG_EXTRA: |
-        define( 'AUTOMATIC_UPDATER_DISABLED', false );
-        define( 'WP_AUTO_UPDATE_CORE', true );
-        define( 'FS_METHOD', 'direct' );
-        ${WORDPRESS_CONFIG_EXTRA}
-
-  ftp:
-    volumes:
-      - "wordpress:/home/ftp_user/"
-
-volumes:
-  wordpress:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:6.9.4"
+    image: "wordpress:6.3.0"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
@@ -31,8 +31,6 @@ services:
       - source: entrypoint_conf
         target: /docker-entrypoint.sh
         mode: 0555
-      - source: htaccess_conf
-        target: /var/www/html/.htaccess
     entrypoint: /docker-entrypoint.sh
     depends_on:
       - db
@@ -48,7 +46,7 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.swarm.network=proxy"
+        - "traefik.docker.network=proxy"
         - "traefik.http.routers.${STACK_NAME}.tls=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
@@ -57,15 +55,13 @@ services:
         #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-        - "coop-cloud.${STACK_NAME}.version=2.19.2+6.9.4"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/var/www/html"
+        - "coop-cloud.${STACK_NAME}.version=2.5.2+6.3.0"
 
   db:
-    image: "mariadb:12.2"
+    image: "mariadb:11.0"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -80,10 +76,11 @@ services:
       - db_root_password
     deploy:
       labels:
-        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup: "true"
         backupbot.backup.pre-hook: "mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz"
-        backupbot.backup.volumes.mariadb.path: "dump.sql.gz"
-        backupbot.restore.post-hook: "gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql"
+        backupbot.backup.post-hook: "rm -f /var/lib/mysql/dump.sql.gz"
+        backupbot.restore: "true"
+        backupbot.restore.post-hook: "sh -c 'mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dbdump.sql && rm -f /var/lib/mysql/dbdump.sql'"
 
 networks:
   backend:
@@ -109,9 +106,4 @@ configs:
     template_driver: golang
   php_uploads_conf:
     name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
-    file: uploads.ini.tmpl
-    template_driver: golang
-  htaccess_conf:
-    name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
-    file: htaccess.tmpl
-    template_driver: golang
+    file: uploads.ini

entrypoint.sh.tmpl

@@ -7,9 +7,9 @@ docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
 curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 chmod +x /usr/local/bin/wp
 
-{{ if eq (env "ENABLE_COMPOSER") "1" }}
+{{ if eq (env "COMPOSER") "1" }}
 mkdir -p /var/www/.composer
-chown www-data:www-data /var/www/.composer /var/www/html/composer
+chown www-data:www-data /var/www/.composer
 
 curl https://getcomposer.org/installer -o /tmp/composer-setup.php
 php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
@@ -24,38 +24,6 @@ a2enmod headers
 sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
 {{ end }}
 
-{{ if eq (env "MULTISITE") "enable" }}
-export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
-define('WP_CACHE', false);
-define('WP_ALLOW_MULTISITE', true );"
-{{ end }}
-
-{{ if or (eq (env "MULTISITE") "subdomain") (eq (env "MULTISITE") "subfolder") }}
-export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
-define('MULTISITE', true);
-define('SUBDOMAIN_INSTALL', true);
-define('DOMAIN_CURRENT_SITE', '${DOMAIN}');
-define('PATH_CURRENT_SITE', '/');
-define('SITE_ID_CURRENT_SITE', 1);
-define('BLOG_ID_CURRENT_SITE', 1);
-define('FORCE_SSL_ADMIN', true );
-define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
-{{ end }}
-
-
-UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
-if [ ! -f "$UPLOADS_HTACCESS" ]; then
-    mkdir -p /var/www/html/wp-content/uploads
-    cat > "$UPLOADS_HTACCESS" <<'EOF'
-# Prevent PHP execution in uploads directory
-<FilesMatch "\.(?i:php|phtml|phar)$">
-    Require all denied
-</FilesMatch>
-EOF
-fi
-
-chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
-
 if [ -n "$@" ]; then
 	"$@"
 fi

htaccess.tmpl

@@ -1,62 +0,0 @@
-# Protect sensitive files from direct access
-<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
-    Require all denied
-</FilesMatch>
-
-{{ if eq (env "MULTISITE") "" -}}
-# BEGIN WordPress
-
-RewriteEngine On
-RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-RewriteBase /
-RewriteRule ^index\.php$ - [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteCond %{REQUEST_FILENAME} !-d
-RewriteRule . /index.php [L]
-
-# END WordPress
-{{- end -}}
-
-{{- if eq (env "MULTISITE") "subfolder" -}}
-# BEGIN WordPress Multisite
-# Using subfolder network type: https://wordpress.org/documentation/article/htaccess/#multisite
-
-RewriteEngine On
-RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-RewriteBase /
-RewriteRule ^index\.php$ - [L]
-
-# add a trailing slash to /wp-admin
-RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
-
-RewriteCond %{REQUEST_FILENAME} -f [OR]
-RewriteCond %{REQUEST_FILENAME} -d
-RewriteRule ^ - [L]
-RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
-RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
-RewriteRule . index.php [L]
-
-# END WordPress Multisite
-{{- end -}}
-
-{{- if eq (env "MULTISITE") "subdomain" -}}
-# BEGIN WordPress Multisite
-# Using subdomain network type: https://wordpress.org/documentation/article/htaccess/#multisite
-
-RewriteEngine On
-RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-RewriteBase /
-RewriteRule ^index\.php$ - [L]
-
-# add a trailing slash to /wp-admin
-RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
-
-RewriteCond %{REQUEST_FILENAME} -f [OR]
-RewriteCond %{REQUEST_FILENAME} -d
-RewriteRule ^ - [L]
-RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
-RewriteRule ^(.*\.php)$ $1 [L]
-RewriteRule . index.php [L]
-
-# END WordPress Multisite
-{{- end }}

release/2.10.0+6.5.5

@@ -1 +0,0 @@
-Adds redirects and alakazam integration

release/2.13.2+6.7.1

@@ -1 +0,0 @@
-Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.

release/2.17.1+6.9.0

@@ -1 +0,0 @@
-Breaking change for openid plugin: The issuer must be provided, thus the set_authentik function now includes issuer and endpoint_jwks.

release/2.4.0+6.3.0

@@ -1 +0,0 @@
-The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.

release/2.7.0+6.4.2

@@ -1 +0,0 @@
-Multisite now also works with subpaths instead of subdomains. Also Multisite support was simplified. If you are using a subdomain multisite setup you can remove the `WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true);...` from your config and instead set MULTISITE=subdomain.

renovate.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:recommended"
+    "config:base"
   ]
 }

tests/fixtures/composer.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-ENABLE_COMPOSER=1

tests/fixtures/cors.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-CORS_ALLOW_ALL=1

tests/fixtures/default.env

@@ -1 +0,0 @@
-DOMAIN=wordpress.example.com

tests/fixtures/multisite-enable.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-MULTISITE=enable

tests/fixtures/multisite-subdomain.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-MULTISITE=subdomain

tests/fixtures/multisite-subfolder.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-MULTISITE=subfolder

tests/fixtures/php-extensions.env

@@ -1,2 +0,0 @@
-DOMAIN=wordpress.example.com
-PHP_EXTENSIONS=calendar

tests/fixtures/smtp-full.env

@@ -1,8 +0,0 @@
-DOMAIN=wordpress.example.com
-SMTP_HOST=mail.example.com
-SMTP_PORT=587
-MAIL_FROM=wordpress@example.com
-SMTP_USER=relay@example.com
-SMTP_AUTH=on
-SMTP_TLS=on
-SMTP_OVERRIDE_FROM=on

tests/fixtures/upload-sizes.env

@@ -1,3 +0,0 @@
-DOMAIN=wordpress.example.com
-UPLOAD_MAX_SIZE=512M
-UPLOAD_MAX_TIME=60

tests/run.sh

@@ -1,49 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-ROOT="$(dirname "$(realpath "$0")")"
-
-echo "==================================="
-echo "  WordPress Recipe Test Suite"
-echo "==================================="
-echo ""
-
-# Collect all compose files
-COMPOSE_FILES=()
-while IFS= read -r f; do
-    COMPOSE_FILES+=("$f")
-done < <(find "$ROOT/.." -maxdepth 1 -name 'compose*.yml' | sort)
-
-# Collect all tmpl files with bash content
-SHELL_TMPL_FILES=()
-while IFS= read -r f; do
-    SHELL_TMPL_FILES+=("$f")
-done < <(find "$ROOT/.." -maxdepth 1 -name '*.tmpl' | sort)
-
-TMPL_FILES=()
-while IFS= read -r f; do
-    TMPL_FILES+=("$f")
-done < <(find "$ROOT/.." -maxdepth 1 -name '*.tmpl' | sort)
-
-failures=0
-
-echo "========================================================================"
-"$ROOT/test_yaml.sh" "${COMPOSE_FILES[@]}" || failures=$((failures + 1))
-echo ""
-
-echo "========================================================================"
-"$ROOT/test_shell.sh" "${SHELL_TMPL_FILES[@]}" || failures=$((failures + 1))
-echo ""
-
-echo "========================================================================"
-"$ROOT/test_templates.sh" || failures=$((failures + 1))
-echo ""
-
-echo "==================================="
-if [ "$failures" -eq 0 ]; then
-    echo "  All tests passed!"
-else
-    echo "  $failures test suite(s) failed"
-fi
-echo "==================================="
-exit "$failures"

tests/test_shell.sh

@@ -1,37 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-pass=0
-fail=0
-
-EXTRA_SHELLCHECK_OPTS="${SHELLCHECK_OPTS:-}"
-
-shellcheck_tmpl() {
-    local tmpl=$1
-    # Strip Go template tags ({{ ... }} and {{- ... -}}) into whitespace
-    # so shellcheck can parse the remaining bash.
-    local cleaned
-    cleaned=$(sed 's/{{[-]*[^}]*[-]*}}/true/g' "$tmpl")
-
-    local tmpfile
-    tmpfile=$(mktemp)
-    printf '%s\n' "$cleaned" > "$tmpfile"
-
-    if shellcheck $EXTRA_SHELLCHECK_OPTS "$tmpfile"; then
-        echo "  PASS  $tmpl"
-        pass=$((pass + 1))
-    else
-        echo "  FAIL  $tmpl"
-        fail=$((fail + 1))
-    fi
-    rm -f "$tmpfile"
-}
-
-echo "=== ShellCheck ==="
-for f in "$@"; do
-    [ -f "$f" ] && shellcheck_tmpl "$f"
-done
-
-echo "---"
-echo "Passed: $pass  Failed: $fail"
-[ "$fail" -eq 0 ]

tests/test_templates.sh

@@ -1,278 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-ROOT="$(dirname "$(realpath "$0")")/.."
-pass=0
-fail=0
-
-gomplate="${GOMPLATE_BIN:-gomplate}"
-
-require_gomplate() {
-    if ! command -v "$gomplate" &>/dev/null; then
-        echo "gomplate not found. Install it from https://github.com/hairyhenderson/gomplate"
-        echo "or set GOMPLATE_BIN env var."
-        exit 1
-    fi
-}
-
-render() {
-    local tmpl=$1 envfile=$2
-    "$gomplate" \
-        --template t="$tmpl" \
-        --context "_=fmt:%s" \
-        --datasource "env=env://?$envfile" \
-        -f "$tmpl" 2>/dev/null
-}
-
-# Render by exporting env vars directly (avoids gomplate datasource quirks)
-render_via_env() {
-    local tmpl=$1 envfile=$2
-    # shellcheck disable=2046
-    env $(xargs < "$envfile") "$gomplate" -f "$tmpl" 2>/dev/null
-}
-
-# --- entrypoint.sh.tmpl tests ---
-test_entrypoint_default() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    # Should NOT have multisite config
-    if echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
-        echo "  FAIL  entrypoint default: unexpected WP_ALLOW_MULTISITE"
-        return 1
-    fi
-    # Should have uploads .htaccess guard
-    if ! echo "$output" | grep -q "Prevent PHP execution in uploads"; then
-        echo "  FAIL  entrypoint default: missing uploads htaccess"
-        return 1
-    fi
-    # Should use --from=root:root on chown
-    if ! echo "$output" | grep -q "chown -R --from=root:root"; then
-        echo "  FAIL  entrypoint default: missing --from=root:root on chown"
-        return 1
-    fi
-    # Should have wp-cli download
-    if ! echo "$output" | grep -q "wp-cli.phar"; then
-        echo "  FAIL  entrypoint default: missing wp-cli download"
-        return 1
-    fi
-    echo "  PASS  entrypoint default"
-}
-
-test_entrypoint_multisite_enable() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
-        echo "  FAIL  entrypoint multisite enable: missing WP_ALLOW_MULTISITE"
-        return 1
-    fi
-    echo "  PASS  entrypoint multisite enable"
-}
-
-test_entrypoint_multisite_subdomain() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "MULTISITE"; then
-        echo "  FAIL  entrypoint multisite subdomain: missing MULTISITE"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
-        echo "  FAIL  entrypoint multisite subdomain: missing SUBDOMAIN_INSTALL"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "DOMAIN_CURRENT_SITE"; then
-        echo "  FAIL  entrypoint multisite subdomain: missing DOMAIN_CURRENT_SITE"
-        return 1
-    fi
-    echo "  PASS  entrypoint multisite subdomain"
-}
-
-test_entrypoint_multisite_subfolder() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "MULTISITE"; then
-        echo "  FAIL  entrypoint multisite subfolder: missing MULTISITE"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
-        echo "  FAIL  entrypoint multisite subfolder: missing SUBDOMAIN_INSTALL"
-        return 1
-    fi
-    echo "  PASS  entrypoint multisite subfolder"
-}
-
-test_entrypoint_cors() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "a2enmod headers"; then
-        echo "  FAIL  entrypoint CORS: missing a2enmod headers"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "Access-Control-Allow-Origin"; then
-        echo "  FAIL  entrypoint CORS: missing Access-Control-Allow-Origin"
-        return 1
-    fi
-    echo "  PASS  entrypoint CORS"
-}
-
-test_entrypoint_php_extensions() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "docker-php-ext-install calendar"; then
-        echo "  FAIL  entrypoint PHP extensions: missing docker-php-ext-install calendar"
-        return 1
-    fi
-    echo "  PASS  entrypoint PHP extensions"
-}
-
-test_entrypoint_composer() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "getcomposer.org"; then
-        echo "  FAIL  entrypoint composer: missing composer download"
-        return 1
-    fi
-    echo "  PASS  entrypoint composer"
-}
-
-# --- htaccess.tmpl tests ---
-test_htaccess_default() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "htaccess.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "RewriteRule . /index.php"; then
-        echo "  FAIL  htaccess default: missing standard rewrite rule"
-        return 1
-    fi
-    if echo "$output" | grep -q "WordPress Multisite"; then
-        echo "  FAIL  htaccess default: unexpected multisite section"
-        return 1
-    fi
-    echo "  PASS  htaccess default"
-}
-
-test_htaccess_multisite() {
-    local envfile=$1 mode=$2
-    local output
-    output=$(render_via_env "htaccess.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "WordPress Multisite"; then
-        echo "  FAIL  htaccess multisite $mode: missing multisite section"
-        return 1
-    fi
-    if echo "$output" | grep -q "^RewriteRule . /index.php"; then
-        echo "  FAIL  htaccess multisite $mode: has non-multisite rewrite rule"
-        return 1
-    fi
-    echo "  PASS  htaccess multisite $mode"
-}
-
-# --- uploads.ini.tmpl tests ---
-test_uploads_default() {
-    local output
-    output=$(render_via_env "uploads.ini.tmpl" "tests/fixtures/default.env")
-
-    if ! echo "$output" | grep -q "upload_max_filesize = 256M"; then
-        echo "  FAIL  uploads default: expected 256M upload_max_filesize"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "max_execution_time = 30"; then
-        echo "  FAIL  uploads default: expected 30 max_execution_time"
-        return 1
-    fi
-    echo "  PASS  uploads default"
-}
-
-test_uploads_custom() {
-    local envfile=$1
-    local output
-    output=$(render_via_env "uploads.ini.tmpl" "$envfile")
-
-    if ! echo "$output" | grep -q "upload_max_filesize = 512M"; then
-        echo "  FAIL  uploads custom: expected 512M"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "max_execution_time = 60"; then
-        echo "  FAIL  uploads custom: expected 60"
-        return 1
-    fi
-    echo "  PASS  uploads custom"
-}
-
-# --- msmtp.conf.tmpl tests ---
-test_msmtp_default() {
-    local output
-    output=$(render_via_env "msmtp.conf.tmpl" "tests/fixtures/smtp-full.env")
-
-    if ! echo "$output" | grep -q "host mail.example.com"; then
-        echo "  FAIL  msmtp default: missing host"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "from wordpress@example.com"; then
-        echo "  FAIL  msmtp default: missing from"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "auth on"; then
-        echo "  FAIL  msmtp default: missing auth"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "passwordeval"; then
-        echo "  FAIL  msmtp default: missing passwordeval"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "tls on"; then
-        echo "  FAIL  msmtp default: missing tls"
-        return 1
-    fi
-    if ! echo "$output" | grep -q "set_from_header on"; then
-        echo "  FAIL  msmtp default: missing set_from_header"
-        return 1
-    fi
-    echo "  PASS  msmtp full config"
-}
-
-# --- Run all template tests ---
-echo "=== Template Rendering Tests ==="
-
-cd "$ROOT"
-
-echo "--- entrypoint.sh.tmpl ---"
-require_gomplate
-
-test_entrypoint_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_multisite_enable "tests/fixtures/multisite-enable.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_multisite_subdomain "tests/fixtures/multisite-subdomain.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_multisite_subfolder "tests/fixtures/multisite-subfolder.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_cors "tests/fixtures/cors.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_php_extensions "tests/fixtures/php-extensions.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_entrypoint_composer "tests/fixtures/composer.env" && pass=$((pass+1)) || fail=$((fail+1))
-
-echo "--- htaccess.tmpl ---"
-test_htaccess_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
-test_htaccess_multisite "tests/fixtures/multisite-subfolder.env" "subfolder" && pass=$((pass+1)) || fail=$((fail+1))
-test_htaccess_multisite "tests/fixtures/multisite-subdomain.env" "subdomain" && pass=$((pass+1)) || fail=$((fail+1))
-
-echo "--- uploads.ini.tmpl ---"
-test_uploads_default && pass=$((pass+1)) || fail=$((fail+1))
-test_uploads_custom "tests/fixtures/upload-sizes.env" && pass=$((pass+1)) || fail=$((fail+1))
-
-echo "--- msmtp.conf.tmpl ---"
-test_msmtp_default && pass=$((pass+1)) || fail=$((fail+1))
-
-echo "---"
-echo "Passed: $pass  Failed: $fail"
-[ "$fail" -eq 0 ]

tests/test_yaml.sh

@@ -1,54 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-pass=0
-fail=0
-
-checker=""
-if command -v yamllint &>/dev/null; then
-    checker=yamllint
-elif python3 -c "import yaml" 2>/dev/null; then
-    checker=python
-fi
-
-test_yaml() {
-    local file=$1
-
-    case "$checker" in
-        yamllint)
-            if yamllint -d "{extends: relaxed, rules: {line-length: disable}}" "$file"; then
-                echo "  PASS  $file"
-                pass=$((pass+1))
-            else
-                echo "  FAIL  $file"
-                fail=$((fail+1))
-            fi
-            ;;
-        python)
-            if python3 -c "
-import yaml, sys
-with open('$file') as f:
-    yaml.safe_load(f)
-" 2>/dev/null; then
-                echo "  PASS  $file"
-                pass=$((pass+1))
-            else
-                echo "  FAIL  $file"
-                fail=$((fail+1))
-            fi
-            ;;
-        *)
-            echo "  SKIP  $file (no yamllint or PyYAML)"
-            pass=$((pass+1))
-            ;;
-    esac
-}
-
-echo "=== YAML Validation ==="
-for f in "$@"; do
-    [ -f "$f" ] && test_yaml "$f"
-done
-
-echo "---"
-echo "Passed: $pass  Failed: $fail"
-[ "$fail" -eq 0 ]

uploads.ini

@@ -0,0 +1,3 @@
+file_uploads = On
+upload_max_filesize = 256M
+post_max_size = 256M

uploads.ini.tmpl

@@ -1,11 +0,0 @@
-{{ $upload_max_size := "256M" }}
-{{ if ne (env "UPLOAD_MAX_SIZE") "" }} {{ $upload_max_size = env "UPLOAD_MAX_SIZE" }} {{ end }}
-{{ $upload_max_time := "30" }}
-{{ if ne (env "UPLOAD_MAX_TIME") "" }} {{ $upload_max_time = env "UPLOAD_MAX_TIME" }} {{ end }}
-
-file_uploads = On
-upload_max_filesize =  {{ $upload_max_size }}
-post_max_size = {{ $upload_max_size }}
-memory_limit = {{ $upload_max_size }}
-max_execution_time = {{ $upload_max_time }}
-max_input_time = {{ $upload_max_time }}