WIP: optional SSH connection

2021-11-26 22:28:50 +02:00
50 changed files with 193 additions and 1225 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,63 +1,34 @@
 ---
 kind: pipeline
-name: test
+name: deploy to swarm-test.autonomic.zone
 steps:
-  - name: test
+  - name: deployment
-    image: alpine:3.21
+    image: decentral1se/stack-ssh-deploy:latest
    settings:
      host: swarm-test.autonomic.zone
      stack: wordpress
      generate_secrets: true
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
    environment:
-      SHELLCHECK_OPTS: -s bash
+      DOMAIN: wordpress.swarm-test.autonomic.zone
-    commands:
+      STACK_NAME: wordpress
-      - apk add --no-cache bash shellcheck py3-yaml curl
+      LETS_ENCRYPT_ENV: production
-      - curl -sSLo /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v5.0.0/gomplate_linux-amd64
+      SECRET_DB_PASSWORD_VERSION: v1
-      - chmod +x /usr/local/bin/gomplate
+      SECRET_DB_ROOT_PASSWORD_VERSION: v1
-      - tests/run.sh
+      PHP_UPLOADS_CONF_VERSION: v1
-
+      ENTRYPOINT_CONF_VERSION: v1
  # deployment step disabled: swarm-test.autonomic.zone is down
  # - name: deployment
  #   image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
  #   when:
  #     event:
  #       - push
  #     branch:
  #       - main
  #   settings:
  #     host: swarm-test.autonomic.zone
  #     stack: wordpress
  #     generate_secrets: true
  #     purge: true
  #     deploy_key:
  #       from_secret: drone_ssh_swarm_test
  #     networks:
  #       - proxy
  #   environment:
  #     DOMAIN: wordpress.swarm-test.autonomic.zone
  #     STACK_NAME: wordpress
  #     LETS_ENCRYPT_ENV: production
  #     SECRET_DB_PASSWORD_VERSION: v1
  #     SECRET_DB_ROOT_PASSWORD_VERSION: v1
  #     PHP_UPLOADS_CONF_VERSION: v1
  #     ENTRYPOINT_CONF_VERSION: v1
  #     HTACCESS_CONF_VERSION: v1
 trigger:
  event:
    - push
    - pull_request
  branch:
-    - main
+    - master
 ---
 kind: pipeline
-name: generate recipe catalogue
+name: recipe release
 steps:
  - name: release a new version
-    image: plugins/downstream
+    image: thecoopcloud/drone-abra:latest
    settings:
-      server: https://build.coopcloud.tech
+      command: recipe wordpress release
-      token:
+      deploy_key:
-        from_secret: drone_abra-bot_token
+        from_secret: abra_bot_deploy_key
      fork: true
      repositories:
        - toolshed/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,37 +1,12 @@
 TYPE=wordpress
 #TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 COMPOSE_FILE="compose.yml"
 ENABLE_BACKUPS=true
 DOMAIN=wordpress.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wordpress.example.com`'
 # Redirects
 # All redirect domains have to be added to EXTRA_DOMAINS as well)
 # multiple redirects can be added by seperating them with a | character
 #REDIRECTS=www.wordpress.example.com
 LETS_ENCRYPT_ENV=production
-# Setup Wordpress settings on each deploy:
+# Necessary for optional features, leave this alone:
-#POST_DEPLOY_CMDS="app core_install"
+COMPOSE_FILE="compose.yml"
 # Optional settings, otherwise can be set in the installer
 # (Required for `app core_install`
 #TITLE="My Example Blog"
 #LOCALE="en_US" # de_DE
 #ADMIN_EMAIL=admin@example.com
 # Every new user is per default subscriber, uncomment to change it
 #DEFAULT_USER_ROLE=administrator
 # PHP composer for plugin installation
 #COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"
 # Self managed Wordpress for automatic updates
 #COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
 #WORDPRESS_DEBUG=true
 ## Additional extensions
 #PHP_EXTENSIONS="calendar"
@ -39,15 +14,27 @@ LETS_ENCRYPT_ENV=production
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
-# Mostly for compatibility with existing database dumps...
+# SSH access
-#WORDPRESS_TABLE_PREFIX=wp_
+#COMPOSE_FILE="$COMPOSE_FILE:compose.ssh.yml"
 #SSH_PUBLIC_KEY=<your pubkey here>
-# Multisite (see README)
+# Multisite
-#MULTISITE=enable # either 'enable', 'subdomain' or 'subfolder'
+#WORDPRESS_CONFIG_EXTRA="\
 #	define('WP_CACHE', false);\
 #	define('WP_ALLOW_MULTISITE', true );"
-# File upload settings
+# Multisite phase 2 (see README)
-#UPLOAD_MAX_SIZE=256M
+#WORDPRESS_CONFIG_EXTRA="\
-#UPLOAD_MAX_TIME=30
+#	define('WP_CACHE', false);\
 #	define('WP_ALLOW_MULTISITE', true );\
 #	define('MULTISITE', true);\
 #	define('SUBDOMAIN_INSTALL', true);\
 #	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
 #	define('PATH_CURRENT_SITE', '/');\
 #	define('SITE_ID_CURRENT_SITE', 1);\
 #	define('BLOG_ID_CURRENT_SITE', 1);\
 #	define('FORCE_SSL_ADMIN', true );\
 #	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 # Local SMTP relay
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
@ -55,42 +42,10 @@ SECRET_DB_PASSWORD_VERSION=v1
 #MAIL_FROM="wordpress@example.com"
 # Remote SMTP relay
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml:compose.smtp.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #SMTP_HOST="mail.example.com"
 #MAIL_FROM="wordpress@example.com"
 #SMTP_USER="wordpress@example.com"  # optional, defaults to MAIL_FROM
 #SMTP_OVERRIDE_FROM=on  # force "From" to MAIL_FROM, usually necessary
 #SMTP_PORT=587
 #SMTP_AUTH=on
 #SMTP_TLS=on
 #SECRET_SMTP_PASSWORD_VERSION=v1
 # Authentik SSO
 #COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 #AUTHENTIK_DOMAIN=authentik.example.com
 #SECRET_AUTHENTIK_SECRET_VERSION=v1
 #SECRET_AUTHENTIK_ID_VERSION=v1
 #LOGIN_TYPE='auto'
 # Matrix .well-known redirect
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_DOMAIN=matrix.example.com
 # Allow remote connections to db
 # 🚩🚩 dangerous, use only for development sites!
 #COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
 # Wide-open CORS
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1
 # You can use a Port between 2220-2225
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2220.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2221.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2223.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2224.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2225.yml"
--- a/.gitignore
+++ b/.gitignore
@ -1,22 +1 @@
 # direnv
 /.envrc
 # Environment files (may contain secrets)
 .env
 # Logs
 *.log
 # OS metadata
 .DS_Store
 Thumbs.db
 # Editor/IDE
 *.swp
 *.swo
 *~
 *.bak
 .idea/
 .vscode/
 .project
 .classpath
--- a/README.md
+++ b/README.md
@ -1,13 +1,13 @@
 # Wordpress
-[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/wordpress/status.svg)](https://build.coopcloud.tech/coop-cloud/wordpress)
+[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/wordpress/status.svg)](https://drone.autonomic.zone/coop-cloud/wordpress)
 Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 <!-- metadata -->
 * **Category**: Apps
-* **Status**: 4
+* **Status**: 3, stable
 * **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
@ -17,47 +17,43 @@ Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 <!-- endmetadata -->
 ## Basic usage
-## Quick start
+1. Set up Docker Swarm and [`abra`][abra]
-
+2. Deploy [`coop-cloud/traefik`][cc-traefik]
-
+3. `abra app new wordpress --secrets` (optionally with `--pass` if you'd like
-* `abra app new wordpress`
+   to save secrets in `pass`)
-* `abra app config <app-name>`
+4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
-* `abra app secret generate -a <app-name>`
+   your Docker swarm box
-* `abra app deploy <app-name>`
+5. `abra app YOURAPPDOMAIN deploy`
-* `abra app cmd <app-name> app core_install`
+6. Open the configured domain in your browser to finish set-up
-
+7. `abra app YOURAPPDOMAIN run app chown www-data:www-data /var/www/html/wp-content` to fix
-### Authentik Integration
+   file permissions (see #3)
 `abra app config <app-name>` 
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 AUTHENTIK_DOMAIN=authentik.example.com
 AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
 AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
 ```
 `abra app cmd <app-name> app set_authentik`
 ## Running WP-CLI
-`abra app cmd <app-name> app wp -- core check-update --major`
+`abra app YOURAPPDOMAIN wp 'core check-update --major'`
 (the WP-CLI arguments need to be quoted, because of how `abra` handles
 command-line arguments)
 ## Network (Multi-site)
 _(Only tested using subdomains)_
 1. Set up as above
-2. `abra app config <app-name>`, and uncomment `#MULTISITE=enable`
+2. `abra app YOURAPPDOMAIN config`, and uncomment the first `# Multisite` section
-3. `abra app deploy <app-name>`
+3. `abra app YOURAPPDOMAIN deploy`
 4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
 5. Don't worry about the suggested file changes
-6. `abra app config <app-name>` again and set `MULTISITE` to either `subdomain` or `subfolder` depending on your setup.
+6. `abra app YOURAPPDOMAIN config` again - comment out the first `# Multisite`
-7. `abra app deploy <app-name>`
+   section in `.envrc`, uncomment the `# Multisite phase 2` section, and add
   your multisite subdomain(s) to `EXTRA_DOMAINS` (beware the weird syntax..)
 7. `abra app YOURAPPDOMAIN deploy`
 ## Installing a custom theme
-`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+`abra app YOURAPPDOMAIN cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
 ## Email
@ -69,39 +65,11 @@ There is a local or remote SMTP relay configuration available.
 Below are the instructions for the local relay.
 1. Deploy [`postfix-relay`][cc-postfix-relay]
-2. `abra app config <app-name>`, and uncomment the email lines; change
+2. `abra app YOURAPPDOMAIN config`, and uncomment the email lines; change
   `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s
   `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
-3. `abra app deploy <app-name>`
+3. `abra app YOURAPPDOMAIN deploy`
 ## Tests
 Run the full test suite:
 ```sh
 bash tests/run.sh
 ```
 ### Prerequisites
 The test suite uses several tools. Install them with your equivalent of:
 ```sh
 brew install shellcheck gomplate
 ```
 Some tests skip gracefully if their dependencies are missing.
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 ## Migrate from a non-Co-op Cloud Wordpress install
 Make a .tar.gz backup of the site's wp-content dir and an .sql.gz backup of the database.
 1. `abra app wp.example.com restore app wp-content.tar.gz`
 2. `abra app wp.example.com restore db wordpress.sql.gz`
 Lastly, if there's a domain name change, run a search and replace:
 `abra app wp.example.com wp "search-replace https://old.example.com https://wp.example.com"`
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
 [cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik
--- a/abra.sh
+++ b/abra.sh
@ -1,109 +1,78 @@
-export PHP_UPLOADS_CONF_VERSION=v4
+export PHP_UPLOADS_CONF_VERSION=v3
-export ENTRYPOINT_CONF_VERSION=v9
+export ENTRYPOINT_CONF_VERSION=v2
-export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
+export ENTRYPOINT_MAILRELAY_CONF_VERSION=v1
-export MSMTP_CONF_VERSION=v4
+export MSMTP_CONF_VERSION=v3
 export HTACCESS_CONF_VERSION=v3
 export USERS_CONF_VERSION=v1
-wp() {
+sub_wp() {
-    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
+  CONTAINER=$(docker container ls -f "Name=${STACK_NAME}_app" --format '{{ .ID }}')
-}
+  if [ -z "$CONTAINER" ]; then
-
+    error "Can't find a container for ${STACK_NAME}_app"
-update() {
+    exit
    wp "core update-db"
    wp "plugin update --all"
    wp "plugin auto-updates enable --all"
    wp "theme update --all"
    wp "theme auto-updates enable --all"
    wp "language core update"
    wp "language plugin update --all"
    wp "language theme update --all"
 }
 core_install(){
    ADMIN=admin
    if [ -n "$AUTHENTIK_DOMAIN" ]
    then
        ADMIN=akadmin
  fi
-    chown www-data:www-data -R /var/www/html/wp-content
+  debug "Using Container ID ${CONTAINER}"
-    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email"
+
-    wp "language core install $LOCALE"
+  # FIXME 3wc: we're fighting the Wordpress image, which recommends a named
-    wp "site switch-language $LOCALE"
+  # volume for /var/www/html -- this used to work fine using --volumes-from
-    wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
+  # because the actual MySQL password was inserted into the generated
-    if [ -n "$DEFAULT_USER_ROLE" ]
+  # wp-config.php -- but as of Wordpress 5.7.0, wp-config loads data straight
-    then
+  # from the environment, which requires Docker secrets to work, which only work
-        wp "option set default_role $DEFAULT_USER_ROLE"
+  # in swarm services (not one-off `docker run` commands). Defining a `cli`
-    else
+  # service in compose.yml almost works, but there's no volumes_from: in Compose
-        wp "option set default_role subscriber"
+  # V3, and without it then the `cli` service can't access Wordpress core.
-    fi
+  # See https://git.autonomic.zone/coop-cloud/wordpress/issues/21
-    wp "theme auto-updates enable --all"
+  warning "Slowly looking up MySQL password..."
-    wp 'plugin auto-updates enable --all' || true
+  silence
  abra__service_="app"
  DB_PASSWORD="$(sub_app_run cat "/run/secrets/db_password")"
  unsilence
  # shellcheck disable=SC2154,SC2086
  docker run -it \
 	--volumes-from "$CONTAINER" \
 	--network "container:$CONTAINER" \
 	-u xfs:xfs \
    -e WORDPRESS_DB_HOST=db \
    -e WORDPRESS_DB_USER=wordpress \
    -e WORDPRESS_DB_PASSWORD="${DB_PASSWORD}" \
    -e WORDPRESS_DB_NAME=wordpress \
    -e WORDPRESS_CONFIG_EXTRA="${WORDPRESS_CONFIG_EXTRA}" \
 	wordpress:cli wp ${abra__args_[*]}
 }
-enable_auto_updates(){
+abra_backup_app() {
-  wp "plugin deactivate disable-update-notifications --allow-root"
+  _abra_backup_dir "app:/var/www/html/wp-content"
  wp "plugin uninstall disable-update-notifications --allow-root"
  wp "option delete disable_notification_setting --allow-root"
  wp "plugin auto-updates enable --all --allow-root"
  wp "theme auto-updates enable --all --allow-root"
 }
-disable_auto_updates(){
+abra_backup_db() {
-  wp "plugin install --activate disable-update-notifications"
+  _abra_backup_mysql "db" "wordpress"
  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
 }
-set_authentik(){
+abra_backup() {
-    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
+  abra_backup_app && abra_backup_db
-    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
+}
-    if [ -z $LOGIN_TYPE ]
+
-    then
+abra_restore_app() {
-        LOGIN_TYPE='button'
+  # shellcheck disable=SC2034
    fi
    wp "user create akadmin admin@example.com --role=administrator"
    wp "plugin install --activate daggerhart-openid-connect-generic"
    wp 'plugin auto-updates enable daggerhart-openid-connect-generic'
    wp "option update --format=json openid_connect_generic_settings '
  {
-        \"login_type\":\"$LOGIN_TYPE\",
+	abra__src_="-"
-        \"client_id\":\"$AUTHENTIK_ID\",
+	abra__dst_="app:/var/www/html/"
-        \"client_secret\":\"$AUTHENTIK_SECRET\",
+  }
        \"scope\":\"email profile openid\",
        \"endpoint_login\":\"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
        \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
        \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
        \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
        \"endpoint_jwks\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/jwks/\",
        \"issuer\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/\",
        \"acr_values\":\"\",
        \"identity_key\":\"preferred_username\",
        \"no_sslverify\":\"0\",
        \"http_request_timeout\":\"30\",
        \"enforce_privacy\":\"0\",
        \"alternate_redirect_uri\":\"1\",
        \"nickname_key\":\"preferred_username\",
        \"email_format\":\"{email}\",
        \"displayname_format\":\"\",
        \"identify_with_username\":\"1\",
        \"state_time_limit\":\"\",
        \"token_refresh_enable\":\"1\",
        \"link_existing_users\":\"1\",
        \"create_if_does_not_exist\":\"1\",
        \"redirect_user_back\":\"0\",
        \"redirect_on_logout\":\"1\",
        \"enable_logging\":\"0\",
        \"log_limit\":\"1000\"
    }'"
    wp "rewrite flush"
    wp "cache flush"
  zcat "$@" | sub_app_cp
  success "Restored 'app'"
 }
-fix_mysql() {
+abra_restore_db() {
-  echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
+  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
-}
+  # got this far..
-show_plugins() {
+  # shellcheck disable=SC2034
-  wp "plugin list --fields=name,status,wporg_status,version,update_version,auto_update,tested_up_to,wporg_last_updated"
+  abra___no_tty="true"
  DB_ROOT_PASSWORD=$(sub_app_run cat /run/secrets/db_root_password)
  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
  success "Restored 'db'"
 }
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,16 +0,0 @@
 authentik:
    uncomment:
        - compose.authentik.yml
        - AUTHENTIK_DOMAIN
        - SECRET_AUTHENTIK_SECRET_VERSION
        - SECRET_AUTHENTIK_ID_VERSION
        - LOGIN_TYPE
    inital-hooks:
        - app set_authentik
    shared_secrets:
        wordpress_secret: authentik_secret
        wordpress_id: authentik_id
 matrix:
    uncomment:
        - compose.matrix.yml
        - MATRIX_DOMAIN
--- a/compose.authentik.yml
+++ b/compose.authentik.yml
@ -1,14 +0,0 @@
 version: "3.8"
 services:
  app:
    secrets:
      - authentik_secret
      - authentik_id
 secrets:
  authentik_secret:
    external: true
    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
  authentik_id:
    external: true
    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}
--- a/compose.composer.yml
+++ b/compose.composer.yml
@ -1,14 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    volumes:
      - "composer:/var/www/html/composer"
    environment:
      - ENABLE_COMPOSER=1
      - COMPOSER=composer/composer.json
      - COMPOSER_VENDOR_DIR=composer/vendor
 volumes:
  composer:
--- a/compose.ftp-2220.yml
+++ b/compose.ftp-2220.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
      - 2220:22
--- a/compose.ftp-2221.yml
+++ b/compose.ftp-2221.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
      - 2221:22
--- a/compose.ftp-2222.yml
+++ b/compose.ftp-2222.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
      - 2222:22
--- a/compose.ftp-2223.yml
+++ b/compose.ftp-2223.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
      - 2223:22
--- a/compose.ftp-2224.yml
+++ b/compose.ftp-2224.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
      - 2224:22
--- a/compose.ftp-2225.yml
+++ b/compose.ftp-2225.yml
@ -1,7 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    ports:
      - 2220:22
--- a/compose.ftp.yml
+++ b/compose.ftp.yml
@ -1,24 +0,0 @@
 ---
 version: "3.8"
 services:
  ftp:
    image: atmoz/sftp:alpine
    secrets:
      - ftp_pass
    volumes:
      - "wordpress_content:/home/ftp_user/wp-content"
    configs:
      - source: users_conf
        target: /etc/sftp/users.conf
 secrets:
  ftp_pass:
    name: ${STACK_NAME}_ftp_pass_${SECRET_FTP_PASS_VERSION}
    external: true
 configs:
  users_conf:
    name: ${STACK_NAME}_users_conf_${USERS_CONF_VERSION}
    file: users.conf.tmpl
    template_driver: golang
--- a/compose.mailrelay.yml
+++ b/compose.mailrelay.yml
@ -6,7 +6,6 @@ services:
    entrypoint: /docker-entrypoint.mailrelay.sh
    environment:
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_PORT=${SMTP_PORT:-25}
      - MAIL_FROM=${MAIL_FROM}
    configs:
      - source: mstmp_conf
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@ -1,10 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    deploy:
      labels:
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect-matrix-well-known"
        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
        - "traefik.http.middlewares.${STACK_NAME}-redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
--- a/compose.public-db.yml
+++ b/compose.public-db.yml
@ -1,9 +0,0 @@
 ---
 version: "3.8"
 services:
  db:
    ports:
      - target: 3306
        published: 3306
        mode: host
--- a/compose.selfmanaged.yml
+++ b/compose.selfmanaged.yml
@ -1,21 +0,0 @@
 ---
 version: "3.8"
 services:
  app:
    image: "wordpress:7.0.0"
    volumes:
      - "wordpress:/var/www/html/"
    environment:
      WORDPRESS_CONFIG_EXTRA: |
        define( 'AUTOMATIC_UPDATER_DISABLED', false );
        define( 'WP_AUTO_UPDATE_CORE', true );
        define( 'FS_METHOD', 'direct' );
        ${WORDPRESS_CONFIG_EXTRA}
  ftp:
    volumes:
      - "wordpress:/home/ftp_user/"
 volumes:
  wordpress:
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@ -6,12 +6,11 @@ services:
    secrets:
      - smtp_password
    environment:
-      - SMTP_HOST
+      - SMTP_HOST=${SMTP_HOST}
      - SMTP_PORT=${SMTP_PORT:-25}
-      - SMTP_AUTH
+      - SMTP_AUTH=${SMTP_AUTH}
-      - SMTP_TLS
+      - SMTP_TLS=${SMTP_TLS}
-      - MAIL_FROM
+      - MAIL_FROM=${MAIL_FROM}
      - SMTP_OVERRIDE_FROM
 secrets:
  smtp_password:
--- a/compose.ssh.yml
+++ b/compose.ssh.yml
@ -0,0 +1,27 @@
 ---
 version: "3.8"
 services:
  ssh:
    image: lscr.io/linuxserver/openssh-server
    environment:
      - PUID=33
      - PGID=33
      - PUBLIC_KEY=${SSH_PUBLIC_KEY}
      - USER_NAME=wordpress
      - PASSWORD_ACCESS=false
    networks:
      - proxy
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)"
        - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=gitea-ssh"
        - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=2222"
 networks:
  proxy:
    external: true
--- a/compose.yml
+++ b/compose.yml
@ -3,26 +3,19 @@ version: "3.8"
 services:
  app:
-    image: "wordpress:7.0.0"
+    image: "wordpress:5.8.1"
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    networks:
      - backend
      - proxy
    environment:
-      WORDPRESS_CONFIG_EXTRA: |
+      - WORDPRESS_DB_HOST=db
-            define( 'AUTOMATIC_UPDATER_DISABLED', false );
+      - WORDPRESS_DB_USER=wordpress
-            define( 'WP_AUTO_UPDATE_CORE', false );
+      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
-            ${WORDPRESS_CONFIG_EXTRA}
+      - WORDPRESS_DB_NAME=wordpress
-      PAGER: more
+      - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
-      WORDPRESS_DB_HOST: db
+      - PHP_EXTENSIONS
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
      PHP_EXTENSIONS: ${PHP_EXTENSIONS}
      CORS_ALLOW_ALL:
      COMPOSER:
    secrets:
      - db_password
    configs:
@ -31,8 +24,6 @@ services:
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
      - source: htaccess_conf
        target: /var/www/html/.htaccess
    entrypoint: /docker-entrypoint.sh
    depends_on:
      - db
@ -48,7 +39,7 @@ services:
        order: start-first
      labels:
        - "traefik.enable=true"
-        - "traefik.swarm.network=proxy"
+        - "traefik.docker.network=proxy"
        - "traefik.http.routers.${STACK_NAME}.tls=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
@ -57,15 +48,10 @@ services:
        #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+5.8.1"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://(${REDIRECTS})/(.*)"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
        - "coop-cloud.${STACK_NAME}.version=3.0.0+7.0.0"
  db:
-    image: "mariadb:12.3"
+    image: "mariadb:10.6"
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
@ -78,12 +64,6 @@ services:
    secrets:
      - db_password
      - db_root_password
    deploy:
      labels:
        backupbot.backup: "${ENABLE_BACKUPS:-true}"
        backupbot.backup.pre-hook: "mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz"
        backupbot.backup.volumes.mariadb.path: "dump.sql.gz"
        backupbot.restore.post-hook: "gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql"
 networks:
  backend:
@ -109,9 +89,4 @@ configs:
    template_driver: golang
  php_uploads_conf:
    name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
-    file: uploads.ini.tmpl
+    file: uploads.ini
    template_driver: golang
  htaccess_conf:
    name: ${STACK_NAME}_htaccess_conf_${HTACCESS_CONF_VERSION}
    file: htaccess.tmpl
    template_driver: golang
--- a/entrypoint.mailrelay.sh.tmpl
+++ b/entrypoint.mailrelay.sh.tmpl
@ -3,5 +3,3 @@
 apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y msmtp && rm -rf /var/lib/apt/lists/*
 echo "sendmail_path = /usr/bin/msmtp -t -i" > /usr/local/etc/php/conf.d/sendmail.ini
 /docker-entrypoint.sh
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -1,62 +1,10 @@
 #!/bin/bash
-{{ if (getenv "PHP_EXTENSIONS") }}
+{{ if (env "PHP_EXTENSIONS") }}
-docker-php-ext-install {{ getenv "PHP_EXTENSIONS" }}
+docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
 {{ end }}
-curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+if [ -n "$@" ]; then
 chmod +x /usr/local/bin/wp
 {{ if eq (getenv "ENABLE_COMPOSER") "1" }}
 mkdir -p /var/www/.composer
 chown www-data:www-data /var/www/.composer /var/www/html/composer
 curl https://getcomposer.org/installer -o /tmp/composer-setup.php
 php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
 php /tmp/composer-setup.php
 rm /tmp/composer-setup.php
 mv /var/www/html/composer.phar /usr/local/bin/composer
 {{ end }}
 {{ if eq (getenv "CORS_ALLOW_ALL") "1" }}
 a2enmod headers
 sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
 {{ end }}
 {{ if eq (getenv "MULTISITE") "enable" }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('WP_CACHE', false);
 define('WP_ALLOW_MULTISITE', true );"
 {{ end }}
 {{ if or (eq (getenv "MULTISITE") "subdomain") (eq (getenv "MULTISITE") "subfolder") }}
 export WORDPRESS_CONFIG_EXTRA="$WORDPRESS_CONFIG_EXTRA
 define('MULTISITE', true);
 define('SUBDOMAIN_INSTALL', true);
 define('DOMAIN_CURRENT_SITE', '${DOMAIN}');
 define('PATH_CURRENT_SITE', '/');
 define('SITE_ID_CURRENT_SITE', 1);
 define('BLOG_ID_CURRENT_SITE', 1);
 define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}
 UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
 if [ ! -f "$UPLOADS_HTACCESS" ]; then
    mkdir -p /var/www/html/wp-content/uploads
    cat > "$UPLOADS_HTACCESS" <<'EOF'
 # Prevent PHP execution in uploads directory
 <FilesMatch "\.(?i:php|phtml|phar)$">
    Require all denied
 </FilesMatch>
 EOF
 fi
 chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
 if [ $# -gt 0 ]; then
 	"$@"
 fi
--- a/htaccess.tmpl
+++ b/htaccess.tmpl
@ -1,62 +0,0 @@
 # Protect sensitive files from direct access
 <FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
    Require all denied
 </FilesMatch>
 {{ if eq (getenv "MULTISITE") "" -}}
 # BEGIN WordPress
 RewriteEngine On
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 # END WordPress
 {{- end -}}
 {{- if eq (getenv "MULTISITE") "subfolder" -}}
 # BEGIN WordPress Multisite
 # Using subfolder network type: https://wordpress.org/documentation/article/htaccess/#multisite
 RewriteEngine On
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 # add a trailing slash to /wp-admin
 RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
 RewriteCond %{REQUEST_FILENAME} -f [OR]
 RewriteCond %{REQUEST_FILENAME} -d
 RewriteRule ^ - [L]
 RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
 RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
 RewriteRule . index.php [L]
 # END WordPress Multisite
 {{- end -}}
 {{- if eq (getenv "MULTISITE") "subdomain" -}}
 # BEGIN WordPress Multisite
 # Using subdomain network type: https://wordpress.org/documentation/article/htaccess/#multisite
 RewriteEngine On
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 # add a trailing slash to /wp-admin
 RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
 RewriteCond %{REQUEST_FILENAME} -f [OR]
 RewriteCond %{REQUEST_FILENAME} -d
 RewriteRule ^ - [L]
 RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
 RewriteRule ^(.*\.php)$ $1 [L]
 RewriteRule . index.php [L]
 # END WordPress Multisite
 {{- end }}
--- a/msmtp.conf.tmpl
+++ b/msmtp.conf.tmpl
@ -1,19 +1,15 @@
 account default
-host {{ getenv "SMTP_HOST" }}
+host {{ env "SMTP_HOST" }}
-from {{ getenv "MAIL_FROM" }}
+from {{ env "MAIL_FROM" }}
-user {{ or (getenv "SMTP_USER") (getenv "MAIL_FROM") }}
+user {{ env "MAIL_FROM" }}
-port {{ getenv "SMTP_PORT" }}
+port {{ env "SMTP_PORT" }}
-{{ if eq (getenv "SMTP_OVERRIDE_FROM") "on" }}
+{{ if eq (env "SMTP_AUTH") "on" }}
-set_from_header on
+auth {{ env "SMTP_AUTH" }}
 {{ end }}
 {{ if eq (getenv "SMTP_AUTH") "on" }}
 auth {{ getenv "SMTP_AUTH" }}
 passwordeval "cat /run/secrets/smtp_password"
 {{ end }}
-{{ if eq (getenv "SMTP_TLS") "on" }}
+{{ if eq (env "SMTP_TLS") "on" }}
-tls {{ getenv "SMTP_TLS" }}
+tls {{ env "SMTP_TLS" }}
 tls_trust_file /etc/ssl/certs/ca-certificates.crt
 {{ end }}
--- a/release/2.10.0+6.5.5
+++ b/release/2.10.0+6.5.5
@ -1 +0,0 @@
 Adds redirects and alakazam integration
--- a/release/2.13.2+6.7.1
+++ b/release/2.13.2+6.7.1
@ -1 +0,0 @@
 Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.
--- a/release/2.17.1+6.9.0
+++ b/release/2.17.1+6.9.0
@ -1 +0,0 @@
 Breaking change for openid plugin: The issuer must be provided, thus the set_authentik function now includes issuer and endpoint_jwks.
--- a/release/2.4.0+6.3.0
+++ b/release/2.4.0+6.3.0
@ -1 +0,0 @@
 The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.
--- a/release/2.7.0+6.4.2
+++ b/release/2.7.0+6.4.2
@ -1 +0,0 @@
 Multisite now also works with subpaths instead of subdomains. Also Multisite support was simplified. If you are using a subdomain multisite setup you can remove the `WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true);...` from your config and instead set MULTISITE=subdomain.
--- a/release/3.0.0+7.0.0
+++ b/release/3.0.0+7.0.0
@ -1,6 +0,0 @@
 - WordPress upgraded from 6.9.4 to 7.0 (major! test before deploying)
 - MariaDB upgraded from 10.x to 11.4 (major! SSL now enabled by default)
 - ENTRYPOINT_CONF_VERSION bumped to v9
 - Breaking: MariaDB 11.4 enables SSL by default — if clients don't support SSL, add --disable-ssl to db command
 - Breaking: WordPress 7.0 introduces new AI features and admin theme changes
 - Backup database and files before upgrading
--- a/renovate.json
+++ b/renovate.json
@ -1,37 +1,6 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
-    "config:recommended"
+    "config:base"
  ],
  "regexManagers": [
    {
      "fileMatch": ["(^|/)compose[^/]*\\.yml$"],
      "matchStrings": [
        "image:\\s*\"wordpress:(?<currentValue>[^\"]+)\"",
        "image:\\s*\"mariadb:(?<currentValue>[^\"]+)\""
      ],
      "datasourceTemplate": "docker",
      "lookupNameTemplate": "{{{packageName}}}"
    },
    {
      "fileMatch": ["(^|/)\\.drone\\.yml$"],
      "matchStrings": [
        "gomplate/releases/download/v(?<currentValue>[\\d.]+)/gomplate_linux-amd64"
      ],
      "datasourceTemplate": "github-releases",
      "lookupNameTemplate": "hairyhenderson/gomplate"
    }
  ],
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["wordpress"],
      "enabled": true
    },
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["mariadb"],
      "enabled": true
    }
  ]
 }
--- a/tests/fixtures/composer.env
+++ b/tests/fixtures/composer.env
@ -1,2 +0,0 @@
 DOMAIN=wordpress.example.com
 ENABLE_COMPOSER=1
--- a/tests/fixtures/cors.env
+++ b/tests/fixtures/cors.env
@ -1,2 +0,0 @@
 DOMAIN=wordpress.example.com
 CORS_ALLOW_ALL=1
--- a/tests/fixtures/default.env
+++ b/tests/fixtures/default.env
@ -1 +0,0 @@
 DOMAIN=wordpress.example.com
--- a/tests/fixtures/multisite-enable.env
+++ b/tests/fixtures/multisite-enable.env
@ -1,2 +0,0 @@
 DOMAIN=wordpress.example.com
 MULTISITE=enable
--- a/tests/fixtures/multisite-subdomain.env
+++ b/tests/fixtures/multisite-subdomain.env
@ -1,2 +0,0 @@
 DOMAIN=wordpress.example.com
 MULTISITE=subdomain
--- a/tests/fixtures/multisite-subfolder.env
+++ b/tests/fixtures/multisite-subfolder.env
@ -1,2 +0,0 @@
 DOMAIN=wordpress.example.com
 MULTISITE=subfolder
--- a/tests/fixtures/php-extensions.env
+++ b/tests/fixtures/php-extensions.env
@ -1,2 +0,0 @@
 DOMAIN=wordpress.example.com
 PHP_EXTENSIONS=calendar
--- a/tests/fixtures/smtp-full.env
+++ b/tests/fixtures/smtp-full.env
@ -1,8 +0,0 @@
 DOMAIN=wordpress.example.com
 SMTP_HOST=mail.example.com
 SMTP_PORT=587
 MAIL_FROM=wordpress@example.com
 SMTP_USER=relay@example.com
 SMTP_AUTH=on
 SMTP_TLS=on
 SMTP_OVERRIDE_FROM=on
--- a/tests/fixtures/upload-sizes.env
+++ b/tests/fixtures/upload-sizes.env
@ -1,3 +0,0 @@
 DOMAIN=wordpress.example.com
 UPLOAD_MAX_SIZE=512M
 UPLOAD_MAX_TIME=60
--- a/tests/run.sh
+++ b/tests/run.sh
@ -1,54 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 # Root of the project directory
 ROOT="$(dirname "$(realpath "$0")")"
 echo "==================================="
 echo "  WordPress Recipe Test Suite"
 echo "==================================="
 echo ""
 # Collect all compose files for YAML validation
 COMPOSE_FILES=()
 while IFS= read -r f; do
    COMPOSE_FILES+=("$f")
 done < <(find "$ROOT/.." -maxdepth 1 -name 'compose*.yml' | sort)
 # Collect all tmpl files for shellcheck (only those with bash content)
 SHELL_TMPL_FILES=()
 while IFS= read -r f; do
    SHELL_TMPL_FILES+=("$f")
 done < <(find "$ROOT/.." -maxdepth 1 -name '*.sh.tmpl' | sort)
 # Track total failures across all test suites
 failures=0
 # Validate YAML syntax of all compose files
 echo "========================================================================"
 "$ROOT/test_yaml.sh" "${COMPOSE_FILES[@]}" || failures=$((failures + 1))
 echo ""
 # Lint shell scripts inside Go templates (after stripping template tags)
 echo "========================================================================"
 "$ROOT/test_shell.sh" "${SHELL_TMPL_FILES[@]}" || failures=$((failures + 1))
 echo ""
 # Render templates with fixture env files and verify expected output
 echo "========================================================================"
 "$ROOT/test_templates.sh" || failures=$((failures + 1))
 echo ""
 # Validate compose files against the Docker Compose specification
 echo "========================================================================"
 "$ROOT/test_compose_config.sh" || failures=$((failures + 1))
 echo ""
 echo "==================================="
 if [ "$failures" -eq 0 ]; then
    echo "  All tests passed!"
 else
    echo "  $failures test suite(s) failed"
 fi
 echo "==================================="
 exit "$failures"
--- a/tests/test_compose_config.sh
+++ b/tests/test_compose_config.sh
@ -1,64 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 ROOT="$(dirname "$(realpath "$0")")/.."
 pass=0
 fail=0
 # Detect available Docker Compose command
 compose_cmd=""
 if command -v docker &>/dev/null && docker compose version &>/dev/null 2>&1; then
    compose_cmd="docker compose"
 elif command -v docker-compose &>/dev/null; then
    compose_cmd="docker-compose"
 fi
 # Validate a compose file against the Docker Compose specification
 test_compose_config() {
    local file=$1 main=${2:-}
    # Skip if Docker Compose is not available on this system
    if [ -z "$compose_cmd" ]; then
        echo "  SKIP  $file (no docker compose available)"
        return
    fi
    # Main compose file is validated standalone
    if [ -z "$main" ]; then
        if $compose_cmd -f "$file" config -q 2>/dev/null; then
            echo "  PASS  $file"
            pass=$((pass + 1))
        else
            echo "  FAIL  $file"
            fail=$((fail + 1))
        fi
        return
    fi
    # Override files are validated combined with the main compose file.
    # If the combination still fails, the override needs additional context
    # (e.g. other override files) and is skipped rather than failed.
    if $compose_cmd -f "$main" -f "$file" config -q 2>/dev/null; then
        echo "  PASS  $file"
        pass=$((pass + 1))
    else
        echo "  SKIP  $file (partial override, needs additional context)"
        pass=$((pass + 1))
    fi
 }
 echo "=== Docker Compose Config Validation ==="
 # Validate main compose file first, then all override files
 test_compose_config "$ROOT/compose.yml"
 while IFS= read -r f; do
    # Skip the main compose file (already tested above)
    [ "$f" = "$ROOT/compose.yml" ] && continue
    [ -f "$f" ] && test_compose_config "$f" "$ROOT/compose.yml"
 done < <(find "$ROOT" -maxdepth 1 -name 'compose*.yml' | sort)
 echo "---"
 echo "Passed: $pass  Failed: $fail"
 # Exit with failure if any compose file failed validation
 [ "$fail" -eq 0 ]
--- a/tests/test_shell.sh
+++ b/tests/test_shell.sh
@ -1,50 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 pass=0
 fail=0
 # Skip if shellcheck is not installed
 if ! command -v shellcheck &>/dev/null; then
    echo "=== ShellCheck ==="
    echo "  SKIP  shellcheck not found"
    echo "---"
    echo "Passed: 0  Failed: 0"
    exit 0
 fi
 # Allow overriding shellcheck options via env var (e.g. -s bash)
 EXTRA_SHELLCHECK_OPTS="${SHELLCHECK_OPTS:-}"
 # Run shellcheck on a Go template after stripping template tags
 shellcheck_tmpl() {
    local tmpl=$1
    # Strip Go template tags ({{ ... }} and {{- ... -}}) into whitespace
    # so shellcheck can parse the remaining bash.
    local cleaned
    cleaned=$(sed 's/{{[-]*[^}]*[-]*}}/true/g' "$tmpl")
    local tmpfile
    tmpfile=$(mktemp)
    printf '%s\n' "$cleaned" > "$tmpfile"
    if shellcheck $EXTRA_SHELLCHECK_OPTS "$tmpfile"; then
        echo "  PASS  $tmpl"
        pass=$((pass + 1))
    else
        echo "  FAIL  $tmpl"
        fail=$((fail + 1))
    fi
    rm -f "$tmpfile"
 }
 echo "=== ShellCheck ==="
 # Lint each template file passed as argument
 for f in "$@"; do
    [ -f "$f" ] && shellcheck_tmpl "$f"
 done
 echo "---"
 echo "Passed: $pass  Failed: $fail"
 # Exit with failure if any template failed shellcheck
 [ "$fail" -eq 0 ]
--- a/tests/test_templates.sh
+++ b/tests/test_templates.sh
@ -1,301 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 ROOT="$(dirname "$(realpath "$0")")/.."
 pass=0
 fail=0
 # Allow overriding gomplate binary path via env var
 gomplate="${GOMPLATE_BIN:-gomplate}"
 # Ensure gomplate is installed before running template tests
 require_gomplate() {
    if ! command -v "$gomplate" &>/dev/null; then
        echo "  SKIP  gomplate not found (install from https://github.com/hairyhenderson/gomplate or set GOMPLATE_BIN)"
        exit 0
    fi
 }
 # Render a template by exporting env vars directly
 # This avoids gomplate datasource quirks with .env files
 render_via_env() {
    local tmpl=$1 envfile=$2
    set -a
    # shellcheck disable=1090,1091
    . "$envfile"
    set +a
    "$gomplate" -f "$tmpl" 2>/dev/null
 }
 # ---------------------------------------------------------------------------
 # entrypoint.sh.tmpl tests
 # ---------------------------------------------------------------------------
 # Default entrypoint: no multisite, uploads guard, chown with --from, wp-cli
 test_entrypoint_default() {
    local envfile=$1
    local output
    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
    # Should NOT have multisite config
    if echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
        echo "  FAIL  entrypoint default: unexpected WP_ALLOW_MULTISITE"
        return 1
    fi
    # Should have uploads .htaccess guard
    if ! echo "$output" | grep -q "Prevent PHP execution in uploads"; then
        echo "  FAIL  entrypoint default: missing uploads htaccess"
        return 1
    fi
    # Should use --from=root:root on chown
    if ! echo "$output" | grep -q "chown -R --from=root:root"; then
        echo "  FAIL  entrypoint default: missing --from=root:root on chown"
        return 1
    fi
    # Should have wp-cli download
    if ! echo "$output" | grep -q "wp-cli.phar"; then
        echo "  FAIL  entrypoint default: missing wp-cli download"
        return 1
    fi
    echo "  PASS  entrypoint default"
 }
 # Multisite enable: should set WP_ALLOW_MULTISITE
 test_entrypoint_multisite_enable() {
    local envfile=$1
    local output
    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
    if ! echo "$output" | grep -q "WP_ALLOW_MULTISITE"; then
        echo "  FAIL  entrypoint multisite enable: missing WP_ALLOW_MULTISITE"
        return 1
    fi
    echo "  PASS  entrypoint multisite enable"
 }
 # Multisite subdomain: should set MULTISITE, SUBDOMAIN_INSTALL, DOMAIN_CURRENT_SITE
 test_entrypoint_multisite_subdomain() {
    local envfile=$1
    local output
    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
    if ! echo "$output" | grep -q "MULTISITE"; then
        echo "  FAIL  entrypoint multisite subdomain: missing MULTISITE"
        return 1
    fi
    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
        echo "  FAIL  entrypoint multisite subdomain: missing SUBDOMAIN_INSTALL"
        return 1
    fi
    if ! echo "$output" | grep -q "DOMAIN_CURRENT_SITE"; then
        echo "  FAIL  entrypoint multisite subdomain: missing DOMAIN_CURRENT_SITE"
        return 1
    fi
    echo "  PASS  entrypoint multisite subdomain"
 }
 # Multisite subfolder: should set MULTISITE but not SUBDOMAIN_INSTALL
 test_entrypoint_multisite_subfolder() {
    local envfile=$1
    local output
    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
    if ! echo "$output" | grep -q "MULTISITE"; then
        echo "  FAIL  entrypoint multisite subfolder: missing MULTISITE"
        return 1
    fi
    if ! echo "$output" | grep -q "SUBDOMAIN_INSTALL"; then
        echo "  FAIL  entrypoint multisite subfolder: missing SUBDOMAIN_INSTALL"
        return 1
    fi
    echo "  PASS  entrypoint multisite subfolder"
 }
 # CORS: should enable Apache headers module and set Access-Control-Allow-Origin
 test_entrypoint_cors() {
    local envfile=$1
    local output
    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
    if ! echo "$output" | grep -q "a2enmod headers"; then
        echo "  FAIL  entrypoint CORS: missing a2enmod headers"
        return 1
    fi
    if ! echo "$output" | grep -q "Access-Control-Allow-Origin"; then
        echo "  FAIL  entrypoint CORS: missing Access-Control-Allow-Origin"
        return 1
    fi
    echo "  PASS  entrypoint CORS"
 }
 # PHP extensions: should install additional PHP extensions like calendar
 test_entrypoint_php_extensions() {
    local envfile=$1
    local output
    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
    if ! echo "$output" | grep -q "docker-php-ext-install calendar"; then
        echo "  FAIL  entrypoint PHP extensions: missing docker-php-ext-install calendar"
        return 1
    fi
    echo "  PASS  entrypoint PHP extensions"
 }
 # Composer: should download Composer via getcomposer.org
 test_entrypoint_composer() {
    local envfile=$1
    local output
    output=$(render_via_env "entrypoint.sh.tmpl" "$envfile")
    if ! echo "$output" | grep -q "getcomposer.org"; then
        echo "  FAIL  entrypoint composer: missing composer download"
        return 1
    fi
    echo "  PASS  entrypoint composer"
 }
 # ---------------------------------------------------------------------------
 # htaccess.tmpl tests
 # ---------------------------------------------------------------------------
 # Default htaccess: standard WordPress rewrite rule, no multisite section
 test_htaccess_default() {
    local envfile=$1
    local output
    output=$(render_via_env "htaccess.tmpl" "$envfile")
    if ! echo "$output" | grep -q "RewriteRule . /index.php"; then
        echo "  FAIL  htaccess default: missing standard rewrite rule"
        return 1
    fi
    if echo "$output" | grep -q "WordPress Multisite"; then
        echo "  FAIL  htaccess default: unexpected multisite section"
        return 1
    fi
    echo "  PASS  htaccess default"
 }
 # Multisite htaccess: multisite section present, no standard rewrite rule
 test_htaccess_multisite() {
    local envfile=$1 mode=$2
    local output
    output=$(render_via_env "htaccess.tmpl" "$envfile")
    if ! echo "$output" | grep -q "WordPress Multisite"; then
        echo "  FAIL  htaccess multisite $mode: missing multisite section"
        return 1
    fi
    if echo "$output" | grep -q "^RewriteRule . /index.php"; then
        echo "  FAIL  htaccess multisite $mode: has non-multisite rewrite rule"
        return 1
    fi
    echo "  PASS  htaccess multisite $mode"
 }
 # ---------------------------------------------------------------------------
 # uploads.ini.tmpl tests
 # ---------------------------------------------------------------------------
 # Default uploads config: 256M upload limit, 30s execution time
 test_uploads_default() {
    local output
    output=$(render_via_env "uploads.ini.tmpl" "tests/fixtures/default.env")
    if ! echo "$output" | grep -q "upload_max_filesize = 256M"; then
        echo "  FAIL  uploads default: expected 256M upload_max_filesize"
        return 1
    fi
    if ! echo "$output" | grep -q "max_execution_time = 30"; then
        echo "  FAIL  uploads default: expected 30 max_execution_time"
        return 1
    fi
    echo "  PASS  uploads default"
 }
 # Custom uploads config: 512M upload limit, 60s execution time
 test_uploads_custom() {
    local envfile=$1
    local output
    output=$(render_via_env "uploads.ini.tmpl" "$envfile")
    if ! echo "$output" | grep -q "upload_max_filesize = 512M"; then
        echo "  FAIL  uploads custom: expected 512M"
        return 1
    fi
    if ! echo "$output" | grep -q "max_execution_time = 60"; then
        echo "  FAIL  uploads custom: expected 60"
        return 1
    fi
    echo "  PASS  uploads custom"
 }
 # ---------------------------------------------------------------------------
 # msmtp.conf.tmpl tests
 # ---------------------------------------------------------------------------
 # Full SMTP config: host, from, auth, passwordeval, TLS, set_from_header
 test_msmtp_default() {
    local output
    output=$(render_via_env "msmtp.conf.tmpl" "tests/fixtures/smtp-full.env")
    if ! echo "$output" | grep -q "host mail.example.com"; then
        echo "  FAIL  msmtp default: missing host"
        return 1
    fi
    if ! echo "$output" | grep -q "from wordpress@example.com"; then
        echo "  FAIL  msmtp default: missing from"
        return 1
    fi
    if ! echo "$output" | grep -q "auth on"; then
        echo "  FAIL  msmtp default: missing auth"
        return 1
    fi
    if ! echo "$output" | grep -q "passwordeval"; then
        echo "  FAIL  msmtp default: missing passwordeval"
        return 1
    fi
    if ! echo "$output" | grep -q "tls on"; then
        echo "  FAIL  msmtp default: missing tls"
        return 1
    fi
    if ! echo "$output" | grep -q "set_from_header on"; then
        echo "  FAIL  msmtp default: missing set_from_header"
        return 1
    fi
    echo "  PASS  msmtp full config"
 }
 # ---------------------------------------------------------------------------
 # Run all template tests
 # ---------------------------------------------------------------------------
 echo "=== Template Rendering Tests ==="
 cd "$ROOT"
 echo "--- entrypoint.sh.tmpl ---"
 require_gomplate
 test_entrypoint_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
 test_entrypoint_multisite_enable "tests/fixtures/multisite-enable.env" && pass=$((pass+1)) || fail=$((fail+1))
 test_entrypoint_multisite_subdomain "tests/fixtures/multisite-subdomain.env" && pass=$((pass+1)) || fail=$((fail+1))
 test_entrypoint_multisite_subfolder "tests/fixtures/multisite-subfolder.env" && pass=$((pass+1)) || fail=$((fail+1))
 test_entrypoint_cors "tests/fixtures/cors.env" && pass=$((pass+1)) || fail=$((fail+1))
 test_entrypoint_php_extensions "tests/fixtures/php-extensions.env" && pass=$((pass+1)) || fail=$((fail+1))
 test_entrypoint_composer "tests/fixtures/composer.env" && pass=$((pass+1)) || fail=$((fail+1))
 echo "--- htaccess.tmpl ---"
 test_htaccess_default "tests/fixtures/default.env" && pass=$((pass+1)) || fail=$((fail+1))
 test_htaccess_multisite "tests/fixtures/multisite-subfolder.env" "subfolder" && pass=$((pass+1)) || fail=$((fail+1))
 test_htaccess_multisite "tests/fixtures/multisite-subdomain.env" "subdomain" && pass=$((pass+1)) || fail=$((fail+1))
 echo "--- uploads.ini.tmpl ---"
 test_uploads_default && pass=$((pass+1)) || fail=$((fail+1))
 test_uploads_custom "tests/fixtures/upload-sizes.env" && pass=$((pass+1)) || fail=$((fail+1))
 echo "--- msmtp.conf.tmpl ---"
 test_msmtp_default && pass=$((pass+1)) || fail=$((fail+1))
 echo "---"
 echo "Passed: $pass  Failed: $fail"
 # Exit with failure if any template test failed
 [ "$fail" -eq 0 ]
--- a/tests/test_yaml.sh
+++ b/tests/test_yaml.sh
@ -1,60 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 pass=0
 fail=0
 # Detect available YAML checker: prefer yamllint, fall back to PyYAML
 checker=""
 if command -v yamllint &>/dev/null; then
    checker=yamllint
 elif python3 -c "import yaml" 2>/dev/null; then
    checker=python
 fi
 # Validate a single YAML file using the available checker
 test_yaml() {
    local file=$1
    # yamllint provides richer output; PyYAML just checks parseability
    case "$checker" in
        yamllint)
            if yamllint -d "{extends: relaxed, rules: {line-length: disable}}" "$file"; then
                echo "  PASS  $file"
                pass=$((pass+1))
            else
                echo "  FAIL  $file"
                fail=$((fail+1))
            fi
            ;;
        python)
            if python3 -c "
 import yaml, sys
 with open('$file') as f:
    yaml.safe_load(f)
 " 2>/dev/null; then
                echo "  PASS  $file"
                pass=$((pass+1))
            else
                echo "  FAIL  $file"
                fail=$((fail+1))
            fi
            ;;
        # Skip silently if no YAML checker is installed
        *)
            echo "  SKIP  $file (no yamllint or PyYAML)"
            pass=$((pass+1))
            ;;
    esac
 }
 echo "=== YAML Validation ==="
 # Test each compose file passed as argument
 for f in "$@"; do
    [ -f "$f" ] && test_yaml "$f"
 done
 echo "---"
 echo "Passed: $pass  Failed: $fail"
 # Exit with failure if any file failed validation
 [ "$fail" -eq 0 ]
--- a/uploads.ini
+++ b/uploads.ini
@ -0,0 +1,3 @@
 file_uploads = On
 upload_max_filesize = 256M
 post_max_size = 256M
--- a/uploads.ini.tmpl
+++ b/uploads.ini.tmpl
@ -1,11 +0,0 @@
 {{- $upload_max_size := "256M" -}}
 {{- if ne (getenv "UPLOAD_MAX_SIZE") "" }}{{ $upload_max_size = getenv "UPLOAD_MAX_SIZE" }}{{ end -}}
 {{- $upload_max_time := "30" -}}
 {{- if ne (getenv "UPLOAD_MAX_TIME") "" }}{{ $upload_max_time = getenv "UPLOAD_MAX_TIME" }}{{ end -}}
 file_uploads = On
 upload_max_filesize = {{ $upload_max_size }}
 post_max_size = {{ $upload_max_size }}
 memory_limit = {{ $upload_max_size }}
 max_execution_time = {{ $upload_max_time }}
 max_input_time = {{ $upload_max_time }}
--- a/users.conf.tmpl
+++ b/users.conf.tmpl
@ -1 +0,0 @@
 ftp_user:{{ secret "ftp_pass" }}:33:33
		`@ -1 +0,0 @@`
			`Breaking change for ftp container: you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.ftp-2222.yml" to open port 2222 again. You can also select between port 2220-2225.`
		`@ -1 +0,0 @@`
			`Breaking change for openid plugin: The issuer must be provided, thus the set_authentik function now includes issuer and endpoint_jwks.`
		`@ -1 +0,0 @@`
			`The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.`
		`@ -1 +0,0 @@`
			Multisite now also works with subpaths instead of subdomains. Also Multisite support was simplified. If you are using a subdomain multisite setup you can remove the `WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true);...` from your config and instead set MULTISITE=subdomain.
		`@ -1,2 +0,0 @@`
			`DOMAIN=wordpress.example.com`
			`ENABLE_COMPOSER=1`
		`@ -1,2 +0,0 @@`
			`DOMAIN=wordpress.example.com`
			`CORS_ALLOW_ALL=1`
		`@ -1,2 +0,0 @@`
			`DOMAIN=wordpress.example.com`
			`MULTISITE=enable`
		`@ -1,2 +0,0 @@`
			`DOMAIN=wordpress.example.com`
			`MULTISITE=subdomain`
		`@ -1,2 +0,0 @@`
			`DOMAIN=wordpress.example.com`
			`MULTISITE=subfolder`
		`@ -1,2 +0,0 @@`
			`DOMAIN=wordpress.example.com`
			`PHP_EXTENSIONS=calendar`