Add EXTRA_DOMAINS support

See compose-stacks/organising#19

.drone.yml

@@ -3,7 +3,7 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: wordpress
@@ -11,32 +11,12 @@ steps:
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
-      networks:
-        - proxy
     environment:
       DOMAIN: wordpress.swarm-test.autonomic.zone
       STACK_NAME: wordpress
       LETS_ENCRYPT_ENV: production
-      SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_DB_ROOT_PASSWORD_VERSION: v1
-      PHP_UPLOADS_CONF_VERSION: v1
-      ENTRYPOINT_CONF_VERSION: v1
+      DB_PASSWORD_VERSION: v1
+      DB_ROOT_PASSWORD_VERSION: v1
 trigger:
   branch:
     - master
----
-kind: pipeline
-name: generate recipe catalogue
-steps:
-  - name: release a new version
-    image: plugins/downstream
-    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -1,74 +0,0 @@
-TYPE=wordpress
-TIMEOUT=300
-ENABLE_AUTO_UPDATE=true
-COMPOSE_FILE="compose.yml"
-
-DOMAIN=wordpress.example.com
-## Domain aliases
-#EXTRA_DOMAINS=', `www.wordpress.example.com`'
-LETS_ENCRYPT_ENV=production
-
-# Setup Wordpress settings on each deploy:
-#POST_DEPLOY_CMDS="app core_install"
-
-# Optional settings, otherwise can be set in the installer
-# (Required for `app core_install`
-#TITLE="My Example Blog"
-#LOCALE="en_US" # de_DE
-#ADMIN_EMAIL=admin@example.com
-
-# Every new user is per default subscriber, uncomment to change it
-#DEFAULT_USER_ROLE=administrator
-
-# Uncomment to install PHP Composer
-#COMPOSER=1
-
-#WORDPRESS_DEBUG=true
-
-## Additional extensions
-#PHP_EXTENSIONS="calendar"
-
-SECRET_DB_ROOT_PASSWORD_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
-
-# Mostly for compatibility with existing database dumps...
-#WORDPRESS_TABLE_PREFIX=wp_
-
-# Multisite
-#WORDPRESS_CONFIG_EXTRA="\
-#define('WP_CACHE', false);\
-#define('WP_ALLOW_MULTISITE', true );"
-
-# Multisite phase 2 (see README)
-#WORDPRESS_CONFIG_EXTRA="define('MULTISITE', true); define('SUBDOMAIN_INSTALL', true); define('DOMAIN_CURRENT_SITE', '${DOMAIN}'); define('PATH_CURRENT_SITE', '/');	define('SITE_ID_CURRENT_SITE', 1); define('BLOG_ID_CURRENT_SITE', 1); define('FORCE_SSL_ADMIN', true ); define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
-
-# Local SMTP relay
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mailrelay.yml"
-#SMTP_HOST="postfix_relay_app"
-#MAIL_FROM="wordpress@example.com"
-
-# Remote SMTP relay
-#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
-#SMTP_HOST="mail.example.com"
-#MAIL_FROM="wordpress@example.com"
-#SMTP_USER="wordpress@example.com"  # optional, defaults to MAIL_FROM
-#SMTP_OVERRIDE_FROM=on  # force "From" to MAIL_FROM, usually necessary
-#SMTP_PORT=587
-#SMTP_AUTH=on
-#SMTP_TLS=on
-#SECRET_SMTP_PASSWORD_VERSION=v1
-
-# Authentik SSO
-#COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-#AUTHENTIK_DOMAIN=authentik.example.com
-#SECRET_AUTHENTIK_SECRET_VERSION=v1
-#SECRET_AUTHENTIK_ID_VERSION=v1
-#LOGIN_TYPE='auto'
-
-# Allow remote connections to db
-# 🚩🚩 dangerous, use only for development sites!
-#COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
-
-# Wide-open CORS
-# 🚩🚩 dangerous, use only for development sites!
-#CORS_ALLOW_ALL=1

.envrc.sample

@@ -0,0 +1,38 @@
+export DOMAIN=wordpress.example.com
+## Domain aliases
+#export EXTRA_DOMAINS=', `www.wordpress.example.com`'
+
+export STACK_NAME=wordpress
+export LETS_ENCRYPT_ENV=production
+
+export DB_ROOT_PASSWORD_VERSION=v1
+export DB_PASSWORD_VERSION=v1
+
+# Multisite
+#export WORDPRESS_CONFIG_EXTRA="\
+#	define('WP_CACHE', false);\
+#	define('WP_ALLOW_MULTISITE', true );"
+
+# Multisite phase 2 (see README)
+#export WORDPRESS_CONFIG_EXTRA="\
+#	define('WP_CACHE', false);\
+#	define('WP_ALLOW_MULTISITE', true );\
+#	define('MULTISITE', true);\
+#	define('SUBDOMAIN_INSTALL', true);\
+#	define('DOMAIN_CURRENT_SITE', '${DOMAIN}');\
+#	define('PATH_CURRENT_SITE', '/');\
+#	define('SITE_ID_CURRENT_SITE', 1);\
+#	define('BLOG_ID_CURRENT_SITE', 1);\
+#	define('FORCE_SSL_ADMIN', true );\
+#	define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
+
+# Backups
+#export COMPOSE_FILE="compose.yml:compose.backup.yml"
+
+# SMTP
+#export COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
+#export SMTP_HOST="postfix_relay_app"
+#export MAIL_FROM="wordpress@example.com"
+#
+#export MSMTP_CONF_VERSION=v1
+#export ENTRYPOINT_MAILRELAY_CONF_VERSION=v1

README.md

@@ -1,83 +1,59 @@
-# Wordpress
+# wordpress
 
-[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/wordpress/status.svg)](https://build.coopcloud.tech/coop-cloud/wordpress)
+[![Build Status](https://drone.autonomic.zone/api/badges/compose-stacks/wordpress/status.svg)](https://drone.autonomic.zone/compose-stacks/wordpress)
 
 Coöp Cloud + [Wordpress](https://wordpress.org) = 🥳
 
-<!-- metadata -->
-
-* **Category**: Apps
-* **Status**: 3, stable
-* **Image**: [`wordpress`](https://hub.docker.com/_/wordpress), 4, upstream
-* **Healthcheck**: Yes
-* **Backups**: Yes
-* **Email**: 3
-* **Tests**: 2
-* **SSO**: No
-
-<!-- endmetadata -->
-
-
-## Quick start
-
-
-* `abra app new wordpress`
-* `abra app config <app-name>`
-* `abra app secret generate -a <app-name>`
-* `abra app deploy <app-name>`
-* `abra app cmd <app-name> app core_install`
-
-### Authentik Integration
-
-
-`abra app config <app-name>` 
-Configure the following envs:
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-AUTHENTIK_DOMAIN=authentik.example.com
-AUTHENTIK_SECRET_NAME=authentik_example_com_wordpress_secret_v1  # the same as in authentik
-AUTHENTIK_ID_NAME=authentik_example_com_wordpress_id_v1  # the same as in authentik
-```
-
-`abra app cmd <app-name> app set_authentik`
-
-## Running WP-CLI
-
-`abra app cmd <app-name> app wp -- core check-update --major`
+1. Set up Docker Swarm and [`abra`][abra]
+2. Deploy [`compose-stacks/traefik`][compose-traefik]
+3. `cp .envrc.sample .envrc`
+4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
+   your Docker swarm box
+5. `direnv allow` (or `. .envrc`)
+6. Generate secrets:
+   ```
+   abra secret_generate db_password v1
+   abra secret_generate db_root_password v1
+   ```
+7. `abra deploy`
+8. Open the configured domain in your browser to finish set-up
+9. `abra run wordpress chown www-data:www-data /var/www/html/wp-content` to fix
+   file permissions (see #3)
 
 ## Network (Multi-site)
 
 _(Only tested using subdomains)_
 
 1. Set up as above
-2. `abra app config <app-name>`, and uncomment the first `# Multisite` section
-3. `abra app deploy <app-name>`
-4. Log into the Wordpress admin dashboard, go to Tools » Network Setup
-5. Don't worry about the suggested file changes
-6. `abra app config <app-name>` again - comment out the first `# Multisite`
-   section in `.envrc`, uncomment the `# Multisite phase 2` section, and add
-   your multisite subdomain(s) to `EXTRA_DOMAINS` (beware the weird syntax..)
-7. `abra app deploy <app-name>`
+2. Uncomment the first `# Multisite` section in `.envrc`
+3. `direnv allow` (or re-run `source .envrc`)
+4. `abra deploy`
+5. Log into the Wordpress admin dashboard, go to Tools » Network Setup
+6. Don't worry about the suggested file changes
+7. Comment out the first `# Multisite` section in `.envrc` and uncomment the
+   `# Multisite phase 2` section
+8. `direnv allow` (or re-run `source .envrc`)
+9. `abra deploy`
+10. FIXME setting up SSL / routing
 
 ## Installing a custom theme
 
-`abra app cp <app-name> ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+`abra cp ~/path/to/local/theme wordpress:/var/www/html/wp-content/themes/`
+
+## Backups
+
+1. Edit `.envrc` and uncomment the `export COMPOSE_FILE="compose.yml:compose.backup.yml"` line
+2. `direnv allow`
+3. `abra deploy`
 
 ## Email
 
-There is a local or remote SMTP relay configuration available.
-
-* **local**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml`
-* **remote**: `COMPOSE_FILE=compose.yml:compose.mailrelay.yml:compose.smtp.yml`
-
-Below are the instructions for the local relay.
-
-1. Deploy [`postfix-relay`][cc-postfix-relay]
-2. `abra app config <app-name>`, and uncomment the email lines; change
-   `MAIL_FROM` to make sure the domain is the same as `postfix-relay`'s
-   `$DOMAIN` or in its `$EXTRA_SENDER_DOMAINS`
-3. `abra app deploy <app-name>`
+1. Deploy `postfix-relay`
+2. Edit `.envrc` and uncomment the email lines; change `MAIL_FROM` to make sure
+   the domain is the same as `postfix-relay`'s `$DOMAIN` or in its
+   `$EXTRA_SENDER_DOMAINS`
+3. `direnv allow` (or `source .envrc`)
+7. `abra deploy`
 
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
-[cc-postfix-relay]: https://git.autonomic.zone/coop-cloud/traefik
+[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik

abra.sh

@@ -1,151 +0,0 @@
-export PHP_UPLOADS_CONF_VERSION=v3
-export ENTRYPOINT_CONF_VERSION=v5
-export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
-export MSMTP_CONF_VERSION=v4
-
-wp() {
-    su -p www-data -s /bin/bash -c "/usr/local/bin/wp $@"
-}
-
-core_install(){
-    ADMIN=admin
-    if [ -n "$AUTHENTIK_DOMAIN" ]
-    then
-        ADMIN=akadmin
-    fi
-    chown www-data:www-data -R /var/www/html/wp-content
-    wp "core install --url=$DOMAIN --title=\"$TITLE\" --admin_user=$ADMIN --admin_email=$ADMIN_EMAIL --locale=$LOCALE --skip-email"
-    wp "language core install $LOCALE"
-    wp "site switch-language $LOCALE"
-    wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
-    wp "plugin install --activate disable-update-notifications"
-    wp 'option update dwcun_setting on' 
-    if [ -n "$DEFAULT_USER_ROLE" ]
-    then
-        wp "option set default_role $DEFAULT_USER_ROLE"
-    else
-        wp "option set default_role subscriber"
-    fi
-    wp 'plugin auto-updates enable --all' || exit 0
-}
-
-set_authentik(){
-    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
-    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
-    if [ -z $LOGIN_TYPE ]
-    then
-        LOGIN_TYPE='button'
-    fi
-    wp "user create akadmin admin@example.com --role=administrator"
-    wp "plugin install --activate daggerhart-openid-connect-generic"
-    wp "option update --format=json openid_connect_generic_settings '
-    {
-        \"login_type\":\"$LOGIN_TYPE\",
-        \"client_id\":\"$AUTHENTIK_ID\",
-        \"client_secret\":\"$AUTHENTIK_SECRET\",
-        \"scope\":\"email profile openid\",
-        \"endpoint_login\":\"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
-        \"endpoint_userinfo\":\"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
-        \"endpoint_token\":\"https://$AUTHENTIK_DOMAIN/application/o/token/\",
-        \"endpoint_end_session\":\"https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/\",
-        \"acr_values\":\"\",
-        \"identity_key\":\"preferred_username\",
-        \"no_sslverify\":\"0\",
-        \"http_request_timeout\":\"30\",
-        \"enforce_privacy\":\"0\",
-        \"alternate_redirect_uri\":\"1\",
-        \"nickname_key\":\"preferred_username\",
-        \"email_format\":\"{email}\",
-        \"displayname_format\":\"\",
-        \"identify_with_username\":\"1\",
-        \"state_time_limit\":\"\",
-        \"token_refresh_enable\":\"1\",
-        \"link_existing_users\":\"1\",
-        \"create_if_does_not_exist\":\"1\",
-        \"redirect_user_back\":\"0\",
-        \"redirect_on_logout\":\"1\",
-        \"enable_logging\":\"0\",
-        \"log_limit\":\"1000\"
-    }'"
-    wp "rewrite flush"
-    wp "cache flush"
-
-}
-
-fix_mysql() {
-  echo "ALTER TABLE mysql.column_stats MODIFY histogram longblob; ALTER TABLE mysql.column_stats MODIFY hist_type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB');" | mysql -u root -p$(cat /run/secrets/db_root_password)
-}
-
-sub_wp() {
-  CONTAINER=$(docker container ls -f "Name=${STACK_NAME}_app" --format '{{ .ID }}')
-  if [ -z "$CONTAINER" ]; then
-    error "Can't find a container for ${STACK_NAME}_app"
-    exit
-  fi
-  debug "Using Container ID ${CONTAINER}"
-
-  # FIXME 3wc: we're fighting the Wordpress image, which recommends a named
-  # volume for /var/www/html -- this used to work fine using --volumes-from
-  # because the actual MySQL password was inserted into the generated
-  # wp-config.php -- but as of Wordpress 5.7.0, wp-config loads data straight
-  # from the environment, which requires Docker secrets to work, which only work
-  # in swarm services (not one-off `docker run` commands). Defining a `cli`
-  # service in compose.yml almost works, but there's no volumes_from: in Compose
-  # V3, and without it then the `cli` service can't access Wordpress core.
-  # See https://git.autonomic.zone/coop-cloud/wordpress/issues/21
-  warning "Slowly looking up MySQL password..."
-  silence
-  abra__service_="app"
-  DB_PASSWORD="$(sub_app_run cat "/run/secrets/db_password")"
-  unsilence
-
-  # shellcheck disable=SC2154,SC2086
-  docker run -it \
-	--volumes-from "$CONTAINER" \
-	--network "container:$CONTAINER" \
-	-u xfs:xfs \
-    -e WORDPRESS_DB_HOST=db \
-    -e WORDPRESS_DB_USER=wordpress \
-    -e WORDPRESS_DB_PASSWORD="${DB_PASSWORD}" \
-    -e WORDPRESS_DB_NAME=wordpress \
-    -e WORDPRESS_CONFIG_EXTRA="${WORDPRESS_CONFIG_EXTRA}" \
-	wordpress:cli wp ${abra__args_[*]}
-}
-
-abra_backup_app() {
-  _abra_backup_dir "app:/var/www/html/wp-content"
-}
-
-abra_backup_db() {
-  _abra_backup_mysql "db" "wordpress"
-}
-
-abra_backup() {
-  abra_backup_app && abra_backup_db
-}
-
-abra_restore_app() {
-  # shellcheck disable=SC2034
-  {
-	abra__src_="-"
-	abra__dst_="app:/var/www/html/"
-  }
-
-  zcat "$@" | sub_app_cp
-
-  success "Restored 'app'"
-}
-
-abra_restore_db() {
-  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
-  # got this far..
-
-  # shellcheck disable=SC2034
-  abra___no_tty="true"
-
-  DB_ROOT_PASSWORD=$(sub_app_run cat /run/secrets/db_root_password)
-
-  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
-
-  success "Restored 'db'"
-}

backup.d/NOTES.md

@@ -0,0 +1,3 @@
+# Notes
+
+- The only thing different between [fr_singlesite_wordpress.yml](./fr_singlesite_wordpress.yml) and [fr_microsites_wordpress.yml](./fr_microsites_wordpress.yml) is the `BORGBASE_REPO` environment variable and the `backup_bot_singlesite_passwd_v1`/`backup_bot_multisite_passwd_v1` secret. These are the two details which are needed for Borgmatic to know how to differentiate between each repository on the Borgbase side (where our backups are stored). Sooo, there could most definitely be a reduction in boilerplate here but I was just moving super fast and wanted to get the backup work done.

backup.d/borgmatic.yml

@@ -0,0 +1,36 @@
+location:
+  source_directories:
+    - /var/www/html/wp-content
+  repositories:
+    - {{ env "BORGBASE_REPO" }}
+
+storage:
+  compression: auto,zstd
+  encryption_passphrase: {{ secret "backup_bot_password" }}
+  archive_name_format: "{hostname}-{now}"
+  ssh_command: "ssh -o 'StrictHostKeyChecking no' -i /run/secrets/backup_bot_ssh_key"
+
+retention:
+  keep_daily: 3
+  keep_weekly: 4
+  keep_monthly: 12
+  keep_yearly: 2
+  prefix: "{hostname}-"
+
+consistency:
+  checks:
+    - disabled
+  check_last: 3
+  prefix: "{hostname}-"
+
+hooks:
+  before_backup:
+    - echo "`date` - Starting backup"
+  after_backup:
+    - echo "`date` - Finished backup"
+  mysql_databases:
+    - name: {{ env "DB_TABLE" }}
+      hostname: {{ env "DB_HOST" }}
+      port: 3306
+      username: {{ env "DB_USER" }}
+      password: {{ secret "db_password" }}

backup.d/fr_microsites_wordpress.yml

@@ -0,0 +1,47 @@
+---
+version: "3.8"
+
+services:
+  backupbot:
+    image: "decentral1se/backup-bot:latest"
+    networks:
+      - backend
+    volumes:
+      - "wordpress_content:/var/www/html/wp-content/"
+    secrets:
+      - source: backup_bot_ssh_key
+        mode: 0400
+      - backup_bot_password
+      - db_password
+    configs:
+      - source: borgmatic_config_yml
+        target: /etc/borgmatic/config.yaml
+    environment:
+      - BORGBASE_REPO="bp5oj726@bp5oj726.repo.borgbase.com:repo"
+      - DB_HOST=mariadb
+      - DB_TABLE=wordpress
+      - DB_USER=wordpress
+    deploy:
+      mode: replicated
+      replicas: 0
+      labels:
+        - "swarm.cronjob.enable=true"
+        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
+      restart_policy:
+        condition: none
+    networks:
+      - backend
+
+configs:
+  borgmatic_config_yml:
+    name: borgmatic_config_yml_v1
+    file: backup.d/borgmatic.yml
+    template_driver: golang
+
+secrets:
+  backup_bot_ssh_key:
+    name: backup_bot_ssh_key_v1
+    external: true
+  backup_bot_password:
+    name: backup_bot_multisite_passwd_v1
+    external: true

backup.d/fr_singlesite_wordpress.yml

@@ -0,0 +1,47 @@
+---
+version: "3.8"
+
+services:
+  backupbot:
+    image: "decentral1se/backup-bot:latest"
+    networks:
+      - backend
+    volumes:
+      - "wordpress_content:/var/www/html/wp-content/"
+    secrets:
+      - source: backup_bot_ssh_key
+        mode: 0400
+      - backup_bot_password
+      - db_password
+    configs:
+      - source: borgmatic_config_yml
+        target: /etc/borgmatic/config.yaml
+    environment:
+      - BORGBASE_REPO="l32s99em@l32s99em.repo.borgbase.com:repo"
+      - DB_HOST=mariadb
+      - DB_TABLE=wordpress
+      - DB_USER=wordpress
+    deploy:
+      mode: replicated
+      replicas: 0
+      labels:
+        - "swarm.cronjob.enable=true"
+        - "swarm.cronjob.schedule=0 2 * * *" # At 02:00
+      restart_policy:
+        condition: none
+    networks:
+      - backend
+
+configs:
+  borgmatic_config_yml:
+    name: borgmatic_config_yml_v1
+    file: backup.d/borgmatic.yml
+    template_driver: golang
+
+secrets:
+  backup_bot_ssh_key:
+    name: backup_bot_ssh_key_v1
+    external: true
+  backup_bot_password:
+    name: backup_bot_singlesite_passwd_v1
+    external: true

compose.abra.yml

@@ -0,0 +1,65 @@
+# #############################################################################
+# NOTE(decentral1se): this is a test compose.yml to test abra based deployments
+# #############################################################################
+
+---
+version: "3.8"
+
+services:
+  wordpress:
+    image: "wordpress:5.5.1"
+    networks:
+      - backend
+      - proxy
+    environment:
+      - WORDPRESS_DB_HOST=mariadb
+      - WORDPRESS_DB_USER=wordpress
+      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
+      - WORDPRESS_DB_NAME=wordpress
+    secrets:
+      - db_password
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.routers.${NAME}.tls=true"
+        - "traefik.http.services.${NAME}.loadbalancer.server.port=80"
+        - "traefik.http.routers.${NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${NAME}.tls.certresolver=production"
+        - "traefik.http.routers.${NAME}.entrypoints=web-secure"
+
+  mariadb:
+    image: "mariadb:10.5"
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    networks:
+      - backend
+    environment:
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+      - MYSQL_DATABASE=wordpress
+      - MYSQL_USER=wordpress
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+    secrets:
+      - db_password
+      - db_root_password
+
+networks:
+  backend:
+    driver: overlay
+  proxy:
+    external: true
+
+volumes:
+  mariadb:
+  wordpress_content:
+
+secrets:
+  db_root_password:
+    external: true
+    name: ${DB_ROOT_PASSWD}
+  db_password:
+    external: true
+    name: ${DB_PASSWD}

compose.authentik.yml

@@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  app:
-    secrets:
-      - authentik_secret
-      - authentik_id
-
-secrets:
-  authentik_secret:
-    external: true
-    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
-  authentik_id:
-    external: true
-    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}

compose.mailrelay.yml

@@ -1,26 +1,31 @@
 ---
 version: "3.8"
-
+ 
 services:
   app:
-    entrypoint: /docker-entrypoint.mailrelay.sh
+    entrypoint: /docker-entrypoint.sh
     environment:
       - SMTP_HOST=${SMTP_HOST}
-      - SMTP_PORT=${SMTP_PORT:-25}
       - MAIL_FROM=${MAIL_FROM}
+    networks:
+      - mail
     configs:
       - source: mstmp_conf
         target: /etc/msmtprc
-      - source: entrypoint_mailrelay_conf
-        target: /docker-entrypoint.mailrelay.sh
+      - source: entrypoint_conf
+        target: /docker-entrypoint.sh
         mode: 0555
 
+networks:
+  mail:
+    external: true
+
 configs:
   mstmp_conf:
     name: ${STACK_NAME}_mstmp_conf_${MSMTP_CONF_VERSION}
     file: msmtp.conf.tmpl
     template_driver: golang
-  entrypoint_mailrelay_conf:
+  entrypoint_conf:
     name: ${STACK_NAME}_entrypoint_mailrelay_${ENTRYPOINT_MAILRELAY_CONF_VERSION}
     file: entrypoint.mailrelay.sh.tmpl
     template_driver: golang

compose.public-db.yml

@@ -1,9 +0,0 @@
----
-version: "3.8"
-
-services:
-  db:
-    ports:
-      - target: 3306
-        published: 3306
-        mode: host

compose.smtp.yml

@@ -1,19 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    secrets:
-      - smtp_password
-    environment:
-      - SMTP_HOST
-      - SMTP_PORT=${SMTP_PORT:-25}
-      - SMTP_AUTH
-      - SMTP_TLS
-      - MAIL_FROM
-      - SMTP_OVERRIDE_FROM
-
-secrets:
-  smtp_password:
-    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
-    external: true

compose.yml

@@ -3,35 +3,20 @@ version: "3.8"
 
 services:
   app:
-    image: "wordpress:6.3.0"
+    image: "wordpress:5.5.1"
     volumes:
       - "wordpress_content:/var/www/html/wp-content/"
     networks:
       - backend
       - proxy
     environment:
-      WORDPRESS_CONFIG_EXTRA: |
-            define( 'AUTOMATIC_UPDATER_DISABLED', false );
-            define( 'WP_AUTO_UPDATE_CORE', false );
-            ${WORDPRESS_CONFIG_EXTRA}
-      PAGER: more
-      WORDPRESS_DB_HOST: db
-      WORDPRESS_DB_USER: wordpress
-      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
-      WORDPRESS_DB_NAME: wordpress
-      WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX:-wp_}
-      PHP_EXTENSIONS: ${PHP_EXTENSIONS}
-      CORS_ALLOW_ALL:
-      COMPOSER:
+      - WORDPRESS_DB_HOST=db
+      - WORDPRESS_DB_USER=wordpress
+      - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_password
+      - WORDPRESS_DB_NAME=wordpress
+      - WORDPRESS_CONFIG_EXTRA=${WORDPRESS_CONFIG_EXTRA}
     secrets:
       - db_password
-    configs:
-      - source: php_uploads_conf
-        target: /usr/local/etc/php/conf.d/uploads.ini
-      - source: entrypoint_conf
-        target: /docker-entrypoint.sh
-        mode: 0555
-    entrypoint: /docker-entrypoint.sh
     depends_on:
       - db
     healthcheck:
@@ -51,17 +36,13 @@ services:
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         # 3wc: this rule works for routing, but not for generating certificates
-        # see https://git.autonomic.zone/coop-cloud/planning/issues/14
+        # see https://git.autonomic.zone/compose-stacks/planning/issues/14
         #- "traefik.http.routers.${STACK_NAME}.rule=HostRegexp(`{subdomain:.+}.${DOMAIN}`, `${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/var/www/html"
-        - "coop-cloud.${STACK_NAME}.version=2.5.1+6.3.0"
 
   db:
-    image: "mariadb:11.0"
+    image: "mariadb:10.5"
     volumes:
       - "mariadb:/var/lib/mysql"
     networks:
@@ -74,17 +55,10 @@ services:
     secrets:
       - db_password
       - db_root_password
-    deploy:
-      labels:
-        backupbot.backup: "true"
-        backupbot.backup.pre-hook: "sh -c 'mariadb-dump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress | gzip > /var/lib/mysql/dump.sql.gz'"
-        backupbot.backup.path: "/var/lib/mysql/dump.sql.gz"
-        backupbot.backup.post-hook: "rm -f /var/lib/mysql/dump.sql.gz"
-        backupbot.restore: "true"
-        backupbot.restore.post-hook: "sh -c 'gzip -d /var/lib/mysql/dump.sql.gz && mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" wordpress < /var/lib/mysql/dump.sql && rm -f /var/lib/mysql/dump.sql'"
 
 networks:
   backend:
+    driver: overlay
   proxy:
     external: true
 
@@ -95,16 +69,7 @@ volumes:
 secrets:
   db_root_password:
     external: true
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
   db_password:
     external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-
-configs:
-  entrypoint_conf:
-    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
-    file: entrypoint.sh.tmpl
-    template_driver: golang
-  php_uploads_conf:
-    name: ${STACK_NAME}_php_uploads_conf_${PHP_UPLOADS_CONF_VERSION}
-    file: uploads.ini
+    name: ${STACK_NAME}_db_password_${DB_PASSWORD_VERSION}

entrypoint.mailrelay.sh.tmpl

@@ -4,4 +4,6 @@ apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y msmtp && rm
 
 echo "sendmail_path = /usr/bin/msmtp -t -i" > /usr/local/etc/php/conf.d/sendmail.ini
 
-/docker-entrypoint.sh
+# Upstream ENTRYPOINT
+# https://github.com/docker-library/wordpress/blob/master/php7.4/apache/Dockerfile#L120
+/usr/local/bin/docker-entrypoint.sh apache2-foreground "$@"

entrypoint.sh.tmpl

@@ -1,33 +0,0 @@
-#!/bin/bash
-
-{{ if (env "PHP_EXTENSIONS") }}
-docker-php-ext-install {{ env "PHP_EXTENSIONS" }}
-{{ end }}
-
-curl -z /usr/local/bin/wp -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
-chmod +x /usr/local/bin/wp
-
-{{ if eq (env "COMPOSER") "1" }}
-mkdir -p /var/www/.composer
-chown www-data:www-data /var/www/.composer
-
-curl https://getcomposer.org/installer -o /tmp/composer-setup.php
-php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
-php /tmp/composer-setup.php
-rm /tmp/composer-setup.php
-
-mv /var/www/html/composer.phar /usr/local/bin/composer
-{{ end }}
-
-{{ if eq (env "CORS_ALLOW_ALL") "1" }}
-a2enmod headers
-sed -ri -e 's/^([ \t]*)(<\/VirtualHost>)/\1\tHeader set Access-Control-Allow-Origin "*"\n\1\2/g' /etc/apache2/sites-available/*.conf
-{{ end }}
-
-if [ -n "$@" ]; then
-	"$@"
-fi
-
-# Upstream ENTRYPOINT
-# https://github.com/docker-library/wordpress/blob/master/php7.4/apache/Dockerfile#L120
-/usr/local/bin/docker-entrypoint.sh apache2-foreground

msmtp.conf.tmpl

@@ -1,19 +1,3 @@
 account default
 host {{ env "SMTP_HOST" }}
 from {{ env "MAIL_FROM" }}
-user {{ or (env "SMTP_USER") (env "MAIL_FROM") }}
-port {{ env "SMTP_PORT" }}
-
-{{ if eq (env "SMTP_OVERRIDE_FROM") "on" }}
-set_from_header on
-{{ end }}
-
-{{ if eq (env "SMTP_AUTH") "on" }}
-auth {{ env "SMTP_AUTH" }}
-passwordeval "cat /run/secrets/smtp_password"
-{{ end }}
-
-{{ if eq (env "SMTP_TLS") "on" }}
-tls {{ env "SMTP_TLS" }}
-tls_trust_file /etc/ssl/certs/ca-certificates.crt
-{{ end }}

package.yml

@@ -0,0 +1,17 @@
+---
+name: Wordpress
+description: Open source software you can use to create a beautiful website, blog, or app
+arguments:
+  name:
+    description: The name of your Wordpress application
+    example: my-cool-project
+  domain:
+    description: The domain name where your Wordpress will be available on the web
+    example: my-cool-project.com
+secrets:
+  db_passwd:
+    description: The normal user database password
+    length: 8
+  db_root_passwd:
+    description: The root user database password
+    length: 8

release/next

@@ -1 +0,0 @@
-The authentik secrets need to be inserted again, as wordpress is not sharing the secret with authentik any more.

uploads.ini

@@ -1,3 +0,0 @@
-file_uploads = On
-upload_max_filesize = 256M
-post_max_size = 256M