Initial commit from template

.deploy.yml

@@ -0,0 +1,12 @@
+sn48:
+  vault:
+    hydrate:
+      branches:
+        - master
+
+  copy_files:
+    - docker/wordpress/php.ini
+    - docker/wordpress/public_dir/to-bool.php
+    - docker/filebrowser/settings.json
+
+  deploy: 4

.drone.yml

@@ -0,0 +1,147 @@
+kind: pipeline
+type: docker
+name: default
+trigger:
+  branch:
+    - master
+
+steps:
+- name: debug-secrets
+  image: alpine
+  environment:
+    VAULT_API_URL:
+      from_secret: VAULT_API_URL
+  commands:
+    - 'echo "Docker Registry URL: $${VAULT_API_URL}"'
+  when:
+    event:
+      - push
+      - tag
+
+# Make the image available for next step
+- name: cron
+  image: plugins/docker
+  settings:
+    dockerfile: docker/wp-cron/Dockerfile
+    context: .
+    registry: registry.sn48.zivili.ch
+    repo: registry.sn48.zivili.ch/meow/wp-cron
+    tags:
+      - "amd64-1.0.0"
+      - "latest"
+    username:
+      from_secret: PORTUS_USER
+    password:
+      from_secret: PORTUS_PASSWORD
+    debug: true
+    launch_debug: true
+    # make sure to replace image with same tag
+    force_tag: true
+  when:
+    event:
+      - push
+      - tag
+
+- name: deploy
+  image: registry.sn48.zivili.ch/meow/drone-deploy:amd64-1.0.0
+  pull: never
+  settings:
+    ssh_port:
+      from_secret: SSH_PORT
+        # this is required for the moment to generate the .docker/config.json
+    # drone is failing to do it on its own at the moment
+    dockerconfigjson:
+      from_secret: dockerconfigjson
+    # use portus or directly docker logins
+    portus_user:
+      from_secret: PORTUS_USER
+    portus_password:
+      from_secret: PORTUS_PASSWORD
+    # used by deploy to login to deploy server
+    ssh_host:
+      from_secret: SSH_HOST
+    ssh_user:
+      from_secret: SSH_USER
+    ssh_key:
+      from_secret: SSH_KEY
+    ssh_fingerprint:
+      from_secret: SSH_FINGERPRINT
+    # used by the deploy script to gather all project's .env values from vault
+    drone_agent1_token:
+      from_secret: DRONE_AGENT1_TOKEN
+    # used by deploy script to know where to gather secrets from
+    vault_api_url:
+      from_secret: VAULT_API_URL
+
+---
+kind: secret
+name: SSH_HOST
+get:
+  path: kv/data/__drone-admin-secrets
+  name: SSH_HOST
+
+---
+kind: secret
+name: SSH_USER
+get:
+  path: kv/data/__drone-admin-secrets
+  name: SSH_USER
+
+---
+kind: secret
+name: SSH_KEY
+get:
+  path: kv/data/__drone-admin-secrets
+  name: SSH_KEY
+
+---
+kind: secret
+name: DRONE_AGENT1_TOKEN
+get:
+  path: kv/data/__drone-admin-secrets
+  name: DRONE_AGENT1_TOKEN
+
+---
+kind: secret
+name: VAULT_API_URL
+get:
+  path: kv/data/__drone-admin-secrets
+  name: VAULT_API_URL
+
+---
+kind: secret
+name: PORTUS_USER
+get:
+  path: kv/data/__drone-admin-secrets
+  name: PORTUS_USER
+
+---
+kind: secret
+name: PORTUS_PASSWORD
+get:
+  path: kv/data/__drone-admin-secrets
+  name: PORTUS_PASSWORD
+
+---
+kind: secret
+name: dockerconfigjson
+get:
+  path: kv/data/__drone-admin-secrets
+  name: dockerconfigjson
+
+image_pull_secrets:
+  from_secret: dockerconfigjson
+
+---
+kind: secret
+name: SSH_PORT
+get:
+  path: kv/data/__drone-admin-secrets
+  name: SSH_PORT
+
+---
+kind: secret
+name: SSH_FINGERPRINT
+get:
+  path: kv/data/__drone-admin-secrets
+  name: SSH_FINGERPRINT

.gitignore

@@ -0,0 +1,4 @@
+.env*
+themeforest-*
+display/
+.DS_Store

docker-compose.yml

@@ -0,0 +1,142 @@
+version: "3.9"
+
+services:
+  wp_db:
+    image: mariadb:11
+    container_name: "${REVERSE_DOMAIN}_wp_db"
+    environment:
+      MYSQL_ROOT_PASSWORD: "${DB_ROOT_PASSWORD}"
+      MYSQL_DATABASE: "${DB_NAME}"
+      MYSQL_USER: "${DB_USER}"
+      MYSQL_PASSWORD: "${DB_PASSWORD}"
+    expose:
+      - 3306
+    volumes:
+      - wp_mysql:/var/lib/mysql
+    restart: always
+    networks:
+      - app_network
+
+  wp_db_phpmyadmin:
+    image: phpmyadmin/phpmyadmin
+    container_name: "${REVERSE_DOMAIN}_db_phpmyadmin"
+    depends_on:
+      - wp_db
+    environment:
+      PMA_HOST: "${REVERSE_DOMAIN}_wp_db"
+      PMA_PORT: 3306
+      MYSQL_ROOT_PASSWORD: "${DB_ROOT_PASSWORD}"
+      MYSQL_DATABASE: "${DB_NAME}"
+      MYSQL_USER: "${DB_USER}"
+      MYSQL_PASSWORD: "${DB_PASSWORD}"
+      UPLOAD_LIMIT: 300M
+    expose:
+      - 80
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${REVERSE_DOMAIN}_pma.rule=Host(`pma.${APPLICATION_DOMAIN_NAME}`)"
+      - "traefik.http.routers.${REVERSE_DOMAIN}_pma.entrypoints=websecure"
+      - "traefik.http.routers.${REVERSE_DOMAIN}_pma.tls.certresolver=myresolver"
+      - "traefik.http.services.${REVERSE_DOMAIN}_pma.loadbalancer.server.port=80"
+      # VERY IMPORTANT WHEN TWO NETWORKS
+      - "traefik.docker.network=shared_network"
+    restart: always
+    networks:
+      - shared_network
+      - app_network
+
+  wp_filebrowser:
+    image: filebrowser/filebrowser:latest
+    container_name: "${REVERSE_DOMAIN}_filebrowser"
+    volumes:
+      - wp_content:/srv
+      - filebrowser_db:/database
+      - ./docker/filebrowser/settings.json:/config/settings.json
+    environment:
+      - PUID=$(id -u)
+      - PGID=$(id -g)
+    expose:
+      - 80
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${REVERSE_DOMAIN}_filebrowser.rule=Host(`ftp.${APPLICATION_DOMAIN_NAME}`)"
+      - "traefik.http.routers.${REVERSE_DOMAIN}_filebrowser.entrypoints=websecure"
+      - "traefik.http.routers.${REVERSE_DOMAIN}_filebrowser.tls.certresolver=myresolver"
+      - "traefik.http.services.${REVERSE_DOMAIN}_filebrowser.loadbalancer.server.port=80"
+      - "traefik.docker.network=shared_network"
+    restart: always
+    networks:
+      - shared_network
+      - app_network
+
+  wp:
+    image: "${DOCKER_IMAGE}:${DOCKER_IMAGE_TAG}"
+    container_name: "${REVERSE_DOMAIN}_wp"
+    depends_on:
+      - wp_db
+    environment:
+      WORDPRESS_DB_HOST: "${REVERSE_DOMAIN}_wp_db"
+      WORDPRESS_DB_NAME: "${DB_NAME}"
+      WORDPRESS_DB_USER: "${DB_USER}"
+      WORDPRESS_DB_PASSWORD: "${DB_PASSWORD}"
+      WORDPRESS_DB_CHARSET: "utf8"
+      WORDPRESS_DB_COLLATE: ""
+      WORDPRESS_AUTH_KEY: "${AUTH_KEY}"
+      WORDPRESS_SECURE_AUTH_KEY: "${SECURE_AUTH_KEY}"
+      WORDPRESS_LOGGED_IN_KEY: "${LOGGED_IN_KEY}"
+      WORDPRESS_NONCE_KEY: "${NONCE_KEY}"
+      WORDPRESS_AUTH_SALT: "${AUTH_SALT}"
+      WORDPRESS_SECURE_AUTH_SALT: "${SECURE_AUTH_SALT}"
+      WORDPRESS_LOGGED_IN_SALT: "${LOGGED_IN_SALT}"
+      WORDPRESS_NONCE_SALT: "${NONCE_SALT}"
+      WORDPRESS_TABLE_PREFIX: "${TABLE_PREFIX}"
+      WORDPRESS_CONFIG_EXTRA: |
+        $$to_bool = include __DIR__ . '/to-bool.php';
+        define( 'WP_DEBUG', $$to_bool('${WP_DEBUG}') );
+        define( 'WP_DEBUG_LOG', $$to_bool('${WP_DEBUG_LOG}') );
+        define( 'WP_DEBUG_DISPLAY', $$to_bool('${WP_DEBUG_DISPLAY}') );
+        define( 'DISABLE_WP_CRON', $$to_bool('${DISABLE_WP_CRON}') );
+    expose:
+      - 80
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${REVERSE_DOMAIN}.rule=Host(`${APPLICATION_DOMAIN_NAME}`)"
+      - "traefik.http.routers.${REVERSE_DOMAIN}.entrypoints=websecure"
+      - "traefik.http.routers.${REVERSE_DOMAIN}.tls.certresolver=myresolver"
+      - "traefik.http.services.${REVERSE_DOMAIN}.loadbalancer.server.port=80"
+      - "traefik.docker.network=shared_network"
+    volumes:
+      # only user data persists
+      - wp_content:/var/www/html/wp-content
+      - ./docker/wordpress/php.ini:/usr/local/etc/php/conf.d/uploads.ini:ro
+      - ./docker/wordpress/public_dir/to-bool.php:/var/www/html/to-bool.php:ro
+    restart: always
+    networks:
+      - shared_network
+      - app_network
+
+  wp_cron:
+    image: registry.sn48.zivili.ch/meow/wp-cron:amd64-1.0.0
+    container_name: "${REVERSE_DOMAIN}_wp_cron"
+    depends_on:
+      - wp
+    networks:
+      - app_network
+
+networks:
+  shared_network:
+    name: shared_network
+    external: true
+  app_network:
+    name: ${REVERSE_DOMAIN}-app_network
+
+volumes:
+  wp_mysql:
+    name: "${REVERSE_DOMAIN}_wp_db-volume"
+    external: true
+  wp_content:
+    name: "${REVERSE_DOMAIN}_wp-data"
+    external: true
+  filebrowser_db:
+    name: "${REVERSE_DOMAIN}_filebrowser_db"
+    external: true

docker/wordpress/Dockerfile

@@ -0,0 +1,23 @@
+FROM wordpress:latest
+
+# WP-CLI and other extras …
+RUN curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \
+    && chmod +x wp-cli.phar && mv wp-cli.phar /usr/local/bin/wp
+
+# keep the upstream entrypoint
+RUN mv /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint-upstream.sh
+
+# –– tracked application code ––––––––––––––––––
+COPY docker/wordpress/public_dir/themes          /usr/src/themes
+COPY docker/wordpress/public_dir/to-bool.php     /usr/src/to-bool.php
+COPY docker/wordpress/duplicator-initial-deploy /usr/src/duplicator
+
+COPY docker/wordpress/php.ini         /usr/local/etc/php/php.ini
+
+# custom wrapper
+COPY docker/wordpress/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+EXPOSE 80
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["apache2-foreground"]

docker/wordpress/docker-entrypoint.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+
+################################################################################
+# ONE-TIME Duplicator restore
+################################################################################
+if [ ! -f /var/www/html/wp-content/.duplicator_restored ]; then
+  echo "▶ First run – copy Duplicator package"
+  mkdir -p /var/www/html
+  cp -r /usr/src/duplicator/* /var/www/html/
+  chown -R www-data:www-data /var/www/html
+  touch /var/www/html/wp-content/.duplicator_restored
+  echo "✓ Package placed – browse /installer.php to finish the restore"
+fi
+
+################################################################################
+# ALWAYS sync the code we keep under version control
+################################################################################
+echo "▶ Syncing version-controlled themes"
+rsync -a --delete /usr/src/themes/ /var/www/html/wp-content/themes/
+
+################################################################################
+# (optional) run safe automatic DB migrations, plugin installs, etc.
+# wp core update-db --yes
+# wp plugin update --all --quiet
+################################################################################
+
+# Hand back to the real WP entrypoint
+exec /usr/local/bin/docker-entrypoint-upstream.sh "$@"

docker/wordpress/php.ini

@@ -0,0 +1,5 @@
+; php.ini
+memory_limit = 512M
+upload_max_filesize = 100M
+post_max_size = 100M
+max_execution_time = 300

docker/wordpress/public_dir/to-bool.php

@@ -0,0 +1,13 @@
+<?php
+$env_to_bool = function ($v): bool {
+    if (is_bool($v)) return $v;
+    if (is_numeric($v)) return (bool) intval($v);
+    if (is_string($v)) {
+        $n = mb_strtolower(trim($v));
+        if (in_array($n, ['1','true','on','yes','y','t'], true))  return true;
+        if (in_array($n, ['0','false','off','no','n','f'], true)) return false;
+    }
+    throw new Exception('Could not convert value to bool');
+};
+
+return $env_to_bool;

docker/wp-cron/Dockerfile

@@ -0,0 +1,8 @@
+FROM alpine
+
+# Install curl and set up the cron job
+RUN apk add --no-cache curl && \
+    echo "*/5 * * * * curl http://wp:80/wp-cron.php?doing_wp_cron" > /etc/crontabs/root
+
+# Run crond in the foreground
+CMD ["crond", "-f"]

generate-env-secrets.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# Generate secure passwords and WordPress salts for .env.prod
+# Usage: ./generate-env-secrets.sh [project-name] [domain]
+# Example: ./generate-env-secrets.sh php-wp-ch_hair_select hair-sct.ch
+
+set -e
+
+PROJECT_NAME="${1:-php-wp-example}"
+DOMAIN="${2:-example.com}"
+TABLE_PREFIX="${3:-wp_}"
+
+# Generate random passwords
+DB_ROOT_PASSWORD=$(openssl rand -base64 32)
+DB_PASSWORD=$(openssl rand -base64 32)
+FTP_PASSWORD=$(openssl rand -base64 24)
+
+# Fetch WordPress salts from official API
+echo "Fetching WordPress salts from api.wordpress.org..."
+SALTS=$(curl -s https://api.wordpress.org/secret-key/1.1/salt/)
+
+# Extract individual salt values and escape for shell
+extract_salt() {
+    echo "$SALTS" | grep "define('$1'" | sed "s/define('$1', *'//" | sed "s/');$//" | sed "s/\\\$/\\\\\$/g" | sed "s/\`/\\\\\`/g"
+}
+
+AUTH_KEY=$(extract_salt "AUTH_KEY")
+SECURE_AUTH_KEY=$(extract_salt "SECURE_AUTH_KEY")
+LOGGED_IN_KEY=$(extract_salt "LOGGED_IN_KEY")
+NONCE_KEY=$(extract_salt "NONCE_KEY")
+AUTH_SALT=$(extract_salt "AUTH_SALT")
+SECURE_AUTH_SALT=$(extract_salt "SECURE_AUTH_SALT")
+LOGGED_IN_SALT=$(extract_salt "LOGGED_IN_SALT")
+NONCE_SALT=$(extract_salt "NONCE_SALT")
+
+# Write .env.prod
+cat > .env.prod << EOF
+REVERSE_DOMAIN=${PROJECT_NAME}
+DB_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
+DB_NAME=${PROJECT_NAME}-db_name
+DB_USER=${PROJECT_NAME}-db_user
+DB_PASSWORD=${DB_PASSWORD}
+APPLICATION_DOMAIN_NAME=${DOMAIN}
+DOCKER_IMAGE=wordpress
+DOCKER_IMAGE_TAG=latest
+AUTH_KEY="'${AUTH_KEY}'"
+SECURE_AUTH_KEY="'${SECURE_AUTH_KEY}'"
+LOGGED_IN_KEY="'${LOGGED_IN_KEY}'"
+NONCE_KEY="'${NONCE_KEY}'"
+AUTH_SALT="'${AUTH_SALT}'"
+SECURE_AUTH_SALT="'${SECURE_AUTH_SALT}'"
+LOGGED_IN_SALT="'${LOGGED_IN_SALT}'"
+NONCE_SALT="'${NONCE_SALT}'"
+TABLE_PREFIX=${TABLE_PREFIX}
+
+WP_DEBUG=1
+WP_DEBUG_LOG=1
+WP_DEBUG_DISPLAY=false
+DISABLE_WP_CRON=true
+
+FTP_USERNAME=admin
+FTP_PASSWORD=${FTP_PASSWORD}
+EOF
+
+echo "Generated .env.prod for ${PROJECT_NAME} (${DOMAIN})"
+echo "Remember to update TABLE_PREFIX if migrating existing database!"