Initial Commit

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/docker.yml

@@ -0,0 +1,67 @@
+name: docker
+
+on:
+  push:
+    branches:
+      - '**'
+      - '!dependabot/**'
+    tags:
+      - 'v*.*.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'main'
+      - 'gh-pages'
+  schedule:
+    - cron: '25 5 */7 * *'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-{{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Dockerfile

@@ -0,0 +1,104 @@
+FROM docker.io/library/wordpress:cli as cli
+
+FROM docker.io/library/wordpress:apache
+
+COPY --from=cli /usr/local/bin/wp /usr/local/bin/wp
+
+RUN set -ex; \
+        \
+        savedAptMark="$(apt-mark showmanual)"; \
+        \
+        apt-get update; \
+        apt-get install -y --no-install-recommends \
+          libonig-dev \
+          libxml2-dev; \
+        \
+        docker-php-ext-install -j "$(nproc)" \
+        mbstring \
+        xml; \
+        \
+        # some misbehaving extensions end up outputting to stdout 🙈 (https://github.com/docker-library/wordpress/issues/669#issuecomment-993945967)
+        out="$(php -r 'exit(0);')"; \
+        [ -z "$out" ]; \
+        err="$(php -r 'exit(0);' 3>&1 1>&2 2>&3)"; \
+        [ -z "$err" ]; \
+        \
+        extDir="$(php -r 'echo ini_get("extension_dir");')"; \
+        [ -d "$extDir" ]; \
+        # reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+        apt-mark auto '.*' > /dev/null; \
+        apt-mark manual $savedAptMark; \
+        ldd "$extDir"/*.so \
+          | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \
+          | sort -u \
+          | xargs -r dpkg-query --search \
+          | cut -d: -f1 \
+          | sort -u \
+          | xargs -rt apt-mark manual; \
+        \
+        apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+        rm -rf /var/lib/apt/lists/*; \
+        \
+        ! { ldd "$extDir"/*.so | grep 'not found'; }; \
+        # check for output like "PHP Warning:  PHP Startup: Unable to load dynamic library 'foo' (tried: ...)
+        err="$(php --version 3>&1 1>&2 2>&3)"; \
+        [ -z "$err" ]
+
+RUN set -ex; \
+      pecl install igbinary; \
+      docker-php-ext-enable igbinary
+
+# Add persistent dependencies
+RUN set -eux; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		jq \
+	; \
+	rm -rf /var/lib/apt/lists/*
+
+# "define( 'WP_HOME', 'https://#{new_resource.site}');
+# "define( 'WP_SITEURL', 'https://#{new_resource.site}');
+# line += "define( 'DISALLOW_FILE_EDIT', true);\r\n"
+# line += "define( 'DISALLOW_FILE_MODS', true);\r\n"
+# line += "define( 'AUTOMATIC_UPDATER_DISABLED', true);\r\n"
+# line += "define( 'FORCE_SSL_LOGIN', true);\r\n"
+# line += "define( 'FORCE_SSL_ADMIN', true);\r\n"
+# line += "define( 'WP_FAIL2BAN_SITE_HEALTH_SKIP_FILTERS', true);\r\n"
+# line += "define( 'WP_ENVIRONMENT_TYPE', 'production');\r\n"
+# line += "define( 'WP_MEMORY_LIMIT', '128M');\r\n"
+# line += "define( 'WP2FA_ENCRYPT_KEY', '#{new_resource.wp2fa_encrypt_key}');\r\n"
+
+
+WORKDIR /usr/src/wordpress
+RUN set -eux; \
+        find /etc/apache2 -name '*.conf' -type f -exec sed -ri -e "s!/var/www/html!$PWD!g" -e "s!Directory /var/www/!Directory $PWD!g" '{}' +; \
+	    cp -s wp-config-docker.php wp-config.php
+
+# Add custom themes and plugins
+COPY wp-addon-install.sh /usr/local/bin/
+RUN set -ex; \
+        chmod +x /usr/local/bin/wp-addon-install.sh; \
+        /usr/local/bin/wp-addon-install.sh
+
+# TMPFS /tmp
+# TMPFS /run
+# Persistent /usr/src/wordpress/wp-content/uploads
+
+# Add custom entrypoint to enable plugins/themes and run migrations during container startup
+COPY entrypoint-addon.sh /usr/local/bin/
+# Ensure compatibility with checkout on windows where execute bit not supported
+RUN chmod +x /usr/local/bin/wp-addon-install.sh
+
+# Add underprivileged runtime user
+RUN set -ex; \
+      groupadd --system wordpress; \
+      useradd --system --gid wordpress --no-create-home --home /nonexistent --comment "wordpress user" --shell /bin/false wordpress
+
+# Use the underprivileged runtime user
+USER wordpress
+
+ENV APACHE_RUN_USER=wordpress \
+    APACHE_RUN_GROUP=wordpress
+
+ENTRYPOINT ["entrypoint-addon.sh"]
+CMD ["apache2-foreground"]

TODO.md

@@ -0,0 +1,8 @@
+# Todo
+
+* ~~Underprivilaged runtime user. Files owned by www-data:www-data. Runtime: wordpress:wordpress~~
+* ~~Immutable Runtime~~
+* ~~Plugins downloaded at build time~~
+* ~~Themes downloaded a build time~~
+* WPML added as required?
+* Able to sennd email. SMTP plugin wp-mail-smtp or msmtp

docker-compose.yml

@@ -0,0 +1,61 @@
+services:
+
+  wordpress:
+    build: .
+    ports:
+      - 8080:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: wpuser
+      WORDPRESS_DB_PASSWORD: wppass
+      WORDPRESS_DB_NAME: wordpress
+      WORDPRESS_CONFIG_EXTRA: |
+        define( 'DISALLOW_FILE_EDIT', true);
+        define( 'DISALLOW_FILE_MODS', true);
+        define( 'AUTOMATIC_UPDATER_DISABLED', true);
+        define( 'WP_AUTO_UPDATE_CORE', false);
+        define( 'WP_HOME', 'http://localhost:8080');
+        define( 'WP_SITEURL', 'http://localhost:8080');
+    volumes:
+      - wordpress:/var/www/html
+    depends_on:
+      db:
+        condition: service_healthy
+
+  db:
+    image: mysql:8.0
+    environment:
+      MYSQL_DATABASE: wordpress
+      MYSQL_USER: wpuser
+      MYSQL_PASSWORD: wppass
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+    volumes:
+      - db:/var/lib/mysql
+    healthcheck:
+          test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
+          timeout: 20s
+          retries: 10
+
+  # cli:
+  #   image: wordpress:cli
+  #   command: sleep infinity
+  #   environment:
+  #     WORDPRESS_DB_HOST: db
+  #     WORDPRESS_DB_USER: wpuser
+  #     WORDPRESS_DB_PASSWORD: wppass
+  #     WORDPRESS_DB_NAME: wordpress
+  #     WORDPRESS_CONFIG_EXTRA: |
+  #       define( 'DISALLOW_FILE_EDIT', true);
+  #       define( 'DISALLOW_FILE_MODS', true);
+  #       define( 'AUTOMATIC_UPDATER_DISABLED', true);
+  #       define( 'WP_AUTO_UPDATE_CORE', false);
+  #       define( 'WP_HOME', 'http://localhost:8080');
+  #       define( 'WP_SITEURL', 'http://localhost:8080');
+  #   volumes:
+  #     - wordpress:/var/www/html
+  #   depends_on:
+  #     - db
+
+volumes:
+  wordpress:
+  db:

entrypoint-addon.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+echo "Running standard entrypoint to populate wp-config.php"
+docker-entrypoint.sh apache2 -l
+
+if ! wp  --path=/usr/src/wordpress core is-installed; then
+  wp --path=/usr/src/wordpress core install --url=http://localhost:8080 --title="Wordpress" --admin_user="osm_admin" --admin_email="[email protected]" --skip-email
+fi
+
+wp --path=/usr/src/wordpress core update-db
+
+wp --path=/usr/src/wordpress plugin activate --all
+
+exec "$@"

wp-addon-install.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+curl -Lsg 'https://api.wordpress.org/plugins/info/1.1/?action=plugin_information&request[slug]=wp-fail2ban' | jq -r .download_link
+# wp-last-login
+# wp-2fa
+# wp-fail2ban