~ UPD update all dependencies

.devops/build/1-runner-role.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: runner-role
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'

.devops/build/2-runner-role-binding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: runner-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: runner-role
+subjects:
+- kind: ServiceAccount
+  name: default

.devops/build/3-act-runner-vol.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: act-runner-vol
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

.devops/build/4-act-runner.yaml

@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: act-runner
+  labels:
+    app: act-runner
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: act-runner
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: act-runner
+    spec:
+      containers:
+      - command:
+        - sh
+        - -c
+        - while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...';
+          sleep 5; done; /sbin/tini -- run.sh
+        env:
+        - name: DOCKER_HOST
+          value: tcp://localhost:2376
+        - name: DOCKER_CERT_PATH
+          value: /certs/client
+        - name: DOCKER_TLS_VERIFY
+          value: "1"
+        - name: GITEA_INSTANCE_URL
+          value: http://gitea-http.gitea.svc.cluster.local:3000
+        - name: GITEA_RUNNER_REGISTRATION_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: token
+              name: runner-secret
+        image: gitea/act_runner:nightly
+        imagePullPolicy: IfNotPresent
+        name: runner
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /certs
+          name: docker-certs
+        - mountPath: /data
+          name: runner-data
+      - env:
+        - name: DOCKER_TLS_CERTDIR
+          value: /certs
+        image: docker:23.0.6-dind
+        imagePullPolicy: IfNotPresent
+        name: daemon
+        securityContext:
+          privileged: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /certs
+          name: docker-certs
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: docker-certs
+      - name: runner-data
+        persistentVolumeClaim:
+          claimName: act-runner-vol

.devops/gitea-values.yaml

@@ -0,0 +1,17 @@
+    fullnameOverride: gitea
+    ingress:
+      enabled: 'false'
+      className: nginx
+      annotations:
+        nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
+        external-dns.alpha.kubernetes.io/hostname: git.hvgrt.hu
+      hosts:
+      - host: git.hvgrt.hu
+        paths:
+          - path: /
+            pathType: Prefix
+      tls:
+      - secretName: gitea-tls
+        hosts:
+        - git.hvgrt.hu

.devops/scripts/create-application.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+# Usage: ./generate application.sh <application-name>
+# Example: ./generate application.sh hvgblog-7koznapi > .env.hvgblog-7koznapi
+
+script_dir=$(dirname "$0")
+
+APPLICATION_NAME=${1:-"dev"}
+if [ -z "$APPLICATION_NAME" ]; then
+  echo "Usage: $0 <application-name>"
+  exit 1
+fi
+
+SALT_PATTERN=${SALT_PATTERN:-':alnum:!"#$%&()*+,-./:;<=>?@[\]^_`{|}~'}
+SALT_LENGTH=${SALT_LENGTH:-64}
+
+PASS_PATTERN=${PASS_PATTERN:-':alnum:'}
+PASS_LENGTH=${PASS_LENGTH:-16}
+
+APPLICATION_NAMESPACE=${APPLICATION_NAMESPACE:-'hvg-dev'}
+APPLICATION_DOMAIN=${APPLICATION_DOMAIN:-'hvgblog.hu'}
+APPLICATION_HOST=${APPLICATION_HOST:-"${APPLICATION_NAME}.${APPLICATION_DOMAIN}"}
+APPLICATION_EMAIL=${APPLICATION_EMAIL:-'blogadmin@hvg.hu'}
+
+CERT=${SEAL_CERT_TMP:-$(mktemp)}
+
+if [ -z "$SEAL_CERT" ]; then
+  echo "SEAL_CERT is not set, fetching..." | tee /dev/stderr
+  kubeseal --fetch-cert > "$CERT"
+else
+  regex='(https?|ftp|file)://[-[:alnum:]\+&@#/%?=~_|!:,.;]*[-[:alnum:]\+&@#/%=~_|]'
+  if [[ $SEAL_CERT =~ $regex ]]; then
+    echo "SEAL_CERT looks like a URL, fetching..." | tee /dev/stderr
+    curl -sSL "$SEAL_CERT" -o "$CERT"
+  else
+    if [ -f "$SEAL_CERT" ]; then
+      echo "SEAL_CERT looks like a file path, using..." | tee /dev/stderr
+      cp "$SEAL_CERT" "$CERT"
+    else
+      echo "SEAL_CERT is not a valid URL or file path, exiting." | tee /dev/stderr
+      exit 1
+    fi
+  fi
+fi
+
+seal() {
+  local value=$1
+  echo -n "$value" |
+    kubeseal --cert "$CERT" --from-file=/dev/stdin --raw --scope cluster-wide
+}
+
+gen_salt() {
+  cat /dev/urandom | tr -dc "${SALT_PATTERN}" | fold -w "${SALT_LENGTH}" | head -n 1 | sed 's/\n//'
+}
+
+gen_pass() {
+  cat /dev/urandom | tr -dc "${PASS_PATTERN}" | fold -w "${PASS_LENGTH}" | head -n 1 | sed 's/\n//'
+}
+
+declare -A parameters
+
+get_parameter() {
+  local key=$1
+  echo "${parameters[$key]}"
+}
+
+dump_parameters() {
+  echo "parameters:"
+  for key in "${!parameters[@]}"; do
+    echo "  - name: $key"
+    echo "    value: ${parameters[$key]}"
+  done
+}
+
+# shellcheck disable=SC1091
+source "${script_dir}/parameters.tmp"
+dump_parameters | tee

.devops/scripts/parameters.tmp

@@ -0,0 +1,19 @@
+declare -A parameters=( \
+  [db.name]=$APPLICATION_NAME \
+  [db.username]=$APPLICATION_NAME \
+  [db.sealedPassword]=$(seal $(gen_pass)) \
+  [env.BLOG_SLUG]=$APPLICATION_NAME \
+  [env.WP_HOME]="https://${APPLICATION_HOST}" \
+  [env.WP_SITEURL]="https://${APPLICATION_HOST}/wp" \
+  [env.ADMIN_EMAIL]=$APPLICATION_EMAIL \
+  [env.S3_UPLOADS_BUCKET]="hvgblog/${APPLICATION_NAME}" \
+  [env.S3_UPLOADS_BUCKET_URL]="https://cdn.${APPLICATION_DOMAIN}/${APPLICATION_NAME}" \
+  [sealedSecretEnv.AUTH_KEY]=$(seal $(gen_salt)) \
+  [sealedSecretEnv.AUTH_SALT]=$(seal $(gen_salt)) \
+  [sealedSecretEnv.LOGGED_IN_KEY]=$(seal $(gen_salt)) \
+  [sealedSecretEnv.LOGGED_IN_SALT]=$(seal $(gen_salt)) \
+  [sealedSecretEnv.NONCE_KEY]=$(seal $(gen_salt)) \
+  [sealedSecretEnv.NONCE_SALT]=$(seal $(gen_salt)) \
+  [sealedSecretEnv.SECURE_AUTH_KEY]=$(seal $(gen_salt)) \
+  [sealedSecretEnv.SECURE_AUTH_SALT]=$(seal $(gen_salt)) \
+)

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.php]
+indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false

.editorconfig-checker.json

@@ -0,0 +1,26 @@
+{
+  "Verbose": false,
+  "Debug": false,
+  "IgnoreDefaults": false,
+  "SpacesAfterTabs": false,
+  "NoColor": false,
+  "Exclude": [
+    ".git/",
+    "vendor/",
+    "web/wp/",
+    "web/app/",
+    "web/app/themes/",
+    "web/app/plugins/",
+    "web/app/languages"
+  ],
+  "AllowedContentTypes": [],
+  "PassedFiles": [],
+  "Disable": {
+    "EndOfLine": false,
+    "Indentation": false,
+    "IndentSize": false,
+    "InsertFinalNewline": false,
+    "TrimTrailingWhitespace": false,
+    "MaxLineLength": false
+  }
+}

.envrc

@@ -0,0 +1 @@
+export WP_PW=$(gopass show hvg/BLOG_ROOT_PWD)

.gitea/workflows/cd.yaml

@@ -0,0 +1,54 @@
+on:
+  push:
+    branches:
+    - main
+    - dev
+env:
+  NAMESPACE: ${{ github.repository_owner }}
+  DOCKER_REGISTRY: ghcr.io
+  DOCKER_REPOSITORY: ${{ github.repository }}
+jobs:
+  build-and-deploy:
+    env:
+      IMAGE: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install kpack-cli
+      env:
+        KPACK_CLI_VERSION: 0.13.0
+        KPACK_CLI_SHA256: 52f0c927a1350f4f1bb281575ec246f406fb96aa69dc974ed10a2fe52c538158
+      working-directory: /tmp
+      run: |
+        set -ex
+        curl -sLO "https://github.com/buildpacks-community/kpack-cli/releases/download/v${KPACK_CLI_VERSION}/kp-linux-amd64-${KPACK_CLI_VERSION}"
+        echo "${KPACK_CLI_SHA256} kp-linux-amd64-${KPACK_CLI_VERSION}" | sha256sum --check || exit 1
+        sudo mv kp-linux-amd64-${KPACK_CLI_VERSION} /usr/local/bin/kp
+        sudo chmod +x /usr/local/bin/kp
+        kp version
+    - name: Install kubectl
+      uses: azure/setup-kubectl@v4
+    - name: Configure kubectl
+      uses: azure/k8s-set-context@v1
+      with:
+        kubeconfig: ${{ secrets.KUBE_CONFIG }}
+    - name: Update kpack image
+      env:
+        SHA: ${{ github.sha }}
+      run: |
+        SHORT_SHA=$(git rev-parse --short HEAD)
+        echo "SHORT_SHA=${SHORT_SHA}" >> $GITHUB_ENV
+        IMAGE_NAME="${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}-${GITHUB_REF##*/}"
+        echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
+        kp image patch $IMAGE_NAME --replace-additional-tag "${IMAGE}:sha-${SHORT_SHA}" --git-revision "${SHA}" -n $NAMESPACE
+        kp image status $IMAGE_NAME -n $NAMESPACE
+    - name: Wait for build to complete
+      run: |
+        BUILD=$(kubectl -n $NAMESPACE get image $IMAGE_NAME -o jsonpath='{.status.buildCounter}')
+        BUILD_REF=$(kubectl -n $NAMESPACE get image $IMAGE_NAME -o jsonpath='{.status.latestBuildRef}')
+        kp build logs $IMAGE_NAME -n $NAMESPACE --build ${BUILD}
+        kp build status $IMAGE_NAME -n $NAMESPACE -b $BUILD
+        if [ "$(kubectl -n $NAMESPACE get build $BUILD_REF -o jsonpath='{.status.conditions[0].status}')" != "True" ]; then exit 1; fi
+#    - name: Update Kubernetes deployment
+#      run: |
+#        kubectl set image deployment/my-app my-app=<registry>/<repository>:${{ github.sha }}

.github/workflows/cicd.yaml

@@ -0,0 +1,70 @@
+name: CI
+
+on:
+  push:
+    branches:
+    - main
+    - dev
+
+env:
+  DESCRIPTION: "Wordpress Heroku App Image https://hvgblog.hu"
+  PHP_VERSION: ${{ vars.PHP_VERSION }}
+  DEPLOY_REPO: ${{ vars.DEPLOY_REPO }}
+jobs:
+
+  check:
+    name: Check
+    runs-on: [ubuntu-latest]
+
+    steps:
+      - uses: actions/checkout@master
+      - uses: editorconfig-checker/action-editorconfig-checker@main
+      - name: EditorConfig Check
+        run: editorconfig-checker
+      - name: ShellCheck
+        uses: ludeeus/action-shellcheck@master
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: PHP security check
+        uses: symfonycorp/security-checker-action@v5
+
+  test:
+    name: Test
+    needs: [check]
+    runs-on: [ubuntu-latest]
+
+    steps:
+    - uses: actions/checkout@master
+    - uses: php-actions/composer@v6
+      with:
+        dev: yes
+        args: --ignore-platform-reqs
+        php_version: "${{ env.PHP_VERSION }}"
+    - uses: php-actions/composer@v6
+      with:
+        command: outdate
+        args: --strict --direct --ignore-platform-reqs
+        php_version: "${{ env.PHP_VERSION }}"
+    - uses: php-actions/composer@v6
+      with:
+        command: test
+        php_version: "${{ env.PHP_VERSION }}"
+
+  image_build:
+    name: Image Build
+    needs: [check,test]
+    runs-on: [ubuntu-latest]
+    steps:
+
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - uses: felegy/mirror-action@master
+      with:
+        REMOTE: git@${{ env.DEPLOY_REPO }}:${{ github.repository }}.git
+        SSH_CONFIG: |
+          Host ${{ env.DEPLOY_REPO }}
+            ProxyCommand cloudflared access ssh --hostname %h
+        GIT_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+        GIT_SSH_NO_VERIFY_HOST: "true"

.gitignore

@@ -25,7 +25,9 @@ web/.htaccess
 .env
 .env.*
 *.env
+.env.*
 !.env.example
+!.envrc
 
 # Heroku bin
 .heroku/*
@@ -44,6 +46,6 @@ wp-cli.local.yml
 # Local gpg
 /.gpg
 
-# Local db backips
+# Local db backups
 *.sql
 *.sql.gz

.lando.yml

@@ -7,9 +7,9 @@ recipe: wordpress
 config:
   php: '8.3'
   via: nginx
-  database: mariadb:11.4.5
+  database: mariadb
   webroot: web
-  xdebug: true
+  xdebug: false
   config:
     php: config/php.ini
     vhosts: config/lando.conf.tpl
@@ -17,3 +17,9 @@ config:
 services:
   mailhog:
     type: mailhog
+
+tooling:
+  tar:
+    service: appserver
+    cmd:
+      - tar

.vscode/settings.json

@@ -0,0 +1,16 @@
+{
+    "[php]": {
+        "editor.formatOnSave": true,
+        "editor.defaultFormatter": "obliviousharmony.vscode-php-codesniffer"
+    },
+    "phpCodeSniffer.exclude": [
+      "**/vendor/**",
+      "web/wp",
+      "web/app/languages/",
+      "web/app/themes/hvg-blog-general/",
+      "web/app/themes/twentytwentyfive/",
+      "web/app/plugins/"
+    ],
+    "phpCodeSniffer.autoloadPHPCSIntegration": true,
+    "phpCodeSniffer.autoExecutable": true
+}

composer.json

@@ -22,7 +22,12 @@
     }
   ],
   "keywords": [
-    "bedrock", "composer", "roots", "wordpress", "wp", "wp-config"
+    "bedrock",
+    "composer",
+    "roots",
+    "wordpress",
+    "wp",
+    "wp-config"
   ],
   "support": {
     "issues": "https://github.com/roots/bedrock/issues",
@@ -32,11 +37,14 @@
     {
       "type": "composer",
       "url": "https://wpackagist.org",
-      "only": ["wpackagist-plugin/*", "wpackagist-theme/*"]
+      "only": [
+        "wpackagist-plugin/*",
+        "wpackagist-theme/*"
+      ]
     },
     {
-        "type": "vcs",
-        "url": "https://github.com/hvg-dev/hvg-blog-general"
+      "type": "vcs",
+      "url": "https://github.com/hvg-dev/hvg-blog-general"
     }
   ],
   "require": {
@@ -48,7 +56,7 @@
     "ext-exif": "*",
     "ext-imagick": "*",
     "ext-intl": "*",
-    "composer/installers": "~2.2",
+    "composer/installers": "^2.2",
     "vlucas/phpdotenv": "^5.5",
     "oscarotero/env": "^2.1",
     "roots/bedrock-autoloader": "^1.0",
@@ -69,13 +77,14 @@
     "wpackagist-plugin/wp-api-swaggerui": "^1.2",
     "wpackagist-plugin/cloudflare": "^4.12",
     "wpackagist-plugin/menu-image": "^3.13",
-    "wpackagist-plugin/code-snippets": "^3.6"
-
+    "wpackagist-plugin/code-snippets": "^3.6",
+    "wpackagist-plugin/saml-sso-wp-single-sign-on": "^1.4",
+    "wpackagist-plugin/fancy-facebook-comments": "^1.2"
   },
   "require-dev": {
     "heroku/heroku-buildpack-php": "*",
-    "roave/security-advisories": "dev-latest",
-    "laravel/pint": "^1.18"
+    "squizlabs/php_codesniffer": "*",
+    "roave/security-advisories": "dev-latest"
   },
   "config": {
     "optimize-autoloader": true,
@@ -89,15 +98,20 @@
   "prefer-stable": true,
   "extra": {
     "installer-paths": {
-      "web/app/mu-plugins/{$name}/": ["type:wordpress-muplugin"],
-      "web/app/plugins/{$name}/": ["type:wordpress-plugin"],
-      "web/app/themes/{$name}/": ["type:wordpress-theme"]
+      "web/app/mu-plugins/{$name}/": [
+        "type:wordpress-muplugin"
+      ],
+      "web/app/plugins/{$name}/": [
+        "type:wordpress-plugin"
+      ],
+      "web/app/themes/{$name}/": [
+        "type:wordpress-theme"
+      ]
     },
     "wordpress-install-dir": "web/wp"
   },
   "scripts": {
-    "project-init": "php -v",
-    "lint": "pint --test",
-    "lint:fix": "pint"
+    "test": "phpcs",
+    "project-init": "php -v"
   }
 }

config/app/base.php

@@ -7,7 +7,6 @@ $env_keys = array();
 
 # App Base environment keys
 array_push($env_keys, 'BLOG_SLUG');
-array_push($env_keys, 'USE_CDN');
 array_push($env_keys, 'GA_CODE');
 array_push($env_keys, 'GTM_CODE');
 array_push($env_keys, 'FORCE_SSL_ADMIN');
@@ -30,6 +29,7 @@ array_push($env_keys, 'CLOUDFLARE_EMAIL');
 array_push($env_keys, 'WP_CF_ACCESS_AUTH_DOMAIN');
 array_push($env_keys, 'WP_CF_ACCESS_JWT_AUD');
 array_push($env_keys, 'WP_CF_ACCESS_REDIRECT_LOGIN');
+array_push($env_keys, 'LOGOUT_REDIRECT_URL');
 ###
 
 # App Secret environment keys

config/lando.conf.tpl

@@ -30,4 +30,4 @@ server {
         fastcgi_read_timeout 300s;
         include fastcgi_params;
     }
-}
+}

config/php.ini

@@ -0,0 +1,4 @@
+upload_max_filesize=1024M
+post_max_size=1024M
+max_execution_time=300
+max_input_time=300

k8s/build/0-default-lifecycle.yaml

@@ -0,0 +1,6 @@
+apiVersion: kpack.io/v1alpha2
+kind: ClusterLifecycle
+metadata:
+  name: default-lifecycle
+spec:
+  image: buildpacksio/lifecycle

k8s/build/0-kpack-service-account.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kpack-service-account
+  namespace: kpack
+secrets:
+- name: kp-default-registry-creds
+imagePullSecrets:
+- name: kp-default-registry-creds

k8s/build/1-default-clusterstores.yaml

@@ -0,0 +1,10 @@
+apiVersion: kpack.io/v1alpha2
+kind: ClusterStore
+metadata:
+  name: default
+spec:
+  serviceAccountRef:
+    name: kpack-service-account
+    namespace: kpack
+  sources:
+    - image: ghcr.io/hvg-dev/test-builder@sha256:3c169742c4d278f9baa79003b1a998d9337cc2050c7845207d8012207c16a1a7

k8s/build/1-heroku-24-clusterstacks.yaml

@@ -0,0 +1,13 @@
+apiVersion: kpack.io/v1alpha2
+kind: ClusterStack
+metadata:
+  name: heroku-24
+spec:
+  buildImage:
+    image: ghcr.io/hvg-dev/test-builder@sha256:6294ec780aeb492bbcef91884c21d9b5f1fc1f88f6096228ea2e3a640dadef09
+  id: heroku-24
+  runImage:
+    image: ghcr.io/hvg-dev/test-builder@sha256:9a80c7da247decbfb1350c1fb0aa6436d74bde59953751e6193835063ca38e84
+  serviceAccountRef:
+    name: kpack-service-account
+    namespace: kpack

k8s/build/3-builder-clusterbuilders.yaml

@@ -0,0 +1,25 @@
+apiVersion: kpack.io/v1alpha2
+kind: ClusterBuilder
+metadata:
+  name: builder
+spec:
+  lifecycle:
+    kind: ClusterLifecycle
+    name: default-lifecycle
+  order:
+    - group:
+        - id: heroku/php
+        - id: heroku/procfile
+    - group:
+        - id: heroku/nodejs
+        - id: heroku/procfile
+  serviceAccountRef:
+    name: kpack-service-account
+    namespace: kpack
+  stack:
+    kind: ClusterStack
+    name: heroku-24
+  store:
+    kind: ClusterStore
+    name: default
+  tag: ghcr.io/hvg-dev/test-builder

k8s/build/4-hvg-dev-service-account.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kpack-service-account
+  namespace: hvg-dev
+secrets:
+- name: kp-default-registry-creds
+- name: git-ssh-auth-secret
+imagePullSecrets:
+- name: kp-default-registry-creds

k8s/build/blog-dev-image.yaml

@@ -0,0 +1,20 @@
+apiVersion: kpack.io/v1alpha2
+kind: Image
+metadata:
+  name: blog-dev
+  namespace: hvg-dev
+spec:
+  additionalTags:
+    - ghcr.io/hvg-dev/blog:sha-2bc32b8
+  builder:
+    kind: ClusterBuilder
+    name: builder
+  failedBuildHistoryLimit: 10
+  imageTaggingStrategy: BuildNumber
+  serviceAccountName: kpack-service-account
+  source:
+    git:
+      revision: 2bc32b8f256bd8931d690ab78b08a6e31cab7af0
+      url: git@gitea-ssh.gitea.svc:hvg-dev/blog.git
+  successBuildHistoryLimit: 10
+  tag: ghcr.io/hvg-dev/blog:dev

k8s/build/blog-main-image.yaml

@@ -0,0 +1,20 @@
+apiVersion: kpack.io/v1alpha2
+kind: Image
+metadata:
+  name: blog-main
+  namespace: hvg-dev
+spec:
+  additionalTags:
+    - ghcr.io/hvg-dev/blog:sha-b0e1cfc
+  builder:
+    kind: ClusterBuilder
+    name: builder
+  failedBuildHistoryLimit: 10
+  imageTaggingStrategy: BuildNumber
+  serviceAccountName: kpack-service-account
+  source:
+    git:
+      revision: b0e1cfca5205556c738e44b7eb040c5f87dac109
+      url: git@gitea-ssh.gitea.svc:hvg-dev/blog.git
+  successBuildHistoryLimit: 10
+  tag: ghcr.io/hvg-dev/blog:main

k8s/hvgblog-vcluster.yaml

@@ -0,0 +1,52 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  annotations:
+    helmcharts.cattle.io/managed-by: helm-controller
+  name: hvgblog-vcluster
+  namespace: kube-system
+spec:
+  chart: vcluster
+  createNamespace: true
+  repo: https://charts.loft.sh
+  set:
+    integrations.metricsServer.enabled: "true"
+    sync.toHost.ingresses.enabled: "true"
+    sync.toHost.persistentVolumeClaims.enabled: "true"
+  targetNamespace: hvgblog
+  valuesContent: |
+    controlPlane:
+      distro:
+        k3s:
+          enabled: true
+          extraArgs:
+          - --tls-san=hvgblog-vcluster.hvg.hu
+          image:
+            tag: v1.32.1-k3s1
+      ingress:
+        annotations:
+          cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
+          ingress.kubernetes.io/force-ssl-redirect: "true"
+          kubernetes.io/ingress.class: nginx
+          nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        enabled: true
+        host: hvgblog-vcluster.hvg.hu
+        pathType: ImplementationSpecific
+        spec:
+          tls:
+          - hosts:
+              - hvgblog-vcluster.hvg.hu
+            secretName: tls-vcluster
+    exportKubeConfig:
+      context: hvgblog-vcluster
+    integrations:
+      metricsServer:
+        enabled: true
+    sync:
+      toHost:
+        ingresses:
+          enabled: true
+        persistentVolumeClaims:
+          enabled: true
+  version: 0.26.0

k8s/manifests/app/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v2
+name: hvgblog
+version: 0.1.0
+type: application

k8s/manifests/app/templates/0-github-container-registry.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+  name: github-container-registry
+spec:
+  encryptedData:
+    .dockerconfigjson: {{ .Values.imagePullSealedSecret | quote }}
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: "true"
+      name: github-container-registry
+    type: kubernetes.io/dockerconfigjson

k8s/manifests/app/templates/1-db-user.yaml

@@ -0,0 +1,33 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: "{{ .Release.Name }}-db-pass"
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+spec:
+  encryptedData:
+    password: {{ .Values.db.sealedPassword | quote }}
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: "true"
+      name: "{{ .Release.Name }}-db-pass"
+      namespace: {{ .Release.Namespace }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: "{{ .Release.Name }}-db-user"
+spec:
+  name: {{ .Values.db.username | quote }}
+  mariaDbRef:
+    name: mariadb
+    namespace: default
+  passwordSecretKeyRef:
+    name: "{{ .Release.Name }}-db-pass"
+    key: password
+  # This field is immutable and defaults to 10
+  host: "%"
+  cleanupPolicy: Delete
+  maxUserConnections: 0

k8s/manifests/app/templates/2-database.yaml

@@ -0,0 +1,13 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  name: {{ .Values.db.name | quote }}
+  mariaDbRef:
+    name: mariadb
+    namespace: default
+  characterSet: utf8
+  collate: utf8_general_ci
+  cleanupPolicy: Delete

k8s/manifests/app/templates/3-db-grant.yaml

@@ -0,0 +1,26 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  mariaDbRef:
+    name: mariadb
+    namespace: default
+  privileges:
+    - "SELECT"
+    - "INSERT"
+    - "UPDATE"
+    - "DELETE"
+    - "CREATE"
+    - "DROP"
+    - "INDEX"
+    - "ALTER"
+    - "LOCK TABLES"
+    - "EXECUTE"
+  database: {{ .Values.db.name | quote }}
+  table: "*"
+  host: "%"
+  username: {{ .Values.db.username | quote }}
+  grantOption: true
+  cleanupPolicy: Delete

k8s/manifests/app/templates/4-db-connection.yaml

@@ -0,0 +1,26 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  mariaDbRef:
+    name: mariadb
+    namespace: default
+  username: {{ .Values.db.username | quote }}
+  passwordSecretKeyRef:
+    name: "{{ .Release.Name }}-db-pass"
+    key: password
+  database: {{ .Values.db.name | quote }}
+  secretName: "{{ .Release.Name }}-db-connection"
+  secretTemplate:
+    key: dsn
+    usernameKey: DB_USER
+    passwordKey: DB_PASSWORD
+    hostKey: DB_HOST
+    portKey: DB_PORT
+    databaseKey: DB_NAME
+  healthCheck:
+    interval: 60s
+    retryInterval: 30s
+  serviceName: mariadb

k8s/manifests/app/templates/5-configmap-env.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+data:
+  WP_HOME: "https://{{ .Values.host  }}"
+  WP_SITEURL: "https://{{ .Values.host }}/wp"
+{{- range $key, $val := .Values.env }}
+  {{ $key }}: {{ $val | quote }}
+{{- end }}

k8s/manifests/app/templates/6-secret-env.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.sealedSecretEnv }}
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+spec:
+  encryptedData:
+  {{- range $key, $val := .Values.sealedSecretEnv }}
+    {{ $key }}: {{ $val | quote }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ .Release.Name }}
+      namespace: {{ .Release.Namespace }}
+{{- end }}

k8s/manifests/app/templates/7-wp-deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}
+spec:
+  replicas: 1
+# revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      imagePullSecrets:
+      - name: github-container-registry
+      containers:
+      - name: {{ .Release.Name }}
+        image: {{ .Values.image }}
+        imagePullPolicy: Always
+        command:
+        - {{ .Values.command | default "web" | quote }}
+        resources:
+          requests:
+            memory: 128M
+            cpu: 100m
+          limits:
+            memory: 512M
+        ports:
+        - containerPort: 5000
+        envFrom:
+        - configMapRef:
+            name: {{ .Release.Name }}
+        - secretRef:
+            name: {{ .Release.Name }}
+        - secretRef:
+            name: "{{ .Release.Name }}-db-connection"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: {{ .Release.Name }}
+  ports:
+  - name: wp
+    protocol: TCP
+    port: 5000
+    targetPort: 5000

k8s/manifests/app/templates/8-ingress.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{ .Values.host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: {{ .Release.Name }}
+            port:
+              number: 5000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - {{ .Values.host }}
+    secretName: "{{ .Release.Name }}-tls"

k8s/manifests/app/values.yaml

@@ -0,0 +1,49 @@
+image: ghcr.io/hvg-dev/blog:dev
+
+# Image pull secret for the container registry (see https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-create-imagepullsecrets)
+imagePullSealedSecret: AgA56Wy8PD6cByq+xIFwOBl0OUPt0ricOB0tjaC+B/mpHhFnsKaGKt4EdUsfnDZccc3IdpoIFdhOo3rkAikxN+PjCFpb/bC0JZZiP8K3DAREizLAU1R0og0xWjOGZ+GHRdZMiuNFf3ADl5D65lrIr1e1wTrSuJ8SReOqo2rY9QGDwWC51iJwy0cmB3WVGDYjDUIz/vnx5p8BxzIEHsCIoSelBIQjJ0idZwe8JuaSxrQRUtk8/Cenj3mUVsXIVpNr4ExBMF4tBuYEAYuY1t98bp66l6dbbEfnLDpQXDusj7RITV0N2KQ++7h5fjlH9yC8nsXntZb4T6oVSZlJWUYDzqaqfBFckQ6S0L9XcgSOFHKeZa1MVEiKpjiU9uEn+hDCPbatg5exMUEAcvXl6LxnKW/Mn0dIykOv/LIQyxXeUFdGOoFj6pCvkj/Z2DFeHLq5/+rY0ZIvLnLtGYfxm2Du1ft3MldWUSq9i4BUuL0ddH5h4PRxC5SE7Yp/SGkU4qDqqSmh21GxVdezp4YK9Mg4gRrCcGPL+sViDYkDLvBXOpBVhhQbAQcZWkDHit58p3nh2byP0GpIL0etnFGVqx9n2W2BuckKbOeEaRGbdaeO8pT6f2IOA6ZyuT91RiqRYrzXYMA2hzmQBVYlKXjI3LAuEHOnccl7cA57j32U+yHsaCHpxQ0vbDpoZHwRj7O3De4BlEdFiMIBcgveXMK8V5t6Hie/KQZOXwt38UPj9axdGoMzPFe5KffWHNJrUYVyHkS9lfKgi4aHF/SIs034x39l7KPitk3+UqFtKUEuL0/P+EoxN9qre/HFGvF3uZRdllt6gruWYLVCrnLnHfKRKe9D9Mb5jVi+BbVfxuXBip/TFnc0x3JRGmGQQm2bICyYonPP3pQcDqqq/8dshKCGeVHmsN8mP+ERv/izbb2QU4loRg==
+command: web
+
+host: dev.hvgblog.hu
+
+db:
+  name: dev
+  username: dev
+  # Use `kubeseal --fetch-cert > pub-cert.pem` to get the cert from the cluster
+  # Then use `tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1 | kubeseal --raw --scope  cluster-wide --cert pub-cert.pem` to create a sealed password
+  sealedPassword: AgCjcJj1U6QOlCbQFVrT55D/6NECvZzwXZlQmVbeIW/b//SawiIIrlSnVHkQUYcC8VVswYJ854P1+3HANJriBHBs+fLklVsQytnjC6gktUgPcxuhBgACtOBWco3wyq3MNX5qU2IYevdCd7da31czaTNnLkowF8S7Oqyb4DKQAc1RE7geepJyHUxILGvFSsd3LiPkoI5y+J1IWcThFFU2ACZ247FYAprn/XqozgQcX28yO8U30ejW73TJrvxhKR4UvTlqNDSRh/XNBKre/zqCvKg8aKd+LgwCVegPQnGRMl3Jcw1CyRFDADYLg6YwQ9bRRpN518z3IQOonPL82EOAeXAYU6aTVQz2qwQZkDp7ww0MCknhypUSxfHTQ+FSauXxoweUICAzFP3LQuyoE+LUoUMKyC6tKh9Lsiiks+Y0gRp4Jpj0Rhm/f2wPQZwecN63Sd95pEmruYpsTfA4bqJo2omhdZHeQKLMfZQk4MGNBjGeXkif4NIk5RsOgQHM4Rf3tXOmxKoXRayl6J0ow36/jfxCMQAliiq7SGRcty6Mq7j2ou0MRi19b88fFUynLpxQUK7Ob7ziYmWDBPGwAGg9SLApJYidnpKO+351no58UBhAf+d4cyTI0PURvp9kZhkQNsCHuDFWh9CZ3B5RjJ7D/znkdZELvRWWGde7+qbRb924QfWmCpcmjxT6dOP0qQt4dUChVl/yBraBeWyL0EZtjXGDq/W+mf4AkAYN3fwpb98G
+
+env:
+  PORT: 5000
+  BLOG_SLUG: dev
+  DB_PREFIX: wp_
+  WP_ENV: production
+  DISABLE_WP_CRON: 1
+  TZ: Europe/Budapest
+  #GTM_CODE:
+  S3_UPLOADS_BUCKET: hvgblog/dev
+  S3_UPLOADS_BUCKET_URL: https://cdn.hvgblog.hu
+  S3_UPLOADS_ENDPOINT: https://ams3.digitaloceanspaces.com
+  S3_UPLOADS_HTTP_CACHE_CONTROL: '30 * 24 * 60 * 60'
+  S3_UPLOADS_REGION: eu-west-1
+  SMTP_ENABLED: 1
+  SMTP_PORT: 2525
+  SMTP_SECURE: tls
+  SMTP_SERVER: smtp.eu.mailgun.org
+  SMTP_DOMAIN: mg.hvgblog.hu
+  SMTP_LOGIN: wp@mg.hvgblog.hu
+
+sealedSecretEnv:
+  S3_UPLOADS_KEY: AgASNFNBXB4SlrioskAAXTkVjpmDTFUVI88/qx0w9LMaW6Xqd2W1LZkwNqNStCeN1XbLX8KBypJ2SDz6jUaXUDFl3K98j4VGcxm7o06kGz6MQFDKPTv3tiSaqS8dJeQBB0pMIWRkbAQUkgRxR7SE5R8bkuKWg3RgvPfX6Po/8+D+vT47xi6Vk04VkCoTw8xiBZu6ZtwENm/57saMK/1n0o9uvEm3NWY/lN7G146wIrpHKqzefWddUK5ddDuJJQdUbQnkHPHC9pUH+6a+86ywBp6ZFg5Tzc7jkq9QryRRUjlh6+/fUHZm9B0IEKgdpKaX+fFVFg+xy6fO8CuV/80aJD12v/9+b6Wd9G2U+LSm1KYBFWoWFEiuW/qoA+WH60PYw0/czOxh6FXZgfcqFFLG1mNpzE0/0MsXrZZzS1pFhG8VCGBmTrDGq6gBCsYZtdY456L7fo/REbAHzJ3B5RATlfCTqrr33nNHX6MZod46vE/123dgeZ/Uaui9pjM9/AQko1KGnIAfmiYMilA+CIupXNr1CgIPlB6Gd8iUdg4Lyko0ahkRfu27O9mx4ATLz4b7YD0jXa9TY+LnyucsySTnSbRkjHIL0JePPMYjGP0+M9q+h5IwttRf2xVMqNkBXngqBOsNoBBWyoe2BfVCedX3wh5B/o9gSQbARNPYR03ZI4XeMiG4MbIwAGvXOm+/Ef3h1RtDq4+q4GtG/oH8UQFzxigr3Qcdt+M=
+  S3_UPLOADS_SECRET: AgANZgOk9NWB7DGFPt0ovHX9ZjT4Sz4cqmx3/MveZORX6yuRaGPHapMnA3f0rgc90c3Z+2z9VlMgINsoJg11DLb/wTNnGcSIW/rmvIH7o+///qk94QbSvUp0kc6VgE7kEZhGU/nzsAd0Ak+8reEh17fNPH6yNf4TtkeICfi4onX64SxEcNmuIcpGTTBeJ300eKgKlTeTuGuN/+/cOn0VPj456nv6nlvag9eRfAcSy6Qo4t0gfvRTbML5zTXDGXArfCCWhMxtoos1KbD48WNlWU/t6d6bODNSaMMsjgIAgY3mkwrUGvuSQV5BAAU2eIgtvAFASXHVLThIt8gqaktappgCJQmLK2d922BYV/ifJMFjp6t0+dd4lsjSmDNQxKr2cjz9DLqdmcpJ3U/W+pKPefb5Na+iOOhzQXSsSTUV4J0pVjdXqnGILX+CSgs8aH+Ax1eLAciGIcajGV6C70GYhVIyMkvC9mmY+QboJBd5eidemIz73APP6yTuKFVO8zsn+CmQ+r65FhjNFzRYTcWpt8k000phtlJvRI9AJ0auhPpGe8rWEA5VcMwlfW0BFbfCT4lkEEirPXUvFhfRohu4Kl0CZkVvRHVhf0q9LU0MEPqjQDPf/xYLP7gVYTD5wYo5aZVCS4FXn3qY8ehucJCJT1X6XjZff2Ym2f4VHC21I3bjOOJrX7gPhAlITEoCcumzaOwWf7iBMQVBQkMo1uscsTZy3YG/OKi7B8Oy36QTMl1enSSX8U3XS/AoSdvSjQ==
+  SMTP_PASSWORD: AgA9mg9AReuqS8mNJ+6nukExGUhoMYRxHp6Yyuz9otonkn/7BXobjXjF3W8M9y77OysxlJNjfmuCDiYYSQY4EG8c3/lhA5qeMI9vZHIoOI+B/07Ur8BF2jrMdAkjJx6AIVnqIpoU1zGKuE58L4BV/5+D8wRJiEMaVWKcG/5doy2DqjYLEAUAAalrzL8EXM1NTqGS4g3tMNprkcriNSQ3Flj1WBkCX5QEIWtgjAtUajF0tQJLGq0fOHOO4ERM44sMBTS/JcHoLOB22N7YDeTCl+RZwfQgycLThunMbnTtwxjYRELxprWuf9d1Xt+mQ74owU/WWUb5J8DO9gRoI5WHMfCU/TSFLn2C5d6n4J/MlbVElJ8DJDN1CG2dA2XqkiHvoyAbhv66J25d8Jgx69E8cA2zLgBs3SD4rKZ7l8Sqj/G83bAPwqOO6M/fmMtOaHYU7od1buBybesWoZXFRNXBjz5q7UUQkIV6qegMc5Mef2CkrD2NCwJVWsOJMJuWbyFoowMMlgEB/OYEcN5qVVKT9UoaeYXf0h9MA54sv2U/YqDkFxYzVnPe3JMVoRY2x7x+PVe3gzh3rFjSrqjN8MVbAtIGFVJLOZmhN69r2alsJxFsUo+uEFNETYlPPfnmbTiuZwc4cbSRXSSwbhX7zI0mBQhVpVts+2DT5hu3vmUFw9L7M2JClJcECW/mopSS1Ao2jzPHpCwQ3tc/Io4Daut5n4fMsdISEoFUy50cnHlOCu1O09hH0f+FRCEojrP50Ycs2xb//PE=
+
+  ### WordPress Salts
+  AUTH_KEY: AgCvDJbrBT/ze5NXqfrs4ZCjHkDj6uM19QVVomPy3mLkcDqBoRznD0heGbiWBLu6/kOcV18sw1q7WMwU//6cuU5eZmeYnhZHbNDxGDPE8Nw/UUmoOR9wOc/XozXf4DBK1zLn9ne4xA4lMdlYeJ7WBWPFYyoc0htrbEiB+MAEt8DXvlRooDIZYtitZzBHWrhFLuIhAi2mIA2SQ9V8simzbUU3DM7Wb/DY4Qoa4jP/XTEgcxdtQPzOXFJTlZt5poMqs1/ckrTeo1/9SLrZZTWQPeZlsoISs18J8oeK33ugTNYz51mRoOai0Yhnc2bbN+4WGgtXi6FPjPgFcdjKjul5gdb81Z47RIO8wwsPjnFTSQ1LXtSJ/HiX9uOj1OHUYEH1rIqzaOmxDo23VYParhDsU2QLDIf1S8mJo/WTn4Hb6IAA5Veb7bbudesffgxgMm69qTQrdoPumLaXNX6TnRC5tGM+YaYbBGVsuDxSZUnagEkobgG8D60V58c6mWbZ+k+VZ+0aNGyaLHEAjZDCDxh9/6AkOoqLIaUXOgL7hQ3eX2YAFfBdwIICY82ylC1DqwTxGqpjRP45E2tMHEp8IQHLgvdEChLBXmqPVk0kJF+FJIzdOE+OkLtnAmCD0L3eq2SXRoceISxf0UNVWLwXMYCrvOM2kSrDHT/PhCqtGwaIDWuLXdddXZzECPk5hcLJb+JSYG1yRc6Qc8nezag7hh31pvfFI6PtR4LqlI8xmsHz0RognxQi/MEI6uSJ23/w+4RbjlBBKILoLqkgE+v1mhbAUuMr0Q==
+  AUTH_SALT: AgBX0tOuA235buf6x054X0SmTsyqkjeYuevgDdbWIWqi+AWd9slUnlS2bnBtjYGg4U+fTIbldo2bYuEAHK+TIVOXTxud7+PSYEO+JjtpetHchQBYh0rNjTs8K11uK5mqPBSPVkLJE08U2BNvXXubc7plLerNjW4D44ICvJly7P6CO2Rnrjueg34DB1TnGnD8PANIiUZVTrJOCC/QSodhaerqDvJBuq6qS0q+GEqU4C5kineHyzuQnuGq5lUN6l+Gk2R8vlwLaT36x4MJlxRa/UjQsvbQ6CYRNGnZW1knPsvON/sukpy7BVEVYAnCYnrzRX/8kEgyxMfSePcWOwsG1JkSb1PrcQXftro7xZQjKgdkqacOGnkVd8sKn1n0f0w2iAGhMt2fCn7sf5htnSC5lL0mdBosNv3p1VwrfXIwjDr5Fzs1CHTbb1hJ8282aAGfzLxmGXPucAbk7nSvbD4iVhXmZ91vbWJRKC+DD/9HBdQloEplSKYm3uyTb0qlJzPIUVTNLu9b+yTeBQIckuAYu03NX2WWSVkX1M80YMER0/eNbvec4ZCSUxKWLzjVm+k3ra8ToL5tYrEr65Be/WuK57tMvx25106OHvokc6S0wp5B+VyirLtwXqRSGFBWqQv62hxJQDOySNsi45QzueD/BYxG+tf3QX1+bdc50WlwUHK1UEZuSNb6JnGfvFU1fJEApAZWJaK2odItjaR2dVVDMuW1NsXj4qLpB/CaNYM/B8C4Elg7jyCrwTv/1TaY3IW3j/SVnRstgXTwNjRnM/WCUIJbWA==
+  LOGGED_IN_KEY: AgDU2Ss24Cuw1kthXp2DcKahfQT7apnRWtaoQymBEZMMRpGlvxWMTRRMKAx4N7E0AZdW41QLTpK0ciaI63B0PRD2B6fPVVpoz3ybNlJO/0caIw0yHWL8YSOD7rGw6TkxKrz8lggqRVZerS0tEFT8nLGoqgi+SCsfBhh3u5JQ8QM60WLeWaPvph/QFlSl290+UC2xIVEjk37zQdyXou3goeS3DMjdtze8FiwnmK/XVPsPf2cWZQw0wwAwgIJMVZWhkK2bPOKrMmsdqy4G6YrihcjjRTK/0lGKZ6sEVUsu7NTKgeHGogbu8feA8gpTEuRYP60iFNgwNrCYGmOKCXyw0vSLtxHPE7+cm2pU57GhJCTnOe1Ez9zJZmv0Zc4OEZBAaLbCXoNvoJPskeDBUe7+qcV8ugdtFCxCBtoUolos9UukhAtUWp6+uTv/vjjnCv/7kGGp2fNK8lS1D1ksk1mB0JsnjxKo5pnMHBVhJfk3IfbPLx3yvMaz86wCDKZacm5h9IwsPYEvVzkvWhiOydg3ZRVH7WUE8uJ1+Ojt2+6hlB2cMNNQ5P16fTOmt9vfl9Schlrgo+ku2tU/KPfMs4hHCvvecOskqy9MeTOF5mJllI2gqTlGR2uQ5Hgb/OgH8YOmmycpS+MqKNaTKafvwgN1i0xBaYD8y3hSYeBRTmaHu+Szm8CKEDL8PW4ebJX3a+khJMXkf3UkDjRXjSQhUoFMyRNsHLwAt5mC3asySQue6jOP/mKbZ4c7lH0gx8caDoWrlJFHsDhr79jw3F0gkr4mN+ueAQ==
+  LOGGED_IN_SALT: AgAVoBL1paq14YzaeB9lkvabzo5iDoVN23gvEQAs6CgZUIejtUa2AAkTmQIjVfkb2S7LOdfXIq1lIAPBqSmO5LqfWDh8kuxgz23mTDxYWvVqqbDpiwAgaydokprDm0WEpPdGTyvqsvEk0Gtxq6rqbFXObsfkLCv85FweyfHxh8Gwo+L/e2l1/NUFOkmT5e1j7bkKmTgBUyMEVuWMA6lFVCd3D6vGfOZqS5O5NfzhFnK9U4ZG+55+LlgbFZZltHixs/jpMBms30B/wkRxBzAAGMMCyqVLlqr3bB0HQsobA/PWHAJbGBuFHV1e9XE+7SUlKLTmcmTyxx2cfHiX2XK7Ne3VW3wEtN/4IVeCPpbwCnceXEzK4uhTHH2Hwihewm+xN5uB7SDBLLO3qSLLznapEhgHIj2tPV2i2ftAsIUjzjuPHyFhdFumzXW3QxqOofvruRYqxQAFN1LBvbys6wWLRPkRgEez0/UIiL3xaWnA+r51/cozozNZI+QDgeAACQQguX/Ag7jR+q83Xga1SeYV0HYT9AvRr+UvRQ0NcTG2ObD5JE5rUmFUeRFWIwRh+HqgekDYy359vFds54vHDn/xtOS6Cb6fyr0qX1WygsBtWUV6jf6T59zYg9L2/kr+s1iUTbbBRizJOrRMdr2gswoUWW+THhM+yc/mIL7BCoWoHPBVJ9m5uvqemfy8VOvFHOVxlBnzqIsc5eAvTh4Nqy6hIxISxG8s44RHTLfDfDxWXxI2QVq8NzY91TlBL68fzINf+Bc4vks3CJnssYdinTS9AjQQOg==
+  NONCE_KEY: AgAHwWgpFVXSLcEdHG5USGPhqueGXo163MdqCSSscxXjxw9JXKjDQ13jrsnD0JcZIWnSJnBdJ/H84HgHdaFU9g8CDzL3mXC4s66RM+c7Jw/0VCHM72+3zr5Nw+h6ycLzlE1UmB806nY88t8h4/HKujmu42qSzdFySxC5x6WbnaOqri+H+VHZ57dQfyyNFlp7fum2WnqU+EXoxvbEOMgJaxpwc8iwsmKGwy+aSzE7DTpkt/9fA+T8LiaakwtAwcvo8EnVxBesCe9ioDsA+ZjgI3xOr7OsUPb/NxaGt3VGmVk2d8dcKI6YOiyoLCFjAL1z56922OjScOO0CUo7qq0jPRuUJdouT5S3OpDm3NGCr/yjCz9Mh8anWPKxYX1ZEg2QmPiR//r+94V10A0NP6W9frpiBQhIWDqMprUK/0SpZGX88C4F1FPmOi2RSn6Tl7mwOHpZadLzBLpbY2DY/AyGQO6H0W+MJpXCT65vZJeTDcLMjCNGkVEI9vxvtVedTVkbZNbLS6+ros/HA/0qMI803exlNZEnMMwlHn1Hm4z6ngeBP4KJBUkLYLD3ienwijmiMtqmgkOhGbG2K6r+IdKHrssWeizNrx5TzLXKXzyCyk5I/9jVLhC2AM6tBqxW8TVs2WfKS4RVsNvS55qpjWbVpZb7ei10+RiPA6KaVW4ZmwtDuW8bzD2d1rMd6yJ1SiYQhzUOVjcCCYEz6VWN3R5IZ/3UjpeCWnkQ7Lja+Xm3Asvxg4m41cA3B1S/ckmj+qOr2WgjFu7GymWX8IF0hZXZo1oz2g==
+  NONCE_SALT: AgABajYW5+6c0BPjlcQLPd7v706wd+i8U1hp69+up8PalMtvugwR754mEU/ed7L15U9pTWAf6zGjmuMIZYiFpQVosQl/ggq2LeciT+xBUcrvCxZ/EBCdTl8ig/TgzucVNsR2Y0dCK5Tp7YBTuAIOa0dqyK+v1+LGrgb4PnVQvi18hApBiDX0Txnn5QkGhBaSr7LJuD76KfgY+AZ8Gv95b30pTY2AtYydDJXrtqoDCIXfPcnPf102Hq3na5OfJp2m2N4IUD771tDesb+faeDgk7K/mVcn+kmXB8rIawOQFnaowt5UwbfZ60ppgy1MzQZiiq2pXvMA8F42EnhNUe+C3fPyG7Kl6t7jRo+3mHhz0Dv+o0DO4Iir8r0dTw0MruLqun9YU8pLOv17+BciAxWeG8obJ9Hs5sv9ZPv7wdmlQIX/8fvsxgJgy0cqgH4lWNBD5Em9EyiVAUiRmA6tOosFrlifJMS8F1wfaiNEZ7DxjdSVMrEBtntBO2ndSdrdqNIfUED9ZfIvBxP2UHRS9h4KEyCvxcM8HgWt7htnpiSx/XpFZCJr4meGfaNB1Tv5f40bCFpKmsbK1GXNMKJwOJcV1I2FV6xpp6Ch7tgHlZ/Il7hbQ4JsKav7l93b/Dd2e8y/58Jk3DvBQzrPOWPpQrKxrIOeT8o+HC8PS7jdi5xKJ0g9dR10LkgmW0m/usTdwCLWca/9I7iLxiAF/zRoN+7+8ySxIxnBTaFWykYsIDs+5nsYH6TgXseq9PFnxxtKutMp7EPtnO7vzc4DNtkuouS8oqt+Aw==
+  SECURE_AUTH_KEY: AgBAPzBURABD4yzbUrMr4l4CRD18wu9+o6+wA9UJ6NQ8F+Hn3ddGG8HMpbq/eWwXw4q7SXv7BEU4VVoeuPjTle5ChQJfrdbThjermhjwcEDu8Cgr6jczj9bKEJ6Th3ezXR2jf+gwpvoPbrlk2s+mPJdWnJrAGxkV89KJWTxPuCz2PbZp2ZaxdAbXiGSL2X9KPO1XHYZjpgN1nd4+2BqGnA9B0ozyVChPctYHv1taPdvF0ifMsJDiNu4PpEcq9Ga/hrgmjYEVvxvrA5J+zOs/DaVm68VtJvyQEIw3A6jZNOVC5WFUk7UuCoBhuj9X/6ayZTVjqvtHMhi3BT2pxFT0n7OXAWd8g4MctyX93dBYcmkjqE4aZn1kHndOdvS1E41J+aMjslWgzdCLDqGqzVxgilMbxXxM+AXOeuAzSzo96WzTnIxnX851xdkJEIjBnCedaIXVkXfEWOewE2SOa/7F7JbQAlMwCrNN5/Co45tLNsfolpwy4WQmWJWcI4nZVTOM79kZM9kr6hAYqhHCG6/8MQ/2Vd8fYvTblJKoagEpKhqZK0J7HQpBaneOGhFV/Wn42v8g73HZc2BdxMrj53yq2eHzpe5AQSApn9nNBWhivAR7+jaDWmNYjcsmDzFf5p8MVPsiyT6JZxVjphkKI38/AfUt7WENcGjyXW6I0MwFYvEXgiPUUPQXtMvX6yDscpxGa/aVIin+7BKrZiu12du4jfyr7VyF+hyw90/YSrk/hfehjiTWk844GDMF9K7LSMLR+tWQ47yUyV5rNQ2FsGqGqdKE/Q==
+  SECURE_AUTH_SALT: AgCuReJp+NF2X4ywkx+vNjLvX/7JrgCcw8qDGnfI6Pr4/rCUEAouzI9GQ81jLWJX5JL0xIoNfLzv9KyhVGpPEZ2qj+2pHveCFKab0QcMLTVdqLVu9JiESiJ769va7dwV0UZiv2hW1TDdHzTNCtujz3Sd2nP1QXE5stjunVYgMuR5TuDc0vMVYrD4G3GkEaIdKNyDFLrq5w4QHa+zxhDpYPIv1yg09K4X4j0dgYT/PiSdCyhjwyO+92q6AXaeRuq7o1/AavSvpslp3Zc7kiNPY79C6khZhI9VdHosT1H2xbySEovF1FO3f0q1nrxuMFVeMrJrnJBrOjf/7fxi3EQU8YHqcuLLZhOJ9vo7Xo6mpjdiUC3/HCtGDwlGGlsZtZ8xSOT7sqrSS7Z6L+8SMciO/JJY0SyOSQ+KI6XLCF+gLJ/ldguY07RLSCaEqpso1ov6BwdBgkMwYVEtCG19Ll6Qug4gEps6AAfX9fYtzZuqh7klHIstJJ+z1bRZyRMqiyKD3U8B3Xj76nDzmNoKGqEh64q+ylR1yDI7sN4myBXVSLxC86DEfHiDgb7Fpm9KvzqSuPc6WQiRAJOsshnju1g2Mks9XQ3o2xwNtC39uwfXB/aVtG69udi5AYjhRlXfHRkqNxl/nT3sDLR4F4ViLh736b30FPdzjiYx/SBdfwSEljrBWQfMpTSx7jEAFvgARci1MvIPk3SJi39PH4rej4wZGTuEtoWA33473bFKGx5ch7rXGHuVOEgtU4aTshUmKpIbYc0ViZcvKKJM9saEVetQjJvPJw==

k8s/manifests/dev-application.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dev.hvgblog.hu
+  namespace: hvg-dev
+spec:
+  project: default
+  source:
+    repoURL: 'ssh://git@ssh.github.com:443/hvg-dev/blog.git'
+    path: k8s/manifests/app
+    targetRevision: HEAD
+    helm:
+      releaseName: hvgblog-dev-wp
+      parameters: []
+      valueFiles: []
+  destination:
+    server: 'https://hvgblog-vcluster.hvg.hu'
+    namespace: dev
+  ignoreDifferences: []
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false
+    syncOptions:
+    - CreateNamespace=true

k8s/manifests/sys/0-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: site-system

k8s/manifests/sys/default/mariadb.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mariadb-my-cnf
+  namespace: default
+data:
+  config: |
+    [mariadb]
+    bind-address=*
+    default_storage_engine=InnoDB
+    binlog_format=row
+    innodb_autoinc_lock_mode=2
+    wait_timeout=30
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MariaDB
+metadata:
+  name: mariadb
+  namespace: default
+spec:
+  image: mariadb:11.8.2
+  imagePullPolicy: IfNotPresent
+  myCnfConfigMapKeyRef:
+    key: config
+    name: mariadb-my-cnf
+  port: 3306
+  replicas: 1
+  resources:
+    limits:
+      cpu: 200m
+      memory: 1024M
+    requests:
+      cpu: 50m
+      memory: 128M
+  rootPasswordSecretKeyRef:
+    key: password
+    name: mariadb-root-pass
+    generate: true
+  storage:
+    size: 1Gi

k8s/manifests/sys/mariadb-operator.yaml

@@ -0,0 +1,22 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: mariadb-operator-crds
+  namespace: site-system
+spec:
+  chart: mariadb-operator-crds
+  repo: https://mariadb-operator.github.io/mariadb-operator
+  version: 25.8.3
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: mariadb-operator
+  namespace: site-system
+spec:
+  chart: mariadb-operator
+  repo: https://mariadb-operator.github.io/mariadb-operator
+  targetNamespace: site-system
+  version: 25.8.3
+  valuesContent: |
+    fullnameOverride: mariadb-operator

k8s/manifests/sys/sealed-secrets.yaml

@@ -0,0 +1,12 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: sealed-secrets
+  namespace: site-system
+spec:
+  repo: https://bitnami-labs.github.io/sealed-secrets
+  chart: sealed-secrets
+  targetNamespace: kube-system
+  version: 2.11.0
+  valuesContent: |
+    fullnameOverride: sealed-secrets-controller

nginx.conf

@@ -1,333 +0,0 @@
-# configuration file /opt/bitnami/nginx/conf/nginx.conf:
-# Based on https://www.nginx.com/resources/wiki/start/topics/examples/full/#nginx-conf
-user              daemon daemon;  ## Default: nobody
-
-worker_processes  auto;
-error_log         "/opt/bitnami/nginx/logs/error.log";
-pid               "/opt/bitnami/nginx/tmp/nginx.pid";
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include       mime.types;
-
-    default_type  application/octet-stream;
-
-    fastcgi_buffers 16 16k;
-    fastcgi_buffer_size 32k;
-
-    client_body_temp_path  "/opt/bitnami/nginx/tmp/client_body" 1 2;
-    proxy_temp_path        "/opt/bitnami/nginx/tmp/proxy" 1 2;
-    fastcgi_temp_path      "/opt/bitnami/nginx/tmp/fastcgi" 1 2;
-    scgi_temp_path         "/opt/bitnami/nginx/tmp/scgi" 1 2;
-    uwsgi_temp_path        "/opt/bitnami/nginx/tmp/uwsgi" 1 2;
-
-    log_format    main '$remote_addr - $remote_user [$time_local] '
-                       '"$request" $status  $body_bytes_sent "$http_referer" '
-                       '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log    "/opt/bitnami/nginx/logs/access.log";
-
-    sendfile           on;
-
-    tcp_nopush         on;
-    tcp_nodelay        off;
-
-    keepalive_timeout  65;
-    gzip               on;
-    gzip_http_version  1.0;
-    gzip_comp_level    2;
-    gzip_proxied       any;
-    gzip_types         text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-    ssl_protocols      TLSv1 TLSv1.1 TLSv1.2;
-
-    map $http_x_forwarded_proto $lando_https {
-      default '';
-      https on;
-    }
-
-    map $http_x_forwarded_proto $http_user_agent_https {
-      default '';
-      https ON;
-    }
-
-    client_max_body_size 80M;
-    server_tokens off;
-    include  "/opt/bitnami/nginx/conf/vhosts/*.conf";
-
-    # HTTP Server
-    server {
-        # port to listen on. Can also be set to an IP:PORT
-        listen  80;
-
-        location /status {
-            stub_status on;
-            access_log   off;
-            allow 127.0.0.1;
-            deny all;
-        }
-    }
-}
-
-# configuration file /opt/bitnami/nginx/conf/mime.types:
-
-types {
-    text/html                                        html htm shtml;
-    text/css                                         css;
-    text/xml                                         xml;
-    image/gif                                        gif;
-    image/jpeg                                       jpeg jpg;
-    application/javascript                           js;
-    application/atom+xml                             atom;
-    application/rss+xml                              rss;
-
-    text/mathml                                      mml;
-    text/plain                                       txt;
-    text/vnd.sun.j2me.app-descriptor                 jad;
-    text/vnd.wap.wml                                 wml;
-    text/x-component                                 htc;
-
-    image/avif                                       avif;
-    image/png                                        png;
-    image/svg+xml                                    svg svgz;
-    image/tiff                                       tif tiff;
-    image/vnd.wap.wbmp                               wbmp;
-    image/webp                                       webp;
-    image/x-icon                                     ico;
-    image/x-jng                                      jng;
-    image/x-ms-bmp                                   bmp;
-
-    font/woff                                        woff;
-    font/woff2                                       woff2;
-
-    application/java-archive                         jar war ear;
-    application/json                                 json;
-    application/mac-binhex40                         hqx;
-    application/msword                               doc;
-    application/pdf                                  pdf;
-    application/postscript                           ps eps ai;
-    application/rtf                                  rtf;
-    application/vnd.apple.mpegurl                    m3u8;
-    application/vnd.google-earth.kml+xml             kml;
-    application/vnd.google-earth.kmz                 kmz;
-    application/vnd.ms-excel                         xls;
-    application/vnd.ms-fontobject                    eot;
-    application/vnd.ms-powerpoint                    ppt;
-    application/vnd.oasis.opendocument.graphics      odg;
-    application/vnd.oasis.opendocument.presentation  odp;
-    application/vnd.oasis.opendocument.spreadsheet   ods;
-    application/vnd.oasis.opendocument.text          odt;
-    application/vnd.openxmlformats-officedocument.presentationml.presentation
-                                                     pptx;
-    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
-                                                     xlsx;
-    application/vnd.openxmlformats-officedocument.wordprocessingml.document
-                                                     docx;
-    application/vnd.wap.wmlc                         wmlc;
-    application/wasm                                 wasm;
-    application/x-7z-compressed                      7z;
-    application/x-cocoa                              cco;
-    application/x-java-archive-diff                  jardiff;
-    application/x-java-jnlp-file                     jnlp;
-    application/x-makeself                           run;
-    application/x-perl                               pl pm;
-    application/x-pilot                              prc pdb;
-    application/x-rar-compressed                     rar;
-    application/x-redhat-package-manager             rpm;
-    application/x-sea                                sea;
-    application/x-shockwave-flash                    swf;
-    application/x-stuffit                            sit;
-    application/x-tcl                                tcl tk;
-    application/x-x509-ca-cert                       der pem crt;
-    application/x-xpinstall                          xpi;
-    application/xhtml+xml                            xhtml;
-    application/xspf+xml                             xspf;
-    application/zip                                  zip;
-
-    application/octet-stream                         bin exe dll;
-    application/octet-stream                         deb;
-    application/octet-stream                         dmg;
-    application/octet-stream                         iso img;
-    application/octet-stream                         msi msp msm;
-
-    audio/midi                                       mid midi kar;
-    audio/mpeg                                       mp3;
-    audio/ogg                                        ogg;
-    audio/x-m4a                                      m4a;
-    audio/x-realaudio                                ra;
-
-    video/3gpp                                       3gpp 3gp;
-    video/mp2t                                       ts;
-    video/mp4                                        mp4;
-    video/mpeg                                       mpeg mpg;
-    video/quicktime                                  mov;
-    video/webm                                       webm;
-    video/x-flv                                      flv;
-    video/x-m4v                                      m4v;
-    video/x-mng                                      mng;
-    video/x-ms-asf                                   asx asf;
-    video/x-ms-wmv                                   wmv;
-    video/x-msvideo                                  avi;
-}
-
-# configuration file /opt/bitnami/nginx/conf/vhosts/lando.conf:
-server {
-    listen       443 ssl;
-    listen       80;
-    listen   [::]:80 default ipv6only=on;
-    server_name  localhost;
-
-    ssl_certificate      /certs/cert.crt;
-    ssl_certificate_key  /certs/cert.key;
-
-    ssl_session_cache    shared:SSL:1m;
-    ssl_session_timeout  5m;
-
-    ssl_ciphers  HIGH:!aNULL:!MD5;
-    ssl_prefer_server_ciphers  on;
-
-    root "/app/web";
-
-    include /app/config/nginx.conf;
-
-    index index.php index.html index.htm;
-
-    location ~ \.php$ {
-        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-        fastcgi_pass fpm:9000;
-        fastcgi_index  index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_buffers 256 128k;
-        fastcgi_connect_timeout 300s;
-        fastcgi_send_timeout 300s;
-        fastcgi_read_timeout 300s;
-        include fastcgi_params;
-    }
-}
-# configuration file /app/config/nginx.conf:
-server_tokens off;
-
-index index.php index.html;
-charset UTF-8;
-default_type text/html;
-
-gzip on;
-gzip_disable "msie6";
-
-gzip_vary on;
-gzip_proxied any;
-gzip_comp_level 6;
-gzip_buffers 16 8k;
-gzip_min_length 10;
-gzip_http_version 1.1;
-gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg;
-
-client_max_body_size 1024M;
-
-include /app/config/nginx/*.conf;
-
-# Force installation to /wp-admin/install.php so siteurl is always correct
-rewrite ^/wp/wp-admin/install.php(.*) $scheme://$http_host/wp-admin/install.php permanent;
-
-# Rewrite rules to allow for an application-like wordpress directory structure
-if (!-e $request_filename) {
-  rewrite ^/wp-admin$ $scheme://$http_host/wp-admin/ permanent;
-  rewrite ^/(wp-.*.php)$ /wp/$1 last;
-  rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last;
-}
-
-# Enable XML-RPC for WordPress
-rewrite ^/(xmlrpc\.php)$ /wp/$1 last;
-
-# Hide often probed WordPress file so that finding out the WordPress install
-# and version would not be too easy
-location /wp/readme.html {
-  return 404;
-}
-
-location = /favicon.ico {
-  log_not_found off;
-  access_log off;
-}
-
-location = /robots.txt {
-  allow all;
-  log_not_found off;
-  access_log off;
-}
-
-location = /ads.txt {
-  allow all;
-  log_not_found off;
-  access_log off;
-}
-
-# Block direct access to WooCommerce digital downloads. They can be accessed
-# via the X-Accel-Redirect mechanism for fast and protected downloads.
-location /wp/wp-content/uploads/woocommerce_uploads/ {
-  internal;
-}
-
-# Deny access to any other dot file
-# ~ matches using regular expression all requests that contain '/.'
-# anywhere in the URL, eg '/.htaccess' and '/wp-content/.htpasswd'.
-# This regex will override all non-regex rules, except ^~ rules due
-# how to Nginx location parsing and priorities works.
-location ~ \/\. {
-  deny all;
-}
-
-location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
-  try_files $uri =404;
-  expires max;
-  add_header Pragma "public";
-  add_header Cache-Control "public, must-revalidate, proxy-revalidate";
-  access_log off;
-}
-
-# Use actual file if exists, otherwise pass request to WordPress
-# Last rule: match all requests (= URLs that start with /)
-location / {
-  try_files $uri $uri/ /index.php?$args;
-}
-
-# If front page is requested, skip all other regex and rewrite rules and
-# pass request directly to WordPress (= URLS that are exactly /)
-# Tip from https://www.scalescale.com/tips/nginx/nginx-location-directive/
-location = / {
-  try_files $uri $uri/ /index.php?$args;
-}
-
-# configuration file /opt/bitnami/nginx/conf/fastcgi_params:
-fastcgi_param   QUERY_STRING            $query_string;
-fastcgi_param   REQUEST_METHOD          $request_method;
-fastcgi_param   CONTENT_TYPE            $content_type;
-fastcgi_param   CONTENT_LENGTH          $content_length;
-
-fastcgi_param   SCRIPT_FILENAME         $document_root$fastcgi_script_name;
-fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
-fastcgi_param   PATH_INFO               $fastcgi_path_info;
-fastcgi_param   PATH_TRANSLATED         $document_root$fastcgi_path_info;
-fastcgi_param   REQUEST_URI             $request_uri;
-fastcgi_param   DOCUMENT_URI            $document_uri;
-fastcgi_param   DOCUMENT_ROOT           $document_root;
-fastcgi_param   SERVER_PROTOCOL         $server_protocol;
-
-fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
-fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
-
-fastcgi_param   REMOTE_ADDR             $remote_addr;
-fastcgi_param   REMOTE_PORT             $remote_port;
-fastcgi_param   SERVER_ADDR             $server_addr;
-fastcgi_param   SERVER_PORT             $server_port;
-fastcgi_param   SERVER_NAME             $server_name;
-
-fastcgi_param   HTTPS                   $lando_https if_not_empty;
-fastcgi_param   HTTP_USER_AGENT_HTTPS   $http_user_agent_https if_not_empty;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param   REDIRECT_STATUS         200;
-

phpcs.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<ruleset name="hvgblog">
+
+  <!-- Scan all files in directory -->
+  <file>.</file>
+
+  <!-- Scan only PHP files -->
+  <arg name="extensions" value="php"/>
+
+  <!-- Ignore WordPress and Composer dependencies -->
+  <exclude-pattern>web/wp</exclude-pattern>
+  <exclude-pattern>web/app/languages/</exclude-pattern>
+  <exclude-pattern>web/app/themes/hvg-blog-general/</exclude-pattern>
+  <exclude-pattern>web/app/themes/twentytwentyfive/</exclude-pattern>
+  <exclude-pattern>web/app/plugins/</exclude-pattern>
+  <exclude-pattern>vendor/</exclude-pattern>
+
+  <!-- Show colors in console -->
+  <arg value="-colors"/>
+
+  <!-- Show sniff codes in all reports -->
+  <arg value="ns"/>
+
+  <!-- Use PSR-2 as a base -->
+  <rule ref="PSR2"/>
+</ruleset>

project.toml

@@ -7,7 +7,6 @@ org.opencontainers.image.description= "HVG Blog cnb image"
 
 
 [io.buildpacks]
-builder = "heroku/builder:24"
 include = [
     ".profile.d",
     "Procfile",

web/ads.txt

@@ -0,0 +1,6 @@
+rubiconproject.com, 15714, DIRECT, 0bfd66d529a55807
+rubiconproject.com, 13808, DIRECT, 0bfd66d529a55807
+google.com, pub-9423445092945252, DIRECT
+google.com, pub-1094437899690041, DIRECT
+rubiconproject.com, 209908, DIRECT, 0bfd66d529a55807
+adform.com, 2587, DIRECT

web/app/mu-plugins/app-mu.php

@@ -15,68 +15,72 @@
 * Author URI: https://github.com/felegy
 */
 
-defined( 'ABSPATH' ) || die('Restricted Area');
+namespace App;
 
+defined('ABSPATH') || die('Restricted Area');
 
 class AppMuPlugin
 {
     public function __construct()
     {
         // Define constants
-        $this->define_constants();         
-        
+        $this->defineConstants();
+
         if (defined('ERROR_LOG_TO_STDOUT')) {
             if (ERROR_LOG_TO_STDOUT) {
                 // WP error log to stdout
-                $this->error_log_to_stdout();
+                $this->errorLogToStdout();
             }
         }
         if (defined('S3_UPLOADS_ENDPOINT')) {
             // Filter S3 Uploads params.
-            $this->s3_uploads_endpoint();
+            $this->s3UploadsEndpoint();
         }
-        
+
         if (defined('SMTP_ENABLED') && SMTP_ENABLED) {
             // If SMTP is enabled, setup PHPMailer
             if (defined('SMTP_SERVER') && defined('SMTP_PORT')) {
-                $this->setup_phpmailer();
+                $this->setupPhpMailer();
             }
         }
 
-        $this->header_security();
-        $this->no_wordpress_errors();
-        $this->sanitize_file_name();
-        $this->remove_wp_version();
-        $this->cc_mime_types();
-        $this->two_factor_default();
+        $this->headerSecurity();
+        $this->noWordpressErrors();
+        $this->sanitizeFileName();
+        $this->removeWpVersion();
+        $this->ccMimeTypes();
+        $this->twoFactorDefault();
+        $this->onLogoutRedirect();
     }
 
 
-    private function define_constants() {
+    private function defineConstants()
+    {
 
-        if ( ! defined( 'SMTP_SERVER') ) {
-            define( 'SMTP_SERVER', '127.0.0.1' );
+        if (!defined('SMTP_SERVER')) {
+            define('SMTP_SERVER', '127.0.0.1');
         }
 
-        if ( ! defined( 'SMTP_PORT') ) {
-            define( 'SMTP_PORT', 1025 );
+        if (!defined('SMTP_PORT')) {
+            define('SMTP_PORT', 1025);
         }
 
-        if ( ! defined( 'BLOG_SLUG') ) {
-            define( 'BLOG_SLUG', 'wp' );
+        if (!defined('BLOG_SLUG')) {
+            define('BLOG_SLUG', 'wp');
         }
     }
 
-    private function  error_log_to_stdout() {
+    private function errorLogToStdout()
+    {
         // Add your initialization code here.
         // WP error log to stdout
         add_action('init', function () {
             ini_set ('error_log', '/dev/stdout'); // phpcs:ignore
         }, 10);
-
     }
-    
-    private function s3_uploads_endpoint() {
+
+    private function s3UploadsEndpoint()
+    {
         // Filter S3 Uploads params.
         add_filter('s3_uploads_s3_client_params', function ($params) {
             $params['endpoint'] = defined('S3_UPLOADS_ENDPOINT') ? S3_UPLOADS_ENDPOINT : "";
@@ -86,33 +90,36 @@ class AppMuPlugin
         });
     }
 
-    private function header_security() {
+    private function headerSecurity()
+    {
         // Add Security headers.
-        add_filter('wp_headers', 
-        function ($headers) {
-            $headers['X-Frame-Options'] = 'SAMEORIGIN';
-            $headers['X-Content-Type-Options'] = 'nosniff';
-            $headers['X-XSS-Protection'] = '1; mode=block';
-            $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
-            $headers['Referrer-Policy'] = 'same-origin';
-            $headers['Permissions-Policy'] = 'geolocation=()';
-            $headers['Content-Security-Policy'] = 'upgrade-insecure-requests';
+        add_filter(
+            'wp_headers',
+            function ($headers) {
+                $headers['X-Frame-Options'] = 'SAMEORIGIN';
+                $headers['X-Content-Type-Options'] = 'nosniff';
+                $headers['X-XSS-Protection'] = '1; mode=block';
+                $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
+                $headers['Referrer-Policy'] = 'same-origin';
+                $headers['Permissions-Policy'] = 'geolocation=()';
+                $headers['Content-Security-Policy'] = 'upgrade-insecure-requests';
 
-            return $headers;
-        });
+                return $headers;
+            }
+        );
     }
 
-    private function no_wordpress_errors()
+    private function noWordpressErrors()
     {
         add_filter('login_errors', function () {
             return 'Hiba történt a belépés során!';
         });
     }
 
-    private function sanitize_file_name()
+    private function sanitizeFileName()
     {
         // Clean file name when uploading files in WordPress.
-        add_filter('sanitize_file_name', function ($filename){
+        add_filter('sanitize_file_name', function ($filename) {
             $extension = substr($filename, strrpos($filename, '.') + 1);
             $filename  = substr($filename, 0, strrpos($filename, '.'));
 
@@ -120,25 +127,27 @@ class AppMuPlugin
         });
     }
 
-    private function remove_wp_version() {
+    private function removeWpVersion()
+    {
         // Remove WordPress version from HTML source.
         add_filter('the_generator', '__return_empty_string');
     }
 
-    private function cc_mime_types() {
+    private function ccMimeTypes()
+    {
         // Add SVG to mime_types.
-        add_filter('upload_mimes', function ($mimes)
-        {
+        add_filter('upload_mimes', function ($mimes) {
             $mimes['svg'] = 'image/svg+xml';
             return $mimes;
         });
     }
 
-    private function setup_phpmailer() {
+    private function setupPhpMailer()
+    {
         add_action('phpmailer_init', function ($phpmailer) {
             $phpmailer->Host = SMTP_SERVER;
             $phpmailer->Port = SMTP_PORT;
-            
+
             // If SMTP_LOGIN is defined, use it for authentication
             if (defined('SMTP_LOGIN')) {
                 $phpmailer->SMTPAuth = true; // Enable SMTP authentication
@@ -160,10 +169,9 @@ class AppMuPlugin
                 $phpmailer->SMTPSecure = false; // Disable encryption
             }
 
-            if(defined('SMTP_DOMAIN')) {
+            if (defined('SMTP_DOMAIN')) {
                 $phpmailer->From = BLOG_SLUG . '@' . SMTP_DOMAIN;
-            }
-            else {
+            } else {
                 $dsn = (object) parse_url(get_bloginfo('url'));
                 $phpmailer->From = BLOG_SLUG . '@' . $dsn->host;
             }
@@ -174,16 +182,36 @@ class AppMuPlugin
         });
     }
 
-    private function two_factor_default() {
-        add_filter('two_factor_enabled_providers_for_user', function ($providers)
-        {
-            if (! in_array('Two_Factor_Email', $providers))
-            {
+    private function twoFactorDefault()
+    {
+        add_filter('two_factor_providers', function ($providers) {
+            // Disable FIDO U2F by default
+            // ISSUE https://wordpress.org/support/topic/i-cant-add-my-yubikey/
+            $providers['Two_Factor_FIDO_U2F'] = '';
+            // Disable Dummy provider by default
+            $providers['Two_Factor_Dummy'] = '';
+            return $providers;
+        });
+
+        // Enable Two Factor Email by default
+        //  force email two factor authentication
+        add_filter('two_factor_enabled_providers_for_user', function ($providers) {
+            if (! in_array('Two_Factor_Email', $providers)) {
                 array_push($providers, 'Two_Factor_Email');
             }
             return $providers;
         });
     }
+
+    private function onLogoutRedirect()
+    {
+        add_action('wp_logout', function () {
+            if (defined('LOGOUT_REDIRECT_URL')) {
+                wp_redirect(LOGOUT_REDIRECT_URL);
+                exit;
+            }
+        });
+    }
 }
 
 new AppMuPlugin();

web/robots.txt

@@ -0,0 +1,18 @@
+User-agent: Googlebot
+Allow: /
+User-agent: Bingbot
+Allow: /
+User-agent: BingPreview
+Allow: /
+User-agent: Pinterestbot
+Allow: /
+User-agent: facebookexternalhit
+Allow: /
+User-agent: Applebot
+Allow: /
+User-agent: OSZKbot
+Allow: /
+User-agent: upday
+Allow: /
+User-agent: Mediapartners-Google
+Allow: /