hvg-dev/blog
1
0
Fork 0
Code Actions Activity

Compare commits

base: hvg-dev:old-main
Branches Tags
hvg-dev:main hvg-dev:dev hvg-dev:old-main
..
compare: hvg-dev:dev
Branches Tags
hvg-dev:dev hvg-dev:main hvg-dev:old-main

23 Commits
old-main ... dev

Author SHA1 Message Date
felegy
8410f0b6c8 ~ UPD update all dependencies
All checks were successful
/ build-and-deploy (push) Successful in 1m22s
Details
2025-12-16 15:35:28 +00:00
felegy
e34cb21af8 + ADD managing scripts 2025-12-16 15:21:51 +00:00
Gabor FELEGYHAZI
4b022855ea Change SMTP port from 587 to 2525 2025-12-16 08:57:24 +01:00
felegy
267c96c75f + ADD kubernetes deployment 2025-10-01 17:16:39 +00:00
hvg-dev
28c75bf5c0 Merge branch 'main' into dev
All checks were successful
/ build-and-deploy (push) Successful in 2m7s
Details
2025-09-25 16:42:33 +02:00
felegy
4289eb766c ~ CHG rebuild dev image
All checks were successful
/ build-and-deploy (push) Successful in 1m47s
Details
2025-09-25 14:32:32 +00:00
felegy
2bc32b8f25 ~ Upgrade dependencies
Some checks failed
/ build-and-deploy (push) Failing after 58m24s
Details
2025-09-24 11:32:15 +00:00
felegy
c6f3828607 ~ Rebuild Image
All checks were successful
/ build-and-deploy (push) Successful in 1m19s
Details
2025-09-05 07:25:37 +00:00
felegy
71fd1198d6 ~ Rebuild Image 2025-09-05 07:25:37 +00:00
felegy
b0e1cfca52 ~ Rebuild Image
All checks were successful
/ build-and-deploy (push) Successful in 2m0s
Details
2025-09-05 07:18:58 +00:00
felegy
b351c9a509 ~ FIX composer plugin-api-version
All checks were successful
/ build-and-deploy (push) Successful in 1m55s
Details
2025-09-03 16:05:46 +00:00
felegy
a4126afaa0 ~ FIX composer plugin-api-version
All checks were successful
/ build-and-deploy (push) Successful in 2m48s
Details
2025-09-03 16:00:37 +00:00
felegy
1e4f9d1da4 ~ FIX composer plugin-api-version 2025-09-03 15:56:27 +00:00
felegy
e73e282643 ~ FIX project descriptor file
All checks were successful
/ build-and-deploy (push) Successful in 1m46s
Details
2025-09-03 14:14:05 +00:00
felegy
d27d2e55ef ~ Rebuild Image
All checks were successful
/ build-and-deploy (push) Successful in 3m13s
Details
2025-09-03 14:07:57 +00:00
felegy
e10fa1f2e0 ~ FIX composer outdated
All checks were successful
/ build-and-deploy (push) Successful in 2m48s
Details
2025-09-03 12:30:59 +00:00
felegy
bfaba89985 + ADD Build environment 2025-09-03 12:27:41 +00:00
felegy
83aa042834 + ADD Build variables 2025-08-29 11:51:19 +00:00
felegy
cc84f76490 + ADD CI/CD 2025-08-29 11:44:13 +00:00
felegy
696fb9b22c + ADD keycloack.hvg.hu auth via SAML 2025-08-28 13:40:08 +00:00
felegy
1d2ee9e663 ~ UPD composer dependencies 2025-08-26 12:09:40 +00:00
felegy
dbb6916455 + ADD hvg theme images 2025-08-06 09:42:26 +00:00
felegy
7c8d2d60a7 + ADD robots.txt and ads.txt files 2025-08-04 14:10:44 +00:00
54 changed files with 2290 additions and 651 deletions
Expand all files Collapse all files

11
.devops/build/1-runner-role.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: runner-role
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'

11
.devops/build/2-runner-role-binding.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: runner-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: runner-role
subjects:
- kind: ServiceAccount
name: default

10
.devops/build/3-act-runner-vol.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: act-runner-vol
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

75
.devops/build/4-act-runner.yaml Normal file
View File

@@ -0,0 +1,75 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: act-runner
labels:
app: act-runner
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: act-runner
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: act-runner
spec:
containers:
- command:
- sh
- -c
- while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...';
sleep 5; done; /sbin/tini -- run.sh
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
- name: GITEA_INSTANCE_URL
value: http://gitea-http.gitea.svc.cluster.local:3000
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
key: token
name: runner-secret
image: gitea/act_runner:nightly
imagePullPolicy: IfNotPresent
name: runner
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /certs
name: docker-certs
- mountPath: /data
name: runner-data
- env:
- name: DOCKER_TLS_CERTDIR
value: /certs
image: docker:23.0.6-dind
imagePullPolicy: IfNotPresent
name: daemon
securityContext:
privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /certs
name: docker-certs
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
terminationGracePeriodSeconds: 30
volumes:
- name: docker-certs
- name: runner-data
persistentVolumeClaim:
claimName: act-runner-vol

755
.devops/db/wp_init_db Normal file
View File

File diff suppressed because one or more lines are too long

BIN
.devops/db/wp_init_db.gz
View File

Binary file not shown.

17
.devops/gitea-values.yaml Normal file
View File

@@ -0,0 +1,17 @@
fullnameOverride: gitea
ingress:
enabled: 'false'
className: nginx
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
external-dns.alpha.kubernetes.io/hostname: git.hvgrt.hu
hosts:
- host: git.hvgrt.hu
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls
hosts:
- git.hvgrt.hu

BIN
.devops/img/wp_init_uploads.tgz Normal file
View File

Binary file not shown.

77
.devops/scripts/create-application.sh Normal file
View File

@@ -0,0 +1,77 @@
#!/usr/bin/env bash
# Usage: ./generate application.sh <application-name>
# Example: ./generate application.sh hvgblog-7koznapi > .env.hvgblog-7koznapi
script_dir=$(dirname "$0")
APPLICATION_NAME=${1:-"dev"}
if [ -z "$APPLICATION_NAME" ]; then
echo "Usage: $0 <application-name>"
exit 1
fi
SALT_PATTERN=${SALT_PATTERN:-':alnum:!"#$%&()*+,-./:;<=>?@[\]^_`{|}~'}
SALT_LENGTH=${SALT_LENGTH:-64}
PASS_PATTERN=${PASS_PATTERN:-':alnum:'}
PASS_LENGTH=${PASS_LENGTH:-16}
APPLICATION_NAMESPACE=${APPLICATION_NAMESPACE:-'hvg-dev'}
APPLICATION_DOMAIN=${APPLICATION_DOMAIN:-'hvgblog.hu'}
APPLICATION_HOST=${APPLICATION_HOST:-"${APPLICATION_NAME}.${APPLICATION_DOMAIN}"}
APPLICATION_EMAIL=${APPLICATION_EMAIL:-'blogadmin@hvg.hu'}
CERT=${SEAL_CERT_TMP:-$(mktemp)}
if [ -z "$SEAL_CERT" ]; then
echo "SEAL_CERT is not set, fetching..." | tee /dev/stderr
kubeseal --fetch-cert > "$CERT"
else
regex='(https?|ftp|file)://[-[:alnum:]\+&@#/%?=~_|!:,.;]*[-[:alnum:]\+&@#/%=~_|]'
if [[ $SEAL_CERT =~ $regex ]]; then
echo "SEAL_CERT looks like a URL, fetching..." | tee /dev/stderr
curl -sSL "$SEAL_CERT" -o "$CERT"
else
if [ -f "$SEAL_CERT" ]; then
echo "SEAL_CERT looks like a file path, using..." | tee /dev/stderr
cp "$SEAL_CERT" "$CERT"
else
echo "SEAL_CERT is not a valid URL or file path, exiting." | tee /dev/stderr
exit 1
fi
fi
fi
seal() {
local value=$1
echo -n "$value" |
kubeseal --cert "$CERT" --from-file=/dev/stdin --raw --scope cluster-wide
}
gen_salt() {
cat /dev/urandom | tr -dc "${SALT_PATTERN}" | fold -w "${SALT_LENGTH}" | head -n 1 | sed 's/\n//'
}
gen_pass() {
cat /dev/urandom | tr -dc "${PASS_PATTERN}" | fold -w "${PASS_LENGTH}" | head -n 1 | sed 's/\n//'
}
declare -A parameters
get_parameter() {
local key=$1
echo "${parameters[$key]}"
}
dump_parameters() {
echo "parameters:"
for key in "${!parameters[@]}"; do
echo " - name: $key"
echo " value: ${parameters[$key]}"
done
}
# shellcheck disable=SC1091
source "${script_dir}/parameters.tmp"
dump_parameters | tee

19
.devops/scripts/parameters.tmp Normal file
View File

@@ -0,0 +1,19 @@
declare -A parameters=( \
[db.name]=$APPLICATION_NAME \
[db.username]=$APPLICATION_NAME \
[db.sealedPassword]=$(seal $(gen_pass)) \
[env.BLOG_SLUG]=$APPLICATION_NAME \
[env.WP_HOME]="https://${APPLICATION_HOST}" \
[env.WP_SITEURL]="https://${APPLICATION_HOST}/wp" \
[env.ADMIN_EMAIL]=$APPLICATION_EMAIL \
[env.S3_UPLOADS_BUCKET]="hvgblog/${APPLICATION_NAME}" \
[env.S3_UPLOADS_BUCKET_URL]="https://cdn.${APPLICATION_DOMAIN}/${APPLICATION_NAME}" \
[sealedSecretEnv.AUTH_KEY]=$(seal $(gen_salt)) \
[sealedSecretEnv.AUTH_SALT]=$(seal $(gen_salt)) \
[sealedSecretEnv.LOGGED_IN_KEY]=$(seal $(gen_salt)) \
[sealedSecretEnv.LOGGED_IN_SALT]=$(seal $(gen_salt)) \
[sealedSecretEnv.NONCE_KEY]=$(seal $(gen_salt)) \
[sealedSecretEnv.NONCE_SALT]=$(seal $(gen_salt)) \
[sealedSecretEnv.SECURE_AUTH_KEY]=$(seal $(gen_salt)) \
[sealedSecretEnv.SECURE_AUTH_SALT]=$(seal $(gen_salt)) \
)

15
.editorconfig Normal file
View File

@@ -0,0 +1,15 @@
root = true
[*]
indent_style = space
indent_size = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
[*.php]
indent_size = 4
[*.md]
trim_trailing_whitespace = false

26
.editorconfig-checker.json Normal file
View File

@@ -0,0 +1,26 @@
{
"Verbose": false,
"Debug": false,
"IgnoreDefaults": false,
"SpacesAfterTabs": false,
"NoColor": false,
"Exclude": [
".git/",
"vendor/",
"web/wp/",
"web/app/",
"web/app/themes/",
"web/app/plugins/",
"web/app/languages"
],
"AllowedContentTypes": [],
"PassedFiles": [],
"Disable": {
"EndOfLine": false,
"Indentation": false,
"IndentSize": false,
"InsertFinalNewline": false,
"TrimTrailingWhitespace": false,
"MaxLineLength": false
}
}

1
.envrc Normal file
View File

@@ -0,0 +1 @@
export WP_PW=$(gopass show hvg/BLOG_ROOT_PWD)

54
.gitea/workflows/cd.yaml Normal file
View File

@@ -0,0 +1,54 @@
on:
push:
branches:
- main
- dev
env:
NAMESPACE: ${{ github.repository_owner }}
DOCKER_REGISTRY: ghcr.io
DOCKER_REPOSITORY: ${{ github.repository }}
jobs:
build-and-deploy:
env:
IMAGE: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Install kpack-cli
env:
KPACK_CLI_VERSION: 0.13.0
KPACK_CLI_SHA256: 52f0c927a1350f4f1bb281575ec246f406fb96aa69dc974ed10a2fe52c538158
working-directory: /tmp
run: |
set -ex
curl -sLO "https://github.com/buildpacks-community/kpack-cli/releases/download/v${KPACK_CLI_VERSION}/kp-linux-amd64-${KPACK_CLI_VERSION}"
echo "${KPACK_CLI_SHA256} kp-linux-amd64-${KPACK_CLI_VERSION}" | sha256sum --check || exit 1
sudo mv kp-linux-amd64-${KPACK_CLI_VERSION} /usr/local/bin/kp
sudo chmod +x /usr/local/bin/kp
kp version
- name: Install kubectl
uses: azure/setup-kubectl@v4
- name: Configure kubectl
uses: azure/k8s-set-context@v1
with:
kubeconfig: ${{ secrets.KUBE_CONFIG }}
- name: Update kpack image
env:
SHA: ${{ github.sha }}
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
echo "SHORT_SHA=${SHORT_SHA}" >> $GITHUB_ENV
IMAGE_NAME="${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}-${GITHUB_REF##*/}"
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
kp image patch $IMAGE_NAME --replace-additional-tag "${IMAGE}:sha-${SHORT_SHA}" --git-revision "${SHA}" -n $NAMESPACE
kp image status $IMAGE_NAME -n $NAMESPACE
- name: Wait for build to complete
run: |
BUILD=$(kubectl -n $NAMESPACE get image $IMAGE_NAME -o jsonpath='{.status.buildCounter}')
BUILD_REF=$(kubectl -n $NAMESPACE get image $IMAGE_NAME -o jsonpath='{.status.latestBuildRef}')
kp build logs $IMAGE_NAME -n $NAMESPACE --build ${BUILD}
kp build status $IMAGE_NAME -n $NAMESPACE -b $BUILD
if [ "$(kubectl -n $NAMESPACE get build $BUILD_REF -o jsonpath='{.status.conditions[0].status}')" != "True" ]; then exit 1; fi
# - name: Update Kubernetes deployment
# run: |
# kubectl set image deployment/my-app my-app=<registry>/<repository>:${{ github.sha }}

70
.github/workflows/cicd.yaml vendored Normal file
View File

@@ -0,0 +1,70 @@
name: CI
on:
push:
branches:
- main
- dev
env:
DESCRIPTION: "Wordpress Heroku App Image https://hvgblog.hu"
PHP_VERSION: ${{ vars.PHP_VERSION }}
DEPLOY_REPO: ${{ vars.DEPLOY_REPO }}
jobs:
check:
name: Check
runs-on: [ubuntu-latest]
steps:
- uses: actions/checkout@master
- uses: editorconfig-checker/action-editorconfig-checker@main
- name: EditorConfig Check
run: editorconfig-checker
- name: ShellCheck
uses: ludeeus/action-shellcheck@master
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: PHP security check
uses: symfonycorp/security-checker-action@v5
test:
name: Test
needs: [check]
runs-on: [ubuntu-latest]
steps:
- uses: actions/checkout@master
- uses: php-actions/composer@v6
with:
dev: yes
args: --ignore-platform-reqs
php_version: "${{ env.PHP_VERSION }}"
- uses: php-actions/composer@v6
with:
command: outdate
args: --strict --direct --ignore-platform-reqs
php_version: "${{ env.PHP_VERSION }}"
- uses: php-actions/composer@v6
with:
command: test
php_version: "${{ env.PHP_VERSION }}"
image_build:
name: Image Build
needs: [check,test]
runs-on: [ubuntu-latest]
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: felegy/mirror-action@master
with:
REMOTE: git@${{ env.DEPLOY_REPO }}:${{ github.repository }}.git
SSH_CONFIG: |
Host ${{ env.DEPLOY_REPO }}
ProxyCommand cloudflared access ssh --hostname %h
GIT_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
GIT_SSH_NO_VERIFY_HOST: "true"

4
.gitignore vendored
View File

@@ -25,7 +25,9 @@ web/.htaccess
.env .env
.env.* .env.*
*.env *.env
.env.*
!.env.example !.env.example
!.envrc
# Heroku bin # Heroku bin
.heroku/* .heroku/*
@@ -44,6 +46,6 @@ wp-cli.local.yml
# Local gpg # Local gpg
/.gpg /.gpg
# Local db backips # Local db backups
*.sql *.sql
*.sql.gz *.sql.gz

10
.lando.yml
View File

@@ -7,9 +7,9 @@ recipe: wordpress
config: config:
php: '8.3' php: '8.3'
via: nginx via: nginx
database: mariadb:11.4.5 database: mariadb
webroot: web webroot: web
xdebug: true xdebug: false
config: config:
php: config/php.ini php: config/php.ini
vhosts: config/lando.conf.tpl vhosts: config/lando.conf.tpl
@@ -17,3 +17,9 @@ config:
services: services:
mailhog: mailhog:
type: mailhog type: mailhog
tooling:
tar:
service: appserver
cmd:
- tar

16
.vscode/settings.json vendored Normal file
View File

@@ -0,0 +1,16 @@
{
"[php]": {
"editor.formatOnSave": true,
"editor.defaultFormatter": "obliviousharmony.vscode-php-codesniffer"
},
"phpCodeSniffer.exclude": [
"**/vendor/**",
"web/wp",
"web/app/languages/",
"web/app/themes/hvg-blog-general/",
"web/app/themes/twentytwentyfive/",
"web/app/plugins/"
],
"phpCodeSniffer.autoloadPHPCSIntegration": true,
"phpCodeSniffer.autoExecutable": true
}

44
composer.json
View File

@@ -22,7 +22,12 @@
} }
], ],
"keywords": [ "keywords": [
"bedrock", "composer", "roots", "wordpress", "wp", "wp-config" "bedrock",
"composer",
"roots",
"wordpress",
"wp",
"wp-config"
], ],
"support": { "support": {
"issues": "https://github.com/roots/bedrock/issues", "issues": "https://github.com/roots/bedrock/issues",
@@ -32,11 +37,14 @@
{ {
"type": "composer", "type": "composer",
"url": "https://wpackagist.org", "url": "https://wpackagist.org",
"only": ["wpackagist-plugin/*", "wpackagist-theme/*"] "only": [
"wpackagist-plugin/*",
"wpackagist-theme/*"
]
}, },
{ {
"type": "vcs", "type": "vcs",
"url": "https://github.com/hvg-dev/hvg-blog-general" "url": "https://github.com/hvg-dev/hvg-blog-general"
} }
], ],
"require": { "require": {
@@ -48,7 +56,7 @@
"ext-exif": "*", "ext-exif": "*",
"ext-imagick": "*", "ext-imagick": "*",
"ext-intl": "*", "ext-intl": "*",
"composer/installers": "~2.2", "composer/installers": "^2.2",
"vlucas/phpdotenv": "^5.5", "vlucas/phpdotenv": "^5.5",
"oscarotero/env": "^2.1", "oscarotero/env": "^2.1",
"roots/bedrock-autoloader": "^1.0", "roots/bedrock-autoloader": "^1.0",
@@ -69,13 +77,14 @@
"wpackagist-plugin/wp-api-swaggerui": "^1.2", "wpackagist-plugin/wp-api-swaggerui": "^1.2",
"wpackagist-plugin/cloudflare": "^4.12", "wpackagist-plugin/cloudflare": "^4.12",
"wpackagist-plugin/menu-image": "^3.13", "wpackagist-plugin/menu-image": "^3.13",
"wpackagist-plugin/code-snippets": "^3.6" "wpackagist-plugin/code-snippets": "^3.6",
"wpackagist-plugin/saml-sso-wp-single-sign-on": "^1.4",
"wpackagist-plugin/fancy-facebook-comments": "^1.2"
}, },
"require-dev": { "require-dev": {
"heroku/heroku-buildpack-php": "*", "heroku/heroku-buildpack-php": "*",
"roave/security-advisories": "dev-latest", "squizlabs/php_codesniffer": "*",
"laravel/pint": "^1.18" "roave/security-advisories": "dev-latest"
}, },
"config": { "config": {
"optimize-autoloader": true, "optimize-autoloader": true,
@@ -89,15 +98,20 @@
"prefer-stable": true, "prefer-stable": true,
"extra": { "extra": {
"installer-paths": { "installer-paths": {
"web/app/mu-plugins/{$name}/": ["type:wordpress-muplugin"], "web/app/mu-plugins/{$name}/": [
"web/app/plugins/{$name}/": ["type:wordpress-plugin"], "type:wordpress-muplugin"
"web/app/themes/{$name}/": ["type:wordpress-theme"] ],
"web/app/plugins/{$name}/": [
"type:wordpress-plugin"
],
"web/app/themes/{$name}/": [
"type:wordpress-theme"
]
}, },
"wordpress-install-dir": "web/wp" "wordpress-install-dir": "web/wp"
}, },
"scripts": { "scripts": {
"project-init": "php -v", "test": "phpcs",
"lint": "pint --test", "project-init": "php -v"
"lint:fix": "pint"
} }
} }

660
composer.lock generated
View File

File diff suppressed because it is too large Load Diff

2
config/app/base.php
View File

@@ -7,7 +7,6 @@ $env_keys = array();
# App Base environment keys # App Base environment keys
array_push($env_keys, 'BLOG_SLUG'); array_push($env_keys, 'BLOG_SLUG');
array_push($env_keys, 'USE_CDN');
array_push($env_keys, 'GA_CODE'); array_push($env_keys, 'GA_CODE');
array_push($env_keys, 'GTM_CODE'); array_push($env_keys, 'GTM_CODE');
array_push($env_keys, 'FORCE_SSL_ADMIN'); array_push($env_keys, 'FORCE_SSL_ADMIN');
@@ -30,6 +29,7 @@ array_push($env_keys, 'CLOUDFLARE_EMAIL');
array_push($env_keys, 'WP_CF_ACCESS_AUTH_DOMAIN'); array_push($env_keys, 'WP_CF_ACCESS_AUTH_DOMAIN');
array_push($env_keys, 'WP_CF_ACCESS_JWT_AUD'); array_push($env_keys, 'WP_CF_ACCESS_JWT_AUD');
array_push($env_keys, 'WP_CF_ACCESS_REDIRECT_LOGIN'); array_push($env_keys, 'WP_CF_ACCESS_REDIRECT_LOGIN');
array_push($env_keys, 'LOGOUT_REDIRECT_URL');
### ###
# App Secret environment keys # App Secret environment keys

4
config/php.ini
View File

@@ -0,0 +1,4 @@
upload_max_filesize=1024M
post_max_size=1024M
max_execution_time=300
max_input_time=300

6
k8s/build/0-default-lifecycle.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kpack.io/v1alpha2
kind: ClusterLifecycle
metadata:
name: default-lifecycle
spec:
image: buildpacksio/lifecycle

9
k8s/build/0-kpack-service-account.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kpack-service-account
namespace: kpack
secrets:
- name: kp-default-registry-creds
imagePullSecrets:
- name: kp-default-registry-creds

10
k8s/build/1-default-clusterstores.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: kpack.io/v1alpha2
kind: ClusterStore
metadata:
name: default
spec:
serviceAccountRef:
name: kpack-service-account
namespace: kpack
sources:
- image: ghcr.io/hvg-dev/test-builder@sha256:3c169742c4d278f9baa79003b1a998d9337cc2050c7845207d8012207c16a1a7

13
k8s/build/1-heroku-24-clusterstacks.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: kpack.io/v1alpha2
kind: ClusterStack
metadata:
name: heroku-24
spec:
buildImage:
image: ghcr.io/hvg-dev/test-builder@sha256:6294ec780aeb492bbcef91884c21d9b5f1fc1f88f6096228ea2e3a640dadef09
id: heroku-24
runImage:
image: ghcr.io/hvg-dev/test-builder@sha256:9a80c7da247decbfb1350c1fb0aa6436d74bde59953751e6193835063ca38e84
serviceAccountRef:
name: kpack-service-account
namespace: kpack

25
k8s/build/3-builder-clusterbuilders.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: kpack.io/v1alpha2
kind: ClusterBuilder
metadata:
name: builder
spec:
lifecycle:
kind: ClusterLifecycle
name: default-lifecycle
order:
- group:
- id: heroku/php
- id: heroku/procfile
- group:
- id: heroku/nodejs
- id: heroku/procfile
serviceAccountRef:
name: kpack-service-account
namespace: kpack
stack:
kind: ClusterStack
name: heroku-24
store:
kind: ClusterStore
name: default
tag: ghcr.io/hvg-dev/test-builder

10
k8s/build/4-hvg-dev-service-account.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kpack-service-account
namespace: hvg-dev
secrets:
- name: kp-default-registry-creds
- name: git-ssh-auth-secret
imagePullSecrets:
- name: kp-default-registry-creds

20
k8s/build/blog-dev-image.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: kpack.io/v1alpha2
kind: Image
metadata:
name: blog-dev
namespace: hvg-dev
spec:
additionalTags:
- ghcr.io/hvg-dev/blog:sha-2bc32b8
builder:
kind: ClusterBuilder
name: builder
failedBuildHistoryLimit: 10
imageTaggingStrategy: BuildNumber
serviceAccountName: kpack-service-account
source:
git:
revision: 2bc32b8f256bd8931d690ab78b08a6e31cab7af0
url: git@gitea-ssh.gitea.svc:hvg-dev/blog.git
successBuildHistoryLimit: 10
tag: ghcr.io/hvg-dev/blog:dev

20
k8s/build/blog-main-image.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: kpack.io/v1alpha2
kind: Image
metadata:
name: blog-main
namespace: hvg-dev
spec:
additionalTags:
- ghcr.io/hvg-dev/blog:sha-b0e1cfc
builder:
kind: ClusterBuilder
name: builder
failedBuildHistoryLimit: 10
imageTaggingStrategy: BuildNumber
serviceAccountName: kpack-service-account
source:
git:
revision: b0e1cfca5205556c738e44b7eb040c5f87dac109
url: git@gitea-ssh.gitea.svc:hvg-dev/blog.git
successBuildHistoryLimit: 10
tag: ghcr.io/hvg-dev/blog:main

52
k8s/hvgblog-vcluster.yaml Normal file
View File

@@ -0,0 +1,52 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
annotations:
helmcharts.cattle.io/managed-by: helm-controller
name: hvgblog-vcluster
namespace: kube-system
spec:
chart: vcluster
createNamespace: true
repo: https://charts.loft.sh
set:
integrations.metricsServer.enabled: "true"
sync.toHost.ingresses.enabled: "true"
sync.toHost.persistentVolumeClaims.enabled: "true"
targetNamespace: hvgblog
valuesContent: |
controlPlane:
distro:
k3s:
enabled: true
extraArgs:
- --tls-san=hvgblog-vcluster.hvg.hu
image:
tag: v1.32.1-k3s1
ingress:
annotations:
cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
ingress.kubernetes.io/force-ssl-redirect: "true"
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
enabled: true
host: hvgblog-vcluster.hvg.hu
pathType: ImplementationSpecific
spec:
tls:
- hosts:
- hvgblog-vcluster.hvg.hu
secretName: tls-vcluster
exportKubeConfig:
context: hvgblog-vcluster
integrations:
metricsServer:
enabled: true
sync:
toHost:
ingresses:
enabled: true
persistentVolumeClaims:
enabled: true
version: 0.26.0

4
k8s/manifests/app/Chart.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v2
name: hvgblog
version: 0.1.0
type: application

15
k8s/manifests/app/templates/0-github-container-registry.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
annotations:
sealedsecrets.bitnami.com/cluster-wide: "true"
name: github-container-registry
spec:
encryptedData:
.dockerconfigjson: {{ .Values.imagePullSealedSecret | quote }}
template:
metadata:
annotations:
sealedsecrets.bitnami.com/cluster-wide: "true"
name: github-container-registry
type: kubernetes.io/dockerconfigjson

33
k8s/manifests/app/templates/1-db-user.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: "{{ .Release.Name }}-db-pass"
namespace: {{ .Release.Namespace }}
annotations:
sealedsecrets.bitnami.com/cluster-wide: "true"
spec:
encryptedData:
password: {{ .Values.db.sealedPassword | quote }}
template:
metadata:
annotations:
sealedsecrets.bitnami.com/cluster-wide: "true"
name: "{{ .Release.Name }}-db-pass"
namespace: {{ .Release.Namespace }}
---
apiVersion: k8s.mariadb.com/v1alpha1
kind: User
metadata:
name: "{{ .Release.Name }}-db-user"
spec:
name: {{ .Values.db.username | quote }}
mariaDbRef:
name: mariadb
namespace: default
passwordSecretKeyRef:
name: "{{ .Release.Name }}-db-pass"
key: password
# This field is immutable and defaults to 10
host: "%"
cleanupPolicy: Delete
maxUserConnections: 0

13
k8s/manifests/app/templates/2-database.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: k8s.mariadb.com/v1alpha1
kind: Database
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
spec:
name: {{ .Values.db.name | quote }}
mariaDbRef:
name: mariadb
namespace: default
characterSet: utf8
collate: utf8_general_ci
cleanupPolicy: Delete

26
k8s/manifests/app/templates/3-db-grant.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: k8s.mariadb.com/v1alpha1
kind: Grant
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
spec:
mariaDbRef:
name: mariadb
namespace: default
privileges:
- "SELECT"
- "INSERT"
- "UPDATE"
- "DELETE"
- "CREATE"
- "DROP"
- "INDEX"
- "ALTER"
- "LOCK TABLES"
- "EXECUTE"
database: {{ .Values.db.name | quote }}
table: "*"
host: "%"
username: {{ .Values.db.username | quote }}
grantOption: true
cleanupPolicy: Delete

26
k8s/manifests/app/templates/4-db-connection.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: k8s.mariadb.com/v1alpha1
kind: Connection
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
spec:
mariaDbRef:
name: mariadb
namespace: default
username: {{ .Values.db.username | quote }}
passwordSecretKeyRef:
name: "{{ .Release.Name }}-db-pass"
key: password
database: {{ .Values.db.name | quote }}
secretName: "{{ .Release.Name }}-db-connection"
secretTemplate:
key: dsn
usernameKey: DB_USER
passwordKey: DB_PASSWORD
hostKey: DB_HOST
portKey: DB_PORT
databaseKey: DB_NAME
healthCheck:
interval: 60s
retryInterval: 30s
serviceName: mariadb

11
k8s/manifests/app/templates/5-configmap-env.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
data:
WP_HOME: "https://{{ .Values.host }}"
WP_SITEURL: "https://{{ .Values.host }}/wp"
{{- range $key, $val := .Values.env }}
{{ $key }}: {{ $val | quote }}
{{- end }}

18
k8s/manifests/app/templates/6-secret-env.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if .Values.sealedSecretEnv }}
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
annotations:
sealedsecrets.bitnami.com/cluster-wide: "true"
spec:
encryptedData:
{{- range $key, $val := .Values.sealedSecretEnv }}
{{ $key }}: {{ $val | quote }}
{{- end }}
template:
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- end }}

55
k8s/manifests/app/templates/7-wp-deployment.yaml Normal file
View File

@@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}
spec:
replicas: 1
# revisionHistoryLimit: 3
selector:
matchLabels:
app: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
imagePullSecrets:
- name: github-container-registry
containers:
- name: {{ .Release.Name }}
image: {{ .Values.image }}
imagePullPolicy: Always
command:
- {{ .Values.command | default "web" | quote }}
resources:
requests:
memory: 128M
cpu: 100m
limits:
memory: 512M
ports:
- containerPort: 5000
envFrom:
- configMapRef:
name: {{ .Release.Name }}
- secretRef:
name: {{ .Release.Name }}
- secretRef:
name: "{{ .Release.Name }}-db-connection"
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
app: {{ .Release.Name }}
ports:
- name: wp
protocol: TCP
port: 5000
targetPort: 5000

22
k8s/manifests/app/templates/8-ingress.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
spec:
ingressClassName: nginx
rules:
- host: {{ .Values.host }}
http:
paths:
- backend:
service:
name: {{ .Release.Name }}
port:
number: 5000
path: /
pathType: Prefix
tls:
- hosts:
- {{ .Values.host }}
secretName: "{{ .Release.Name }}-tls"

49
k8s/manifests/app/values.yaml Normal file
View File

@@ -0,0 +1,49 @@
image: ghcr.io/hvg-dev/blog:dev
# Image pull secret for the container registry (see https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-create-imagepullsecrets)
imagePullSealedSecret: AgA56Wy8PD6cByq+xIFwOBl0OUPt0ricOB0tjaC+B/mpHhFnsKaGKt4EdUsfnDZccc3IdpoIFdhOo3rkAikxN+PjCFpb/bC0JZZiP8K3DAREizLAU1R0og0xWjOGZ+GHRdZMiuNFf3ADl5D65lrIr1e1wTrSuJ8SReOqo2rY9QGDwWC51iJwy0cmB3WVGDYjDUIz/vnx5p8BxzIEHsCIoSelBIQjJ0idZwe8JuaSxrQRUtk8/Cenj3mUVsXIVpNr4ExBMF4tBuYEAYuY1t98bp66l6dbbEfnLDpQXDusj7RITV0N2KQ++7h5fjlH9yC8nsXntZb4T6oVSZlJWUYDzqaqfBFckQ6S0L9XcgSOFHKeZa1MVEiKpjiU9uEn+hDCPbatg5exMUEAcvXl6LxnKW/Mn0dIykOv/LIQyxXeUFdGOoFj6pCvkj/Z2DFeHLq5/+rY0ZIvLnLtGYfxm2Du1ft3MldWUSq9i4BUuL0ddH5h4PRxC5SE7Yp/SGkU4qDqqSmh21GxVdezp4YK9Mg4gRrCcGPL+sViDYkDLvBXOpBVhhQbAQcZWkDHit58p3nh2byP0GpIL0etnFGVqx9n2W2BuckKbOeEaRGbdaeO8pT6f2IOA6ZyuT91RiqRYrzXYMA2hzmQBVYlKXjI3LAuEHOnccl7cA57j32U+yHsaCHpxQ0vbDpoZHwRj7O3De4BlEdFiMIBcgveXMK8V5t6Hie/KQZOXwt38UPj9axdGoMzPFe5KffWHNJrUYVyHkS9lfKgi4aHF/SIs034x39l7KPitk3+UqFtKUEuL0/P+EoxN9qre/HFGvF3uZRdllt6gruWYLVCrnLnHfKRKe9D9Mb5jVi+BbVfxuXBip/TFnc0x3JRGmGQQm2bICyYonPP3pQcDqqq/8dshKCGeVHmsN8mP+ERv/izbb2QU4loRg==
command: web
host: dev.hvgblog.hu
db:
name: dev
username: dev
# Use `kubeseal --fetch-cert > pub-cert.pem` to get the cert from the cluster
# Then use `tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1 | kubeseal --raw --scope cluster-wide --cert pub-cert.pem` to create a sealed password
sealedPassword: AgCjcJj1U6QOlCbQFVrT55D/6NECvZzwXZlQmVbeIW/b//SawiIIrlSnVHkQUYcC8VVswYJ854P1+3HANJriBHBs+fLklVsQytnjC6gktUgPcxuhBgACtOBWco3wyq3MNX5qU2IYevdCd7da31czaTNnLkowF8S7Oqyb4DKQAc1RE7geepJyHUxILGvFSsd3LiPkoI5y+J1IWcThFFU2ACZ247FYAprn/XqozgQcX28yO8U30ejW73TJrvxhKR4UvTlqNDSRh/XNBKre/zqCvKg8aKd+LgwCVegPQnGRMl3Jcw1CyRFDADYLg6YwQ9bRRpN518z3IQOonPL82EOAeXAYU6aTVQz2qwQZkDp7ww0MCknhypUSxfHTQ+FSauXxoweUICAzFP3LQuyoE+LUoUMKyC6tKh9Lsiiks+Y0gRp4Jpj0Rhm/f2wPQZwecN63Sd95pEmruYpsTfA4bqJo2omhdZHeQKLMfZQk4MGNBjGeXkif4NIk5RsOgQHM4Rf3tXOmxKoXRayl6J0ow36/jfxCMQAliiq7SGRcty6Mq7j2ou0MRi19b88fFUynLpxQUK7Ob7ziYmWDBPGwAGg9SLApJYidnpKO+351no58UBhAf+d4cyTI0PURvp9kZhkQNsCHuDFWh9CZ3B5RjJ7D/znkdZELvRWWGde7+qbRb924QfWmCpcmjxT6dOP0qQt4dUChVl/yBraBeWyL0EZtjXGDq/W+mf4AkAYN3fwpb98G
env:
PORT: 5000
BLOG_SLUG: dev
DB_PREFIX: wp_
WP_ENV: production
DISABLE_WP_CRON: 1
TZ: Europe/Budapest
#GTM_CODE:
S3_UPLOADS_BUCKET: hvgblog/dev
S3_UPLOADS_BUCKET_URL: https://cdn.hvgblog.hu
S3_UPLOADS_ENDPOINT: https://ams3.digitaloceanspaces.com
S3_UPLOADS_HTTP_CACHE_CONTROL: '30 * 24 * 60 * 60'
S3_UPLOADS_REGION: eu-west-1
SMTP_ENABLED: 1
SMTP_PORT: 2525
SMTP_SECURE: tls
SMTP_SERVER: smtp.eu.mailgun.org
SMTP_DOMAIN: mg.hvgblog.hu
SMTP_LOGIN: wp@mg.hvgblog.hu
sealedSecretEnv:
S3_UPLOADS_KEY: AgASNFNBXB4SlrioskAAXTkVjpmDTFUVI88/qx0w9LMaW6Xqd2W1LZkwNqNStCeN1XbLX8KBypJ2SDz6jUaXUDFl3K98j4VGcxm7o06kGz6MQFDKPTv3tiSaqS8dJeQBB0pMIWRkbAQUkgRxR7SE5R8bkuKWg3RgvPfX6Po/8+D+vT47xi6Vk04VkCoTw8xiBZu6ZtwENm/57saMK/1n0o9uvEm3NWY/lN7G146wIrpHKqzefWddUK5ddDuJJQdUbQnkHPHC9pUH+6a+86ywBp6ZFg5Tzc7jkq9QryRRUjlh6+/fUHZm9B0IEKgdpKaX+fFVFg+xy6fO8CuV/80aJD12v/9+b6Wd9G2U+LSm1KYBFWoWFEiuW/qoA+WH60PYw0/czOxh6FXZgfcqFFLG1mNpzE0/0MsXrZZzS1pFhG8VCGBmTrDGq6gBCsYZtdY456L7fo/REbAHzJ3B5RATlfCTqrr33nNHX6MZod46vE/123dgeZ/Uaui9pjM9/AQko1KGnIAfmiYMilA+CIupXNr1CgIPlB6Gd8iUdg4Lyko0ahkRfu27O9mx4ATLz4b7YD0jXa9TY+LnyucsySTnSbRkjHIL0JePPMYjGP0+M9q+h5IwttRf2xVMqNkBXngqBOsNoBBWyoe2BfVCedX3wh5B/o9gSQbARNPYR03ZI4XeMiG4MbIwAGvXOm+/Ef3h1RtDq4+q4GtG/oH8UQFzxigr3Qcdt+M=
S3_UPLOADS_SECRET: AgANZgOk9NWB7DGFPt0ovHX9ZjT4Sz4cqmx3/MveZORX6yuRaGPHapMnA3f0rgc90c3Z+2z9VlMgINsoJg11DLb/wTNnGcSIW/rmvIH7o+///qk94QbSvUp0kc6VgE7kEZhGU/nzsAd0Ak+8reEh17fNPH6yNf4TtkeICfi4onX64SxEcNmuIcpGTTBeJ300eKgKlTeTuGuN/+/cOn0VPj456nv6nlvag9eRfAcSy6Qo4t0gfvRTbML5zTXDGXArfCCWhMxtoos1KbD48WNlWU/t6d6bODNSaMMsjgIAgY3mkwrUGvuSQV5BAAU2eIgtvAFASXHVLThIt8gqaktappgCJQmLK2d922BYV/ifJMFjp6t0+dd4lsjSmDNQxKr2cjz9DLqdmcpJ3U/W+pKPefb5Na+iOOhzQXSsSTUV4J0pVjdXqnGILX+CSgs8aH+Ax1eLAciGIcajGV6C70GYhVIyMkvC9mmY+QboJBd5eidemIz73APP6yTuKFVO8zsn+CmQ+r65FhjNFzRYTcWpt8k000phtlJvRI9AJ0auhPpGe8rWEA5VcMwlfW0BFbfCT4lkEEirPXUvFhfRohu4Kl0CZkVvRHVhf0q9LU0MEPqjQDPf/xYLP7gVYTD5wYo5aZVCS4FXn3qY8ehucJCJT1X6XjZff2Ym2f4VHC21I3bjOOJrX7gPhAlITEoCcumzaOwWf7iBMQVBQkMo1uscsTZy3YG/OKi7B8Oy36QTMl1enSSX8U3XS/AoSdvSjQ==
SMTP_PASSWORD: AgA9mg9AReuqS8mNJ+6nukExGUhoMYRxHp6Yyuz9otonkn/7BXobjXjF3W8M9y77OysxlJNjfmuCDiYYSQY4EG8c3/lhA5qeMI9vZHIoOI+B/07Ur8BF2jrMdAkjJx6AIVnqIpoU1zGKuE58L4BV/5+D8wRJiEMaVWKcG/5doy2DqjYLEAUAAalrzL8EXM1NTqGS4g3tMNprkcriNSQ3Flj1WBkCX5QEIWtgjAtUajF0tQJLGq0fOHOO4ERM44sMBTS/JcHoLOB22N7YDeTCl+RZwfQgycLThunMbnTtwxjYRELxprWuf9d1Xt+mQ74owU/WWUb5J8DO9gRoI5WHMfCU/TSFLn2C5d6n4J/MlbVElJ8DJDN1CG2dA2XqkiHvoyAbhv66J25d8Jgx69E8cA2zLgBs3SD4rKZ7l8Sqj/G83bAPwqOO6M/fmMtOaHYU7od1buBybesWoZXFRNXBjz5q7UUQkIV6qegMc5Mef2CkrD2NCwJVWsOJMJuWbyFoowMMlgEB/OYEcN5qVVKT9UoaeYXf0h9MA54sv2U/YqDkFxYzVnPe3JMVoRY2x7x+PVe3gzh3rFjSrqjN8MVbAtIGFVJLOZmhN69r2alsJxFsUo+uEFNETYlPPfnmbTiuZwc4cbSRXSSwbhX7zI0mBQhVpVts+2DT5hu3vmUFw9L7M2JClJcECW/mopSS1Ao2jzPHpCwQ3tc/Io4Daut5n4fMsdISEoFUy50cnHlOCu1O09hH0f+FRCEojrP50Ycs2xb//PE=
### WordPress Salts
AUTH_KEY: AgCvDJbrBT/ze5NXqfrs4ZCjHkDj6uM19QVVomPy3mLkcDqBoRznD0heGbiWBLu6/kOcV18sw1q7WMwU//6cuU5eZmeYnhZHbNDxGDPE8Nw/UUmoOR9wOc/XozXf4DBK1zLn9ne4xA4lMdlYeJ7WBWPFYyoc0htrbEiB+MAEt8DXvlRooDIZYtitZzBHWrhFLuIhAi2mIA2SQ9V8simzbUU3DM7Wb/DY4Qoa4jP/XTEgcxdtQPzOXFJTlZt5poMqs1/ckrTeo1/9SLrZZTWQPeZlsoISs18J8oeK33ugTNYz51mRoOai0Yhnc2bbN+4WGgtXi6FPjPgFcdjKjul5gdb81Z47RIO8wwsPjnFTSQ1LXtSJ/HiX9uOj1OHUYEH1rIqzaOmxDo23VYParhDsU2QLDIf1S8mJo/WTn4Hb6IAA5Veb7bbudesffgxgMm69qTQrdoPumLaXNX6TnRC5tGM+YaYbBGVsuDxSZUnagEkobgG8D60V58c6mWbZ+k+VZ+0aNGyaLHEAjZDCDxh9/6AkOoqLIaUXOgL7hQ3eX2YAFfBdwIICY82ylC1DqwTxGqpjRP45E2tMHEp8IQHLgvdEChLBXmqPVk0kJF+FJIzdOE+OkLtnAmCD0L3eq2SXRoceISxf0UNVWLwXMYCrvOM2kSrDHT/PhCqtGwaIDWuLXdddXZzECPk5hcLJb+JSYG1yRc6Qc8nezag7hh31pvfFI6PtR4LqlI8xmsHz0RognxQi/MEI6uSJ23/w+4RbjlBBKILoLqkgE+v1mhbAUuMr0Q==
AUTH_SALT: AgBX0tOuA235buf6x054X0SmTsyqkjeYuevgDdbWIWqi+AWd9slUnlS2bnBtjYGg4U+fTIbldo2bYuEAHK+TIVOXTxud7+PSYEO+JjtpetHchQBYh0rNjTs8K11uK5mqPBSPVkLJE08U2BNvXXubc7plLerNjW4D44ICvJly7P6CO2Rnrjueg34DB1TnGnD8PANIiUZVTrJOCC/QSodhaerqDvJBuq6qS0q+GEqU4C5kineHyzuQnuGq5lUN6l+Gk2R8vlwLaT36x4MJlxRa/UjQsvbQ6CYRNGnZW1knPsvON/sukpy7BVEVYAnCYnrzRX/8kEgyxMfSePcWOwsG1JkSb1PrcQXftro7xZQjKgdkqacOGnkVd8sKn1n0f0w2iAGhMt2fCn7sf5htnSC5lL0mdBosNv3p1VwrfXIwjDr5Fzs1CHTbb1hJ8282aAGfzLxmGXPucAbk7nSvbD4iVhXmZ91vbWJRKC+DD/9HBdQloEplSKYm3uyTb0qlJzPIUVTNLu9b+yTeBQIckuAYu03NX2WWSVkX1M80YMER0/eNbvec4ZCSUxKWLzjVm+k3ra8ToL5tYrEr65Be/WuK57tMvx25106OHvokc6S0wp5B+VyirLtwXqRSGFBWqQv62hxJQDOySNsi45QzueD/BYxG+tf3QX1+bdc50WlwUHK1UEZuSNb6JnGfvFU1fJEApAZWJaK2odItjaR2dVVDMuW1NsXj4qLpB/CaNYM/B8C4Elg7jyCrwTv/1TaY3IW3j/SVnRstgXTwNjRnM/WCUIJbWA==
LOGGED_IN_KEY: AgDU2Ss24Cuw1kthXp2DcKahfQT7apnRWtaoQymBEZMMRpGlvxWMTRRMKAx4N7E0AZdW41QLTpK0ciaI63B0PRD2B6fPVVpoz3ybNlJO/0caIw0yHWL8YSOD7rGw6TkxKrz8lggqRVZerS0tEFT8nLGoqgi+SCsfBhh3u5JQ8QM60WLeWaPvph/QFlSl290+UC2xIVEjk37zQdyXou3goeS3DMjdtze8FiwnmK/XVPsPf2cWZQw0wwAwgIJMVZWhkK2bPOKrMmsdqy4G6YrihcjjRTK/0lGKZ6sEVUsu7NTKgeHGogbu8feA8gpTEuRYP60iFNgwNrCYGmOKCXyw0vSLtxHPE7+cm2pU57GhJCTnOe1Ez9zJZmv0Zc4OEZBAaLbCXoNvoJPskeDBUe7+qcV8ugdtFCxCBtoUolos9UukhAtUWp6+uTv/vjjnCv/7kGGp2fNK8lS1D1ksk1mB0JsnjxKo5pnMHBVhJfk3IfbPLx3yvMaz86wCDKZacm5h9IwsPYEvVzkvWhiOydg3ZRVH7WUE8uJ1+Ojt2+6hlB2cMNNQ5P16fTOmt9vfl9Schlrgo+ku2tU/KPfMs4hHCvvecOskqy9MeTOF5mJllI2gqTlGR2uQ5Hgb/OgH8YOmmycpS+MqKNaTKafvwgN1i0xBaYD8y3hSYeBRTmaHu+Szm8CKEDL8PW4ebJX3a+khJMXkf3UkDjRXjSQhUoFMyRNsHLwAt5mC3asySQue6jOP/mKbZ4c7lH0gx8caDoWrlJFHsDhr79jw3F0gkr4mN+ueAQ==
LOGGED_IN_SALT: AgAVoBL1paq14YzaeB9lkvabzo5iDoVN23gvEQAs6CgZUIejtUa2AAkTmQIjVfkb2S7LOdfXIq1lIAPBqSmO5LqfWDh8kuxgz23mTDxYWvVqqbDpiwAgaydokprDm0WEpPdGTyvqsvEk0Gtxq6rqbFXObsfkLCv85FweyfHxh8Gwo+L/e2l1/NUFOkmT5e1j7bkKmTgBUyMEVuWMA6lFVCd3D6vGfOZqS5O5NfzhFnK9U4ZG+55+LlgbFZZltHixs/jpMBms30B/wkRxBzAAGMMCyqVLlqr3bB0HQsobA/PWHAJbGBuFHV1e9XE+7SUlKLTmcmTyxx2cfHiX2XK7Ne3VW3wEtN/4IVeCPpbwCnceXEzK4uhTHH2Hwihewm+xN5uB7SDBLLO3qSLLznapEhgHIj2tPV2i2ftAsIUjzjuPHyFhdFumzXW3QxqOofvruRYqxQAFN1LBvbys6wWLRPkRgEez0/UIiL3xaWnA+r51/cozozNZI+QDgeAACQQguX/Ag7jR+q83Xga1SeYV0HYT9AvRr+UvRQ0NcTG2ObD5JE5rUmFUeRFWIwRh+HqgekDYy359vFds54vHDn/xtOS6Cb6fyr0qX1WygsBtWUV6jf6T59zYg9L2/kr+s1iUTbbBRizJOrRMdr2gswoUWW+THhM+yc/mIL7BCoWoHPBVJ9m5uvqemfy8VOvFHOVxlBnzqIsc5eAvTh4Nqy6hIxISxG8s44RHTLfDfDxWXxI2QVq8NzY91TlBL68fzINf+Bc4vks3CJnssYdinTS9AjQQOg==
NONCE_KEY: AgAHwWgpFVXSLcEdHG5USGPhqueGXo163MdqCSSscxXjxw9JXKjDQ13jrsnD0JcZIWnSJnBdJ/H84HgHdaFU9g8CDzL3mXC4s66RM+c7Jw/0VCHM72+3zr5Nw+h6ycLzlE1UmB806nY88t8h4/HKujmu42qSzdFySxC5x6WbnaOqri+H+VHZ57dQfyyNFlp7fum2WnqU+EXoxvbEOMgJaxpwc8iwsmKGwy+aSzE7DTpkt/9fA+T8LiaakwtAwcvo8EnVxBesCe9ioDsA+ZjgI3xOr7OsUPb/NxaGt3VGmVk2d8dcKI6YOiyoLCFjAL1z56922OjScOO0CUo7qq0jPRuUJdouT5S3OpDm3NGCr/yjCz9Mh8anWPKxYX1ZEg2QmPiR//r+94V10A0NP6W9frpiBQhIWDqMprUK/0SpZGX88C4F1FPmOi2RSn6Tl7mwOHpZadLzBLpbY2DY/AyGQO6H0W+MJpXCT65vZJeTDcLMjCNGkVEI9vxvtVedTVkbZNbLS6+ros/HA/0qMI803exlNZEnMMwlHn1Hm4z6ngeBP4KJBUkLYLD3ienwijmiMtqmgkOhGbG2K6r+IdKHrssWeizNrx5TzLXKXzyCyk5I/9jVLhC2AM6tBqxW8TVs2WfKS4RVsNvS55qpjWbVpZb7ei10+RiPA6KaVW4ZmwtDuW8bzD2d1rMd6yJ1SiYQhzUOVjcCCYEz6VWN3R5IZ/3UjpeCWnkQ7Lja+Xm3Asvxg4m41cA3B1S/ckmj+qOr2WgjFu7GymWX8IF0hZXZo1oz2g==
NONCE_SALT: AgABajYW5+6c0BPjlcQLPd7v706wd+i8U1hp69+up8PalMtvugwR754mEU/ed7L15U9pTWAf6zGjmuMIZYiFpQVosQl/ggq2LeciT+xBUcrvCxZ/EBCdTl8ig/TgzucVNsR2Y0dCK5Tp7YBTuAIOa0dqyK+v1+LGrgb4PnVQvi18hApBiDX0Txnn5QkGhBaSr7LJuD76KfgY+AZ8Gv95b30pTY2AtYydDJXrtqoDCIXfPcnPf102Hq3na5OfJp2m2N4IUD771tDesb+faeDgk7K/mVcn+kmXB8rIawOQFnaowt5UwbfZ60ppgy1MzQZiiq2pXvMA8F42EnhNUe+C3fPyG7Kl6t7jRo+3mHhz0Dv+o0DO4Iir8r0dTw0MruLqun9YU8pLOv17+BciAxWeG8obJ9Hs5sv9ZPv7wdmlQIX/8fvsxgJgy0cqgH4lWNBD5Em9EyiVAUiRmA6tOosFrlifJMS8F1wfaiNEZ7DxjdSVMrEBtntBO2ndSdrdqNIfUED9ZfIvBxP2UHRS9h4KEyCvxcM8HgWt7htnpiSx/XpFZCJr4meGfaNB1Tv5f40bCFpKmsbK1GXNMKJwOJcV1I2FV6xpp6Ch7tgHlZ/Il7hbQ4JsKav7l93b/Dd2e8y/58Jk3DvBQzrPOWPpQrKxrIOeT8o+HC8PS7jdi5xKJ0g9dR10LkgmW0m/usTdwCLWca/9I7iLxiAF/zRoN+7+8ySxIxnBTaFWykYsIDs+5nsYH6TgXseq9PFnxxtKutMp7EPtnO7vzc4DNtkuouS8oqt+Aw==
SECURE_AUTH_KEY: AgBAPzBURABD4yzbUrMr4l4CRD18wu9+o6+wA9UJ6NQ8F+Hn3ddGG8HMpbq/eWwXw4q7SXv7BEU4VVoeuPjTle5ChQJfrdbThjermhjwcEDu8Cgr6jczj9bKEJ6Th3ezXR2jf+gwpvoPbrlk2s+mPJdWnJrAGxkV89KJWTxPuCz2PbZp2ZaxdAbXiGSL2X9KPO1XHYZjpgN1nd4+2BqGnA9B0ozyVChPctYHv1taPdvF0ifMsJDiNu4PpEcq9Ga/hrgmjYEVvxvrA5J+zOs/DaVm68VtJvyQEIw3A6jZNOVC5WFUk7UuCoBhuj9X/6ayZTVjqvtHMhi3BT2pxFT0n7OXAWd8g4MctyX93dBYcmkjqE4aZn1kHndOdvS1E41J+aMjslWgzdCLDqGqzVxgilMbxXxM+AXOeuAzSzo96WzTnIxnX851xdkJEIjBnCedaIXVkXfEWOewE2SOa/7F7JbQAlMwCrNN5/Co45tLNsfolpwy4WQmWJWcI4nZVTOM79kZM9kr6hAYqhHCG6/8MQ/2Vd8fYvTblJKoagEpKhqZK0J7HQpBaneOGhFV/Wn42v8g73HZc2BdxMrj53yq2eHzpe5AQSApn9nNBWhivAR7+jaDWmNYjcsmDzFf5p8MVPsiyT6JZxVjphkKI38/AfUt7WENcGjyXW6I0MwFYvEXgiPUUPQXtMvX6yDscpxGa/aVIin+7BKrZiu12du4jfyr7VyF+hyw90/YSrk/hfehjiTWk844GDMF9K7LSMLR+tWQ47yUyV5rNQ2FsGqGqdKE/Q==
SECURE_AUTH_SALT: AgCuReJp+NF2X4ywkx+vNjLvX/7JrgCcw8qDGnfI6Pr4/rCUEAouzI9GQ81jLWJX5JL0xIoNfLzv9KyhVGpPEZ2qj+2pHveCFKab0QcMLTVdqLVu9JiESiJ769va7dwV0UZiv2hW1TDdHzTNCtujz3Sd2nP1QXE5stjunVYgMuR5TuDc0vMVYrD4G3GkEaIdKNyDFLrq5w4QHa+zxhDpYPIv1yg09K4X4j0dgYT/PiSdCyhjwyO+92q6AXaeRuq7o1/AavSvpslp3Zc7kiNPY79C6khZhI9VdHosT1H2xbySEovF1FO3f0q1nrxuMFVeMrJrnJBrOjf/7fxi3EQU8YHqcuLLZhOJ9vo7Xo6mpjdiUC3/HCtGDwlGGlsZtZ8xSOT7sqrSS7Z6L+8SMciO/JJY0SyOSQ+KI6XLCF+gLJ/ldguY07RLSCaEqpso1ov6BwdBgkMwYVEtCG19Ll6Qug4gEps6AAfX9fYtzZuqh7klHIstJJ+z1bRZyRMqiyKD3U8B3Xj76nDzmNoKGqEh64q+ylR1yDI7sN4myBXVSLxC86DEfHiDgb7Fpm9KvzqSuPc6WQiRAJOsshnju1g2Mks9XQ3o2xwNtC39uwfXB/aVtG69udi5AYjhRlXfHRkqNxl/nT3sDLR4F4ViLh736b30FPdzjiYx/SBdfwSEljrBWQfMpTSx7jEAFvgARci1MvIPk3SJi39PH4rej4wZGTuEtoWA33473bFKGx5ch7rXGHuVOEgtU4aTshUmKpIbYc0ViZcvKKJM9saEVetQjJvPJw==

25
k8s/manifests/dev-application.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: dev.hvgblog.hu
namespace: hvg-dev
spec:
project: default
source:
repoURL: 'ssh://git@ssh.github.com:443/hvg-dev/blog.git'
path: k8s/manifests/app
targetRevision: HEAD
helm:
releaseName: hvgblog-dev-wp
parameters: []
valueFiles: []
destination:
server: 'https://hvgblog-vcluster.hvg.hu'
namespace: dev
ignoreDifferences: []
syncPolicy:
automated:
prune: true
selfHeal: false
syncOptions:
- CreateNamespace=true

4
k8s/manifests/sys/0-namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: site-system

40
k8s/manifests/sys/default/mariadb.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-my-cnf
namespace: default
data:
config: |
[mariadb]
bind-address=*
default_storage_engine=InnoDB
binlog_format=row
innodb_autoinc_lock_mode=2
wait_timeout=30
---
apiVersion: k8s.mariadb.com/v1alpha1
kind: MariaDB
metadata:
name: mariadb
namespace: default
spec:
image: mariadb:11.8.2
imagePullPolicy: IfNotPresent
myCnfConfigMapKeyRef:
key: config
name: mariadb-my-cnf
port: 3306
replicas: 1
resources:
limits:
cpu: 200m
memory: 1024M
requests:
cpu: 50m
memory: 128M
rootPasswordSecretKeyRef:
key: password
name: mariadb-root-pass
generate: true
storage:
size: 1Gi

22
k8s/manifests/sys/mariadb-operator.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: mariadb-operator-crds
namespace: site-system
spec:
chart: mariadb-operator-crds
repo: https://mariadb-operator.github.io/mariadb-operator
version: 25.8.3
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: mariadb-operator
namespace: site-system
spec:
chart: mariadb-operator
repo: https://mariadb-operator.github.io/mariadb-operator
targetNamespace: site-system
version: 25.8.3
valuesContent: |
fullnameOverride: mariadb-operator

12
k8s/manifests/sys/sealed-secrets.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: sealed-secrets
namespace: site-system
spec:
repo: https://bitnami-labs.github.io/sealed-secrets
chart: sealed-secrets
targetNamespace: kube-system
version: 2.11.0
valuesContent: |
fullnameOverride: sealed-secrets-controller

333
nginx.conf
View File

@@ -1,333 +0,0 @@
# configuration file /opt/bitnami/nginx/conf/nginx.conf:
# Based on https://www.nginx.com/resources/wiki/start/topics/examples/full/#nginx-conf
user daemon daemon; ## Default: nobody
worker_processes auto;
error_log "/opt/bitnami/nginx/logs/error.log";
pid "/opt/bitnami/nginx/tmp/nginx.pid";
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2;
proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2;
fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2;
scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2;
uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2;
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log "/opt/bitnami/nginx/logs/access.log";
sendfile on;
tcp_nopush on;
tcp_nodelay off;
keepalive_timeout 65;
gzip on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
map $http_x_forwarded_proto $lando_https {
default '';
https on;
}
map $http_x_forwarded_proto $http_user_agent_https {
default '';
https ON;
}
client_max_body_size 80M;
server_tokens off;
include "/opt/bitnami/nginx/conf/vhosts/*.conf";
# HTTP Server
server {
# port to listen on. Can also be set to an IP:PORT
listen 80;
location /status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
}
}
# configuration file /opt/bitnami/nginx/conf/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /opt/bitnami/nginx/conf/vhosts/lando.conf:
server {
listen 443 ssl;
listen 80;
listen [::]:80 default ipv6only=on;
server_name localhost;
ssl_certificate /certs/cert.crt;
ssl_certificate_key /certs/cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
root "/app/web";
include /app/config/nginx.conf;
index index.php index.html index.htm;
location ~ \.php$ {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass fpm:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffers 256 128k;
fastcgi_connect_timeout 300s;
fastcgi_send_timeout 300s;
fastcgi_read_timeout 300s;
include fastcgi_params;
}
}
# configuration file /app/config/nginx.conf:
server_tokens off;
index index.php index.html;
charset UTF-8;
default_type text/html;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 10;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg;
client_max_body_size 1024M;
include /app/config/nginx/*.conf;
# Force installation to /wp-admin/install.php so siteurl is always correct
rewrite ^/wp/wp-admin/install.php(.*) $scheme://$http_host/wp-admin/install.php permanent;
# Rewrite rules to allow for an application-like wordpress directory structure
if (!-e $request_filename) {
rewrite ^/wp-admin$ $scheme://$http_host/wp-admin/ permanent;
rewrite ^/(wp-.*.php)$ /wp/$1 last;
rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last;
}
# Enable XML-RPC for WordPress
rewrite ^/(xmlrpc\.php)$ /wp/$1 last;
# Hide often probed WordPress file so that finding out the WordPress install
# and version would not be too easy
location /wp/readme.html {
return 404;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /ads.txt {
allow all;
log_not_found off;
access_log off;
}
# Block direct access to WooCommerce digital downloads. They can be accessed
# via the X-Accel-Redirect mechanism for fast and protected downloads.
location /wp/wp-content/uploads/woocommerce_uploads/ {
internal;
}
# Deny access to any other dot file
# ~ matches using regular expression all requests that contain '/.'
# anywhere in the URL, eg '/.htaccess' and '/wp-content/.htpasswd'.
# This regex will override all non-regex rules, except ^~ rules due
# how to Nginx location parsing and priorities works.
location ~ \/\. {
deny all;
}
location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
try_files $uri =404;
expires max;
add_header Pragma "public";
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
access_log off;
}
# Use actual file if exists, otherwise pass request to WordPress
# Last rule: match all requests (= URLs that start with /)
location / {
try_files $uri $uri/ /index.php?$args;
}
# If front page is requested, skip all other regex and rewrite rules and
# pass request directly to WordPress (= URLS that are exactly /)
# Tip from https://www.scalescale.com/tips/nginx/nginx-location-directive/
location = / {
try_files $uri $uri/ /index.php?$args;
}
# configuration file /opt/bitnami/nginx/conf/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $lando_https if_not_empty;
fastcgi_param HTTP_USER_AGENT_HTTPS $http_user_agent_https if_not_empty;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

26
phpcs.xml Normal file
View File

@@ -0,0 +1,26 @@
<?xml version="1.0"?>
<ruleset name="hvgblog">
<!-- Scan all files in directory -->
<file>.</file>
<!-- Scan only PHP files -->
<arg name="extensions" value="php"/>
<!-- Ignore WordPress and Composer dependencies -->
<exclude-pattern>web/wp</exclude-pattern>
<exclude-pattern>web/app/languages/</exclude-pattern>
<exclude-pattern>web/app/themes/hvg-blog-general/</exclude-pattern>
<exclude-pattern>web/app/themes/twentytwentyfive/</exclude-pattern>
<exclude-pattern>web/app/plugins/</exclude-pattern>
<exclude-pattern>vendor/</exclude-pattern>
<!-- Show colors in console -->
<arg value="-colors"/>
<!-- Show sniff codes in all reports -->
<arg value="ns"/>
<!-- Use PSR-2 as a base -->
<rule ref="PSR2"/>
</ruleset>

1
project.toml
View File

@@ -7,7 +7,6 @@ org.opencontainers.image.description= "HVG Blog cnb image"
[io.buildpacks] [io.buildpacks]
builder = "heroku/builder:24"
include = [ include = [
".profile.d", ".profile.d",
"Procfile", "Procfile",

6
web/ads.txt Normal file
View File

@@ -0,0 +1,6 @@
rubiconproject.com, 15714, DIRECT, 0bfd66d529a55807
rubiconproject.com, 13808, DIRECT, 0bfd66d529a55807
google.com, pub-9423445092945252, DIRECT
google.com, pub-1094437899690041, DIRECT
rubiconproject.com, 209908, DIRECT, 0bfd66d529a55807
adform.com, 2587, DIRECT

126
web/app/mu-plugins/app-mu.php
View File

@@ -15,68 +15,72 @@
* Author URI: https://github.com/felegy * Author URI: https://github.com/felegy
*/ */
defined( 'ABSPATH' ) || die('Restricted Area'); namespace App;
defined('ABSPATH') || die('Restricted Area');
class AppMuPlugin class AppMuPlugin
{ {
public function __construct() public function __construct()
{ {
// Define constants // Define constants
$this->define_constants(); $this->defineConstants();
if (defined('ERROR_LOG_TO_STDOUT')) { if (defined('ERROR_LOG_TO_STDOUT')) {
if (ERROR_LOG_TO_STDOUT) { if (ERROR_LOG_TO_STDOUT) {
// WP error log to stdout // WP error log to stdout
$this->error_log_to_stdout(); $this->errorLogToStdout();
} }
} }
if (defined('S3_UPLOADS_ENDPOINT')) { if (defined('S3_UPLOADS_ENDPOINT')) {
// Filter S3 Uploads params. // Filter S3 Uploads params.
$this->s3_uploads_endpoint(); $this->s3UploadsEndpoint();
} }
if (defined('SMTP_ENABLED') && SMTP_ENABLED) { if (defined('SMTP_ENABLED') && SMTP_ENABLED) {
// If SMTP is enabled, setup PHPMailer // If SMTP is enabled, setup PHPMailer
if (defined('SMTP_SERVER') && defined('SMTP_PORT')) { if (defined('SMTP_SERVER') && defined('SMTP_PORT')) {
$this->setup_phpmailer(); $this->setupPhpMailer();
} }
} }
$this->header_security(); $this->headerSecurity();
$this->no_wordpress_errors(); $this->noWordpressErrors();
$this->sanitize_file_name(); $this->sanitizeFileName();
$this->remove_wp_version(); $this->removeWpVersion();
$this->cc_mime_types(); $this->ccMimeTypes();
$this->two_factor_default(); $this->twoFactorDefault();
$this->onLogoutRedirect();
} }
private function define_constants() { private function defineConstants()
{
if ( ! defined( 'SMTP_SERVER') ) { if (!defined('SMTP_SERVER')) {
define( 'SMTP_SERVER', '127.0.0.1' ); define('SMTP_SERVER', '127.0.0.1');
} }
if ( ! defined( 'SMTP_PORT') ) { if (!defined('SMTP_PORT')) {
define( 'SMTP_PORT', 1025 ); define('SMTP_PORT', 1025);
} }
if ( ! defined( 'BLOG_SLUG') ) { if (!defined('BLOG_SLUG')) {
define( 'BLOG_SLUG', 'wp' ); define('BLOG_SLUG', 'wp');
} }
} }
private function error_log_to_stdout() { private function errorLogToStdout()
{
// Add your initialization code here. // Add your initialization code here.
// WP error log to stdout // WP error log to stdout
add_action('init', function () { add_action('init', function () {
ini_set ('error_log', '/dev/stdout'); // phpcs:ignore ini_set ('error_log', '/dev/stdout'); // phpcs:ignore
}, 10); }, 10);
} }
private function s3_uploads_endpoint() { private function s3UploadsEndpoint()
{
// Filter S3 Uploads params. // Filter S3 Uploads params.
add_filter('s3_uploads_s3_client_params', function ($params) { add_filter('s3_uploads_s3_client_params', function ($params) {
$params['endpoint'] = defined('S3_UPLOADS_ENDPOINT') ? S3_UPLOADS_ENDPOINT : ""; $params['endpoint'] = defined('S3_UPLOADS_ENDPOINT') ? S3_UPLOADS_ENDPOINT : "";
@@ -86,33 +90,36 @@ class AppMuPlugin
}); });
} }
private function header_security() { private function headerSecurity()
{
// Add Security headers. // Add Security headers.
add_filter('wp_headers', add_filter(
function ($headers) { 'wp_headers',
$headers['X-Frame-Options'] = 'SAMEORIGIN'; function ($headers) {
$headers['X-Content-Type-Options'] = 'nosniff'; $headers['X-Frame-Options'] = 'SAMEORIGIN';
$headers['X-XSS-Protection'] = '1; mode=block'; $headers['X-Content-Type-Options'] = 'nosniff';
$headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'; $headers['X-XSS-Protection'] = '1; mode=block';
$headers['Referrer-Policy'] = 'same-origin'; $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
$headers['Permissions-Policy'] = 'geolocation=()'; $headers['Referrer-Policy'] = 'same-origin';
$headers['Content-Security-Policy'] = 'upgrade-insecure-requests'; $headers['Permissions-Policy'] = 'geolocation=()';
$headers['Content-Security-Policy'] = 'upgrade-insecure-requests';
return $headers; return $headers;
}); }
);
} }
private function no_wordpress_errors() private function noWordpressErrors()
{ {
add_filter('login_errors', function () { add_filter('login_errors', function () {
return 'Hiba történt a belépés során!'; return 'Hiba történt a belépés során!';
}); });
} }
private function sanitize_file_name() private function sanitizeFileName()
{ {
// Clean file name when uploading files in WordPress. // Clean file name when uploading files in WordPress.
add_filter('sanitize_file_name', function ($filename){ add_filter('sanitize_file_name', function ($filename) {
$extension = substr($filename, strrpos($filename, '.') + 1); $extension = substr($filename, strrpos($filename, '.') + 1);
$filename = substr($filename, 0, strrpos($filename, '.')); $filename = substr($filename, 0, strrpos($filename, '.'));
@@ -120,21 +127,23 @@ class AppMuPlugin
}); });
} }
private function remove_wp_version() { private function removeWpVersion()
{
// Remove WordPress version from HTML source. // Remove WordPress version from HTML source.
add_filter('the_generator', '__return_empty_string'); add_filter('the_generator', '__return_empty_string');
} }
private function cc_mime_types() { private function ccMimeTypes()
{
// Add SVG to mime_types. // Add SVG to mime_types.
add_filter('upload_mimes', function ($mimes) add_filter('upload_mimes', function ($mimes) {
{
$mimes['svg'] = 'image/svg+xml'; $mimes['svg'] = 'image/svg+xml';
return $mimes; return $mimes;
}); });
} }
private function setup_phpmailer() { private function setupPhpMailer()
{
add_action('phpmailer_init', function ($phpmailer) { add_action('phpmailer_init', function ($phpmailer) {
$phpmailer->Host = SMTP_SERVER; $phpmailer->Host = SMTP_SERVER;
$phpmailer->Port = SMTP_PORT; $phpmailer->Port = SMTP_PORT;
@@ -160,10 +169,9 @@ class AppMuPlugin
$phpmailer->SMTPSecure = false; // Disable encryption $phpmailer->SMTPSecure = false; // Disable encryption
} }
if(defined('SMTP_DOMAIN')) { if (defined('SMTP_DOMAIN')) {
$phpmailer->From = BLOG_SLUG . '@' . SMTP_DOMAIN; $phpmailer->From = BLOG_SLUG . '@' . SMTP_DOMAIN;
} } else {
else {
$dsn = (object) parse_url(get_bloginfo('url')); $dsn = (object) parse_url(get_bloginfo('url'));
$phpmailer->From = BLOG_SLUG . '@' . $dsn->host; $phpmailer->From = BLOG_SLUG . '@' . $dsn->host;
} }
@@ -174,16 +182,36 @@ class AppMuPlugin
}); });
} }
private function two_factor_default() { private function twoFactorDefault()
add_filter('two_factor_enabled_providers_for_user', function ($providers) {
{ add_filter('two_factor_providers', function ($providers) {
if (! in_array('Two_Factor_Email', $providers)) // Disable FIDO U2F by default
{ // ISSUE https://wordpress.org/support/topic/i-cant-add-my-yubikey/
$providers['Two_Factor_FIDO_U2F'] = '';
// Disable Dummy provider by default
$providers['Two_Factor_Dummy'] = '';
return $providers;
});
// Enable Two Factor Email by default
// force email two factor authentication
add_filter('two_factor_enabled_providers_for_user', function ($providers) {
if (! in_array('Two_Factor_Email', $providers)) {
array_push($providers, 'Two_Factor_Email'); array_push($providers, 'Two_Factor_Email');
} }
return $providers; return $providers;
}); });
} }
private function onLogoutRedirect()
{
add_action('wp_logout', function () {
if (defined('LOGOUT_REDIRECT_URL')) {
wp_redirect(LOGOUT_REDIRECT_URL);
exit;
}
});
}
} }
new AppMuPlugin(); new AppMuPlugin();

18
web/robots.txt Normal file
View File

@@ -0,0 +1,18 @@
User-agent: Googlebot
Allow: /
User-agent: Bingbot
Allow: /
User-agent: BingPreview
Allow: /
User-agent: Pinterestbot
Allow: /
User-agent: facebookexternalhit
Allow: /
User-agent: Applebot
Allow: /
User-agent: OSZKbot
Allow: /
User-agent: upday
Allow: /
User-agent: Mediapartners-Google
Allow: /