compose reconcile

.dockerignore

@@ -1,6 +1,8 @@
 .git/
 .env
 secrets/
+docker-compose.override.yml
+docker-compose.override.yaml
 vendor/
 web/wp/
 web/app/uploads/

.gitignore

@@ -1,6 +1,7 @@
 .env
 secrets
 !secrets/.keep
+docker-compose.override.yml
 docker-compose.override.yaml
 vendor/
 web/wp/

Dockerfile

@@ -1,4 +1,3 @@
-# syntax=docker/dockerfile:1.20.0@sha256:26147acbda4f14c5add9946e2fd2ed543fc402884fd75146bd342a7f6271dc1d
 ARG BASE_IMAGE=libops/wp:nginx-1.30.3-php84
 FROM ${BASE_IMAGE}
 

Makefile

@@ -1,6 +1,6 @@
 SHELL := /bin/bash
 
-.PHONY: help rollout test lint
+.PHONY: help test lint
 .SILENT:
 
 -include custom.Makefile
@@ -11,9 +11,6 @@ help: ## Show this help message
 	echo 'Available targets:'
 	awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "  \033[36m%s\033[0m\t%s\n", $$1, $$2}' $(MAKEFILE_LIST) | sort | column -t -s $$'\t'
 
-rollout: ## Roll out the currently checked out WordPress stack
-	./scripts/rollout.sh
-
 test: ## Run template checks
 	./scripts/test.sh
 

README.md

@@ -1,10 +1,16 @@
 # WordPress Bedrock Docker Template
 
-LibOps Docker Compose template for running a Composer-managed [Bedrock](https://roots.io/bedrock/) WordPress site with Traefik, MariaDB, and the LibOps WordPress PHP/nginx image.
+The WordPress Bedrock Docker Template gives you a Docker Compose repository for running a Composer-managed [Bedrock](https://roots.io/bedrock/) WordPress site. It includes Traefik, MariaDB, and the LibOps WordPress PHP/nginx image, and is designed to be managed with [`sitectl-wp`](https://github.com/libops/sitectl-wp).
+
+Docs:
+
+- [Managed application architecture](https://sitectl.libops.io/apps)
+- [WordPress sitectl plugin](https://sitectl.libops.io/plugins/wordpress)
 
 ## Requirements
 
 - [sitectl](https://sitectl.libops.io/install) installed on the host that will run the site.
+- [`sitectl-wp`](https://github.com/libops/sitectl-wp) installed for WordPress create, validation, healthcheck, and helper commands.
 - Docker with the Compose v2 plugin installed on the same host.
 
 ## Quick start
@@ -22,39 +28,65 @@ sitectl create wp/default \
 
 The site is served through Traefik at `http://localhost`. The first boot runs `wp-cli` automatically. The default admin account is `admin`; its password is generated in `./secrets/WORDPRESS_ADMIN_PASSWORD`.
 
-## Basic operations with sitectl
+## Local image build
+
+The `wp` service builds this checkout on top of the LibOps WordPress base image. The Dockerfile copies Composer lockfiles before local plugins and themes so Docker can reuse dependency layers when only site customizations change. Local builds use the platform selected by the Docker CLI and do not push images.
+
+## Basic Operations
 
 Run these from the generated checkout, or add `--context <name>` when operating from elsewhere.
 
+Start or update the stack with [`sitectl compose`](https://sitectl.libops.io/commands/compose):
+
 ```bash
-# Start or update the Compose stack
 sitectl compose up --remove-orphans -d
+```
+
+Check the site and context configuration with [`sitectl healthcheck`](https://sitectl.libops.io/commands/healthcheck) and [`sitectl validate`](https://sitectl.libops.io/commands/validate):
 
-# Check the site and context configuration
+```bash
 sitectl healthcheck
 sitectl validate
+```
+
+Update image tags or pin a full image reference with [`sitectl image`](https://sitectl.libops.io/commands/image):
 
-# Update image tags or pin a full image reference
+```bash
 sitectl image set --tag wp=nginx-1.30.3-php84
 sitectl image set --image wp=libops/wp:nginx-1.30.3-php84@sha256:...
+```
+
+Enable local development bind mounts with [`sitectl set`](https://sitectl.libops.io/commands/set), then apply the component change with [`sitectl converge`](https://sitectl.libops.io/commands/converge):
 
-# Enable local development bind mounts
+```bash
 sitectl set dev-mode enabled
 sitectl converge
+```
 
-# Switch TLS modes
+Switch TLS modes with the [Traefik service commands](https://sitectl.libops.io/plugins/traefik):
+
+```bash
 sitectl traefik tls mkcert --domain wordpress.localhost
 sitectl traefik tls letsencrypt --email ops@example.org
+```
+
+Trust an upstream load balancer or reverse proxy with [`sitectl set`](https://sitectl.libops.io/commands/set), then apply it with [`sitectl converge`](https://sitectl.libops.io/commands/converge):
 
-# Trust an upstream load balancer or reverse proxy
+```bash
 sitectl set reverse-proxy enabled --trusted-ip 203.0.113.10/32
 sitectl converge
+```
+
+Raise upload limits with [`sitectl set`](https://sitectl.libops.io/commands/set), then apply them with [`sitectl converge`](https://sitectl.libops.io/commands/converge):
 
-# Raise upload limits for larger media
+```bash
 sitectl set upload-limits enabled --max-upload-size 2G --upload-timeout 10m
 sitectl converge
+```
+
+Run WordPress-specific helpers documented in the [WordPress plugin docs](https://sitectl.libops.io/plugins/wordpress):
 
-# Run WordPress-specific helpers from the plugin
+```bash
 sitectl wp cli plugin list
 sitectl wp composer
 sitectl wp db export ./backup.sql
@@ -68,7 +100,7 @@ See the [WordPress sitectl plugin docs](https://sitectl.libops.io/plugins/wordpr
 The Makefile is intentionally small. It only keeps WordPress-specific targets that are not core sitectl operations:
 
 ```bash
-make rollout
+sitectl deploy
 make test
 make lint
 ```

conf/traefik/wordpress.tmpl

@@ -17,7 +17,7 @@ http:
         regex: '^https?://[^/]+/wp-content/uploads/(.*)'
         replacement: '/app/uploads/${1}'
         permanent: true
-  {{- if eq (env "TRAEFIK_TLS_ENABLED") "true" }}
+  {{- if eq (env "URI_SCHEME") "https" }}
     wordpress-https-redirect:
       redirectScheme:
         scheme: https
@@ -41,7 +41,7 @@ http:
       middlewares:
         - wordpress-uploads-redirect
       service: noop@internal
-  {{- if eq (env "TRAEFIK_TLS_ENABLED") "true" }}
+  {{- if eq (env "URI_SCHEME") "https" }}
   {{- if hasPrefix "www." (env "DOMAIN") }}
     wordpress-apex-websecure:
       rule: 'Host(`{{ trimPrefix "www." (env "DOMAIN") }}`)'
@@ -68,12 +68,12 @@ http:
       rule: 'Host(`{{ env "DOMAIN" | default "localhost" }}`)'
       entryPoints:
         - web
-      {{- if eq (env "TRAEFIK_TLS_ENABLED") "true" }}
+      {{- if eq (env "URI_SCHEME") "https" }}
       middlewares:
         - wordpress-https-redirect
       {{- end }}
       service: wordpress
-  {{- if eq (env "TRAEFIK_TLS_ENABLED") "true" }}
+  {{- if eq (env "URI_SCHEME") "https" }}
     wordpress-websecure:
       rule: 'Host(`{{ env "DOMAIN" }}`)'
       entryPoints:

docker-compose.yaml

@@ -46,9 +46,9 @@ services:
       - --entrypoints.web.transport.respondingTimeouts.readTimeout=300s
     environment:
       DOMAIN: "${DOMAIN:-localhost}"
-      TRAEFIK_TLS_ENABLED: "false"
+      URI_SCHEME: "${URI_SCHEME:-http}"
     ports:
-      - "${HOST_INSECURE_PORT:-80}:80"
+      - "80:80"
     volumes:
       - ./conf/traefik/wordpress.tmpl:/etc/traefik/dynamic/wordpress.yml:ro
     depends_on:
@@ -69,7 +69,6 @@ services:
     image: libops/wp:nginx-1.30.3-php84
     build:
       context: .
-      pull: true
       args:
         BASE_IMAGE: libops/wp:nginx-1.30.3-php84
     working_dir: /var/www/bedrock
@@ -100,7 +99,7 @@ services:
       - wordpress-uploads:/var/www/bedrock/web/app/uploads:rw
     depends_on:
       mariadb:
-        condition: service_started
+        condition: service_healthy
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider http://localhost/ || exit 1"]
       interval: 30s

scripts/generate-secrets.sh

@@ -17,8 +17,11 @@ yq -r '.secrets[].file' docker-compose.yaml | uniq | while read -r SECRET; do
   fi
 done
 
-if [ -f docker-compose.override.yaml ]; then
-  yq -r '.secrets[].file' docker-compose.override.yaml | uniq | while read -r SECRET; do
+for OVERRIDE_FILE in docker-compose.override.yml docker-compose.override.yaml; do
+  if [ ! -f "${OVERRIDE_FILE}" ]; then
+    continue
+  fi
+  yq -r '.secrets[].file' "${OVERRIDE_FILE}" | uniq | while read -r SECRET; do
     if [ ! -f "${SECRET}" ]; then
       echo "Creating: ${SECRET}" >&2
       DIR=$(dirname "${SECRET}")
@@ -28,4 +31,4 @@ if [ -f docker-compose.override.yaml ]; then
       (grep -ao "${CHARACTERS}" < /dev/urandom || true) | head "-${LENGTH}" | tr -d '\n' > "${SECRET}"
     fi
   done
-fi
+done

scripts/test.sh

@@ -3,19 +3,20 @@
 set -eou pipefail
 
 docker compose build --pull
-./scripts/init-if-needed.sh
+docker compose run --rm init
 docker compose up --remove-orphans -d
 
 max_attempts=20
 attempt=0
+target_url="${SITE_URL:-http://localhost/}"
 
 while [ $attempt -lt $max_attempts ]; do
   attempt=$(( attempt + 1 ))
   echo "Attempt $attempt of $max_attempts..."
 
   sleep 10
 
-  if curl -sf "http://localhost:${HOST_INSECURE_PORT:-80}/" | grep -qi "wordpress"; then
+  if curl -sf "$target_url" | grep -qi "wordpress"; then
     echo "WordPress is up!"
     exit 0
   fi