docker-compose.yml

x-wordpress-configuration-env: &wordpress-configuration-env
  WORDPRESS_PLUGIN_LIST: "maintenance redis-cache"
  WORDPRESS_REDIS_HOST: redis
  WORDPRESS_CACHE: 1
  WORDPRESS_CACHE_KEY_SALT: 'Wp-'
  WORDPRESS_TABLE_PREFIX: 'wp_'
  WORDPRESS_DEBUG: 0
  DEFAULT_EMAIL: "webmaster@example.com"
  WORDPRESS_DB_USER: wordpress
  WORDPRESS_DB_NAME: wordpress
  WORDPRESS_DB_HOST: database
  WORDPRESS_CONFIG_EXTRA: |
    define('WP_AUTO_UPDATE_CORE', false);
    define('WP_SITEURL', 'http://localhost');
    define('WP_HOME', 'http://localhost');
    define('WP_CACHE', true);
    define('WP_CACHE_KEY_SALT', 'Wp-');
    define('WP_REDIS_HOST', "cache");
    define('DISABLE_WP_CRON', true);
    $$_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS'] = false;

# Required since nginx unit will not pass environment variables s6-envdir loads. wp-config.php has docker_getenv()
x-wordpress-secrets-files: &wordpress-secrets-files-env
  WORDPRESS_AUTH_KEY_FILE: /run/secrets/wordpress_auth_key
  WORDPRESS_SECURE_AUTH_KEY_FILE: /run/secrets/wordpress_secure_auth_key
  WORDPRESS_LOGGED_IN_KEY_FILE: /run/secrets/wordpress_logged_in_key
  WORDPRESS_NONCE_KEY_FILE: /run/secrets/wordpress_nonce_key
  WORDPRESS_AUTH_SALT_FILE: /run/secrets/wordpress_auth_salt
  WORDPRESS_SECURE_AUTH_SALT_FILE: /run/secrets/wordpress_secure_auth_salt
  WORDPRESS_LOGGED_IN_SALT_FILE: /run/secrets/wordpress_logged_in_salt
  WORDPRESS_NONCE_SALT_FILE: /run/secrets/wordpress_nonce_salt
  WORDPRESS_DB_PASSWORD_FILE: /run/secrets/wordpress_db_password

x-wordpress-init-env: &wordpress-init-env
  WORDPRESS_INIT_ENABLE: "true"
  WORDPRESS_INIT_ADMIN_USER: admin
  # WORDPRESS_INIT_ADMIN_PASSWORD is defined in secrets
  WORDPRESS_INIT_ADMIN_EMAIL: admin@example.com
  WORDPRESS_INIT_SITE_TITLE: "Your Example Site"
  WORDPRESS_INIT_SITE_URL: "http://localhost"


networks:
  default:

secrets:
  database_root_password:
    file: ./.secrets/database_root_password.txt
  wordpress_database_password:
    file: ./.secrets/wordpress_database_password.txt
  wordpress_db_password:
    file: ./.secrets/wordpress_database_password.txt
  wordpress_auth_key:
    file: ./.secrets/wordpress_auth_key
  wordpress_secure_auth_key:
    file: ./.secrets/wordpress_secure_auth_key
  wordpress_logged_in_key:
    file: ./.secrets/wordpress_logged_in_key
  wordpress_nonce_key:
    file: ./.secrets/wordpress_nonce_key
  wordpress_auth_salt:
    file: ./.secrets/wordpress_auth_salt
  wordpress_secure_auth_salt:
    file: ./.secrets/wordpress_secure_auth_salt
  wordpress_logged_in_salt:
    file: ./.secrets/wordpress_logged_in_salt
  wordpress_nonce_salt:
    file: ./.secrets/wordpress_nonce_salt
  wordpress_init_admin_password:
    file: ./.secrets/wordpress_init_admin_password


services:
  wordpress:
    image: ghcr.io/n0rthernl1ghts/wordpress:6.6.2
    deploy:
      restart_policy:
        condition: any
    healthcheck: # See: src/wp-utils/healthcheck
      test: [ "CMD", "/usr/local/bin/healthcheck" ]
      interval: 30s
      timeout: 5s
      retries: 3
    secrets:
      - wordpress_db_password
      - wordpress_auth_key
      - wordpress_secure_auth_key
      - wordpress_logged_in_key
      - wordpress_nonce_key
      - wordpress_auth_salt
      - wordpress_secure_auth_salt
      - wordpress_logged_in_salt
      - wordpress_nonce_salt
      - wordpress_init_admin_password
    environment:
      <<: [ *wordpress-configuration-env, *wordpress-secrets-files-env, *wordpress-init-env ]
      CRON_ENABLED: "false"
    labels: # This configures traefik - if you have it. You also need to make sure that this service is in the same network with Traefik instance
      - "traefik.enable=true"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-http.rule=Host(`example.com`)"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-http.entrypoints=web"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-https.tls=true"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-https.tls.certresolver=le"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-https.rule=Host(`example.com`)"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-https.entrypoints=websecure"
      - "traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=80"
    volumes:
      - ./data/wordpress/wp-content:/var/www/html/wp-content
    networks:
      default:

  # It's a good idea to have a separate service for the cron job
  cron:
    extends:
      service: wordpress
    image: ghcr.io/n0rthernl1ghts/wordpress-cron:6.6.2
    deploy:
      resources:
        limits:
          memory: 512M # Limit the memory for the cron job to 512 MB. This is a good practice to avoid memory leaks.
    environment:
      CRON_ENABLED: "true"

  # Redis is optional, but it works really well for caching. If removed, please update x-wordpress-configuration-env
  cache:
    image: redis:alpine
    init: true
    healthcheck:
      test: ["CMD", "/usr/local/bin/redis-cli", "PING"]
      interval: 20s
      timeout: 3s
      retries: 3
    deploy:
      restart_policy:
        condition: any
      resources:
        limits:
          memory: 64M
    networks:
      default:

  # Please update environment accordingly
  database:
    image: 'ghcr.io/n0rthernl1ghts/mariadb:10.11'
    deploy:
      replicas: 1
      restart_policy:
        condition: any
      resources:
        limits:
          memory: 512M # Should be adjusted accordingly to the website size. 512MB is usually enough for small website
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 20s
      retries: 3
    environment:
      PUID: 1000
      PGID: 1000
      MARIADB_INIT_DATABASES: wordpress
      MARIADB_INIT_USERS: wordpress
      FILE__MARIADB_ROOT_PASSWORD: /run/secrets/database_root_password
      FILE__MARIADB_USER_wordpress_PASSWORD: /run/secrets/wordpress_database_password
      FORCE_CONFIG_OVERWRITE: 1
    volumes:
      - ./data/database/config:/config
      - ./data/database/data:/var/lib/mysql
    secrets:
      - database_root_password
      - wordpress_database_password
    networks:
      default: