Bastillefile

########################################################################################
# Copyright (c) 2023, Nozel, Sebas Veeke. All rights reserved.
#
# Licenced under a 3-Clause BSD License (https://opensource.org/license/bsd-3-clause).
#
# Contact:
# > e-mail      mail@nozel.org
# > GitHub      jail-templates
########################################################################################

# install required packages
PKG curl

# general variables
ARG UNZIP=/usr/bin/unzip
ARG CURL=/usr/local/bin/curl
ARG MYSQL=/usr/local/bin/mysql
ARG OPENSSL=/usr/bin/openssl
ARG LINE=*******************************************************************

# generate passwords and salt
ARG GENERATE_PASSWORD=$(head -c 256 /dev/urandom | strings -n 1 | tr -cd '[:alnum:]' | head -c 32)
CMD printf "%s" "${GENERATE_PASSWORD}" > /tmp/.mysql_password
CMD printf "%s" "${GENERATE_PASSWORD}" > /tmp/.owner_password
CMD printf "%s" "${GENERATE_PASSWORD}" > /tmp/.basicauth_password
ARG GENERATE_SALT=$(head -c 512 /dev/urandom | strings -n 1 | tr -cd '[:alnum:]~#$^*+=_()[]{}<>:;.,/?' | head -c 64)

# specific variables
ARG MYSQL_DB=wordpress
ARG MYSQL_USER=wordpress
ARG MYSQL_PASSWORD=$(cat /tmp/.mysql_password)
ARG MYSQL_CHARSET=utf8mb4
ARG MYSQL_PREFIX=wp_
ARG MYSQL_COLLATION=
ARG OWNER_USER=wordpress
ARG OWNER_GROUP=wordpress
ARG OWNER_PASSWORD=$(cat /tmp/.owner_password)
ARG BASICAUTH_USER=wordpress
ARG BASICAUTH_PASSWORD=$(cat /tmp/.basicauth_password)
ARG BASICAUTH_PASSWORD_ENCRYPTED=$(${OPENSSL} passwd -apr1 ${BASICAUTH_PASSWORD})
ARG WEB_USER=www
ARG WEB_GROUP=www
ARG WEB_DIR=/usr/local/www
ARG WP_DOWNLOAD=https://wordpress.org/latest.zip
ARG WP_DIR=/usr/local/www/wordpress

# create owner
CMD pw user add -n "${OWNER_USER}" -c 'System user for running Wordpress securely' -d /home/wordpress -m -s /bin/sh
CMD echo "${OWNER_PASSWORD}" | pw usermod "${OWNER_USER}" -h 0

# create wordpress database
CMD "${MYSQL}" -u root -e "CREATE DATABASE IF NOT EXISTS wordpress"
CMD "${MYSQL}" -u root -e "GRANT ALL PRIVILEGES ON ${MYSQL_DB}.* TO ${MYSQL_USER}@${JAIL_IP} IDENTIFIED BY '${MYSQL_PASSWORD}'"
CMD "${MYSQL}" -u root -e "FLUSH PRIVILEGES"

# download and decompress wordpress
CMD "${CURL}" "${WP_DOWNLOAD}" --output /tmp/latest.zip
CMD "${UNZIP}" /tmp/latest.zip -d /usr/local/www

# copy files
CP usr /

# generate wp-config.php
CMD sed -i '' 's%insert_db_name%${MYSQL_DB}%g' "${WEB_DIR}/wp-config.php"
CMD sed -i '' 's%insert_db_user%${MYSQL_USER}%g' "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_db_password%${MYSQL_PASSWORD}%g" "${WEB_DIR}/wp-config.php"
CMD sed -i '' 's%insert_db_host%${JAIL_IP}%g' "${WEB_DIR}/wp-config.php"
CMD sed -i '' 's%insert_db_charset%${MYSQL_CHARSET}%g' "${WEB_DIR}/wp-config.php"
CMD sed -i '' 's%insert_db_collation%${MYSQL_COLLATION}%g' "${WEB_DIR}/wp-config.php"
CMD sed -i '' 's%insert_db_prefix%${MYSQL_PREFIX}%g' "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_auth_key%${GENERATE_SALT}%g" "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_secure_auth_key%${GENERATE_SALT}%g" "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_logged_in_key%${GENERATE_SALT}%g" "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_nonce_key%${GENERATE_SALT}%g" "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_auth_salt%${GENERATE_SALT}%g" "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_secure_auth_salt%${GENERATE_SALT}%g" "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_logged_in_salt%${GENERATE_SALT}%g" "${WEB_DIR}/wp-config.php"
CMD sed -i '' "s%insert_nonce_salt%${GENERATE_SALT}%g" "${WEB_DIR}/wp-config.php"

# enable BasicAuth
CMD touch "${WEB_DIR}/.htpasswd"
CMD printf "${BASICAUTH_USER}:${BASICAUTH_PASSWORD_ENCRYPTED}\n" >> "${WEB_DIR}/.htpasswd"

# set ownership and permissions
CMD chown -R "${OWNER_USER}":"${OWNER_GROUP}" "${WP_DIR}"
CMD chown "${WEB_USER}":"${WEB_GROUP}" "${WP_DIR}/wp-content"
CMD chown -R "${WEB_USER}":"${WEB_GROUP}" "${WP_DIR}/wp-content/plugins"
CMD chown -R "${WEB_USER}":"${WEB_GROUP}" "${WP_DIR}/wp-content/themes"
CMD chown "${OWNER_USER}":"${OWNER_GROUP}" "${WEB_DIR}/wp-config.php"
CMD chown "${OWNER_USER}":"${OWNER_GROUP}" "${WEB_DIR}/.htpasswd"
CMD find "${WP_DIR}" -type d -exec chmod 755 {} \;
CMD find "${WP_DIR}" -type f -exec chmod 644 {} \;
CMD chmod 444 "${WP_DIR}/.htaccess"
CMD chmod 444 "${WP_DIR}/wp-admin/.htaccess"
CMD chmod 444 "${WEB_DIR}/wp-config.php"
CMD chmod 444 "${WEB_DIR}/.htpasswd"

# generate, save and show account and database configuration
CMD touch /root/.wordpress
CMD chown root:wheel /root/.wordpress
CMD chmod 440 /root/.wordpress
CMD printf "Account name:\t\t${OWNER_USER}\nAccount group:\t\t${OWNER_GROUP}\nAccount password:\t${OWNER_PASSWORD}\n\nBasicAuth file:\t\t${WEB_DIR}/.htpasswd\nBasicAuth user:\t\t${BASICAUTH_USER}\nBasicAuth password:\t${BASICAUTH_PASSWORD}\n\nDatabase name:\t\t${MYSQL_DB}\nDatabase user:\t\t${MYSQL_USER}\nDatabase password:\t${MYSQL_PASSWORD}\nDatabase host:\t\t${JAIL_IP}\n" > /root/.wordpress
CMD printf "${LINE}\n* A Wordpress FreeBSD account was automatically created:\n* Account name:\t\t${OWNER_USER}\n* Account group:\t${OWNER_GROUP}\n* Account password:\t${OWNER_PASSWORD}\n*\n* A BasicAuth account to access wp-admin was automatically created:\n* BasicAuth file:\t${WEB_DIR}/.htpasswd\n* BasicAuth user:\t${BASICAUTH_USER}\n* BasicAuth password:\t${BASICAUTH_PASSWORD}\n*\n* A Wordpress database was automatically created:\n* Database name:\t${MYSQL_DB}\n* Database user:\t${MYSQL_USER}\n* Database password:\t${MYSQL_PASSWORD}\n* Database host:\t${JAIL_IP}\n*\n* A backup of this information can be found in /root/.wordpress\n${LINE}\n"

# remove temporary files
CMD rm /tmp/latest.zip
CMD rm /tmp/.mysql_password
CMD rm /tmp/.owner_password
CMD rm /tmp/.basicauth_password