underpost 3.2.0 → 3.2.2

package/src/runtime/wp/Wp.js

@@ -132,10 +132,11 @@ class WpService {
     const subDir = pathRoute && pathRoute !== '/' ? pathRoute.replace(/^\/+/, '').replace(/\/+$/, '') : '';
     const wpDir = subDir ? path.join(vhostDir, subDir) : vhostDir;
 
+    let freshInstall = false;
     if (repository) {
-      WpService.provisionClone({ host, siteRoot: wpDir, repository, db, wp, subDir });
+      ({ freshInstall } = WpService.provisionClone({ host, siteRoot: wpDir, repository, db, wp, subDir }));
     } else {
-      WpService.provisionFresh({ host, siteRoot: wpDir, db, wp, subDir });
+      ({ freshInstall } = WpService.provisionFresh({ host, siteRoot: wpDir, db, wp, subDir }));
     }
 
     // Ensure git is initialized and linked to the backup repository.
@@ -152,6 +153,9 @@ class WpService {
       WpService.ensureSubdirHtaccess({ vhostDir, subDir });
     }
 
+    // Write security rules into the WordPress root .htaccess
+    WpService.ensureSecurityHtaccess({ dir: wpDir });
+
     // Make the site writable by the XAMPP Apache process (runs as daemon:daemon).
     // This is required for plugins like Wordfence WAF and Sucuri that write config/upload files.
     shellExec(`sudo chown -R daemon:daemon "${vhostDir}"`);
@@ -170,6 +174,13 @@ class WpService {
       resetRouter,
     });
 
+    // Immediately commit and push all generated files (wp-config.php, .htaccess,
+    // security rules, plugins, etc.) so that on rollout/restart the clone will
+    // have a complete working state and won't fall back to fresh install again.
+    if (repository && freshInstall) {
+      WpService.persistToRepo({ siteRoot: wpDir, repository, host });
+    }
+
     return { disabled };
   }
 
@@ -194,8 +205,7 @@ class WpService {
     logger.info(`${host}: remote accessible = ${repoAccessible} (${repository})`);
     if (!repoAccessible) {
       logger.warn(`${host}: remote repository not accessible (${repository}) — running fresh install`);
-      WpService.provisionFresh({ host, siteRoot, db, wp, subDir });
-      return;
+      return WpService.provisionFresh({ host, siteRoot, db, wp, subDir });
     }
 
     // Step 1 — clone if the directory does not exist yet
@@ -219,8 +229,10 @@ class WpService {
     if (!fs.existsSync(path.join(siteRoot, 'wp-config.php'))) {
       logger.warn(`${host}: wp-config.php not found — wiping site root and running fresh install`);
       shellExec(`sudo rm -rf "${siteRoot}"`);
-      WpService.provisionFresh({ host, siteRoot, db, wp, subDir });
+      return WpService.provisionFresh({ host, siteRoot, db, wp, subDir });
     }
+
+    return { freshInstall: false };
   }
 
   /**
@@ -235,7 +247,7 @@ class WpService {
     // Validator: wp-config.php presence means installation is complete/valid
     if (fs.existsSync(path.join(siteRoot, 'wp-config.php'))) {
       logger.info(`${host}: wp-config.php found at ${siteRoot}, skipping fresh install`);
-      return;
+      return { freshInstall: false };
     }
 
     logger.info(`${host}: fresh install → ${siteRoot}`);
@@ -267,6 +279,8 @@ class WpService {
     } else {
       logger.warn(`${host}: no db config provided — wp-config.php not written`);
     }
+
+    return { freshInstall: true };
   }
 
   /**
@@ -378,6 +392,134 @@ ${marker} end`;
     logger.info(`subdirectory .htaccess updated`, { vhostDir, subDir });
   }
 
+  /**
+   * Writes security rules into the WordPress site root `.htaccess`.
+   * Protects `.git` directories, sensitive config files, and SQL dumps
+   * from being served by Apache. Idempotent — uses marker comments to
+   * detect and replace existing blocks on re-runs.
+   * @param {{ dir: string }} opts
+   * @param {string} opts.dir - Absolute path to the WordPress root (where .htaccess lives).
+   */
+  static ensureSecurityHtaccess({ dir }) {
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    const htaccessPath = path.join(dir, '.htaccess');
+
+    const marker = '# -- wp-security --';
+    const block = `${marker}
+# Block access to .git directories and files
+RedirectMatch 404 /\\.git
+
+# Block access to sensitive dotfiles
+<FilesMatch "^\\.(env|htpasswd|htaccess\\.bak|DS_Store)">
+  Require all denied
+</FilesMatch>
+
+# Block access to WordPress config backups and SQL dumps
+<FilesMatch "(wp-config\\.php\\.bak|wp-config-sample\\.php|\\.sql|\\.sql\\.gz)$">
+  Require all denied
+</FilesMatch>
+
+# Block direct access to PHP files in uploads
+<IfModule mod_rewrite.c>
+  RewriteEngine On
+  RewriteRule ^wp-content/uploads/.*\\.php$ - [F,L]
+</IfModule>
+
+# Block access to xmlrpc.php (common attack vector)
+<Files "xmlrpc.php">
+  Require all denied
+</Files>
+
+# Block access to readme.html and license.txt (version disclosure)
+<FilesMatch "^(readme\\.html|license\\.txt)$">
+  Require all denied
+</FilesMatch>
+${marker} end`;
+
+    let existing = '';
+    if (fs.existsSync(htaccessPath)) {
+      existing = fs.readFileSync(htaccessPath, 'utf8');
+    }
+
+    const markerRegex = new RegExp(
+      `${marker.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}[\\s\\S]*?${marker.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')} end`,
+    );
+
+    if (markerRegex.test(existing)) {
+      existing = existing.replace(markerRegex, block);
+    } else {
+      existing = existing ? `${existing}\n${block}\n` : `${block}\n`;
+    }
+
+    fs.writeFileSync(htaccessPath, existing, 'utf8');
+    logger.info(`security .htaccess updated`, { dir });
+  }
+
+  /**
+   * Ensures a WordPress-specific `.gitignore` exists in the site root so that
+   * large/transient files are excluded from the backup repository while
+   * wp-config.php and security .htaccess ARE tracked.
+   * Idempotent — only writes when the file is missing.
+   * @param {{ dir: string }} opts
+   */
+  static ensureGitignore({ dir }) {
+    const gitignorePath = path.join(dir, '.gitignore');
+    if (fs.existsSync(gitignorePath)) return;
+    const content = `# WordPress .gitignore
+# Cache and temp
+wp-content/cache/
+wp-content/upgrade/
+wp-content/backup-db/
+wp-content/backups/
+wp-content/blogs.dir/
+wp-content/advanced-cache.php
+wp-content/wp-cache-config.php
+wp-content/debug.log
+
+# OS / editor
+.DS_Store
+Thumbs.db
+*.swp
+*.swo
+*~
+`;
+    fs.writeFileSync(gitignorePath, content, 'utf8');
+    logger.info(`.gitignore written`, { dir });
+  }
+
+  /**
+   * Commits all files in the WordPress site root and pushes to the remote
+   * repository. This persists wp-config.php, .htaccess security rules,
+   * installed plugins, and theme files so that on pod rollout/restart a
+   * `git clone` yields a fully working site without needing a fresh install.
+   *
+   * Safe to call repeatedly — `git commit` is a no-op when the working tree
+   * is clean (`|| true` prevents non-zero exit).
+   *
+   * @param {object} opts
+   * @param {string}      opts.siteRoot   - Absolute path to the WordPress root.
+   * @param {string}      opts.repository - Git remote URL.
+   * @param {string}      opts.host       - Virtual-host name (for logging/commit msg).
+   */
+  static persistToRepo({ siteRoot, repository, host }) {
+    if (!fs.existsSync(path.join(siteRoot, '.git'))) {
+      logger.warn(`persistToRepo: .git missing at ${siteRoot} — skipping`);
+      return;
+    }
+
+    WpService.ensureGitignore({ dir: siteRoot });
+
+    const githubOrg = process.env.GITHUB_USERNAME || 'underpostnet';
+    const repoName = repository.split('/').pop().split('.')[0];
+
+    logger.info(`${host}: persisting site to repository`);
+    shellExec(
+      `cd "${siteRoot}" && git add -A && git commit -m "wp provision ${host} $(date -u +%Y-%m-%dT%H:%M:%SZ)" || true`,
+    );
+    shellExec(`cd "${siteRoot}" && underpost push . ${githubOrg}/${repoName} -f`);
+    logger.info(`${host}: initial commit pushed to ${githubOrg}/${repoName}`);
+  }
+
   /**
    * Drops and recreates a MariaDB database to ensure a clean state for fresh installs.
    * @param {{ host: string, name: string, user: string, password: string }} db

package/src/server/backup.js

@@ -6,10 +6,8 @@
 
 import fs from 'fs-extra';
 import { loggerFactory } from './logger.js';
-import { shellExec } from './process.js';
 import Underpost from '../index.js';
-import { loadCronDeployEnv, readConfJson } from './conf.js';
-import { WpService } from '../runtime/wp/Wp.js';
+import { loadCronDeployEnv } from './conf.js';
 
 const logger = loggerFactory(import.meta);
 
@@ -22,59 +20,77 @@ class BackUp {
   /**
    * @method callback
    * @description Initiates a backup operation for the specified deployment list.
-   * @param {string} deployList - The list of deployments to backup.
+   * Orchestrates two backup phases per deployment:
+   *   1. Database export (MariaDB / MongoDB dump via `node bin db --export`).
+   *   2. Repository backup (git commit+push inside the deployment pod via `node bin db --repo-backup`).
+   *
+   * Commands are always forwarded to the host node via SSH because the CronJob
+   * container itself has no kubectl access. GITHUB_TOKEN and GITHUB_USERNAME
+   * are passed as ephemeral inline env vars so they never touch the host filesystem.
+   *
+   * @param {string} deployList - Comma-separated list of deployment IDs.
    * @param {Object} options - The options for the backup operation.
    * @param {boolean} options.git - Whether to backup data using Git.
    * @param {boolean} [options.k3s] - Use k3s cluster context.
    * @param {boolean} [options.kind] - Use kind cluster context.
    * @param {boolean} [options.kubeadm] - Use kubeadm cluster context.
-   * @param {boolean} [options.ssh] - Execute backup commands via SSH on the remote node.
    * @memberof UnderpostBakcUp
    */
   static callback = async function (deployList, options = { git: false }) {
-    loadCronDeployEnv();
-    if ((!deployList || deployList === 'dd') && fs.existsSync(`./engine-private/deploy/dd.router`))
-      deployList = fs.readFileSync(`./engine-private/deploy/dd.router`, 'utf8').trim();
+    const firstDeployId = deployList && deployList !== 'dd' ? deployList.split(',')[0].trim() : '';
+    const { ephemeral } = Underpost.repo.privateEngineRepoFactory(firstDeployId || undefined);
+    try {
+      loadCronDeployEnv();
+      if ((!deployList || deployList === 'dd') && fs.existsSync(`./engine-private/deploy/dd.router`))
+        deployList = fs.readFileSync(`./engine-private/deploy/dd.router`, 'utf8').trim();
 
-    logger.info('init backups callback', deployList);
-    await logger.setUpInfo();
+      logger.info('init backups callback', deployList);
+      await logger.setUpInfo();
 
-    const clusterFlag = options.k3s ? ' --k3s' : options.kind ? ' --kind' : options.kubeadm ? ' --kubeadm' : '';
+      const clusterFlag = options.k3s ? ' --k3s' : options.kind ? ' --kind' : options.kubeadm ? ' --kubeadm' : '';
 
-    for (const _deployId of deployList.split(',')) {
-      const deployId = _deployId.trim();
-      if (!deployId) continue;
+      for (const _deployId of deployList.split(',')) {
+        const deployId = _deployId.trim();
+        if (!deployId) continue;
 
-      const command = `node bin db ${options.git ? '--git --force-clone ' : ''}--export --primary-pod${clusterFlag} ${deployId}`;
+        const dbCommand = `node bin db ${options.git ? '--git --force-clone ' : ''}--export --primary-pod${clusterFlag} ${deployId}`;
+        const repoCommand = `node bin db --repo-backup${clusterFlag} ${deployId}`;
 
-      if (options.ssh) {
-        logger.info('Executing database export via SSH for', deployId);
-        await Underpost.ssh.sshRemoteRunner(command, {
-          remote: true,
-          useSudo: true,
-          cd: '/home/dd/engine',
-        });
-      } else {
-        logger.info('Executing database export for', deployId);
-        shellExec(command);
-      }
-      {
-        const confServer = readConfJson(deployId, 'server');
-        for (const host of Object.keys(confServer)) {
-          for (const path of Object.keys(confServer[host])) {
-            const entry = confServer[host][path];
-            try {
-              switch (entry.runtime) {
-                case 'wp':
-                  WpService.backup({ host, repository: entry.repository });
-                  break;
-              }
-            } catch (err) {
-              logger.error(`Error during entry runtime backup for ${host}${path}:`, err);
-            }
-          }
+        // Pass GITHUB_TOKEN and GITHUB_USERNAME ephemerally through the SSH command
+        // so git operations can push backups without relying on host env files.
+        const envPrefix = [
+          process.env.GITHUB_TOKEN ? `GITHUB_TOKEN=${process.env.GITHUB_TOKEN}` : '',
+          process.env.GITHUB_USERNAME ? `GITHUB_USERNAME=${process.env.GITHUB_USERNAME}` : '',
+        ]
+          .filter(Boolean)
+          .join(' ');
+        const prefixCmd = (cmd) => (envPrefix ? `${envPrefix} ${cmd}` : cmd);
+
+        try {
+          logger.info('Executing database export via SSH for', deployId);
+          await Underpost.ssh.sshRemoteRunner(prefixCmd(dbCommand), {
+            remote: true,
+            useSudo: true,
+            cd: '/home/dd/engine',
+          });
+        } catch (err) {
+          logger.error(`Error during database export for ${deployId}:`, err);
+        }
+
+        // Repository backup: Cron container → SSH to host → host finds pod → kubectl exec git backup
+        try {
+          logger.info('Executing repository backup via SSH for', deployId);
+          await Underpost.ssh.sshRemoteRunner(prefixCmd(repoCommand), {
+            remote: true,
+            useSudo: true,
+            cd: '/home/dd/engine',
+          });
+        } catch (err) {
+          logger.error(`Error during repository backup for ${deployId}:`, err);
         }
       }
+    } finally {
+      if (ephemeral) Underpost.repo.cleanupPrivateEngineRepo();
     }
   };
 }

package/src/server/cron.js

@@ -33,7 +33,9 @@ const underpostContainerEnvPath = '/usr/lib/node_modules/underpost/.env';
  * @param {string} [params.cmd] - Optional pre-script commands to run before cron execution
  * @param {boolean} [params.suspend=false] - Whether the CronJob is suspended
  * @param {boolean} [params.dryRun=false] - Pass --dry-run flag to the cron command inside the container
- * @param {boolean} [params.ssh=false] - Execute backup commands via SSH on the remote node
+ * @param {boolean} [params.k3s=false] - Pass --k3s flag to the cron command inside the container
+ * @param {boolean} [params.kind=false] - Pass --kind flag to the cron command inside the container
+ * @param {boolean} [params.kubeadm=false] - Pass --kubeadm flag to the cron command inside the container
  * @returns {string} Kubernetes CronJob YAML manifest
  * @memberof UnderpostCron
  */
@@ -49,7 +51,9 @@ const cronJobYamlFactory = ({
   cmd,
   suspend = false,
   dryRun = false,
-  ssh = false,
+  k3s = false,
+  kind = false,
+  kubeadm = false,
 }) => {
   const containerImage = image || `underpost/underpost-engine:${Underpost.version}`;
 
@@ -60,10 +64,12 @@ const cronJobYamlFactory = ({
     .replace(/^-|-$/g, '')
     .substring(0, 52);
 
-  const cmdPart = cmd ? `${cmd} && ` : '';
   const cronBin = dev ? 'node bin' : 'underpost';
-  const flags = `${git ? '--git ' : ''}${dev ? '--dev ' : ''}${dryRun ? '--dry-run ' : ''}${ssh ? '--ssh ' : ''}`;
-  const cronCommand = `${cmdPart}${cronBin} cron ${flags}${deployList} ${jobList}`;
+  const flags = `${git ? '--git ' : ''}${dev ? '--dev ' : ''}${dryRun ? '--dry-run ' : ''}${k3s ? '--k3s ' : ''}${kind ? '--kind ' : ''}${kubeadm ? '--kubeadm ' : ''}`;
+  const commands = [`cd ${enginePath}`, `node bin run secret`];
+  if (cmd) commands.push(cmd);
+  commands.push(`${cronBin} cron ${flags}${deployList} ${jobList}`);
+  const fullCommand = commands.join(' &&\n                  ');
 
   return `apiVersion: batch/v1
 kind: CronJob
@@ -95,7 +101,7 @@ spec:
                 - /bin/sh
                 - -c
                 - >
-                  ${cronCommand}
+                  ${fullCommand}
               volumeMounts:
                 - mountPath: ${enginePath}
                   name: ${cronVolumeName}
@@ -183,7 +189,6 @@ class UnderpostCron {
      * @param {boolean} [options.kubeadm] - Use kubeadm cluster context (apply directly on host)
      * @param {boolean} [options.dryRun] - Preview cron jobs without executing them
      * @param {boolean} [options.createJobNow] - After applying, immediately create a Job from each CronJob (requires --apply)
-     * @param {boolean} [options.ssh] - Execute backup commands via SSH on the remote node
      * @memberof UnderpostCron
      */
     callback: async function (
@@ -227,7 +232,6 @@ class UnderpostCron {
      * @param {boolean} [options.k3s] - k3s cluster context (apply directly on host)
      * @param {boolean} [options.kind] - kind cluster context (apply via kind-worker container)
      * @param {boolean} [options.kubeadm] - kubeadm cluster context (apply directly on host)
-     * @param {boolean} [options.ssh] - Execute backup commands via SSH on the remote node
      * @memberof UnderpostCron
      */
     setupDeployStart: async function (deployId, options = {}) {
@@ -270,20 +274,20 @@ class UnderpostCron {
       }
 
       // Generate and apply cron job manifests for this deploy-id
+      const hasExplicitCluster = options.k3s || options.kind || options.kubeadm;
       await Underpost.cron.generateK8sCronJobs({
         deployId,
         namespace: options.namespace,
         image: options.image,
         apply: options.apply,
         createJobNow: options.createJobNow,
-        git: true,
-        dev: true,
-        kubeadm: true,
-        ssh: true,
-        cmd: ` cd ${enginePath} && node bin env ${deployId} production`,
-        k3s: false,
-        kind: false,
-        dryRun: false,
+        git: options.git !== undefined ? options.git : true,
+        dev: options.dev !== undefined ? options.dev : true,
+        kubeadm: hasExplicitCluster ? !!options.kubeadm : true,
+        cmd: options.cmd || `node bin env ${deployId} production`,
+        k3s: !!options.k3s,
+        kind: !!options.kind,
+        dryRun: !!options.dryRun,
       });
     },
 
@@ -305,7 +309,6 @@ class UnderpostCron {
      * @param {boolean} [options.kubeadm=false] - kubeadm cluster context (apply directly on host)
      * @param {boolean} [options.createJobNow=false] - After applying, create a Job from each CronJob immediately
      * @param {boolean} [options.dryRun=false] - Pass --dry-run=client to kubectl commands
-     * @param {boolean} [options.ssh=false] - Execute backup commands via SSH on the remote node
      * @memberof UnderpostCron
      */
     generateK8sCronJobs: async function (options = {}) {
@@ -362,7 +365,9 @@ class UnderpostCron {
           cmd: options.cmd,
           suspend: false,
           dryRun: !!options.dryRun,
-          ssh: !!options.ssh,
+          k3s: !!options.k3s,
+          kind: !!options.kind,
+          kubeadm: !!options.kubeadm,
         });
 
         const yamlFilePath = `${outputDir}/${cronJobName}.yaml`;

package/src/server/start.js

@@ -164,10 +164,9 @@ class UnderpostStartUp {
         shellExec(`mkdir -p ${buildBasePath}/engine`);
         shellExec(`cd ${buildBasePath} && sudo cp -a ./${repoName}/. ./engine`);
         shellExec(`cd ${buildBasePath} && sudo rm -rf ./${repoName}`);
-        shellExec(`cd ${buildBasePath}/engine && underpost clone ${process.env.GITHUB_USERNAME}/${repoName}-private`);
-        shellExec(`cd ${buildBasePath}/engine && sudo mv ./${repoName}-private ./engine-private`);
       }
       shellCd(`${buildBasePath}/engine`);
+      Underpost.repo.privateEngineRepoFactory(deployId);
       shellExec(options?.underpostQuicklyInstall ? `underpost install` : `npm install`);
       shellExec(`node bin env ${deployId} ${env}`);
       if (fs.existsSync('./engine-private/itc-scripts')) {
@@ -198,12 +197,8 @@ class UnderpostStartUp {
       shellExec(`node bin env ${deployId} ${env}`);
       shellExec(`npm ${runCmd} ${deployId}`, { async: true });
       await awaitDeployMonitor(true);
+      if (env === 'production' && isInsideContainer()) Underpost.secret.globalSecretClean();
       Underpost.env.set('container-status', `${deployId}-${env}-running-deployment`);
-      if (env === 'production' && isInsideContainer()) {
-        Underpost.env.clean();
-        shellExec(`sudo rm -rf /home/dd/engine/engine-private`);
-        if (fs.existsSync('/etc/config/.env.production')) fs.removeSync('/etc/config/.env.production');
-      }
     },
   };
 }