From e262925d7444014222f3f58d01821220ff3a6ece Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Wed, 31 Dec 2025 14:31:50 +0100 Subject: [PATCH 01/16] fix: production configurations --- Makefile | 61 +++++++++++-------- docker-compose.dev.yml | 1 + docker-compose.prod.yml | 52 ++++++++++++++++ docker-compose.yml | 5 +- ...efault.conf.template => dev.conf.template} | 0 nginx/prod.conf.template | 24 ++++++++ 6 files changed, 116 insertions(+), 27 deletions(-) create mode 100644 docker-compose.prod.yml rename nginx/{default.conf.template => dev.conf.template} (100%) create mode 100644 nginx/prod.conf.template diff --git a/Makefile b/Makefile index cdc83dd..2062a36 100644 --- a/Makefile +++ b/Makefile 
@@ -1,35 +1,48 @@ -# Variables for compose files -COMPOSE_DEV := docker-compose -f docker-compose.yml -f docker-compose.dev.yml -# COMPOSE_PROD := docker-compose -f docker-compose.yml -f docker-compose.prod.yml +COMPOSE_DEV := docker compose -f docker-compose.yml -f docker-compose.dev.yml +COMPOSE_PROD := docker compose -f docker-compose.yml -f docker-compose.prod.yml -# Default compose (dev by default) -COMPOSE := $(COMPOSE_DEV) +# ===================== +# === DEV TARGETS ==== +# ===================== -# Primary targets -up: - @$(COMPOSE) up -d --build +up: + @$(COMPOSE_DEV) up -d --build -down: - @$(COMPOSE) down +down: + @$(COMPOSE_DEV) down -clean: - @$(COMPOSE) down -v - -restart: down up +clean: + @$(COMPOSE_DEV) down -v reset: clean up -logs: - @$(COMPOSE) logs -f +logs: + @$(COMPOSE_DEV) logs -f + +sync-site-url: + @$(COMPOSE_DEV) exec -T wp-cli sh /scripts/wp-init/site-url/sync-site-url.sh + +db-backup: + @$(COMPOSE_DEV) exec -T db-cli sh /scripts/db-backup/run-db-backup-once.sh + +db-restore: + @$(COMPOSE_DEV) exec -T db-cli sh -c "/scripts/db-cli/run-db-restore.sh '$(SQLFILE)'" + +# ====================== +# === PROD TARGETS ==== +# ====================== + +up-prod: + @$(COMPOSE_PROD) up -d -# Dev-specific targets (requires containers to be running) -sync-site-url: - @$(COMPOSE) exec -T wp-cli sh /scripts/wp-init/site-url/sync-site-url.sh +down-prod: + @$(COMPOSE_PROD) down -db-backup: - @$(COMPOSE) exec -T db-cli sh /scripts/db-backup/run-db-backup-once.sh +logs-prod: + @$(COMPOSE_PROD) logs -f -db-restore: - @$(COMPOSE) exec -T db-cli sh -c "/scripts/db-cli/run-db-restore.sh '$(SQLFILE)'" +wp-init-prod: + @$(COMPOSE_PROD) run --rm wp-init -.PHONY: up down clean restart reset logs sync-site-url db-backup db-restore \ No newline at end of file +.PHONY: up down clean reset logs sync-site-url db-backup db-restore \ + up-prod down-prod logs-prod wp-init-prod diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index df6d4bc..d28ab43 100644 
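Review bot: The `db-restore` target splices `$(SQLFILE)` into a `sh -c` string, so a value containing a single quote breaks the quoting and the remainder of the value is interpreted by the shell; since the script path is fixed, pass the file name as an argument instead, `@$(COMPOSE_DEV) exec -T db-cli sh /scripts/db-cli/run-db-restore.sh "$(SQLFILE)"` (assuming `run-db-restore.sh` reads `$1`, which is outside this hunk). Also, `up-prod` runs `up -d` without `--build` while `up` passes `--build`; if that is deliberate because production pulls prebuilt images, a one-line comment above `up-prod` saying so would keep the asymmetry from reading as an omission.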
--- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -9,6 +9,7 @@ services: nginx: volumes: + - ./nginx/dev.conf.template:/etc/nginx/templates/default.conf.template:ro - ./src:/var/www/html/wp-content:rw wp-init: diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml new file mode 100644 index 0000000..64684fc --- /dev/null +++ b/docker-compose.prod.yml @@ -0,0 +1,52 @@ +services: + database: + # + command: + - --character-set-server=utf8mb4 + - --collation-server=utf8mb4_unicode_ci + deploy: + resources: + limits: + memory: 512M + + wordpress: + environment: + WORDPRESS_CONFIG_EXTRA: | + define('WP_ENVIRONMENT_TYPE', 'production'); + define('DISALLOW_FILE_EDIT', true); + define('DISALLOW_FILE_MODS', true); + read_only: true + tmpfs: + - /tmp + deploy: + resources: + limits: + memory: 256M + + nginx: + ports: + - "80:80" # + - "443:443" + volumes: + - ./nginx/prod.conf.template:/etc/nginx/templates/default.conf.template:ro + deploy: + resources: + limits: + memory: 64M + + wp-init: + restart: "no" + volumes: + - wordpress:/var/www/html + - ./scripts:/scripts:ro + entrypoint: ["/scripts/wp-init/entrypoint.sh"] + + db-backup: + restart: unless-stopped + volumes: + - db_backups:/backups + - ./scripts:/scripts:ro + entrypoint: ["/scripts/db-backup/entrypoint.sh"] + +volumes: + db_backups: diff --git a/docker-compose.yml b/docker-compose.yml index 387337a..7fc781e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,7 +16,7 @@ services: timeout: 30s retries: 10 volumes: - - dbdata:/var/lib/mysql + - db_data:/var/lib/mysql networks: - internal @@ -49,7 +49,6 @@ services: ports: - "${HTTP_PORT:-8000}:80" volumes: - - ./nginx:/etc/nginx/templates:ro - wordpress:/var/www/html networks: - internal @@ -91,7 +90,7 @@ services: - internal volumes: - dbdata: + db_data: wordpress: networks: diff --git a/nginx/default.conf.template b/nginx/dev.conf.template similarity index 100% rename from nginx/default.conf.template rename to nginx/dev.conf.template 
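Review bot: The `nginx` service in the new `docker-compose.prod.yml` publishes 443 and mounts `prod.conf.template`, but nothing mounts `/etc/letsencrypt` into the container, while the template added in this same patch reads `ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem`; as written, prod nginx cannot open its certificate and will not start. Either add the certificate volume here or leave 443 unpublished until it exists. Separately, `- "80:80" #` carries an empty trailing comment that looks like a leftover. The `read_only: true` plus `tmpfs: /tmp` on `wordpress` is a good hardening default; patch 07 later drops it without saying why, so if the image needs a writable path, a targeted `tmpfs` entry for that path is preferable to removing the flag, and a comment such as `# root fs read-only; writable scratch only under /tmp` would protect the choice.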
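Review bot: Renaming the named volume `dbdata` to `db_data` (first and third hunks of docker-compose.yml) makes Compose create a fresh, empty `db_data` volume on the next `up`, while the existing MySQL data stays in the old `<project>_dbdata` volume; on an already-deployed instance this looks like data loss, and the dormant volume keeps a database copy that nothing backs up or rotates. If the rename is wanted, document the migration (copy the old volume's contents into the new one, then remove the old volume) in the commit message or in a comment next to `db_data:`; otherwise keep the old name.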
diff --git a/nginx/prod.conf.template b/nginx/prod.conf.template new file mode 100644 index 0000000..727da6f --- /dev/null +++ b/nginx/prod.conf.template @@ -0,0 +1,24 @@ +server { + listen 443 ssl http2; + server_name ${SERVER_NAME}; + + root /var/www/html; + index index.php; + + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + + add_header Strict-Transport-Security "max-age=31536000" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + + location / { + try_files $uri $uri/ /index.php?$args; + } + + location ~ \.php$ { + fastcgi_pass wordpress:9000; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } +} From 2e9dbe4639dad29673783ea1b3a78ebd1806f8a5 Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Wed, 31 Dec 2025 16:20:43 +0100 Subject: [PATCH 02/16] fix: wp-init service with no wordpress db --- Makefile | 5 +---- docker-compose.prod.yml | 2 +- scripts/wp-cli/check-wp-installed.sh | 16 ++++++++++++++++ scripts/wp-init/site-url/get-current-site-url.sh | 2 ++ scripts/wp-init/site-url/update-site-url.sh | 2 ++ 5 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 scripts/wp-cli/check-wp-installed.sh diff --git a/Makefile b/Makefile index 2062a36..148067d 100644 --- a/Makefile +++ b/Makefile @@ -41,8 +41,5 @@ down-prod: logs-prod: @$(COMPOSE_PROD) logs -f -wp-init-prod: - @$(COMPOSE_PROD) run --rm wp-init - .PHONY: up down clean reset logs sync-site-url db-backup db-restore \ - up-prod down-prod logs-prod wp-init-prod + up-prod down-prod logs-prod diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 64684fc..082f221 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -1,6 +1,6 @@ services: database: - # + # maybe smaller image command: - --character-set-server=utf8mb4 - --collation-server=utf8mb4_unicode_ci 
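Review bot: The `location ~ \.php$` block passes every `.php`-suffixed URI straight to `fastcgi_pass wordpress:9000` with no `try_files $uri =404;`, unlike `dev.conf.template`, which keeps that guard (visible in patch 12). Without it, requests for scripts that do not exist on disk still reach PHP-FPM, and whether they are rejected then depends on PHP's `cgi.fix_pathinfo` setting rather than on nginx; add `try_files $uri =404;` as the first line of the block so non-existent scripts stop at nginx. The later patches that extend this file (patches 10 to 12) keep the block without the guard, so the same note applies there. The `add_header` lines in `server` context are fine, but note that nginx does not inherit them into any `location` that later declares its own `add_header`.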
diff --git a/scripts/wp-cli/check-wp-installed.sh b/scripts/wp-cli/check-wp-installed.sh new file mode 100644 index 0000000..54fb4e3 --- /dev/null +++ b/scripts/wp-cli/check-wp-installed.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +check_wp_installed() { + if [ "${WP_INSTALLED_READY}" = "true" ]; then + return 0 + fi + + if ! wp core is-installed --allow-root >/dev/null 2>&1; then + echo "WordPress is not installed in the database" + return 1 + fi + + export WP_INSTALLED_READY=true + echo "WordPress database is available" + return 0 +} diff --git a/scripts/wp-init/site-url/get-current-site-url.sh b/scripts/wp-init/site-url/get-current-site-url.sh index 830dd5e..4560f31 100644 --- a/scripts/wp-init/site-url/get-current-site-url.sh +++ b/scripts/wp-init/site-url/get-current-site-url.sh @@ -3,6 +3,7 @@ set -e . /scripts/wp-cli/check-wp-path.sh . /scripts/wp-cli/check-wp-cli.sh +. /scripts/wp-cli/check-wp-installed.sh . /scripts/db-common/wait-for-db.sh check_wp_path @@ -10,6 +11,7 @@ check_wp_cli # shellcheck disable=SC2119 wait_for_db +check_wp_installed || exit 0 CURRENT_SITE_URL=$(wp option get siteurl --allow-root 2>/dev/null || true) diff --git a/scripts/wp-init/site-url/update-site-url.sh b/scripts/wp-init/site-url/update-site-url.sh index 65db999..64d6b46 100644 --- a/scripts/wp-init/site-url/update-site-url.sh +++ b/scripts/wp-init/site-url/update-site-url.sh @@ -4,6 +4,7 @@ set -e . /scripts/utils/check-required-vars.sh . /scripts/wp-cli/check-wp-path.sh . /scripts/wp-cli/check-wp-cli.sh +. /scripts/wp-cli/check-wp-installed.sh . /scripts/db-common/wait-for-db.sh check_required_vars "CURRENT_SITE_URL SITE_URL" @@ -13,6 +14,7 @@ check_wp_cli # shellcheck disable=SC2119 wait_for_db +check_wp_installed || exit 0 echo "Starting site URL update: ${CURRENT_SITE_URL} → ${SITE_URL}" From a767536a646e3bd9e78a73e6887bb28952a0076d Mon Sep 17 00:00:00 2001 
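Review bot: `check_wp_installed` prints both status messages to stdout, and the callers added in this patch run it as `check_wp_installed || exit 0`; if `get-current-site-url.sh` is itself invoked through command substitution to capture the URL (the rest of its body is outside this hunk), the "WordPress is not installed in the database" line would land in that capture. Send the messages to stderr, `echo "WordPress is not installed in the database" >&2`, so stdout stays the data channel. Also, `|| exit 0` makes a missing WordPress install indistinguishable from a successful run for whoever invokes these scripts; if that is the intended skip semantics, a comment such as `# not installed yet: nothing to sync, exit cleanly` above each call would say so.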
From: Tayfun Gumus Date: Wed, 31 Dec 2025 17:10:08 +0100 Subject: [PATCH 03/16] fix: docker yml comment --- docker-compose.prod.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 082f221..787339c 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -1,6 +1,5 @@ services: database: - # maybe smaller image command: - --character-set-server=utf8mb4 - --collation-server=utf8mb4_unicode_ci From 52f878eefb1ad18bc6d4e39e21d80d46e5b83f48 Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Thu, 1 Jan 2026 11:00:27 +0100 Subject: [PATCH 04/16] fix: resource config and improvements --- .env.example | 91 ++++++++++++++++++++++++++++------------- Makefile | 12 +++--- docker-compose.dev.yml | 2 + docker-compose.prod.yml | 19 +++++++-- docker-compose.yml | 2 - 5 files changed, 86 insertions(+), 40 deletions(-) diff --git a/.env.example b/.env.example index ecccb17..1cb42b4 100644 --- a/.env.example +++ b/.env.example 
@@ -1,54 +1,87 @@ -# ============================= -# === App Container Prefix === -# ============================= +# -------------------------------------------------- +# Core application settings +# -------------------------------------------------- + +# Docker container name prefix CONTAINER_NAME=app -# ============================= -# === Database Configuration === -# ============================= +# -------------------------------------------------- +# Database (MySQL) +# -------------------------------------------------- + DATABASE_NAME=wordpress DATABASE_USER=wp_user DATABASE_PASSWORD=wp_password DATABASE_ROOT_PASSWORD=root_password -# ============================= -# === Nginx Configuration === -# ============================= -SERVER_NAME=localhost -HTTP_PORT=8000 +# -------------------------------------------------- +# Web / Nginx +# -------------------------------------------------- -# ============================= -# === phpMyAdmin Configuration === -# ============================= -PHPMYADMIN_PORT=8001 +# Public server name (domain or hostname) +SERVER_NAME=localhost -# ============================= -# === WordPress Initialization === -# ============================= +# -------------------------------------------------- +# WordPress initialization (wp-init) +# -------------------------------------------------- -# Skip WordPress initialization service (true/false) +# Skip WordPress initialization tasks (true/false) SKIP_WP_INIT=false -# Full site URL +# Final site URL used by WordPress +# In production this should be: https:// SITE_URL=http://${SERVER_NAME}:${HTTP_PORT} -# Columns to skip during WP-CLI search-replace (comma-separated, no spaces) -# Example: guid,post_content +# Columns to skip during WP-CLI search-replace +# Comma-separated, no spaces (e.g. 
guid,post_content) SKIP_COLUMNS=guid -# ============================= -# === Database Backup Service === -# ============================= +# -------------------------------------------------- +# Database backup service (db-backup) +# -------------------------------------------------- -# Skip database backup service (true/false) +# Skip automated database backups (true/false) SKIP_DB_BACKUP=false # Maximum number of backup files to keep DATABASE_BACKUP_MAX_FILES=3 -# Initial delay before first backup (supports s/m/h/d) -# Examples: 60s, 5m, 2h, 1d +# Delay before first backup (s/m/h/d) DATABASE_BACKUP_INITIAL_DELAY=60s -# Interval between backups (supports s/m/h/d) +# Interval between backups (s/m/h/d) DATABASE_BACKUP_INTERVAL=3600s + +# -------------------------------------------------- +# Development only (docker-compose.dev.yml) +# -------------------------------------------------- + +# HTTP port exposed by Nginx +HTTP_PORT=8000 + +# phpMyAdmin exposed port +PHPMYADMIN_PORT=8001 + +# -------------------------------------------------- +# Production only (docker-compose.prod.yml) +# -------------------------------------------------- + +# Database +DB_CPUS=1.0 +DB_MEM_LIMIT=1024M + +# WordPress +WP_CPUS=1.0 +WP_MEM_LIMIT=512M + +# Nginx +NGINX_CPUS=0.5 +NGINX_MEM_LIMIT=128M + +# wp-init (one-shot container) +WP_INIT_CPUS=0.5 +WP_INIT_MEM_LIMIT=128M + +# db-backup +DB_BACKUP_CPUS=0.5 +DB_BACKUP_MEM_LIMIT=256M diff --git a/Makefile b/Makefile index 148067d..e5ee3e1 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,9 @@ COMPOSE_DEV := docker compose -f docker-compose.yml -f docker-compose.dev.yml COMPOSE_PROD := docker compose -f docker-compose.yml -f docker-compose.prod.yml -# ===================== -# === DEV TARGETS ==== -# ===================== +# -------------------------------------------------- +# Development targets +# -------------------------------------------------- up: @$(COMPOSE_DEV) up -d --build 
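Review bot: `SITE_URL=http://${SERVER_NAME}:${HTTP_PORT}` now sits in the core section while `HTTP_PORT` is moved into the "Development only" block further down, so a production `.env` derived from this template, with `HTTP_PORT` removed as the heading suggests, yields `http://localhost:` unless the operator remembers to override `SITE_URL`; the comment meant to explain this, `# In production this should be: https://`, appears cut off. Either complete the comment (`# In production set this explicitly, e.g. https://${SERVER_NAME}`) or move `HTTP_PORT` back above `SITE_URL`. Whether `${HTTP_PORT}` resolves when it is defined later in the same file depends on how Compose interpolates `.env`, which I have not verified here.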
@@ -28,9 +28,9 @@ db-backup: db-restore: @$(COMPOSE_DEV) exec -T db-cli sh -c "/scripts/db-cli/run-db-restore.sh '$(SQLFILE)'" -# ====================== -# === PROD TARGETS ==== -# ====================== +# -------------------------------------------------- +# Production targets +# -------------------------------------------------- up-prod: @$(COMPOSE_PROD) up -d diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index d28ab43..1064fdc 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -8,6 +8,8 @@ services: - ./src:/var/www/html/wp-content:rw nginx: + ports: + - "${HTTP_PORT:-8000}:80" volumes: - ./nginx/dev.conf.template:/etc/nginx/templates/default.conf.template:ro - ./src:/var/www/html/wp-content:rw diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 787339c..d6f166c 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -6,7 +6,8 @@ services: deploy: resources: limits: - memory: 512M + cpus: '${DB_CPUS:-1.0}' + memory: ${DB_MEM_LIMIT:-1024M} wordpress: environment: @@ -20,7 +21,8 @@ services: deploy: resources: limits: - memory: 256M + cpus: '${WP_CPUS:-1.0}' + memory: ${WP_MEM_LIMIT:-512M} nginx: ports: @@ -31,7 +33,8 @@ services: deploy: resources: limits: - memory: 64M + cpus: '${NGINX_CPUS:-0.5}' + memory: ${NGINX_MEM_LIMIT:-128M} wp-init: restart: "no" @@ -39,6 +42,11 @@ services: - wordpress:/var/www/html - ./scripts:/scripts:ro entrypoint: ["/scripts/wp-init/entrypoint.sh"] + deploy: + resources: + limits: + cpus: '${WP_INIT_CPUS:-0.5}' + memory: ${WP_INIT_MEM_LIMIT:-128M} db-backup: restart: unless-stopped @@ -46,6 +54,11 @@ services: - db_backups:/backups - ./scripts:/scripts:ro entrypoint: ["/scripts/db-backup/entrypoint.sh"] + deploy: + resources: + limits: + cpus: '${DB_BACKUP_CPUS:-0.5}' + memory: ${DB_BACKUP_MEM_LIMIT:-256M} volumes: db_backups: diff --git a/docker-compose.yml b/docker-compose.yml index 7fc781e..208b721 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -46,8 +46,6 @@ services: env_file: .env environment: - SERVER_NAME=${SERVER_NAME} - ports: - - "${HTTP_PORT:-8000}:80" volumes: - wordpress:/var/www/html networks: From b20b46d6ee982484bb7f9b3580e9904bdc2b3feb Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Thu, 1 Jan 2026 13:04:12 +0100 Subject: [PATCH 05/16] feat: php configurations --- docker-compose.dev.yml | 1 + docker-compose.prod.yml | 2 ++ php/zz-dev.ini | 25 +++++++++++++++++++++++++ php/zz-prod.ini | 32 ++++++++++++++++++++++++++++++++ 4 files changed, 60 insertions(+) create mode 100644 php/zz-dev.ini create mode 100644 php/zz-prod.ini diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 1064fdc..01e49de 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -5,6 +5,7 @@ services: wordpress: volumes: + - ./php/zz-dev.ini:/usr/local/etc/php/conf.d/zz-dev.ini:ro - ./src:/var/www/html/wp-content:rw nginx: diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index d6f166c..89fbf0a 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -15,6 +15,8 @@ services: define('WP_ENVIRONMENT_TYPE', 'production'); define('DISALLOW_FILE_EDIT', true); define('DISALLOW_FILE_MODS', true); + volumes: + - ./php/zz-prod.ini:/usr/local/etc/php/conf.d/zz-prod.ini:ro read_only: true tmpfs: - /tmp diff --git a/php/zz-dev.ini b/php/zz-dev.ini new file mode 100644 index 0000000..b764d1f --- /dev/null +++ b/php/zz-dev.ini 
@@ -0,0 +1,25 @@ +; -------------------------------------------------- +; PHP configuration overrides (Development) +; -------------------------------------------------- + +; Increase memory for local development +;memory_limit = 256M + +; Allow longer execution time during development +;max_execution_time = 60 +;max_input_time = 60 + +; Allow larger uploads for media and testing +;upload_max_filesize = 64M +;post_max_size = 64M + +; Display errors for debugging +;display_errors = On +;display_startup_errors = On +;error_reporting = E_ALL + +; Expose PHP version in headers (acceptable in dev) +;expose_php = On + +; Default character set +;default_charset = "UTF-8" diff --git a/php/zz-prod.ini b/php/zz-prod.ini new file mode 100644 index 0000000..9bfb43d --- /dev/null +++ b/php/zz-prod.ini @@ -0,0 +1,32 @@ +; -------------------------------------------------- +; PHP configuration overrides (Production) +; -------------------------------------------------- + +; Limit memory usage to avoid exhausting the host +;memory_limit = 256M + +; Prevent long-running PHP processes +;max_execution_time = 30 +;max_input_time = 30 + +; Reasonable upload limits +;upload_max_filesize = 64M +;post_max_size = 64M + +; Do NOT display errors in production +;display_errors = Off +;display_startup_errors = Off +;error_reporting = E_ALL + +; Log errors instead (handled by container logs) +;log_errors = On + +; Hide PHP version from headers +;expose_php = Off + +; Default character set +;default_charset = "UTF-8" + +; Avoid memory fragmentation issues +;realpath_cache_size = 4096K +;realpath_cache_ttl = 600 From 812485e440984028ab239c6a026ba505ae0903a3 Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Thu, 1 Jan 2026 13:26:21 +0100 Subject: [PATCH 06/16] fix: comment --- php/zz-prod.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/zz-prod.ini b/php/zz-prod.ini index 9bfb43d..3017fbb 100644 --- a/php/zz-prod.ini +++ b/php/zz-prod.ini 
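Review bot: Every directive in the new `php/zz-prod.ini` is commented out with `;`, including `display_errors = Off`, `expose_php = Off` and `log_errors = On`, so mounting the file into `conf.d` changes nothing and the container keeps its built-in PHP defaults, which as far as I know means errors are displayed and the PHP version is exposed, since the official image ships no active `php.ini`. If the intent is to ship the hardening, uncomment at least the error-display and `expose_php` lines; if the file is meant as a template, say so in its header, e.g. `; Template: uncomment the directives you want applied`. The same applies to `php/zz-dev.ini` in the preceding hunk.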
@@ -27,6 +27,6 @@ ; Default character set ;default_charset = "UTF-8" -; Avoid memory fragmentation issues +; Realpath cache for performance ;realpath_cache_size = 4096K ;realpath_cache_ttl = 600 From 4c05533f78071e547796eab8cfb0ce9a266a89ac Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Thu, 1 Jan 2026 16:42:12 +0100 Subject: [PATCH 07/16] fix: small improvements --- docker-compose.dev.yml | 10 +++++----- docker-compose.prod.yml | 2 -- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 01e49de..ab0de4f 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -6,18 +6,18 @@ services: wordpress: volumes: - ./php/zz-dev.ini:/usr/local/etc/php/conf.d/zz-dev.ini:ro - - ./src:/var/www/html/wp-content:rw + - ./src:/var/www/html/wp-content nginx: ports: - "${HTTP_PORT:-8000}:80" volumes: - ./nginx/dev.conf.template:/etc/nginx/templates/default.conf.template:ro - - ./src:/var/www/html/wp-content:rw + - ./src:/var/www/html/wp-content wp-init: volumes: - - ./src:/var/www/html/wp-content:rw + - ./src:/var/www/html/wp-content - ./scripts:/scripts:ro entrypoint: ["/scripts/wp-init/entrypoint.sh"] @@ -41,9 +41,9 @@ services: WORDPRESS_DB_PASSWORD: ${DATABASE_PASSWORD} WORDPRESS_PATH: /var/www/html volumes: - - wordpress:/var/www/html - - ./src:/var/www/html/wp-content:rw + - ./src:/var/www/html/wp-content - ./scripts:/scripts:ro + - wordpress:/var/www/html networks: - internal entrypoint: ["tail", "-f", "/dev/null"] diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 89fbf0a..485319b 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -17,7 +17,6 @@ services: define('DISALLOW_FILE_MODS', true); volumes: - ./php/zz-prod.ini:/usr/local/etc/php/conf.d/zz-prod.ini:ro - read_only: true tmpfs: - /tmp deploy: @@ -41,7 +40,6 @@ services: wp-init: restart: "no" volumes: - - wordpress:/var/www/html - ./scripts:/scripts:ro entrypoint: ["/scripts/wp-init/entrypoint.sh"] deploy: 
From 9a8739783cedc080b5da3daadab3f70e7e71c60a Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Thu, 1 Jan 2026 19:44:28 +0100 Subject: [PATCH 08/16] feat: logs in prod --- .env.example | 6 ++++++ docker-compose.prod.yml | 14 +++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/.env.example b/.env.example index 1cb42b4..271f4db 100644 --- a/.env.example +++ b/.env.example @@ -66,6 +66,12 @@ PHPMYADMIN_PORT=8001 # Production only (docker-compose.prod.yml) # -------------------------------------------------- +# Maximum size of a single container log file +LOG_SIZE=10m + +# Number of rotated log files to keep +LOG_FILES=3 + # Database DB_CPUS=1.0 DB_MEM_LIMIT=1024M diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 485319b..d523724 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -1,5 +1,13 @@ +x-logging: &default-logging + logging: + driver: json-file + options: + max-size: "${LOG_SIZE:-10m}" + max-file: "${LOG_FILES:-3}" + services: database: + <<: *default-logging command: - --character-set-server=utf8mb4 - --collation-server=utf8mb4_unicode_ci @@ -10,6 +18,7 @@ services: memory: ${DB_MEM_LIMIT:-1024M} wordpress: + <<: *default-logging environment: WORDPRESS_CONFIG_EXTRA: | define('WP_ENVIRONMENT_TYPE', 'production'); @@ -26,6 +35,7 @@ services: memory: ${WP_MEM_LIMIT:-512M} nginx: + <<: *default-logging ports: - "80:80" # - "443:443" @@ -38,6 +48,7 @@ services: memory: ${NGINX_MEM_LIMIT:-128M} wp-init: + <<: *default-logging restart: "no" volumes: - ./scripts:/scripts:ro @@ -49,10 +60,11 @@ services: memory: ${WP_INIT_MEM_LIMIT:-128M} db-backup: + <<: *default-logging restart: unless-stopped volumes: - - db_backups:/backups - ./scripts:/scripts:ro + - db_backups:/backups entrypoint: ["/scripts/db-backup/entrypoint.sh"] deploy: resources: From abf0834c1b9e4866b8e4b13e9091c63eeac95f69 Mon Sep 17 00:00:00 2001 
From: Tayfun Gumus Date: Thu, 1 Jan 2026 20:04:49 +0100 Subject: [PATCH 09/16] feat: additional prod configs --- docker-compose.prod.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index d523724..ad518cc 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -19,6 +19,9 @@ services: wordpress: <<: *default-logging + init: true + security_opt: + - no-new-privileges:true environment: WORDPRESS_CONFIG_EXTRA: | define('WP_ENVIRONMENT_TYPE', 'production'); @@ -36,6 +39,9 @@ services: nginx: <<: *default-logging + init: true + security_opt: + - no-new-privileges:true ports: - "80:80" # - "443:443" From e8b85f4f7b63d30aea67dfec678bd9fb777b76a4 Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Fri, 2 Jan 2026 10:03:29 +0100 Subject: [PATCH 10/16] feat: certbot service --- .env.example | 7 ++++++ docker-compose.prod.yml | 22 ++++++++++++++++++- nginx/prod.conf.template | 37 +++++++++++++++++++++++++++++--- scripts/certbot/certbot-renew.sh | 24 +++++++++++++++++++++ scripts/certbot/entrypoint.sh | 15 +++++++++++++ scripts/certbot/lib/terminate.sh | 6 ++++++ 6 files changed, 107 insertions(+), 4 deletions(-) create mode 100644 scripts/certbot/certbot-renew.sh create mode 100644 scripts/certbot/entrypoint.sh create mode 100644 scripts/certbot/lib/terminate.sh diff --git a/.env.example b/.env.example index 271f4db..cb70c4e 100644 --- a/.env.example +++ b/.env.example @@ -91,3 +91,10 @@ WP_INIT_MEM_LIMIT=128M # db-backup DB_BACKUP_CPUS=0.5 DB_BACKUP_MEM_LIMIT=256M + +# Certbot +# Skip certbot service (true/false) +SKIP_CERTBOT=false + +# Certbot renewal interval (s/m/h/d) +CERTBOT_RENEW_INTERVAL=12h diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index ad518cc..7dc6e2f 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml 
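Review bot: `init: true` and `security_opt: [no-new-privileges:true]` are added only to `wordpress` and `nginx`; `database`, `wp-init`, `db-backup` and, two patches on, `certbot` run without them, although `db-backup` and `certbot` host long-lived shell loops and both bind-mount `./scripts` from the host. Unless one of those images needs a setuid step after start, apply the same two keys to every service, ideally through a second reusable fragment next to `x-logging` so the list lives in one place. A short comment on that fragment, `# processes cannot gain privileges via setuid or capabilities after start`, would explain the choice.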
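Review bot: The certbot block documents `SKIP_CERTBOT` and `CERTBOT_RENEW_INTERVAL`, but the `certbot` service added to `docker-compose.prod.yml` in this same patch also reads `${CERTBOT_CPUS:-0.5}` and `${CERTBOT_MEM_LIMIT:-128M}`, which every other service has listed in the "Production only" section. Add `CERTBOT_CPUS=0.5` and `CERTBOT_MEM_LIMIT=128M` here so the resource knobs are discoverable alongside the others.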
@@ -43,10 +43,12 @@ services: security_opt: - no-new-privileges:true ports: - - "80:80" # + - "80:80" - "443:443" volumes: - ./nginx/prod.conf.template:/etc/nginx/templates/default.conf.template:ro + - certbot_conf:/etc/letsencrypt + - certbot_www:/var/www/certbot deploy: resources: limits: @@ -78,5 +80,23 @@ services: cpus: '${DB_BACKUP_CPUS:-0.5}' memory: ${DB_BACKUP_MEM_LIMIT:-256M} + certbot: + <<: *default-logging + image: certbot/certbot:v5.2.2 + container_name: ${CONTAINER_NAME}-certbot + restart: unless-stopped + volumes: + - ./scripts:/scripts:ro + - certbot_conf:/etc/letsencrypt + - certbot_www:/var/www/certbot + entrypoint: ["/scripts/certbot/entrypoint.sh"] + deploy: + resources: + limits: + cpus: '${CERTBOT_CPUS:-0.5}' + memory: ${CERTBOT_MEM_LIMIT:-128M} + volumes: db_backups: + certbot_conf: + certbot_www: diff --git a/nginx/prod.conf.template b/nginx/prod.conf.template index 727da6f..02b6fb0 100644 --- a/nginx/prod.conf.template +++ b/nginx/prod.conf.template @@ -1,5 +1,6 @@ server { - listen 443 ssl http2; + listen 443 ssl; + http2 on; server_name ${SERVER_NAME}; root /var/www/html; 
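Review bot: The `certbot` service renews certificates into `certbot_conf`, but nothing tells `nginx` to reload afterwards; nginx reads `fullchain.pem` and `privkey.pem` once at startup, so after a renewal it keeps serving the expiring certificate until the container is restarted. Add a reload step to the renewal (a `--deploy-hook` that signals nginx, or a periodic `nginx -s reload` on the nginx side) and record the dependency with a comment on the service, e.g. `# nginx must reload after renewal; see scripts/certbot`. The service also lacks the `init: true` and `no-new-privileges` settings given to `wordpress` and `nginx` in the previous patch, although it runs a long-lived loop from a host-mounted script; align it with those two.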
@@ -8,17 +9,47 @@ server { ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; - add_header Strict-Transport-Security "max-age=31536000" always; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers off; + + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header Referrer-Policy strict-origin-when-cross-origin; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { - fastcgi_pass wordpress:9000; include fastcgi_params; + fastcgi_pass wordpress:9000; + fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + fastcgi_buffers 16 16k; + fastcgi_buffer_size 32k; + fastcgi_read_timeout 60s; + } + + location ~ /\.(?!well-known) { + deny all; + } +} + +server { + listen 80; + server_name ${SERVER_NAME}; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$host$request_uri; } } diff --git a/scripts/certbot/certbot-renew.sh b/scripts/certbot/certbot-renew.sh new file mode 100644 index 0000000..69317e6 --- /dev/null +++ b/scripts/certbot/certbot-renew.sh @@ -0,0 +1,24 @@ +#!/bin/sh +set -e + +. /scripts/certbot/lib/terminate.sh + +CERTBOT_RENEW_INTERVAL="${CERTBOT_RENEW_INTERVAL:-12h}" + +trap terminate TERM INT + +echo "[$(date)] Certbot renewal service started" +echo "[$(date)] Renewal interval: ${CERTBOT_RENEW_INTERVAL}" + +while true; do + echo "[$(date)] Checking certificates..." + + if certbot renew --webroot -w /var/www/certbot --quiet; then + echo "[$(date)] Renewal check completed" + else + echo "[$(date)] Renewal failed" + fi + + echo "[$(date)] Next check in ${CERTBOT_RENEW_INTERVAL}" + sleep "${CERTBOT_RENEW_INTERVAL}" +done 
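Review bot: On a fresh host the 443 `server` block references `/etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem` before any certificate has been issued, and nginx refuses to start when an `ssl_certificate` file is missing; because the ACME HTTP-01 challenge in the new port-80 block is served by that same nginx, the first `certbot` run can never succeed. Provide an initial-issuance path (a bootstrap config without the TLS block, or a self-signed placeholder until the first `certbot certonly`) and document it in a comment next to the `ssl_certificate` lines. Two smaller points: `return 301 https://$host$request_uri;` echoes the client's Host header into `Location`, so `https://$server_name$request_uri` is the tighter choice when a single name is served, and `X-XSS-Protection "1; mode=block"` is a legacy header that current guidance commonly sets to `0` or omits.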
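Review bot: `trap terminate TERM INT` cannot fire while the foreground `sleep "${CERTBOT_RENEW_INTERVAL}"` is running, because a POSIX shell runs traps only after the current foreground command finishes; with a 12h interval, `docker stop` waits out its grace period and then SIGKILLs the container, so `terminate` never runs. Run the sleep in the background and wait on it, `sleep "${CERTBOT_RENEW_INTERVAL}" & wait $!`, so the signal interrupts the wait and the handler executes. The same loop is moved unchanged to `scripts/certbot/certbot-renew/certbot-renew.sh` in patch 15, where the fix should land too. A comment above the loop, `# never exits on renewal failure; only TERM/INT stop it`, would make the intended behaviour explicit.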
diff --git a/scripts/certbot/entrypoint.sh b/scripts/certbot/entrypoint.sh new file mode 100644 index 0000000..b9af5ce --- /dev/null +++ b/scripts/certbot/entrypoint.sh @@ -0,0 +1,15 @@ +#!/bin/sh +set -e + +if [ "${SKIP_CERTBOT}" = "true" ]; then + echo "Certbot service skipped" + exit 0 +fi + +if [ ! -x /scripts/certbot/certbot-renew.sh ]; then + echo "Error: certbot-renew.sh not found or not executable" + exit 1 +fi + +echo "Starting Certbot renewal service" +/scripts/certbot/certbot-renew.sh diff --git a/scripts/certbot/lib/terminate.sh b/scripts/certbot/lib/terminate.sh new file mode 100644 index 0000000..09ff2d1 --- /dev/null +++ b/scripts/certbot/lib/terminate.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +terminate() { + echo "[$(date)] Stopping certbot renewal service" + exit 0 +} From 9188d8efa7cf8a0afdfa2ad0c7108e811d66d6c1 Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Fri, 2 Jan 2026 10:07:13 +0100 Subject: [PATCH 11/16] fix: server nginx --- nginx/prod.conf.template | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/nginx/prod.conf.template b/nginx/prod.conf.template index 02b6fb0..f2cc578 100644 --- a/nginx/prod.conf.template +++ b/nginx/prod.conf.template @@ -1,3 +1,16 @@ +server { + listen 80; + server_name ${SERVER_NAME}; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$host$request_uri; + } +} + server { listen 443 ssl; http2 on; @@ -40,16 +53,3 @@ server { deny all; } } - -server { - listen 80; - server_name ${SERVER_NAME}; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - location / { - return 301 https://$host$request_uri; - } -} From f78d9b1d39db210a07380f2bb53a9632c1a04aa1 Mon Sep 17 00:00:00 2001 
From: Tayfun Gumus Date: Fri, 2 Jan 2026 10:14:42 +0100 Subject: [PATCH 12/16] refactor: nginx template readability --- nginx/dev.conf.template | 4 +++- nginx/prod.conf.template | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/nginx/dev.conf.template b/nginx/dev.conf.template index 385090d..1cac9f2 100644 --- a/nginx/dev.conf.template +++ b/nginx/dev.conf.template @@ -10,11 +10,13 @@ server { } location ~ \.php$ { + include fastcgi_params; try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass wordpress:9000; fastcgi_index index.php; - include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; } diff --git a/nginx/prod.conf.template b/nginx/prod.conf.template index f2cc578..ce89145 100644 --- a/nginx/prod.conf.template +++ b/nginx/prod.conf.template @@ -40,6 +40,7 @@ server { location ~ \.php$ { include fastcgi_params; + fastcgi_pass wordpress:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; From 182bbe320f6b3d3e5b0e6b5ac2076b6e3f6a4454 Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Fri, 2 Jan 2026 10:16:14 +0100 Subject: [PATCH 13/16] refactor: dev nginx template --- nginx/dev.conf.template | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nginx/dev.conf.template b/nginx/dev.conf.template index 1cac9f2..64a0e44 100644 --- a/nginx/dev.conf.template +++ b/nginx/dev.conf.template @@ -4,7 +4,11 @@ server { root /var/www/html; index index.php index.html; - + + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + location / { try_files $uri $uri/ /index.php?$args; } @@ -24,8 +28,4 @@ server { location ~ /\.ht { deny all; } - - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options "nosniff"; - add_header X-XSS-Protection "1; mode=block"; } \ No newline at end of file 
From b73e9b4add7dfaefc546f733d1ca541fab6b9ef4 Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Fri, 2 Jan 2026 10:53:41 +0100 Subject: [PATCH 14/16] fix: small improvement --- docker-compose.prod.yml | 2 ++ scripts/certbot/certbot-renew.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 7dc6e2f..1d607ce 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -85,6 +85,8 @@ services: image: certbot/certbot:v5.2.2 container_name: ${CONTAINER_NAME}-certbot restart: unless-stopped + tmpfs: + - /var/lib/letsencrypt volumes: - ./scripts:/scripts:ro - certbot_conf:/etc/letsencrypt diff --git a/scripts/certbot/certbot-renew.sh b/scripts/certbot/certbot-renew.sh index 69317e6..813d553 100644 --- a/scripts/certbot/certbot-renew.sh +++ b/scripts/certbot/certbot-renew.sh @@ -19,6 +19,6 @@ while true; do echo "[$(date)] Renewal failed" fi - echo "[$(date)] Next check in ${CERTBOT_RENEW_INTERVAL}" + echo "[$(date)] Waiting ${CERTBOT_RENEW_INTERVAL} for next check..." sleep "${CERTBOT_RENEW_INTERVAL}" done From e219bcc4e87249e015dd14c7e22521ea2532e439 Mon Sep 17 00:00:00 2001 From: Tayfun Gumus Date: Fri, 2 Jan 2026 18:15:46 +0100 Subject: [PATCH 15/16] feat: certbot renew task --- scripts/certbot/certbot-renew.sh | 24 ------------------- .../certbot/certbot-renew/certbot-renew.sh | 24 +++++++++++++++++++ .../certbot/certbot-renew/lib/terminate.sh | 6 +++++ scripts/certbot/entrypoint.sh | 12 +++++----- scripts/certbot/execute-certbot-tasks.sh | 4 ++++ scripts/certbot/lib/terminate.sh | 6 ----- 6 files changed, 40 insertions(+), 36 deletions(-) delete mode 100644 scripts/certbot/certbot-renew.sh create mode 100644 scripts/certbot/certbot-renew/certbot-renew.sh create mode 100644 scripts/certbot/certbot-renew/lib/terminate.sh create mode 100644 scripts/certbot/execute-certbot-tasks.sh delete mode 100644 scripts/certbot/lib/terminate.sh 
diff --git a/scripts/certbot/certbot-renew.sh b/scripts/certbot/certbot-renew.sh
deleted file mode 100644
index 813d553..0000000
--- a/scripts/certbot/certbot-renew.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-set -e
-
-. /scripts/certbot/lib/terminate.sh
-
-CERTBOT_RENEW_INTERVAL="${CERTBOT_RENEW_INTERVAL:-12h}"
-
-trap terminate TERM INT
-
-echo "[$(date)] Certbot renewal service started"
-echo "[$(date)] Renewal interval: ${CERTBOT_RENEW_INTERVAL}"
-
-while true; do
- echo "[$(date)] Checking certificates..."
-
- if certbot renew --webroot -w /var/www/certbot --quiet; then
- echo "[$(date)] Renewal check completed"
- else
- echo "[$(date)] Renewal failed"
- fi
-
- echo "[$(date)] Waiting ${CERTBOT_RENEW_INTERVAL} for next check..."
- sleep "${CERTBOT_RENEW_INTERVAL}"
-done
diff --git a/scripts/certbot/certbot-renew/certbot-renew.sh b/scripts/certbot/certbot-renew/certbot-renew.sh
new file mode 100644
index 0000000..1657b7f
--- /dev/null
+++ b/scripts/certbot/certbot-renew/certbot-renew.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+. /scripts/certbot/certbot-renew/lib/terminate.sh
+
+CERTBOT_RENEW_INTERVAL="${CERTBOT_RENEW_INTERVAL:-12h}"
+
+trap terminate TERM INT
+
+echo "Certbot renewal service started"
+echo "Renewal interval: ${CERTBOT_RENEW_INTERVAL}"
+
+while true; do
+ echo "Checking certificates..."
+
+ if certbot renew --webroot -w /var/www/certbot --quiet; then
+ echo "Renewal check completed"
+ else
+ echo "Renewal failed"
+ fi
+
+ echo "Waiting ${CERTBOT_RENEW_INTERVAL} for next check..."
+ sleep "${CERTBOT_RENEW_INTERVAL}"
+done
diff --git a/scripts/certbot/certbot-renew/lib/terminate.sh b/scripts/certbot/certbot-renew/lib/terminate.sh
new file mode 100644
index 0000000..079f439
--- /dev/null
+++ b/scripts/certbot/certbot-renew/lib/terminate.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+terminate() {
+ echo "Stopping certbot renewal service"
+ exit 0
+}
diff --git a/scripts/certbot/entrypoint.sh b/scripts/certbot/entrypoint.sh
index b9af5ce..4ca9518 100644
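Review bot: The `trap terminate TERM INT` in the new certbot-renew.sh cannot run while the script is blocked in the foreground `sleep "${CERTBOT_RENEW_INTERVAL}"`, because a POSIX shell defers trap handlers until the foreground command returns, so `docker stop` will sit out its full stop timeout and SIGKILL the container instead of logging "Stopping certbot renewal service"; run the sleep in the background and wait on it, `sleep "${CERTBOT_RENEW_INTERVAL}" & wait $!`, so the trap fires promptly. In this patch the signal does not even reach this script, since entrypoint.sh and execute-certbot-tasks.sh invoke the next script without `exec`, leaving the outer shell as PID 1; `exec /scripts/certbot/execute-certbot-tasks.sh` and `exec /scripts/certbot/certbot-renew/certbot-renew.sh` would fix that chain. Nothing in the loop reloads the nginx service after a successful renewal, so unless nginx re-reads `certbot_conf` on its own (not visible in this series) a renewed certificate will not be served until nginx is restarted; that is worth a comment at the top of the script. The same loop body is carried forward by the later edit of this file in PATCH 16/16.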
--- a/scripts/certbot/entrypoint.sh
+++ b/scripts/certbot/entrypoint.sh
@@ -1,15 +1,15 @@
 #!/bin/sh
 set -e
-if [ "${SKIP_CERTBOT}" = "true" ]; then
- echo "Certbot service skipped"
+if [ "${SKIP_CERTBOT_TASKS}" = "true" ]; then
+ echo "Certbot tasks skipped"
 exit 0
 fi
-if [ ! -x /scripts/certbot/certbot-renew.sh ]; then
- echo "Error: certbot-renew.sh not found or not executable"
+if [ ! -x /scripts/certbot/execute-certbot-tasks.sh ]; then
+ echo "Error: execute-certbot-tasks.sh not found or not executable"
 exit 1
 fi
-echo "Starting Certbot renewal service"
-/scripts/certbot/certbot-renew.sh
+echo "Executing certbot tasks"
+/scripts/certbot/execute-certbot-tasks.sh
diff --git a/scripts/certbot/execute-certbot-tasks.sh b/scripts/certbot/execute-certbot-tasks.sh
new file mode 100644
index 0000000..b1763d5
--- /dev/null
+++ b/scripts/certbot/execute-certbot-tasks.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -e
+
+/scripts/certbot/certbot-renew/certbot-renew.sh
diff --git a/scripts/certbot/lib/terminate.sh b/scripts/certbot/lib/terminate.sh
deleted file mode 100644
index 09ff2d1..0000000
--- a/scripts/certbot/lib/terminate.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-terminate() {
- echo "[$(date)] Stopping certbot renewal service"
- exit 0
-}

From 919d1f70207922e59f6c3af0a59b0275b37f78ed Mon Sep 17 00:00:00 2001
From: Tayfun Gumus
Date: Mon, 5 Jan 2026 10:49:02 +0100
Subject: [PATCH 16/16] feat: certbot targets

---
 .env.example | 4 ++--
 Makefile | 20 ++++++++++++++++++-
 docker-compose.prod.yml | 7 +++++--
 .../certbot-dry-run/certbot-dry-run.sh | 8 ++++++++
 .../certbot-first-issue.sh | 19 ++++++++++++++++++
 .../certbot/certbot-renew/certbot-renew.sh | 6 ++----
 scripts/certbot/entrypoint.sh | 15 --------------
 scripts/certbot/execute-certbot-tasks.sh | 4 ----
 8 files changed, 55 insertions(+), 28 deletions(-)
 create mode 100644 scripts/certbot/certbot-dry-run/certbot-dry-run.sh
 create mode 100644 scripts/certbot/certbot-first-issue/certbot-first-issue.sh
 delete mode 100644 scripts/certbot/entrypoint.sh
 delete mode 100644 scripts/certbot/execute-certbot-tasks.sh

diff --git a/.env.example b/.env.example
index cb70c4e..3bff736 100644
--- a/.env.example
+++ b/.env.example
@@ -93,8 +93,8 @@ DB_BACKUP_CPUS=0.5
 DB_BACKUP_MEM_LIMIT=256M
 # Certbot
-# Skip certbot service (true/false)
-SKIP_CERTBOT=false
+# Email used for Let's Encrypt registration
+LETSENCRYPT_EMAIL=admin@example.com
 # Certbot renewal interval (s/m/h/d)
 CERTBOT_RENEW_INTERVAL=12h
diff --git a/Makefile b/Makefile
index e5ee3e1..58e06ca 100644
--- a/Makefile
+++ b/Makefile
@@ -41,5 +41,23 @@ down-prod:
 logs-prod:
 @$(COMPOSE_PROD) logs -f
+certbot-first-issue:
+ @$(COMPOSE_PROD) run --rm \
+ --entrypoint sh \
+ certbot \
+ /scripts/certbot/certbot-first-issue/certbot-first-issue.sh
+
+certbot-dry-run:
+ @$(COMPOSE_PROD) run --rm \
+ --entrypoint sh \
+ certbot \
+ /scripts/certbot/certbot-dry-run/certbot-dry-run.sh
+
+certbot-renew:
+ @$(COMPOSE_PROD) run --rm \
+ --entrypoint sh \
+ certbot \
+ /scripts/certbot/certbot-renew/certbot-renew.sh
+
 .PHONY: up down clean reset logs sync-site-url db-backup db-restore \
- up-prod down-prod logs-prod
+ up-prod down-prod logs-prod certbot-first-issue certbot-dry-run certbot-renew
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 1d607ce..fb7b5d5 100644
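Review bot: `certbot-renew` runs the never-ending renewal loop attached to the caller's terminal through `run --rm`, so renewal stops as soon as that shell goes away, and the compose change in this same patch removes the service's own `entrypoint` and `restart` policy, so nothing else starts it; if this target is meant as the manual, foreground variant, say so on the target, e.g. `# foreground loop for manual use; the certbot service does not renew unattended on its own`, so operators do not assume certificates keep renewing after `make up-prod`. `certbot-first-issue` relies on the nginx service already serving `/var/www/certbot` on port 80 for the webroot challenge, which is worth a one-line comment on that target as well. Consider adding `-T` to these `run` invocations, as the `db-*` targets do for `exec`, so they also work from non-interactive callers.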
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -84,14 +84,17 @@ services:
 <<: *default-logging
 image: certbot/certbot:v5.2.2
 container_name: ${CONTAINER_NAME}-certbot
- restart: unless-stopped
+ env_file: .env
+ environment:
+ SERVER_NAME: ${SERVER_NAME}
+ LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
+ CERTBOT_RENEW_INTERVAL: ${CERTBOT_RENEW_INTERVAL:-12h}
 tmpfs:
 - /var/lib/letsencrypt
 volumes:
 - ./scripts:/scripts:ro
 - certbot_conf:/etc/letsencrypt
 - certbot_www:/var/www/certbot
- entrypoint: ["/scripts/certbot/entrypoint.sh"]
 deploy:
 resources:
 limits:
diff --git a/scripts/certbot/certbot-dry-run/certbot-dry-run.sh b/scripts/certbot/certbot-dry-run/certbot-dry-run.sh
new file mode 100644
index 0000000..4d18ff1
--- /dev/null
+++ b/scripts/certbot/certbot-dry-run/certbot-dry-run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+echo "Running Certbot dry-run (renew simulation)"
+
+certbot renew --dry-run
+
+echo "Dry-run completed successfully"
diff --git a/scripts/certbot/certbot-first-issue/certbot-first-issue.sh b/scripts/certbot/certbot-first-issue/certbot-first-issue.sh
new file mode 100644
index 0000000..d249d74
--- /dev/null
+++ b/scripts/certbot/certbot-first-issue/certbot-first-issue.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+. /scripts/utils/check-required-vars.sh
+
+check_required_vars "SERVER_NAME LETSENCRYPT_EMAIL"
+
+echo "Requesting first Let's Encrypt certificate for $SERVER_NAME"
+
+certbot certonly \
+ --webroot \
+ --webroot-path /var/www/certbot \
+ --domain "$SERVER_NAME" \
+ --email "$LETSENCRYPT_EMAIL" \
+ --agree-tos \
+ --no-eff-email \
+ --non-interactive
+
+echo "Certificate successfully issued"
diff --git a/scripts/certbot/certbot-renew/certbot-renew.sh b/scripts/certbot/certbot-renew/certbot-renew.sh
index 1657b7f..bed3543 100644
--- a/scripts/certbot/certbot-renew/certbot-renew.sh
+++ b/scripts/certbot/certbot-renew/certbot-renew.sh
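Review bot: The new `env_file: .env` line injects every variable in `.env` into the certbot container, although the three values it needs (`SERVER_NAME`, `LETSENCRYPT_EMAIL`, `CERTBOT_RENEW_INTERVAL`) are already mapped explicitly under `environment:`, so whatever database and other credentials that shared settings file holds become readable inside an internet-facing ACME client that has no use for them; drop the `env_file` line and keep the explicit mapping. Removing `restart: unless-stopped` and `entrypoint:` without adding a replacement means `up-prod` now starts this service with the image's own entrypoint (`certbot` with no subcommand, as far as I know), which is not a renewal loop, so unattended renewal now depends entirely on someone keeping `make certbot-renew` running; if that is intended, say so in a comment on the service, otherwise set `entrypoint: ["sh", "/scripts/certbot/certbot-renew/certbot-renew.sh"]` (matching the `--entrypoint sh` form the Makefile targets use) and restore the restart policy. The `tmpfs` for `/var/lib/letsencrypt` and the `:ro` mount of `./scripts` are good least-privilege choices and worth keeping as they are.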
@@ -3,20 +3,18 @@ set -e
 . /scripts/certbot/certbot-renew/lib/terminate.sh
-CERTBOT_RENEW_INTERVAL="${CERTBOT_RENEW_INTERVAL:-12h}"
-
 trap terminate TERM INT
 echo "Certbot renewal service started"
 echo "Renewal interval: ${CERTBOT_RENEW_INTERVAL}"
 while true; do
- echo "Checking certificates..."
+ echo "Checking certificates"
 if certbot renew --webroot -w /var/www/certbot --quiet; then
 echo "Renewal check completed"
 else
- echo "Renewal failed"
+ echo "Renewal check returned non-zero status (may be expected)"
 fi
 echo "Waiting ${CERTBOT_RENEW_INTERVAL} for next check..."
diff --git a/scripts/certbot/entrypoint.sh b/scripts/certbot/entrypoint.sh
deleted file mode 100644
index 4ca9518..0000000
--- a/scripts/certbot/entrypoint.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ "${SKIP_CERTBOT_TASKS}" = "true" ]; then
- echo "Certbot tasks skipped"
- exit 0
-fi
-
-if [ ! -x /scripts/certbot/execute-certbot-tasks.sh ]; then
- echo "Error: execute-certbot-tasks.sh not found or not executable"
- exit 1
-fi
-
-echo "Executing certbot tasks"
-/scripts/certbot/execute-certbot-tasks.sh
diff --git a/scripts/certbot/execute-certbot-tasks.sh b/scripts/certbot/execute-certbot-tasks.sh
deleted file mode 100644
index b1763d5..0000000
--- a/scripts/certbot/execute-certbot-tasks.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-set -e
-
-/scripts/certbot/certbot-renew/certbot-renew.sh
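Review bot: Dropping `CERTBOT_RENEW_INTERVAL="${CERTBOT_RENEW_INTERVAL:-12h}"` leaves the only default in the compose file, so running this script any other way with the variable unset reaches `sleep ""` (outside the hunk), which fails and, under `set -e`, ends the loop after the first check; keeping an in-script fallback is cheap, `: "${CERTBOT_RENEW_INTERVAL:=12h}"`. The new message "Renewal check returned non-zero status (may be expected)" softens a real signal: as far as I know `certbot renew` exits non-zero only when an attempted renewal actually failed, not when nothing was due, so the old "Renewal failed" wording was the accurate one and the branch should keep reading as a failure in `logs-prod`. The `while` loop continues past the end of the hunk.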