diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2a78f433d9b7d86a16a545f32a6d5b84752611ce..a30af8098d3f865f849dc2eeecd952fc812d4d00 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,45 +16,69 @@ before_script:
 
 .build: &build
   stage: build
-  only: &build-only
+  script:
+  - TARGET=${CI_JOB_NAME##*:}
+  - BUILD_TAG=${CI_REGISTRY_IMAGE}/${TARGET}/build:${CI_PIPELINE_ID}
+  - docker build .
+    --pull=true
+    --tag=${BUILD_TAG}
+    --target=${TARGET}
+    ${NGINX_VERSION:+--build-arg=nginx_version=$NGINX_VERSION}
+    ${PHP_VERSION:+--build-arg=php_version=$PHP_VERSION}
+    ${WORDPRESS_VERSION:+--build-arg=wp_version=$WORDPRESS_VERSION}
+  - docker push ${BUILD_TAG}
+
+.changes: &only-changes
+  only: &change-files
     changes:
+    - .gitlab-ci.yml
     - Dockerfile
     - data/*
     - plugins/*
     - scripts/*
-  script:
-  - docker build .
-    --pull=true
-    --tag=${CI_REGISTRY_IMAGE}/${CI_JOB_NAME#build-}/build:${CI_PIPELINE_ID}
-    ${TARGET+--target=$TARGET}
-  after_script:
-  - docker push
-    ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME#build-}/build:${CI_PIPELINE_ID}
-
-build-fastcgi:
-  <<: *build
-build-nginx:
-  <<: *build
-  variables:
-    TARGET: nginx
+
+.merge-requests: &only-merge-requests
+  only:
+    << : *change-files
+    refs:
+    - merge_requests
+
+build-master:fastcgi:
+  << : [ *build ]
+  only: [ master, schedules ]
+build-master:nginx:
+  << : [ *build ]
+  only: [ master, schedules ]
+
+build-mr:fastcgi:
+  << : [ *build, *only-merge-requests ]
+build-mr:nginx:
+  << : [ *build, *only-merge-requests ]
+
+build:fastcgi:
+  << : [ *build, *only-changes ]
+  except: [ merge_requests, master, schedules ]
+build:nginx:
+  << : [ *build, *only-changes ]
+  except: [ merge_requests, master, schedules ]
 
 
 .push-tags: &push-tags
   stage: deploy
   only:
-    <<: *build-only
-    refs: [master, develop]
+    << : *change-files
+    refs: [ master, develop, schedules ]
   script: |
-    BUILD_REPO=${CI_REGISTRY_IMAGE}/${CI_JOB_NAME#push-}/build:${CI_PIPELINE_ID}
-    DEPLOY_REPO=${CI_REGISTRY_IMAGE}/${CI_JOB_NAME#push-}
+    BUILD_REPO=${CI_REGISTRY_IMAGE}/${CI_JOB_NAME##*:}/build:${CI_PIPELINE_ID}
+    DEPLOY_REPO=${CI_REGISTRY_IMAGE}/${CI_JOB_NAME##*:}
     VERSION=`eval "docker run --rm ${BUILD_REPO} ${GET_VERSION}"`
     . scripts/deploy.sh
 
-push-fastcgi:
+push:fastcgi:
   <<: *push-tags
   variables:
     GET_VERSION: wp core version
-push-nginx:
+push:nginx:
   <<: *push-tags
   variables:
     GET_VERSION: nginx -V 2>&1 | sed -n '/nginx version:/s/.*nginx\///p'
diff --git a/Dockerfile b/Dockerfile
index 6ac80d3b9ae9d48dd8d2e35989a0650c678b4906..6c38af46ca8ae4e853189838b29fd43b53a25ee8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,15 +4,19 @@ ARG nginx_version=latest
 FROM nginx:${nginx_version} as nginx
 LABEL uk.org.kodo.maintainer = "Dom Sekotill <dom.sekotill@kodo.org.uk>"
 COPY data/nginx.conf /etc/nginx/conf.d/default.conf
+COPY data/fastcgi.nginx.conf /etc/nginx/fastcgi.conf
+COPY data/cache-bust.nginx.conf /etc/nginx/cache-bust.conf
+COPY data/5*.html /app/html/
 
 
-FROM php:7.3-fpm-alpine as deps
+ARG php_version=
+FROM php:${php_version:+$php_version-}fpm-alpine as deps
 RUN --mount=type=bind,source=scripts/install-deps.sh,target=/stage /stage
 
 FROM deps as compile
 RUN --mount=type=bind,source=scripts/compile.sh,target=/stage /stage
 
-FROM deps
+FROM deps as fastcgi
 
 LABEL uk.org.kodo.maintainer "Dom Sekotill <dom.sekotill@kodo.org.uk>"
 
@@ -20,13 +24,14 @@ ARG wp_version=latest
 WORKDIR /app
 ENV WORDPRESS_ROOT=/app
 
-COPY scripts/wp.sh /usr/local/bin/wp
 COPY --from=compile /usr/local/etc/php /usr/local/etc/php
 COPY --from=compile /usr/local/lib/php /usr/local/lib/php
+COPY scripts/wp.sh /usr/local/bin/wp
+COPY data/composer.json /app/composer.json
 RUN --mount=type=bind,source=scripts/install-wp.sh,target=/stage \
     /stage ${wp_version}
 
-COPY plugins/probe.php wp-content/mu-plugins/
+COPY plugins/* wp-content/mu-plugins/
 COPY data/fpm.conf /usr/local/etc/php-fpm.d/image.conf
 COPY data/opcache.ini /usr/local/etc/php/conf.d/opcache-recommended.ini
 COPY data/wp-config.php /usr/share/wordpress/wp-config.php
diff --git a/data/502.html b/data/502.html
new file mode 100644
index 0000000000000000000000000000000000000000..3e722061a0597d604be80189cd5b651b43010207
--- /dev/null
+++ b/data/502.html
@@ -0,0 +1,107 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" class="wp-toolbar" lang="en-GB">
+	<head>
+		<meta charset="utf-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+		<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" />
+		<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
+		<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js" defer="defer"></script>
+		<title>Site Unavailable</title>
+		<script>
+			var check = false;
+
+			function sleep(delay_ms) {
+				return new Promise((resolve) => setTimeout(resolve, delay_ms));
+			}
+
+			function head(url) {
+				return new Promise((resolve, reject) => {
+					jQuery.ajax({
+						url: url,
+						method: 'HEAD',
+						success: resolve,
+						error: reject,
+					});
+				})
+			}
+
+			$(document).ready(function() {
+				$('#checkModal')
+					.on('hide.bs.modal', function() {
+						check = false;
+					})
+					.on('shown.bs.modal', async function() {
+						check = true;
+						while (check) {
+							await sleep(1000);
+							try {
+								await head('#');
+							} catch (err) {
+								if (err.status === undefined)
+									throw err;
+								if (err.status == 502)
+									continue;
+							}
+							// non-502 code received
+							window.location.reload();
+						}
+					})
+					.modal('show');
+			});
+		</script>
+		<style>
+			.vertical-center {
+				min-height: 100%;
+				min-height:100vh;
+				display: flex;
+				align-items: center;
+			}
+		</style>
+	</head>
+	<body>
+		<div class="modal fade" tabindex="-1" id="checkModal" role="dialog" aria-labelledby="#checkModalLabel">
+			<div class="modal-dialog" role="document">
+				<div class="modal-content">
+
+					<!-- header -->
+					<div class="modal-header">
+						<h4 class="modal-title" id="checkModalLabel">Site Unavailable</h4>
+					</div>
+
+					<!-- body -->
+					<div class="modal-body">
+						<p>The page will reload automatically when the site becomes
+							available &#x2026;</p>
+					</div>
+
+					<!-- footer -->
+					<div class="modal-footer">
+						<button type="button" class="btn btn-danger" data-dismiss="modal">
+							<span class="spinner-border spinner-border-sm"></span>
+							Cancel
+						</button>
+					</div>
+
+				</div>
+			</div>
+		</div>
+
+		<div class="vertical-center">
+			<div class="container">
+
+				<div class="d-flex justify-content-center align-items-center">
+					<div class="p-2">
+						<h1>Site Unavailable</h1>
+						<p>This site is currently unavailable</p>
+						<button type="button" class="btn btn-primary" data-toggle="modal" data-target="#checkModal">
+							Check availability
+						</button>
+					</div>
+				</div>
+
+			</div>
+		</div>
+
+	</body>
+</html>
diff --git a/data/cache-bust.nginx.conf b/data/cache-bust.nginx.conf
new file mode 100644
index 0000000000000000000000000000000000000000..fa5c8ed0e95b4eefc612d99cedec7feb77528b39
--- /dev/null
+++ b/data/cache-bust.nginx.conf
@@ -0,0 +1 @@
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
diff --git a/data/composer.json b/data/composer.json
new file mode 100644
index 0000000000000000000000000000000000000000..c028f78b051f0f31074739ee76689ab6e3514fbd
--- /dev/null
+++ b/data/composer.json
@@ -0,0 +1,21 @@
+{
+	"type": "project",
+	"license": "MPL-2.0",
+	"repositories": [
+		{
+			"type": "gitlab",
+			"url": "https://code.kodo.org.uk/singing-chimes.co.uk/s3-uploads"
+		}
+	],
+	"require": {
+		"humanmade/s3-uploads": "dev-develop"
+	},
+	"config": {
+		"gitlab-domains": [ "code.kodo.org.uk" ]
+	},
+	"extra": {
+		"installer-paths": {
+			"wp-content/mu-plugins/{$name}/": [ "type:wordpress-plugin" ]
+		}
+	}
+}
diff --git a/data/fastcgi.nginx.conf b/data/fastcgi.nginx.conf
new file mode 100644
index 0000000000000000000000000000000000000000..321efe261dbb98bcc6ff0c943739c2c04a504e7e
--- /dev/null
+++ b/data/fastcgi.nginx.conf
@@ -0,0 +1,26 @@
+fastcgi_pass upstream:9000;
+
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_FILENAME    /app$fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      /app;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $http_x_forwarded_proto;
+fastcgi_param  HTTPS              $forwarded_https;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_NAME        $server_name;
+fastcgi_param  SERVER_ADDR        $http_x_forwarded_host;
+fastcgi_param  SERVER_PORT        $http_x_forwarded_port;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;
diff --git a/data/fpm.conf b/data/fpm.conf
index 20bd27fc785cfb90c09360d2d5f3ef88a32d9eb7..407f3aed220fdb0a150f33e66811ad2031718ecd 100644
--- a/data/fpm.conf
+++ b/data/fpm.conf
@@ -1 +1,4 @@
 access.format = "[%{%Y-%m-%dT%H:%M:%S%z}t] %{REMOTE_ADDR}e %m %{REQUEST_URI}e %s time=%{mili}d ms;"
+
+ping.path = "/.probe"
+ping.response = "OK"
diff --git a/data/nginx.conf b/data/nginx.conf
index 8f5fb750aeaa53137c31a6574d458a33085212ff..ebf21c51c875fd858cffb6372655db73af37d530 100644
--- a/data/nginx.conf
+++ b/data/nginx.conf
@@ -5,9 +5,12 @@ map $http_x_forwarded_proto $forwarded_https {
 
 log_format clear '[$time_iso8601] $remote_addr '
                  '$request_method $request_uri $status '
-				 ' sent=$body_bytes_sent bytes;'
-				 ' referrer=$http_referer;'
-				 ' user-agent=$http_user_agent';
+                 ' sent=$body_bytes_sent bytes;'
+                 ' referrer=$http_referer;'
+                 ' user-agent=$http_user_agent';
+
+fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=ERR:1m inactive=1d;
+fastcgi_cache_key "$scheme$request_method$host$request_uri";
 
 server {
 	listen 80;
@@ -25,16 +28,31 @@ server {
 	# Add Cache-Control headers for static files, removed in *.php location
 	add_header Cache-Control "public, max-age=7776000, stale-while-revalidate=86400, stale-if-error=604800";
 
-	location ~ \.php$ {
-		include fastcgi_params;
-		fastcgi_param SCRIPT_FILENAME /app$fastcgi_script_name;
-		fastcgi_param DOCUMENT_ROOT /app;
-		fastcgi_param REQUEST_SCHEME $http_x_forwarded_proto;
-		fastcgi_param HTTPS $forwarded_https;
-		fastcgi_param SERVER_ADDR $http_x_forwarded_host;
-		fastcgi_param SERVER_PORT $http_x_forwarded_port;
-		add_header X-Clacks-Overhead "GNU Terry Pratchett";
-		fastcgi_pass upstream:9000;
+	error_page 404 /errors/404;
+	error_page 502 /errors/502.html;
+
+	location /errors {
+		alias /app/html;
+		internal;
+
+		location /errors/404 {
+			include fastcgi.conf;
+			fastcgi_param SCRIPT_FILENAME /app/index.php;
+			fastcgi_cache ERR;
+			fastcgi_cache_valid 404 1d;
+		}
+	}
+
+	location @index {
+		include fastcgi.conf;
+		include cache-bust.conf;
+		fastcgi_param SCRIPT_FILENAME /app/index.php;
+	}
+
+	location = /.probe {
+		include fastcgi.conf;
+		fastcgi_param SCRIPT_NAME /.probe;
+		access_log off;
 	}
 
 	# Don't return 200 for a missing favicon
@@ -49,25 +67,22 @@ server {
 		try_files $uri =404;
 	}
 
-	# block the XMLRPC script
-	location = /xmlrpc.php {
-		return 404;
-	}
-
-	# block external cron triggers
-	location = /wp-cron.php {
-		return 404;
-	}
-
 	# allow the new JSON REST API
 	location /wp-json/ {
-		rewrite ^ /index.php$is_args$args last;
+		include fastcgi.conf;
+		include cache-bust.conf;
+		fastcgi_param SCRIPT_FILENAME /app/index.php;
 	}
 
 	# use /index.php as a front controller if the base of the URI path does
 	# not exist
 	location / {
-		try_files $uri /index.php$is_args$args;
+		try_files $uri @index;
+	}
+
+	location = /wp-login.php {
+		include fastcgi.conf;
+		include cache-bust.conf;
 	}
 
 	# wp-admin uses lots of directly accessed PHP scripts, unfortunately
@@ -76,28 +91,19 @@ server {
 	}
 	location /wp-admin/ {
 		try_files $uri $uri/index.php;
-	}
 
-	# serve only static files from wp-includes
-	location ^~ /wp-includes/ {
-		# don't serve PHP source code from wp-includes
-		location ~ \.php {
-			return 404;
+		location ~ \.php$ {
+			include fastcgi.conf;
+			include cache-bust.conf;
 		}
 	}
 
-	# serve only static files from wp-content
-	location ^~ /wp-content/ {
-		# don't serve PHP source code from plugins, etc
-		location ~ \.php {
-			return 404;
-		}
-	}
-
-	# limit the usefulness of malicious HTML/JS hosted in /media/ by serving 
-	# only media & common data files with their correct mime-type
+	# Limit the usefulness of malicious HTML/JS hosted in /media/ by serving
+	# only media & common data files with their correct mime-type.
+	# Don't allow missing paths to be delegated to the PHP controller.
 	location /media/ {
 		root /app;
+		try_files $uri =404;
 		default_type application/octet-stream;
 		types {
 			# images #
diff --git a/data/wp-config.php b/data/wp-config.php
index 78063c294ec38bbcb32a6a03434f031e5a70a670..a9cdd92cbc9519416c4e95d54ad7956c554945f5 100644
--- a/data/wp-config.php
+++ b/data/wp-config.php
@@ -4,13 +4,6 @@
  * Additional configurations required by the docker image
  ****/
 
-/**
- * Plugins, themes and language packs cannot be configured through the admin 
- * interface; modify the configuration in /etc/wordpress/ according to the 
- * documentation for PLUGINS[_LIST], THEMES[_LIST] and LANGUAGES[_LIST]
- **/
-define('DISALLOW_FILE_MODS', true);
-
 /**
  * Disable running wp-cron.php on every page load. A sidecar process
  * examines the status of cron jobs and handles scheduling and running them.
@@ -22,3 +15,20 @@ define('DISABLE_WP_CRON', true);
  * installation.
  **/
 define('UPLOADS', 'media');
+
+/**
+ * Stop the site-health tool from complaining about unwritable filesystems.
+ * Background upgrades are performed by a user with write privileges via the
+ * wp-cli tool.
+ **/
+if ( !defined( 'WP_CLI' ) ):
+define('FTP_USER', 'nemo');
+define('FTP_PASS', '****');
+endif;
+
+/**
+ * Run the Composer autoloader, if available
+ * Assume the CWD is always /app and vendor is always in it.
+ **/
+if ( is_file(ABSPATH . 'vendor/autoload.php') )
+	require_once ABSPATH . 'vendor/autoload.php';
diff --git a/plugins/media-url.php b/plugins/media-url.php
new file mode 100644
index 0000000000000000000000000000000000000000..955cc97efdfeb5932785cb6b042e549ef08c74b3
--- /dev/null
+++ b/plugins/media-url.php
@@ -0,0 +1,40 @@
+<?php
+/**
+ * Plugin Name: Media URL Fix
+ * Plugin URI: https://code.kodo.org.uk/singing-chimes.co.uk/wordpress/tree/master/plugins
+ * Description: Adjusts the media URL path base to /media, where the Nginx instance is hosting it.
+ * Licence: MPL-2.0
+ * Licence URI: https://www.mozilla.org/en-US/MPL/2.0/
+ * Author: Dominik Sekotill
+ * Author URI: https://code.kodo.org.uk/dom
+ */
+
+add_action( 'plugins_loaded', function() {
+	add_filter( 'upload_dir', function( $paths ) {
+		$baseurl = parse_url( $paths['baseurl'] );
+		$fullurl = parse_url( $paths['url'] );
+		$subdir = $paths['subdir'];
+
+		$baseurl['path'] = '/media';
+		$fullurl['path'] = '/media' . ($subdir ? "/{$subdir}" : '');
+
+		$paths['baseurl'] = unparse_url( $baseurl );
+		$paths['url']     = unparse_url( $fullurl );
+
+		return $paths;
+	});
+});
+
+function unparse_url( array $parts ) {
+	return (
+		(isset($parts['scheme'])   ?  "{$parts['scheme']}://" : '') .
+		(isset($parts['user'])     ?    $parts['user']        : '') .
+		(isset($parts['pass'])     ? ":{$parts['pass']}"      : '') .
+		(isset($parts['user']) || isset($parts['pass']) ? '@' : '') .
+		(isset($parts['host'])     ?    $parts['host']        : '') .
+		(isset($parts['port'])     ? ":{$parts['port']}"      : '') .
+		(isset($parts['path'])     ?    $parts['path']        : '') .
+		(isset($parts['query'])    ? "?{$parts['query']}"     : '') .
+		(isset($parts['fragment']) ? "#{$parts['fragment']}"  : '')
+	);
+}
diff --git a/plugins/override_file_mod.php b/plugins/override_file_mod.php
new file mode 100644
index 0000000000000000000000000000000000000000..d34dfa85e90db4f4f4a4338edbb611892b2334cd
--- /dev/null
+++ b/plugins/override_file_mod.php
@@ -0,0 +1,19 @@
+<?php
+/**
+ * Plugin Name: File Modification Blocker
+ * Plugin URI: https://wordpress.stackexchange.com/a/300718
+ * Description: Block file modification except for security updates.
+ * Licence: CC BY-SA 3.0
+ * Licence URI: https://creativecommons.org/licenses/by-sa/3.0/
+ * Author: Marc Guay
+ * Author URI: https://wordpress.stackexchange.com/users/69982/marcguay
+ */
+
+add_filter( 'file_mod_allowed', 'override_file_mod_allowed', 10, 2 );
+
+function override_file_mod_allowed( $setting, $context ) {
+	if ( $context == 'automatic_updater' ) {
+		return true;
+	}
+	return $setting;
+}
diff --git a/plugins/override_plugin_install.php b/plugins/override_plugin_install.php
new file mode 100644
index 0000000000000000000000000000000000000000..b8e8f6f8355eedc6d404cf64496effdc726879b0
--- /dev/null
+++ b/plugins/override_plugin_install.php
@@ -0,0 +1,27 @@
+<?php
+/**
+ * Plugin Name: Disable Plugins & Theme Management
+ * Plugin URI: https://code.kodo.org.uk/singing-chimes.co.uk/wordpress/tree/master/plugins
+ * Description: Prevents changes to installed code from the admin dashboard.  All such changes should be managed through deployment configuration.
+ * Licence: MPL-2.0
+ * Licence URI: https://www.mozilla.org/en-US/MPL/2.0/
+ * Author: Dominik Sekotill
+ * Author URI: https://code.kodo.org.uk/dom
+ */
+
+add_filter( 'user_has_cap', 'override_plugin_install', 10, 3 );
+
+function override_plugin_install( $allcaps, $caps, $args ) {
+	switch ($args[0]) {
+	case 'delete_plugins':
+	case 'delete_themes':
+	case 'edit_plugins':
+	case 'edit_themes':
+	case 'install_plugins':
+	case 'install_themes':
+	case 'update_plugins':
+	case 'update_themes':
+		$allcaps[$caps[0]] = false;
+	}
+	return $allcaps;
+}
diff --git a/plugins/probe.php b/plugins/probe.php
deleted file mode 100644
index 5c7dff5b6e7eb9a45007ef17e6a9e35ab8e48669..0000000000000000000000000000000000000000
--- a/plugins/probe.php
+++ /dev/null
@@ -1,18 +0,0 @@
-<?php
-/**
- * Plugin Name: Liveness Probe
- * Plugin URI: https://code.kodo.org.uk/singing-chimes.co.uk/wordpress/tree/master/plugins
- * Description: Responds to requests to /.probe with an HTTP code indicating the status of the app
- * Licence: MPL-2.0
- * Licence URI: https://www.mozilla.org/en-US/MPL/2.0/
- * Author: Dominik Sekotill
- * Author URI: https://code.kodo.org.uk/dom
- */
-
-
-if ( parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/.probe' ):
-
-add_filter('option_active_plugins', function( $plugins ) { return array(); });
-add_action('setup_theme', function() { exit(200); });
-
-endif;
diff --git a/plugins/s3-uploads.php b/plugins/s3-uploads.php
new file mode 100644
index 0000000000000000000000000000000000000000..f903c56574307808aece1fad270e119f87159889
--- /dev/null
+++ b/plugins/s3-uploads.php
@@ -0,0 +1,26 @@
+<?php
+/**
+ * Plugin Name: S3-Uploads
+ * Plugin URI: https://github.com/humanmade/S3-Uploads
+ * Description: S3-Uploads with custom endpoint configuration
+ * Licence: GPL-2.0+
+ * Licence URI: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+ * Author: Human Made Limited
+ * Author URI: http://hmn.md/
+ **/
+
+if ( defined( 'S3_UPLOADS_ENDPOINT_URL' ) || defined( 'WP_CLI' ) ):
+
+add_filter( 's3_uploads_s3_client_params', function ( $params ) {
+	$params['endpoint'] = S3_UPLOADS_ENDPOINT_URL;
+	$params['bucket_endpoint'] = true;
+	$params['disable_host_prefix_injection'] = true;
+	$params['use_path_style_endpoint'] = true;
+	$params['debug'] = WP_DEBUG && WP_DEBUG_DISPLAY;
+	$params['region'] = '';
+	return $params;
+} );
+
+require WPMU_PLUGIN_DIR . '/s3-uploads/s3-uploads.php';
+
+endif;
diff --git a/scripts/compile.sh b/scripts/compile.sh
index 3ef2c21f398205446b1e283b067aef1673a398c2..bd52b78856135b94c21d979d4be4629d483ca91c 100755
--- a/scripts/compile.sh
+++ b/scripts/compile.sh
@@ -9,6 +9,7 @@ BUILD_DEPS=(
 	imagemagick-dev
 	jpeg-dev
 	libpng-dev
+	libwebp-dev
 	libzip-dev
 )
 
@@ -24,12 +25,22 @@ PHP_EXT=(
 	zip
 )
 
+php_version() {
+	php -r "version_compare(PHP_VERSION, '$2', '${1#-}') or exit(1);" ||
+		return 1
+}
+
 # Install packaged dependencies
 apk update
 apk add "${BUILD_DEPS[@]}"
 
 # Build & install distributed extensions
-docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr
+if php_version -gt 7.4; then
+	GD_ARGS=( --with-jpeg=/usr --with-webp=/usr )
+else
+	GD_ARGS=( --with-png-dir=/usr --with-jpeg-dir=/usr --with-webp-dir=/usr )
+fi
+docker-php-ext-configure gd "${GD_ARGS[@]}"
 docker-php-ext-install -j$(nproc) "${PHP_EXT[@]}"
 
 # Download, build & install the Image Magick extension
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index 475c184ab73ae3e811b0990d5882738a4380ba30..3a7779bd60436e22b35b63760ac5462a712373dd 100755
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -32,6 +32,7 @@ declare -a STATIC_PATTERNS=(
 	"LICEN[CS]E"
 	"README"
 	"readme.html"
+	"composer.*"
 )
 declare -a PHP_DIRECTIVES=(
 	${PHP_DIRECTIVES-}
@@ -94,6 +95,46 @@ setup_database() {
 	wp rewrite structure /posts/%postname%
 }
 
+setup_s3() {
+	# https://github.com/humanmade/S3-Uploads
+
+	declare -a configs=( "${!S3_ENDPOINT_@}" )
+	[[ ${#configs[*]} -gt 0 ]] || return 0
+
+	[[ -v S3_UPLOADS_ENDPOINT_URL ]] &&
+	[[ -v S3_ENDPOINT_KEY ]] &&
+	[[ -v S3_ENDPOINT_SECRET ]] ||
+		return 0
+
+	composer update --prefer-dist --no-dev --with-dependencies \
+		humanmade/s3-uploads
+
+	[[ -v S3_UPLOADS_USE_LOCAL ]] &&
+		wp config set S3_UPLOADS_USE_LOCAL true --raw
+
+	if [[ -v S3_UPLOADS_REWRITE_URL ]]; then
+		wp config set S3_UPLOADS_BUCKET_URL "${S3_UPLOADS_REWRITE_URL}"
+	else
+		wp config set S3_UPLOADS_BUCKET_URL "${S3_UPLOADS_ENDPOINT_URL}"
+	fi
+
+	wp config set S3_UPLOADS_ENDPOINT_URL "${S3_UPLOADS_ENDPOINT_URL}"
+	wp config set S3_UPLOADS_KEY ${S3_ENDPOINT_KEY}
+	wp config set S3_UPLOADS_SECRET ${S3_ENDPOINT_SECRET} --quiet
+
+	# Plugin requires something here, it's not used
+	wp config set S3_UPLOADS_REGION ''
+
+	# Due to what appears to be a bug in the plugin, this MUST be a non-empty
+	# string; mostly it just affects the log output
+	wp config set S3_UPLOADS_BUCKET "CONFIGURED-BUCKET"
+
+	# If there is anything in ./media, upload it
+	local contents=( media/* )
+	[[ ${#contents[*]} -gt 0 ]] &&
+		wp s3-uploads upload-directory media
+}
+
 setup_components() {
 	setup_database
 
@@ -119,18 +160,34 @@ setup_components() {
 	[[ $(wp theme list --status=active --format=count) -eq 0 ]] &&
 		wp theme activate $(wp theme list --field=name | head -n1)
 
+	setup_s3
+
 	return 0
 }
 
+get_media_dir()
+{
+	[[ -v MEDIA ]] && return
+	MEDIA=$(
+		wp config get UPLOADS --type=constant ||
+		wp option get upload_path
+	)
+	[[ -n "${MEDIA}" ]] && return
+	local _wp_content=$(wp config get WP_CONTENT_DIR --type=constant)
+	MEDIA=${_wp_content:-wp-content}/uploads
+}
+
 setup_media()
 {
 	# UID values change on every run, ensure the owner and group are set 
-	# correctly on ./media
-	chown -R $WORKER_USER:$WORKER_USER ./media
+	# correctly on the media directory/volume.
+	get_media_dir
+	chown -R ${WORKER_USER}:${WORKER_USER} "${MEDIA}"
 }
 
 collect_static()
 {
+	get_media_dir
 	local IFS=,
 	declare -a flags=(flist stats remove del)
 	test -t 1 && flags+=(progress2)
@@ -140,8 +197,9 @@ collect_static()
 		--delete-delay \
 		--exclude-from=- \
 		--exclude='*.php' \
-		--exclude=static/ \
-		--exclude=media/ \
+		--exclude="${MEDIA}" \
+		--exclude=/static/ \
+		--exclude=/vendor/ \
 		--force \
 		--info="${flags[*]}" \
 		--times \
@@ -169,7 +227,7 @@ run_cron()
 
 run_background_cron()
 { (
-	export -f next_cron run_cron
+	export -f next_cron run_cron timestamp
 	exec -a wp-cron /bin/bash <<<run_cron
 )& }
 
diff --git a/scripts/install-deps.sh b/scripts/install-deps.sh
index 2125b8128a2fca2108aa9bd070ffed11d824ddc3..e6b4d75d2d995b43b7c3b36a0affe39e8bcb6bfe 100755
--- a/scripts/install-deps.sh
+++ b/scripts/install-deps.sh
@@ -9,5 +9,6 @@ apk add \
 	libgmpxx \
 	libjpeg \
 	libpng \
+	libwebp \
 	libzip \
 	rsync \
diff --git a/scripts/install-wp.sh b/scripts/install-wp.sh
index bf3a8186ad59dfa88edf07142e78b679c6bad2e4..55d1fb70ba91aae2680df75e8666d5708d081310 100755
--- a/scripts/install-wp.sh
+++ b/scripts/install-wp.sh
@@ -1,9 +1,15 @@
 #!/bin/bash
 set -eux
 
+COMPOSER_INSTALLER_URL=https://getcomposer.org/installer
 WP_CLI_URL=https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
 WP_PASSWORD_HASH=https://raw.githubusercontent.com/Ayesh/WordPress-Password-Hash/1.5.1
 
+# Install Composer
+curl -sSL ${COMPOSER_INSTALLER_URL} |
+	php -- --install-dir=/usr/local/lib --filename=composer.phar
+ln -s ../lib/composer.phar /usr/local/bin/composer
+
 # Install WP-CLI
 curl -sSL ${WP_CLI_URL} \
     >/usr/local/lib/wp-cli.phar
@@ -21,3 +27,7 @@ mkdir -p wp-content/mu-plugins
 # Install non-optional plugins
 curl ${WP_PASSWORD_HASH}/wp-php-password-hash.php \
 	>wp-content/mu-plugins/password-hash.php
+
+# Install composer managed dependencies
+export COMPOSER_ALLOW_SUPERUSER=1
+composer install --prefer-dist