feat: add wordpress site variant

This commit is contained in:
bisco
2026-06-25 07:36:25 +02:00
parent cae9180bc6
commit c66dd7e511
46 changed files with 2091 additions and 136 deletions
+37 -9
View File
@@ -1,13 +1,41 @@
# Operations
Describe operational procedures.
## Routine commands
Include:
```bash
docker compose up --build -d
docker compose ps
docker compose logs -f proxy wordpress db certbot
docker compose --profile tools run --rm wp-cli -c 'wp core version'
docker compose down
```
- startup and shutdown;
- health checks;
- logs;
- monitoring;
- backup and restore;
- routine maintenance;
- known operational risks.
The proxy healthcheck reaches WordPress, and WordPress health reaches its login route.
MariaDB uses its official readiness check. WordPress access logs are disabled while
PHP warnings/errors remain visible. NGINX is the request audit trail; apply an explicit
retention policy because it contains client metadata.
## Updates
WordPress, PHP, MariaDB, NGINX, Certbot, and Playwright use explicit image versions.
Review security releases routinely, update pins in a task branch, rebuild, run the full
test suite, and deploy. Production disables WordPress web-based file modifications, so
image rebuilds are the update path.
## Backup and restore
Create database and `wordpress_data` backups in one maintenance window. Backups contain
credentials, accounts, contact information, and uploaded media; encrypt them, restrict
access, set retention, and store copies off-host.
A restore is destructive. Validate it on isolated volumes, then stop WordPress, restore
the database and file volume together, restart, and verify the homepage, media,
`/wp-admin/`, and user accounts.
## Known risks
- Local named volumes are not backups.
- SMTP is not configured; WordPress password-reset email needs an external mail service.
- Admin MFA and network allowlisting are deployment concerns and are not bundled.
- WordPress plugins expand the attack surface; install only reviewed, maintained,
necessary plugins.