# Deployment ## Local Copy `.env.example` to `.env`, add `127.0.0.1 azionelab.org` to the hosts file, then: ```bash docker compose up --build -d docker compose --profile tools run --rm wp-cli /scripts/bootstrap.sh ``` NGINX binds to loopback ports 8080/8443. WordPress and MariaDB remain private. The bootstrap is safe to rerun and does not duplicate demo records. ## Production Required controls: - `WP_ENVIRONMENT_TYPE=production`; - unique non-placeholder MariaDB passwords of at least 16 characters; - `WORDPRESS_DEBUG=0` and a strong administrator password; - an HTTPS `WP_URL`; - managed secrets outside the Compose file; - either direct Let's Encrypt termination or a trusted external load balancer; - off-host database/file backups and monitoring. When a load balancer terminates TLS, Certbot stays disabled. `TRUST_PROXY_HEADERS=1` is safe only when firewall/network policy makes the load balancer the sole NGINX caller and it overwrites `X-Forwarded-*` headers. For direct TLS, public DNS and inbound ports 80/443 must reach NGINX. Start with `LETSENCRYPT_STAGING=1`; application HTTP returns 503 until a certificate exists, then redirects to HTTPS. Switch to the production CA only after validating DNS and firewall behavior, removing only the staging certificate volume when necessary. ## State and rollback Database and WordPress file volumes must be backed up together. Code rollback is a container rebuild from a prior commit and does not require deleting volumes. Never use `docker compose down --volumes` where content must survive. Test database restoration in a disposable environment before any production restore.