# Architecture NGINX is the only public entry point for `azionelab.org`. It proxies HTTP to the official WordPress 7.0/PHP 8.3 Apache image over the private `web` network. WordPress connects to MariaDB 11.8 LTS over a separate internal `data` network. Neither WordPress nor MariaDB publishes a host port; automated security checks guard this assumption. The custom `azionelab` classic theme renders the public single page. Theme modifications store the hero, manifesto, laboratory, teacher, lesson, and contact fields. The `azionelab-content` must-use plugin registers Shows and Gallery custom post types so structured editorial content survives a theme change. Images use WordPress featured images with local SVG fallbacks. WP-CLI is an opt-in tools-profile service. Its idempotent bootstrap installs WordPress, activates the theme, configures the site, and creates realistic demo content. Certbot is another optional service, enabled only for direct deployments. It shares challenge and certificate volumes with NGINX but has no container-control access. Apache includes a small defense-in-depth hardening file that denies uploaded PHP files, direct `wp-config.php` requests, and direct access to selected internal WordPress PHP paths even if a future routing mistake bypasses NGINX. Persistent state lives in host-based bind mounts configured by `DB_DATA_PATH`, `WORDPRESS_DATA_PATH`, `LETSENCRYPT_DATA_PATH`, and `CERTBOT_CHALLENGES_PATH`. Functional tests replace the database and WordPress mounts with isolated Docker test volumes and reach NGINX via an internal `azionelab.org` network alias. See [ADR-0001](adr/0001-wordpress-single-page.md).