Files
2026-06-26 15:54:57 +02:00

1.7 KiB

Architecture

NGINX is the only public entry point for azionelab.org. It proxies HTTP to the official WordPress 7.0/PHP 8.3 Apache image over the private web network. WordPress connects to MariaDB 11.8 LTS over a separate internal data network. Neither WordPress nor MariaDB publishes a host port; automated security checks guard this assumption.

The custom azionelab classic theme renders the public single page. Theme modifications store the hero, manifesto, laboratory, teacher, lesson, and contact fields. The azionelab-content must-use plugin registers Shows and Gallery custom post types so structured editorial content survives a theme change. These custom post types are editorial data sources for the homepage, not standalone public routes or REST collections. Images use WordPress featured images with local SVG fallbacks.

WP-CLI is an opt-in tools-profile service. Its idempotent bootstrap installs WordPress, activates the theme, configures the site, and creates realistic demo content. Certbot is another optional service, enabled only for direct deployments. It shares challenge and certificate volumes with NGINX but has no container-control access.

Apache includes a small defense-in-depth hardening file that denies uploaded PHP files, direct wp-config.php requests, and direct access to selected internal WordPress PHP paths even if a future routing mistake bypasses NGINX.

Persistent state lives in host-based bind mounts configured by DB_DATA_PATH, WORDPRESS_DATA_PATH, LETSENCRYPT_DATA_PATH, and CERTBOT_CHALLENGES_PATH. Functional tests replace the database and WordPress mounts with isolated Docker test volumes and reach NGINX via an internal azionelab.org network alias.

See ADR-0001.