1.7 KiB
Architecture
NGINX is the only public entry point for azionelab.org. It proxies HTTP to the
official WordPress 7.0/PHP 8.3 Apache image over the private web network. WordPress
connects to MariaDB 11.8 LTS over a separate internal data network. Neither WordPress
nor MariaDB publishes a host port; automated security checks guard this assumption.
The custom azionelab classic theme renders the public single page. Theme modifications
store the hero, manifesto, laboratory, teacher, lesson, and contact fields. The
azionelab-content must-use plugin registers Shows and Gallery custom post types so
structured editorial content survives a theme change. These custom post types are
editorial data sources for the homepage, not standalone public routes or REST
collections. Images use WordPress featured images with local SVG fallbacks.
WP-CLI is an opt-in tools-profile service. Its idempotent bootstrap installs WordPress, activates the theme, configures the site, and creates realistic demo content. Certbot is another optional service, enabled only for direct deployments. It shares challenge and certificate volumes with NGINX but has no container-control access.
Apache includes a small defense-in-depth hardening file that denies uploaded PHP files,
direct wp-config.php requests, and direct access to selected internal WordPress PHP
paths even if a future routing mistake bypasses NGINX.
Persistent state lives in host-based bind mounts configured by DB_DATA_PATH,
WORDPRESS_DATA_PATH, LETSENCRYPT_DATA_PATH, and CERTBOT_CHALLENGES_PATH.
Functional tests replace the database and WordPress mounts with isolated Docker test
volumes and reach NGINX via an internal azionelab.org network alias.
See ADR-0001.