Files
azionelab-v2/docs/deployment.md
T
2026-06-25 07:36:25 +02:00

1.6 KiB

Deployment

Local

Copy .env.example to .env, add 127.0.0.1 azionelab.org to the hosts file, then:

docker compose up --build -d
docker compose --profile tools run --rm wp-cli /scripts/bootstrap.sh

NGINX binds to loopback ports 8080/8443. WordPress and MariaDB remain private. The bootstrap is safe to rerun and does not duplicate demo records.

Production

Required controls:

  • WP_ENVIRONMENT_TYPE=production;
  • unique non-placeholder MariaDB passwords of at least 16 characters;
  • WORDPRESS_DEBUG=0 and a strong administrator password;
  • an HTTPS WP_URL;
  • managed secrets outside the Compose file;
  • either direct Let's Encrypt termination or a trusted external load balancer;
  • off-host database/file backups and monitoring.

When a load balancer terminates TLS, Certbot stays disabled. TRUST_PROXY_HEADERS=1 is safe only when firewall/network policy makes the load balancer the sole NGINX caller and it overwrites X-Forwarded-* headers.

For direct TLS, public DNS and inbound ports 80/443 must reach NGINX. Start with LETSENCRYPT_STAGING=1; application HTTP returns 503 until a certificate exists, then redirects to HTTPS. Switch to the production CA only after validating DNS and firewall behavior, removing only the staging certificate volume when necessary.

State and rollback

Database and WordPress file volumes must be backed up together. Code rollback is a container rebuild from a prior commit and does not require deleting volumes. Never use docker compose down --volumes where content must survive. Test database restoration in a disposable environment before any production restore.