1.6 KiB
Deployment
Local
Copy .env.example to .env, add 127.0.0.1 azionelab.org to the hosts file, then:
docker compose up --build -d
docker compose --profile tools run --rm wp-cli /scripts/bootstrap.sh
NGINX binds to loopback ports 8080/8443. WordPress and MariaDB remain private. The bootstrap is safe to rerun and does not duplicate demo records.
Production
Required controls:
WP_ENVIRONMENT_TYPE=production;- unique non-placeholder MariaDB passwords of at least 16 characters;
WORDPRESS_DEBUG=0and a strong administrator password;- an HTTPS
WP_URL; - managed secrets outside the Compose file;
- either direct Let's Encrypt termination or a trusted external load balancer;
- off-host database/file backups and monitoring.
When a load balancer terminates TLS, Certbot stays disabled. TRUST_PROXY_HEADERS=1
is safe only when firewall/network policy makes the load balancer the sole NGINX
caller and it overwrites X-Forwarded-* headers.
For direct TLS, public DNS and inbound ports 80/443 must reach NGINX. Start with
LETSENCRYPT_STAGING=1; application HTTP returns 503 until a certificate exists, then
redirects to HTTPS. Switch to the production CA only after validating DNS and firewall
behavior, removing only the staging certificate volume when necessary.
State and rollback
Database and WordPress file volumes must be backed up together. Code rollback is a
container rebuild from a prior commit and does not require deleting volumes. Never use
docker compose down --volumes where content must survive. Test database restoration
in a disposable environment before any production restore.