@ndrut
Last active October 14, 2022 12:06
wordpress template - nginx (ready for traefik), php-fpm, mysql
; my.cnf -- the stack mounts this file into the mysql service as
; /etc/mysql/conf.d/default-auth.cnf.
[mysqld]
; mysql > 5.6 changes this to sha2 which php doesn't support yet
; The override below makes newly created accounts use the older
; mysql_native_password plugin so that the PHP client can authenticate.
; NOTE(review): this trades a stronger password-hashing scheme for client
; compatibility; remove it once the PHP image in use supports the server's
; sha2 default. The stack runs the untagged `mysql` image, and newer MySQL
; releases deprecate this option -- confirm the deployed server version
; still accepts it.
default_authentication_plugin=mysql_native_password
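# nginx.conf -- the stack mounts this file into the nginx service as
# /etc/nginx/nginx.conf.
user nginx;
worker_processes 1;

# The original listed three error_log directives (default level, notice and
# info) that all named this same file. A single directive at `info`, the most
# verbose of the three, covers every level they requested.
error_log /var/log/nginx/error.log info;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}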
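http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Access-log format. The last field is the client-supplied X-Forwarded-For
    # header; treat it as untrusted unless the fronting proxy overwrites it.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nodelay on;
    keepalive_timeout 65;

    # Do not advertise the nginx version in responses and error pages.
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

    index index.html index.htm;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server_names_hash_bucket_size 64;
    disable_symlinks off;

    server {
        listen 80 default_server;
        root /usr/share/nginx/html;
        index index.php;

        ### begin hardening
        # These headers apply to every location that declares no add_header of
        # its own. nginx inherits add_header from the enclosing level only when
        # the current level defines none, so the static-file locations below
        # repeat them.
        server_tokens off;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # Legacy header that current browsers ignore; a Content-Security-Policy
        # is the modern control for script injection.
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        ### end hardening

        ### begin wp-cache
        # $cache_uri selects the WP Super Cache file for this request. It is
        # replaced by the sentinel 'null cache' whenever the request must be
        # handled by PHP instead of a cached page.
        set $cache_uri $request_uri;

        if ($request_method = POST) {
            set $cache_uri 'null cache';
        }

        if ($query_string != "") {
            set $cache_uri 'null cache';
        }

        # Never serve dynamic or administrative endpoints from the cache.
        # The pattern is kept on one line: a quoted nginx string that spans
        # lines carries the line breaks into the regex, so alternatives at a
        # line end (the sitemap entry, for example) would only match a URI
        # followed by a newline. Literal dots are escaped.
        if ($request_uri ~* "(/wp-admin/|/xmlrpc\.php|/wp-(app|cron|login|register|mail)\.php|wp-.*\.php|/feed/|index\.php|wp-comments-popup\.php|wp-links-opml\.php|wp-locations\.php|sitemap(_index)?\.xml|[a-z0-9_-]+-sitemap([0-9]+)?\.xml)") {
            set $cache_uri 'null cache';
        }

        # Visitors carrying a comment, login or post-password cookie must not
        # receive a cached page. Kept on one line for the same reason as the
        # URI pattern above.
        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {
            set $cache_uri 'null cache';
        }

        # NOTE(review): $http_host is the raw Host header sent by the client and
        # this server is the default_server, so the cache path is influenced by
        # the request. Confirm the fronting proxy only forwards expected hosts.
        set $cachefile "/wp-content/cache/supercache/$http_host/$cache_uri/index.html";
        if ($https ~* "on") {
            set $cachefile "/wp-content/cache/supercache/$http_host/$cache_uri/index-https.html";
        }

        # Try in the following order: (1) cachefile, (2) normal url, (3) php
        location / {
            try_files $cachefile $uri $uri/ /index.php?$args;
        }
        ### end wp-cache

        ### begin wordpress
        # Files under the uploads tree are user-supplied content; refuse to
        # pass PHP files there to php-fpm. This regex location must stay above
        # the generic \.php$ location, because nginx uses the first matching
        # regex location.
        location ~* ^/wp-content/uploads/.*\.php$ {
            deny all;
        }

        location ~ \.php$ {
            # Only hand a script to php-fpm when the file exists under root;
            # anything else is routed through WordPress's front controller.
            try_files $uri $uri/ /index.php?$args;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass wp:9000;
            fastcgi_index index.php;
            # The same files are mounted at /var/www/html in the php-fpm
            # container, so the script path is rebuilt for that filesystem.
            fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
        }

        # serve static files directly
        location ~* \.(jpg|jpeg|gif|png|ico|html|xml|txt|woff|svg)$ {
            expires max;
            add_header Cache-Control "public";
            # NOTE(review): this lets any origin read these responses,
            # including .html, .xml and .txt files. Narrow the location to font
            # files if cross-origin fonts were the only intent.
            add_header Access-Control-Allow-Origin *;
            # Repeated here because this location's own add_header lines
            # switch off inheritance of the server-level security headers.
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Referrer-Policy "no-referrer-when-downgrade" always;
        }

        location ~* \.(?:css|js)$ {
            expires 1w;
            add_header Cache-Control "public";
            # Repeated for the same inheritance reason as above.
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Referrer-Policy "no-referrer-when-downgrade" always;
        }

        # Sitemap URLs are generated by WordPress rather than read from disk.
        rewrite ^/sitemap_index.xml$ /index.php?sitemap=1 last;
        rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
        ### end wordpress
    }
}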
; php-fpm.conf -- pool definition that the stack mounts into the wordpress and
; wp-cli services as /usr/local/etc/php-fpm.d/www.conf.
[www]
; Worker processes run as the unprivileged www-data account.
user = www-data
group = www-data
; Listens on every interface of the container so that nginx can reach the pool
; as wp:9000. FastCGI carries no authentication: any peer that can connect to
; this port can ask PHP to run scripts. The wordpress service is attached to
; both the db and web networks, so the listener is reachable from both; never
; publish this port.
listen = 0.0.0.0:9000
; Process manager: between 1 and 3 idle workers, at most 5 in total.
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; general php hardening
; php_admin_* settings cannot be overridden by application code via ini_set().
; Every error level is reported, but nothing is shown to the client.
; NOTE(review): log_errors is not set here -- confirm errors reach a log.
php_admin_flag[expose_php] = Off
php_admin_value[error_reporting] = E_ALL
php_admin_flag[display_errors] = Off
php_admin_flag[display_startup_errors] = Off
; wordpress
; Generous limits for uploads and long-running requests. With 5 workers at
; 256M each the pool may use up to 1280M, and a request may run for 600
; seconds; size these to the host, since large limits make resource
; exhaustion by slow or oversized requests easier.
php_admin_value[upload_max_filesize] = 128M
php_admin_value[post_max_size] = 128M
php_admin_value[memory_limit] = 256M
php_admin_value[max_execution_time] = 600
php_admin_value[max_input_vars] = 10000
php_admin_value[max_input_time] = 400
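# Swarm stack: nginx (published through traefik) -> php-fpm (wordpress) -> mysql.
# The three files under `configs:` at the bottom are expected next to this file.
version: '3.6'

services:
  mysql:
    # NOTE(review): an untagged image resolves to `latest` at deploy time.
    # Pin a tag or digest so the database version changes only on purpose.
    image: mysql
    restart: always
    networks:
      db:
        aliases:
          - 'db'
    environment:
      # Placeholder credentials committed in clear text; replace them before
      # any use beyond a throwaway test. In a swarm stack they are better
      # supplied as secrets through the image's *_FILE variables (for example
      # MYSQL_ROOT_PASSWORD_FILE) -- verify support in the image version used.
      MYSQL_ROOT_PASSWORD: test
      # '%' lets root log in from any host that can reach the db network.
      MYSQL_ROOT_HOST: '%'
      MYSQL_USER: user
      MYSQL_PASSWORD: password
      MYSQL_DATABASE: testing
    volumes:
      - data:/var/lib/mysql
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.database == true
    configs:
      - source: mysql
        target: /etc/mysql/conf.d/default-auth.cnf
        # Was 0664; group write access is not needed on a read-only config
        # and 0644 matches the other config mounts in this file.
        mode: 0644
        uid: '0'
        gid: '0'

  wordpress:
    # NOTE(review): this tag pins an old WordPress release; check it against
    # current security releases before deploying.
    image: wordpress:4.9.5-fpm-alpine
    networks:
      db:
      web:
        aliases:
          - 'wp'
    environment:
      # Same placeholder credentials as the mysql service; see the note there.
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: user
      WORDPRESS_DB_PASSWORD: password
      WORDPRESS_DB_NAME: testing
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.web == true
    configs:
      - source: php-fpm
        target: /usr/local/etc/php-fpm.d/www.conf
        mode: 0644
        uid: '0'
        gid: '0'
    volumes:
      - files:/var/www/html
    # `docker stack deploy` ignores depends_on; start order is not guaranteed.
    depends_on:
      - mysql

  wp-cli:
    # Kept idle by the `tail` entrypoint so commands can be run inside it.
    # NOTE(review): this is a permanently running container with database
    # credentials, write access to the site files and both networks attached;
    # consider starting it only when needed.
    image: wordpress:cli
    entrypoint: 'tail -f /dev/null'
    networks:
      db:
      web:
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: user
      WORDPRESS_DB_PASSWORD: password
      WORDPRESS_DB_NAME: testing
    configs:
      - source: php-fpm
        target: /usr/local/etc/php-fpm.d/www.conf
        mode: 0644
        uid: '0'
        gid: '0'
    volumes:
      - files:/var/www/html
    depends_on:
      - mysql
      - wordpress
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.web == true

  nginx:
    # NOTE(review): untagged image; pin a tag or digest as for mysql.
    image: nginx
    networks:
      web:
      traefik:
    volumes:
      # Read-only: the web server serves the site files but cannot alter them.
      - files:/usr/share/nginx/html:ro
    deploy:
      placement:
        constraints:
          - node.labels.web == true
      replicas: 1
      # Only this service is registered with traefik; mysql and php-fpm are
      # reachable solely over the internal overlay networks.
      labels:
        - 'traefik.enable=true'
        - 'traefik.port=80'
        - 'traefik.protocol=http'
        - 'traefik.backend=testwp'
        - 'traefik.docker.network=traefik'
        - 'traefik.frontend.rule=Host:testwp'
    configs:
      - source: nginx
        target: /etc/nginx/nginx.conf
        mode: 0644
        uid: '0'
        gid: '0'
    depends_on:
      - wordpress

networks:
  # Database traffic between mysql, wordpress and wp-cli.
  db:
    driver: overlay
  # Pre-existing network shared with the traefik proxy.
  traefik:
    name: traefik
    external: true
  # FastCGI traffic between nginx and php-fpm.
  web:
    driver: overlay

volumes:
  data:
    name: wp-testing-db
    driver: local-persist
    driver_opts:
      mountpoint: /local-persist/wp-testing-db
  files:
    name: wp-testing-web
    driver: local-persist
    driver_opts:
      mountpoint: /local-persist/wp-testing-web

configs:
  php-fpm:
    file: ./php-fpm.conf
  nginx:
    file: ./nginx.conf
  mysql:
    file: ./my.cnf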