feat: convert WordOps from Nginx to OpenLiteSpeed + LSPHP + LSCache

Complete conversion of the WordOps stack from Nginx + PHP-FPM to
OpenLiteSpeed + LSPHP + LSCache. This is a full rewrite across all 7
phases of the codebase:

- Foundation: OLS paths, variables, services, removed pynginxconfig dep
- Templates: 11 new OLS mustache templates, removed nginx-specific ones
- Stack: stack_pref, stack, stack_services, stack_upgrade, stack_migrate
- Site: site_functions, site, site_create, site_update
- Plugins: debug, info, log, clean rewritten for OLS
- SSL/ACME: acme.sh deploy uses lswsctrl, OLS vhssl blocks
- Other: secure, backup, clone, install script

Additional features:
- Debian 13 (trixie) support
- PHP 8.5 support
- WP Fort Knox mu-plugin integration (wo secure --lockdown/--unlock)
- --nginx CLI flag preserved for backward compatibility

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

wo/core/acme.py

@@ -128,33 +128,36 @@ class WOAcme:
                 self, "mkdir -p {0}/{1} && {2} --install-cert -d {1} --ecc "
                 "--cert-file {0}/{1}/cert.pem --key-file {0}/{1}/key.pem "
                 "--fullchain-file {0}/{1}/fullchain.pem "
-                "--ca-file {0}/{1}/ca.pem --reloadcmd \"nginx -t && "
-                "service nginx restart\" "
+                "--ca-file {0}/{1}/ca.pem --reloadcmd \"{3} restart\" "
                 .format(WOVar.wo_ssl_live,
-                        wo_domain_name, WOAcme.wo_acme_exec)):
+                        wo_domain_name, WOAcme.wo_acme_exec,
+                        WOVar.wo_ols_ctrl)):
                 Log.valide(self, "Deploying SSL cert")
             else:
                 Log.failed(self, "Deploying SSL cert")
                 Log.error(self, "Unable to deploy certificate")
 
-            if os.path.isdir('/var/www/{0}/conf/nginx'
-                             .format(wo_domain_name)):
-
+            vhost_dir = '{0}/{1}'.format(
+                WOVar.wo_ols_vhost_dir, wo_domain_name)
+            if os.path.isdir(vhost_dir):
                 data = dict(ssl_live_path=WOVar.wo_ssl_live,
                             domain=wo_domain_name, quic=True)
                 WOTemplate.deploy(self,
-                                  '/var/www/{0}/conf/nginx/ssl.conf'
-                                  .format(wo_domain_name),
-                                  'ssl.mustache', data, overwrite=False)
+                                  '{0}/ssl.conf'.format(vhost_dir),
+                                  'ols-ssl.mustache', data, overwrite=False)
 
-            if not WOFileUtils.grep(self, '/var/www/22222/conf/nginx/ssl.conf',
-                                    '/etc/letsencrypt'):
+            backend_ssl = '{0}/22222/vhconf.conf'.format(
+                WOVar.wo_ols_vhost_dir)
+            if (os.path.isfile(backend_ssl) and
+                    not WOFileUtils.grep(
+                        self, backend_ssl, '/etc/letsencrypt')):
                 Log.info(self, "Securing WordOps backend with current cert")
                 data = dict(ssl_live_path=WOVar.wo_ssl_live,
                             domain=wo_domain_name, quic=False)
                 WOTemplate.deploy(self,
-                                  '/var/www/22222/conf/nginx/ssl.conf',
-                                  'ssl.mustache', data, overwrite=True)
+                                  '{0}/22222/ssl.conf'.format(
+                                      WOVar.wo_ols_vhost_dir),
+                                  'ols-ssl.mustache', data, overwrite=True)
 
             WOGit.add(self, ["/etc/letsencrypt"],
                       msg="Adding letsencrypt folder")
@@ -223,16 +226,13 @@ class WOAcme:
         return False
 
     def removeconf(self, domain):
-        sslconf = ("/var/www/{0}/conf/nginx/ssl.conf"
-                   .format(domain))
-        sslforce = ("/etc/nginx/conf.d/force-ssl-{0}.conf"
-                    .format(domain))
+        sslconf = ("{0}/{1}/ssl.conf"
+                   .format(WOVar.wo_ols_vhost_dir, domain))
         acmedir = [
-            '{0}'.format(sslforce), '{0}'.format(sslconf),
+            '{0}'.format(sslconf),
             '{0}/{1}_ecc'.format(WOVar.wo_ssl_archive, domain),
-            '{0}.disabled'.format(sslconf), '{0}.disabled'
-            .format(sslforce), '{0}/{1}'
-            .format(WOVar.wo_ssl_live, domain),
+            '{0}.disabled'.format(sslconf),
+            '{0}/{1}'.format(WOVar.wo_ssl_live, domain),
             '/etc/letsencrypt/shared/{0}.conf'.format(domain)]
         wo_domain = domain
         # check acme.sh is installed
@@ -255,16 +255,15 @@ class WOAcme:
         else:
             if os.path.islink("{0}".format(sslconf)):
                 WOFileUtils.remove_symlink(self, "{0}".format(sslconf))
-                WOFileUtils.rm(self, '{0}'.format(sslforce))
 
-        if WOFileUtils.grepcheck(self, '/var/www/22222/conf/nginx/ssl.conf',
-                                 '{0}'.format(domain)):
+        backend_ssl = '{0}/22222/ssl.conf'.format(WOVar.wo_ols_vhost_dir)
+        if (os.path.isfile(backend_ssl) and
+                WOFileUtils.grepcheck(self, backend_ssl,
+                                      '{0}'.format(domain))):
             Log.info(
                 self, "Setting back default certificate for WordOps backend")
-            with open("/var/www/22222/conf/nginx/"
-                      "ssl.conf", "w") as ssl_conf_file:
-                ssl_conf_file.write("ssl_certificate "
-                                    "/var/www/22222/cert/22222.crt;\n"
-                                    "ssl_certificate_key "
-                                    "/var/www/22222/cert/22222.key;\n"
-                                    "ssl_stapling off;\n")
+            with open(backend_ssl, "w") as ssl_conf_file:
+                ssl_conf_file.write("vhssl {\n"
+                                    "  keyFile /var/www/22222/cert/22222.key\n"
+                                    "  certFile /var/www/22222/cert/22222.crt\n"
+                                    "}\n")