The Makefile mostly carried dead or misleading targets (test/test-unit/
test-integration/lint announced "not implemented" while the tests do run;
install-hooks pointed at missing files); its only load-bearing target, `init`,
existed because `docker compose up` alone does not apply the migrations.
By moving migrate + seed INTO the stack, `docker compose up` becomes the single
command that brings up a complete, login-ready stack -> Cr 7.c.4 satisfied without
a dependency on the `make` tool.
- db/migrate-container.sh: in-container runner (connects over the compose network),
applies db/migrations/*.sql (tracked in schema_migrations) then db/seeds/*.sql (tracked in
seeds_applied), idempotent.
- One-shot service `wakdo-migrate` (depends_on db healthy); wakdo-app/web wait for
its completion (service_completed_successfully).
- Makefile removed; db/migrate.sh (host) kept for manual use / --status.
- Docs realigned: README, .env.example, db/README, docker-compose, PROJECT_CONTEXT
(`make *` -> `docker compose *`, Cr 7.b carried by the Bash scripts). Fix in
passing: the CI/CD is Forgejo Actions (not GitHub Actions), protections on the Forgejo side.
- Journal: docs/journal/2026-06-17--makefile-to-compose-migrate.md (rationale + verification
on an ephemeral database: 2 migrations + 2 seeds, idempotent; deployment note for
databases that are already seeded).
Verified: docker compose config valid; runner tested on an ephemeral MariaDB (5 roles,
23 permissions, admin present); re-run = 0 new. No PHP/JS code touched.

Three issues surfaced when running 'make init' on the deployment host
and were fixed in place:
- wakdo_internal network: explicit subnet 192.168.148.0/24 (RFC 1918,
in the free 192.168.144-159 gap). The host's Docker daemon has its
default address pools saturated by other stacks, so auto-allocation
failed. An explicit subnet bypasses the allocator and isolates Wakdo
from neighbour churn.
- wakdo-cron: init: true added so Docker injects tini as PID 1. Without
it, dcron loops on 'setpgid: Operation not permitted' because PID 1
in a container without an init system cannot change process groups
for its children.
- healthz vhost: served as a static file from /usr/local/apache2/htdocs/
instead of a RewriteRule [R=200] that triggered Apache's ErrorDocument
template (and leaked 'internal error' wording into a 200 response).
The file lives outside /var/www/html/ which is bind-mounted at runtime
and would otherwise mask the COPY.

Deliver the full Docker stack for Bloc 5 DevOps (Cr 7.c.3 and 7.c.4):
- docker/apache/       Custom httpd:2.4-alpine with hardened main config,
                       MPM event tuning and 3 vhosts (healthz, kiosk static,
                       admin reverse FCGI to wakdo-app:9000). Kiosk vhost
                       explicitly denies .php to enforce Bloc 1 isolation.
- docker/php-fpm/      Custom php:8.3-fpm-alpine3.20 with pdo_mysql, opcache,
                       intl, exif, zip and tini for signal handling.
                       Dynamic pool 3-10 workers listening on TCP 9000.
- docker/cron/         Custom alpine:3.20 with dcron, mariadb-client, gzip.
                       Nightly mysqldump at 03h00 with 14-day rotation and
                       512-byte sanity check. Purge and stats jobs templated.
- docker-compose.yml   4 services orchestrated on 2 networks (internal
                       bridge + external reverse-proxy). 2 named volumes
                       for DB and uploads, bind-mount for backups.
                       Traefik labels for 2 routers with HTTPS redirect.
Makefile adds `make backup` (manual dump) and `make backup-ls`.
.gitignore adds /var/ for backup bind-mount path.
docs/journal/2026-04-24--infra-docker.md documents 5 decisions with
alternatives, maps 16 RNCP criteria to artefacts and prepares 6 jury Q&A.
Validated: `docker compose config --quiet` passes. Smoke test deferred
to next session (requires server .env).
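
The nightly backup behaviour listed for docker/cron/ above (14-day rotation, 512-byte sanity check), as an added shell example that is not the project's cron script. The file naming, the function names, the `gzip -t` check and applying the threshold to the compressed file are assumptions.

```shell
#!/bin/sh
# Added example, not the project's cron script. File naming, function names,
# the gzip -t check and measuring the compressed file are assumptions.
MIN_BYTES=512   # sanity threshold named in the commit message
KEEP_DAYS=14    # rotation window named in the commit message

# accept_dump PARTIAL FINAL: promote a finished dump only if it looks real.
accept_dump() {
    tmp=$1; final=$2
    size=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$size" -lt "$MIN_BYTES" ]; then
        echo "backup rejected: $size bytes, expected at least $MIN_BYTES" >&2
        rm -f "$tmp"; return 1
    fi
    if ! gzip -t "$tmp" 2>/dev/null; then
        echo "backup rejected: not a complete gzip stream" >&2
        rm -f "$tmp"; return 2
    fi
    mv "$tmp" "$final"
}

# rotate_dumps DIR: delete dumps older than KEEP_DAYS.
rotate_dumps() {
    find "$1" -type f -name '*.sql.gz' -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# run_backup DIR DUMP_CMD [ARGS...]: dump, verify, then rotate.
run_backup() {
    dir=$1; shift
    stamp=$(date +%Y%m%d-%H%M%S)
    partial="$dir/.wakdo-$stamp.sql.gz.partial"
    umask 077   # dumps contain the whole database: owner-only files
    # Without pipefail the pipeline reports gzip's status, so a dump command
    # that dies still leaves a tiny valid archive; the size check catches it.
    "$@" | gzip > "$partial" || { rm -f "$partial"; return 3; }
    accept_dump "$partial" "$dir/wakdo-$stamp.sql.gz" || return $?
    # Rotation runs only after a good dump, so a run of failed nights
    # never deletes the last usable backup.
    rotate_dumps "$dir"
}
```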