The mariadb image creates MARIADB_USER with GRANT ALL PRIVILEGES on the database,
which gave the exposed back-office code DDL/DROP/GRANT access it has no use for
(migrations run as root). The docs (compose, backup-db.sh) nevertheless described
a least privilege that was never applied.

- db/init/10-scope-app-user.sh: MariaDB init script (fresh volume) that REVOKEs
  ALL then GRANTs the restricted set SELECT/INSERT/UPDATE/DELETE + SHOW VIEW/TRIGGER/
  LOCK TABLES (DML + mysqldump needs), parameterised on MARIADB_USER/DATABASE.
- docker-compose.yml: mounts db/init at /docker-entrypoint-initdb.d (ro).
- backup-db.sh: comment aligned with the actual set (mysqldump --single-transaction
  only requires SELECT + SHOW VIEW/TRIGGER).

Verified: on a fresh volume the user comes out scoped (no more ALL PRIVILEGES); on
the dev database (scoped manually, outside a fresh volume) /api/health=200 (SELECT)
and the 13 integration tests pass (DML create/update/delete as wakdo).
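The REVOKE/GRANT init step and the "no more ALL PRIVILEGES" check described in the commit above, as an added example that is not the project's own db/init/10-scope-app-user.sh. It assumes the mariadb image's default of creating the user as '<user>'@'%' and, when sourced from /docker-entrypoint-initdb.d, the entrypoint's docker_process_sql helper; the database name wakdo_db and the SHOW GRANTS sample are constructed.

```shell
#!/bin/sh
# Added example, not the project's init script: emits the statements that
# replace the image's GRANT ALL with the DML + mysqldump set, driven by
# MARIADB_USER / MARIADB_DATABASE, and checks SHOW GRANTS output afterwards.

# Refuse identifiers that could break out of the quoting used below.
safe_ident() {
  case "$1" in
    '' | *[!A-Za-z0-9_.-]*) return 1 ;;
  esac
}

# Emit the SQL: drop every privilege on the schema, then grant only what the
# app (DML) and mysqldump --single-transaction (SELECT, SHOW VIEW, TRIGGER,
# LOCK TABLES) need. Assumes the image created '<user>'@'%'.
scope_app_user_sql() {
  user="$1" db="$2"
  safe_ident "$user" && safe_ident "$db" || return 1
  qdb="\`$db\`"
  cat <<EOF
REVOKE ALL PRIVILEGES ON ${qdb}.* FROM '${user}'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE, SHOW VIEW, TRIGGER, LOCK TABLES ON ${qdb}.* TO '${user}'@'%';
FLUSH PRIVILEGES;
EOF
}

# Post-check on SHOW GRANTS output read from stdin: succeed only when no line
# still carries ALL PRIVILEGES, i.e. the user really came out scoped.
grants_scoped() {
  ! grep -q 'GRANT ALL PRIVILEGES'
}

# Constructed sample of SHOW GRANTS FOR 'wakdo'@'%' after scoping (not real output).
sample_scoped_grants() {
  printf '%s\n' "GRANT USAGE ON *.* TO \`wakdo\`@\`%\`" \
    "GRANT SELECT, INSERT, UPDATE, DELETE, SHOW VIEW, TRIGGER, LOCK TABLES ON \`wakdo_db\`.* TO \`wakdo\`@\`%\`"
}

# Inside the mariadb init phase, apply the statements via the entrypoint helper
# (assumed to read SQL from stdin, as the official image's helper does).
if [ -n "${MARIADB_USER:-}" ] && [ -n "${MARIADB_DATABASE:-}" ] \
   && command -v docker_process_sql >/dev/null 2>&1; then
  scope_app_user_sql "$MARIADB_USER" "$MARIADB_DATABASE" | docker_process_sql
fi
```

Outside the container the script only defines the functions, so it can be linted and unit-tested before being dropped into db/init.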
Deliver the full Docker stack for Bloc 5 DevOps (Cr 7.c.3 and 7.c.4):

- docker/apache/       Custom httpd:2.4-alpine with hardened main config,
                       MPM event tuning and 3 vhosts (healthz, kiosk static,
                       admin reverse FCGI to wakdo-app:9000). Kiosk vhost
                       explicitly denies .php to enforce Bloc 1 isolation.
- docker/php-fpm/      Custom php:8.3-fpm-alpine3.20 with pdo_mysql, opcache,
                       intl, exif, zip and tini for signal handling.
                       Dynamic pool 3-10 workers listening on TCP 9000.
- docker/cron/         Custom alpine:3.20 with dcron, mariadb-client, gzip.
                       Nightly mysqldump at 03h00 with 14-day rotation and
                       512-byte sanity check. Purge and stats jobs templated.
- docker-compose.yml   4 services orchestrated on 2 networks (internal
                       bridge + external reverse-proxy). 2 named volumes
                       for DB and uploads, bind-mount for backups.
                       Traefik labels for 2 routers with HTTPS redirect.

Makefile adds `make backup` (manual dump) and `make backup-ls`.
.gitignore adds /var/ for backup bind-mount path.
docs/journal/2026-04-24--infra-docker.md documents 5 decisions with
alternatives, maps 16 RNCP criteria to artefacts and prepares 6 jury Q&A.

Validated: `docker compose config --quiet` passes. Smoke test deferred
to next session (requires server .env).