AcadeNice/corentin_wakdo
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
68 commits 11 branches 2 tags 16 MiB
Commit graph

2 commits

Author SHA1 Message Date
Imugiii
b9264f4ed7 feat(cron): purge de retention audit_log + throttle (mlt 13.4/13.5)
All checks were successful
CI / secret-scan (push) Successful in 9s
Details
CI / php-lint (push) Successful in 19s
Details
CI / static-tests (push) Successful in 45s
Details
CI / php-lint (pull_request) Successful in 25s
Details
CI / static-tests (pull_request) Successful in 35s
Details
CI / auto-merge (push) Has been skipped
Details
CI / secret-scan (pull_request) Successful in 9s
Details
CI / auto-merge (pull_request) Successful in 7s
Details 
Les vars de retention (AUDIT_LOG_RETENTION_DAYS, THROTTLE_PURGE_AFTER_HOURS)
etaient documentees comme purges cron mais aucun script/job n'existait, et les
vars n'etaient pas injectees au conteneur wakdo-cron (faux-semblant de conformite).

- purge-audit-log.sh : DELETE audit_log au-dela de AUDIT_LOG_RETENTION_DAYS
  (defaut 365). Unique exception documentee a l'append-only (RG-T14) : purge de
  retention planifiee, pas une mutation applicative.
- purge-throttle.sh : DELETE login_throttle + pin_throttle sans verrou actif et
  plus vieux que THROTTLE_PURGE_AFTER_HOURS (defaut 24), predicat mlt.md 13.5.
- crontab : jobs actives (15 4 audit, 45 4 throttle), fenetre de maintenance.
- docker-compose.yml : injection des 2 vars (avec defaut) au conteneur cron ;
  commentaire env aligne sur le user en moindre privilege.

Hors scope : la purge de customer_order (ORDER_RETENTION_DAYS) reste differee
tant que le domaine commande n'existe pas (RGPD = anonymisation a definir avec
le domaine, pas un simple DELETE).

Verifie : scripts lances dans l'image cron rebuildee contre la base dev (user
scope) -> exit 0 ; test positif/negatif sur login_throttle : la ligne stale sans
verrou est purgee, la ligne a verrou actif est conservee.
 2026-06-16 11:59:25 +00:00
Imugiii
ac8b6a6791 feat(docker): complete stack with compose and 4 services 
Deliver the full Docker stack for Bloc 5 DevOps (Cr 7.c.3 and 7.c.4):

- docker/apache/    Custom httpd:2.4-alpine with hardened main config,
                    MPM event tuning and 3 vhosts (healthz, kiosk static,
                    admin reverse FCGI to wakdo-app:9000). Kiosk vhost
                    explicitly denies .php to enforce Bloc 1 isolation.
- docker/php-fpm/   Custom php:8.3-fpm-alpine3.20 with pdo_mysql, opcache,
                    intl, exif, zip and tini for signal handling.
                    Dynamic pool 3-10 workers listening on TCP 9000.
- docker/cron/      Custom alpine:3.20 with dcron, mariadb-client, gzip.
                    Nightly mysqldump at 03h00 with 14-day rotation and
                    512-byte sanity check. Purge and stats jobs templated.
- docker-compose.yml  4 services orchestrated on 2 networks (internal
                      bridge + external reverse-proxy). 2 named volumes
                      for DB and uploads, bind-mount for backups.
                      Traefik labels for 2 routers with HTTPS redirect.

Makefile adds `make backup` (manual dump) and `make backup-ls`.
.gitignore adds /var/ for backup bind-mount path.
docs/journal/2026-04-24--infra-docker.md documents 5 decisions with
alternatives, maps 16 RNCP criteria to artefacts and prepares 6 jury Q&A.

Validated: `docker compose config --quiet` passes. Smoke test deferred
to next session (requires server .env).
 2026-04-24 15:59:19 +00:00