Deliver the full Docker stack for Bloc 5 DevOps (Cr 7.c.3 and 7.c.4):
- docker/apache/ Custom httpd:2.4-alpine with hardened main config,
MPM event tuning and 3 vhosts (healthz, kiosk static,
admin reverse FCGI to wakdo-app:9000). Kiosk vhost
explicitly denies .php to enforce Bloc 1 isolation.
- docker/php-fpm/ Custom php:8.3-fpm-alpine3.20 with pdo_mysql, opcache,
intl, exif, zip and tini for signal handling.
Dynamic pool 3-10 workers listening on TCP 9000.
- docker/cron/ Custom alpine:3.20 with dcron, mariadb-client, gzip.
Nightly mysqldump at 03h00 with 14-day rotation and
512-byte sanity check. Purge and stats jobs templated.
- docker-compose.yml 4 services orchestrated on 2 networks (internal
bridge + external reverse-proxy). 2 named volumes
for DB and uploads, bind-mount for backups.
Traefik labels for 2 routers with HTTPS redirect.
Makefile adds `make backup` (manual dump) and `make backup-ls`.
.gitignore adds /var/ for backup bind-mount path.
docs/journal/2026-04-24--infra-docker.md documents 5 decisions with
alternatives, maps 16 RNCP criteria to artefacts and prepares 6 jury Q&A.
Validated: `docker compose config --quiet` passes. Smoke test deferred
to next session (requires server .env).
; Wakdo - configuration PHP runtime (surcharge le php.ini par defaut)
|
|
; Charge en dernier via le prefixe zz- pour avoir le dernier mot.
|
|
|
|
[PHP]
|
|
; --- Erreurs ---
|
|
; En dev : on affiche les erreurs a l'ecran. En prod : surcharge via override
|
|
; docker-compose.prod.yml qui remplace ce fichier (display_errors=0, log_errors=1).
|
|
display_errors = On
|
|
display_startup_errors = On
|
|
error_reporting = E_ALL
|
|
log_errors = On
|
|
error_log = /proc/self/fd/2
|
|
|
|
; --- Memoire et temps ---
|
|
memory_limit = 256M
|
|
max_execution_time = 30
|
|
max_input_time = 60
|
|
|
|
; --- Upload images produits (voir .env UPLOAD_MAX_SIZE_MB=5) ---
|
|
; post_max_size >= upload_max_filesize + overhead des autres champs du form.
|
|
file_uploads = On
|
|
upload_max_filesize = 5M
|
|
post_max_size = 8M
|
|
max_file_uploads = 5
|
|
|
|
; --- Timezone ---
|
|
; Cr technique : eviter les warnings et les decalages date silencieux.
|
|
date.timezone = Europe/Paris
|
|
|
|
; --- Sessions ---
|
|
; Le nom du cookie et la lifetime sont surcharges par l'appli au runtime via
|
|
; session_set_cookie_params() a partir des variables SESSION_* du .env.
|
|
; Ce qui est fixe ici = les defaults securises.
|
|
session.use_strict_mode = 1
|
|
session.use_cookies = 1
|
|
session.use_only_cookies = 1
|
|
session.cookie_httponly = 1
|
|
session.cookie_samesite = "Strict"
|
|
session.cookie_secure = 1
|
|
; session.save_path est laisse par defaut (/tmp dans le conteneur).
|
|
; Persistance inter-container non necessaire : chaque session est liee a une
|
|
; instance unique du service wakdo-app (pas de scale horizontal pour ce projet).
|
|
|
|
; --- Expose_php = Off : ne pas leak la version PHP dans l'entete HTTP ---
|
|
expose_php = Off
|
|
|
|
; --- OPcache (perf + stabilite) ---
|
|
[opcache]
|
|
opcache.enable = 1
|
|
opcache.enable_cli = 0
|
|
opcache.memory_consumption = 128
|
|
opcache.interned_strings_buffer = 16
|
|
opcache.max_accelerated_files = 10000
|
|
opcache.validate_timestamps = 1
|
|
; En dev : revalidate toutes les 2s pour prendre en compte les modifs du bind-mount.
|
|
; En prod : validate_timestamps=0 via override (invalidation manuelle au deploy).
|
|
opcache.revalidate_freq = 2
|
|
opcache.fast_shutdown = 1
|
|
|
|
; --- PDO / MySQL ---
|
|
[PDO]
|
|
; Pas de persistent connections pour un projet a faible volume : plus simple
|
|
; a debugger et moins de risques de fuite de sessions BDD.
|
|
|
|
[MySQLi]
|
|
mysqli.default_host = wakdo-db
|
|
mysqli.default_port = 3306
|