
docs(memory): backfill registries for docker, certbot, formation

decisions.md  — log BDR-004 (containerize site with nginx:alpine behind reverse
                proxy): rationale, hardening flags (read_only, cap_drop,
                no-new-privileges, tmpfs), alternatives rejected (bare nginx,
                Caddy/Traefik). Reference commits: 7957b04.

learnings.md  — log LRN-001 (certbot --nginx matches `server_name`, not
                filename): root cause was leftover `server_name autreprojet.fr`
                in `sites-available/bchanot.fr`. Future check:
                `grep -n "server_name" /etc/nginx/sites-enabled/*` before any
                certbot install on a multi-site VPS.

journal.md    — 5 lines covering docker setup, git init + remote + push,
                certbot diagnose + fix, prior commit batch, and today's
                feat(formation) section work (commit 1d5fbfa).

Co-Authored-By: Claude <noreply@anthropic.com>
bastien, 1 day ago
commit c2e1dd30a8
3 files changed, 27 additions and 8 deletions
  1. .claude/memory/decisions.md (+15 -0)
  2. .claude/memory/journal.md (+5 -0)
  3. .claude/memory/learnings.md (+7 -8)

+ 15 - 0
.claude/memory/decisions.md

@@ -25,6 +25,7 @@ rules:
 | BDR-001 | 2026-05-15 | Static single-file site, no framework | accepted |
 | BDR-002 | 2026-05-15 | weasyprint pour PDF CV depuis HTML | accepted |
 | BDR-003 | 2026-05-15 | Position pro: CDI prioritaire, freelance parallèle | accepted |
+| BDR-004 | 2026-05-15 | Containerize site with nginx:alpine behind reverse proxy | accepted |
 
 ---
 
@@ -64,3 +65,17 @@ rules:
 - **Décision**: Site annonce **CDI systèmes/embarqué prioritaire**, ZenQuality (freelance) en parallèle. Géo: full remote idéal, hybride 1-2 j/mois si Paris, mobilité Pays de la Loire.
 - **Pourquoi**: Recadrage user. Première version annonçait "Missions long terme & expertise" — pas représentatif. Hiérarchie CDI > freelance maintenant explicite (hero eyebrow + about para + callout + CV header).
 - **Référence**: `index.html` (hero-eyebrow, about-text para 3, about-callout) + `CV_Bastien_Chanot.html` (header).
+
+---
+
+## BDR-004 — Containerize site with nginx:alpine behind reverse proxy
+
+- **Date**: 2026-05-15
+- **Status**: accepted
+- **Decision**: Ship site as `bchanot-web` Docker container (`nginx:1.27-alpine`). Container listens on port 80 internally; host port configurable via `PORT` env (default 8080), bound to `127.0.0.1`. Host nginx terminates TLS + `proxy_pass` to container.
+- **Why**: VPS hosts multiple sites (`zenquality.fr`, `nuit-folle.zenquality.fr`, `bchanot.fr`). Container isolates static assets + nginx config, easier rollback, reproducible build. Loopback bind blocks direct external hits, forces traffic through host nginx (TLS, rate limit, logs).
+- **Hardening**: `read_only: true`, `cap_drop: ALL` + minimal `cap_add`, `no-new-privileges`, tmpfs for `/var/cache/nginx` + `/var/run` + `/tmp`. CSP allows inline CSS/JS (project convention) + Google Fonts. HSTS deliberately omitted at container level — set by outer proxy after TLS termination.
+- **Alternatives rejected**:
+  - Bare static files served by host nginx — no isolation, config drift between sites, harder rollback.
+  - Caddy / Traefik container — overkill for 1 static site, host nginx already handles TLS for other domains.
+- **Reference**: `Dockerfile`, `nginx.conf`, `docker-compose.yml`, `.env.example`.
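Review bot: The `Hardening` bullet records `cap_drop: ALL` plus "minimal `cap_add`" without naming the capabilities that are kept, so the decision cannot be checked against `docker-compose.yml` or reproduced from this record alone; list them explicitly (typically some subset of `CHOWN`, `SETUID`, `SETGID` and `NET_BIND_SERVICE` for an image whose master process starts as root, or none if an unprivileged nginx variant is used). In the same bullet, "CSP allows inline CSS/JS (project convention)" should state whether that means `'unsafe-inline'` on `script-src`, which removes most of the injection protection a CSP provides, and whether hashes or nonces were considered, so the trade-off is recorded with the same care as the rejected alternatives below it.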

+ 5 - 0
.claude/memory/journal.md

@@ -20,3 +20,8 @@ rules:
 - Serveur dev: `python3 -m http.server 8000 --bind 0.0.0.0` → LAN sur `192.168.1.101:8000`.
 - Position pro précisée: CDI embarqué/logiciel prioritaire, freelance ZenQuality parallèle, remote ou Paris 1-2 j/mois, mobilité Pays de la Loire.
 - Squelette `.claude/` + `CLAUDE.md` + `README.md` créés a posteriori (init-project skippé init pour single-file livrable).
+- Docker setup: `Dockerfile` (nginx:1.27-alpine), `nginx.conf` (gzip+cache+CSP), `docker-compose.yml` (`PORT` env, 127.0.0.1 bind, hardened). Decision logged BDR-004.
+- Git init + remote `https://git.bchanot.fr/bchanot/bchanot-cv.git`. 2 commits baseline + docker, branch renamed `main`→`master` to match remote default. Pushed `7957b04..54e8300`.
+- Certbot install failed for `bchanot.fr`: diagnosed mismatch — `sites-available/bchanot.fr` contained `server_name autreprojet.fr;` (copy-paste leftover). Fix: sed rewrite. Learning logged LRN-001.
+- Commits: `54e8300..7957b04` + user's `414bce1` (CV final).
+- Dedicated `#formation` section added between Parcours + Contact: timeline reused, 3 theme-cards inside École 42 entry (Systèmes/Kernel · Bas niveau · Sécurité/Algo), TSRIT block with `Félicitations du jury` honors pill. Removed `.contact-side` aside + dead CSS, `.contact-list` 2-col on >=768px to fill freed space. Nav link inserted. Commit `1d5fbfa`.
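Review bot: The commit ranges in the second and fourth added bullets contradict each other: `Pushed 7957b04..54e8300` versus `Commits: 54e8300..7957b04`; one of the two is reversed, and since the commit message cites `7957b04` as the BDR-004 reference commit, fix the order so the journal can be used to locate the right commit. The certbot bullet's "Fix: sed rewrite" records neither the command nor the resulting `server_name` line; quote the actual edit so it can be redone or reverted on the next site.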

+ 7 - 8
.claude/memory/learnings.md

@@ -19,14 +19,13 @@ rules:
 
 | ID | Date | Pattern | Applies to |
 |----|------|---------|------------|
+| LRN-001 | 2026-05-15 | certbot --nginx matches `server_name`, not filename | nginx + certbot on multi-site VPS |
 
-<!-- Append entries below. Template:
-
-## LRN-XXX - <pattern abstrait>
+---
 
-- **Date** : YYYY-MM-DD
-- **Pattern** : <ce qui a été observé, formulé de manière réutilisable>
-- **Contexte** : <où et quand, concret>
-- **Application future** : <quand se rappeler de ceci>
+## LRN-001 — certbot --nginx matches `server_name`, not filename
 
--->
+- **Date**: 2026-05-15
+- **Pattern**: `certbot install --cert-name X` (and `certbot --nginx -d X`) locates the target vhost by scanning every `server_name` directive in active nginx configs. The filename in `sites-available/` is irrelevant. A file named `X.conf` with `server_name Y;` inside will NOT be picked up for domain X.
+- **Context**: `/etc/nginx/sites-available/bchanot.fr` existed and was symlinked into `sites-enabled/`, but its body still contained `server_name autreprojet.fr www.autreprojet.fr;` — a copy-paste leftover from a previous project. Certbot returned `Could not automatically find a matching server block for bchanot.fr`.
+- **Future application**: Before running certbot on a multi-site VPS, `grep -n "server_name" /etc/nginx/sites-enabled/*` — confirm the target domain is actually declared inside, not just present in the filename. Same logic applies when troubleshooting "why is nginx serving the wrong site" — match by `server_name`, never by filename.
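Review bot: The `Future application` check `grep -n "server_name" /etc/nginx/sites-enabled/*` only covers that one directory, while the `Pattern` bullet above says certbot scans every `server_name` in the active configuration, which also includes anything pulled in via `include` from `nginx.conf` or `conf.d/`; `nginx -T | grep -n server_name` dumps the fully resolved configuration and will not miss a vhost declared outside `sites-enabled/`. Separately, the hunk deletes the `<!-- Append entries below. Template: ... -->` comment instead of appending after it, so the entry template for LRN-002 onward is gone; keep the template (it can move to the end of the file) so future entries stay in the same shape.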