docs(memory): backfill registries for docker, certbot, formation

decisions.md  — log BDR-004 (containerize site with nginx:alpine behind reverse
                proxy): rationale, hardening flags (read_only, cap_drop,
                no-new-privileges, tmpfs), alternatives rejected (bare nginx,
                Caddy/Traefik). Reference commits: 7957b04.

learnings.md  — log LRN-001 (certbot --nginx matches `server_name`, not
                filename): root cause was leftover `server_name autreprojet.fr`
                in `sites-available/bchanot.fr`. Future check:
                `grep -n "server_name" /etc/nginx/sites-enabled/*` before any
                certbot install on a multi-site VPS.

journal.md    — 5 lines covering docker setup, git init + remote + push,
                certbot diagnose + fix, prior commit batch, and today's
                feat(formation) section work (commit 1d5fbfa).

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
bastien 2026-05-15 20:37:28 +02:00
parent 1d5fbfa148
commit c2e1dd30a8
3 changed files with 27 additions and 8 deletions

View File

@ -25,6 +25,7 @@ rules:
| BDR-001 | 2026-05-15 | Static single-file site, no framework | accepted | | BDR-001 | 2026-05-15 | Static single-file site, no framework | accepted |
| BDR-002 | 2026-05-15 | weasyprint pour PDF CV depuis HTML | accepted | | BDR-002 | 2026-05-15 | weasyprint pour PDF CV depuis HTML | accepted |
| BDR-003 | 2026-05-15 | Position pro: CDI prioritaire, freelance parallèle | accepted | | BDR-003 | 2026-05-15 | Position pro: CDI prioritaire, freelance parallèle | accepted |
| BDR-004 | 2026-05-15 | Containerize site with nginx:alpine behind reverse proxy | accepted |
--- ---
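Review bot: the new BDR-004 row is written in English while the neighbouring rows (BDR-002, BDR-003) are in French, so the registry table now mixes languages; pick one for the index (the full entry below is English, so English is the natural choice) and align the older rows or this one. The commit message also cites commit 7957b04 as the reference for this decision, but the table has no place for it; if the table is meant to be the quick index, consider whether the reference belongs there or only in the detailed entry.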
@ -64,3 +65,17 @@ rules:
- **Décision**: Site annonce **CDI systèmes/embarqué prioritaire**, ZenQuality (freelance) en parallèle. Géo: full remote idéal, hybride 1-2 j/mois si Paris, mobilité Pays de la Loire. - **Décision**: Site annonce **CDI systèmes/embarqué prioritaire**, ZenQuality (freelance) en parallèle. Géo: full remote idéal, hybride 1-2 j/mois si Paris, mobilité Pays de la Loire.
- **Pourquoi**: Recadrage user. Première version annonçait "Missions long terme & expertise" — pas représentatif. Hiérarchie CDI > freelance maintenant explicite (hero eyebrow + about para + callout + CV header). - **Pourquoi**: Recadrage user. Première version annonçait "Missions long terme & expertise" — pas représentatif. Hiérarchie CDI > freelance maintenant explicite (hero eyebrow + about para + callout + CV header).
- **Référence**: `index.html` (hero-eyebrow, about-text para 3, about-callout) + `CV_Bastien_Chanot.html` (header). - **Référence**: `index.html` (hero-eyebrow, about-text para 3, about-callout) + `CV_Bastien_Chanot.html` (header).
---
## BDR-004 — Containerize site with nginx:alpine behind reverse proxy
- **Date**: 2026-05-15
- **Status**: accepted
- **Decision**: Ship site as `bchanot-web` Docker container (`nginx:1.27-alpine`). Container listens on port 80 internally; host port configurable via `PORT` env (default 8080), bound to `127.0.0.1`. Host nginx terminates TLS + `proxy_pass` to container.
- **Why**: VPS hosts multiple sites (`zenquality.fr`, `nuit-folle.zenquality.fr`, `bchanot.fr`). Container isolates static assets + nginx config, easier rollback, reproducible build. Loopback bind blocks direct external hits, forces traffic through host nginx (TLS, rate limit, logs).
- **Hardening**: `read_only: true`, `cap_drop: ALL` + minimal `cap_add`, `no-new-privileges`, tmpfs for `/var/cache/nginx` + `/var/run` + `/tmp`. CSP allows inline CSS/JS (project convention) + Google Fonts. HSTS deliberately omitted at container level — set by outer proxy after TLS termination.
- **Alternatives rejected**:
- Bare static files served by host nginx — no isolation, config drift between sites, harder rollback.
- Caddy / Traefik container — overkill for 1 static site, host nginx already handles TLS for other domains.
- **Reference**: `Dockerfile`, `nginx.conf`, `docker-compose.yml`, `.env.example`.
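Review bot: the hardening bullet says `cap_drop: ALL` + "minimal `cap_add`" without naming which capabilities are added back; a decision record should list them explicitly, since that list is exactly what a later reviewer needs to judge whether the container is still least-privilege. Related, the line "CSP allows inline CSS/JS (project convention)" records a real weakening of the policy (inline script allowances remove most of the script-injection protection a CSP provides) and should be stated as an accepted trade-off with its reason, not only as a convention. Finally, the `Reference` line lists files only; the commit message names `7957b04` as the reference commit, so add it here too so the entry points at a fixed revision.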

View File

@ -20,3 +20,8 @@ rules:
- Serveur dev: `python3 -m http.server 8000 --bind 0.0.0.0` → LAN sur `192.168.1.101:8000`. - Serveur dev: `python3 -m http.server 8000 --bind 0.0.0.0` → LAN sur `192.168.1.101:8000`.
- Position pro précisée: CDI embarqué/logiciel prioritaire, freelance ZenQuality parallèle, remote ou Paris 1-2 j/mois, mobilité Pays de la Loire. - Position pro précisée: CDI embarqué/logiciel prioritaire, freelance ZenQuality parallèle, remote ou Paris 1-2 j/mois, mobilité Pays de la Loire.
- Squelette `.claude/` + `CLAUDE.md` + `README.md` créés a posteriori (init-project skippé init pour single-file livrable). - Squelette `.claude/` + `CLAUDE.md` + `README.md` créés a posteriori (init-project skippé init pour single-file livrable).
- Docker setup: `Dockerfile` (nginx:1.27-alpine), `nginx.conf` (gzip+cache+CSP), `docker-compose.yml` (`PORT` env, 127.0.0.1 bind, hardened). Decision logged BDR-004.
- Git init + remote `https://git.bchanot.fr/bchanot/bchanot-cv.git`. 2 commits baseline + docker, branch renamed `main`→`master` to match remote default. Pushed `7957b04..54e8300`.
- Certbot install failed for `bchanot.fr`: diagnosed mismatch — `sites-available/bchanot.fr` contained `server_name autreprojet.fr;` (copy-paste leftover). Fix: sed rewrite. Learning logged LRN-001.
- Commits: `54e8300..7957b04` + user's `414bce1` (CV final).
- Dedicated `#formation` section added between Parcours + Contact: timeline reused, 3 theme-cards inside École 42 entry (Systèmes/Kernel · Bas niveau · Sécurité/Algo), TSRIT block with `Félicitations du jury` honors pill. Removed `.contact-side` aside + dead CSS, `.contact-list` 2-col on >=768px to fill freed space. Nav link inserted. Commit `1d5fbfa`.
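Review bot: the two commit ranges in this hunk contradict each other: one line records "Pushed `7957b04..54e8300`" and a later line records "Commits: `54e8300..7957b04`", which reverses the order of the same two hashes. Since the commit message ties BDR-004 (docker) to `7957b04`, check `git log --oneline` and write both lines with the actual ancestry so the journal can be used to reconstruct what was pushed when. The certbot line records "Fix: sed rewrite" but not the resulting `server_name` value; note the corrected directive so the journal entry stands on its own.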

View File

@ -19,14 +19,13 @@ rules:
| ID | Date | Pattern | Applies to | | ID | Date | Pattern | Applies to |
|----|------|---------|------------| |----|------|---------|------------|
| LRN-001 | 2026-05-15 | certbot --nginx matches `server_name`, not filename | nginx + certbot on multi-site VPS |
<!-- Append entries below. Template: ---
## LRN-XXX - <pattern abstrait> ## LRN-001 — certbot --nginx matches `server_name`, not filename
- **Date** : YYYY-MM-DD - **Date**: 2026-05-15
- **Pattern** : <ce qui a été observé, formulé de manière réutilisable> - **Pattern**: `certbot install --cert-name X` (and `certbot --nginx -d X`) locates the target vhost by scanning every `server_name` directive in active nginx configs. The filename in `sites-available/` is irrelevant. A file named `X.conf` with `server_name Y;` inside will NOT be picked up for domain X.
- **Contexte** : < et quand, concret> - **Context**: `/etc/nginx/sites-available/bchanot.fr` existed and was symlinked into `sites-enabled/`, but its body still contained `server_name autreprojet.fr www.autreprojet.fr;` — a copy-paste leftover from a previous project. Certbot returned `Could not automatically find a matching server block for bchanot.fr`.
- **Application future** : <quand se rappeler de ceci> - **Future application**: Before running certbot on a multi-site VPS, `grep -n "server_name" /etc/nginx/sites-enabled/*` — confirm the target domain is actually declared inside, not just present in the filename. Same logic applies when troubleshooting "why is nginx serving the wrong site" — match by `server_name`, never by filename.
-->
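Review bot: this hunk deletes the whole `<!-- Append entries below. Template: ... -->` block (the opening `<!--` on the first changed line and the closing `-->` on the last are both removed) rather than appending LRN-001 after it, so the file loses its entry template for future learnings; keep the comment and insert new entries below it. On the "Future application" line, `grep -n "server_name" /etc/nginx/sites-enabled/*` only covers that directory, while certbot scans every server block nginx actually loads, including anything pulled in via `conf.d/*.conf` or other `include` lines; `nginx -T | grep -n server_name` dumps the full effective configuration and is the more reliable pre-check on a multi-site host.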