docs(memory): backfill registries for docker, certbot, formation
decisions.md — log BDR-004 (containerize site with nginx:alpine behind reverse
proxy): rationale, hardening flags (read_only, cap_drop,
no-new-privileges, tmpfs), alternatives rejected (bare nginx,
Caddy/Traefik). Reference commits: 7957b04.
learnings.md — log LRN-001 (certbot --nginx matches `server_name`, not
filename): root cause was leftover `server_name autreprojet.fr`
in `sites-available/bchanot.fr`. Future check:
`grep -n "server_name" /etc/nginx/sites-enabled/*` before any
certbot install on a multi-site VPS.
journal.md — 5 lines covering docker setup, git init + remote + push,
certbot diagnose + fix, prior commit batch, and today's
feat(formation) section work (commit 1d5fbfa).
Co-Authored-By: Claude <noreply@anthropic.com>
parent 1d5fbfa148
commit c2e1dd30a8
@ -25,6 +25,7 @@ rules:
| BDR-001 | 2026-05-15 | Static single-file site, no framework | accepted |
| BDR-002 | 2026-05-15 | weasyprint pour PDF CV depuis HTML | accepted |
| BDR-003 | 2026-05-15 | Position pro: CDI prioritaire, freelance parallèle | accepted |
| BDR-004 | 2026-05-15 | Containerize site with nginx:alpine behind reverse proxy | accepted |
---
@ -64,3 +65,17 @@ rules:
- **Décision**: Site annonce **CDI systèmes/embarqué prioritaire**, ZenQuality (freelance) en parallèle. Géo: full remote idéal, hybride 1-2 j/mois si Paris, mobilité Pays de la Loire.
- **Pourquoi**: Recadrage user. Première version annonçait "Missions long terme & expertise" — pas représentatif. Hiérarchie CDI > freelance maintenant explicite (hero eyebrow + about para + callout + CV header).
- **Référence**: `index.html` (hero-eyebrow, about-text para 3, about-callout) + `CV_Bastien_Chanot.html` (header).
---
## BDR-004 — Containerize site with nginx:alpine behind reverse proxy
- **Date**: 2026-05-15
- **Status**: accepted
- **Decision**: Ship site as `bchanot-web` Docker container (`nginx:1.27-alpine`). Container listens on port 80 internally; host port configurable via `PORT` env (default 8080), bound to `127.0.0.1`. Host nginx terminates TLS + `proxy_pass` to container.
- **Why**: VPS hosts multiple sites (`zenquality.fr`, `nuit-folle.zenquality.fr`, `bchanot.fr`). Container isolates static assets + nginx config, easier rollback, reproducible build. Loopback bind blocks direct external hits, forces traffic through host nginx (TLS, rate limit, logs).
- **Hardening**: `read_only: true`, `cap_drop: ALL` + minimal `cap_add`, `no-new-privileges`, tmpfs for `/var/cache/nginx` + `/var/run` + `/tmp`. CSP allows inline CSS/JS (project convention) + Google Fonts. HSTS deliberately omitted at container level — set by outer proxy after TLS termination.
- **Alternatives rejected**:
- Bare static files served by host nginx — no isolation, config drift between sites, harder rollback.
- Caddy / Traefik container — overkill for 1 static site, host nginx already handles TLS for other domains.
- **Reference**: `Dockerfile`, `nginx.conf`, `docker-compose.yml`, `.env.example`.
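Review bot: the **Hardening** bullet says `cap_drop: ALL` + "minimal `cap_add`" without naming the capabilities that are kept, so the decision is not reproducible from this record; list them explicitly in BDR-004 (the reader has to open `docker-compose.yml` to learn what "minimal" means). Two related points in the same bullet: "CSP allows inline CSS/JS (project convention)" means `script-src` carries `'unsafe-inline'`, which removes most of the XSS protection a CSP gives; for a single static file a hash-based `script-src` is cheap to generate and keeps the convention, so at least record that the trade-off was considered. And with `read_only: true` plus tmpfs only on `/var/cache/nginx`, `/var/run` and `/tmp`, the official image's entrypoint scripts still try to write under `/etc/nginx/conf.d` in some configurations; state in the decision that the container was confirmed to start clean with `docker compose up` under these flags. In the **Decision** bullet, suggest pinning the bind in the compose file as `"127.0.0.1:${PORT:-8080}:80"` so an unset `PORT` cannot silently drop the loopback restriction the **Why** bullet relies on.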
@ -20,3 +20,8 @@ rules:
- Serveur dev: `python3 -m http.server 8000 --bind 0.0.0.0` → LAN sur `192.168.1.101:8000`.
- Position pro précisée: CDI embarqué/logiciel prioritaire, freelance ZenQuality parallèle, remote ou Paris 1-2 j/mois, mobilité Pays de la Loire.
- Squelette `.claude/` + `CLAUDE.md` + `README.md` créés a posteriori (init-project skippé init pour single-file livrable).
- Docker setup: `Dockerfile` (nginx:1.27-alpine), `nginx.conf` (gzip+cache+CSP), `docker-compose.yml` (`PORT` env, 127.0.0.1 bind, hardened). Decision logged BDR-004.
- Git init + remote `https://git.bchanot.fr/bchanot/bchanot-cv.git`. 2 commits baseline + docker, branch renamed `main`→`master` to match remote default. Pushed `7957b04..54e8300`.
- Certbot install failed for `bchanot.fr`: diagnosed mismatch — `sites-available/bchanot.fr` contained `server_name autreprojet.fr;` (copy-paste leftover). Fix: sed rewrite. Learning logged LRN-001.
- Commits: `54e8300..7957b04` + user's `414bce1` (CV final).
- Dedicated `#formation` section added between Parcours + Contact: timeline reused, 3 theme-cards inside École 42 entry (Systèmes/Kernel · Bas niveau · Sécurité/Algo), TSRIT block with `Félicitations du jury` honors pill. Removed `.contact-side` aside + dead CSS, `.contact-list` 2-col on >=768px to fill freed space. Nav link inserted. Commit `1d5fbfa`.
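Review bot: the two commit ranges in this hunk contradict each other: the git entry says "Pushed `7957b04..54e8300`" while the later entry says "Commits: `54e8300..7957b04`"; one of the two is reversed, and the journal should give the range in the same direction both times (the commit message cites `7957b04` as the docker commit, which suggests the second form). In the certbot entry, "Fix: sed rewrite" of a live vhost file under `sites-available/` is only half the record; add the validation step that was run after the edit (`nginx -t` followed by a reload), since an unvalidated rewrite of a `server_name` line on a multi-site VPS can take the other sites down with it.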
@ -19,14 +19,13 @@ rules:
| ID | Date | Pattern | Applies to |
|----|------|---------|------------|
| LRN-001 | 2026-05-15 | certbot --nginx matches `server_name`, not filename | nginx + certbot on multi-site VPS |
<!-- Append entries below. Template:
---
## LRN-XXX - <pattern abstrait>
## LRN-001 — certbot --nginx matches `server_name`, not filename
- **Date** : YYYY-MM-DD
- **Date**: 2026-05-15
- **Pattern** : <ce qui a été observé, formulé de manière réutilisable>
- **Pattern**: `certbot install --cert-name X` (and `certbot --nginx -d X`) locates the target vhost by scanning every `server_name` directive in active nginx configs. The filename in `sites-available/` is irrelevant. A file named `X.conf` with `server_name Y;` inside will NOT be picked up for domain X.
- **Contexte** : <où et quand, concret>
- **Context**: `/etc/nginx/sites-available/bchanot.fr` existed and was symlinked into `sites-enabled/`, but its body still contained `server_name autreprojet.fr www.autreprojet.fr;` — a copy-paste leftover from a previous project. Certbot returned `Could not automatically find a matching server block for bchanot.fr`.
- **Application future** : <quand se rappeler de ceci>
- **Future application**: Before running certbot on a multi-site VPS, `grep -n "server_name" /etc/nginx/sites-enabled/*` — confirm the target domain is actually declared inside, not just present in the filename. Same logic applies when troubleshooting "why is nginx serving the wrong site" — match by `server_name`, never by filename.
-->
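Review bot: this hunk writes the LRN-001 entry over the template block that started at `<!-- Append entries below. Template:`, so the template that future LRN entries were supposed to copy is gone; if it is meant to persist, re-add it after the new entry, and check that the closing `-->` is dropped together with the opening line, otherwise the file ends with a stray `-->` (the hunk counts are -14/+13, so confirm which line was kept). The entry also switches the field names from the template's French (`**Contexte**`, `**Application future**`) to English (`**Context**`, `**Future application**`) while the table header and the BDR entries elsewhere in this commit stay in French; pick one language for the registry keys. On the check itself, `grep -n "server_name" /etc/nginx/sites-enabled/*` misses `server_name` directives that live in `conf.d/*.conf` or in included snippets, which is exactly where a leftover from another project can hide; `nginx -T | grep -n server_name` dumps the full effective configuration and is the more reliable pre-certbot check to record here.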