## Machine virtuelle GESTION

Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association.

### Matériel virtuel

CPU : 4  
RAM : 3000 Mio
Stockage de masse : 50 Gio

### Logiciel

Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)  
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)  
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`  
Compta et gestion des membres : `garradin`  
Mail Transfer Agent : `postfix`  

### Caractéristiques notables

Domaine : gestion.a-lec.org  
Adresse ipv4 publique : 80.67.176.33  
Adresse ipv4 interne : 192.168.1.236  
Adresse ipv6 publique : 2001:910:1021::236

### Configuration serveur web (nginx)
<details>

    server {
      server_name coffre.a-lec.org;

      set_real_ip_from  192.169.1.1;
      real_ip_header proxy_protocol;

      # Allow large attachments
      client_max_body_size 128M;

      location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      }

      location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      }

      location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8000;
      }

       listen 443 ssl http2 proxy_protocol; # managed by Certbot
       listen [::]:443 ssl http2; # managed by Certbot
       ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot
       include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    }

    server {
        if ($host = coffre.a-lec.org) {
            return 302 https://$host$request_uri;
        } # managed by Certbot

       server_name coffre.a-lec.org;

        listen 80;
        return 404; # managed by Certbot
    }

    server {

        root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian)

        server_name gestion.a-lec.org; # Remplacer par votre nom de domaine
        
        set_real_ip_from  192.169.1.1;
        real_ip_header proxy_protocol;

        location / {
            try_files $uri $uri/ /_route.php?$query_string;
            index index.php /_route.php;
        }

        location ~ \.php {
            try_files $uri $uri/ /_route.php?$query_string;
            include fastcgi.conf;
            #fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket
            fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket        
        }

        listen 443 ssl proxy_protocol; # managed by Certbot
        listen [::]:443 ssl;
        ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    }

    server {
        if ($host = gestion.a-lec.org) {
            return 302 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;

        server_name gestion.a-lec.org;
        return 404; # managed by Certbot
    }
</details>