documentation/Machines virtuelles/gestion.md

4.2 KiB

Machine virtuelle GESTION

Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association.

Matériel virtuel

CPU : 4
RAM : 3000 Mio Stockage de masse : 50 Gio

Logiciel

Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (linux-libre-lts des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : etckeeper, mollyguard, git, tig, screen
Compta et gestion des membres : garradin
Mail Transfer Agent : postfix

Caractéristiques notables

Domaine : gestion.a-lec.org
Adresse ipv4 publique : 80.67.179.96
Adresse ipv4 interne : 192.169.1.236
Adresse ipv6 publique : 2001:910:1360::1ab

Configuration réseau

/etc/network/interfaces
# The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet dhcp
iface enp1s0 inet6 static
        address 2001:910:1360::1ab/128
        gateway 2001:910:1360::
/etc/host.allow
sshd: 192.169.1.0/24, [2001:910:1360::]/48
/etc/host/deny
sshd: ALL

Configuration MTA

/etc/postfix/transport

a-lec.org    :
*              discard:

/etc/postfix/virtual

@localhost admin@a-lec.org
@gestion.a-lec.org admin@a-lec.org

Configuration serveur web (nginx)

server {
  server_name coffre.a-lec.org;

  set_real_ip_from  192.169.1.1;
  real_ip_header proxy_protocol;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:8000;
  }

   listen 443 ssl http2 proxy_protocol; # managed by Certbot
   listen [::]:443 ssl http2; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = coffre.a-lec.org) {
        return 302 https://$host$request_uri;
    } # managed by Certbot

   server_name coffre.a-lec.org;

    listen 80;
    return 404; # managed by Certbot
}

server {

    root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian)

    server_name gestion.a-lec.org; # Remplacer par votre nom de domaine
    
    set_real_ip_from  192.169.1.1;
    real_ip_header proxy_protocol;

    location / {
        try_files $uri $uri/ /_route.php?$query_string;
        index index.php /_route.php;
    }

    location ~ \.php {
        try_files $uri $uri/ /_route.php?$query_string;
        include fastcgi.conf;
        #fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket
        fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket        
    }

    listen 443 ssl proxy_protocol; # managed by Certbot
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = gestion.a-lec.org) {
        return 302 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name gestion.a-lec.org;
    return 404; # managed by Certbot
}