```

✨ feat(security): Ajoute l'authentification Keycloak SSO et migre les commandes Supprime la commande AccountCommand, la migration et ajoute l'authentification Keycloak SSO. Crée les vues de base pour le tableau de bord. ```
2026-01-15 18:04:01 +01:00
parent 662bb0bcc6
commit 3b0ce1314f
38 changed files with 1485 additions and 604 deletions
--- a/ansible/hosts.ini
+++ b/ansible/hosts.ini
@@ -0,0 +1,2 @@
+[webservers]
+127.0.0.1 ansible_connection=local ansible_python_interpreter=/usr/bin/python3 path=/var/www/ludikevent-intranet
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -0,0 +1,220 @@
+# Fichier: install_php_83_symfony_pgsql.yml
+
+- name: Deploy application
+  hosts: webservers
+  become: true
+  gather_facts: true
+
+  vars:
+      db_name: "ludikevent"
+      db_user: "ludikevent"
+      db_password: "ludikevent"
+      redis_password: "ludikevent"
+      redis_port: "20110"
+      # Assurez-vous que 'path' est définie dans votre inventaire ou comme extra-var
+      # Exemple: path: /var/www/mainframe/app
+
+  tasks:
+      -   name: Exécuter 'composer install' dans le répertoire de l'application
+          ansible.builtin.command: composer install --no-dev --optimize-autoloader
+          become: false # Run as the connection user (e.g., 'bot')
+          args:
+              chdir: "{{ path }}"
+          when: ansible_os_family == "Debian"
+      -   name: Send a message to the Discord channel
+          community.general.discord:
+              webhook_id: "1419573620602044518"
+              webhook_token: "ikAdxWxsrrTqMTb5Gh_8ylcoJHlOnq7aJZvR5udoS_fCK56Jk3qpEnJHVKdD8fwuNJF3"
+              content: "Mise à jour du intranet ludikevent"
+
+      - name: Installer le support ACL pour corriger les permissions de 'become_user'
+        ansible.builtin.apt:
+            name: acl
+            state: present
+            update_cache: true
+        when: ansible_os_family == "Debian"
+
+      - name: Installation des dépendances pour le module Ansible PostgreSQL
+        ansible.builtin.apt:
+            name: python3-psycopg2
+            state: present
+            update_cache: true
+        when: ansible_os_family == "Debian"
+
+      - name: Installation de PHP 8.3 et PHP 8.3-FPM avec les dépendances
+        ansible.builtin.apt:
+            name:
+                - php8.3
+                - php8.3-fpm
+                - php8.3-cli
+                - php8.3-common
+                - php8.3-mysql
+                - php8.3-pgsql
+                - php8.3-xml
+                - php8.3-mbstring
+                - php8.3-zip
+                - php8.3-intl
+                - php8.3-gd
+                - php8.3-curl
+                - php8.3-pdo
+                - php8.3-opcache
+                - php8.3-bcmath
+                - php8.3-redis
+                - php8.3-imagick
+                - ffmpeg
+            state: present
+        when: ansible_os_family == "Debian"
+
+      - name: Démarrage et activation du service PHP 8.3 FPM
+        ansible.builtin.systemd:
+            name: php8.3-fpm
+            state: started
+            enabled: yes
+        when: ansible_os_family == "Debian"
+
+      - name: Créer le fichier .env.local avec les secrets de production
+        ansible.builtin.copy:
+            content: |
+                APP_ENV=prod
+                VITE_LOAD=1
+                DATABASE_URL="postgresql://{{ db_user }}:{{ db_password }}@127.0.0.1:5432/{{ db_name }}?serverVersion=16&charset=utf8"
+                REDIS_DSN="redis://{{ redis_password }}@127.0.0.1:{{ redis_port }}"
+                REDIS_URL="redis://{{ redis_password }}@127.0.0.1:{{ redis_port }}"
+                MESSENGER_TRANSPORT_DSN="redis://{{ redis_password }}@127.0.0.1:{{ redis_port }}/messages"
+                APP_SECRET=939bbc67038c2e2d1232d86fc605bf2f
+                REAL_MAIL=1
+                VAULT_ADDR=http://127.0.0.1:8200
+                VAULT_TOKEN=hvs.QLpUdiptXtSPo5Qf7i2nn2Xz
+                MAILER_DSN=ses+smtp://AKIAWTT2T22CWBRBBDYN:BBdgb6KxRQ8mNcpWFJsZCJxbSGNdgLhKFiITMErfBlQP@default?region=eu-west-3
+
+            dest: "{{ path }}/.env.local"
+        when: ansible_os_family == "Debian"
+
+      # --- Initial creation of essential directories with correct ownership ---
+      # These directories should exist before composer runs, but composer might create subdirs.
+      - name: Ensure app/var and public/media directories exist with correct owner/group
+        ansible.builtin.file:
+            path: "{{ item }}"
+            owner: bot # Assuming 'bot' is your deployment user
+            group: www-data
+            mode: '0775' # Allow 'bot' and 'www-data' to read/write/execute
+            state: directory
+            recurse: yes # Important to ensure subdirectories created by previous deploys also get permissions
+        loop:
+            - "{{ path }}/var"
+            - "{{ path }}/var/log" # Specific for log, though var/log might be created by composer later
+            - "{{ path }}/public/media" # For uploads
+            - "{{ path }}/public/storage" # For uploads
+            - "{{ path }}/public/tmp-sign" # For uploads
+
+      # --- POST-COMPOSER PERMISSION FIXES ---
+      # This is crucial because composer creates var/cache as the `become: false` user
+      - name: Set correct permissions for Symfony cache and logs directories
+        ansible.builtin.file:
+            path: "{{ item }}"
+            owner: bot
+            group: www-data
+            mode: '0775' # rwx for owner and group, rx for others
+            state: directory
+            recurse: yes # Apply to all contents
+        loop:
+            - "{{ path }}/var/cache"
+            - "{{ path }}/var/log"
+          # For web-writable directories created by the app itself (e.g., uploads), you might set ACLs
+          # or chown to www-data and then your user gets access via group membership.
+
+      # Alternative for cache/log permissions using ACLs (more robust for mixed ownership)
+      # This requires 'acl' package installed (which you already do).
+      # Use this if 'bot' needs to own, but www-data needs to write.
+      - name: Set ACLs for Symfony cache and logs (recommended for web-writable dirs)
+        ansible.builtin.acl:
+            path: "{{ item }}"
+            entity: www-data
+            etype: group
+            permissions: rwx
+            state: present
+            recursive: yes
+            default: yes # Apply default ACLs for new files/dirs within
+        loop:
+            - "{{ path }}/var/cache"
+            - "{{ path }}/var/log"
+        when: ansible_os_family == "Debian" # ACLs are Linux-specific
+
+      - name: Exécuter bun install dans le répertoire de l application
+        ansible.builtin.command: bun install
+        become: false
+        args:
+            chdir: "{{ path }}"
+        when: ansible_os_family == "Debian"
+
+      - name: Exécuter bun build dans le répertoire de l application
+        ansible.builtin.command: bun run build
+        become: false
+        args:
+            chdir: "{{ path }}"
+        when: ansible_os_family == "Debian"
+
+      - name: Supervisor config
+        ansible.builtin.template:
+            src: supervisor.j2
+            dest: "/etc/supervisor/conf.d/mainframe.conf"
+            mode: '0644'
+
+      - name: Reread Supervisor configuration
+        ansible.builtin.command: supervisorctl reread
+        changed_when: true # Always mark as changed, as output is not always useful for idempotency
+
+      - name: Update Supervisor (add/remove updated programs)
+        ansible.builtin.command: supervisorctl update
+        changed_when: true
+
+      - name: Purger la base de données Redis
+        ansible.builtin.command: "redis-cli -p {{ redis_port }} -a {{ redis_password }} FLUSHALL"
+        when: ansible_os_family == "Debian"
+
+      - name: Generate Caddy site configuration
+        ansible.builtin.template:
+            src: caddy.j2
+            dest: "/etc/caddy/sites/mainframe.conf"
+            mode: '0644'
+
+      - name: Reload Caddy to apply new configuration
+        ansible.builtin.systemd:
+            name: caddy
+            state: reloaded
+            enabled: yes
+      - name: Exécuter doctrine:migration:migrate dans le répertoire de l application
+        ansible.builtin.command: php bin/console doctrine:migrations:migrate --no-interaction
+        become: false
+        args:
+            chdir: "{{ path }}"
+        when: ansible_os_family == "Debian"
+      - name: Exécuter cache:clear dans le répertoire de l application
+        ansible.builtin.command: php bin/console cache:clear
+        become: false
+        args:
+            chdir: "{{ path }}"
+        when: ansible_os_family == "Debian"
+
+      - name: Exécuter liip:imagine:cache:remove dans le répertoire de l application
+        ansible.builtin.command: php bin/console liip:imagine:cache:remove
+        become: false
+        args:
+            chdir: "{{ path }}"
+        when: ansible_os_family == "Debian" # Added a when condition here, often missed
+
+      - name: Set correct permissions for Symfony cache and logs directories
+        ansible.builtin.file:
+            path: "{{ item }}"
+            owner: bot
+            group: www-data
+            mode: '0777' # rwx for owner and group, rx for others
+            state: directory
+            recurse: yes # Apply to all contents
+        loop:
+            - "{{ path }}/var/cache"
+            - "{{ path }}/var/log"
+            - "{{ path }}/public/media"
+            - "{{ path }}/public/storage" # For uploads
+            - "{{ path }}/public/tmp-sign" # For uploads
+
--- a/ansible/templates/caddy.j2
+++ b/ansible/templates/caddy.j2
@@ -0,0 +1,21 @@
+intranet.ludikevent.fr{
+    tls {
+        dns cloudflare KL6pZ-Z_12_zbnM2TtFDIsKM8A-HLPhU5GJJbKTW
+    }
+    root * {{ path }}/public
+
+    file_server
+    request_body {
+        max_size 100MB
+    }
+    header {
+        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), clipboard-write=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), usb=(), vr=(), screen-wake-lock=(), xr-spatial-tracking=(), bluetooth=(), ambient-light-sensor=(), battery=(), gamepad=(), notifications=(), push=()"
+    }
+
+    php_fastcgi unix//run/php/php8.3-fpm.sock {
+        read_timeout 300s
+        write_timeout 300s
+        dial_timeout 100s
+        env HTTP_PROXY ""
+    }
+}
--- a/ansible/templates/supervisor.j2
+++ b/ansible/templates/supervisor.j2
@@ -0,0 +1,17 @@
+[program:redis_ludikevent_intranet]
+command=redis-server --port {{ redis_port }}  --requirepass {{ redis_password }}
+autostart=true
+autorestart=true
+user=root
+stdout_logfile=/var/www/ludikevent-intranet/var/log/redis_stdout.log
+stderr_logfile=/var/www/ludikevent-intranet/var/log/redis_stderr.log
+
+[program:messenger_redis_ludikevent_intranet]
+command=php {{path}}/bin/console messenger:consume async --time-limit=3600
+autostart=true
+autorestart=true
+user=root
+startsecs=0
+startretries=10
+stdout_logfile=/var/www/ludikevent-intranet/var/log/messenger_stderr.log
+stderr_logfile=/var/www/ludikevent-intranet/var/log/messenger_stdout.log