From 80574a83f39679f7f937896abba2d53f5a540bc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9drix?=
Date: Sun, 3 May 2026 16:01:47 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20admin.alpinux.org=20=E2=80=94=20sous-dom?= =?UTF-8?q?aine=20d=C3=A9di=C3=A9=20conforme=20=C3=A0=20la=20convention=20?= =?UTF-8?q?ISPConfig?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Remplace portail.alpinux.org.admin.conf (snippet incorrectement formaté) par scripts/admin.alpinux.org.vhost.conf : VirtualHost complet HTTP+HTTPS, reverse proxy Gunicorn port 5002, même structure que les autres vhosts. admin/app.py : supprime x_prefix=1 du ProxyFix (plus de sous-chemin /admin/) admin/.env.example : client Keycloak renommé admin-alpinux scripts/alpinux-admin.service : description mise à jour redirect_uri Keycloak attendu : https://admin.alpinux.org/auth/callback
Co-Authored-By: Claude Sonnet 4.6
---
 admin/.env.example | 2 +-
 admin/app.py | 4 +--
 scripts/admin.alpinux.org.vhost.conf | 36 ++++++++++++++++++++++++++
 scripts/alpinux-admin.service | 2 +-
 scripts/portail.alpinux.org.admin.conf | 10 -------
 5 files changed, 40 insertions(+), 14 deletions(-)
 create mode 100644 scripts/admin.alpinux.org.vhost.conf
 delete mode 100644 scripts/portail.alpinux.org.admin.conf
diff --git a/admin/.env.example b/admin/.env.example
index 92331fe..4c4187a 100644
--- a/admin/.env.example
+++ b/admin/.env.example
@@ -1,6 +1,6 @@
 SECRET_KEY=changez-moi-avec-une-valeur-aleatoire-longue
-ALPID_CLIENT_ID=alpinux-admin
+ALPID_CLIENT_ID=admin-alpinux
 ALPID_CLIENT_SECRET=
 ALPID_DISCOVERY_URL=https://alpid.alpinux.org/realms/alpinux/.well-known/openid-configuration
diff --git a/admin/app.py b/admin/app.py
index 947ccec..83d0d1d 100644
--- a/admin/app.py
+++ b/admin/app.py
@@ -8,8 +8,8 @@ import builds
 app = Flask(__name__)
 app.secret_key = os.environ["SECRET_KEY"]
-# Gère X-Forwarded-Proto et X-Script-Name envoyés par Apache
-app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1, x_prefix=1)
+# Gère X-Forwarded-Proto envoyé par Apache
+app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1)
 # ── OIDC AlpID ────────────────────────────────────────────────────
 oauth = OAuth(app)
diff --git a/scripts/admin.alpinux.org.vhost.conf b/scripts/admin.alpinux.org.vhost.conf
new file mode 100644
index 0000000..f9102a5
--- /dev/null
+++ b/scripts/admin.alpinux.org.vhost.conf
@@ -0,0 +1,36 @@
+# Apache vhost pour admin.alpinux.org
+# À créer via ISPConfig : Sites > Ajouter un site web
+# Domaine : admin.alpinux.org
+# Activer SSL Let's Encrypt dans ISPConfig
+#
+# L'app admin Flask tourne derrière Gunicorn sur 127.0.0.1:5002
+
+
+ ServerName admin.alpinux.org
+ Redirect permanent / https://admin.alpinux.org/
+
+
+
+ ServerName admin.alpinux.org
+
+ # ── Proxy vers Gunicorn ──────────────────────────────────────
+ ProxyPreserveHost On
+ ProxyPass / http://127.0.0.1:5002/
+ ProxyPassReverse / http://127.0.0.1:5002/
+
+ RequestHeader set X-Forwarded-Proto "https"
+ RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
+
+ # ── Sécurité ─────────────────────────────────────────────────
+ Header always set X-Content-Type-Options "nosniff"
+ Header always set X-Frame-Options "DENY"
+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+ # ── Logs ─────────────────────────────────────────────────────
+ ErrorLog /var/log/apache2/admin.alpinux.org-error.log
+ CustomLog /var/log/apache2/admin.alpinux.org-access.log combined
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/admin.alpinux.org/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/admin.alpinux.org/privkey.pem
+
diff --git a/scripts/alpinux-admin.service b/scripts/alpinux-admin.service
index dc0a1ed..16a92ac 100644
--- a/scripts/alpinux-admin.service
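Review bot: The comment on the ProxyFix line now names only X-Forwarded-Proto, but Werkzeug's ProxyFix defaults `x_for` to 1, so the X-Forwarded-For header that the new vhost sets is still trusted for the client address. Making that explicit keeps the trust boundary readable: `app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1)` with a comment such as `# Trust exactly one proxy hop (Apache) for X-Forwarded-For and X-Forwarded-Proto`. Both headers are only trustworthy if Gunicorn is reachable solely through Apache; the vhost comment says 127.0.0.1:5002, but the actual bind is in the service unit outside this hunk and should be confirmed as loopback-only.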
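Review bot: The "Sécurité" header block of the HTTPS VirtualHost sets no Strict-Transport-Security, so a first plain-HTTP request to this admin host relies only on the port-80 redirect and has no protection against a downgrade before the OIDC login. Adding `Header always set Strict-Transport-Security "max-age=31536000"` beside the other `Header always set` lines would cover it, once certificate renewal for the host is known to be reliable. Separately, the certificate paths are hard-coded under /etc/letsencrypt/live/ while the header comment says SSL is enabled through ISPConfig; it is worth confirming that ISPConfig really places the certificate there, otherwise the vhost will fail to load or serve a stale certificate.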
+++ b/scripts/alpinux-admin.service
@@ -3,7 +3,7 @@
 # puis : sudo systemctl enable --now alpinux-admin
 [Unit]
-Description=Alpinux Admin — interface de déploiement (Flask + Gunicorn)
+Description=Alpinux Admin — admin.alpinux.org (Flask + Gunicorn)
 After=network.target
 [Service]
diff --git a/scripts/portail.alpinux.org.admin.conf b/scripts/portail.alpinux.org.admin.conf
deleted file mode 100644
index cb0214d..0000000
--- a/scripts/portail.alpinux.org.admin.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Bloc à ajouter dans le VirtualHost HTTPS de portail.alpinux.org
-# (dans ISPConfig : Sites > portail.alpinux.org > Directives Apache personnalisées)
-#
-# L'app admin Flask tourne sur Gunicorn à 127.0.0.1:5002
-
- # ── Admin Alpinux : /admin/ → Gunicorn port 5002 ────────────────
- ProxyPass /admin/ http://127.0.0.1:5002/
- ProxyPassReverse /admin/ http://127.0.0.1:5002/
- RequestHeader set X-Forwarded-Proto "https"
- RequestHeader set X-Script-Name "/admin"