Migration ZeroTier → Tailscale: URLs .talloires.local, ajout doc réseau (dnsmasq, cloudflared, AdGuard DoH)

2025-12-24 00:39:47 +01:00
parent 6942125240
commit eaf73e2afe
7 changed files with 139 additions and 46 deletions
--- a/docs/config/caddy.md
+++ b/docs/config/caddy.md
@@ -7,7 +7,7 @@ Caddy gère le reverse proxy et les certificats SSL internes pour tous les servi
 ### Principes clés

 1. **Domaines .local** : Utilisent Authelia pour l'authentification (réseau local)
-2. **Domaines .1871.zt** : Accès ZeroTier sans Authelia (services ont leur propre auth)
+2. **Domaines .tailfd281f.ts.net** : Accès ZeroTier sans Authelia (services ont leur propre auth)
 3. **Certificats** : Auto-générés par Caddy (CA interne)

 ### Services sans Authelia
--- a/docs/config/network.md
+++ b/docs/config/network.md
@@ -0,0 +1,92 @@
+# Architecture Réseau
+
+## Vue d'ensemble
+
+Tous les appareils Tailscale utilisent Talloires comme serveur DNS.
+
+- `go` et `*.talloires.local` → résolus localement par dnsmasq
+- Autres requêtes → cloudflared → AdGuard DoH (filtrage pub/tracking)
+
+## Composants
+
+### Tailscale
+
+VPN mesh reliant tous les appareils.
+
+| Machine | IP Tailscale | OS |
+|---------|--------------|-----|
+| talloires | 100.116.198.105 | Raspberry Pi 5 (Debian) |
+| annecy | 100.118.210.128 | Synology DS620slim |
+| olympou | 100.125.242.58 | macOS |
+| pentamodi | 100.78.237.78 | iOS |
+| perce | 100.69.7.78 | tvOS (Apple TV) |
+
+**Tailnet:** tailfd281f.ts.net
+
+### dnsmasq
+
+Serveur DNS local sur Talloires.
+
+**Config:** `/etc/dnsmasq.d/tailscale.conf`
+
+```ini
+address=/.talloires.tailfd281f.ts.net/100.116.198.105
+address=/.talloires.local/100.116.198.105
+address=/go/100.116.198.105
+listen-address=127.0.0.1,100.116.198.105
+bind-dynamic
+server=127.0.0.1#5053
+no-resolv
+```
+
+**Commandes:**
+
+```bash
+sudo systemctl status dnsmasq
+sudo systemctl restart dnsmasq
+sudo journalctl -u dnsmasq -f
+```
+
+### cloudflared
+
+Proxy DNS-over-HTTPS vers AdGuard DNS.
+
+**Config:** `/etc/cloudflared/config.yml`
+
+**Commandes:**
+
+```bash
+sudo systemctl status cloudflared-dns
+sudo systemctl restart cloudflared-dns
+sudo journalctl -u cloudflared-dns -f
+```
+
+## Configuration Tailscale Admin
+
+Dans Tailscale Admin Console, DNS, Nameservers :
+
+- **Global nameserver:** 100.116.198.105 (Talloires)
+- **Override local DNS:** activé
+
+## Domaines
+
+| Domaine | Usage |
+|---------|-------|
+| `*.talloires.local` | Services sur Talloires (recommandé) |
+| `go` | Raccourcis Shlink |
+
+## Dépannage
+
+### Test résolution DNS
+
+```bash
+nslookup go 100.116.198.105
+nslookup docs.talloires.local 100.116.198.105
+nslookup google.com 100.116.198.105
+```
+
+### Cache DNS macOS
+
+```bash
+sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
+```
--- a/docs/index.md
+++ b/docs/index.md
@@ -14,64 +14,64 @@ Accès rapide via `https://go/xxx` :
 | [go/grafana](https://go/grafana) | Grafana | [go/dockge](https://go/dockge) | Dockge |
 | [go/shlink](https://go/shlink) | Admin Go Links | [go/auth](https://go/auth) | Authelia |

-**Tous les go-links :** ha, homeassistant, jf, jellyfin, lw, linkwarden, docs, git, auth, grafana, dockge, portainer, transmission, netdata, uptime, cockpit, vikunja, outline, lt, languagetool, cryptpad, shlink
+**Tous les go-links :** ha, homeassistant, jf, jellyfin, lw, linkwarden, docs, git, auth, grafana, dockge, portainer, transmission, netdata, uptime, cockpit, vikunja, outline, lt, languagetool, shlink, annecy

-[Creer un nouveau go-link](https://go/shlink)
+[Créer un nouveau go-link](https://go/shlink)

 ---

 ## Services

 ### Media
-| Service | Go Link | URL complete |
-|---------|---------|--------------|
-| Jellyfin | [go/jf](https://go/jf) | jellyfin.talloires.1871.zt |
-| Transmission | [go/transmission](https://go/transmission) | transmission.talloires.1871.zt |
+| Service | Go Link | URL |
+|---------|---------|-----|
+| Jellyfin | [go/jf](https://go/jf) | jellyfin.talloires.local |
+| Transmission | [go/transmission](https://go/transmission) | transmission.talloires.local |

-### Productivite
-| Service | Go Link | URL complete |
-|---------|---------|--------------|
-| Vikunja | [go/vikunja](https://go/vikunja) | vikunja.talloires.1871.zt |
-| Outline | [go/outline](https://go/outline) | outline.talloires.1871.zt |
-| Linkwarden | [go/lw](https://go/lw) | linkwarden.talloires.1871.zt |
-| LanguageTool | [go/lt](https://go/lt) | languagetool.talloires.1871.zt |
-| CryptPad | [go/cryptpad](https://go/cryptpad) | cryptpad.1871.zt |
+### Productivité
+| Service | Go Link | URL |
+|---------|---------|-----|
+| Vikunja | [go/vikunja](https://go/vikunja) | vikunja.talloires.local |
+| Outline | [go/outline](https://go/outline) | outline.talloires.local |
+| Linkwarden | [go/lw](https://go/lw) | linkwarden.talloires.local |
+| LanguageTool | [go/lt](https://go/lt) | languagetool.talloires.local |

 ### Infrastructure
-| Service | Go Link | URL complete |
-|---------|---------|--------------|
-| Portainer | [go/portainer](https://go/portainer) | portainer.talloires.1871.zt |
-| Dockge | [go/dockge](https://go/dockge) | dockge.talloires.1871.zt |
-| Gitea | [go/git](https://go/git) | git.talloires.1871.zt |
-| MkDocs | [go/docs](https://go/docs) | docs.talloires.1871.zt |
-| Shlink | [go/shlink](https://go/shlink) | shlink.talloires.1871.zt |
+| Service | Go Link | URL |
+|---------|---------|-----|
+| Portainer | [go/portainer](https://go/portainer) | portainer.talloires.local |
+| Dockge | [go/dockge](https://go/dockge) | dockge.talloires.local |
+| Gitea | [go/git](https://go/git) | git.talloires.local |
+| MkDocs | [go/docs](https://go/docs) | docs.talloires.local |
+| Shlink | [go/shlink](https://go/shlink) | shlink.talloires.local |

 ### Monitoring
-| Service | Go Link | URL complete |
-|---------|---------|--------------|
-| Grafana | [go/grafana](https://go/grafana) | grafana.talloires.1871.zt |
-| Netdata | [go/netdata](https://go/netdata) | netdata.talloires.1871.zt |
-| Uptime Kuma | [go/uptime](https://go/uptime) | uptime.talloires.1871.zt |
-| Cockpit | [go/cockpit](https://go/cockpit) | cockpit.talloires.1871.zt |
+| Service | Go Link | URL |
+|---------|---------|-----|
+| Grafana | [go/grafana](https://go/grafana) | grafana.talloires.local |
+| Netdata | [go/netdata](https://go/netdata) | netdata.talloires.local |
+| Uptime Kuma | [go/uptime](https://go/uptime) | uptime.talloires.local |
+| Cockpit | [go/cockpit](https://go/cockpit) | cockpit.talloires.local |

 ### Domotique
-| Service | Go Link | URL complete |
-|---------|---------|--------------|
-| Home Assistant | [go/ha](https://go/ha) | homeassistant.talloires.1871.zt |
+| Service | Go Link | URL |
+|---------|---------|-----|
+| Home Assistant | [go/ha](https://go/ha) | homeassistant.talloires.local |

-### Securite
-| Service | Go Link | URL complete |
-|---------|---------|--------------|
-| Authelia | [go/auth](https://go/auth) | auth.talloires.1871.zt |
+### Sécurité
+| Service | Go Link | URL |
+|---------|---------|-----|
+| Authelia | [go/auth](https://go/auth) | auth.talloires.local |
 | CrowdSec | - | (service interne) |

 ---

-## Acces rapide
+## Accès rapide

 - [Vue ensemble des services](services/overview.md)
+- [Architecture réseau](config/network.md)
 - [Configuration Shlink](services/shlink.md)
 - [Configuration SSO](services/authelia.md)
 - [Backup](services/backup.md)
- [Ports utilises](reference/ports.md)
+- [Ports utilisés](reference/ports.md)
 - [Commandes utiles](reference/commands.md)
--- a/docs/reference/ports.md
+++ b/docs/reference/ports.md
@@ -77,17 +77,17 @@ Acces rapide a tous les services via `https://go/xxx`
 | Cockpit | https://cockpit.talloires.local | Authelia |
 | Home Assistant | https://homeassistant.talloires.local | Authelia |

-### Acces ZeroTier (.talloires.1871.zt) - sans Authelia
+### Acces ZeroTier (.talloires.tailfd281f.ts.net) - sans Authelia

 Ces URLs sont accessibles depuis exterieur via le reseau ZeroTier.

 | Service | URL | Auth native |
 |---------|-----|-------------|
 | Go Links | https://go | Shlink |
-| Vikunja | https://vikunja.talloires.1871.zt | Vikunja login |
-| Outline | https://outline.talloires.1871.zt | OIDC Authelia |
-| Linkwarden | https://linkwarden.1871.zt | Linkwarden login |
-| LanguageTool | https://languagetool.talloires.1871.zt | Aucune (API) |
+| Vikunja | https://vikunja.talloires.tailfd281f.ts.net | Vikunja login |
+| Outline | https://outline.talloires.tailfd281f.ts.net | OIDC Authelia |
+| Linkwarden | https://linkwarden.tailfd281f.ts.net | Linkwarden login |
+| LanguageTool | https://languagetool.talloires.tailfd281f.ts.net | Aucune (API) |

 ## Reseau ZeroTier

--- a/docs/services/authelia.md
+++ b/docs/services/authelia.md
@@ -32,7 +32,7 @@ Authelia fournit l authentification unique (SSO) pour tous les services Talloire
 | **vikunja** | ❌ | Auth propre |
 | **outline** | ❌ | Auth OIDC propre |

-> **Note** : Cette protection s applique aux domaines `.local` ET `.1871.zt`
+> **Note** : Cette protection s applique aux domaines `.local` ET `.tailfd281f.ts.net`

 ## Services avec OAuth/OIDC

@@ -90,7 +90,7 @@ Grafana utilise l authentification par header via Authelia (pas OIDC) :

 ### Usage dans Caddyfile
 ```
-monservice.talloires.local, monservice.talloires.1871.zt {
+monservice.talloires.local, monservice.talloires.tailfd281f.ts.net {
    import authelia
    reverse_proxy backend:port
    tls internal
--- a/docs/services/shlink.md
+++ b/docs/services/shlink.md
@@ -96,12 +96,12 @@ services:
 ## Caddy

 ```
-go, go.local, go.1871.zt {
+go, go.local, go.tailfd281f.ts.net {
    reverse_proxy shlink:8080
    tls internal
 }

-shlink.talloires.local, shlink.talloires.1871.zt {
+shlink.talloires.local, shlink.talloires.tailfd281f.ts.net {
    import authelia
    reverse_proxy shlink-web:8080
    tls internal