lionel/202601docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Documentation complète: infrastructure, réseau, issues, recommandations

Browse Source
This commit is contained in:
Lionel
2025-12-31 20:38:04 +01:00
parent 891d5f1a7d
commit cf5669b1fa
8 changed files with 641 additions and 802 deletions
Download Patch File Download Diff File Expand all files Collapse all files

432
docs/infra/overview.md
View File

@@ -1,382 +1,94 @@
# Infrastructure Talloires v2.0
# Infrastructure Overview
Documentation de l'infrastructure réseau, VPN, DNS, et backups.
## Hardware
---
### Talloires (Raspberry Pi 5 - 8GB)
## 🖥️ Serveurs
| Composant | Détails |
|-----------|---------|
| CPU | Broadcom BCM2712 (4x Cortex-A76 @ 2.4GHz) |
| RAM | 8 GB LPDDR4X |
| Stockage | SD Card 64GB + SSD 4TB USB |
| Réseau | Ethernet 1Gbps |
| OS | Raspberry Pi OS (Debian 12 Bookworm) |
### Talloires (Production)
- **Type**: Raspberry Pi 5 (8GB RAM)
- **OS**: Raspberry Pi OS (Debian 12)
- **IP Tailscale**: `100.116.198.105`
- **Hostname**: `talloires.tailfd281f.ts.net`
- **Rôle**: Serveur principal (Docker)
### Annecy (Synology DS620slim)
### Annecy (Storage)
- **Type**: Synology DS620slim
- **OS**: DSM 7.x
- **IP Tailscale**: `100.69.227.96`
- **Hostname**: `annecy.tailfd281f.ts.net`
- **Rôle**: NAS, Backups
| Composant | Détails |
|-----------|---------|
| Stockage | 6x SSD en RAID |
| Rôle | NAS backup, stockage long terme |
| Accès | NFS via Tailscale |
### Theseus (Network)
- **Type**: UniFi Dream Router 7
- **Rôle**: Gateway, Firewall, DHCP
### Theseus (UniFi Dream Router 7)
---
| Rôle | Détails |
|------|---------|
| Routeur | Gateway réseau domestique |
| WiFi | WiFi 7 (BE) |
| DHCP | 192.168.1.0/24 |
## 🐳 Outils Docker Management
## Points de montage
### 🎨 Arcane - Web UI
**URL**: [go/arcane](https://go/arcane)
**License**: BSD-3-Clause
**Status**: ✅ Opérationnel
**Fonctionnalités:**
- Gestion containers, images, volumes, networks
- Docker Compose templates & projects
- Monitoring temps réel (CPU/RAM)
- Interface moderne & responsive
- Multi-serveurs (via agents)
**Usage:**
```bash
# Accès web
https://go/arcane
# SD Card (OS + configs)
/dev/mmcblk0p2 → / # 58 GB
# Credentials par défaut
Username: arcane
Password: arcane-admin
# SSD externe (données)
/dev/sda1 → /mnt/mediaserver # 4 TB
# NFS Synology (backups)
10.171.171.50:/volume1/Backups → /mnt/annecy
```
**Alternative à:** Portainer (proprietary), Dockge (unstable)
## Structure des fichiers
---
```
/home/lionel/
└── talloires-v2/ # Configurations Docker
├── infra/ # Caddy, Authelia
├── media/ # Jellyfin compose
├── monitoring/ # Netdata, Dozzle
├── tools/ # Shlink, Gitea compose
├── docker-mgmt/ # Arcane
├── automation/ # Home Assistant
├── transmission/ # Transmission + WireGuard
├── mkdocs/ # Cette documentation
├── jellyfin/ # Config Jellyfin (3.6GB)
├── homeassistant/ # Config HA (dupliqué sur SSD)
└── arcane/ # Config Arcane
### 📋 Dozzle - Logs Viewer
/mnt/mediaserver/
├── talloires/ # Données services
│ ├── caddy/ # Caddyfile + certs
│ ├── gitea/ # Repos git + DB
│ ├── homeassistant/ # Config active HA
│ └── authelia/ # (si présent)
├── jellyfin-cache/ # Cache Jellyfin
├── netdata-cache/ # Cache Netdata
├── movies/ # Bibliothèque films
├── series/ # Bibliothèque séries
├── musicvideos/ # Clips musicaux
├── lionel/ # Médias Lionel
├── fiona/ # Médias Fiona
└── backups/ # Archives
```
**URL**: [go/logs](https://go/logs)
**License**: MIT
**Status**: ✅ Opérationnel
## Réseaux Docker
**Fonctionnalités:**
- Real-time log streaming
- Multi-container view
- Search & filter
- Ultra-léger (~30 MB RAM)
- Aucune base de données
**Usage:**
```bash
# Accès web
https://go/logs
# Réseau principal pour tous les services
talloires_net (172.18.0.0/16)
# Pas d'authentification requise (Tailscale VPN only)
# Services connectés :
- caddy, authelia, gitea, jellyfin, homeassistant
- mkdocs, shlink, shlink-web, arcane, dozzle
- netdata, signal-api, transmission, wireguard
```
**Use cases:** Debug, troubleshooting, monitoring logs
## Adresses IP
---
### ⚡ Lazydocker - Terminal UI
**License**: MIT
**Status**: ✅ Installé sur Talloires & Annecy
**Version**: 0.24.3
**Installation:**
```bash
# Talloires
lazydocker --version
# Location: /usr/local/bin/lazydocker
# Annecy (Synology)
~/.local/bin/lazydocker --version
```
**Fonctionnalités:**
- TUI (Terminal User Interface)
- Stats en temps réel (CPU/RAM)
- Logs interactifs
- Actions rapides (start/stop/restart)
- Fonctionne via SSH
**Usage:**
```bash
# Sur Talloires
ssh lionel@talloires.local
lazydocker
# Sur Annecy
ssh lionel@100.69.227.96
~/.local/bin/lazydocker
```
**Navigation:**
- `↑/↓`: Sélection
- `Enter`: Actions
- `l`: Logs
- `e`: Exec shell
- `q`: Quitter
---
### 📊 Comparaison Outils
| Feature | Arcane | Dozzle | Lazydocker |
|---------|--------|--------|------------|
| **Type** | Web UI | Web UI | TUI |
| **Containers** | ✅ Full mgmt | ❌ View only | ✅ Full mgmt |
| **Logs** | ✅ | ✅ | ✅ |
| **Compose** | ✅ Templates | ❌ | ✅ View |
| **Stats** | ✅ | ❌ | ✅ |
| **Remote** | ✅ Multi-host | ❌ Single | ❌ Single |
| **SSH** | ❌ | ❌ | ✅ Works |
| **RAM** | ~100 MB | ~30 MB | ~50 MB |
**Recommandations:**
- **Arcane**: Gestion quotidienne, templates, multi-serveurs
- **Dozzle**: Quick log inspection, debugging
- **Lazydocker**: SSH access, TUI lovers, remote management
---
## 🌐 Réseau
### Tailscale VPN
- **Type**: WireGuard mesh VPN
- **MagicDNS**: Désactivé (dnsmasq preferred)
- **Subnet**: `100.64.0.0/10`
### DNS Local (dnsmasq)
**Config**: `/etc/dnsmasq.d/tailscale.conf`
```
# Machines
address=/talloires.local/100.116.198.105
address=/annecy.local/100.69.227.96
# Wildcards
address=/.talloires.local/100.116.198.105
# Go-links
address=/go/100.116.198.105
# Upstream DNS
server=127.0.0.1#5053
```
### AdGuard DNS (DoH)
- **Port**: 5053
- **Upstream**: AdGuard DNS-over-HTTPS
- **Config**: `cloudflared` tunnel
---
## 🔐 VPN Tunnel (ProtonVPN)
### Configuration WireGuard
- **Server**: Luxembourg (LU#44)
- **Public IP**: 5.253.204.190
- **Endpoint**: 5.253.204.162:51820
- **Config**: `/home/lionel/talloires-v2/transmission/wireguard/wg0.conf`
### Kill-Switch
Transmission utilise `network_mode: service:wireguard` → Impossible de leak l'IP réelle.
### Monitoring VPN
- Vérification automatique IP publique
- Alertes Telegram si VPN down (<30s)
- Health checks Docker
---
## 💾 Backups
### Structure NFS
```
/mnt/annecy/talloires/
├── migration-v2/ # Backups migration
│ ├── jellyfin-config-*.tar.gz # 2.3 GB
│ ├── gitea-data-*.tar.gz # Repos Git
│ ├── mkdocs-v1-archive-*.tar.gz # 12 KB
│ └── critical-configs-*.tar.gz # 3.5 KB
└── daily/ # Backups quotidiens (TODO)
```
### NFS Mount
```bash
sudo mount -t nfs 100.69.227.96:/volume1/talloires /mnt/annecy -o rw,hard,intr,rsize=8192,wsize=8192
```
**Fstab**:
```
100.69.227.96:/volume1/talloires /mnt/annecy nfs rw,hard,intr,rsize=8192,wsize=8192 0 0
```
### Backup Automatique (Cron)
TODO: Mettre à jour cron pour v2.0 structure.
---
## 🔒 Sécurité
### Firewall (UFW)
```bash
sudo ufw status
```
Ports ouverts:
- 80, 443: HTTP/HTTPS (Caddy)
- 2222: SSH Gitea
- 8096: Jellyfin (direct access)
- 22: SSH (Tailscale only)
### Certificats HTTPS
- **CA**: Caddy Local Authority
- **Cert**: `/data/caddy/pki/authorities/local/root.crt`
- **Installation**: Importer dans macOS Keychain → Always Trust
### Accès
- Tailscale VPN uniquement
- Pas d'exposition Internet directe
- SSH keys only (no password)
---
## 📊 Monitoring
### Stack Monitoring
**Netdata** - System metrics
- **URL**: `https://go/net`
- **Métriques**: CPU, RAM, Disk, Network, Docker
- **Alertes**: À configurer (optionnel)
**Arcane** - Docker monitoring
- **URL**: `https://go/arcane`
- **Métriques**: Containers stats (CPU/RAM)
- **Features**: Dashboard, projects, logs
**Dozzle** - Logs viewer
- **URL**: `https://go/logs`
- **Features**: Real-time logs, search, filter
**Lazydocker** - Terminal monitoring
```bash
ssh lionel@talloires.local
lazydocker
```
### Docker Health Checks
Tous les containers ont des health checks configurés.
### Logs
```bash
# CLI
docker logs <container>
docker logs <container> --follow
docker logs <container> --tail 100
# Web UI (Dozzle)
https://go/logs
# TUI (Lazydocker)
lazydocker
```
---
## 🛠️ Maintenance
### Docker Management
**Via Arcane (Web):**
```
https://go/arcane
→ Containers → Start/Stop/Restart
→ Images → Pull/Delete
→ Projects → Manage Compose stacks
```
**Via Lazydocker (TUI):**
```bash
ssh lionel@talloires.local
lazydocker
# Navigate avec arrows, Enter pour actions
```
**Via CLI:**
```bash
# Update containers
cd /home/lionel/talloires-v2/core
docker compose pull
docker compose up -d
# Restart service
docker restart <container>
# View logs
docker logs <container> --tail 100
```
### Backup Manuel
```bash
# Jellyfin
tar -czf /mnt/annecy/talloires/manual/jellyfin-$(date +%Y%m%d).tar.gz \\
/home/lionel/talloires-v2/jellyfin/config
# Gitea
tar -czf /mnt/annecy/talloires/manual/gitea-$(date +%Y%m%d).tar.gz \\
/home/lionel/talloires-v2/gitea/
# Arcane database
tar -czf /mnt/annecy/talloires/manual/arcane-$(date +%Y%m%d).tar.gz \\
/home/lionel/talloires-v2/docker-mgmt/arcane-data
```
### Restart Services
```bash
docker restart <container>
docker compose restart
```
---
## 📁 Fichiers de Configuration
### Docker Management
```
/home/lionel/talloires-v2/docker-mgmt/
├── docker-compose.yml # Arcane + Dozzle
└── arcane-data/ # Arcane database
```
### Caddy
```
/home/lionel/talloires-v2/caddy/
├── Caddyfile # Reverse proxy config
└── Caddyfile.backup-* # Backups automatiques
```
### Services
```
/home/lionel/talloires-v2/
├── core/ # Caddy, Shlink
├── jellyfin/ # Media server
├── transmission/ # BitTorrent + WireGuard
├── gitea/ # Git hosting
├── homeassistant/ # Domotique
├── mkdocs/ # Documentation
├── netdata/ # Monitoring
├── signal-api/ # Notifications
└── docker-mgmt/ # Arcane + Dozzle
```
---
*Voir [Services](../services/overview.md) pour configuration applicative.*
*Dernière mise à jour: 31 décembre 2025*
| Service | IP Locale | Tailscale |
|---------|-----------|-----------|
| Talloires | 192.168.1.100 | 10.171.171.1 |
| Annecy | 192.168.1.50 | 10.171.171.50 |