{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"],"fields":{"title":{"boost":1000.0},"text":{"boost":1.0},"tags":{"boost":1000000.0}}},"docs":[{"location":"","title":"Talloires Infrastructure v2","text":"

Complete documentation for the Talloires infrastructure hosted on a Raspberry Pi 5.

"},{"location":"#quick-links","title":"Quick Links","text":""},{"location":"#core-infrastructure","title":"Core Infrastructure","text":"Service URL Go Link Description Authelia auth.talloires.local go/auth SSO / Authentication MkDocs docs.talloires.local go/docs Documentation"},{"location":"#media-downloads","title":"Media & Downloads","text":"Service URL Go Link Description Jellyfin jellyfin.talloires.local go/jellyfin Media streaming Transmission transmission.talloires.tailfd281f.ts.net go/torrent BitTorrent via VPN (Tailscale only)"},{"location":"#tools-productivity","title":"Tools & Productivity","text":"Service URL Go Link Description Gitea git.talloires.local go/git Git repositories MicroBin paste.talloires.local go/paste Simple pastebin PrivateBin spaste.talloires.local go/spaste E2E encrypted pastebin Shlink go.talloires.local go/shlink URL shortener"},{"location":"#rss-readers","title":"RSS Readers","text":"Service URL Go Link Description Miniflux rss.talloires.local go/rss Minimal RSS reader FreshRSS freshrss.talloires.local go/freshrss Full-featured RSS reader"},{"location":"#automation","title":"Automation","text":"Service URL Go Link Description Home Assistant homeassistant.talloires.local go/ha Home automation ESPHome esphome.talloires.local \u2014 ESP device management"},{"location":"#monitoring","title":"Monitoring","text":"Service URL Go Link Description Arcane arcane.talloires.local go/docker Docker management Dozzle dozzle.talloires.local go/logs Container logs Netdata netdata.talloires.local go/netdata System monitoring"},{"location":"#architecture","title":"Architecture","text":"
\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                        INTERNET                                  \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                              \u2502\n                    \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n                    \u2502   UniFi DR7       \u2502\n                    \u2502   (Theseus)       \u2502\n                    \u2502   10.171.171.1    \u2502\n                    \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                              \u2502\n         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n         \u2502                    \u2502                    \u2502\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502  Raspberry Pi 5 \u2502  \u2502  Synology NAS   \u2502  \u2502   Clients     \u2502\n\u2502   (Talloires)   \u2502  \u2502   (Annecy)      \u2502  \u2502  Mac/iOS      \u2502\n\u2502  10.171.171.7   \u2502  \u2502  10.171.171.50  \u2502  \u2502               \u2502\n\u2502  TS: 100.116... \u2502  \u2502  TS: 100.69...  \u2502  \u2502               \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"#docker-stacks","title":"Docker Stacks","text":"Stack Location Containers infra ~/lake/infra/ caddy, authelia media ~/lake/media/ jellyfin monitoring ~/lake/monitoring/ arcane, dozzle, netdata p2p ~/lake/p2p/ wireguard, transmission tools ~/lake/tools/ gitea, mkdocs, shlink, shlink-web, microbin, miniflux, miniflux-db, privatebin, freshrss automation ~/lake/automation/ homeassistant, signal-api, esphome, tgv-tracker"},{"location":"#sections","title":"Sections","text":""},{"location":"#go-links-reference","title":"Go Links Reference","text":"

All services are reachable through short go/xxx links:

# Core\ngo/auth         \u2192 Authelia SSO\ngo/docs         \u2192 Documentation\n\n# Media\ngo/jellyfin     \u2192 Jellyfin media server\ngo/jf           \u2192 Jellyfin (alias)\ngo/torrent      \u2192 Transmission (Tailscale only)\n\n# Tools\ngo/git          \u2192 Gitea repositories\ngo/paste        \u2192 MicroBin (simple paste)\ngo/bin          \u2192 MicroBin (alias)\ngo/spaste       \u2192 PrivateBin (encrypted)\ngo/securepaste  \u2192 PrivateBin (alias)\ngo/shlink       \u2192 Shlink admin\n\n# RSS\ngo/rss          \u2192 Miniflux\ngo/feeds        \u2192 Miniflux (alias)\ngo/freshrss     \u2192 FreshRSS\ngo/frss         \u2192 FreshRSS (alias)\n\n# Automation\ngo/ha           \u2192 Home Assistant\n\n# Monitoring\ngo/docker       \u2192 Arcane\ngo/arcane       \u2192 Arcane (alias)\ngo/logs         \u2192 Dozzle\ngo/dz           \u2192 Dozzle (alias)\ngo/netdata      \u2192 Netdata\n
"},{"location":"404/","title":"\ud83d\udd0d Page not found","text":"

The page you are looking for does not exist or has been moved.

"},{"location":"404/#go-links-acces-rapides","title":"Go Links - Quick access","text":"Go Link Service Description go/jellyfin Jellyfin Media streaming go/git Gitea Git repositories go/ha Home Assistant Home automation go/torrent Transmission BitTorrent go/docs MkDocs Documentation go/docker Arcane Docker management go/logs Dozzle Container logs go/shlink Shlink URL shortener admin go/netdata Netdata System monitoring"},{"location":"404/#navigation","title":"Navigation","text":""},{"location":"changelog/2025-12-31/","title":"Maintenance 31 December 2025","text":""},{"location":"changelog/2025-12-31/#resume","title":"Summary","text":"

Major maintenance session to repair several services and free up disk space.

"},{"location":"changelog/2025-12-31/#problemes-resolus","title":"Problems resolved","text":""},{"location":"changelog/2025-12-31/#shlink-url-shortener","title":"\ud83d\udd27 Shlink (URL Shortener)","text":"

Problem: short URLs were not working; Caddy was using broken manual redirects.

Solution: - Simplified the Caddyfile to a single reverse_proxy shlink:8080 - Configured servers.json for Shlink-web with the API key

Test: https://go/ts \u2192 redirects to the Tailscale admin console \u2705

"},{"location":"changelog/2025-12-31/#arcane-docker-management","title":"\ud83d\udd27 Arcane (Docker Management)","text":"

Problem: 1. Container in a crash loop (ENCRYPTION_KEY too short: 31 chars instead of 32) 2. Blocked by Authelia

Solution: - Generated new keys of 32+ characters - Disabled Authelia to allow direct access - Reset the database

Access: https://arcane.talloires.local (arcane / [new password])

"},{"location":"changelog/2025-12-31/#jellyfin-media-server","title":"\ud83d\udd27 Jellyfin (Media Server)","text":"

Problem: media was not mounted (volumes pointed to /mnt/annecy instead of /mnt/mediaserver)

Solution: recreated the container with the correct bind mounts

"},{"location":"changelog/2025-12-31/#espace-disque-sd","title":"\ud83d\udcc0 SD Disk Space","text":"

Before: 86% used (8.4 GB free) After: 71% used (17 GB free)

Actions: - Removed orphaned Docker volumes (~7 GB): - media_jellyfin_config (2.5 GB) - talloires-jellyfin-config (2.5 GB) - talloires_jellyfin_config (1 GB) - docker_jellyfin_config (426 MB) - Orphaned Prometheus/Grafana/Loki volumes - Archived and removed /home/lionel/docker/ (old v1 layout) - Moved caches to the SSD

"},{"location":"changelog/2025-12-31/#optimisations-ssd","title":"\ud83d\ude80 SSD Optimizations","text":"Service Before After Jellyfin cache SD (Docker volume) /mnt/mediaserver/jellyfin-cache Netdata cache SD (/home/lionel/talloires-v2/netdata/cache) /mnt/mediaserver/netdata-cache"},{"location":"changelog/2025-12-31/#consolidation-caddyfile","title":"\ud83d\udcc1 Caddyfile Consolidation","text":""},{"location":"changelog/2025-12-31/#certificat-ssl","title":"\ud83d\udd10 SSL Certificate","text":""},{"location":"changelog/2025-12-31/#etat-final-des-services","title":"Final service status","text":"Service Status Notes arcane \u2705 healthy Without Authelia authelia \u2705 healthy caddy \u2705 running dozzle \u2705 running gitea \u2705 running homeassistant \u2705 running jellyfin \u2705 healthy Cache on SSD mkdocs \u2705 running netdata \u2705 healthy Cache on SSD shlink \u2705 running shlink-web \u2705 running signal-api \u2705 healthy transmission \u2705 running Via WireGuard wireguard \u2705 running"},{"location":"changelog/2025-12-31/#fichiers-modifies","title":"Modified files","text":""},{"location":"changelog/2025-12-31/#backups-crees","title":"Backups created","text":""},{"location":"changelog/2026-01-03/","title":"2026-01-03 - Securing Transmission","text":""},{"location":"changelog/2026-01-03/#resume","title":"Summary","text":"

Transmission is now reachable only over Tailscale, with Authelia authentication.

"},{"location":"changelog/2026-01-03/#changements","title":"Changes","text":""},{"location":"changelog/2026-01-03/#securite-transmission","title":"Transmission security","text":""},{"location":"changelog/2026-01-03/#infrastructure","title":"Infrastructure","text":""},{"location":"changelog/2026-01-03/#fichiers-modifies","title":"Modified files","text":"File Change /mnt/mediaserver/caddy/Caddyfile Split .local (403) / .ts.net (Authelia) ~/lake/infra/docker-compose.yml Mount tailscaled.sock in Caddy ~/lake/p2p/docker-compose.yml Removed USER/PASS env vars ~/lake/p2p/transmission/settings.json rpc-authentication-required: false"},{"location":"changelog/2026-01-03/#shlink-go-links","title":"Shlink go-links","text":"
go/torrent      \u2192 https://transmission.talloires.tailfd281f.ts.net\ngo/trn          \u2192 https://transmission.talloires.tailfd281f.ts.net\ngo/transmission \u2192 https://transmission.talloires.tailfd281f.ts.net\n
"},{"location":"changelog/2026-01-03/#documentation","title":"Documentation","text":""},{"location":"changelog/2026-01-12/","title":"Changelog 2026-01-12","text":""},{"location":"changelog/2026-01-12/#servarr-stack-migration-vpn-complete","title":"Servarr Stack \u2014 Complete VPN Migration","text":""},{"location":"changelog/2026-01-12/#contexte","title":"Context","text":"

The Servarr stack initially had only Transmission behind the VPN (gluetun); Prowlarr, Sonarr and Radarr were exposed directly on the Docker network with no VPN protection.

"},{"location":"changelog/2026-01-12/#changements","title":"Changes","text":""},{"location":"changelog/2026-01-12/#architecture-reseau","title":"Network architecture","text":"Service Before After Transmission \u2705 Via VPN \u2705 Via VPN Prowlarr \u274c Direct \u2705 Via VPN Sonarr \u274c Direct \u2705 Via VPN Radarr \u274c Direct \u2705 Via VPN"},{"location":"changelog/2026-01-12/#configuration-docker","title":"Docker configuration","text":"

All services now use network_mode: \"service:gluetun\":

services:\n  gluetun:\n    ports:\n      - \"9091:9091\"   # Transmission\n      - \"9696:9696\"   # Prowlarr  \n      - \"7878:7878\"   # Radarr\n      - \"8989:8989\"   # Sonarr\n    environment:\n      - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/16,100.64.0.0/10\n\n  prowlarr:\n    network_mode: \"service:gluetun\"\n    depends_on:\n      gluetun:\n        condition: service_healthy\n\n  sonarr:\n    network_mode: \"service:gluetun\"\n    # ...\n\n  radarr:\n    network_mode: \"service:gluetun\"\n    # ...\n
"},{"location":"changelog/2026-01-12/#configuration-des-apps","title":"App configuration","text":"

The internal connections were updated in the SQLite databases:

App Setting Old value New value Prowlarr Download Client gluetun:9091 localhost:9091 Prowlarr Sonarr App http://sonarr:8989 http://localhost:8989 Prowlarr Radarr App http://radarr:7878 http://localhost:7878 Sonarr Download Client gluetun:9091 localhost:9091 Radarr Download Client gluetun:9091 localhost:9091"},{"location":"changelog/2026-01-12/#avantages","title":"Benefits","text":"
  1. Built-in kill switch: if gluetun goes down, no service has Internet access
  2. Single IP: all services appear with the same ProtonVPN IP
  3. Hardened security: indexers and APIs are protected by the VPN
  4. Consistency: uniform architecture for the whole stack
"},{"location":"changelog/2026-01-12/#verification","title":"Verification","text":"
# Check the VPN egress IP\ndocker exec gluetun wget -qO- https://ipinfo.io/ip\n# Result: 5.253.204.x (ProtonVPN Luxembourg)\n\n# Test internal connectivity\ndocker exec gluetun sh -c 'wget -qO- http://localhost:9696/ping'\n# Result: {\"status\":\"OK\"}\n
"},{"location":"changelog/2026-01-12/#fichiers-modifies","title":"Modified files","text":""},{"location":"changelog/2026-01-12/#backup","title":"Backup","text":"

Old compose file backed up to: ~/lake/servarr/docker-compose.yml.bak

"},{"location":"changelog/2026-01-12/#notes","title":"Notes","text":""},{"location":"infra/issues-2025-12-31/","title":"Problems encountered - 31 December 2025","text":"

Major maintenance session to repair the infrastructure after the reorganization.

"},{"location":"infra/issues-2025-12-31/#1-shlink-urls-cassees","title":"1. Shlink - Broken URLs","text":"

Symptom: the short URLs (go/ts, go/ui, etc.) no longer worked.

Cause: the Caddyfile contained manual redirects instead of a reverse proxy to Shlink.

Solution:

# BEFORE (broken)\ngo.talloires.local {\n    redir /ts https://tailscale.com permanent\n    redir /ui https://unifi.ui.com permanent\n}\n\n# AFTER (working)\ngo.talloires.local {\n    reverse_proxy shlink:8080\n}\n

Modified files: - /mnt/mediaserver/talloires/caddy/Caddyfile - /home/lionel/talloires-v2/shlink-web/servers.json

"},{"location":"infra/issues-2025-12-31/#2-arcane-crash-loop","title":"2. Arcane - Crash loop","text":"

Symptom: container stuck in a permanent restart loop.

Cause: invalid ENCRYPTION_KEY (31 characters instead of 32+).

Solution:

# Generate new keys\nopenssl rand -base64 32\n\n# Update docker-compose.yml\nENCRYPTION_KEY=fY+ln5hq7XMkDR+cU/pxu3Kf11LgUkjYXdM+QSwU3jM=\nSESSION_SECRET=QDGWo1nA9Qa4fRT2ektsjQ0oUbuAwUz4V8xsBfZYiWw=\n

Note: Authelia temporarily disabled for Arcane.

"},{"location":"infra/issues-2025-12-31/#3-jellyfin-medias-non-montes","title":"3. Jellyfin - Media not mounted","text":"

Symptom: empty libraries, media inaccessible.

Cause: Docker volumes pointed to /mnt/annecy instead of /mnt/mediaserver.

Solution: fixed the bind mounts in docker-compose.yml.

"},{"location":"infra/issues-2025-12-31/#4-gitea-authelia-oidc-casse","title":"4. Gitea + Authelia - OIDC broken","text":"

Symptom: 500 Internal Server Error during Authelia login.

Cause: Gitea did not trust Caddy's TLS certificate (new CA after regeneration).

Solution:

# Copy the Caddy root CA into the Gitea container\ndocker exec caddy cat /data/caddy/pki/authorities/local/root.crt > /tmp/caddy-root.crt\ndocker cp /tmp/caddy-root.crt gitea:/usr/local/share/ca-certificates/\ndocker exec gitea update-ca-certificates\ndocker restart gitea\n

"},{"location":"infra/issues-2025-12-31/#5-authelia-base-de-donnees-read-only","title":"5. Authelia - Read-only database","text":"

Symptom: Could not save the consent session

Cause: the /home/lionel/docker/authelia/config/ directory had been deleted during cleanup, but the container still mounted that path.

Solution:

# Restore from the archive\ntar xzf /mnt/mediaserver/backups/docker-v1-archive-20251231.tar.gz \\\n    -C /home/lionel docker/authelia\ndocker restart authelia\n

"},{"location":"infra/issues-2025-12-31/#6-home-assistant-onboarding-inattendu","title":"6. Home Assistant - Unexpected onboarding","text":"

Symptom: account creation page shown instead of the login page.

Cause: the container mounted /mnt/mediaserver/talloires/homeassistant, but the restored config was in /home/lionel/talloires-v2/homeassistant.

Solution:

# Copy the restored config to the correct location\ncp -a /home/lionel/talloires-v2/homeassistant /mnt/mediaserver/talloires/homeassistant\ndocker restart homeassistant\n

"},{"location":"infra/issues-2025-12-31/#7-transmission-http-502","title":"7. Transmission - HTTP 502","text":"

Symptom: Bad Gateway when opening the service.

Cause: Caddy was proxying to transmission:9091, but Transmission runs with network_mode: service:wireguard, so its port belongs to the wireguard container.

Solution:

# In the Caddyfile\nreverse_proxy wireguard:9091  # Not transmission:9091\n

"},{"location":"infra/issues-2025-12-31/#8-dozzle-non-accessible","title":"8. Dozzle - Not accessible","text":"

Symptom: the URL did not work.

Cause: Dozzle was not configured in the Caddyfile.

Solution:

dozzle.talloires.local, dozzle.talloires.tailfd281f.ts.net {\n    import authelia\n    reverse_proxy dozzle:8080\n    import internal_tls\n}\n

"},{"location":"infra/issues-2025-12-31/#lecons-apprises","title":"Lessons learned","text":"
  1. Always check mount points before deleting directories
  2. CA certificates must be installed in every container that makes internal HTTPS requests
  3. Document the actual paths used by each service
  4. Keep an archive before any major reorganization
"},{"location":"infra/network/","title":"Network & Access","text":""},{"location":"infra/network/#tailscale-vpn","title":"Tailscale VPN","text":"

Tailscale has replaced ZeroTier as the mesh VPN since December 2025.

"},{"location":"infra/network/#configuration","title":"Configuration","text":"Machine IP Tailscale Hostname Talloires (RPi5) 10.171.171.1 talloires.tailfd281f.ts.net Annecy (Synology) 10.171.171.50 annecy.tailfd281f.ts.net Mac Lionel 100.x.x.x (dynamic)"},{"location":"infra/network/#dns-magicdns","title":"DNS MagicDNS","text":"

Tailscale provides automatic DNS resolution:

*.talloires.tailfd281f.ts.net \u2192 Talloires services\n
"},{"location":"infra/network/#acces-aux-services","title":"Service access","text":"

All services are reachable under two domains:

Type Domain Example LAN *.talloires.local jellyfin.talloires.local Tailscale *.talloires.tailfd281f.ts.net jellyfin.talloires.tailfd281f.ts.net"},{"location":"infra/network/#acces-lan","title":"LAN access","text":""},{"location":"infra/network/#prerequis","title":"Prerequisites","text":"
  1. Caddy CA certificate installed on the client
  2. Local DNS configured (dnsmasq or /etc/hosts)
"},{"location":"infra/network/#installation-du-certificat","title":"Certificate installation","text":"
# On Talloires\ndocker exec caddy cat /data/caddy/pki/authorities/local/root.crt > caddy-root.crt\n\n# On the Mac\nsudo security add-trusted-cert -d -r trustRoot \\\n  -k /Library/Keychains/System.keychain caddy-root.crt\n
"},{"location":"infra/network/#configuration-dns","title":"DNS configuration","text":"

Option 1: dnsmasq on the router

address=/talloires.local/10.171.171.7\n

Option 2: /etc/hosts on each client

10.171.171.7 jellyfin.talloires.local\n10.171.171.7 git.talloires.local\n10.171.171.7 homeassistant.talloires.local\n# etc.\n

"},{"location":"infra/network/#ports-exposes","title":"Exposed ports","text":"Port Service Protocol 443 Caddy (HTTPS) TCP 80 Caddy (HTTP \u2192 HTTPS) TCP 2222 Gitea SSH TCP 8123 Home Assistant (internal) TCP"},{"location":"infra/network/#securite","title":"Security","text":""},{"location":"infra/network/#authelia-sso","title":"Authelia SSO","text":"

Most services are protected by Authelia:

Client \u2192 Caddy \u2192 Authelia \u2192 Service\n

Services protected by Authelia: - Transmission - Netdata - Dozzle - Cockpit

Services with their own authentication (Authelia bypass): - Jellyfin (built-in auth) - Gitea (OIDC via Authelia) - Home Assistant (built-in auth) - Arcane (temporarily disabled)

"},{"location":"infra/network/#protonvpn-wireguard","title":"ProtonVPN (WireGuard)","text":"

Transmission uses a WireGuard tunnel to ProtonVPN:

Transmission \u2192 WireGuard container \u2192 ProtonVPN \u2192 Internet\n                    \u2193\n            Built-in kill switch\n            (network_mode: service:wireguard)\n

IP check:

# Transmission's egress IP (must be a ProtonVPN address)\ndocker exec transmission curl -s ifconfig.me\n\n# Local (host) egress IP\ncurl -s ifconfig.me\n

"},{"location":"infra/network/#dns-redondant","title":"Redundant DNS","text":""},{"location":"infra/network/#architecture","title":"Architecture","text":"Server IP Role Upstream Talloires 100.116.198.105 Primary AdGuard DoH Annecy 10.171.171.50 Secondary Talloires \u2192 1.1.1.1"},{"location":"infra/network/#configuration_1","title":"Configuration","text":"

Talloires (/etc/dnsmasq.d/tailscale.conf): - Listens on: 127.0.0.1, 100.116.198.105 - Forwards to: cloudflared (AdGuard DoH)

Annecy (/volume1/docker/dnsmasq/): - Container: andyshinn/dnsmasq - Mode: network_mode: host + bind-interfaces - Listens on: 10.171.171.50, 10.171.171.51 - Forwards to: Talloires \u2192 1.1.1.1 \u2192 8.8.8.8

"},{"location":"infra/network/#test","title":"Test","text":"
dig @10.171.171.50 talloires.local +short  # Annecy\ndig @100.116.198.105 go +short              # Talloires\n
"},{"location":"infra/overview/","title":"Infrastructure Overview","text":""},{"location":"infra/overview/#hardware","title":"Hardware","text":""},{"location":"infra/overview/#talloires-raspberry-pi-5-8gb","title":"Talloires (Raspberry Pi 5 - 8GB)","text":"Component Details CPU Broadcom BCM2712 (4x Cortex-A76 @ 2.4GHz) RAM 8 GB LPDDR4X Storage SD Card 64GB + SSD 4TB USB Network Ethernet 1Gbps OS Raspberry Pi OS (Debian 12 Bookworm)"},{"location":"infra/overview/#annecy-synology-ds620slim","title":"Annecy (Synology DS620slim)","text":"Component Details Storage 6x SSD in RAID Role NAS backup, long-term storage Access NFS via Tailscale"},{"location":"infra/overview/#theseus-unifi-dream-router-7","title":"Theseus (UniFi Dream Router 7)","text":"Role Details Router Home network gateway WiFi WiFi 7 (BE) DHCP 10.171.171.0/24"},{"location":"infra/overview/#points-de-montage","title":"Mount points","text":"
# SD card (OS + configs)\n/dev/mmcblk0p2  \u2192  /                    # 58 GB\n\n# External SSD (data)\n/dev/sda1       \u2192  /mnt/mediaserver     # 4 TB\n\n# NFS from the Synology (backups)\nannecy:/volume1/Backups  \u2192  /mnt/annecy\n
"},{"location":"infra/overview/#structure-lake","title":"Structure ~/lake/","text":"
~/lake/\n\u251c\u2500\u2500 automation/          # Home Assistant, ESPHome, Signal, TGV-tracker\n\u2502   \u251c\u2500\u2500 homeassistant/\n\u2502   \u251c\u2500\u2500 esphome/\n\u2502   \u251c\u2500\u2500 signal/\n\u2502   \u2514\u2500\u2500 tgv-tracker/\n\u251c\u2500\u2500 infra/               # Caddy, Authelia\n\u2502   \u251c\u2500\u2500 caddy/\n\u2502   \u2514\u2500\u2500 authelia/\n\u251c\u2500\u2500 media/               # Jellyfin\n\u2502   \u2514\u2500\u2500 jellyfin/\n\u251c\u2500\u2500 monitoring/          # Arcane, Dozzle, Netdata\n\u2502   \u251c\u2500\u2500 arcane/\n\u2502   \u251c\u2500\u2500 dozzle/\n\u2502   \u2514\u2500\u2500 netdata/\n\u251c\u2500\u2500 p2p/                 # Legacy (see servarr)\n\u2502   \u251c\u2500\u2500 transmission/\n\u2502   \u2514\u2500\u2500 wireguard/\n\u251c\u2500\u2500 servarr/             # Automated media stack (VPN)\n\u2502   \u251c\u2500\u2500 gluetun/\n\u2502   \u251c\u2500\u2500 transmission/\n\u2502   \u251c\u2500\u2500 prowlarr/\n\u2502   \u251c\u2500\u2500 radarr/\n\u2502   \u2514\u2500\u2500 sonarr/\n\u2514\u2500\u2500 tools/               # Gitea, Shlink, MkDocs, Glance, etc.\n    \u251c\u2500\u2500 gitea/\n    \u251c\u2500\u2500 shlink/\n    \u251c\u2500\u2500 mkdocs/\n    \u2514\u2500\u2500 glance/\n
"},{"location":"infra/overview/#reseaux-docker","title":"Docker networks","text":"
flowchart LR\n    subgraph lake_net[lake_net - Main network]\n        CADDY[Caddy]\n        AUTH[Authelia]\n        JELLYFIN[Jellyfin]\n        GITEA[Gitea]\n        HA[Home Assistant]\n        MKDOCS[MkDocs]\n        GLUETUN[Gluetun]\n    end\n\n    subgraph gluetun_ns[Gluetun namespace]\n        TRANS[Transmission]\n        PROWLARR[Prowlarr]\n        SONARR[Sonarr]\n        RADARR[Radarr]\n    end\n\n    CADDY --> AUTH\n    CADDY --> JELLYFIN\n    CADDY --> GITEA\n    CADDY --> HA\n    CADDY --> MKDOCS\n    CADDY --> GLUETUN\n    GLUETUN --> gluetun_ns
Network CIDR Usage lake_net 172.19.0.0/16 Main network, all services gluetun namespace localhost Servarr services via VPN"},{"location":"infra/overview/#services-actifs","title":"Active services","text":"Service Stack Port URL Caddy infra 80, 443 - Authelia infra 9091 auth.talloires.local Jellyfin media 8096 jellyfin.talloires.local Home Assistant automation 8123 homeassistant.talloires.local ESPHome automation 6052 - Gitea tools 3000 git.talloires.local MkDocs tools 8000 docs.talloires.local Shlink tools 8080 go.talloires.local Arcane monitoring 3552 arcane.talloires.local Dozzle monitoring 8080 dozzle.talloires.local Netdata monitoring 19999 netdata.talloires.local Gluetun servarr 8000 - Transmission servarr 9091 transmission.talloires.tailfd281f.ts.net Prowlarr servarr 9696 prowlarr.talloires.local Sonarr servarr 8989 sonarr.talloires.local Radarr servarr 7878 radarr.talloires.local"},{"location":"infra/overview/#adresses-ip","title":"IP addresses","text":"Machine IP LAN IP Tailscale Talloires 10.171.171.7 talloires.tailfd281f.ts.net Annecy 10.171.171.50 annecy.tailfd281f.ts.net Olympou (Mac) 10.171.171.x olympou.tailfd281f.ts.net"},{"location":"infra/overview/#domaines","title":"Domains","text":"Domain Usage *.talloires.local LAN access *.talloires.tailfd281f.ts.net Tailscale access"},{"location":"infra/overview/#stockage-media","title":"Media storage","text":"
/mnt/mediaserver/\n\u251c\u2500\u2500 servarr/\n\u2502   \u251c\u2500\u2500 torrents/        # Transmission downloads\n\u2502   \u2514\u2500\u2500 media/\n\u2502       \u251c\u2500\u2500 movies/      # Movies (Radarr)\n\u2502       \u2514\u2500\u2500 tv/          # TV series (Sonarr)\n\u251c\u2500\u2500 jellyfin/\n\u2502   \u251c\u2500\u2500 movies/          # Legacy library\n\u2502   \u251c\u2500\u2500 series/          # Legacy library\n\u2502   \u251c\u2500\u2500 lionel/          # Lionel's media\n\u2502   \u2514\u2500\u2500 fiona/           # Fiona's media\n\u2514\u2500\u2500 jellyfin-cache/      # Transcoding cache\n
"},{"location":"infra/overview/#derniere-mise-a-jour","title":"Last updated","text":""},{"location":"infra/recommendations/","title":"Recommendations & Next Steps","text":""},{"location":"infra/recommendations/#priorite-haute","title":"High priority \ud83d\udd34","text":""},{"location":"infra/recommendations/#1-migration-sd-ssd-512gb","title":"1. Migration SD \u2192 SSD 512GB","text":"

Current situation: - 64GB SD card: 69% used (OS + configs) - 4TB SSD: data only

Recommendation: boot from a 512GB SSD for: - Better reliability (SD cards are a point of failure) - Better I/O performance - More room for Docker configs

Steps:

# 1. Clone the SD card to the SSD\nsudo dd if=/dev/mmcblk0 of=/dev/sdX bs=4M status=progress\n\n# 2. Expand the partition\nsudo raspi-config  # Advanced > Expand Filesystem\n\n# 3. Configure USB boot\nsudo raspi-config  # Advanced > Boot Order > USB Boot\n\n# 4. Edit /boot/cmdline.txt if necessary\n

"},{"location":"infra/recommendations/#2-migrer-jellyfin-config-vers-ssd","title":"2. Migrate Jellyfin config to the SSD","text":"

Situation: 3.6 GB of Jellyfin config on the SD card

# Move to the SSD\nmv /home/lionel/talloires-v2/jellyfin /mnt/mediaserver/talloires/jellyfin\n\n# Update docker-compose.yml\nvolumes:\n  - /mnt/mediaserver/talloires/jellyfin:/config\n
"},{"location":"infra/recommendations/#3-reactiver-authelia-pour-arcane","title":"3. Re-enable Authelia for Arcane","text":"

Currently disabled to work around an access problem.

# In the Caddyfile, re-enable:\narcane.talloires.local {\n    import authelia  # Uncomment\n    reverse_proxy arcane:3000\n}\n
"},{"location":"infra/recommendations/#priorite-moyenne","title":"Medium priority \ud83d\udfe1","text":""},{"location":"infra/recommendations/#4-corriger-lerreur-smtp-home-assistant","title":"4. Fix the Home Assistant SMTP error","text":"
# configuration.yaml - use a ProtonMail app password\nnotify:\n  - platform: smtp\n    server: 127.0.0.1  # Via ProtonMail Bridge\n    port: 1025\n    sender: xxx@protonmail.com\n    username: xxx\n    password: !secret smtp_password\n
"},{"location":"infra/recommendations/#5-unifier-les-chemins-de-configuration","title":"5. Unify configuration paths","text":"

Currently scattered across: - /home/lionel/talloires-v2/ (Docker Compose configs) - /mnt/mediaserver/talloires/ (service data) - /home/lionel/docker/ (old, to be migrated)

Recommendation: consolidate everything on the SSD once the migration is done.

"},{"location":"infra/recommendations/#6-backup-automatise-des-configs","title":"6. Automated config backup","text":"
# Add to cron\n0 4 * * * tar czf /mnt/annecy/talloires-config-$(date +%Y%m%d).tar.gz \\\n    /home/lionel/talloires-v2 \\\n    /mnt/mediaserver/talloires\n
"},{"location":"infra/recommendations/#7-monitoring-des-backups","title":"7. Backup monitoring","text":"

Add alerts when backups fail: - Healthchecks.io for the cron job - Telegram bot for critical alerts

"},{"location":"infra/recommendations/#priorite-basse","title":"Low priority \ud83d\udfe2","text":""},{"location":"infra/recommendations/#8-snmp-monitoring-synology","title":"8. SNMP monitoring Synology","text":"

Add RAID and disk monitoring for the Annecy NAS.

"},{"location":"infra/recommendations/#9-documentation-continue","title":"9. Continuous documentation","text":""},{"location":"infra/recommendations/#10-nettoyer-les-anciennes-archives","title":"10. Clean up old archives","text":"
# After validating the SSD migration\nrm /mnt/mediaserver/backups/docker-v1-archive-20251231.tar.gz\n
"},{"location":"infra/recommendations/#ameliorations-futures","title":"Future improvements","text":""},{"location":"infra/recommendations/#infrastructure","title":"Infrastructure","text":""},{"location":"infra/recommendations/#securite","title":"Security","text":""},{"location":"infra/recommendations/#services","title":"Services","text":""},{"location":"infra/ssd-migration/","title":"SD \u2192 NVMe SSD migration","text":"

Migration completed successfully on 1 January 2026

Talloires now boots from a 512GB NVMe SSD, with the SD card as automatic fallback.

"},{"location":"infra/ssd-migration/#contexte","title":"Context","text":"

The Raspberry Pi 5 was running from a 64GB SD card, which caused several problems:

"},{"location":"infra/ssd-migration/#materiel","title":"Hardware","text":"Component Model Capacity NVMe SSD Acer MA200 512 GB NVMe HAT (built into Pi 5) PCIe 2.0 x1 SD card (backup) SanDisk 64 GB"},{"location":"infra/ssd-migration/#procedure-de-migration","title":"Migration procedure","text":""},{"location":"infra/ssd-migration/#1-backup-prealable","title":"1. Preliminary backup","text":"
# Full backup to Annecy (NAS)\n~/backup-to-annecy.sh\n

The script backs up ~/talloires-v2/ (3.7GB, 19,427 files) to /mnt/annecy/talloires/.

"},{"location":"infra/ssd-migration/#2-preparation-du-ssd","title":"2. SSD preparation","text":"

The SSD was already partitioned from a previous installation:

/dev/nvme0n1p1  511M  boot (FAT32)\n/dev/nvme0n1p2  468G  root (ext4)\n
"},{"location":"infra/ssd-migration/#3-synchronisation-avec-rsync","title":"3. Synchronisation with rsync","text":"
# Sync root filesystem\nsudo rsync -axHAWXS --numeric-ids --info=progress2 --delete \\\n  --exclude=\"/boot/firmware/*\" \\\n  --exclude=\"/dev/*\" \\\n  --exclude=\"/proc/*\" \\\n  --exclude=\"/sys/*\" \\\n  --exclude=\"/tmp/*\" \\\n  --exclude=\"/run/*\" \\\n  --exclude=\"/mnt/*\" \\\n  --exclude=\"/media/*\" \\\n  --exclude=\"/lost+found\" \\\n  / /mnt/ssd-root/\n\n# Sync boot partition\nsudo rsync -avx /boot/firmware/ /mnt/ssd-boot/\n
"},{"location":"infra/ssd-migration/#4-configuration-des-partuuids","title":"4. PARTUUID configuration","text":"

Update /etc/fstab on the SSD:

PARTUUID=e4c047f7-01  /boot/firmware  vfat  defaults  0  2\nPARTUUID=e4c047f7-02  /               ext4  defaults,noatime  0  1\n

Update /boot/firmware/cmdline.txt:

root=PARTUUID=e4c047f7-02\n
"},{"location":"infra/ssd-migration/#5-configuration-eeprom-boot-order","title":"5. Configuration EEPROM boot order","text":"
# Before: 0xf461 (SD \u2192 NVMe \u2192 USB)\n# After: 0xf416 (NVMe \u2192 SD \u2192 USB)\nsudo rpi-eeprom-config --edit\n# Set BOOT_ORDER=0xf416\n
Code Meaning 6 NVMe (first) 1 SD card (fallback) 4 USB f Restart loop"},{"location":"infra/ssd-migration/#resultats-benchmark","title":"Benchmark results","text":""},{"location":"infra/ssd-migration/#ecriture-sequentielle-128mb","title":"Sequential write (128MB)","text":"Device Speed Ratio SD Card 8.9 MB/s 1x SSD NVMe 2,100 MB/s 236x"},{"location":"infra/ssd-migration/#io-aleatoires-4k-le-plus-important","title":"4K random I/O (the most important)","text":"Device Read IOPS Write IOPS SD Card 3,288 302 SSD NVMe 315,076 334,367 Gain 96x 1,108x \ud83d\udd25

Why 4K IOPS matter

4K random writes are critical for:

"},{"location":"infra/ssd-migration/#etat-actuel","title":"Current state","text":"
# Check the boot device\nfindmnt -n -o SOURCE /\n# /dev/nvme0n1p2\n\n# Available space\ndf -h /\n# 468G total, 406G free (87%)\n\n# Boot order\nsudo rpi-eeprom-config | grep BOOT_ORDER\n# BOOT_ORDER=0xf416\n
"},{"location":"infra/ssd-migration/#fallback-automatique","title":"Automatic fallback","text":"

The SD card stays inserted and contains a working system. If the SSD has a problem:

  1. The Pi tries to boot from NVMe \u2192 fails
  2. The Pi automatically boots from SD \u2192 succeeds
  3. The SSD can then be diagnosed/repaired

To force booting from SD (debugging):

# Temporarily change the boot order\nsudo rpi-eeprom-config --edit\n# BOOT_ORDER=0xf461  (SD first)\nsudo reboot\n
"},{"location":"infra/ssd-migration/#scripts-associes","title":"Related scripts","text":""},{"location":"infra/ssd-migration/#historique","title":"History","text":"Date Action 2026-01-01 SD \u2192 NVMe SSD migration 2026-01-01 Backup script fix (source: talloires-v2) 2026-01-01 Benchmark and documentation"},{"location":"services/helmarr/","title":"Helmarr (iOS)","text":"

Native iOS app to manage Servarr services from iPhone/iPad.

"},{"location":"services/helmarr/#presentation","title":"Overview","text":"

Helmarr is an iOS/iPadOS/macOS app for controlling Radarr, Sonarr, Prowlarr, Transmission and other *arr services from a mobile device. Native interface, Home Screen widgets, push notifications.

App Store

Helmarr on the App Store (free)

"},{"location":"services/helmarr/#services-supportes","title":"Supported services","text":"Service Function Supported Sonarr TV series \u2705 Radarr Movies \u2705 Lidarr Music \u2705 Prowlarr Indexers \u2705 Transmission Torrents \u2705 Tautulli Plex stats \u2705 Overseerr/Jellyseerr Requests \u2705 SABnzbd/NZBGet Usenet \u2705"},{"location":"services/helmarr/#configuration-talloires","title":"Talloires configuration","text":""},{"location":"services/helmarr/#urls-et-api-keys","title":"URLs and API keys","text":"Service Tailscale URL API Key Radarr https://radarr.talloires.tailfd281f.ts.net b87fbcc6737e4d6a8c3c64f91bb81cef Sonarr https://sonarr.talloires.tailfd281f.ts.net eb2cc87743de4ff18944d684f7e33da2 Prowlarr https://prowlarr.talloires.tailfd281f.ts.net 813a9853a8bc468c8d6a4f013373cff7 Transmission https://transmission.talloires.tailfd281f.ts.net (basic auth)

Security

These API keys give full access to the services, and the /api/* routes bypass Authelia, so the key is the only credential on them. Do not share them.

"},{"location":"services/helmarr/#etapes-de-configuration","title":"Configuration steps","text":"
  1. Install Helmarr from the App Store

  2. Add Radarr:

  3. Add Sonarr:

  4. Add Prowlarr:

  5. Add Transmission:

"},{"location":"services/helmarr/#multi-reseau-lan-tailscale","title":"Multi-network (LAN + Tailscale)","text":"

Helmarr supports multiple hosts with automatic failover:

Network URL When Tailscale *.talloires.tailfd281f.ts.net Everywhere (recommended) LAN *.talloires.local At home only

Recommended configuration

Use only the Tailscale URLs: they work everywhere as long as Tailscale is connected on the iPhone.

"},{"location":"services/helmarr/#fonctionnalites","title":"Features","text":""},{"location":"services/helmarr/#widgets-home-screen","title":"Home Screen widgets","text":""},{"location":"services/helmarr/#notifications-push","title":"Push notifications","text":"

Configure in each *arr app \u2192 Settings \u2192 Connect \u2192 Webhook:

URL: https://helmarr.app/webhook/<votre_token>\nEvents: On Download, On Upgrade\n
"},{"location":"services/helmarr/#recherche-interactive","title":"Interactive search","text":""},{"location":"services/helmarr/#authentification","title":"Authentication","text":"

No Authelia required

The /api/* endpoints are configured without Authelia in Caddy. Helmarr accesses the APIs directly with the API key.

"},{"location":"services/helmarr/#alternatives","title":"Alternatives","text":"App Price Advantages Helmarr Free Unified interface, widgets Ruddarr Free (premium $6/year) Nicer looking, open source LunaSea Free, open source More supported apps"},{"location":"services/helmarr/#depannage","title":"Troubleshooting","text":""},{"location":"services/helmarr/#unable-to-connect","title":"\"Unable to connect\"","text":"
  1. Check that Tailscale is connected on the iPhone
  2. Test the URL in Safari: https://radarr.talloires.tailfd281f.ts.net/api/v3/system/status?apikey=...
  3. Check that the service is running: docker ps | grep radarr
"},{"location":"services/helmarr/#certificat-invalide","title":"Invalid certificate","text":"

Tailscale certificates are valid. If you get an error:

"},{"location":"services/helmarr/#lenteur","title":"Slowness","text":"

The services run behind gluetun (VPN). Normal latency is ~100-200ms.

"},{"location":"services/homarr/","title":"Homarr","text":"

Self-hosted dashboard to organise and access homelab services.

"},{"location":"services/homarr/#presentation","title":"Overview","text":"

Homarr is a modern dashboard that centralises access to all services. Native integration with the *arr apps, real-time widgets, extensive customisation.

Project

GitHub Homarr \u2014 Open source, MIT License

"},{"location":"services/homarr/#deploiement","title":"Deployment","text":""},{"location":"services/homarr/#docker-compose","title":"Docker Compose","text":"

Create ~/lake/tools/homarr/docker-compose.yml:

services:\n  homarr:\n    image: ghcr.io/ajnart/homarr:latest\n    container_name: homarr\n    restart: unless-stopped\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock:ro\n      - ./configs:/app/data/configs\n      - ./icons:/app/public/icons\n      - ./data:/data\n    ports:\n      - \"7575:7575\"\n    environment:\n      - TZ=Europe/Luxembourg\n    networks:\n      - lake_net\n\nnetworks:\n  lake_net:\n    external: true\n
"},{"location":"services/homarr/#demarrage","title":"Startup","text":"
cd ~/lake/tools/homarr\ndocker compose up -d\n
"},{"location":"services/homarr/#caddy-reverse-proxy","title":"Caddy (reverse proxy)","text":"

Add to ~/lake/infra/caddy/Caddyfile:

homarr.talloires.local, homarr.talloires.tailfd281f.ts.net {\n    import authelia\n    reverse_proxy homarr:7575\n    import internal_tls\n}\n

Reload Caddy:

docker exec caddy caddy reload --config /etc/caddy/Caddyfile\n
"},{"location":"services/homarr/#configuration","title":"Configuration","text":""},{"location":"services/homarr/#services-a-ajouter","title":"Services to add","text":"Service Internal URL Icon Jellyfin http://jellyfin:8096 jellyfin Radarr http://gluetun:7878 radarr Sonarr http://gluetun:8989 sonarr Prowlarr http://gluetun:9696 prowlarr Transmission http://gluetun:9091 transmission Home Assistant http://homeassistant:8123 home-assistant Gitea http://gitea:3000 gitea Grafana http://grafana:3000 grafana Portainer http://portainer:9000 portainer"},{"location":"services/homarr/#integrations-arr","title":"*arr integrations","text":"

Homarr can display widgets with real-time stats:

  1. Add a service \u2192 Radarr
  2. Integration \u2192 Enable
  3. API Key: b87fbcc6737e4d6a8c3c64f91bb81cef
  4. The widgets will show: queued movies, disk space, activity
"},{"location":"services/homarr/#widgets-disponibles","title":"Available widgets","text":"Widget Function Calendar Upcoming releases (Sonarr/Radarr) Download Queue Active torrents System Health CPU, RAM, disk Docker Container status Weather Local weather Bookmarks Quick links"},{"location":"services/homarr/#structure-des-donnees","title":"Data layout","text":"
~/lake/tools/homarr/\n\u251c\u2500\u2500 docker-compose.yml\n\u251c\u2500\u2500 configs/           # Dashboard configuration\n\u2502   \u2514\u2500\u2500 default.json\n\u251c\u2500\u2500 icons/             # Custom icons\n\u2514\u2500\u2500 data/              # Persistent data\n
"},{"location":"services/homarr/#acces","title":"Access","text":"Network URL LAN homarr.talloires.local Tailscale homarr.talloires.tailfd281f.ts.net"},{"location":"services/homarr/#alternatives","title":"Alternatives","text":"Dashboard Advantages Drawbacks Homarr *arr integrations, modern Resource usage Homepage Lightweight, YAML config Fewer widgets Heimdall Simple No integrations Organizr Tabs, built-in auth Complex"},{"location":"services/homarr/#depannage","title":"Troubleshooting","text":""},{"location":"services/homarr/#docker-socket-permission","title":"Docker socket permission","text":"
# If you get a permission error\nsudo chmod 666 /var/run/docker.sock\n# Note: a world-writable Docker socket gives every local user root-equivalent control of the host;\n# adding only the relevant user to the docker group is the narrower fix.\n
"},{"location":"services/homarr/#icones-manquantes","title":"Missing icons","text":"

Download from Dashboard Icons:

cd ~/lake/tools/homarr/icons\nwget https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/radarr.png\n
"},{"location":"services/overview/","title":"Services","text":""},{"location":"services/overview/#vue-densemble","title":"Overview","text":"Service Stack Internal port Auth Caddy infra 443, 80 - Authelia infra 9091 - Jellyfin media 8096 Built-in Gitea tools 3000 Authelia OIDC Shlink tools 8080 - Shlink-web tools 8080 - Home Assistant automation 8123 Built-in Transmission transmission 9091 Authelia WireGuard transmission - - Netdata monitoring 19999 Authelia Dozzle monitoring 8080 Authelia Arcane docker-mgmt 3000 Disabled MkDocs mkdocs 8000 - Signal-API tools 8080 -"},{"location":"services/overview/#docker-compose-stacks","title":"Docker Compose Stacks","text":""},{"location":"services/overview/#infra-homelioneltalloires-v2infra","title":"infra (/home/lionel/talloires-v2/infra/)","text":"
services:\n  - caddy      # Reverse proxy + SSL\n  - authelia   # SSO\n
"},{"location":"services/overview/#media-homelioneltalloires-v2media","title":"media (/home/lionel/talloires-v2/media/)","text":"
services:\n  - jellyfin   # Media server\n
"},{"location":"services/overview/#tools-homelioneltalloires-v2tools","title":"tools (/home/lionel/talloires-v2/tools/)","text":"
services:\n  - gitea      # Git server\n  - shlink     # URL shortener\n  - shlink-web # Shlink UI\n  - signal-api # Signal messaging\n
"},{"location":"services/overview/#automation-homelioneltalloires-v2automation","title":"automation (/home/lionel/talloires-v2/automation/)","text":"
services:\n  - homeassistant\n
"},{"location":"services/overview/#transmission-homelioneltalloires-v2transmission","title":"transmission (/home/lionel/talloires-v2/transmission/)","text":"
services:\n  - wireguard    # VPN tunnel\n  - transmission # BitTorrent client\n
"},{"location":"services/overview/#monitoring-homelioneltalloires-v2monitoring","title":"monitoring (/home/lionel/talloires-v2/monitoring/)","text":"
services:\n  - netdata\n  - dozzle\n
"},{"location":"services/overview/#docker-mgmt-homelioneltalloires-v2docker-mgmt","title":"docker-mgmt (/home/lionel/talloires-v2/docker-mgmt/)","text":"
services:\n  - arcane\n
"},{"location":"services/overview/#mkdocs-homelioneltalloires-v2mkdocs","title":"mkdocs (/home/lionel/talloires-v2/mkdocs/)","text":"
services:\n  - mkdocs\n
"},{"location":"services/overview/#dependances","title":"Dependencies","text":"
graph TD\n    Internet --> Caddy\n    Caddy --> Authelia\n    Caddy --> Jellyfin\n    Caddy --> Gitea\n    Caddy --> HomeAssistant[Home Assistant]\n    Caddy --> Transmission\n    Caddy --> Netdata\n    Caddy --> Dozzle\n    Caddy --> Arcane\n    Caddy --> MkDocs\n    Caddy --> Shlink\n\n    Authelia --> |OIDC| Gitea\n    Authelia --> |Forward Auth| Transmission\n    Authelia --> |Forward Auth| Netdata\n    Authelia --> |Forward Auth| Dozzle\n\n    Transmission --> WireGuard\n    WireGuard --> ProtonVPN\n\n    Gitea --> |Sync| MkDocs
"},{"location":"services/overview/#commandes-utiles","title":"Useful commands","text":"
# Status of all containers\ndocker ps --format \"table {{.Names}}\\t{{.Status}}\\t{{.Ports}}\"\n\n# Restart a service\ndocker restart jellyfin\n\n# Live logs\ndocker logs -f jellyfin\n\n# Enter a container\ndocker exec -it jellyfin bash\n
"},{"location":"services/servarr/","title":"Servarr Stack","text":"

Complete, isolated stack for automated media management, fully routed through the VPN.

"},{"location":"services/servarr/#architecture","title":"Architecture","text":"
flowchart TB\n    subgraph Internet\n        PROTON[ProtonVPN LU<br/>WireGuard]\n    end\n\n    subgraph Gluetun[gluetun - VPN Container]\n        TRANS[Transmission<br/>localhost:9091]\n        PROWLARR[Prowlarr<br/>localhost:9696]\n        RADARR[Radarr<br/>localhost:7878]\n        SONARR[Sonarr<br/>localhost:8989]\n    end\n\n    subgraph Caddy[Reverse Proxy]\n        CADDY[Caddy + Authelia SSO]\n    end\n\n    subgraph Storage[/mnt/mediaserver/servarr]\n        TORRENTS[torrents/]\n        MEDIA[media/]\n    end\n\n    PROTON <--> Gluetun\n    CADDY -->|gluetun:*| Gluetun\n    TRANS --> TORRENTS\n    PROWLARR --> TRANS\n    RADARR --> TRANS\n    SONARR --> TRANS\n    RADARR --> MEDIA\n    SONARR --> MEDIA

Built-in kill switch

All services share gluetun's network namespace via network_mode: service:gluetun. If the VPN goes down, no service has Internet access.

"},{"location":"services/servarr/#services","title":"Services","text":"Service Internal port Function URL Gluetun 8000 (control) VPN container (ProtonVPN LU) - Transmission 9091 BitTorrent client transmission.talloires.tailfd281f.ts.net Prowlarr 9696 Indexer manager prowlarr.talloires.tailfd281f.ts.net Radarr 7878 Movie management radarr.talloires.tailfd281f.ts.net Sonarr 8989 TV series management sonarr.talloires.tailfd281f.ts.net

LAN access is also available

"},{"location":"services/servarr/#structure-des-donnees","title":"Data layout","text":"
/mnt/mediaserver/servarr/\n\u251c\u2500\u2500 torrents/\n\u2502   \u251c\u2500\u2500 incomplete/     # Downloads in progress\n\u2502   \u2514\u2500\u2500 complete/       # Completed downloads\n\u2514\u2500\u2500 media/\n    \u251c\u2500\u2500 movies/         # Movies (Radarr \u2192 Jellyfin)\n    \u2514\u2500\u2500 tv/             # TV series (Sonarr \u2192 Jellyfin)\n

Hardlinks

All services see /data/, which points to /mnt/mediaserver/servarr/. This allows hardlinks: no copying, instant moves.

"},{"location":"services/servarr/#configuration-reseau","title":"Network configuration","text":""},{"location":"services/servarr/#network_mode-servicegluetun","title":"network_mode: service:gluetun","text":"

All services use network_mode: \"service:gluetun\", which means:

# Example configuration\nservices:\n  gluetun:\n    ports:\n      - \"9091:9091\"   # Transmission\n      - \"9696:9696\"   # Prowlarr\n      - \"7878:7878\"   # Radarr\n      - \"8989:8989\"   # Sonarr\n    environment:\n      - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/16,100.64.0.0/10\n\n  prowlarr:\n    network_mode: \"service:gluetun\"\n    depends_on:\n      gluetun:\n        condition: service_healthy\n
"},{"location":"services/servarr/#configuration-interne-des-apps","title":"Internal app configuration","text":"App Setting Value Prowlarr Download Client \u2192 Transmission localhost:9091 Prowlarr Apps \u2192 Sonarr localhost:8989 Prowlarr Apps \u2192 Radarr localhost:7878 Sonarr Download Client \u2192 Transmission localhost:9091 Radarr Download Client \u2192 Transmission localhost:9091

Important

Do not use container names (prowlarr, sonarr, etc.): they are not resolvable in this network mode, because all the containers share gluetun's network namespace and reach each other on localhost.

"},{"location":"services/servarr/#vpn-configuration","title":"VPN Configuration","text":""},{"location":"services/servarr/#protonvpn-wireguard","title":"ProtonVPN WireGuard","text":"
# Check the VPN IP\ndocker exec gluetun wget -qO- https://ipinfo.io/ip\n# Should return a ProtonVPN Luxembourg IP (5.253.204.x)\n
Parameter Value Provider ProtonVPN Type WireGuard Server Luxembourg (LU#9) Peer Port 51413 (Transmission)"},{"location":"services/servarr/#firewall","title":"Firewall","text":"
environment:\n  # Allow access from LAN and Tailscale\n  - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/16,100.64.0.0/10\n  # Port forwarding for seeding\n  - FIREWALL_VPN_INPUT_PORTS=51413\n
"},{"location":"services/servarr/#caddy-reverse-proxy","title":"Caddy / Reverse Proxy","text":"

The services are exposed through Caddy with Authelia SSO:

prowlarr.talloires.local, prowlarr.talloires.tailfd281f.ts.net {\n    @api path /api/*\n    handle @api {\n        reverse_proxy gluetun:9696\n    }\n    handle {\n        import authelia\n        reverse_proxy gluetun:9696\n    }\n    import internal_tls\n}\n

API without auth

The /api/* endpoints are reachable without Authelia to allow inter-app communication; on those routes each service's own API key is the only credential.

"},{"location":"services/servarr/#verifications","title":"Checks","text":""},{"location":"services/servarr/#vpn-actif","title":"VPN active","text":"
docker exec gluetun wget -qO- https://ipinfo.io\n

Should show a ProtonVPN IP (M247/Datacamp), not your real IP.

"},{"location":"services/servarr/#connectivite-interne","title":"Internal connectivity","text":"
# From gluetun, test all services\ndocker exec gluetun sh -c 'wget -qO- http://localhost:9696/ping'  # Prowlarr\ndocker exec gluetun sh -c 'wget -qO- http://localhost:8989/ping'  # Sonarr\ndocker exec gluetun sh -c 'wget -qO- http://localhost:7878/ping'  # Radarr\n
"},{"location":"services/servarr/#statut-des-containers","title":"Container status","text":"
cd ~/lake/servarr && docker compose ps\n
"},{"location":"services/servarr/#health-check-gluetun","title":"Health check gluetun","text":"
docker inspect gluetun --format='{{.State.Health.Status}}'\n# Should return: healthy\n
"},{"location":"services/servarr/#fichiers","title":"Files","text":"File Path Docker Compose ~/lake/servarr/docker-compose.yml Environment ~/lake/servarr/.env Backup ~/lake/servarr/docker-compose.yml.bak Data /mnt/mediaserver/servarr/"},{"location":"services/servarr/#historique","title":"History","text":""},{"location":"services/transmission/","title":"Transmission","text":"

BitTorrent service secured through the ProtonVPN tunnel.

"},{"location":"services/transmission/#acces","title":"Access","text":"Method URL Status Tailscale transmission.talloires.tailfd281f.ts.net \u2705 Allowed LAN transmission.talloires.local \u274c Blocked Go-link go/torrent \u2705 Redirects to TS"},{"location":"services/transmission/#architecture-de-securite","title":"Security architecture","text":"
\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                         INTERNET                                 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n         \u2502                                    \u25b2\n         \u2502 Torrent traffic                    \u2502 VPN tunnel\n         \u25bc                                    \u2502\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510                 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502  ProtonVPN LU   \u2502\u25c4\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u25ba\u2502   WireGuard     \u2502\n\u2502  5.253.204.x    \u2502    encrypted    \u2502   container     \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518                 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                                             \u2502\n                                    
\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n                                    \u2502  Transmission   \u2502\n                                    \u2502   container     \u2502\n                                    \u2502 (network_mode:  \u2502\n                                    \u2502  wireguard)     \u2502\n                                    \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                                             \u2502\n                              \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n                              \u2502                             \u2502\n                    \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n                    \u2502   Tailscale DNS   \u2502         \u2502    LAN DNS      \u2502\n                    \u2502  .ts.net resolved \u2502         \u2502  .local resolved\u2502\n                    \u2502  only on          \u2502         \u2502  on the local   \u2502\n                    \u2502  Tailscale devices\u2502         \u2502  network        \u2502\n                    \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518         \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                              \u2502                            \u2502\n                              \u25bc                            \u25bc\n                    
\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n                    \u2502    Authelia     \u2502         \u2502   403 Blocked   \u2502\n                    \u2502  + Transmission \u2502         \u2502  \"Use Tailscale\"\u2502\n                    \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518         \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n
"},{"location":"services/transmission/#pourquoi-cette-configuration","title":"Why this configuration?","text":""},{"location":"services/transmission/#1-vpn-obligatoire-wireguard-protonvpn","title":"1. Mandatory VPN (WireGuard \u2192 ProtonVPN)","text":"

Transmission uses network_mode: service:wireguard. All of its network traffic goes through the WireGuard container, which:

Visible public IP: 5.253.204.x (ProtonVPN LU)

"},{"location":"services/transmission/#2-acces-tailscale-uniquement","title":"2. Tailscale-only access","text":"Risk Mitigation Someone on the LAN sees the torrents LAN access blocked (403) Someone on the LAN adds torrents LAN access blocked (403) Someone outside Tailscale gets access .ts.net DNS not resolvable outside TS Unauthorised user on Tailscale Authelia (login required)

Principle: the *.tailfd281f.ts.net names are only resolvable by devices connected to the tailnet. That is a first, \"free\" layer of security. Authelia adds authentication on top.

"},{"location":"services/transmission/#3-pourquoi-pas-dacces-lan","title":"3. Why no LAN access?","text":"

The LAN is considered less secure than Tailscale for Transmission:

Tailscale guarantees that only devices explicitly authorised in the tailnet can even resolve the DNS name.

"},{"location":"services/transmission/#risques-residuels","title":"Residual risks","text":"Risk Likelihood Impact Mitigation Compromise of a Tailscale device Low Medium Authelia 2FA recommended IP leak if WireGuard crashes Very low High iptables kill switch Illegal content downloaded Variable High User responsibility DMCA notice Low (VPN) Low ProtonVPN no-logs policy"},{"location":"services/transmission/#configuration-technique","title":"Technical configuration","text":""},{"location":"services/transmission/#wireguard-kill-switch","title":"WireGuard kill switch","text":"
# /home/lionel/lake/p2p/wireguard/wg_confs/wg0.conf\nPostUp = iptables -I OUTPUT -o eth0 -d 5.253.204.162 -j ACCEPT\nPostUp = iptables -I OUTPUT -o eth0 -d 172.18.0.0/16 -j ACCEPT\nPostUp = iptables -I OUTPUT -o eth0 -d 172.19.0.0/16 -j ACCEPT\nPostUp = iptables -A OUTPUT -o eth0 -j REJECT\n

Only the following destinations are allowed on eth0; everything else is rejected: - the ProtonVPN endpoint - the internal Docker networks (so that Caddy can reach Transmission)

"},{"location":"services/transmission/#caddy-configuration","title":"Caddy configuration","text":"
# LAN - Blocked\ntransmission.talloires.local {\n    respond \"Access denied - Use Tailscale\" 403\n}\n\n# Tailscale - Authelia + Transmission\ntransmission.talloires.tailfd281f.ts.net {\n    import authelia\n    reverse_proxy wireguard:9091\n}\n
"},{"location":"services/transmission/#docker-network","title":"Docker network","text":"
# Transmission uses WireGuard's network namespace\ntransmission:\n  network_mode: service:wireguard\n  depends_on:\n    - wireguard\n\n# WireGuard is on lake_net so that Caddy can reach it\nwireguard:\n  networks:\n    - lake_net\n
"},{"location":"services/transmission/#utilisation","title":"Usage","text":"
  1. Go to go/torrent (from a Tailscale device)
  2. Authenticate via Authelia
  3. Add a torrent via the web interface (magnet link or .torrent file)
  4. Downloads land in /mnt/mediaserver/transmission/downloads/
"},{"location":"services/transmission/#verification-vpn","title":"VPN check","text":"

To confirm that traffic really goes through the VPN:

# Public IP as seen by Transmission\ndocker exec wireguard curl -s https://ifconfig.me\n# Should return 5.253.204.x (ProtonVPN LU)\n
"},{"location":"services/transmission/#fichiers","title":"Files","text":"File Description ~/lake/p2p/docker-compose.yml WireGuard + Transmission Docker config ~/lake/p2p/wireguard/wg_confs/wg0.conf WireGuard config + kill switch ~/lake/p2p/transmission/settings.json Transmission config /mnt/mediaserver/transmission/downloads/ Download folder"},{"location":"vault/","title":"\ud83d\uddc4\ufe0f Vault - Documentation archive v1.0","text":"

This section contains the archived documentation of the Talloires v1.0 infrastructure (before the migration of 30 December 2025).

"},{"location":"vault/#archive-historique","title":"\u26a0\ufe0f Historical archive","text":"

This documentation is archived for reference only.

For the current v2.0 infrastructure documentation, see: - v2.0 Home page - v2.0 Services - v2.0 Infrastructure

"},{"location":"vault/#contenu-v10-archive","title":"\ud83d\udcda Archived v1.0 Content","text":""},{"location":"vault/#documentation-v10","title":"Documentation v1.0","text":"

Original home page of the v1.0 documentation.

"},{"location":"vault/#services-v10","title":"Services v1.0","text":"

Documentation of the v1.0 infrastructure services (25+ services).

"},{"location":"vault/#configuration-v10","title":"Configuration v1.0","text":"

v1.0 configuration files and technical references.

"},{"location":"vault/#reference-v10","title":"Reference v1.0","text":"

v1.0 reference documentation and guides.

"},{"location":"vault/#migration-v10-v20","title":"\ud83d\udd04 Migration v1.0 \u2192 v2.0","text":"

Date: 30 December 2025 Strategy: Complete redesign (60% reduction in services)

"},{"location":"vault/#services-conserves-et-migres","title":"Services Kept and Migrated","text":""},{"location":"vault/#services-retires","title":"Services Removed","text":""},{"location":"vault/#architecture-changee","title":"Architecture Changed","text":""},{"location":"vault/#backup-complet-v10","title":"\ud83d\udce6 Complete v1.0 Backup","text":"

Complete archive available on the Annecy NAS:

/mnt/annecy/talloires/migration-v2/\n\u251c\u2500\u2500 talloires-v1-docker-20251230-191258.tar.gz (65 MB)\n\u251c\u2500\u2500 mkdocs-v1-archive-20251230.tar.gz (12 KB)\n\u2514\u2500\u2500 critical-configs-20251230-191758.tar.gz (3.5 KB)\n

Back to the v2.0 documentation

"},{"location":"vault/index-v1/","title":"Talloires - Home Server","text":"

Welcome to the documentation portal of Talloires, the Raspberry Pi 5 home server.

"},{"location":"vault/index-v1/#go-links-raccourcis","title":"\ud83d\ude80 Go Links (Shortcuts)","text":"

Quick access via https://go/xxx :

Shortcut Service Shortcut Service go/ha Home Assistant go/jf Jellyfin go/lw Linkwarden go/lt LanguageTool go/docs Documentation go/git Gitea go/grafana Grafana go/dockge Dockge go/shlink Go Links Admin go/auth Authelia

All go-links: ha, homeassistant, jf, jellyfin, lw, linkwarden, docs, git, auth, grafana, dockge, portainer, transmission, netdata, uptime, cockpit, vikunja, outline, lt, languagetool, shlink, annecy

Create a new go-link

"},{"location":"vault/index-v1/#services","title":"Services","text":""},{"location":"vault/index-v1/#media","title":"Media","text":"Service Go Link URL Jellyfin go/jf jellyfin.talloires.local Transmission go/transmission transmission.talloires.local"},{"location":"vault/index-v1/#productivite","title":"Productivity","text":"Service Go Link URL Vikunja go/vikunja vikunja.talloires.local Outline go/outline outline.talloires.local Linkwarden go/lw linkwarden.talloires.local LanguageTool go/lt languagetool.talloires.local"},{"location":"vault/index-v1/#infrastructure","title":"Infrastructure","text":"Service Go Link URL Portainer go/portainer portainer.talloires.local Dockge go/dockge dockge.talloires.local Gitea go/git git.talloires.local MkDocs go/docs docs.talloires.local Shlink go/shlink shlink.talloires.local"},{"location":"vault/index-v1/#monitoring","title":"Monitoring","text":"Service Go Link URL Grafana go/grafana grafana.talloires.local Netdata go/netdata netdata.talloires.local Uptime Kuma go/uptime uptime.talloires.local Cockpit go/cockpit cockpit.talloires.local"},{"location":"vault/index-v1/#domotique","title":"Home Automation","text":"Service Go Link URL Home Assistant go/ha homeassistant.talloires.local"},{"location":"vault/index-v1/#securite","title":"Security","text":"Service Go Link URL Authelia go/auth auth.talloires.local CrowdSec - (internal service)"},{"location":"vault/index-v1/#acces-rapide","title":"Quick access","text":""},{"location":"vault/config/caddy/","title":"Caddy - Reverse Proxy","text":""},{"location":"vault/config/caddy/#configuration","title":"Configuration","text":"

Caddy handles the reverse proxy and the internal SSL certificates for all services.

"},{"location":"vault/config/caddy/#principes-cles","title":"Key principles","text":"
  1. .local domains: Use Authelia for authentication (local network)
  2. .tailfd281f.ts.net domains: ZeroTier access without Authelia (services have their own auth)
  3. Certificates: Auto-generated by Caddy (internal CA)
"},{"location":"vault/config/caddy/#services-sans-authelia","title":"Services without Authelia","text":"

These services have their own authentication:

"},{"location":"vault/config/caddy/#snippet-authelia","title":"Authelia snippet","text":"
(authelia) {\n    forward_auth authelia:9091 {\n        uri /api/authz/forward-auth\n        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name\n    }\n}\n
"},{"location":"vault/config/caddy/#websocket-support","title":"WebSocket Support","text":"

For Home Assistant and Dockge:

homeassistant.talloires.local {\n    reverse_proxy homeassistant:8123 {\n        header_up Host {host}\n    }\n    tls internal\n}\n
"},{"location":"vault/config/caddy/#problemes-connus","title":"Known issues","text":"Problem Solution Safari rejects certificates Import the CA into the macOS Keychain 400 Bad Request Check that the service does not have double auth Blank page Check the WebSocket headers"},{"location":"vault/config/caddy/#fichier","title":"File","text":"

~/docker/caddy/Caddyfile

"},{"location":"vault/config/docker-stacks/","title":"Docker Stacks","text":""},{"location":"vault/config/docker-stacks/#organisation","title":"Organization","text":"

Services are organized into modular stacks:

Stack Directory Services Core ~/docker/core Caddy, Authelia, CrowdSec, Portainer, Dockge Monitoring ~/docker/monitoring Uptime Kuma, Netdata, Grafana, Loki, Promtail Media ~/docker/media Jellyfin, Transmission Productivity ~/docker/productivity Gitea, MkDocs, Vikunja, LanguageTool Homelab ~/docker/homelab Home Assistant, Watchtower Linkwarden ~/docker/linkwarden Linkwarden + PostgreSQL Outline ~/docker/outline Outline + PostgreSQL + Redis"},{"location":"vault/config/docker-stacks/#reseau","title":"Network","text":"

All containers use the external network talloires_net:

networks:\n  talloires_net:\n    external: true\n
"},{"location":"vault/config/docker-stacks/#volumes","title":"Volumes","text":""},{"location":"vault/config/docker-stacks/#volumes-nommes-prefixes","title":"Named volumes (prefixed)","text":"

Caution during migrations: Docker volumes are prefixed with the directory name.

Example: transmission_config in ~/docker/talloires becomes talloires_transmission_config.

Solution: Use external: true for existing volumes:

volumes:\n  talloires_transmission_config:\n    external: true\n
"},{"location":"vault/config/docker-stacks/#volumes-bind-mount","title":"Bind mount volumes","text":"

Prefer bind mounts for important data:

volumes:\n  - /home/lionel/docker/gitea:/data\n
"},{"location":"vault/config/docker-stacks/#commandes-utiles","title":"Useful commands","text":"
# Start a stack\ncd ~/docker/media && docker compose up -d\n\n# View logs\ndocker logs -f jellyfin\n\n# Recreate a container\ndocker compose up -d --force-recreate jellyfin\n
"},{"location":"vault/config/network/","title":"Network Architecture","text":""},{"location":"vault/config/network/#vue-densemble","title":"Overview","text":""},{"location":"vault/config/network/#composants","title":"Components","text":""},{"location":"vault/config/network/#tailscale","title":"Tailscale","text":"

Mesh VPN linking all the family's devices.

Machine Tailscale IP OS talloires 100.116.198.105 Raspberry Pi 5 (Debian) annecy 100.118.210.128 Synology DS620slim olympou 100.125.242.58 macOS pentamodi 100.78.237.78 iOS perce 100.69.7.78 tvOS (Apple TV)

Tailnet: tailfd281f.ts.net

"},{"location":"vault/config/network/#dnsmasq","title":"dnsmasq","text":"

Local DNS server on Talloires; resolves the internal domains.

Config: /etc/dnsmasq.d/tailscale.conf

Commands:

"},{"location":"vault/config/network/#cloudflared","title":"cloudflared","text":"

DNS-over-HTTPS proxy to AdGuard DNS with a personal profile.

Config: /etc/cloudflared/config.yml

Commands:

"},{"location":"vault/config/network/#configuration-tailscale-admin","title":"Tailscale Admin Configuration","text":"

In the Tailscale Admin Console \u2192 DNS \u2192 Nameservers:

This forces all Tailscale devices to use dnsmasq on Talloires.

"},{"location":"vault/config/network/#domaines","title":"Domains","text":"Domain Usage *.talloires.local Services on Talloires (recommended) *.talloires.tailfd281f.ts.net Tailscale alternative go Shlink shortcuts"},{"location":"vault/config/network/#depannage","title":"Troubleshooting","text":""},{"location":"vault/config/network/#test-resolution-dns","title":"DNS resolution test","text":"

Server: 100.116.198.105 Address: 100.116.198.105#53

Name: go Address: 100.116.198.105

Server: 100.116.198.105 Address: 100.116.198.105#53

Name: docs.talloires.local Address: 100.116.198.105

Server: 100.116.198.105 Address: 100.116.198.105#53

Non-authoritative answer: Name: google.com Address: 142.250.27.138 Name: google.com Address: 142.250.27.100 Name: google.com Address: 142.250.27.101 Name: google.com Address: 142.250.27.102 Name: google.com Address: 142.250.27.113 Name: google.com Address: 142.250.27.139

"},{"location":"vault/config/network/#services-ne-repondent-pas","title":"Services not responding","text":"
  1. Check that dnsmasq is running: sudo systemctl status dnsmasq
  2. Check that cloudflared is running: sudo systemctl status cloudflared-dns
  3. Check that Caddy is running: docker ps | grep caddy
"},{"location":"vault/config/network/#cache-dns","title":"DNS cache","text":""},{"location":"vault/config/troubleshooting/","title":"Troubleshooting","text":""},{"location":"vault/config/troubleshooting/#problemes-connus","title":"Known issues","text":""},{"location":"vault/config/troubleshooting/#certificats-ssl","title":"SSL certificates","text":"

Symptom: Safari shows \"Can't establish secure connection\"

Cause: Caddy CA not trusted by macOS

Solution:

# Export the CA\nssh lionel@10.144.221.22 \"docker exec caddy cat /data/caddy/pki/authorities/local/root.crt\" > ~/Downloads/caddy-root-ca.crt\n\n# Import into macOS\nsudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Downloads/caddy-root-ca.crt\n

"},{"location":"vault/config/troubleshooting/#gitea-oauth-500-internal-server-error","title":"Gitea OAuth \"500 Internal Server Error\"","text":"

Cause: The OAuth URL points to the internal Docker hostname

Check:

docker exec gitea sqlite3 /data/gitea/gitea.db \"SELECT cfg FROM login_source WHERE type=6;\"\n

Fix:

docker exec gitea sqlite3 /data/gitea/gitea.db \"UPDATE login_source SET cfg = REPLACE(cfg, 'http://authelia:9091', 'https://auth.talloires.local') WHERE type=6;\"\ndocker restart gitea\n

"},{"location":"vault/config/troubleshooting/#container-ne-trouve-pas-lurl-externe","title":"Container cannot reach the external URL","text":"

Cause: The container cannot resolve the name or validate the SSL certificate

Solution: Mount the Caddy CA into the container:

volumes:\n  - /home/lionel/docker/caddy-root-ca.crt:/etc/ssl/certs/caddy-root-ca.crt:ro\nenvironment:\n  - SSL_CERT_FILE=/etc/ssl/certs/caddy-root-ca.crt\n

"},{"location":"vault/config/troubleshooting/#outline-400-bad-request","title":"Outline \"400 Bad Request\"","text":"

Cause: Double authentication (Authelia + Outline OIDC)

Solution: Do not use import authelia for Outline in the Caddyfile

"},{"location":"vault/config/troubleshooting/#volumes-disparus-apres-migration","title":"Volumes missing after migration","text":"

Cause: The volume name changes with the directory (prefix)

Solution: Use external: true or list the existing volumes:

docker volume ls | grep transmission\n

"},{"location":"vault/config/troubleshooting/#home-assistant-page-blanche","title":"Home Assistant blank page","text":"

Cause: WebSocket not supported or wrong reverse proxy target

Check:

curl -s http://localhost:8123 | head -5\n

Solution: Use the container name, not the IP:

reverse_proxy homeassistant:8123\n

"},{"location":"vault/reference/commands/","title":"Useful commands","text":""},{"location":"vault/reference/commands/#docker","title":"Docker","text":"
# Status of all containers\ndocker ps -a\n\n# Logs of a service\ndocker logs -f <container>\n\n# Restart a service\ndocker restart <container>\n\n# Recreate a service (after a compose change)\ncd ~/docker/talloires && docker compose up -d <service>\n\n# Restart everything\ncd ~/docker/talloires && docker compose down && docker compose up -d\n\n# Shell into a container\ndocker exec -it <container> sh\n
"},{"location":"vault/reference/commands/#caddy","title":"Caddy","text":"
# Reload the config\ndocker exec caddy caddy reload --config /etc/caddy/Caddyfile\n\n# View logs\ndocker logs caddy -f\n\n# Validate the config\ndocker exec caddy caddy validate --config /etc/caddy/Caddyfile\n
"},{"location":"vault/reference/commands/#authelia","title":"Authelia","text":"
# Logs\ndocker logs authelia -f\n\n# Generate a password hash\ndocker exec authelia authelia crypto hash generate argon2 --password \"motdepasse\"\n\n# Generate a hash for an OIDC secret\ndocker exec authelia authelia crypto hash generate pbkdf2 --password \"secret\"\n
"},{"location":"vault/reference/commands/#backup","title":"Backup","text":"
# Run a manual backup\n~/backup-to-annecy.sh\n\n# View the log\ncat ~/backup.log\n\n# List the backups on Annecy\nsudo ssh -i /root/.ssh/id_ed25519 rsync-talloires@10.171.171.50 \"ls -lh /volume1/Backups/talloires/\"\n
"},{"location":"vault/reference/commands/#systeme","title":"System","text":"
# Disk space\ndf -h\n\n# Memory\nfree -h\n\n# CPU temperature\nvcgencmd measure_temp\n\n# systemd services\nsudo systemctl status docker\nsudo systemctl status cockpit\n\n# System logs\njournalctl -f\n
"},{"location":"vault/reference/commands/#reseau","title":"Network","text":"
# Container IPs\ndocker network inspect talloires_net | grep -A2 Name\n\n# Docker DNS test\ndocker exec caddy nslookup authelia\n\n# Connect a container to the network\ndocker network connect talloires_net <container>\n
"},{"location":"vault/reference/commands/#crowdsec","title":"CrowdSec","text":"
# Status\ndocker exec crowdsec cscli metrics\n\n# Active decisions (bans)\ndocker exec crowdsec cscli decisions list\n\n# Add a manual ban\ndocker exec crowdsec cscli decisions add --ip 1.2.3.4 --reason \"test\"\n
"},{"location":"vault/reference/commands/#certificats","title":"Certificates","text":"
# Export the Caddy CA (for clients)\ndocker exec caddy cat /data/caddy/pki/authorities/local/root.crt > caddy-ca.crt\n\n# Install on Mac\nsecurity add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db caddy-ca.crt\n
"},{"location":"vault/reference/ports/","title":"Ports used","text":""},{"location":"vault/reference/ports/#ports-exposes-accessibles-via-reseau","title":"Exposed ports (reachable over the network)","text":"Port Service Protocol Notes 80 Caddy (HTTPS redirect) TCP Redirects to 443 443 Caddy (reverse proxy) TCP Main entry point 8096 Jellyfin TCP Direct access (optional) 3030 Gitea HTTP TCP Mapped from internal 3000 2222 Gitea SSH TCP Mapped from internal 22 8123 Home Assistant TCP Host network mode 9090 Cockpit TCP System admin 1514 Syslog-ng TCP/UDP Syslog collection 51413 Transmission P2P TCP/UDP BitTorrent"},{"location":"vault/reference/ports/#ports-internes-docker-talloires_net","title":"Internal Docker ports (talloires_net)","text":"Port Service(s) Notes 3001 Uptime Kuma 3100 Loki Log aggregation 3456 Vikunja 5001 Dockge 5432 PostgreSQL Linkwarden-db, Outline-db 6379 Redis Outline-redis 8000 MkDocs 8010 LanguageTool 8080 Shlink, Shlink-web Go Links 9000 Portainer 9091 Authelia, Transmission Web 19999 Netdata"},{"location":"vault/reference/ports/#go-links","title":"Go Links","text":"

Quick access to all services via https://go/xxx

Go Link Service go/ha Home Assistant go/jf Jellyfin go/lw Linkwarden go/lt LanguageTool go/docs Documentation go/git Gitea go/auth Authelia go/grafana Grafana go/dockge Dockge go/portainer Portainer go/shlink Go Links Admin

Full list and creation of new links

"},{"location":"vault/reference/ports/#urls-par-domaine","title":"URLs by domain","text":""},{"location":"vault/reference/ports/#acces-local-talloireslocal-avec-authelia","title":"Local access (.talloires.local) - with Authelia","text":"Service URL Authentication Go Links https://go Shlink Homepage https://talloires.local Authelia Auth https://auth.talloires.local - Shlink Admin https://shlink.talloires.local Authelia Git https://git.talloires.local OIDC Authelia Jellyfin https://jellyfin.talloires.local Authelia Grafana https://grafana.talloires.local Header Auth Portainer https://portainer.talloires.local Authelia Dockge https://dockge.talloires.local Authelia Docs https://docs.talloires.local Authelia Vikunja https://vikunja.talloires.local Authelia Outline https://outline.talloires.local OIDC Authelia Linkwarden https://linkwarden.talloires.local Authelia LanguageTool https://languagetool.talloires.local Authelia Transmission https://transmission.talloires.local Authelia Netdata https://netdata.talloires.local Authelia Uptime Kuma https://uptime.talloires.local Authelia Cockpit https://cockpit.talloires.local Authelia Home Assistant https://homeassistant.talloires.local Authelia"},{"location":"vault/reference/ports/#acces-zerotier-talloirestailfd281ftsnet-sans-authelia","title":"ZeroTier access (.talloires.tailfd281f.ts.net) - without Authelia","text":"

These URLs are reachable from outside via the ZeroTier network.

Service URL Native auth Go Links https://go Shlink Vikunja https://vikunja.talloires.tailfd281f.ts.net Vikunja login Outline https://outline.talloires.tailfd281f.ts.net OIDC Authelia Linkwarden https://linkwarden.tailfd281f.ts.net Linkwarden login LanguageTool https://languagetool.talloires.tailfd281f.ts.net None (API)"},{"location":"vault/reference/ports/#reseau-zerotier","title":"ZeroTier network","text":"Server ZeroTier IP Role Talloires 10.144.221.22 Main server (Pi5) Annecy 10.144.78.193 Synology NAS (backup) Olympou 10.144.46.46 Work Mac"},{"location":"vault/reference/scripts/","title":"Maintenance scripts","text":"

Utility scripts for managing Talloires.

"},{"location":"vault/reference/scripts/#update-containerssh","title":"update-containers.sh","text":"

Updates all Docker containers by walking through the directories that contain a docker-compose file.

Location:

=== Pulling latest images ===

Usage:

"},{"location":"vault/reference/scripts/#transmission-togglesh","title":"transmission-toggle.sh","text":"

Starts/stops the Transmission container on demand (to save resources).

Location:

\ud83d\udd34 Transmission is STOPPED

Usage:

"},{"location":"vault/reference/scripts/#backup-to-annecysh","title":"backup-to-annecy.sh","text":"

Backs up the Docker configs to the Synology NAS (Annecy).

Location:

Schedule: Daily cron at 03:00

Check the backups:

"},{"location":"vault/reference/scripts/#watchtower-automatique","title":"Watchtower (automatic)","text":"

Watchtower checks for and automatically applies container updates at 04:00.

Configuration: In

Logs:

"},{"location":"vault/services-v1/authelia/","title":"Authelia - SSO","text":"

Authelia provides single sign-on (SSO) for all Talloires services.

"},{"location":"vault/services-v1/authelia/#acces","title":"Access","text":"Parameter Value URL auth.talloires.local User lionel Email dflected@dflected.org 2FA TOTP enabled"},{"location":"vault/services-v1/authelia/#matrice-de-protection-des-services","title":"Service protection matrix","text":"Service Authelia Reason docs \u2705 Internal documentation portainer \u2705 Docker admin dockge \u2705 Docker Compose admin transmission \u2705 Torrent client netdata \u2705 System monitoring grafana \u2705 Dashboards / Logs uptime \u2705 Availability monitoring cockpit \u2705 System admin languagetool \u2705 Grammar API auth \u274c It is Authelia itself git \u274c Own OIDC auth jellyfin \u274c Own auth homeassistant \u274c Own auth linkwarden \u274c Own auth vikunja \u274c Own auth outline \u274c Own OIDC auth

Note: This protection applies to both the .local AND the .tailfd281f.ts.net domains

"},{"location":"vault/services-v1/authelia/#services-avec-oauthoidc","title":"Services with OAuth/OIDC","text":"

These services use Authelia as their OpenID Connect provider:

"},{"location":"vault/services-v1/authelia/#gitea","title":"Gitea","text":"Parameter Value Client ID gitea Redirect URI https://git.talloires.local/user/oauth2/Authelia/callback Scopes openid, email, profile"},{"location":"vault/services-v1/authelia/#outline","title":"Outline","text":"Parameter Value Client ID outline Redirect URI https://outline.talloires.local/auth/oidc.callback Scopes openid, offline_access, profile, email"},{"location":"vault/services-v1/authelia/#grafana-header-auth","title":"Grafana (Header Auth)","text":"

Grafana uses header authentication via Authelia (not OIDC):

Header Value Remote-User Authenticated user Remote-Email User's email"},{"location":"vault/services-v1/authelia/#configuration","title":"Configuration","text":""},{"location":"vault/services-v1/authelia/#fichiers","title":"Files","text":"File Usage ~/docker/authelia/config/configuration.yml Main config ~/docker/authelia/config/users_database.yml User database ~/docker/authelia/config/oidc.key OIDC private key"},{"location":"vault/services-v1/authelia/#smtp-proton-mail","title":"SMTP (Proton Mail)","text":"Parameter Value Server smtp.protonmail.ch:465 Protocol Implicit TLS From Talloires dflected@dflected.org"},{"location":"vault/services-v1/authelia/#integration-caddy","title":"Caddy integration","text":""},{"location":"vault/services-v1/authelia/#snippet-forward_auth","title":"forward_auth snippet","text":"
(authelia) {\n    forward_auth authelia:9091 {\n        uri /api/authz/forward-auth\n        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name\n    }\n}\n
"},{"location":"vault/services-v1/authelia/#usage-dans-caddyfile","title":"Usage in Caddyfile","text":"
monservice.talloires.local, monservice.talloires.tailfd281f.ts.net {\n    import authelia\n    reverse_proxy backend:port\n    tls internal\n}\n
"},{"location":"vault/services-v1/authelia/#ajouter-un-client-oidc","title":"Add an OIDC client","text":"
  1. Generate the secret hash:

    docker exec authelia authelia crypto hash generate pbkdf2 --password \"mon-secret\"\n

  2. Add to configuration.yml:

    - client_id: nouveau_client\n  client_name: Mon Service\n  client_secret: \"$pbkdf2-sha512$...\"\n  public: false\n  authorization_policy: two_factor\n  redirect_uris:\n    - https://service.talloires.local/callback\n  scopes:\n    - openid\n    - email\n    - profile\n

  3. Restart Authelia:

    docker restart authelia\n

"},{"location":"vault/services-v1/authelia/#commandes-utiles","title":"Useful commands","text":"
# Logs\ndocker logs authelia -f\n\n# User password hash\ndocker exec authelia authelia crypto hash generate argon2 --password \"motdepasse\"\n\n# OIDC client secret hash\ndocker exec authelia authelia crypto hash generate pbkdf2 --password \"secret\"\n\n# Validate the configuration\ndocker exec authelia authelia validate-config\n
"},{"location":"vault/services-v1/backup/","title":"Backup","text":"

Automatic backup of Talloires to Annecy (Synology NAS).

"},{"location":"vault/services-v1/backup/#configuration","title":"Configuration","text":"Parameter Value Script ~/backup-to-annecy.sh Destination rsync-talloires@10.171.171.50:/volume1/Backups/talloires/ Method tar over SSH (rsync SUID blocked on Synology DSM 7) Schedule Daily cron at 03:00 Retention Last 7 backups Log ~/backup.log"},{"location":"vault/services-v1/backup/#donnees-sauvegardees","title":"Backed-up data","text":""},{"location":"vault/services-v1/backup/#exclusions","title":"Exclusions","text":""},{"location":"vault/services-v1/backup/#authentification-ssh","title":"SSH authentication","text":""},{"location":"vault/services-v1/backup/#commandes","title":"Commands","text":""},{"location":"vault/services-v1/backup/#lancer-un-backup-manuel","title":"Run a manual backup","text":"
~/backup-to-annecy.sh\n
"},{"location":"vault/services-v1/backup/#verifier-le-log","title":"Check the log","text":"
cat ~/backup.log\n
"},{"location":"vault/services-v1/backup/#verifier-les-backups-sur-annecy","title":"Check the backups on Annecy","text":"
sudo ssh -i /root/.ssh/id_ed25519 rsync-talloires@10.171.171.50 \"ls -lh /volume1/Backups/talloires/\"\n
"},{"location":"vault/services-v1/backup/#restaurer-un-backup","title":"Restore a backup","text":"
# On Talloires\nsudo ssh -i /root/.ssh/id_ed25519 rsync-talloires@10.171.171.50 \"cat /volume1/Backups/talloires/docker-backup-YYYYMMDD-HHMMSS.tar.gz\" | sudo tar -xzf - -C /home/lionel/\n
"},{"location":"vault/services-v1/backup/#cron","title":"Cron","text":"
# View the cron\nsudo crontab -l\n\n# Edit\nsudo crontab -e\n

Current entry:

0 3 * * * /home/lionel/backup-to-annecy.sh\n

"},{"location":"vault/services-v1/backup/#notes-techniques","title":"Notes techniques","text":"

Classic rsync does not work with Synology DSM 7 because: - rsync is SUID root on DSM - Non-admin users have no shell by default - Solution: tar over SSH works perfectly

"},{"location":"vault/services-v1/grafana/","title":"Grafana - Monitoring & Alerts","text":""},{"location":"vault/services-v1/grafana/#vue-densemble","title":"Overview","text":""},{"location":"vault/services-v1/overview/","title":"Services overview","text":""},{"location":"vault/services-v1/overview/#architecture","title":"Architecture","text":"
Client (Mac/iPhone)\n    |\n    | HTTPS (Caddy CA certificate)\n    v\n[Caddy] :443\n    |\n    +-- forward_auth --> [Authelia] :9091\n    |                         |\n    |                    (if authenticated)\n    |                         |\n    +-------------------------+\n    |\n    v\nDocker services\n
"},{"location":"vault/services-v1/overview/#services-actifs-24-containers","title":"Active services (24 containers)","text":""},{"location":"vault/services-v1/overview/#media","title":"\ud83c\udfac Media","text":"Service Container Port Description Jellyfin jellyfin 8096 Video streaming with hardware transcoding (VideoCore) Transmission transmission 9091, 51413 BitTorrent client with web UI"},{"location":"vault/services-v1/overview/#productivite","title":"\u2705 Productivity","text":"Service Container Port Description Vikunja vikunja 3456 Todoist/Trello-style task management with CalDAV Outline outline + outline-db + outline-redis 3000 Collaborative wiki with OIDC (PostgreSQL + Redis) Linkwarden linkwarden + linkwarden-db 3000 Advanced bookmark manager with archiving LanguageTool languagetool 8010 Grammar checking server (FR/EN/DE)"},{"location":"vault/services-v1/overview/#infrastructure","title":"\ud83d\udd27 Infrastructure","text":"Service Container Port Description Portainer portainer 9000 Docker management interface Dockge dockge 5001 Docker Compose interface Gitea gitea 3000, 22 Git server with Authelia SSO MkDocs mkdocs 8000 This documentation"},{"location":"vault/services-v1/overview/#monitoring","title":"\ud83d\udcca Monitoring","text":"Service Container Port Description Grafana grafana 3000 Dashboards and visualization (header auth via Authelia) Netdata netdata 19999 Real-time system monitoring Uptime Kuma uptime-kuma 3001 Service uptime monitoring Loki loki 3100 Log aggregation Promtail promtail - Log collection for Loki Syslog-ng syslog-ng 1514 Centralized syslog collection"},{"location":"vault/services-v1/overview/#domotique","title":"\ud83c\udfe0 Home Automation","text":"Service Container Port Description Home Assistant homeassistant 8123 Home automation (host network mode)"},{"location":"vault/services-v1/overview/#securite","title":"\ud83d\udd10 Security","text":"Service Container Port Description Authelia authelia 9091 SSO, 2FA, OIDC provider CrowdSec crowdsec - Collaborative IDS/IPS Caddy caddy 80, 443 Reverse proxy with automatic TLS"},{"location":"vault/services-v1/overview/#maintenance","title":"\ud83d\udd04 Maintenance","text":"Service Container Port Description Watchtower watchtower 8080 Automatic container updates (04:00)"},{"location":"vault/services-v1/overview/#repertoires-docker","title":"Docker directories","text":"
~/docker/\n\u251c\u2500\u2500 authelia/          # SSO config\n\u251c\u2500\u2500 caddy/             # Caddyfile + certificates\n\u251c\u2500\u2500 crowdsec/          # IDS config\n\u251c\u2500\u2500 dockge/            # Dockge stacks\n\u251c\u2500\u2500 docs/              # MkDocs (this doc)\n\u251c\u2500\u2500 gitea/             # Gitea config + data\n\u251c\u2500\u2500 grafana/           # Dashboards\n\u251c\u2500\u2500 homeassistant/     # HA config\n\u251c\u2500\u2500 languagetool/      # LT config\n\u251c\u2500\u2500 linkwarden/        # Linkwarden config\n\u251c\u2500\u2500 outline/           # Outline config\n\u251c\u2500\u2500 syslog-ng/         # syslog config\n\u251c\u2500\u2500 talloires/         # Main stack (docker-compose.yml)\n\u251c\u2500\u2500 uptime-kuma/       # Uptime Kuma data\n\u251c\u2500\u2500 vikunja/           # Vikunja config\n\u2514\u2500\u2500 zeronsd/           # ZeroTier DNS\n
"},{"location":"vault/services-v1/overview/#reseau","title":"Network","text":"Network Range Usage ZeroTier 10.144.0.0/16 Remote access Docker talloires_net 172.20.0.0/16 Inter-container Physical LAN 10.171.171.0/24 Local network"},{"location":"vault/services-v1/overview/#adresses-zerotier-cles","title":"Key ZeroTier addresses","text":"Server IP Talloires (Pi5) 10.144.221.22 Annecy (Synology) 10.144.78.193 Olympou (Mac) 10.144.46.46"},{"location":"vault/services-v1/overview/#stockage","title":"Storage","text":"Mount Source Usage /mnt/mediaserver USB SSD 4TB Movies, Series, Downloads, Databases ~/docker SD Card Lightweight Docker configs"},{"location":"vault/services-v1/overview/#structure-usb-mntmediaserver","title":"USB structure (/mnt/mediaserver)","text":"
/mnt/mediaserver/\n\u251c\u2500\u2500 databases/\n\u2502   \u251c\u2500\u2500 languagetool/ngrams/    # N-grams FR/EN/DE (~8GB)\n\u2502   \u2514\u2500\u2500 outline/\n\u2502       \u251c\u2500\u2500 data/               # Fichiers Outline\n\u2502       \u251c\u2500\u2500 postgres/           # PostgreSQL Outline\n\u2502       \u2514\u2500\u2500 redis/              # Redis Outline\n\u251c\u2500\u2500 downloads/                  # Transmission\n\u251c\u2500\u2500 movies/                     # Films (Jellyfin)\n\u2514\u2500\u2500 series/                     # S\u00e9ries (Jellyfin)\n
"},{"location":"vault/services-v1/overview/#backup","title":"Backup","text":"| Parameter | Value |\n|---|---|\n| Destination | Annecy (Synology) |\n| Schedule | 03:00 daily |\n| Retention | 7 days |\n| Method | tar over SSH |

See Maintenance scripts for details.

"},{"location":"vault/services-v1/overview/#maintenance-automatique","title":"Automated maintenance","text":"| Task | Schedule | Tool |\n|---|---|---|\n| Container updates | 04:00 | Watchtower |\n| Backup to Annecy | 03:00 | backup-to-annecy.sh (cron) |\n| Image cleanup | After update | docker image prune |\n\nThe backup runs one hour before Watchtower, so each 03:00 snapshot predates that day's container updates and serves as a rollback point if an update misbehaves."},{"location":"vault/services-v1/shlink/","title":"Shlink - Go Links","text":"

Shlink is a URL shortener used to create custom go-links.

"},{"location":"vault/services-v1/shlink/#acces","title":"Access","text":"| Interface | URL |\n|---|---|\n| Go Links | https://go/xxx |\n| Admin | go/shlink |"},{"location":"vault/services-v1/shlink/#go-links-disponibles","title":"Available go-links","text":"| Shortcut | Destination |\n|---|---|\n| go/ha | Home Assistant |\n| go/homeassistant | Home Assistant |\n| go/jf | Jellyfin |\n| go/jellyfin | Jellyfin |\n| go/lw | Linkwarden |\n| go/linkwarden | Linkwarden |\n| go/lt | LanguageTool |\n| go/languagetool | LanguageTool |\n| go/docs | Documentation |\n| go/git | Gitea |\n| go/auth | Authelia |\n| go/grafana | Grafana |\n| go/dockge | Dockge |\n| go/portainer | Portainer |\n| go/transmission | Transmission |\n| go/netdata | Netdata |\n| go/uptime | Uptime Kuma |\n| go/cockpit | Cockpit |\n| go/vikunja | Vikunja |\n| go/outline | Outline |\n| go/cryptpad | CryptPad |\n| go/shlink | Shlink admin |"},{"location":"vault/services-v1/shlink/#creer-un-nouveau-go-link","title":"Create a new go-link","text":""},{"location":"vault/services-v1/shlink/#via-interface-web","title":"Via web interface","text":"
  1. Go to go/shlink
  2. Click \"Create short URL\"
  3. Enter the long URL and the custom slug
"},{"location":"vault/services-v1/shlink/#via-cli","title":"Via CLI","text":"
docker exec shlink shlink short-url:create https://example.com --custom-slug=example\n
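The one-off command above is fine for a single link, but the go-links table is easier to keep in sync from a manifest. The following POSIX shell script is an added example (it is not part of the Talloires docs nor of Shlink itself): it reads slug/URL pairs, refuses slugs outside a conservative character set and non-http(s) targets (so a typo cannot create a hostile redirect), and creates each link through the same docker exec call. It assumes the container name shlink from the compose file, relies on the Shlink CLI's --find-if-exists option so that re-runs are idempotent, and the manifest at the bottom is constructed from the service hostnames documented on this site.

```shell
#!/bin/sh
# Added example: declarative go-link provisioning via the Shlink CLI.
# Assumes the container is named "shlink" (as in the compose file).

SHLINK_CONTAINER="shlink"

# Thin wrapper around the CLI; overriding this function lets you dry-run
# or test the manifest handling without Docker.
shlink_cli() {
    docker exec "$SHLINK_CONTAINER" shlink "$@"
}

# Conservative slug policy: letters, digits, '-' and '_' only, max 40 chars.
# (Shlink accepts more characters; this keeps go/<slug> predictable.)
valid_slug() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,40}$'
}

# Only http(s) targets are allowed; anything else (javascript:, file:, ...)
# is refused so a bad manifest line cannot create a hostile redirect.
valid_url() {
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "<slug> <url>" lines from stdin (blank lines and '#' comments are
# ignored) and creates each short URL. Invalid lines are reported and
# skipped; the return code is non-zero if any line was skipped or failed.
provision_go_links() {
    rc=0
    while read -r slug url extra; do
        case "$slug" in ''|'#'*) continue ;; esac
        if ! valid_slug "$slug" || ! valid_url "$url" || [ -n "$extra" ]; then
            echo "skip: invalid manifest line: $slug $url $extra" >&2
            rc=1
            continue
        fi
        # --find-if-exists returns the existing short URL on re-runs instead
        # of failing because the slug is already taken.
        if ! shlink_cli short-url:create "$url" --custom-slug="$slug" --find-if-exists; then
            echo "failed: go/$slug" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed manifest (assumed filename provision-go-links.sh); edit it to
# match the go-links table. Run with: sh provision-go-links.sh
case "${0##*/}" in
    provision-go-links.sh)
        provision_go_links <<'EOF'
# slug   destination
ha       https://homeassistant.talloires.local
docs     https://docs.talloires.local
git      https://git.talloires.local
EOF
        ;;
esac
```

Because the CLI call is isolated in shlink_cli, a dry run is one line away: redefine it as `shlink_cli() { echo "$@"; }` before sourcing the manifest and you see exactly what would be created.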
"},{"location":"vault/services-v1/shlink/#lister-tous-les-liens","title":"List all links","text":"
docker exec shlink shlink short-url:list\n
"},{"location":"vault/services-v1/shlink/#supprimer-un-lien","title":"Delete a link","text":"
docker exec shlink shlink short-url:delete <short-code>\n
"},{"location":"vault/services-v1/shlink/#configuration","title":"Configuration","text":""},{"location":"vault/services-v1/shlink/#docker-compose","title":"Docker Compose","text":"

Location: ~/docker/shlink/docker-compose.yml

services:\n  shlink:\n    image: shlinkio/shlink:stable\n    container_name: shlink\n    restart: unless-stopped\n    environment:\n      - DEFAULT_DOMAIN=go\n      - IS_HTTPS_ENABLED=true\n      - DB_DRIVER=sqlite\n    volumes:\n      - ./data:/etc/shlink/data   # SQLite database lives here\n    networks:\n      - talloires_net\n\n  shlink-web:\n    image: shlinkio/shlink-web-client:stable\n    container_name: shlink-web\n    restart: unless-stopped\n    networks:\n      - talloires_net\n\n# talloires_net is the shared Docker network of the main stack (see the\n# Network table); it is declared external so this file starts on its own.\nnetworks:\n  talloires_net:\n    external: true\n
"},{"location":"vault/services-v1/shlink/#caddy","title":"Caddy","text":"
go, go.local, go.tailfd281f.ts.net {\n    reverse_proxy shlink:8080\n    tls internal\n}\n\nshlink.talloires.local, shlink.talloires.tailfd281f.ts.net {\n    import authelia\n    reverse_proxy shlink-web:8080\n    tls internal\n}\n
The go vhost has no import authelia line, so redirects work from any browser without SSO. This also leaves Shlink's REST API (served under /rest/ by the same upstream) reachable on that host, protected only by its API keys."},{"location":"vault/services-v1/transmission/","title":"Transmission - Torrent Client","text":""},{"location":"vault/services-v1/transmission/#vue-densemble","title":"Overview","text":"

Transmission is the BitTorrent client used on Talloires, configured so that all of its traffic is routed through ProtonVPN, keeping download activity private from the ISP.

VPN configuration

Traffic from Talloires (10.171.171.7) is routed through ProtonVPN on Theseus (at the router, not inside the container), so the ISP only sees the encrypted WireGuard tunnel to ProtonVPN and never the torrent traffic itself.

"},{"location":"vault/services-v1/transmission/#informations-de-connexion","title":"Connection details","text":"| Parameter | Value |\n|---|---|\n| Local URL | http://talloires.local:9091 |\n| Tailscale URL | http://talloires.tailfd281f.ts.net:9091 |\n| Container | transmission |\n| Docker network | talloires_net |\n| Container IP | 172.20.0.17 |"},{"location":"vault/services-v1/transmission/#configuration","title":"Configuration","text":""},{"location":"vault/services-v1/transmission/#docker-compose","title":"Docker Compose","text":"
transmission:\n  image: linuxserver/transmission:latest\n  container_name: transmission\n  restart: unless-stopped\n  ports:\n    - 51413:51413          # peer port, published on the host\n    - 51413:51413/udp\n  expose:\n    - 9091                 # web UI on talloires_net only: expose does not publish\n                           # to the host, so the :9091 URLs above need a ports:\n                           # entry or a reverse proxy in front of the container\n  environment:\n    - PUID=1026\n    - PGID=100\n    - TZ=Europe/Luxembourg\n  volumes:\n    - talloires_transmission_config:/config\n    - /mnt/mediaserver/downloads:/downloads\n  networks:\n    - talloires_net\n
"},{"location":"vault/services-v1/transmission/#verification-vpn","title":"VPN check","text":"

Transmission's traffic goes out through ProtonVPN:

# Check Transmission's public IP\ndocker exec transmission sh -c \"curl -s ipinfo.io\"\n

Expected result:

{\n  \"ip\": \"5.253.204.205\",\n  \"city\": \"Brussels\",\n  \"country\": \"BE\",\n  \"org\": \"AS9009 M247 Europe SRL\"\n}\n

IP different from the ISP's

The ISP's own address is 87.240.228.220 (POST Luxembourg). If Transmission reports that address, the VPN is not working and torrent traffic is reaching the ISP directly.

"},{"location":"vault/services-v1/transmission/#script-de-controle","title":"Control script","text":"

A management script is available to start and stop Transmission easily.

"},{"location":"vault/services-v1/transmission/#emplacement","title":"Location","text":"
/home/lionel/scripts/transmission-control.sh\n
"},{"location":"vault/services-v1/transmission/#utilisation","title":"Usage","text":"
# Stop Transmission\n~/scripts/transmission-control.sh stop\n\n# Start Transmission\n~/scripts/transmission-control.sh start\n\n# Restart Transmission\n~/scripts/transmission-control.sh restart\n\n# Show status and statistics\n~/scripts/transmission-control.sh status\n
"},{"location":"vault/services-v1/transmission/#exemple-de-sortie","title":"Sample output","text":"
$ ~/scripts/transmission-control.sh status\n=== Transmission Status ===\n1b69f36ee669   linuxserver/transmission:latest   Up 3 days   transmission\n\n=== Network Stats ===\nCONTAINER ID   NAME          CPU %    MEM USAGE / LIMIT   NET I/O\n1b69f36ee669   transmission  0.05%    45MiB / 7.68GiB     16.8GB / 813MB\n
"},{"location":"vault/services-v1/transmission/#monitoring","title":"Monitoring","text":""},{"location":"vault/services-v1/transmission/#verifier-letat-du-tunnel-vpn","title":"Check the VPN tunnel state","text":"

On Theseus:

# Show WireGuard tunnel statistics\nssh -l root theseus.local 'wg show wgclt1'\n
"},{"location":"vault/services-v1/transmission/#logs-transmission","title":"Transmission logs","text":"
# Follow logs in real time\ndocker logs -f transmission\n\n# Last 50 lines\ndocker logs transmission --tail 50\n
"},{"location":"vault/services-v1/transmission/#depannage","title":"Troubleshooting","text":""},{"location":"vault/services-v1/transmission/#transmission-ne-telecharge-pas","title":"Transmission is not downloading","text":"
  1. Check that the VPN is up:

    # while traffic is flowing, the latest handshake should be at most a couple of minutes old (WireGuard rekeys roughly every 2 minutes)\n    ssh -l root theseus.local 'wg show wgclt1 | grep handshake'\n

  2. Check Transmission's public IP:

    # ipinfo.io/ip returns only the address; it must not be the ISP's 87.240.228.220\n    docker exec transmission sh -c \"curl -s ipinfo.io/ip\"\n

  3. Restart Transmission:

    ~/scripts/transmission-control.sh restart\n
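The VPN check and the first two troubleshooting steps above are the same test done by hand; the following POSIX shell script is an added example (not from the Talloires docs) that turns them into a fail-closed check suitable for cron. It fetches Transmission's egress address with the same docker exec / ipinfo.io call, compares it with the ISP address 87.240.228.220 documented above, stops the container if the egress is the ISP's address, and reports UNKNOWN when no usable answer comes back, which is what the router-level kill switch described under Security looks like from inside the container. The container name and ISP address come from this page; the script name vpn-check.sh, the 10-second timeout, the cron line and the choice to call docker stop rather than transmission-control.sh are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed VPN egress check for the Transmission container.
# Assumes the container is named "transmission" (compose file above) and that
# curl is available inside it (it is in the linuxserver image used here).

ISP_IP="87.240.228.220"      # POST Luxembourg address documented above
CONTAINER="transmission"

# Pull the "ip" field out of ipinfo.io's JSON with sed only (no jq needed
# inside a minimal container). Prints nothing if the field is absent.
extract_ip() {
    sed -n 's/.*"ip": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Pure decision logic, kept apart from Docker/network access so it can be
# tested offline. Return codes: 0 = VPN OK, 1 = LEAK (ISP address seen),
# 2 = UNKNOWN (empty or malformed answer: no connectivity / kill switch).
classify_egress_ip() {
    ip="$1"
    [ -n "$ip" ] || return 2
    printf '%s' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 2
    [ "$ip" != "$ISP_IP" ] || return 1
    return 0
}

# Same call as the manual check above, with a timeout so a dead tunnel
# yields UNKNOWN quickly instead of hanging the cron job.
fetch_egress_ip() {
    docker exec "$CONTAINER" sh -c 'curl -s --max-time 10 ipinfo.io' 2>/dev/null | extract_ip
}

main() {
    ip="$(fetch_egress_ip)"
    rc=0
    classify_egress_ip "$ip" || rc=$?
    case $rc in
        0) echo "OK: Transmission egress is $ip (not the ISP address)" ;;
        1) echo "LEAK: Transmission egress is the ISP address $ip; stopping container" >&2
           docker stop "$CONTAINER" >/dev/null ;;
        2) echo "UNKNOWN: no usable answer from ipinfo.io (tunnel down or kill switch engaged?)" >&2 ;;
    esac
    return $rc
}

# Run the check only when invoked as a script (assumed name vpn-check.sh),
# e.g. from cron next to transmission-control.sh:
#   */15 * * * * /home/lionel/scripts/vpn-check.sh
case "${0##*/}" in vpn-check.sh) main ;; esac
```

The exit code distinguishes a confirmed leak (1) from a tunnel that is simply down (2): only the first warrants stopping the container, since with the kill switch in place the second already means no traffic is leaving.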

"},{"location":"vault/services-v1/transmission/#vitesse-lente","title":"Slow speeds","text":"

Routing through the VPN can reduce throughput. Check:

  1. Tunnel latency:

    ssh -l root theseus.local 'ping -c 3 10.2.0.1'  # VPN gateway\n

  2. CPU load on Talloires:

    docker stats transmission --no-stream\n

"},{"location":"vault/services-v1/transmission/#securite","title":"Security","text":""},{"location":"vault/services-v1/transmission/#isolation-reseau","title":"Network isolation","text":"

Talloires is configured as a DMZ:

"},{"location":"vault/services-v1/transmission/#kill-switch","title":"Kill Switch","text":"

If the VPN goes down, Talloires loses Internet access entirely (there is no fallback to the ISP IP), so no torrent traffic can leak out over the ISP connection.

"},{"location":"vault/services-v1/transmission/#ressources","title":"Resources","text":""}]}