322c0bd668
- dnsmasq on Annecy (Synology) as DNS slave - network_mode: host + bind-interfaces for Synology OVS - Document architecture in network.md - Config files in configs/annecy-dns/
142 lines
3.1 KiB
Markdown
142 lines
3.1 KiB
Markdown
# Réseau & Accès
|
|
|
|
## Tailscale VPN
|
|
|
|
Tailscale remplace ZeroTier depuis décembre 2025 pour le mesh VPN.
|
|
|
|
### Configuration
|
|
|
|
| Machine | IP Tailscale | Hostname |
|
|
|---------|--------------|----------|
|
|
| Talloires (RPi5) | 10.171.171.1 | talloires.tailfd281f.ts.net |
|
|
| Annecy (Synology) | 10.171.171.50 | annecy.tailfd281f.ts.net |
|
|
| Mac Lionel | 100.x.x.x | (dynamique) |
|
|
|
|
### DNS MagicDNS
|
|
|
|
Tailscale fournit la résolution DNS automatique :
|
|
|
|
```
|
|
*.talloires.tailfd281f.ts.net → Services Talloires
|
|
```
|
|
|
|
### Accès aux services
|
|
|
|
Tous les services sont accessibles via deux domaines :
|
|
|
|
| Type | Domaine | Exemple |
|
|
|------|---------|---------|
|
|
| LAN | `*.talloires.local` | `jellyfin.talloires.local` |
|
|
| Tailscale | `*.talloires.tailfd281f.ts.net` | `jellyfin.talloires.tailfd281f.ts.net` |
|
|
|
|
## Accès LAN
|
|
|
|
### Prérequis
|
|
|
|
1. **Certificat CA Caddy** installé sur le client
|
|
2. **DNS local** configuré (dnsmasq ou /etc/hosts)
|
|
|
|
### Installation du certificat
|
|
|
|
```bash
|
|
# Sur Talloires
|
|
docker exec caddy cat /data/caddy/pki/authorities/local/root.crt > caddy-root.crt
|
|
|
|
# Sur Mac
|
|
sudo security add-trusted-cert -d -r trustRoot \
|
|
-k /Library/Keychains/System.keychain caddy-root.crt
|
|
```
|
|
|
|
### Configuration DNS
|
|
|
|
Option 1 : **dnsmasq** sur le routeur
|
|
```
|
|
address=/talloires.local/10.171.171.7
|
|
```
|
|
|
|
Option 2 : **/etc/hosts** sur chaque client
|
|
```
|
|
10.171.171.7 jellyfin.talloires.local
|
|
10.171.171.7 git.talloires.local
|
|
10.171.171.7 homeassistant.talloires.local
|
|
# etc.
|
|
```
|
|
|
|
## Ports exposés
|
|
|
|
| Port | Service | Protocole |
|
|
|------|---------|-----------|
|
|
| 443 | Caddy (HTTPS) | TCP |
|
|
| 80 | Caddy (HTTP → HTTPS) | TCP |
|
|
| 2222 | Gitea SSH | TCP |
|
|
| 8123 | Home Assistant (interne) | TCP |
|
|
|
|
## Sécurité
|
|
|
|
### Authelia SSO
|
|
|
|
La plupart des services sont protégés par Authelia :
|
|
|
|
```
|
|
Client → Caddy → Authelia → Service
|
|
```
|
|
|
|
Services protégés par Authelia :
|
|
- Transmission
|
|
- Netdata
|
|
- Dozzle
|
|
- Cockpit
|
|
|
|
Services avec auth propre (bypass Authelia) :
|
|
- Jellyfin (auth interne)
|
|
- Gitea (OIDC via Authelia)
|
|
- Home Assistant (auth interne)
|
|
- Arcane (désactivé temporairement)
|
|
|
|
### ProtonVPN (WireGuard)
|
|
|
|
Transmission utilise un tunnel WireGuard vers ProtonVPN :
|
|
|
|
```
|
|
Transmission → WireGuard container → ProtonVPN → Internet
|
|
↓
|
|
Kill switch intégré
|
|
(network_mode: service:wireguard)
|
|
```
|
|
|
|
Vérification IP :
|
|
```bash
|
|
# IP Transmission (doit être ProtonVPN)
|
|
docker exec transmission curl -s ifconfig.me
|
|
|
|
# IP locale
|
|
curl -s ifconfig.me
|
|
```
|
|
|
|
## DNS Redondant
|
|
|
|
### Architecture
|
|
|
|
| Serveur | IP | Rôle | Upstream |
|
|
|---------|-----|------|----------|
|
|
| Talloires | 100.116.198.105 | Primaire | AdGuard DoH |
|
|
| Annecy | 10.171.171.50 | Secondaire | Talloires → 1.1.1.1 |
|
|
|
|
### Configuration
|
|
|
|
**Talloires** (`/etc/dnsmasq.d/tailscale.conf`):
|
|
- Écoute: 127.0.0.1, 100.116.198.105
|
|
- Forward: cloudflared (AdGuard DoH)
|
|
|
|
**Annecy** (`/volume1/docker/dnsmasq/`):
|
|
- Container: `andyshinn/dnsmasq`
|
|
- Mode: `network_mode: host` + `bind-interfaces`
|
|
- Écoute: 10.171.171.50, 10.171.171.51
|
|
- Forward: Talloires → 1.1.1.1 → 8.8.8.8
|
|
|
|
### Test
|
|
```bash
|
|
dig @10.171.171.50 talloires.local +short # Annecy
|
|
dig @100.116.198.105 go +short # Talloires
|
|
```
|