202601docs/docs/infra/overview.md

# Infrastructure Talloires v2.0

Documentation de l'infrastructure réseau, VPN, DNS, et backups.

---

## 🖥️ Serveurs

### Talloires (Production)
- **Type**: Raspberry Pi 5 (8GB RAM)
- **OS**: Raspberry Pi OS (Debian 12)
- **IP Tailscale**: `100.116.198.105`
- **Hostname**: `talloires.tailfd281f.ts.net`
- **Rôle**: Serveur principal (Docker)

### Annecy (Storage)
- **Type**: Synology DS620slim
- **OS**: DSM 7.x
- **IP Tailscale**: `100.69.227.96`
- **Hostname**: `annecy.tailfd281f.ts.net`
- **Rôle**: NAS, Backups

### Theseus (Network)
- **Type**: UniFi Dream Router 7
- **Rôle**: Gateway, Firewall, DHCP

---

## 🐳 Outils Docker Management

### 🎨 Arcane - Web UI

**URL**: [go/arcane](https://go/arcane)  
**License**: BSD-3-Clause  
**Status**: ✅ Opérationnel

**Fonctionnalités:**
- Gestion containers, images, volumes, networks
- Docker Compose templates & projects
- Monitoring temps réel (CPU/RAM)
- Interface moderne & responsive
- Multi-serveurs (via agents)

**Usage:**
```bash
# Accès web
https://go/arcane

# Credentials par défaut
Username: arcane
Password: arcane-admin
```

**Alternative à:** Portainer (proprietary), Dockge (unstable)

---

### 📋 Dozzle - Logs Viewer

**URL**: [go/logs](https://go/logs)  
**License**: MIT  
**Status**: ✅ Opérationnel

**Fonctionnalités:**
- Real-time log streaming
- Multi-container view
- Search & filter
- Ultra-léger (~30 MB RAM)
- Aucune base de données

**Usage:**
```bash
# Accès web
https://go/logs

# Pas d'authentification requise (Tailscale VPN only)
```

**Use cases:** Debug, troubleshooting, monitoring logs

---

### ⚡ Lazydocker - Terminal UI

**License**: MIT  
**Status**: ✅ Installé sur Talloires & Annecy  
**Version**: 0.24.3

**Installation:**
```bash
# Talloires
lazydocker --version
# Location: /usr/local/bin/lazydocker

# Annecy (Synology)
~/.local/bin/lazydocker --version
```

**Fonctionnalités:**
- TUI (Terminal User Interface)
- Stats en temps réel (CPU/RAM)
- Logs interactifs
- Actions rapides (start/stop/restart)
- Fonctionne via SSH

**Usage:**
```bash
# Sur Talloires
ssh lionel@talloires.local
lazydocker

# Sur Annecy
ssh lionel@100.69.227.96
~/.local/bin/lazydocker
```

**Navigation:**
- `↑/↓`: Sélection
- `Enter`: Actions
- `l`: Logs
- `e`: Exec shell
- `q`: Quitter

---

### 📊 Comparaison Outils

| Feature | Arcane | Dozzle | Lazydocker |
|---------|--------|--------|------------|
| **Type** | Web UI | Web UI | TUI |
| **Containers** | ✅ Full mgmt | ❌ View only | ✅ Full mgmt |
| **Logs** | ✅ | ✅ | ✅ |
| **Compose** | ✅ Templates | ❌ | ✅ View |
| **Stats** | ✅ | ❌ | ✅ |
| **Remote** | ✅ Multi-host | ❌ Single | ❌ Single |
| **SSH** | ❌ | ❌ | ✅ Works |
| **RAM** | ~100 MB | ~30 MB | ~50 MB |

**Recommandations:**
- **Arcane**: Gestion quotidienne, templates, multi-serveurs
- **Dozzle**: Quick log inspection, debugging
- **Lazydocker**: SSH access, TUI lovers, remote management

---

## 🌐 Réseau

### Tailscale VPN
- **Type**: WireGuard mesh VPN
- **MagicDNS**: Désactivé (dnsmasq preferred)
- **Subnet**: `100.64.0.0/10`

### DNS Local (dnsmasq)
**Config**: `/etc/dnsmasq.d/tailscale.conf`

```
# Machines
address=/talloires.local/100.116.198.105
address=/annecy.local/100.69.227.96

# Wildcards
address=/.talloires.local/100.116.198.105

# Go-links
address=/go/100.116.198.105

# Upstream DNS
server=127.0.0.1#5053
```

### AdGuard DNS (DoH)
- **Port**: 5053
- **Upstream**: AdGuard DNS-over-HTTPS
- **Config**: `cloudflared` tunnel

---

## 🔐 VPN Tunnel (ProtonVPN)

### Configuration WireGuard
- **Server**: Luxembourg (LU#44)
- **Public IP**: 5.253.204.190
- **Endpoint**: 5.253.204.162:51820
- **Config**: `/home/lionel/talloires-v2/transmission/wireguard/wg0.conf`

### Kill-Switch
Transmission utilise `network_mode: service:wireguard` → Impossible de leak l'IP réelle.

### Monitoring VPN
- Vérification automatique IP publique
- Alertes Telegram si VPN down (<30s)
- Health checks Docker

---

## 💾 Backups

### Structure NFS
```
/mnt/annecy/talloires/
├── migration-v2/                     # Backups migration
│   ├── jellyfin-config-*.tar.gz     # 2.3 GB
│   ├── gitea-data-*.tar.gz          # Repos Git
│   ├── mkdocs-v1-archive-*.tar.gz   # 12 KB
│   └── critical-configs-*.tar.gz    # 3.5 KB
└── daily/                            # Backups quotidiens (TODO)
```

### NFS Mount
```bash
sudo mount -t nfs 100.69.227.96:/volume1/talloires /mnt/annecy -o rw,hard,intr,rsize=8192,wsize=8192
```

**Fstab**:
```
100.69.227.96:/volume1/talloires /mnt/annecy nfs rw,hard,intr,rsize=8192,wsize=8192 0 0
```

### Backup Automatique (Cron)
TODO: Mettre à jour cron pour v2.0 structure.

---

## 🔒 Sécurité

### Firewall (UFW)
```bash
sudo ufw status
```

Ports ouverts:
- 80, 443: HTTP/HTTPS (Caddy)
- 2222: SSH Gitea
- 8096: Jellyfin (direct access)
- 22: SSH (Tailscale only)

### Certificats HTTPS
- **CA**: Caddy Local Authority
- **Cert**: `/data/caddy/pki/authorities/local/root.crt`
- **Installation**: Importer dans macOS Keychain → Always Trust

### Accès
- Tailscale VPN uniquement
- Pas d'exposition Internet directe
- SSH keys only (no password)

---

## 📊 Monitoring

### Stack Monitoring

**Netdata** - System metrics
- **URL**: `https://go/net`
- **Métriques**: CPU, RAM, Disk, Network, Docker
- **Alertes**: À configurer (optionnel)

**Arcane** - Docker monitoring
- **URL**: `https://go/arcane`
- **Métriques**: Containers stats (CPU/RAM)
- **Features**: Dashboard, projects, logs

**Dozzle** - Logs viewer
- **URL**: `https://go/logs`
- **Features**: Real-time logs, search, filter

**Lazydocker** - Terminal monitoring
```bash
ssh lionel@talloires.local
lazydocker
```

### Docker Health Checks
Tous les containers ont des health checks configurés.

### Logs
```bash
# CLI
docker logs <container>
docker logs <container> --follow
docker logs <container> --tail 100

# Web UI (Dozzle)
https://go/logs

# TUI (Lazydocker)
lazydocker
```

---

## 🛠️ Maintenance

### Docker Management

**Via Arcane (Web):**
```
https://go/arcane
→ Containers → Start/Stop/Restart
→ Images → Pull/Delete
→ Projects → Manage Compose stacks
```

**Via Lazydocker (TUI):**
```bash
ssh lionel@talloires.local
lazydocker
# Navigate avec arrows, Enter pour actions
```

**Via CLI:**
```bash
# Update containers
cd /home/lionel/talloires-v2/core
docker compose pull
docker compose up -d

# Restart service
docker restart <container>

# View logs
docker logs <container> --tail 100
```

### Backup Manuel
```bash
# Jellyfin
tar -czf /mnt/annecy/talloires/manual/jellyfin-$(date +%Y%m%d).tar.gz \\
  /home/lionel/talloires-v2/jellyfin/config

# Gitea
tar -czf /mnt/annecy/talloires/manual/gitea-$(date +%Y%m%d).tar.gz \\
  /home/lionel/talloires-v2/gitea/

# Arcane database
tar -czf /mnt/annecy/talloires/manual/arcane-$(date +%Y%m%d).tar.gz \\
  /home/lionel/talloires-v2/docker-mgmt/arcane-data
```

### Restart Services
```bash
docker restart <container>
docker compose restart
```

---

## 📁 Fichiers de Configuration

### Docker Management
```
/home/lionel/talloires-v2/docker-mgmt/
├── docker-compose.yml      # Arcane + Dozzle
└── arcane-data/           # Arcane database
```

### Caddy
```
/home/lionel/talloires-v2/caddy/
├── Caddyfile             # Reverse proxy config
└── Caddyfile.backup-*    # Backups automatiques
```

### Services
```
/home/lionel/talloires-v2/
├── core/                 # Caddy, Shlink
├── jellyfin/            # Media server
├── transmission/        # BitTorrent + WireGuard
├── gitea/              # Git hosting
├── homeassistant/      # Domotique
├── mkdocs/             # Documentation
├── netdata/            # Monitoring
├── signal-api/         # Notifications
└── docker-mgmt/        # Arcane + Dozzle
```

---

*Voir [Services](../services/overview.md) pour configuration applicative.*

*Dernière mise à jour: 31 décembre 2025*