# 📄 deployment.md — Mesh Deployment (self-hosted)

## 1. Components

- mesh-server (FastAPI + WS)
- coturn (TURN) — fallback for strict NAT
- gotify (notifications)
- (optional) reverse proxy (Caddy/Nginx) + TLS

## 2. Environment variables (example)

- MESH_PUBLIC_URL=https://mesh.example.com
- MESH_JWT_SECRET=...
- GOTIFY_URL=https://gotify.example.com
- GOTIFY_TOKEN=...
- TURN_HOST=turn.example.com
- TURN_PORT=3478
- TURN_USER=mesh
- TURN_PASS=...

The compose file below also reads TURN_URL, STUN_URL, TURN_EXTERNAL_IP and TURN_REALM; set them alongside the variables above.

## 3. docker-compose (example)

Put this in `infra/docker-compose.yml`.

```yaml
services:
  mesh-server:
    build: ../server
    environment:
      - MESH_JWT_SECRET=${MESH_JWT_SECRET}
      - GOTIFY_URL=${GOTIFY_URL}
      - GOTIFY_TOKEN=${GOTIFY_TOKEN}
      - TURN_URL=${TURN_URL}
      - STUN_URL=${STUN_URL}
    ports:
      - "8000:8000"
    restart: unless-stopped

  coturn:
    image: coturn/coturn:latest
    command: >
      -n --log-file=stdout
      --external-ip=${TURN_EXTERNAL_IP}
      --realm=${TURN_REALM}
      --user=${TURN_USER}:${TURN_PASS}
      --listening-port=3478
      --min-port=49160 --max-port=49200
      --fingerprint --lt-cred-mech
      --no-multicast-peers --no-cli
    network_mode: "host"
    restart: unless-stopped

  gotify:
    image: gotify/server:latest
    environment:
      - GOTIFY_DEFAULTUSER_NAME=admin
      - GOTIFY_DEFAULTUSER_PASS=adminadmin   # initial password only; change it on first login
    ports:
      - "8080:80"
    volumes:
      - gotify_data:/app/data
    restart: unless-stopped

volumes:
  gotify_data:
```

## 4. TURN notes

- TURN can become "heavy" if many peers fall back to relay.
- Plan traffic monitoring + quotas.
- Temporary credentials (V1+) recommended.

## 5. Reverse proxy + TLS (recommended)

- Terminate TLS at the proxy (Caddy/Nginx).
- Forward:
  - /api → mesh-server
  - /ws → mesh-server (websocket upgrade)
- TURN: ideally a dedicated domain (turn.example.com) + open ports.

## 6. Network ports

- Mesh Server: 443 (TLS) / 80 (redirect)
- TURN: 3478 UDP/TCP + UDP range (e.g. 49160-49200)
- Gotify: 443/80 (if exposed), otherwise LAN only

## 7. Health checks

- /health on mesh-server
- gotify UI reachable
- ICE test: check host/srflx/relay candidates

## 8. Operations

- Back up:
  - mesh DB (if sqlite/postgres)
  - gotify_data
- Log rotation
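Section 4 recommends temporary TURN credentials instead of the static `TURN_USER`/`TURN_PASS` pair from the compose file. The following is an added example, not code from this project, showing the coturn "TURN REST API" convention that mesh-server could use to issue such credentials: the username carries a Unix expiry timestamp, and the password is an HMAC-SHA1 over that username keyed with a secret shared only with coturn. It assumes a hypothetical `STATIC_AUTH_SECRET` value and reuses the example `TURN_HOST`/`TURN_PORT` from section 2; the second function mirrors the check coturn performs so the issuing side can be unit-tested offline.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed example values. In the real deployment TURN_HOST/TURN_PORT come
# from the environment (section 2) and the secret is a long random string shared
# with coturn via --static-auth-secret; never reuse TURN_PASS for this.
TURN_HOST = "turn.example.com"
TURN_PORT = 3478
STATIC_AUTH_SECRET = "REPLACE-WITH-LONG-RANDOM-SECRET"  # placeholder, not a real secret


def _hmac_sha1_b64(secret: str, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)), the password format coturn expects."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(user: str, secret: str, ttl: int = 3600,
                          now: Optional[int] = None) -> dict:
    """Issue time-limited TURN credentials for one client.

    username   = "<unix expiry>:<user id>"
    credential = base64(HMAC-SHA1(secret, username))

    coturn (started with --use-auth-secret --static-auth-secret=<secret>)
    recomputes the HMAC and rejects the pair once the expiry has passed, so a
    leaked credential stops working on its own after `ttl` seconds.
    """
    if now is None:
        now = int(time.time())
    expiry = now + ttl
    username = f"{expiry}:{user}"
    return {
        "urls": [
            f"turn:{TURN_HOST}:{TURN_PORT}?transport=udp",
            f"turn:{TURN_HOST}:{TURN_PORT}?transport=tcp",
        ],
        "username": username,
        "credential": _hmac_sha1_b64(secret, username),
        "ttl": ttl,
    }


def verify_turn_credentials(username: str, credential: str, secret: str,
                            now: Optional[int] = None) -> bool:
    """Mirror of coturn's check: well-formed username, not expired, HMAC matches."""
    if now is None:
        now = int(time.time())
    expiry_str, sep, _user = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False
    if int(expiry_str) <= now:
        return False
    expected = _hmac_sha1_b64(secret, username)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, credential)


if __name__ == "__main__":
    creds = make_turn_credentials("alice", STATIC_AUTH_SECRET, ttl=600)
    print(creds)
    print("valid now:", verify_turn_credentials(creds["username"], creds["credential"], STATIC_AUTH_SECRET))
```

To pair this with the compose file, replace `--user=${TURN_USER}:${TURN_PASS}` and `--lt-cred-mech` in the coturn command with `--use-auth-secret --static-auth-secret=${TURN_SECRET}` (both are standard coturn options) and keep `--realm` as it is; mesh-server then hands each authenticated client a fresh credential object (the `urls`/`username`/`credential` keys match what WebRTC's `RTCIceServer` expects) instead of a shared long-lived password.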