# deployment.md — Mesh Deployment (self-hosted)
## 1. Components

- mesh-server (FastAPI + WebSocket)
- coturn (TURN): relay fallback for peers behind strict NAT
- gotify (notifications)
- (optional) reverse proxy (Caddy/Nginx) + TLS
## 2. Environment variables (example)

- MESH_PUBLIC_URL=https://mesh.example.com
- MESH_JWT_SECRET=...
- GOTIFY_URL=https://gotify.example.com
- GOTIFY_TOKEN=...
- TURN_HOST=turn.example.com
- TURN_PORT=3478
- TURN_USER=mesh
- TURN_PASS=...
## 3. docker-compose (example)

Place this in infra/docker-compose.yml. The `${...}` references are resolved from the environment or an `.env` file next to the compose file.

```yaml
services:
  mesh-server:
    build: ../server
    environment:
      - MESH_JWT_SECRET=${MESH_JWT_SECRET}
      - GOTIFY_URL=${GOTIFY_URL}
      - GOTIFY_TOKEN=${GOTIFY_TOKEN}
      - TURN_URL=${TURN_URL}
      - STUN_URL=${STUN_URL}
    ports:
      - "8000:8000"
    restart: unless-stopped

  coturn:
    image: coturn/coturn:latest
    # Runs on the host network so the relay port range is reachable directly.
    command: >
      -n --log-file=stdout
      --external-ip=${TURN_EXTERNAL_IP}
      --realm=${TURN_REALM}
      --user=${TURN_USER}:${TURN_PASS}
      --listening-port=3478
      --min-port=49160 --max-port=49200
      --fingerprint --lt-cred-mech
      --no-multicast-peers --no-cli
    network_mode: "host"
    restart: unless-stopped

  gotify:
    image: gotify/server:latest
    environment:
      # Example default credentials only; change them before exposing the UI.
      - GOTIFY_DEFAULTUSER_NAME=admin
      - GOTIFY_DEFAULTUSER_PASS=adminadmin
    ports:
      - "8080:80"
    volumes:
      - gotify_data:/app/data
    restart: unless-stopped

volumes:
  gotify_data:
```
## 4. TURN notes

- TURN can become “heavy” (bandwidth and CPU on the server) if many peers fall back to relay.
- Plan for traffic monitoring and quotas.
- Temporary (short-lived) credentials recommended (V1+).
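The temporary-credentials recommendation above is usually implemented with the TURN REST API scheme that coturn supports via `--use-auth-secret --static-auth-secret=<secret>` instead of the static `--user=` shown in the compose example. The following is an added illustration, not part of the project's code: the mesh-server side mints a credential whose username carries an expiry timestamp and whose password is base64(HMAC-SHA1(secret, username)), and a verifier mirrors what coturn checks. The `static_secret` value and the `ice_servers_for` helper are assumptions for the example.

```python
"""Ephemeral TURN credentials (TURN REST API style, as used by coturn --use-auth-secret)."""
import base64
import hashlib
import hmac
import time
from typing import Optional


def _turn_password(static_secret: str, username: str) -> str:
    # coturn derives the password as base64(HMAC-SHA1(static-auth-secret, username)).
    digest = hmac.new(static_secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(static_secret: str, user_id: str,
                          ttl_seconds: int = 3600, now: Optional[int] = None) -> dict:
    """Mint a credential valid for ttl_seconds. Username format is '<expiry>:<user_id>'."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl_seconds}:{user_id}"
    return {"username": username, "password": _turn_password(static_secret, username),
            "ttl": ttl_seconds}


def verify_turn_credentials(static_secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Server-side check equivalent to coturn's: unexpired timestamp and matching HMAC."""
    now = int(time.time()) if now is None else now
    expiry_str, sep, _ = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False
    if int(expiry_str) <= now:
        return False  # expired credential; a leaked one stops working on its own
    return hmac.compare_digest(_turn_password(static_secret, username), password)


def ice_servers_for(static_secret: str, user_id: str, turn_url: str, stun_url: str) -> list:
    """Build the iceServers list a client would receive from /api (assumed endpoint)."""
    cred = make_turn_credentials(static_secret, user_id)
    return [
        {"urls": [stun_url]},
        {"urls": [turn_url], "username": cred["username"], "credential": cred["password"]},
    ]


if __name__ == "__main__":
    # Constructed sample values, not real deployment secrets.
    servers = ice_servers_for("example-static-secret", "alice",
                              "turn:turn.example.com:3478", "stun:turn.example.com:3478")
    print(servers)
```

The client passes the returned list straight into `RTCPeerConnection({ iceServers })`; when the timestamp in the username is in the past, coturn rejects the allocation, which is what limits the blast radius of a leaked credential.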
## 5. Reverse proxy + TLS (recommended)

- Terminate TLS at the proxy (Caddy/Nginx).
- Forward:
  - /api → mesh-server
  - /ws → mesh-server (WebSocket upgrade)
- TURN: ideally a dedicated domain (turn.example.com) with its ports open.
## 6. Network ports

- Mesh Server: 443 (TLS) / 80 (redirect)
- TURN: 3478 UDP/TCP + UDP relay range (e.g. 49160-49200)
- Gotify: 443/80 (if exposed), otherwise LAN only
## 7. Health checks

- /health on mesh-server
- gotify UI reachable
- ICE test: check that host, srflx and relay candidates are gathered
## 8. Operations

- Back up:
  - mesh DB (sqlite or postgres)
  - gotify_data
- Log rotation