first
@@ -0,0 +1,93 @@
# 📄 deployment.md — Mesh Deployment (self-hosted)
## 1. Composants
- mesh-server (FastAPI + WS)
- coturn (TURN) — fallback NAT strict
- gotify (notifications)
- (optionnel) reverse proxy (Caddy/Nginx) + TLS
## 2. Variables d’environnement (exemple)
- MESH_PUBLIC_URL=https://mesh.example.com
- MESH_JWT_SECRET=...
- GOTIFY_URL=https://gotify.example.com
- GOTIFY_TOKEN=...
- TURN_HOST=turn.example.com
- TURN_PORT=3478
- TURN_USER=mesh
- TURN_PASS=...
## 3. docker-compose (exemple)
Placez ceci dans `infra/docker-compose.yml`.
services:
mesh-server:
build: ../server
environment:
- MESH_JWT_SECRET=${MESH_JWT_SECRET}
- GOTIFY_URL=${GOTIFY_URL}
- GOTIFY_TOKEN=${GOTIFY_TOKEN}
- TURN_URL=${TURN_URL}
- STUN_URL=${STUN_URL}
ports:
- "8000:8000"
restart: unless-stopped
coturn:
image: coturn/coturn:latest
command: >
-n
--log-file=stdout
--external-ip=${TURN_EXTERNAL_IP}
--realm=${TURN_REALM}
--user=${TURN_USER}:${TURN_PASS}
--listening-port=3478
--min-port=49160 --max-port=49200
--fingerprint
--lt-cred-mech
--no-multicast-peers
--no-cli
network_mode: "host"
restart: unless-stopped
gotify:
image: gotify/server:latest
environment:
- GOTIFY_DEFAULTUSER_NAME=admin
- GOTIFY_DEFAULTUSER_PASS=adminadmin
ports:
- "8080:80"
volumes:
- gotify_data:/app/data
restart: unless-stopped
volumes:
gotify_data:
## 4. Notes TURN
- TURN peut devenir “lourd” si beaucoup de pairs passent en relay.
- Prévoir monitoring trafic + quotas.
- Credentials temporaires (V1+) recommandé.
## 5. Reverse proxy + TLS (recommandé)
- Terminer TLS au proxy (Caddy/Nginx).
- Forward:
- /api → mesh-server
- /ws → mesh-server (upgrade websocket)
- TURN: idéalement domaine dédié (turn.example.com) + ports ouverts.
## 6. Ports réseau
- Mesh Server: 443 (TLS) / 80 (redirect)
- TURN: 3478 UDP/TCP + range UDP (ex 49160-49200)
- Gotify: 443/80 (si exposé), sinon LAN only
## 7. Checks de santé
- /health sur mesh-server
- gotify UI accessible
- test ICE: vérifier host/srflx/relay
## 8. Exploitation
- Sauvegarder:
- DB mesh (si sqlite/postgres)
- gotify_data
- Rotation logs
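Review bot: The `gotify` service in the compose example hard-codes `GOTIFY_DEFAULTUSER_PASS=adminadmin` and publishes `"8080:80"` on every interface, so the notification server comes up with a known admin password reachable from outside the host; take the password from the environment like the other secrets (`- GOTIFY_DEFAULTUSER_PASS=${GOTIFY_DEFAULTUSER_PASS}`) and bind the port to loopback (`"127.0.0.1:8080:80"`) or leave it off the host, which is what section 6 ("LAN only" unless exposed) already asks for; `mesh-server`'s `"8000:8000"` deserves the same treatment since section 5 terminates TLS at the reverse proxy and section 6 lists only 443/80 for it. Section 2 also documents `TURN_HOST`, `TURN_PORT`, `TURN_USER` and `TURN_PASS` while the compose file reads `TURN_URL`, `STUN_URL`, `TURN_EXTERNAL_IP` and `TURN_REALM`, so the variable list should be reconciled with what the services actually consume. Finally, `coturn` is configured with a static `--user=${TURN_USER}:${TURN_PASS}` under `--lt-cred-mech` even though section 4 recommends temporary credentials, and both images are pulled as `:latest`; a comment marking the static user as a bootstrap-only setting and pinning the image tags would keep the example consistent with the document's own recommendations.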