Chapter 13 / 40

Network

The Gennevilliers office runs two separate networks on one cabling plant. The distinction matters for day-to-day work.


Data network (192.168.0.x) — this is where work happens.

Key hosts:

  • NAS (SAUVE_DISK) at 192.168.0.17 — holds all Sodiwin file exports and office file shares. The nightly Sodiwin dump lands here at 02:30.
  • Sodiwin server at 192.168.0.88 — the ERP. Treated as a black box; nothing connects to it directly.
  • Framework Desktop (arriving this week) — goes into the server-room rack switch at gigabit speed.

Connect to the sodimo_wifi wireless network to reach the NAS and infrastructure from a laptop. Some wall ports in the office are wired to the wrong network; if in doubt whether a wall port is on the data network, use sodimo_wifi instead.


VoIP network (192.168.1.x) — phone system only. Cannot reach the NAS. Do not plug AI equipment into a VoIP wall port.


Remote access — two paths, different audiences:

Sodimo runs two separate remote-access networks on the Framework Desktop, for different people and different jobs. They are not substitutes.

Cloudflare Tunnel + Cloudflare Access — employee access to on-prem services. Employees reach Cockpit, OpenWebUI, Paperclip, the Twenty CRM, Piler, and the vault at *.sodimo.eu URLs through a Cloudflare Tunnel. Authentication happens at the Cloudflare Access edge, against Google Workspace. No VPN client is installed on employee laptops; a Google login is the credential. This is the default path — it is what Rani, Paul, Jack, and Michel use every day.

Tailscale — dev and break-glass access. Thomas’s laptop, the Framework Desktop, and the NAS sit on a private overlay network. This is for SSH, configuration work, and (future) Moonlight/Sunshine remote desktop. Tailscale is not a general employee tool: Rani does not need Tailscale, Paul does not need Tailscale, and OpenWebUI (see chapter OpenWebUI) is reached via the Cloudflare Tunnel path, not Tailscale, as of Wednesday’s architectural pivot.

The split preserves the core property from the chapter Three design principles: no inbound port is opened on the Fedora harness. The Cloudflare Tunnel dials out from the box to Cloudflare, so all ingress is Cloudflare-terminated. Tailscale is a WireGuard mesh, and from the harness’s perspective it is likewise an outbound dial. Neither path requires a public listener on the Fedora side.
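The "no inbound port" property is easy to state and easy to lose (a container published on 0.0.0.0, a service bound to the LAN address instead of loopback). The script below is an added example, not part of the handbook or of the Sodimo setup: it audits `ss -Hltn` output on the Fedora harness and flags any TCP listener bound to a wildcard, LAN or public address. Loopback binds are fine (cloudflared reaches them locally), and binds to a Tailscale address are fine too, since Tailscale allocates from 100.64.0.0/10 and those are reachable only over the overlay. The sample `ss` output embedded in the script is constructed, not captured from the real box; the 100.101.102.103 address and the ports are placeholders.

```shell
#!/bin/sh
# Added example (not from the Sodimo handbook): audit a host for TCP listeners
# that would break the "no inbound port" property.  Assumes iproute2's `ss`
# and its "-Hltn" column layout: State Recv-Q Send-Q Local:Port Peer:Port.

# Constructed sample of `ss -Hltn` output (placeholder addresses and ports).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 4096 100.101.102.103:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 [::]:3000 [::]:*
LISTEN 0 4096 [::1]:11434 [::]:*'

# Strip the trailing ":port" from an ss "Local Address:Port" field.
bind_addr() {
  printf '%s' "$1" | sed 's/:[^:]*$//'
}

# Classify a bind address.  Tailscale hands out addresses from 100.64.0.0/10
# (the CGNAT range), so a bind there is reachable only over the overlay.
classify_bind() {
  case "$1" in
    127.*|'[::1]') echo loopback ;;
    '*'|0.0.0.0|'[::]') echo wildcard ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[0-1][0-9].*|100.12[0-7].*) echo tailscale ;;
    *) echo lan_or_public ;;
  esac
}

# Read `ss -Hltn` output on stdin.  Print "<class> <local:port>" for every
# socket exposed beyond loopback/Tailscale; the exit status is the number of
# findings, so 0 means the property holds.
audit_listeners() {
  n=0
  while read -r state rq sq laddr peer rest; do
    [ -n "$laddr" ] || continue
    class=$(classify_bind "$(bind_addr "$laddr")")
    case "$class" in
      wildcard|lan_or_public)
        echo "$class $laddr"
        n=$((n + 1)) ;;
    esac
  done
  return "$n"
}

# Stand-alone usage: "--live" audits this host, otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
  ss -Hltn | audit_listeners || echo "$? exposed listener(s)" >&2
else
  printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "$? exposed listener(s)" >&2
fi
```

Against the constructed sample the audit reports the 0.0.0.0:8080 and [::]:3000 binds and exits with status 2; the Cockpit-style loopback bind and the SSH bind on the Tailscale address pass. Run it with `--live` on the harness after any service change. The check covers TCP only; `ss -Hlun` would additionally show tailscaled's WireGuard UDP socket (port 41641 by default), which is expected and is not an inbound service port.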


ISP items (Jack’s ticket):

A static public IP address, PTR record delegation, and port 25 access are all pending from the ISP. These three items are the critical path for the email migration. Jack owns the ticket.