chore: update VPN routing configuration and add Grafana VPN documentation

2025-11-02 18:10:04 +01:00
parent 2dd8468d70
commit 7b7f0b41d2
41 changed files with 3727 additions and 11 deletions
--- a/deployment/ansible/playbooks/fix-grafana-vpn-routing.yml
+++ b/deployment/ansible/playbooks/fix-grafana-vpn-routing.yml
@@ -0,0 +1,80 @@
+---
+- name: Fix Grafana VPN Routing and Remove Temporary IP Allow
+  hosts: production
+  gather_facts: no
+  become: no
+
+  tasks:
+    - name: Check recent Grafana access attempts
+      shell: |
+        cd ~/deployment/stacks/traefik
+        echo "=== Recent Grafana Access (Last 10 attempts) ==="
+        tail -50 logs/access.log | grep grafana | tail -10 | while read line; do
+          echo "$line" | grep -oP '"ClientHost":"[^"]*"' || echo "Could not parse"
+        done
+      args:
+        executable: /bin/bash
+      register: recent_access
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display recent access attempts
+      debug:
+        msg: "{{ recent_access.stdout_lines }}"
+
+    - name: Check if traffic comes from VPN
+      shell: |
+        cd ~/deployment/stacks/traefik
+        echo "=== Checking if recent traffic comes from VPN (10.8.0.0/24) ==="
+        tail -20 logs/access.log | grep grafana | tail -5 | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//' | while read ip; do
+          if [[ "$ip" =~ ^10\.8\.0\.[0-9]+$ ]]; then
+            echo "? $ip -> VPN traffic (10.8.0.0/24)"
+          else
+            echo "? $ip -> Public IP (not VPN)"
+          fi
+        done
+      args:
+        executable: /bin/bash
+      register: vpn_check
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display VPN check results
+      debug:
+        msg: "{{ vpn_check.stdout_lines }}"
+
+    - name: Backup current middlewares.yml
+      shell: |
+        cd ~/deployment/stacks/traefik/dynamic
+        cp middlewares.yml middlewares.yml.backup.$(date +%Y%m%d_%H%M%S)
+      args:
+        executable: /bin/bash
+      when: false  # Skip for now - we'll do this manually
+
+    - name: Check current middleware configuration
+      shell: |
+        cd ~/deployment/stacks/traefik/dynamic
+        echo "=== Current grafana-vpn-only Middleware ==="
+        grep -A 8 "grafana-vpn-only:" middlewares.yml
+      args:
+        executable: /bin/bash
+      register: middleware_config
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display middleware configuration
+      debug:
+        msg: "{{ middleware_config.stdout_lines }}"
+
+    - name: Instructions for removing temporary IP
+      debug:
+        msg:
+          - "=== TO REMOVE TEMPORARY IP ALLOWLIST ==="
+          - "1. Make sure VPN routing works (DNS = 10.8.0.1 or use hosts file)"
+          - "2. Test that traffic comes from VPN (ClientHost: 10.8.0.7)"
+          - "3. Remove temporary IP from middlewares.yml:"
+          - "   cd ~/deployment/stacks/traefik/dynamic"
+          - "   sed -i '/89.246.96.244\/32/d' middlewares.yml"
+          - "4. Restart Traefik:"
+          - "   cd ~/deployment/stacks/traefik && docker compose restart traefik"
+          - "5. Test: With VPN = OK, Without VPN = 403"