chore: update VPN routing configuration and add Grafana VPN documentation

2025-11-02 18:10:04 +01:00
parent 2dd8468d70
commit 7b7f0b41d2
41 changed files with 3727 additions and 11 deletions
--- a/deployment/ansible/playbooks/monitor-grafana-live-with-firewall.yml
+++ b/deployment/ansible/playbooks/monitor-grafana-live-with-firewall.yml
@@ -0,0 +1,86 @@
+---
+- name: Monitor Grafana Access After Firewall Changes
+  hosts: production
+  gather_facts: no
+  become: no
+
+  tasks:
+    - name: Instructions
+      debug:
+        msg:
+          - "=== LIVE MONITORING NACH FIREWALL-?NDERUNGEN ==="
+          - "Firewall-Regeln wurden erstellt ?"
+          - "WireGuard ist verbunden ?"
+          - ""
+          - "Bitte mache JETZT einen neuen Zugriff auf https://grafana.michaelschiemer.de im Browser"
+          - "Ich warte 20 Sekunden und pr?fe dann die Logs..."
+          - ""
+
+    - name: Get current log timestamp
+      shell: |
+        cd ~/deployment/stacks/traefik
+        tail -1 logs/access.log | grep -oP '"time":"[^"]*"'
+      args:
+        executable: /bin/bash
+      register: current_timestamp
+      failed_when: false
+
+    - name: Display current timestamp
+      debug:
+        msg: "Letztes Log: {{ current_timestamp.stdout }}"
+
+    - name: Wait for access attempt
+      pause:
+        seconds: 20
+
+    - name: Check for new Grafana access
+      shell: |
+        cd ~/deployment/stacks/traefik
+        tail -200 logs/access.log | grep -i grafana | tail -20 | while IFS= read -r line; do
+          time=$(echo "$line" | grep -oP '"time":"[^"]*"' | sed 's/"time":"//;s/"//' | cut -d'T' -f2 | cut -d'+' -f1 | cut -d':' -f1-2)
+          client=$(echo "$line" | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//')
+          status=$(echo "$line" | grep -oP '"DownstreamStatus":[0-9]+' | sed 's/"DownstreamStatus"://')
+          if echo "$client" | grep -q '^10\.8\.0\.'; then
+            echo "$time | ClientHost: $client | Status: $status ? VPN-IP (Traffic kommt ?ber VPN!)"
+          elif [ "$client" = "89.246.96.244" ]; then
+            echo "$time | ClientHost: $client | Status: $status ? Public IP (Traffic kommt NICHT ?ber VPN)"
+          else
+            echo "$time | ClientHost: $client | Status: $status ? Unknown IP"
+          fi
+        done
+      args:
+        executable: /bin/bash
+      register: analysis
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display analysis
+      debug:
+        msg: "{{ analysis.stdout_lines }}"
+
+    - name: Get unique client IPs from last 10 requests
+      shell: |
+        cd ~/deployment/stacks/traefik
+        tail -100 logs/access.log | grep -i grafana | tail -10 | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//' | sort -u
+      args:
+        executable: /bin/bash
+      register: unique_ips
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display unique IPs
+      debug:
+        msg: "{{ unique_ips.stdout_lines }}"
+
+    - name: Final verdict
+      debug:
+        msg:
+          - ""
+          - "=== ERGEBNIS ==="
+          - "Pr?fe die obigen Zeilen:"
+          - ""
+          - "? Wenn ClientHost: 10.8.0.7 ? Traffic kommt ?ber VPN!"
+          - "   ? Dann k?nnen wir die tempor?re IP-Erlaubnis entfernen!"
+          - ""
+          - "? Wenn ClientHost: 89.246.96.244 ? Traffic kommt NICHT ?ber VPN"
+          - "   ? Dann m?ssen wir weitere Optionen probieren (Route explizit setzen, etc.)"