feat: add Redis connection diagnostics, VPN routing fixes, and Traefik middleware updates

deployment/ansible/playbooks/diagnose-vpn-routing.yml

@@ -0,0 +1,172 @@
+---
+- name: Diagnose VPN Routing Problem f?r Grafana
+  hosts: production
+  gather_facts: yes
+  become: yes
+  become_user: root
+
+  tasks:
+    - name: Check WireGuard interface status
+      shell: |
+        echo "=== WireGuard Interface Status ==="
+        ip addr show wg0 2>&1 || echo "WireGuard interface not found"
+        echo ""
+        echo "=== WireGuard Peers ==="
+        wg show 2>&1 || echo "WireGuard not running"
+      register: wg_status
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display WireGuard status
+      debug:
+        msg: "{{ wg_status.stdout_lines }}"
+
+    - name: Check routing table for VPN network
+      shell: |
+        echo "=== Routing Table for 10.8.0.0/24 ==="
+        ip route show | grep 10.8.0 || echo "No routes found for 10.8.0.0/24"
+        echo ""
+        echo "=== Default Route ==="
+        ip route show default || echo "No default route"
+      register: routing_info
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display routing information
+      debug:
+        msg: "{{ routing_info.stdout_lines }}"
+
+    - name: Check Traefik access logs for recent Grafana requests
+      shell: |
+        cd ~/deployment/stacks/traefik
+        echo "=== Recent Grafana Access (Last 10 requests) ==="
+        tail -50 logs/access.log | grep grafana | tail -10 | jq -r '[.ClientAddr, .ClientHost, .RequestHost, .DownstreamStatus] | @tsv' 2>&1 || tail -50 logs/access.log | grep grafana | tail -10
+      args:
+        executable: /bin/bash
+      register: traefik_access
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display Traefik access logs
+      debug:
+        msg: "{{ traefik_access.stdout_lines }}"
+
+    - name: Test DNS resolution from server
+      shell: |
+        echo "=== DNS Resolution Tests ==="
+        echo "1. Grafana via VPN DNS (10.8.0.1):"
+        dig +short grafana.michaelschiemer.de @10.8.0.1 2>&1 || echo "Failed"
+        echo ""
+        echo "2. Grafana via public DNS (8.8.8.8):"
+        dig +short grafana.michaelschiemer.de @8.8.8.8 2>&1 || echo "Failed"
+        echo ""
+        echo "3. Grafana via system DNS:"
+        dig +short grafana.michaelschiemer.de 2>&1 || echo "Failed"
+      args:
+        executable: /bin/bash
+      register: dns_tests
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display DNS test results
+      debug:
+        msg: "{{ dns_tests.stdout_lines }}"
+
+    - name: Check firewall rules for WireGuard
+      shell: |
+        echo "=== Firewall Rules for WireGuard (port 51820) ==="
+        sudo ufw status | grep 51820 || sudo iptables -L -n | grep 51820 || echo "No firewall rules found"
+        echo ""
+        echo "=== Allowed IPs in WireGuard Config ==="
+        grep -E "AllowedIPs" /etc/wireguard/wg0.conf 2>&1 || echo "WireGuard config not found"
+      args:
+        executable: /bin/bash
+      register: firewall_info
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display firewall information
+      debug:
+        msg: "{{ firewall_info.stdout_lines }}"
+
+    - name: Check Traefik forwardedHeaders configuration
+      shell: |
+        cd ~/deployment/stacks/traefik
+        echo "=== Traefik forwardedHeaders Config ==="
+        grep -A 10 "forwardedHeaders:" traefik.yml || echo "Not found"
+      args:
+        executable: /bin/bash
+      register: forwarded_headers
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display forwardedHeaders configuration
+      debug:
+        msg: "{{ forwarded_headers.stdout_lines }}"
+
+    - name: Check Grafana middleware configuration
+      shell: |
+        cd ~/deployment/stacks/traefik/dynamic
+        echo "=== Grafana VPN Only Middleware ==="
+        grep -A 6 "grafana-vpn-only:" middlewares.yml || echo "Not found"
+      args:
+        executable: /bin/bash
+      register: grafana_middleware
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display Grafana middleware configuration
+      debug:
+        msg: "{{ grafana_middleware.stdout_lines }}"
+
+    - name: Check CoreDNS configuration
+      shell: |
+        cd ~/deployment/stacks/dns
+        echo "=== CoreDNS Corefile ==="
+        cat Corefile 2>&1 || echo "Not found"
+      args:
+        executable: /bin/bash
+      register: coredns_config
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display CoreDNS configuration
+      debug:
+        msg: "{{ coredns_config.stdout_lines }}"
+
+    - name: Test connection to Grafana from server via VPN IP
+      shell: |
+        echo "=== Test Connection to Grafana via VPN IP (10.8.0.1) ==="
+        curl -k -H "User-Agent: Mozilla/5.0" -s -o /dev/null -w "HTTP %{http_code}\n" https://10.8.0.1:443 -H "Host: grafana.michaelschiemer.de" 2>&1 || echo "Connection failed"
+        echo ""
+        echo "=== Test Connection via Domain ==="
+        curl -k -H "User-Agent: Mozilla/5.0" -s -o /dev/null -w "HTTP %{http_code}\n" https://grafana.michaelschiemer.de/ 2>&1 || echo "Connection failed"
+      args:
+        executable: /bin/bash
+      register: connection_tests
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display connection test results
+      debug:
+        msg: "{{ connection_tests.stdout_lines }}"
+
+    - name: Monitor Traefik access logs in real-time (for next request)
+      shell: |
+        echo "=== Instructions ==="
+        echo "1. Connect to VPN with your WireGuard client"
+        echo "2. Ensure DNS is set to 10.8.0.1 in WireGuard config"
+        echo "3. Access https://grafana.michaelschiemer.de in your browser"
+        echo "4. Check the ClientAddr in the access logs below"
+        echo ""
+        echo "=== Last Grafana Access Attempt ==="
+        tail -1 ~/deployment/stacks/traefik/logs/access.log 2>&1 | jq -r '[.ClientAddr, .ClientHost, .DownstreamStatus] | @tsv' || tail -1 ~/deployment/stacks/traefik/logs/access.log
+      args:
+        executable: /bin/bash
+      register: monitoring_info
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Display monitoring instructions
+      debug:
+        msg: "{{ monitoring_info.stdout_lines }}"