refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.

deployment/ansible/playbooks/README-WIREGUARD.md

@@ -179,6 +179,141 @@ sudo ufw allow 51820/udp comment 'WireGuard VPN'
 sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
 ```
 
+## Split-Tunnel Routing & NAT Fix
+
+### A. Quick Fix Commands (manuell auf dem Server)
+```bash
+WAN_IF=${WAN_IF:-eth0}
+WG_IF=${WG_IF:-wg0}
+WG_NET=${WG_NET:-10.8.0.0/24}
+WG_PORT=${WG_PORT:-51820}
+EXTRA_NETS=${EXTRA_NETS:-"192.168.178.0/24 172.20.0.0/16"}
+
+sudo sysctl -w net.ipv4.ip_forward=1
+sudo tee /etc/sysctl.d/99-${WG_IF}-forward.conf >/dev/null <<'EOF'
+# WireGuard Forwarding
+net.ipv4.ip_forward=1
+EOF
+sudo sysctl --system
+
+# iptables Variante
+sudo iptables -t nat -C POSTROUTING -s ${WG_NET} -o ${WAN_IF} -j MASQUERADE 2>/dev/null \
+  || sudo iptables -t nat -A POSTROUTING -s ${WG_NET} -o ${WAN_IF} -j MASQUERADE
+sudo iptables -C FORWARD -i ${WG_IF} -s ${WG_NET} -o ${WAN_IF} -j ACCEPT 2>/dev/null \
+  || sudo iptables -A FORWARD -i ${WG_IF} -s ${WG_NET} -o ${WAN_IF} -j ACCEPT
+sudo iptables -C FORWARD -o ${WG_IF} -d ${WG_NET} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
+  || sudo iptables -A FORWARD -o ${WG_IF} -d ${WG_NET} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+for NET in ${EXTRA_NETS}; do
+  sudo iptables -C FORWARD -i ${WG_IF} -d ${NET} -j ACCEPT 2>/dev/null || sudo iptables -A FORWARD -i ${WG_IF} -d ${NET} -j ACCEPT
+done
+
+# nftables Variante
+sudo nft list table inet wireguard_${WG_IF} >/dev/null 2>&1 || sudo nft add table inet wireguard_${WG_IF}
+sudo nft list chain inet wireguard_${WG_IF} postrouting >/dev/null 2>&1 \
+  || sudo nft add chain inet wireguard_${WG_IF} postrouting '{ type nat hook postrouting priority srcnat; }'
+sudo nft list chain inet wireguard_${WG_IF} forward >/dev/null 2>&1 \
+  || sudo nft add chain inet wireguard_${WG_IF} forward '{ type filter hook forward priority filter; policy accept; }'
+sudo nft list chain inet wireguard_${WG_IF} postrouting | grep -q "${WAN_IF}" \
+  || sudo nft add rule inet wireguard_${WG_IF} postrouting oifname "${WAN_IF}" ip saddr ${WG_NET} masquerade
+sudo nft list chain inet wireguard_${WG_IF} forward | grep -q "iifname \"${WG_IF}\"" \
+  || sudo nft add rule inet wireguard_${WG_IF} forward iifname "${WG_IF}" ip saddr ${WG_NET} counter accept
+sudo nft list chain inet wireguard_${WG_IF} forward | grep -q "oifname \"${WG_IF}\"" \
+  || sudo nft add rule inet wireguard_${WG_IF} forward oifname "${WG_IF}" ip daddr ${WG_NET} ct state established,related counter accept
+for NET in ${EXTRA_NETS}; do
+  sudo nft list chain inet wireguard_${WG_IF} forward | grep -q "${NET}" \
+    || sudo nft add rule inet wireguard_${WG_IF} forward iifname "${WG_IF}" ip daddr ${NET} counter accept
+done
+
+# Firewall Hooks
+if command -v ufw >/dev/null && sudo ufw status | grep -iq "Status: active"; then
+  sudo sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
+  sudo ufw allow ${WG_PORT}/udp
+  sudo ufw route allow in on ${WG_IF} out on ${WAN_IF} to any
+fi
+if command -v firewall-cmd >/dev/null && sudo firewall-cmd --state >/dev/null 2>&1; then
+  sudo firewall-cmd --permanent --zone=${FIREWALLD_ZONE:-public} --add-port=${WG_PORT}/udp
+  sudo firewall-cmd --permanent --zone=${FIREWALLD_ZONE:-public} --add-masquerade
+  sudo firewall-cmd --reload
+fi
+
+sudo systemctl enable --now wg-quick@${WG_IF}
+sudo wg show
+```
+
+### B. Skript: `deployment/ansible/scripts/setup-wireguard-routing.sh`
+```bash
+cd deployment/ansible
+sudo WAN_IF=eth0 WG_IF=wg0 WG_NET=10.8.0.0/24 EXTRA_NETS="192.168.178.0/24 172.20.0.0/16" \
+  ./scripts/setup-wireguard-routing.sh
+```
+*Erkennt automatisch iptables/nftables und konfiguriert optional UFW/Firewalld.*
+
+### C. Ansible Playbook: `playbooks/wireguard-routing.yml`
+```bash
+cd deployment/ansible
+ansible-playbook -i inventory/production.yml playbooks/wireguard-routing.yml \
+  -e "wg_interface=wg0 wg_addr=10.8.0.1/24 wg_net=10.8.0.0/24 wan_interface=eth0" \
+  -e '{"extra_nets":["192.168.178.0/24","172.20.0.0/16"],"firewall_backend":"iptables","manage_ufw":true}'
+```
+*Variablen:* `wg_interface`, `wg_addr`, `wg_net`, `wan_interface`, `extra_nets`, `firewall_backend` (`iptables|nftables`), `manage_ufw`, `manage_firewalld`, `firewalld_zone`.
+
+### D. Beispiel `wg0.conf` Ausschnitt
+```ini
+[Interface]
+Address = 10.8.0.1/24
+ListenPort = 51820
+PrivateKey = <ServerPrivateKey>
+
+# iptables
+PostUp = iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+PostUp = iptables -C FORWARD -i wg0 -s 10.8.0.0/24 -j ACCEPT 2>/dev/null || iptables -A FORWARD -i wg0 -s 10.8.0.0/24 -j ACCEPT
+PostUp = iptables -C FORWARD -o wg0 -d 10.8.0.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -A FORWARD -o wg0 -d 10.8.0.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null || true
+PostDown = iptables -D FORWARD -i wg0 -s 10.8.0.0/24 -j ACCEPT 2>/dev/null || true
+PostDown = iptables -D FORWARD -o wg0 -d 10.8.0.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+
+# nftables (stattdessen)
+# PostUp = nft -f /etc/nftables.d/wireguard-wg0.nft
+# PostDown = nft delete table inet wireguard_wg0 2>/dev/null || true
+
+[Peer]
+PublicKey = <ClientPublicKey>
+AllowedIPs = 10.8.0.5/32, 192.168.178.0/24, 172.20.0.0/16
+PersistentKeepalive = 25
+```
+
+### E. Windows Client (AllowedIPs & Tests)
+```ini
+[Interface]
+Address = 10.8.0.5/32
+DNS = 10.8.0.1     # optional
+
+[Peer]
+PublicKey = <ServerPublicKey>
+Endpoint = vpn.example.com:51820
+AllowedIPs = 10.8.0.0/24, 192.168.178.0/24, 172.20.0.0/16
+PersistentKeepalive = 25
+```
+PowerShell:
+```powershell
+wg show
+Test-Connection -Source 10.8.0.5 -ComputerName 10.8.0.1
+Test-Connection 192.168.178.1
+Test-NetConnection -ComputerName 192.168.178.10 -Port 22
+```
+Optional: `Set-DnsClientNrptRule -Namespace "internal.lan" -NameServers 10.8.0.1`.
+
+### F. Troubleshooting & Rollback
+- Checks: `ip r`, `ip route get <target>`, `iptables -t nat -S`, `nft list ruleset`, `sysctl net.ipv4.ip_forward`, `wg show`, `tcpdump -i wg0`, `tcpdump -i eth0 host 10.8.0.5`.
+- Häufige Fehler: falsches WAN-Interface, Forwarding/NAT fehlt, doppelte Firewalls (iptables + nftables), Docker-NAT kollidiert, Policy-Routing aktiv.
+- Rollback:
+  - `sudo rm /etc/sysctl.d/99-wg0-forward.conf && sudo sysctl -w net.ipv4.ip_forward=0`
+  - iptables: Regeln mit `iptables -D` entfernen (siehe oben).
+  - nftables: `sudo nft delete table inet wireguard_wg0`.
+  - UFW: `sudo ufw delete allow 51820/udp`, Route-Regeln entfernen, `DEFAULT_FORWARD_POLICY` zurücksetzen.
+  - Firewalld: `firewall-cmd --permanent --remove-port=51820/udp`, `--remove-masquerade`, `--reload`.
+  - Dienst: `sudo systemctl disable --now wg-quick@wg0`.
+
 ## Troubleshooting
 
 ### WireGuard startet nicht
@@ -281,4 +416,4 @@ Bei Problemen:
 1. Prüfe Logs: `sudo journalctl -u wg-quick@wg0`
 2. Prüfe Status: `sudo wg show`
 3. Prüfe Firewall: `sudo ufw status`
-4. Teste Connectivity: `ping 10.8.0.1` (vom Client)
+4. Teste Connectivity: `ping 10.8.0.1` (vom Client)