refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.

deployment/ansible/templates/wg0.conf.j2

@@ -0,0 +1,50 @@
+# WireGuard Server Configuration
+# Interface: wg0
+# Network: {{ wg_network }}
+# Server IP: {{ wg_server_ip }}
+
+[Interface]
+PrivateKey = {{ wg_server_private_key }}
+Address = {{ wg_server_ip }}/{{ wg_netmask }}
+ListenPort = {{ wg_port | default(51820) }}
+
+# Enable IP forwarding for VPN routing
+PostUp = sysctl -w net.ipv4.ip_forward=1
+
+# nftables: Setup VPN routing and firewall
+PostUp = nft add table inet wireguard
+PostUp = nft add chain inet wireguard postrouting { type nat hook postrouting priority srcnat\; }
+PostUp = nft add chain inet wireguard forward { type filter hook forward priority filter\; }
+
+# NAT for VPN traffic (masquerade to WAN)
+PostUp = nft add rule inet wireguard postrouting oifname "{{ wan_interface }}" ip saddr {{ wg_network }} masquerade
+
+# Allow VPN traffic forwarding
+PostUp = nft add rule inet wireguard forward iifname "wg0" ip saddr {{ wg_network }} accept
+PostUp = nft add rule inet wireguard forward oifname "wg0" ip daddr {{ wg_network }} ct state established,related accept
+
+# Cleanup on shutdown
+PostDown = nft delete table inet wireguard
+
+# Peers (automatically managed)
+# Format:
+# [Peer]
+# # Description: device-name
+# PublicKey = peer_public_key
+# PresharedKey = peer_preshared_key
+# AllowedIPs = 10.8.0.X/32
+# PersistentKeepalive = 25  # Optional: for clients behind NAT
+
+{% for peer in wg_peers | default([]) %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+{% if peer.preshared_key is defined %}
+PresharedKey = {{ peer.preshared_key }}
+{% endif %}
+AllowedIPs = {{ peer.allowed_ips }}
+{% if peer.persistent_keepalive | default(true) %}
+PersistentKeepalive = 25
+{% endif %}
+
+{% endfor %}

deployment/ansible/templates/wireguard-client.conf.j2

@@ -1,29 +0,0 @@
-# WireGuard Client Configuration for {{ client_name }}
-# Generated by Ansible - DO NOT EDIT MANUALLY
-
-[Interface]
-# Client private key
-PrivateKey = {{ client_private_key.stdout }}
-
-# Client IP address in VPN network
-Address = {{ client_ip }}/24
-
-{% if wireguard_dns_servers | length > 0 %}
-# DNS servers provided via Ansible (optional)
-DNS = {{ wireguard_dns_servers | join(', ') }}
-{% endif %}
-
-[Peer]
-# Server public key
-PublicKey = {{ server_public_key_cmd.stdout }}
-
-# Server endpoint
-Endpoint = {{ server_external_ip_content }}:{{ wireguard_port }}
-
-# Allowed IPs (routes through VPN)
-# IMPORTANT: Only VPN network is routed through VPN by default
-# SSH access via normal IP ({{ server_external_ip_content }}) remains available
-AllowedIPs = {{ allowed_ips }}
-
-# Keep connection alive
-PersistentKeepalive = 25

deployment/ansible/templates/wireguard-host-firewall.nft.j2

@@ -0,0 +1,116 @@
+#!/usr/sbin/nft -f
+# WireGuard VPN Firewall Rules
+# Purpose: Isolate admin services behind VPN, allow public access only to ports 80, 443, 22
+# Generated by Ansible - DO NOT EDIT MANUALLY
+
+table inet wireguard_firewall {
+    # Define sets for easy management
+    set vpn_network {
+        type ipv4_addr
+        flags interval
+        elements = { {{ wg_network }} }
+    }
+
+    set admin_service_ports {
+        type inet_service
+        elements = {
+            8080,  # Traefik Dashboard
+            9090,  # Prometheus
+            3001,  # Grafana
+            9000,  # Portainer
+            8001,  # Redis Insight
+{% for port in additional_admin_ports | default([]) %}
+            {{ port }},  # {{ port }}
+{% endfor %}
+        }
+    }
+
+    set public_service_ports {
+        type inet_service
+        elements = {
+            80,    # HTTP
+            443,   # HTTPS
+            22,    # SSH
+{% for port in additional_public_ports | default([]) %}
+            {{ port }},  # {{ port }}
+{% endfor %}
+        }
+    }
+
+    # Input chain - Handle incoming traffic
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        # Allow established/related connections
+        ct state established,related accept
+
+        # Allow loopback
+        iifname "lo" accept
+
+        # Allow ICMP (ping)
+        ip protocol icmp accept
+        ip6 nexthdr icmpv6 accept
+
+        # Allow SSH (public)
+        tcp dport 22 accept
+
+        # Allow WireGuard port (public)
+        udp dport {{ wg_port | default(51820) }} accept comment "WireGuard VPN"
+
+        # Allow public web services (HTTP/HTTPS)
+        tcp dport @public_service_ports accept comment "Public services"
+
+        # Allow VPN network to access admin services
+        ip saddr @vpn_network tcp dport @admin_service_ports accept comment "VPN admin access"
+
+        # Block public access to admin services
+        tcp dport @admin_service_ports counter log prefix "BLOCKED_ADMIN_SERVICE: " drop
+
+        # Log and drop all other traffic
+        counter log prefix "BLOCKED_INPUT: " drop
+    }
+
+    # Forward chain - Handle routed traffic (VPN to services)
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+
+        # Allow established/related connections
+        ct state established,related accept
+
+        # Allow VPN clients to access local services
+        iifname "wg0" ip saddr @vpn_network accept comment "VPN to services"
+
+        # Allow return traffic to VPN clients
+        oifname "wg0" ip daddr @vpn_network ct state established,related accept
+
+        # Log and drop all other forwarded traffic
+        counter log prefix "BLOCKED_FORWARD: " drop
+    }
+
+    # Output chain - Allow all outgoing traffic
+    chain output {
+        type filter hook output priority filter; policy accept;
+    }
+
+    # NAT chain - Masquerade VPN traffic to WAN
+    chain postrouting {
+        type nat hook postrouting priority srcnat;
+
+        # Masquerade VPN traffic going to WAN
+        oifname "{{ wan_interface }}" ip saddr @vpn_network masquerade comment "VPN NAT"
+    }
+}
+
+# Optional: Rate limiting for VPN port (DDoS protection)
+{% if wg_enable_rate_limit | default(true) %}
+table inet wireguard_ratelimit {
+    chain input {
+        type filter hook input priority -10;
+
+        # Rate limit WireGuard port: 10 connections per second per IP
+        udp dport {{ wg_port | default(51820) }} \
+            meter vpn_ratelimit { ip saddr limit rate over 10/second } \
+            counter log prefix "VPN_RATELIMIT: " drop
+    }
+}
+{% endif %}

deployment/ansible/templates/wireguard-nftables.nft.j2

@@ -0,0 +1,15 @@
+table inet wireguard_{{ wg_interface }} {
+    chain postrouting {
+        type nat hook postrouting priority srcnat;
+        oifname "{{ wan_interface }}" ip saddr {{ wg_net }} masquerade
+    }
+
+    chain forward {
+        type filter hook forward priority filter;
+        iifname "{{ wg_interface }}" ip saddr {{ wg_net }} counter accept
+        oifname "{{ wg_interface }}" ip daddr {{ wg_net }} ct state established,related counter accept
+{% for net in extra_nets %}
+        iifname "{{ wg_interface }}" ip daddr {{ net }} counter accept
+{% endfor %}
+    }
+}

deployment/ansible/templates/wireguard-server.conf.j2

@@ -1,22 +0,0 @@
-# WireGuard Server Configuration
-# Generated by Ansible - DO NOT EDIT MANUALLY
-
-[Interface]
-# Server private key
-PrivateKey = {{ server_private_key_for_config }}
-
-# Server IP address in VPN network
-Address = {{ wireguard_server_ip }}/24
-
-# Port to listen on
-ListenPort = {{ wireguard_port }}
-
-# Enable NAT for VPN clients to access internet
-PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ wireguard_interface_name }} -j MASQUERADE
-PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ wireguard_interface_name }} -j MASQUERADE
-
-# Clients will be added here by the add-wireguard-client playbook
-# Example:
-# [Peer]
-# PublicKey = <client_public_key>
-# AllowedIPs = 10.8.0.2/32