refactor(deployment): Remove WireGuard VPN dependency and restore public service access
Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services are now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.
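--- /dev/null
+++ b/deployment/ansible/templates/wg0.conf.j2
@@ -0,0 +1,50 @@
+# WireGuard Server Configuration
+# Interface: wg0
+# Network: {{ wg_network }}
+# Server IP: {{ wg_server_ip }}
+
+[Interface]
+PrivateKey = {{ wg_server_private_key }}
+Address = {{ wg_server_ip }}/{{ wg_netmask }}
+ListenPort = {{ wg_port | default(51820) }}
+
+# Enable IP forwarding for VPN routing
+PostUp = sysctl -w net.ipv4.ip_forward=1
+
+# nftables: Setup VPN routing and firewall
+PostUp = nft add table inet wireguard
+PostUp = nft add chain inet wireguard postrouting { type nat hook postrouting priority srcnat\; }
+PostUp = nft add chain inet wireguard forward { type filter hook forward priority filter\; }
+
+# NAT for VPN traffic (masquerade to WAN)
+PostUp = nft add rule inet wireguard postrouting oifname "{{ wan_interface }}" ip saddr {{ wg_network }} masquerade
+
+# Allow VPN traffic forwarding
+PostUp = nft add rule inet wireguard forward iifname "wg0" ip saddr {{ wg_network }} accept
+PostUp = nft add rule inet wireguard forward oifname "wg0" ip daddr {{ wg_network }} ct state established,related accept
+
+# Cleanup on shutdown
+PostDown = nft delete table inet wireguard
+
+# Peers (automatically managed)
+# Format:
+# [Peer]
+# # Description: device-name
+# PublicKey = peer_public_key
+# PresharedKey = peer_preshared_key
+# AllowedIPs = 10.8.0.X/32
+# PersistentKeepalive = 25 # Optional: for clients behind NAT
+
+{% for peer in wg_peers | default([]) %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+{% if peer.preshared_key is defined %}
+PresharedKey = {{ peer.preshared_key }}
+{% endif %}
+AllowedIPs = {{ peer.allowed_ips }}
+{% if peer.persistent_keepalive | default(true) %}
+PersistentKeepalive = 25
+{% endif %}
+
+{% endfor %}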
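Review bot: The forward chain created by `PostUp = nft add chain inet wireguard forward { type filter hook forward priority filter\; }` has no explicit policy, so it defaults to accept and the two accept rules that follow it do not restrict anything; if the intent is to confine forwarded traffic to {{ wg_network }}, the chain needs `policy drop\;` with those accept rules kept, which should first be checked against any other forwarding the host relies on (for example container networking). `PostUp = sysctl -w net.ipv4.ip_forward=1` also has no PostDown counterpart, so forwarding stays enabled after the interface is torn down even though the nftables table is removed. The rendered file contains `{{ wg_server_private_key }}` and peer preshared keys, so the Ansible template task that writes it (not in this section) should set a restrictive mode such as 0600 and source those variables from an encrypted store. The commit title says WireGuard is being removed, yet this section adds the server template; the description should say why the template is kept.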