refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure: - Remove docker-compose-direct-access.yml (VPN-bound services) - Remove VPN-only middlewares from Grafana, Prometheus, Portainer - Remove WireGuard middleware definitions from Traefik - Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers All monitoring services now publicly accessible via subdomains: - grafana.michaelschiemer.de (with Grafana native auth) - prometheus.michaelschiemer.de (with Basic Auth) - portainer.michaelschiemer.de (with Portainer native auth) All services use Let's Encrypt SSL certificates via Traefik.
2025-11-05 12:48:25 +01:00
parent 7c52065aae
commit 95147ff23e
215 changed files with 29490 additions and 368 deletions
--- a/deployment/scripts/cleanup-old-wireguard.sh
+++ b/deployment/scripts/cleanup-old-wireguard.sh
@@ -0,0 +1,206 @@
+#!/bin/bash
+# Cleanup Old WireGuard Docker Setup
+# Purpose: Remove old WireGuard Docker stack and CoreDNS before migrating to host-based setup
+# WARNING: This will stop and remove the old VPN setup!
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+print_info() {
+    echo -e "${BLUE}[INFO]${NC} $1"
+}
+
+print_success() {
+    echo -e "${GREEN}[SUCCESS]${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}[WARNING]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# ========================================
+# Configuration
+# ========================================
+
+DEPLOYMENT_DIR="/home/michael/dev/michaelschiemer/deployment"
+WIREGUARD_STACK_DIR="${DEPLOYMENT_DIR}/stacks/wireguard"
+COREDNS_STACK_DIR="${DEPLOYMENT_DIR}/stacks/coredns"
+ARCHIVE_DIR="${DEPLOYMENT_DIR}/wireguard-docker-archive-$(date +%Y%m%d)"
+
+# ========================================
+# Pre-flight Checks
+# ========================================
+
+print_info "WireGuard Docker Setup Cleanup Script"
+echo ""
+print_warning "This script will:"
+echo "  - Stop WireGuard Docker container"
+echo "  - Stop CoreDNS container (if exists)"
+echo "  - Archive old configuration"
+echo "  - Remove Docker stacks"
+echo ""
+print_warning "VPN access will be lost until new host-based setup is deployed!"
+echo ""
+read -p "Continue? (type 'yes' to proceed): " -r
+if [[ ! $REPLY == "yes" ]]; then
+    print_info "Aborted by user"
+    exit 0
+fi
+
+# ========================================
+# Stop Docker Containers
+# ========================================
+
+print_info "Stopping WireGuard Docker container..."
+if [ -d "$WIREGUARD_STACK_DIR" ]; then
+    cd "$WIREGUARD_STACK_DIR"
+    if [ -f "docker-compose.yml" ]; then
+        docker-compose down || print_warning "WireGuard container already stopped or not found"
+    fi
+else
+    print_warning "WireGuard stack directory not found: $WIREGUARD_STACK_DIR"
+fi
+
+print_info "Stopping CoreDNS Docker container (if exists)..."
+if [ -d "$COREDNS_STACK_DIR" ]; then
+    cd "$COREDNS_STACK_DIR"
+    if [ -f "docker-compose.yml" ]; then
+        docker-compose down || print_warning "CoreDNS container already stopped or not found"
+    fi
+else
+    print_info "CoreDNS stack directory not found (may not have existed)"
+fi
+
+# ========================================
+# Archive Old Configuration
+# ========================================
+
+print_info "Creating archive of old configuration..."
+mkdir -p "$ARCHIVE_DIR"
+
+# Archive WireGuard stack
+if [ -d "$WIREGUARD_STACK_DIR" ]; then
+    print_info "Archiving WireGuard stack..."
+    cp -r "$WIREGUARD_STACK_DIR" "$ARCHIVE_DIR/wireguard-stack"
+    print_success "WireGuard stack archived to: $ARCHIVE_DIR/wireguard-stack"
+fi
+
+# Archive CoreDNS stack
+if [ -d "$COREDNS_STACK_DIR" ]; then
+    print_info "Archiving CoreDNS stack..."
+    cp -r "$COREDNS_STACK_DIR" "$ARCHIVE_DIR/coredns-stack"
+    print_success "CoreDNS stack archived to: $ARCHIVE_DIR/coredns-stack"
+fi
+
+# Archive old Ansible files
+print_info "Archiving old Ansible playbooks..."
+if [ -d "${DEPLOYMENT_DIR}/wireguard-old" ]; then
+    cp -r "${DEPLOYMENT_DIR}/wireguard-old" "$ARCHIVE_DIR/ansible-old"
+fi
+
+# Archive nftables templates
+if [ -f "${DEPLOYMENT_DIR}/ansible/templates/wireguard-nftables.nft.j2" ]; then
+    mkdir -p "$ARCHIVE_DIR/ansible-templates"
+    cp "${DEPLOYMENT_DIR}/ansible/templates/wireguard-nftables.nft.j2" "$ARCHIVE_DIR/ansible-templates/"
+fi
+
+# Create archive summary
+cat > "$ARCHIVE_DIR/ARCHIVE_INFO.txt" <<EOF
+WireGuard Docker Setup Archive
+Created: $(date)
+
+This archive contains the old WireGuard Docker-based setup that was replaced
+with a host-based WireGuard configuration.
+
+Contents:
+- wireguard-stack/: Docker Compose stack for WireGuard
+- coredns-stack/: Docker Compose stack for CoreDNS (if existed)
+- ansible-old/: Old Ansible playbooks and configs
+- ansible-templates/: Old nftables templates
+
+To restore old setup (NOT RECOMMENDED):
+1. Stop new host-based WireGuard: systemctl stop wg-quick@wg0
+2. Copy stacks back: cp -r wireguard-stack ../stacks/
+3. Start container: cd ../stacks/wireguard && docker-compose up -d
+
+For new host-based setup, see:
+- deployment/wireguard/README.md
+- deployment/ansible/playbooks/setup-wireguard-host.yml
+EOF
+
+print_success "Archive created at: $ARCHIVE_DIR"
+
+# ========================================
+# Remove Docker Stacks
+# ========================================
+
+print_info "Removing old Docker stacks..."
+
+read -p "Remove WireGuard Docker stack directory? (y/N): " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+    if [ -d "$WIREGUARD_STACK_DIR" ]; then
+        rm -rf "$WIREGUARD_STACK_DIR"
+        print_success "WireGuard Docker stack removed"
+    fi
+fi
+
+read -p "Remove CoreDNS Docker stack directory? (y/N): " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+    if [ -d "$COREDNS_STACK_DIR" ]; then
+        rm -rf "$COREDNS_STACK_DIR"
+        print_success "CoreDNS Docker stack removed"
+    fi
+fi
+
+# ========================================
+# Clean up Docker Resources
+# ========================================
+
+print_info "Cleaning up Docker resources..."
+
+# Remove WireGuard network
+docker network rm wireguard-net 2>/dev/null || print_info "WireGuard network already removed"
+
+# Remove unused volumes
+print_info "Removing unused Docker volumes..."
+docker volume prune -f || print_warning "Could not prune volumes"
+
+# ========================================
+# Summary
+# ========================================
+
+echo ""
+print_success "=========================================="
+print_success "Cleanup Complete!"
+print_success "=========================================="
+echo ""
+echo "Archive Location: $ARCHIVE_DIR"
+echo ""
+print_info "Next Steps:"
+echo "  1. Deploy host-based WireGuard:"
+echo "     cd ${DEPLOYMENT_DIR}/ansible"
+echo "     ansible-playbook playbooks/setup-wireguard-host.yml"
+echo ""
+echo "  2. Generate client configs:"
+echo "     cd ${DEPLOYMENT_DIR}/scripts"
+echo "     sudo ./generate-client-config.sh <device-name>"
+echo ""
+echo "  3. Verify new setup:"
+echo "     sudo wg show wg0"
+echo "     sudo systemctl status wg-quick@wg0"
+echo ""
+print_warning "Old Docker-based VPN is now inactive!"
+print_info "VPN access will be restored after deploying host-based setup"
+echo ""