refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.

deployment/stacks/dns/docker-compose.yml

@@ -1,14 +0,0 @@
-services:
-  coredns:
-    image: coredns/coredns:1.11.1
-    container_name: coredns
-    restart: unless-stopped
-    network_mode: host
-    command: -conf /etc/coredns/Corefile
-    volumes:
-      - ./Corefile:/etc/coredns/Corefile:ro
-    healthcheck:
-      # Disable healthcheck - CoreDNS is a minimal image without shell
-      # CoreDNS runs fine (verified by DNS queries working correctly)
-      # If needed, health can be checked externally via dig
-      disable: true

deployment/stacks/monitoring/docker-compose-direct-access.yml

@@ -1,141 +0,0 @@
-services:
-  portainer:
-    image: portainer/portainer-ce:latest
-    container_name: portainer
-    restart: unless-stopped
-    # DIRECT ACCESS: Bind only to VPN gateway IP
-    ports:
-      - "10.8.0.1:9002:9000"  # Port 9002 to avoid conflict with MinIO (port 9000)
-    networks:
-      - monitoring-internal
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - portainer-data:/data
-    # Removed Traefik labels - direct access only
-
-  prometheus:
-    image: prom/prometheus:latest
-    container_name: prometheus
-    restart: unless-stopped
-    user: "65534:65534"
-    # DIRECT ACCESS: Bind only to VPN gateway IP
-    ports:
-      - "10.8.0.1:9090:9090"
-    networks:
-      - monitoring-internal
-      - app-internal
-    volumes:
-      - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
-      - ./prometheus/alerts.yml:/etc/prometheus/alerts.yml:ro
-      - prometheus-data:/prometheus
-    command:
-      - '--config.file=/etc/prometheus/prometheus.yml'
-      - '--storage.tsdb.path=/prometheus'
-      - '--storage.tsdb.retention.time=30d'
-      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
-      - '--web.console.templates=/usr/share/prometheus/consoles'
-      - '--web.enable-lifecycle'
-    # Removed Traefik labels - direct access only
-    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9090/-/healthy"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-
-  grafana:
-    image: grafana/grafana:latest
-    container_name: grafana
-    restart: unless-stopped
-    # DIRECT ACCESS: Bind only to VPN gateway IP
-    ports:
-      - "10.8.0.1:3001:3000"
-    networks:
-      - monitoring-internal
-      - app-internal
-    environment:
-      # Updated root URL for direct IP access
-      - GF_SERVER_ROOT_URL=http://10.8.0.1:3001
-      - GF_SECURITY_ADMIN_USER=${GRAFANA_ADMIN_USER}
-      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD}
-      - GF_USERS_ALLOW_SIGN_UP=false
-      - GF_INSTALL_PLUGINS=${GRAFANA_PLUGINS}
-      - GF_LOG_LEVEL=info
-      - GF_ANALYTICS_REPORTING_ENABLED=false
-      # Performance: Disable external connections to grafana.com
-      - GF_PLUGIN_GRAFANA_COM_URL=
-      - GF_CHECK_FOR_UPDATES=false
-      - GF_CHECK_FOR_PLUGIN_UPDATES=false
-      # Disable background plugin installer completely
-      - GF_FEATURE_TOGGLES_ENABLE=disablePluginInstaller
-      - GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS=
-    volumes:
-      - grafana-data:/var/lib/grafana
-      - ./grafana/grafana.ini:/etc/grafana/grafana.ini:ro
-      - ./grafana/provisioning:/etc/grafana/provisioning:ro
-      - ./grafana/dashboards:/var/lib/grafana/dashboards:ro
-    # Removed Traefik labels - direct access only
-    depends_on:
-      prometheus:
-        condition: service_healthy
-    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000/api/health"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-
-  node-exporter:
-    image: prom/node-exporter:latest
-    container_name: node-exporter
-    restart: unless-stopped
-    networks:
-      - app-internal
-    volumes:
-      - /proc:/host/proc:ro
-      - /sys:/host/sys:ro
-      - /:/rootfs:ro
-    command:
-      - '--path.procfs=/host/proc'
-      - '--path.sysfs=/host/sys'
-      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
-    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9100/metrics"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-
-  cadvisor:
-    image: gcr.io/cadvisor/cadvisor:latest
-    container_name: cadvisor
-    restart: unless-stopped
-    privileged: true
-    networks:
-      - app-internal
-    volumes:
-      - /:/rootfs:ro
-      - /var/run:/var/run:ro
-      - /sys:/sys:ro
-      - /var/lib/docker/:/var/lib/docker:ro
-      - /dev/disk/:/dev/disk:ro
-    devices:
-      - /dev/kmsg
-    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-
-volumes:
-  portainer-data:
-    name: portainer-data
-  prometheus-data:
-    name: prometheus-data
-  grafana-data:
-    name: grafana-data
-
-networks:
-  # New internal network for monitoring services
-  monitoring-internal:
-    name: monitoring-internal
-    driver: bridge
-  app-internal:
-    external: true

deployment/stacks/monitoring/docker-compose.yml

@@ -41,7 +41,7 @@ services:
       - "traefik.http.routers.prometheus.entrypoints=websecure"
       - "traefik.http.routers.prometheus.tls=true"
       - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.prometheus.middlewares=prometheus-auth"
+      - "traefik.http.routers.prometheus.middlewares=prometheus-auth@docker"
       - "traefik.http.middlewares.prometheus-auth.basicauth.users=${PROMETHEUS_AUTH}"
       - "traefik.http.services.prometheus.loadbalancer.server.port=9090"
     healthcheck:
@@ -75,9 +75,6 @@ services:
       - "traefik.http.routers.grafana.entrypoints=websecure"
       - "traefik.http.routers.grafana.tls=true"
       - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
-      # VPN IP whitelist: Use middleware defined in Traefik dynamic config
-      # Middleware is defined in deployment/stacks/traefik/dynamic/middlewares.yml
-      - "traefik.http.routers.grafana.middlewares=grafana-vpn-only@file"
       - "traefik.http.services.grafana.loadbalancer.server.port=3000"
     depends_on:
       prometheus:

deployment/stacks/traefik/dynamic/middlewares.yml

@@ -52,25 +52,6 @@ http:
     #       - "127.0.0.1/32"
     #       - "10.0.0.0/8"
     
-    # VPN-only IP allowlist for Grafana and other monitoring services
-    # Restrict access strictly to the WireGuard network
-    # Note: ipAllowList checks the real client IP from the connection
-    # When connected via VPN, client IP should be from 10.8.0.0/24
-    # If client IP shows public IP, the traffic is NOT going through VPN
-    # TEMPORARY: Added public IP for testing - REMOVE after fixing VPN routing!
-    grafana-vpn-only:
-      ipAllowList:
-        sourceRange:
-          - "10.8.0.0/24"      # WireGuard VPN network (10.8.0.1 = server, 10.8.0.x = clients)
-          - "89.246.96.244/32" # TEMPORARY: Public IP for testing - REMOVE after VPN routing is fixed!
-
-    # VPN-only IP allowlist for general use (Traefik Dashboard, etc.)
-    # Restrict access strictly to the WireGuard network
-    vpn-only:
-      ipAllowList:
-        sourceRange:
-          - "10.8.0.0/24"      # WireGuard VPN network
-
     # Chain multiple middlewares
     default-chain:
       chain:

deployment/stacks/traefik/traefik.yml

@@ -64,10 +64,8 @@ providers:
 
 # Forwarded Headers Configuration
 # This ensures Traefik correctly identifies the real client IP
-# Important for VPN access where requests come from WireGuard interface
 forwardedHeaders:
   trustedIPs:
-    - "10.8.0.0/24"      # WireGuard VPN network
     - "127.0.0.1/32"     # Localhost
     - "172.17.0.0/16"    # Docker bridge network
     - "172.18.0.0/16"    # Docker user-defined networks

deployment/stacks/wireguard/.env.example

@@ -0,0 +1,22 @@
+# WireGuard VPN Configuration
+
+# Server endpoint (auto-detected or set manually)
+SERVERURL=auto
+
+# WireGuard port
+SERVERPORT=51820
+
+# VPN network subnet
+INTERNAL_SUBNET=10.8.0.0/24
+
+# Allowed IPs (VPN network only - no split tunneling)
+ALLOWEDIPS=10.8.0.0/24
+
+# DNS configuration (use host DNS)
+PEERDNS=auto
+
+# Timezone
+TZ=Europe/Berlin
+
+# Peers (managed manually)
+PEERS=0

deployment/stacks/wireguard/docker-compose.yml

@@ -0,0 +1,49 @@
+services:
+  wireguard:
+    image: linuxserver/wireguard:1.0.20210914
+    container_name: wireguard
+    restart: unless-stopped
+
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+      - SERVERURL=auto
+      - SERVERPORT=51820
+      - PEERS=0  # Managed manually via config files
+      - PEERDNS=auto  # Use host DNS
+      - INTERNAL_SUBNET=10.8.0.0/24
+      - ALLOWEDIPS=10.8.0.0/24  # VPN network only
+      - LOG_CONFS=true
+
+    volumes:
+      - ./config:/config
+      - /lib/modules:/lib/modules:ro
+
+    ports:
+      - "51820:51820/udp"
+
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+
+    healthcheck:
+      test: ["CMD", "bash", "-c", "wg show wg0 | grep -q interface"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+networks:
+  default:
+    name: wireguard-net
+    driver: bridge