refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure: - Remove docker-compose-direct-access.yml (VPN-bound services) - Remove VPN-only middlewares from Grafana, Prometheus, Portainer - Remove WireGuard middleware definitions from Traefik - Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers All monitoring services now publicly accessible via subdomains: - grafana.michaelschiemer.de (with Grafana native auth) - prometheus.michaelschiemer.de (with Basic Auth) - portainer.michaelschiemer.de (with Portainer native auth) All services use Let's Encrypt SSL certificates via Traefik.
2025-11-05 12:48:25 +01:00
parent 7c52065aae
commit 95147ff23e
215 changed files with 29490 additions and 368 deletions
--- a/deployment/stacks/traefik/dynamic/middlewares.yml
+++ b/deployment/stacks/traefik/dynamic/middlewares.yml
@@ -52,25 +52,6 @@ http:
    #       - "127.0.0.1/32"
    #       - "10.0.0.0/8"
    
-    # VPN-only IP allowlist for Grafana and other monitoring services
-    # Restrict access strictly to the WireGuard network
-    # Note: ipAllowList checks the real client IP from the connection
-    # When connected via VPN, client IP should be from 10.8.0.0/24
-    # If client IP shows public IP, the traffic is NOT going through VPN
-    # TEMPORARY: Added public IP for testing - REMOVE after fixing VPN routing!
-    grafana-vpn-only:
-      ipAllowList:
-        sourceRange:
-          - "10.8.0.0/24"      # WireGuard VPN network (10.8.0.1 = server, 10.8.0.x = clients)
-          - "89.246.96.244/32" # TEMPORARY: Public IP for testing - REMOVE after VPN routing is fixed!
-
-    # VPN-only IP allowlist for general use (Traefik Dashboard, etc.)
-    # Restrict access strictly to the WireGuard network
-    vpn-only:
-      ipAllowList:
-        sourceRange:
-          - "10.8.0.0/24"      # WireGuard VPN network
-
    # Chain multiple middlewares
    default-chain:
      chain:
--- a/deployment/stacks/traefik/traefik.yml
+++ b/deployment/stacks/traefik/traefik.yml
@@ -64,10 +64,8 @@ providers:

 # Forwarded Headers Configuration
 # This ensures Traefik correctly identifies the real client IP
-# Important for VPN access where requests come from WireGuard interface
 forwardedHeaders:
  trustedIPs:
-    - "10.8.0.0/24"      # WireGuard VPN network
    - "127.0.0.1/32"     # Localhost
    - "172.17.0.0/16"    # Docker bridge network
    - "172.18.0.0/16"    # Docker user-defined networks