refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure: - Remove docker-compose-direct-access.yml (VPN-bound services) - Remove VPN-only middlewares from Grafana, Prometheus, Portainer - Remove WireGuard middleware definitions from Traefik - Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers All monitoring services now publicly accessible via subdomains: - grafana.michaelschiemer.de (with Grafana native auth) - prometheus.michaelschiemer.de (with Basic Auth) - portainer.michaelschiemer.de (with Portainer native auth) All services use Let's Encrypt SSL certificates via Traefik.
2025-11-05 12:48:25 +01:00
parent 7c52065aae
commit 95147ff23e
215 changed files with 29490 additions and 368 deletions
--- a/deployment/stacks/wireguard/.env.example
+++ b/deployment/stacks/wireguard/.env.example
@@ -0,0 +1,22 @@
+# WireGuard VPN Configuration
+
+# Server endpoint (auto-detected or set manually)
+SERVERURL=auto
+
+# WireGuard port
+SERVERPORT=51820
+
+# VPN network subnet
+INTERNAL_SUBNET=10.8.0.0/24
+
+# Allowed IPs (VPN network only - no split tunneling)
+ALLOWEDIPS=10.8.0.0/24
+
+# DNS configuration (use host DNS)
+PEERDNS=auto
+
+# Timezone
+TZ=Europe/Berlin
+
+# Peers (managed manually)
+PEERS=0
--- a/deployment/stacks/wireguard/docker-compose.yml
+++ b/deployment/stacks/wireguard/docker-compose.yml
@@ -0,0 +1,49 @@
+services:
+  wireguard:
+    image: linuxserver/wireguard:1.0.20210914
+    container_name: wireguard
+    restart: unless-stopped
+
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+      - SERVERURL=auto
+      - SERVERPORT=51820
+      - PEERS=0  # Managed manually via config files
+      - PEERDNS=auto  # Use host DNS
+      - INTERNAL_SUBNET=10.8.0.0/24
+      - ALLOWEDIPS=10.8.0.0/24  # VPN network only
+      - LOG_CONFS=true
+
+    volumes:
+      - ./config:/config
+      - /lib/modules:/lib/modules:ro
+
+    ports:
+      - "51820:51820/udp"
+
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+
+    healthcheck:
+      test: ["CMD", "bash", "-c", "wg show wg0 | grep -q interface"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+networks:
+  default:
+    name: wireguard-net
+    driver: bridge