refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.

deployment/wireguard-old/add-wireguard-client.yml

@@ -0,0 +1,205 @@
+---
+- name: Add WireGuard Client
+  hosts: production
+  become: yes
+  gather_facts: yes
+
+  vars:
+    wireguard_interface: "wg0"
+    wireguard_config_path: "/etc/wireguard"
+    wireguard_config_file: "{{ wireguard_config_path }}/{{ wireguard_interface }}.conf"
+    wireguard_client_configs_path: "/etc/wireguard/clients"
+    wireguard_local_client_configs_dir: "{{ playbook_dir }}/../wireguard-clients"
+    wireguard_dns_servers: []
+
+  pre_tasks:
+    - name: Set WireGuard network
+      set_fact:
+        wireguard_network: "{{ wireguard_network | default('10.8.0.0/24') }}"
+
+    - name: Set WireGuard other variables with defaults
+      set_fact:
+        wireguard_port: "{{ wireguard_port | default(51820) }}"
+        client_ip: "{{ client_ip | default('') }}"
+        # IMPORTANT: Default to VPN network only (not 0.0.0.0/0)
+        # This ensures SSH access via normal IP remains available
+        allowed_ips: "{{ allowed_ips | default(wireguard_network) }}"
+
+  tasks:
+    - name: Validate client name
+      fail:
+        msg: "client_name is required. Usage: ansible-playbook ... -e 'client_name=myclient'"
+      when: client_name is not defined or client_name == ""
+
+    - name: Get server external IP address
+      uri:
+        url: https://api.ipify.org
+        return_content: yes
+      register: server_external_ip
+      changed_when: false
+      failed_when: false
+
+    - name: Set server external IP
+      set_fact:
+        server_external_ip_content: "{{ ansible_host | default(server_external_ip.content | default('')) }}"
+
+    - name: Check if WireGuard config exists
+      stat:
+        path: "{{ wireguard_config_file }}"
+      register: wireguard_config_exists
+
+    - name: Fail if WireGuard not configured
+      fail:
+        msg: "WireGuard server not configured. Please run setup-wireguard.yml first."
+      when: not wireguard_config_exists.stat.exists
+
+    - name: Read WireGuard server config
+      slurp:
+        src: "{{ wireguard_config_file }}"
+      register: wireguard_server_config_read
+
+    - name: Extract server IP from config
+      set_fact:
+        server_vpn_ip: "{{ (wireguard_server_config_read.content | b64decode | regex_search('Address = ([0-9.]+)', '\\1')) | first | default('10.8.0.1') }}"
+
+    - name: Extract WireGuard server IP octets
+      set_fact:
+        wireguard_server_ip_octets: "{{ server_vpn_ip.split('.') }}"
+      when: client_ip == ""
+
+    - name: Gather existing client addresses
+      set_fact:
+        existing_client_ips: "{{ (wireguard_server_config_read.content | b64decode | regex_findall('AllowedIPs = ([0-9A-Za-z.]+)/32', '\\1')) }}"
+      when: client_ip == ""
+
+    - name: Calculate client IP if not provided
+      vars:
+        existing_last_octets: "{{ (existing_client_ips | default([])) | map('regex_replace', '^(?:\\d+\\.\\d+\\.\\d+\\.)', '') | select('match', '^[0-9]+$') | map('int') | list }}"
+        server_last_octet: "{{ wireguard_server_ip_octets[3] | int }}"
+        next_octet_candidate: "{{ (existing_last_octets + [server_last_octet]) | map('int') | list | max + 1 if (existing_last_octets + [server_last_octet]) else server_last_octet + 1 }}"
+      set_fact:
+        client_ip: "{{ [
+          wireguard_server_ip_octets[0],
+          wireguard_server_ip_octets[1],
+          wireguard_server_ip_octets[2],
+          next_octet_candidate
+        ] | join('.') }}"
+      when: client_ip == ""
+
+    - name: Generate client private key
+      command: "wg genkey"
+      register: client_private_key
+      changed_when: true
+      no_log: yes
+
+    - name: Generate client public key
+      command: "wg pubkey"
+      args:
+        stdin: "{{ client_private_key.stdout }}"
+      register: client_public_key
+      changed_when: false
+      no_log: yes
+
+    - name: Add client to WireGuard server config
+      blockinfile:
+        path: "{{ wireguard_config_file }}"
+        block: |
+          # Client: {{ client_name }}
+          [Peer]
+          PublicKey = {{ client_public_key.stdout }}
+          AllowedIPs = {{ client_ip }}/32
+        marker: "# {mark} ANSIBLE MANAGED BLOCK - Client: {{ client_name }}"
+      register: wireguard_client_block
+
+    - name: Ensure client configs directory exists
+      file:
+        path: "{{ wireguard_client_configs_path }}"
+        state: directory
+        mode: '0700'
+        owner: root
+        group: root
+
+    - name: Ensure local client configs directory exists
+      file:
+        path: "{{ wireguard_local_client_configs_dir }}"
+        state: directory
+        mode: '0700'
+      delegate_to: localhost
+      become: no
+      run_once: true
+
+    - name: Get server public key
+      shell: "cat {{ wireguard_config_path }}/{{ wireguard_interface }}_private.key | wg pubkey"
+      register: server_public_key_cmd
+      changed_when: false
+      no_log: yes
+      failed_when: false
+
+    - name: Create client configuration file
+      template:
+        src: "{{ playbook_dir }}/../templates/wireguard-client.conf.j2"
+        dest: "{{ wireguard_client_configs_path }}/{{ client_name }}.conf"
+        mode: '0600'
+        owner: root
+        group: root
+
+    - name: Download client configuration to control machine
+      fetch:
+        src: "{{ wireguard_client_configs_path }}/{{ client_name }}.conf"
+        dest: "{{ wireguard_local_client_configs_dir }}/{{ client_name }}.conf"
+        flat: yes
+        mode: '0600'
+
+    - name: Ensure local client configuration has strict permissions
+      file:
+        path: "{{ wireguard_local_client_configs_dir }}/{{ client_name }}.conf"
+        mode: '0600'
+      delegate_to: localhost
+      become: no
+
+    - name: Read WireGuard server config to find server IP
+      slurp:
+        src: "{{ wireguard_config_file }}"
+      register: wireguard_server_config_read
+
+    - name: Restart WireGuard service
+      systemd:
+        name: "wg-quick@{{ wireguard_interface }}"
+        state: restarted
+      when: wireguard_client_block.changed
+
+    - name: Display client configuration
+      debug:
+        msg: |
+          ========================================
+          WireGuard Client Added: {{ client_name }}
+          ========================================
+          
+          Client Configuration File:
+          {{ wireguard_client_configs_path }}/{{ client_name }}.conf
+
+          Local Copy:
+          {{ wireguard_local_client_configs_dir }}/{{ client_name }}.conf
+          
+          Client IP: {{ client_ip }}
+          Server Endpoint: {{ server_external_ip_content }}:{{ wireguard_port }}
+          
+          To use this configuration:
+          1. Copy the config file to your client machine
+          2. Install WireGuard client
+          3. Run: sudo wg-quick up {{ client_name }}
+          
+          Or scan the QR code (if qrencode installed):
+          qrencode -t ansiutf8 < {{ wireguard_client_configs_path }}/{{ client_name }}.conf
+          ========================================
+
+    - name: Generate QR code for client config
+      command: "qrencode -t ansiutf8 -r {{ wireguard_client_configs_path }}/{{ client_name }}.conf"
+      register: qr_code
+      changed_when: false
+      failed_when: false
+
+    - name: Display QR code
+      debug:
+        msg: "{{ qr_code.stdout }}"
+      when: qr_code.rc == 0

deployment/wireguard-old/regenerate-wireguard-client.yml

@@ -0,0 +1,206 @@
+---
+- name: Regenerate WireGuard Client - Fresh Config
+  hosts: production
+  become: yes
+  gather_facts: yes
+
+  vars:
+    wireguard_interface: "wg0"
+    wireguard_config_path: "/etc/wireguard"
+    wireguard_config_file: "{{ wireguard_config_path }}/{{ wireguard_interface }}.conf"
+    wireguard_client_configs_path: "/etc/wireguard/clients"
+    wireguard_local_client_configs_dir: "{{ playbook_dir }}/../wireguard-clients"
+
+  tasks:
+    - name: Validate client name
+      fail:
+        msg: "client_name is required. Usage: ansible-playbook ... -e 'client_name=myclient'"
+      when: client_name is not defined or client_name == ""
+
+    - name: Check if old client config exists
+      stat:
+        path: "{{ wireguard_client_configs_path }}/{{ client_name }}.conf"
+      register: old_client_config
+      failed_when: false
+
+    - name: Backup old client config
+      copy:
+        src: "{{ wireguard_client_configs_path }}/{{ client_name }}.conf"
+        dest: "{{ wireguard_client_configs_path }}/{{ client_name }}.conf.backup-{{ ansible_date_time.epoch }}"
+        remote_src: yes
+      when: old_client_config.stat.exists
+      register: backup_result
+      failed_when: false
+
+    - name: Display backup info
+      debug:
+        msg: "Alte Config wurde gesichert als: {{ backup_result.dest | default('N/A') }}"
+      when: old_client_config.stat.exists
+
+    - name: Remove old client from WireGuard server config
+      shell: |
+        # Entferne den [Peer] Block f?r den Client aus wg0.conf
+        sed -i '/# BEGIN ANSIBLE MANAGED BLOCK - Client: {{ client_name }}/,/^# END ANSIBLE MANAGED BLOCK - Client: {{ client_name }}/d' {{ wireguard_config_file }}
+        # Fallback: Entferne auch ohne Marker
+        sed -i '/# Client: {{ client_name }}/,/{/d' {{ wireguard_config_file }}
+        sed -i '/PublicKey = .*/d' {{ wireguard_config_file }} || true
+        sed -i '/AllowedIPs = .*\/32$/d' {{ wireguard_config_file }} || true
+      args:
+        executable: /bin/bash
+      register: remove_result
+      failed_when: false
+      changed_when: false
+
+    - name: Set WireGuard network
+      set_fact:
+        wireguard_network: "{{ wireguard_network | default('10.8.0.0/24') }}"
+
+    - name: Set WireGuard other variables with defaults
+      set_fact:
+        wireguard_port: "{{ wireguard_port | default(51820) }}"
+        client_ip: "{{ client_ip | default('') }}"
+        allowed_ips: "{{ allowed_ips | default(wireguard_network) }}"
+
+    - name: Get server external IP address
+      uri:
+        url: https://api.ipify.org
+        return_content: yes
+      register: server_external_ip
+      changed_when: false
+      failed_when: false
+
+    - name: Set server external IP
+      set_fact:
+        server_external_ip_content: "{{ ansible_host | default(server_external_ip.content | default('')) }}"
+
+    - name: Read WireGuard server config
+      slurp:
+        src: "{{ wireguard_config_file }}"
+      register: wireguard_server_config_read
+
+    - name: Extract server IP from config
+      set_fact:
+        server_vpn_ip: "{{ (wireguard_server_config_read.content | b64decode | regex_findall('Address\\s*=\\s*([0-9.]+)') | first) | default('10.8.0.1') }}"
+      failed_when: false
+
+    - name: Extract WireGuard server IP octets
+      set_fact:
+        wireguard_server_ip_octets: "{{ (server_vpn_ip | default('')).split('.') }}"
+      when: client_ip == ""
+
+    - name: Fail if server VPN IP is invalid
+      fail:
+        msg: "Server VPN IP '{{ server_vpn_ip }}' ist ungültig – bitte wg0.conf prüfen."
+      when: client_ip == "" and (wireguard_server_ip_octets | length) < 4
+
+    - name: Gather existing client addresses
+      set_fact:
+        existing_client_ips: "{{ (wireguard_server_config_read.content | b64decode | regex_findall('AllowedIPs = ([0-9A-Za-z.]+)/32', '\\\\1')) }}"
+      when: client_ip == ""
+
+    - name: Calculate client IP if not provided
+      vars:
+        existing_last_octets: "{{ (existing_client_ips | default([])) | map('regex_replace', '^(?:\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.)', '') | select('match', '^[0-9]+$') | map('int') | list }}"
+        server_last_octet: "{{ wireguard_server_ip_octets[3] | int }}"
+        next_octet_candidate: "{{ (existing_last_octets + [server_last_octet]) | map('int') | list | max + 1 if (existing_client_ips | default([]) | length > 0) else server_last_octet + 1 }}"
+      set_fact:
+        client_ip: "{{ [
+          wireguard_server_ip_octets[0],
+          wireguard_server_ip_octets[1],
+          wireguard_server_ip_octets[2],
+          next_octet_candidate
+        ] | join('.') }}"
+      when: client_ip == "" and (wireguard_server_ip_octets | length) >= 4
+
+    - name: Generate NEW client private key
+      command: "wg genkey"
+      register: client_private_key
+      changed_when: true
+      no_log: yes
+
+    - name: Generate NEW client public key
+      command: "wg pubkey"
+      args:
+        stdin: "{{ client_private_key.stdout }}"
+      register: client_public_key
+      changed_when: false
+      no_log: yes
+
+    - name: Add NEW client to WireGuard server config
+      blockinfile:
+        path: "{{ wireguard_config_file }}"
+        block: |
+          # Client: {{ client_name }}
+          [Peer]
+          PublicKey = {{ client_public_key.stdout }}
+          AllowedIPs = {{ client_ip }}/32
+        marker: "# {mark} ANSIBLE MANAGED BLOCK - Client: {{ client_name }}"
+      register: wireguard_client_block
+
+    - name: Ensure client configs directory exists
+      file:
+        path: "{{ wireguard_client_configs_path }}"
+        state: directory
+        mode: '0700'
+        owner: root
+        group: root
+
+    - name: Ensure local client configs directory exists
+      file:
+        path: "{{ wireguard_local_client_configs_dir }}"
+        state: directory
+        mode: '0700'
+      delegate_to: localhost
+      become: no
+      run_once: true
+
+    - name: Get server public key
+      shell: "cat {{ wireguard_config_path }}/{{ wireguard_interface }}_private.key | wg pubkey"
+      register: server_public_key_cmd
+      changed_when: false
+      no_log: yes
+      failed_when: false
+
+    - name: Create NEW client configuration file
+      template:
+        src: "{{ playbook_dir }}/../templates/wireguard-client.conf.j2"
+        dest: "{{ wireguard_client_configs_path }}/{{ client_name }}.conf"
+        mode: '0600'
+        owner: root
+        group: root
+
+    - name: Download NEW client configuration to control machine
+      fetch:
+        src: "{{ wireguard_client_configs_path }}/{{ client_name }}.conf"
+        dest: "{{ wireguard_local_client_configs_dir }}/{{ client_name }}.conf"
+        flat: yes
+        mode: '0600'
+
+    - name: Restart WireGuard service
+      systemd:
+        name: "wg-quick@{{ wireguard_interface }}"
+        state: restarted
+
+    - name: Display NEW client configuration
+      debug:
+        msg: |
+          ========================================
+          WireGuard Client REGENERATED: {{ client_name }}
+          ========================================
+          
+          Neue Client-IP: {{ client_ip }}
+          Server Endpoint: {{ server_external_ip_content }}:{{ wireguard_port }}
+          
+          Neue Client-Konfiguration:
+          {{ wireguard_local_client_configs_dir }}/{{ client_name }}.conf
+          
+          WICHTIG:
+          1. Lade die neue Config-Datei herunter
+          2. Importiere sie in WireGuard (ersetze die alte!)
+          3. Verbinde mit dem VPN
+          4. Teste: ping 10.8.0.1
+          5. Teste: https://grafana.michaelschiemer.de
+          
+          Alte Config gesichert als:
+          {{ backup_result.dest | default('N/A') }}
+          ========================================

deployment/wireguard-old/setup-wireguard.yml

@@ -0,0 +1,287 @@
+---
+- name: Setup WireGuard VPN Server
+  hosts: production
+  become: yes
+  gather_facts: yes
+
+  vars:
+    # WireGuard variables are defined in group_vars/production.yml
+    # Can be overridden via -e flag if needed
+    wireguard_port: "{{ wireguard_port_default | default(51820) }}"
+    wireguard_network: "{{ wireguard_network_default | default('10.8.0.0/24') }}"
+    wireguard_server_ip: "{{ wireguard_server_ip_default | default('10.8.0.1') }}"
+
+  pre_tasks:
+
+    - name: Optionally load wireguard secrets from vault
+      include_vars:
+        file: "{{ playbook_dir }}/../secrets/production.vault.yml"
+      no_log: yes
+      ignore_errors: yes
+      delegate_to: localhost
+      become: no
+
+  tasks:
+    - name: Check if WireGuard is already installed
+      command: which wg
+      register: wireguard_installed
+      changed_when: false
+      failed_when: false
+
+    - name: Update package cache
+      apt:
+        update_cache: yes
+        cache_valid_time: 3600
+      when: not wireguard_installed.rc == 0
+
+    - name: Install WireGuard
+      apt:
+        name:
+          - wireguard
+          - wireguard-tools
+          - qrencode
+        state: present
+      when: not wireguard_installed.rc == 0
+      notify: restart wireguard
+
+    - name: Ensure WireGuard config directory exists
+      file:
+        path: "{{ wireguard_config_path }}"
+        state: directory
+        mode: '0700'
+        owner: root
+        group: root
+
+    - name: Ensure WireGuard client configs directory exists
+      file:
+        path: "{{ wireguard_client_configs_path }}"
+        state: directory
+        mode: '0700'
+        owner: root
+        group: root
+
+    - name: Check if WireGuard server keys exist
+      stat:
+        path: "{{ wireguard_private_key_file }}"
+      register: server_private_key_exists
+
+    - name: Generate WireGuard server private key
+      command: "wg genkey"
+      register: server_private_key
+      changed_when: true
+      when: not server_private_key_exists.stat.exists
+      no_log: yes
+
+    - name: Save WireGuard server private key
+      copy:
+        content: "{{ server_private_key.stdout }}"
+        dest: "{{ wireguard_private_key_file }}"
+        mode: '0600'
+        owner: root
+        group: root
+      when: not server_private_key_exists.stat.exists
+      no_log: yes
+
+    - name: Read WireGuard server private key
+      slurp:
+        src: "{{ wireguard_private_key_file }}"
+      register: server_private_key_content
+      when: server_private_key_exists.stat.exists
+
+    - name: Generate WireGuard server public key
+      command: "wg pubkey"
+      args:
+        stdin: "{{ server_private_key.stdout if not server_private_key_exists.stat.exists else server_private_key_content.content | b64decode | trim }}"
+      register: server_public_key
+      changed_when: false
+      when: not server_private_key_exists.stat.exists
+      no_log: yes
+
+    - name: Get existing server public key
+      shell: "cat {{ wireguard_private_key_file }} | wg pubkey"
+      register: existing_server_public_key
+      changed_when: false
+      when: server_private_key_exists.stat.exists
+      no_log: yes
+      failed_when: false
+
+    - name: Set server public key fact
+      set_fact:
+        server_public_key_value: "{{ server_public_key.stdout if not server_private_key_exists.stat.exists else existing_server_public_key.stdout }}"
+
+    - name: Save WireGuard server public key
+      copy:
+        content: "{{ server_public_key_value }}"
+        dest: "{{ wireguard_public_key_file }}"
+        mode: '0644'
+        owner: root
+        group: root
+
+    - name: Enable IP forwarding
+      sysctl:
+        name: net.ipv4.ip_forward
+        value: '1'
+        state: present
+        sysctl_set: yes
+        reload: yes
+      when: wireguard_enable_ip_forwarding
+
+    - name: Make IP forwarding persistent
+      lineinfile:
+        path: /etc/sysctl.conf
+        regexp: '^net\.ipv4\.ip_forward'
+        line: 'net.ipv4.ip_forward=1'
+        state: present
+      when: wireguard_enable_ip_forwarding
+
+    - name: Get server external IP address
+      uri:
+        url: https://api.ipify.org
+        return_content: yes
+      register: server_external_ip
+      changed_when: false
+      failed_when: false
+
+    - name: Set server external IP from inventory if API fails
+      set_fact:
+        server_external_ip_content: "{{ ansible_host | default(server_external_ip.content | default('')) }}"
+      when: server_external_ip.content is defined
+
+    - name: Get server external IP from ansible_host
+      set_fact:
+        server_external_ip_content: "{{ ansible_host }}"
+      when: server_external_ip.content is not defined
+
+    - name: Read server private key for config
+      slurp:
+        src: "{{ wireguard_private_key_file }}"
+      register: server_private_key_file_content
+      when: server_private_key_exists.stat.exists
+
+    - name: Set server private key for template (new key)
+      set_fact:
+        server_private_key_for_config: "{{ server_private_key.stdout }}"
+      when: not server_private_key_exists.stat.exists
+
+    - name: Set server private key for template (existing key)
+      set_fact:
+        server_private_key_for_config: "{{ server_private_key_file_content.content | b64decode | trim }}"
+      when: server_private_key_exists.stat.exists
+
+    - name: Get network interface name
+      shell: "ip route | grep default | awk '{print $5}' | head -1"
+      register: default_interface
+      changed_when: false
+      failed_when: false
+
+    - name: Set default interface
+      set_fact:
+        wireguard_interface_name: "{{ default_interface.stdout | default('eth0') }}"
+
+    - name: Check if WireGuard config exists
+      stat:
+        path: "{{ wireguard_config_file }}"
+      register: wireguard_config_exists
+
+    - name: Create WireGuard server configuration
+      template:
+        src: "{{ playbook_dir }}/../templates/wireguard-server.conf.j2"
+        dest: "{{ wireguard_config_file }}"
+        mode: '0600'
+        owner: root
+        group: root
+      notify: restart wireguard
+
+    - name: Check if WireGuard service is enabled
+      systemd:
+        name: "wg-quick@{{ wireguard_interface }}"
+      register: wireguard_service_status
+      failed_when: false
+      changed_when: false
+
+    - name: Enable WireGuard service
+      systemd:
+        name: "wg-quick@{{ wireguard_interface }}"
+        enabled: yes
+        daemon_reload: yes
+      when: not wireguard_service_status.status.ActiveState is defined or wireguard_service_status.status.ActiveState != 'active'
+
+    - name: Start WireGuard service
+      systemd:
+        name: "wg-quick@{{ wireguard_interface }}"
+        state: started
+      notify: restart wireguard
+
+    - name: Check if UFW firewall is installed
+      command: which ufw
+      register: ufw_installed
+      changed_when: false
+      failed_when: false
+
+    - name: Verify SSH access is allowed in UFW
+      command: "ufw status | grep -q '22/tcp' || echo 'SSH not found'"
+      register: ssh_ufw_check
+      changed_when: false
+      failed_when: false
+      when: ufw_installed.rc == 0
+
+    - name: Warn if SSH is not explicitly allowed
+      debug:
+        msg: |
+          ??  WARNING: SSH (port 22) might not be explicitly allowed in UFW!
+          Please ensure SSH access is configured before proceeding.
+          Run: sudo ufw allow 22/tcp
+      when: ufw_installed.rc == 0 and 'SSH not found' in ssh_ufw_check.stdout
+
+    - name: Allow WireGuard port in UFW firewall
+      ufw:
+        rule: allow
+        port: "{{ wireguard_port }}"
+        proto: udp
+        comment: "WireGuard VPN"
+      when: ufw_installed.rc == 0
+
+    - name: Allow WireGuard port in UFW firewall (alternative)
+      shell: "ufw allow {{ wireguard_port }}/udp comment 'WireGuard VPN'"
+      when: ufw_installed.rc == 0
+      failed_when: false
+      changed_when: false
+
+    - name: Check WireGuard status
+      command: "wg show {{ wireguard_interface }}"
+      register: wireguard_status
+      changed_when: false
+      failed_when: false
+
+    - name: Display WireGuard status
+      debug:
+        msg: |
+          WireGuard Status:
+          {{ wireguard_status.stdout if wireguard_status.rc == 0 else 'WireGuard interface not active' }}
+
+    - name: Display server public key
+      debug:
+        msg: |
+          ========================================
+          WireGuard Server Setup Complete!
+          ========================================
+          
+          Server Public Key:
+          {{ server_public_key_value }}
+          
+          Server IP: {{ wireguard_server_ip }}
+          Server Endpoint: {{ server_external_ip_content }}:{{ wireguard_port }}
+          Network: {{ wireguard_network }}
+          
+          To add a client, run:
+          ansible-playbook -i inventory/production.yml playbooks/add-wireguard-client.yml -e "client_name=myclient"
+          
+          Client configs are stored in:
+          {{ wireguard_client_configs_path }}/
+          ========================================
+
+  handlers:
+    - name: restart wireguard
+      systemd:
+        name: "wg-quick@{{ wireguard_interface }}"
+        state: restarted

deployment/wireguard-old/test-wireguard-docker-container.yml

@@ -0,0 +1,168 @@
+---
+- name: Test WireGuard Connection from Docker Container
+  hosts: production
+  become: yes
+  gather_facts: yes
+
+  vars:
+    test_container_name: "wireguard-test-client"
+    wireguard_config_path: "/tmp/wireguard-test"
+
+  tasks:
+    - name: Validate client name
+      fail:
+        msg: "client_name is required. Usage: ansible-playbook ... -e 'client_name=grafana-test'"
+      when: client_name is not defined or client_name == ""
+
+    - name: Check if WireGuard client config exists
+      stat:
+        path: "{{ playbook_dir }}/../wireguard-clients/{{ client_name }}.conf"
+      register: client_config_exists
+      delegate_to: localhost
+      become: no
+
+    - name: Fail if client config not found
+      fail:
+        msg: "Client config not found: {{ playbook_dir }}/../wireguard-clients/{{ client_name }}.conf"
+      when: not client_config_exists.stat.exists
+
+    - name: Read client config
+      slurp:
+        src: "{{ playbook_dir }}/../wireguard-clients/{{ client_name }}.conf"
+      register: client_config_content
+      delegate_to: localhost
+      become: no
+
+    - name: Extract client IP from config
+      set_fact:
+        client_vpn_ip: "{{ (client_config_content.content | b64decode | regex_findall('Address\\s*=\\s*([0-9.]+)') | first) | default('10.8.0.7') }}"
+      failed_when: false
+
+    - name: Display extracted client IP
+      debug:
+        msg: "Client VPN IP: {{ client_vpn_ip }}"
+
+    - name: Stop and remove existing test container
+      shell: |
+        docker stop {{ test_container_name }} || true
+        docker rm {{ test_container_name }} || true
+      args:
+        executable: /bin/bash
+      ignore_errors: yes
+      failed_when: false
+
+    - name: Create temporary directory for WireGuard config
+      file:
+        path: "{{ wireguard_config_path }}"
+        state: directory
+        mode: '0700'
+
+    - name: Copy client config to server
+      copy:
+        content: "{{ client_config_content.content | b64decode }}"
+        dest: "{{ wireguard_config_path }}/{{ client_name }}.conf"
+        mode: '0600'
+
+    - name: Start WireGuard test container
+      shell: |
+        docker run -d \
+          --name {{ test_container_name }} \
+          --cap-add=NET_ADMIN \
+          --cap-add=SYS_MODULE \
+          --sysctl net.ipv4.conf.all.src_valid_mark=1 \
+          -v {{ wireguard_config_path }}/{{ client_name }}.conf:/etc/wireguard/{{ client_name }}.conf:ro \
+          --device /dev/net/tun \
+          ghcr.io/linuxserver/wireguard:latest
+      args:
+        executable: /bin/bash
+      register: container_result
+      ignore_errors: yes
+
+    - name: Wait for container to start
+      pause:
+        seconds: 5
+
+    - name: Check container status
+      shell: docker ps -a --filter "name={{ test_container_name }}" --format "{{ '{{' }}.Status{{ '}}' }}"
+      register: container_status
+      failed_when: false
+
+    - name: Display container status
+      debug:
+        msg: "Container Status: {{ container_status.stdout }}"
+
+    - name: Get container logs
+      shell: docker logs {{ test_container_name }} --tail 50
+      register: container_logs
+      failed_when: false
+
+    - name: Display container logs
+      debug:
+        msg: "{{ container_logs.stdout_lines }}"
+
+    - name: Test ping to VPN server from container
+      shell: |
+        docker exec {{ test_container_name }} ping -c 4 10.8.0.1 || true
+      register: ping_result
+      failed_when: false
+
+    - name: Display ping result
+      debug:
+        msg: "{{ ping_result.stdout_lines }}"
+
+    - name: Test curl to Grafana from container
+      shell: |
+        docker exec {{ test_container_name }} curl -s -o /dev/null -w "%{http_code}" --max-time 10 https://grafana.michaelschiemer.de/ || echo "FAILED"
+      register: curl_result
+      failed_when: false
+
+    - name: Display curl result
+      debug:
+        msg: "HTTP Status Code: {{ curl_result.stdout }}"
+
+    - name: Get container IP
+      shell: |
+        docker exec {{ test_container_name }} ip addr show wg0 | grep "inet " | awk '{print $2}' | cut -d/ -f1 || echo "No WireGuard IP"
+      register: container_wg_ip
+      failed_when: false
+
+    - name: Display container WireGuard IP
+      debug:
+        msg: "Container WireGuard IP: {{ container_wg_ip.stdout }}"
+
+    - name: Test DNS resolution from container
+      shell: |
+        docker exec {{ test_container_name }} nslookup grafana.michaelschiemer.de || true
+      register: dns_result
+      failed_when: false
+
+    - name: Display DNS result
+      debug: "{{ dns_result.stdout_lines }}"
+
+    - name: Check Traefik logs for container access
+      shell: |
+        cd ~/deployment/stacks/traefik
+        tail -100 logs/access.log | grep -i grafana | tail -10 | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//' | sort -u
+      register: traefik_client_ips
+      failed_when: false
+
+    - name: Display Traefik client IPs
+      debug:
+        msg: "{{ traefik_client_ips.stdout_lines }}"
+
+    - name: Cleanup instructions
+      debug:
+        msg: |
+          ========================================
+          TEST ABGESCHLOSSEN
+          ========================================
+          
+          Container-Name: {{ test_container_name }}
+          
+          Um Container zu entfernen:
+          docker stop {{ test_container_name }}
+          docker rm {{ test_container_name }}
+          
+          Um Config zu entfernen:
+          rm -rf {{ wireguard_config_path }}
+          ========================================

deployment/wireguard-old/wireguard-client.conf.j2

@@ -0,0 +1,29 @@
+# WireGuard Client Configuration for {{ client_name }}
+# Generated by Ansible - DO NOT EDIT MANUALLY
+
+[Interface]
+# Client private key
+PrivateKey = {{ client_private_key.stdout }}
+
+# Client IP address in VPN network
+Address = {{ client_ip }}/24
+
+{% if wireguard_dns_servers | length > 0 %}
+# DNS servers provided via Ansible (optional)
+DNS = {{ wireguard_dns_servers | join(', ') }}
+{% endif %}
+
+[Peer]
+# Server public key
+PublicKey = {{ server_public_key_cmd.stdout }}
+
+# Server endpoint
+Endpoint = {{ server_external_ip_content }}:{{ wireguard_port }}
+
+# Allowed IPs (routes through VPN)
+# IMPORTANT: Only VPN network is routed through VPN by default
+# SSH access via normal IP ({{ server_external_ip_content }}) remains available
+AllowedIPs = {{ allowed_ips }}
+
+# Keep connection alive
+PersistentKeepalive = 25

deployment/wireguard-old/wireguard-server.conf.j2

@@ -0,0 +1,22 @@
+# WireGuard Server Configuration
+# Generated by Ansible - DO NOT EDIT MANUALLY
+
+[Interface]
+# Server private key
+PrivateKey = {{ server_private_key_for_config }}
+
+# Server IP address in VPN network
+Address = {{ wireguard_server_ip }}/24
+
+# Port to listen on
+ListenPort = {{ wireguard_port }}
+
+# Enable NAT for VPN clients to access internet
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ wireguard_interface_name }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ wireguard_interface_name }} -j MASQUERADE
+
+# Clients will be added here by the add-wireguard-client playbook
+# Example:
+# [Peer]
+# PublicKey = <client_public_key>
+# AllowedIPs = 10.8.0.2/32