michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Browse Source 
Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.
This commit is contained in:
Michael Schiemer
2025-11-05 12:48:25 +01:00
parent 7c52065aae
commit 95147ff23e
215 changed files with 29490 additions and 368 deletions
Download Patch File Download Diff File Expand all files Collapse all files

168
deployment/wireguard-old/test-wireguard-docker-container.yml Normal file
View File

@@ -0,0 +1,168 @@
---
- name: Test WireGuard Connection from Docker Container
hosts: production
become: yes
gather_facts: yes
vars:
test_container_name: "wireguard-test-client"
wireguard_config_path: "/tmp/wireguard-test"
tasks:
- name: Validate client name
fail:
msg: "client_name is required. Usage: ansible-playbook ... -e 'client_name=grafana-test'"
when: client_name is not defined or client_name == ""
- name: Check if WireGuard client config exists
stat:
path: "{{ playbook_dir }}/../wireguard-clients/{{ client_name }}.conf"
register: client_config_exists
delegate_to: localhost
become: no
- name: Fail if client config not found
fail:
msg: "Client config not found: {{ playbook_dir }}/../wireguard-clients/{{ client_name }}.conf"
when: not client_config_exists.stat.exists
- name: Read client config
slurp:
src: "{{ playbook_dir }}/../wireguard-clients/{{ client_name }}.conf"
register: client_config_content
delegate_to: localhost
become: no
- name: Extract client IP from config
set_fact:
client_vpn_ip: "{{ (client_config_content.content | b64decode | regex_findall('Address\\s*=\\s*([0-9.]+)') | first) | default('10.8.0.7') }}"
failed_when: false
- name: Display extracted client IP
debug:
msg: "Client VPN IP: {{ client_vpn_ip }}"
- name: Stop and remove existing test container
shell: |
docker stop {{ test_container_name }} || true
docker rm {{ test_container_name }} || true
args:
executable: /bin/bash
ignore_errors: yes
failed_when: false
- name: Create temporary directory for WireGuard config
file:
path: "{{ wireguard_config_path }}"
state: directory
mode: '0700'
- name: Copy client config to server
copy:
content: "{{ client_config_content.content | b64decode }}"
dest: "{{ wireguard_config_path }}/{{ client_name }}.conf"
mode: '0600'
- name: Start WireGuard test container
shell: |
docker run -d \
--name {{ test_container_name }} \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-v {{ wireguard_config_path }}/{{ client_name }}.conf:/etc/wireguard/{{ client_name }}.conf:ro \
--device /dev/net/tun \
ghcr.io/linuxserver/wireguard:latest
args:
executable: /bin/bash
register: container_result
ignore_errors: yes
- name: Wait for container to start
pause:
seconds: 5
- name: Check container status
shell: docker ps -a --filter "name={{ test_container_name }}" --format "{{ '{{' }}.Status{{ '}}' }}"
register: container_status
failed_when: false
- name: Display container status
debug:
msg: "Container Status: {{ container_status.stdout }}"
- name: Get container logs
shell: docker logs {{ test_container_name }} --tail 50
register: container_logs
failed_when: false
- name: Display container logs
debug:
msg: "{{ container_logs.stdout_lines }}"
- name: Test ping to VPN server from container
shell: |
docker exec {{ test_container_name }} ping -c 4 10.8.0.1 || true
register: ping_result
failed_when: false
- name: Display ping result
debug:
msg: "{{ ping_result.stdout_lines }}"
- name: Test curl to Grafana from container
shell: |
docker exec {{ test_container_name }} curl -s -o /dev/null -w "%{http_code}" --max-time 10 https://grafana.michaelschiemer.de/ || echo "FAILED"
register: curl_result
failed_when: false
- name: Display curl result
debug:
msg: "HTTP Status Code: {{ curl_result.stdout }}"
- name: Get container IP
shell: |
docker exec {{ test_container_name }} ip addr show wg0 | grep "inet " | awk '{print $2}' | cut -d/ -f1 || echo "No WireGuard IP"
register: container_wg_ip
failed_when: false
- name: Display container WireGuard IP
debug:
msg: "Container WireGuard IP: {{ container_wg_ip.stdout }}"
- name: Test DNS resolution from container
shell: |
docker exec {{ test_container_name }} nslookup grafana.michaelschiemer.de || true
register: dns_result
failed_when: false
- name: Display DNS result
debug: "{{ dns_result.stdout_lines }}"
- name: Check Traefik logs for container access
shell: |
cd ~/deployment/stacks/traefik
tail -100 logs/access.log | grep -i grafana | tail -10 | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//' | sort -u
register: traefik_client_ips
failed_when: false
- name: Display Traefik client IPs
debug:
msg: "{{ traefik_client_ips.stdout_lines }}"
- name: Cleanup instructions
debug:
msg: |
========================================
TEST ABGESCHLOSSEN
========================================
Container-Name: {{ test_container_name }}
Um Container zu entfernen:
docker stop {{ test_container_name }}
docker rm {{ test_container_name }}
Um Config zu entfernen:
rm -rf {{ wireguard_config_path }}
========================================