refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure: - Remove docker-compose-direct-access.yml (VPN-bound services) - Remove VPN-only middlewares from Grafana, Prometheus, Portainer - Remove WireGuard middleware definitions from Traefik - Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers All monitoring services now publicly accessible via subdomains: - grafana.michaelschiemer.de (with Grafana native auth) - prometheus.michaelschiemer.de (with Basic Auth) - portainer.michaelschiemer.de (with Portainer native auth) All services use Let's Encrypt SSL certificates via Traefik.
2025-11-05 12:48:25 +01:00
parent 7c52065aae
commit 95147ff23e
215 changed files with 29490 additions and 368 deletions
--- a/deployment/wireguard-old/wireguard-client.conf.j2
+++ b/deployment/wireguard-old/wireguard-client.conf.j2
@@ -0,0 +1,29 @@
+# WireGuard Client Configuration for {{ client_name }}
+# Generated by Ansible - DO NOT EDIT MANUALLY
+
+[Interface]
+# Client private key
+PrivateKey = {{ client_private_key.stdout }}
+
+# Client IP address in VPN network
+Address = {{ client_ip }}/24
+
+{% if wireguard_dns_servers | length > 0 %}
+# DNS servers provided via Ansible (optional)
+DNS = {{ wireguard_dns_servers | join(', ') }}
+{% endif %}
+
+[Peer]
+# Server public key
+PublicKey = {{ server_public_key_cmd.stdout }}
+
+# Server endpoint
+Endpoint = {{ server_external_ip_content }}:{{ wireguard_port }}
+
+# Allowed IPs (routes through VPN)
+# IMPORTANT: Only VPN network is routed through VPN by default
+# SSH access via normal IP ({{ server_external_ip_content }}) remains available
+AllowedIPs = {{ allowed_ips }}
+
+# Keep connection alive
+PersistentKeepalive = 25