feat: add PHP ini management system and update infrastructure configs

- Add PHP ini management classes (Access, IniDirective, IniKey, PhpIni)
- Update deployment configurations (Wireguard, Traefik, Monitoring)
- Add DNS stack and Ansible role
- Add deployment debugging playbooks
- Update framework components (FilePath, RedisConnectionPool)
- Update .gitignore and documentation

deployment/ansible/templates/dns-Corefile.j2

@@ -0,0 +1,15 @@
+. {
+    log
+    errors
+    health :8053
+    hosts {
+{% for record in dns_records %}
+        {{ record.address }} {{ record.host }}
+{% endfor %}
+        fallthrough
+    }
+{% if dns_forwarders | length > 0 %}
+    forward . {{ dns_forwarders | join(' ') }}
+{% endif %}
+    cache 30
+}

deployment/ansible/templates/traefik-middlewares.yml.j2

@@ -0,0 +1,82 @@
+# Dynamic Middleware Configuration
+
+http:
+  middlewares:
+    # Security headers for all services
+    security-headers-global:
+      headers:
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        customFrameOptionsValue: "SAMEORIGIN"
+        contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+        referrerPolicy: "strict-origin-when-cross-origin"
+        permissionsPolicy: "geolocation=(), microphone=(), camera=()"
+
+    # Compression for better performance
+    gzip-compression:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+
+    # Rate limiting - strict
+    rate-limit-strict:
+      rateLimit:
+        average: 50
+        burst: 25
+        period: 1s
+
+    # Rate limiting - moderate
+    rate-limit-moderate:
+      rateLimit:
+        average: 100
+        burst: 50
+        period: 1s
+
+    # Rate limiting - lenient
+    rate-limit-lenient:
+      rateLimit:
+        average: 200
+        burst: 100
+        period: 1s
+
+    # IP whitelist for admin services (example)
+    # Uncomment and adjust for production
+    # admin-whitelist:
+    #   ipWhiteList:
+    #     sourceRange:
+    #       - "127.0.0.1/32"
+    #       - "10.0.0.0/8"
+    
+    # VPN-only IP whitelist for Grafana and other monitoring services
+    # Restrict access strictly to the WireGuard VPN network
+    grafana-vpn-only:
+      ipWhiteList:
+        sourceRange:
+          - "{{ vpn_network }}"      # WireGuard VPN network
+
+    # VPN-only IP whitelist for general use (Traefik Dashboard, etc.)
+    # Restrict access strictly to the WireGuard network
+    vpn-only:
+      ipWhiteList:
+        sourceRange:
+          - "{{ vpn_network }}"      # WireGuard VPN network
+
+    # Chain multiple middlewares
+    default-chain:
+      chain:
+        middlewares:
+          - security-headers-global
+          - gzip-compression
+
+    admin-chain:
+      chain:
+        middlewares:
+          - security-headers-global
+          - gzip-compression
+          - rate-limit-strict
+          # - admin-whitelist  # Uncomment for IP whitelisting

deployment/ansible/templates/wireguard-client.conf.j2

@@ -8,8 +8,8 @@ PrivateKey = {{ client_private_key.stdout }}
 # Client IP address in VPN network
 Address = {{ client_ip }}/24
 
-# DNS server (optional)
-DNS = 1.1.1.1, 8.8.8.8
+# DNS server (VPN internal resolver)
+DNS = {{ wireguard_dns_servers | join(', ') }}
 
 [Peer]
 # Server public key
@@ -24,4 +24,4 @@ Endpoint = {{ server_external_ip_content }}:{{ wireguard_port }}
 AllowedIPs = {{ allowed_ips }}
 
 # Keep connection alive
-PersistentKeepalive = 25
+PersistentKeepalive = 25