feat: add PHP ini management system and update infrastructure configs

- Add PHP ini management classes (Access, IniDirective, IniKey, PhpIni) - Update deployment configurations (Wireguard, Traefik, Monitoring) - Add DNS stack and Ansible role - Add deployment debugging playbooks - Update framework components (FilePath, RedisConnectionPool) - Update .gitignore and documentation
2025-11-02 15:29:41 +01:00
parent e628d30fa0
commit edcf509a4f
29 changed files with 926 additions and 39 deletions
--- a/deployment/stacks/traefik/README.md
+++ b/deployment/stacks/traefik/README.md
@@ -11,7 +11,10 @@ Traefik acts as the central reverse proxy for all services, handling:

 ## Services

- **traefik.michaelschiemer.de** - Traefik Dashboard (BasicAuth protected)
+- **traefik.michaelschiemer.de** - Traefik Dashboard (VPN-only + BasicAuth protected)
+  - ?? **Nur ?ber WireGuard VPN erreichbar** (10.8.0.0/24)
+  - Zus?tzlich durch BasicAuth gesch?tzt
+  - ?ffentlicher Zugriff ist blockiert

 ## Prerequisites

@@ -126,6 +129,16 @@ labels:
  - "traefik.http.routers.myapp.middlewares=gzip-compression@file"
 ```

+### VPN-Only Access (WireGuard Network)
+```yaml
+labels:
+  # Restrict access to WireGuard VPN network only (10.8.0.0/24)
+  - "traefik.http.routers.myapp.middlewares=vpn-only@file"
+
+  # Combined: VPN-only + BasicAuth (order matters - VPN check first, then BasicAuth)
+  - "traefik.http.routers.myapp.middlewares=vpn-only@file,traefik-auth"
+```
+
 ### Middleware Chains
 ```yaml
 labels:
--- a/deployment/stacks/traefik/docker-compose.yml
+++ b/deployment/stacks/traefik/docker-compose.yml
@@ -5,11 +5,14 @@ services:
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
-    networks:
-      - traefik-public
-    ports:
-      - "80:80"
-      - "443:443"
+    # Use host network mode to correctly identify client IPs from WireGuard
+    # Without this, Traefik sees Docker bridge IPs instead of real client IPs (10.8.0.x)
+    network_mode: host
+    # When using host network mode, we don't bind ports in docker-compose
+    # Traefik listens directly on host ports 80 and 443
+    # ports:
+    #   - "80:80"
+    #   - "443:443"
    environment:
      - TZ=Europe/Berlin
    volumes:
@@ -27,13 +30,15 @@ services:
      # Enable Traefik for itself
      - "traefik.enable=true"

-      # Dashboard
+      # Dashboard - VPN-only access (WireGuard network required)
+      # Accessible only from WireGuard VPN network (10.8.0.0/24)
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.michaelschiemer.de`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
-      - "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth"
+      # VPN-only + BasicAuth protection (order: vpn-only first, then BasicAuth)
+      - "traefik.http.routers.traefik-dashboard.middlewares=vpn-only@file,traefik-auth"

      # BasicAuth for dashboard (user: admin, password: generate with htpasswd)
      # htpasswd -nb admin your_password
@@ -73,6 +78,5 @@ services:
      retries: 3
      start_period: 10s

-networks:
-  traefik-public:
-    external: true
+# Note: network_mode: host is used, so we don't define networks here
+# Traefik still discovers services via Docker labels using the Docker socket
--- a/deployment/stacks/traefik/dynamic/middlewares.yml
+++ b/deployment/stacks/traefik/dynamic/middlewares.yml
@@ -51,6 +51,20 @@ http:
    #     sourceRange:
    #       - "127.0.0.1/32"
    #       - "10.0.0.0/8"
+    
+    # VPN-only IP whitelist for Grafana and other monitoring services
+    # Restrict access strictly to the WireGuard network
+    grafana-vpn-only:
+      ipWhiteList:
+        sourceRange:
+          - "10.8.0.0/24"      # WireGuard VPN network
+
+    # VPN-only IP whitelist for general use (Traefik Dashboard, etc.)
+    # Restrict access strictly to the WireGuard network
+    vpn-only:
+      ipWhiteList:
+        sourceRange:
+          - "10.8.0.0/24"      # WireGuard VPN network

    # Chain multiple middlewares
    default-chain:
--- a/deployment/stacks/traefik/traefik.yml
+++ b/deployment/stacks/traefik/traefik.yml
@@ -6,9 +6,12 @@ global:
  sendAnonymousUsage: false

 # API and Dashboard
+# Note: insecure: false means API is only accessible via HTTPS (through Traefik itself)
+# No port 8080 needed - dashboard accessible via HTTPS at traefik.michaelschiemer.de
 api:
  dashboard: true
  insecure: false
+  # Dashboard accessible via HTTPS router (no separate HTTP listener needed)

 # Entry Points
 entryPoints:
@@ -26,9 +29,6 @@ entryPoints:
          - main: michaelschiemer.de
            sans:
              - "*.michaelschiemer.de"
-      middlewares:
-        - security-headers@docker
-        - compression@docker

 # Certificate Resolvers
 certificatesResolvers:
@@ -50,13 +50,25 @@ providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
-    network: traefik-public
+    # Network mode is 'host', so we don't specify a network here
+    # Traefik can reach containers directly via their IPs in host network mode
    watch: true

  file:
    directory: /dynamic
    watch: true

+# Forwarded Headers Configuration
+# This ensures Traefik correctly identifies the real client IP
+# Important for VPN access where requests come from WireGuard interface
+forwardedHeaders:
+  trustedIPs:
+    - "10.8.0.0/24"      # WireGuard VPN network
+    - "127.0.0.1/32"     # Localhost
+    - "172.17.0.0/16"    # Docker bridge network
+    - "172.18.0.0/16"    # Docker user-defined networks
+  insecure: false
+
 # Logging
 log:
  level: INFO