feat: add PHP ini management system and update infrastructure configs

- Add PHP ini management classes (Access, IniDirective, IniKey, PhpIni) - Update deployment configurations (Wireguard, Traefik, Monitoring) - Add DNS stack and Ansible role - Add deployment debugging playbooks - Update framework components (FilePath, RedisConnectionPool) - Update .gitignore and documentation
2025-11-02 15:29:41 +01:00
parent e628d30fa0
commit edcf509a4f
29 changed files with 926 additions and 39 deletions
--- a/deployment/stacks/traefik/docker-compose.yml
+++ b/deployment/stacks/traefik/docker-compose.yml
@@ -5,11 +5,14 @@ services:
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
-    networks:
-      - traefik-public
-    ports:
-      - "80:80"
-      - "443:443"
+    # Use host network mode to correctly identify client IPs from WireGuard
+    # Without this, Traefik sees Docker bridge IPs instead of real client IPs (10.8.0.x)
+    network_mode: host
+    # When using host network mode, we don't bind ports in docker-compose
+    # Traefik listens directly on host ports 80 and 443
+    # ports:
+    #   - "80:80"
+    #   - "443:443"
    environment:
      - TZ=Europe/Berlin
    volumes:
@@ -27,13 +30,15 @@ services:
      # Enable Traefik for itself
      - "traefik.enable=true"

-      # Dashboard
+      # Dashboard - VPN-only access (WireGuard network required)
+      # Accessible only from WireGuard VPN network (10.8.0.0/24)
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.michaelschiemer.de`)"
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
-      - "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth"
+      # VPN-only + BasicAuth protection (order: vpn-only first, then BasicAuth)
+      - "traefik.http.routers.traefik-dashboard.middlewares=vpn-only@file,traefik-auth"

      # BasicAuth for dashboard (user: admin, password: generate with htpasswd)
      # htpasswd -nb admin your_password
@@ -73,6 +78,5 @@ services:
      retries: 3
      start_period: 10s

-networks:
-  traefik-public:
-    external: true
+# Note: network_mode: host is used, so we don't define networks here
+# Traefik still discovers services via Docker labels using the Docker socket