feat: add PHP ini management system and update infrastructure configs

- Add PHP ini management classes (Access, IniDirective, IniKey, PhpIni)
- Update deployment configurations (Wireguard, Traefik, Monitoring)
- Add DNS stack and Ansible role
- Add deployment debugging playbooks
- Update framework components (FilePath, RedisConnectionPool)
- Update .gitignore and documentation

deployment/stacks/traefik/traefik.yml

@@ -6,9 +6,12 @@ global:
   sendAnonymousUsage: false
 
 # API and Dashboard
+# Note: insecure: false means API is only accessible via HTTPS (through Traefik itself)
+# No port 8080 needed - dashboard accessible via HTTPS at traefik.michaelschiemer.de
 api:
   dashboard: true
   insecure: false
+  # Dashboard accessible via HTTPS router (no separate HTTP listener needed)
 
 # Entry Points
 entryPoints:
@@ -26,9 +29,6 @@ entryPoints:
           - main: michaelschiemer.de
             sans:
               - "*.michaelschiemer.de"
-      middlewares:
-        - security-headers@docker
-        - compression@docker
 
 # Certificate Resolvers
 certificatesResolvers:
@@ -50,13 +50,25 @@ providers:
   docker:
     endpoint: "unix:///var/run/docker.sock"
     exposedByDefault: false
-    network: traefik-public
+    # Network mode is 'host', so we don't specify a network here
+    # Traefik can reach containers directly via their IPs in host network mode
     watch: true
 
   file:
     directory: /dynamic
     watch: true
 
+# Forwarded Headers Configuration
+# This ensures Traefik correctly identifies the real client IP
+# Important for VPN access where requests come from WireGuard interface
+forwardedHeaders:
+  trustedIPs:
+    - "10.8.0.0/24"      # WireGuard VPN network
+    - "127.0.0.1/32"     # Localhost
+    - "172.17.0.0/16"    # Docker bridge network
+    - "172.18.0.0/16"    # Docker user-defined networks
+  insecure: false
+
 # Logging
 log:
   level: INFO