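---
# Purpose: take the temporary public-IP entry out of the "grafana-vpn-only"
# Traefik middleware so Grafana is reachable only through the VPN client range
# (10.8.0.0/24), then restart Traefik and report its status.
# Runs unprivileged against ~/deployment/stacks/traefik on the target host.
#
# Ordering matters: backup -> remove entry -> assert entry is gone -> validate
# the dynamic config file -> restart. A failed assertion or validation stops the
# play before Traefik is restarted, so a broken middlewares.yml never goes live.
- name: Remove Temporary IP Allowlist from Grafana - Make VPN-Only
  hosts: production
  gather_facts: false
  become: false

  vars:
    # The allowlist entry that was added temporarily; quoted so it stays a string.
    temp_allowlist_ip: "89.246.96.244/32"
    # Deployment layout on the target host; the dynamic directory holds middlewares.yml.
    traefik_dir: ~/deployment/stacks/traefik
    traefik_dynamic_dir: ~/deployment/stacks/traefik/dynamic

  tasks:
    # --- Diagnostics (read-only): who reached Grafana recently ---
    - name: Check recent Grafana access attempts
      shell: |
        echo "=== Recent Grafana Access (Last 5 attempts) ==="
        tail -30 logs/access.log | grep grafana | tail -5 | grep -oP '"ClientHost":"[^"]*"' | head -5
      args:
        executable: /bin/bash
        chdir: "{{ traefik_dir }}"
      register: recent_ips
      changed_when: false
      # No grafana lines in the log makes grep exit 1; that is not a failure here.
      failed_when: false

    - name: Display recent client IPs
      debug:
        msg: "{{ recent_ips.stdout_lines }}"

    - name: Check if any traffic comes from VPN
      shell: |
        tail -20 logs/access.log | grep grafana | tail -5 | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//' | while read ip; do
          if [[ "$ip" =~ ^10\.8\.0\.[0-9]+$ ]]; then
            echo "? Found VPN IP: $ip"
          else
            echo "? Found public IP: $ip (not VPN)"
          fi
        done
      args:
        executable: /bin/bash
        chdir: "{{ traefik_dir }}"
      register: vpn_check
      changed_when: false
      failed_when: false

    - name: Display VPN check
      debug:
        msg: "{{ vpn_check.stdout_lines }}"

    # --- Change: back up, remove the entry, prove it is gone ---
    - name: Backup middlewares.yml
      shell: |
        cp middlewares.yml "middlewares.yml.backup.before-remove-temp-ip.$(date +%Y%m%d_%H%M%S)"
        echo "Backup created"
      args:
        executable: /bin/bash
        chdir: "{{ traefik_dynamic_dir }}"

    - name: Remove temporary IP from grafana-vpn-only middleware
      # regex_escape makes the dots literal; an unescaped "89.246.96.244" pattern
      # would match any character in those positions. state=absent drops every
      # line that contains the entry, matching the previous sed '/.../d' behaviour.
      lineinfile:
        path: "{{ traefik_dynamic_dir }}/middlewares.yml"
        regexp: "{{ temp_allowlist_ip | regex_escape }}"
        state: absent
      register: temp_ip_removal

    - name: Assert the temporary IP is no longer present
      command: grep -F "{{ temp_allowlist_ip }}" middlewares.yml
      args:
        chdir: "{{ traefik_dynamic_dir }}"
      register: leftover_ip
      changed_when: false
      # grep exits 1 only when nothing matched; 0 means the entry is still there,
      # 2 means grep itself failed. Either of those must stop the play.
      failed_when: leftover_ip.rc != 1

    - name: Verify middleware configuration
      shell: |
        echo "=== Updated grafana-vpn-only Middleware ==="
        grep -A 6 "grafana-vpn-only:" middlewares.yml
      args:
        executable: /bin/bash
        chdir: "{{ traefik_dynamic_dir }}"
      register: updated_middleware
      changed_when: false
      failed_when: false

    - name: Display updated middleware
      debug:
        msg: "{{ updated_middleware.stdout_lines }}"

    - name: Validate YAML syntax
      command: python3 -c "import yaml; yaml.safe_load(open('middlewares.yml')); print('YAML valid')"
      args:
        chdir: "{{ traefik_dynamic_dir }}"
      register: yaml_validation
      changed_when: false
      # Intentionally NOT ignored: a file that does not parse must not be handed
      # to Traefik. On failure, restore from the backup created above.

    - name: Display YAML validation
      debug:
        msg: "{{ yaml_validation.stdout_lines }}"

    # --- Apply and report ---
    - name: Restart Traefik to apply changes
      command: docker compose restart traefik
      args:
        chdir: "{{ traefik_dir }}"
      register: traefik_restart

    - name: Wait for Traefik to restart
      pause:
        seconds: 5

    - name: Verify Traefik status
      command: docker compose ps traefik
      args:
        chdir: "{{ traefik_dir }}"
      register: traefik_status
      changed_when: false

    - name: Display Traefik status
      debug:
        msg: "{{ traefik_status.stdout_lines }}"

    - name: Final instructions
      debug:
        msg:
          - "=== TEMPORARY IP REMOVED ==="
          - "Grafana should now be VPN-only"
          - ""
          - "Test:"
          - "1. With VPN: https://grafana.michaelschiemer.de should work ?"
          - "2. Without VPN: https://grafana.michaelschiemer.de should give 403 ?"
          - ""
          - "If it doesn't work:"
          - "- Check that VPN routing works (DNS = 10.8.0.1 or use hosts file)"
          - "- Check Traefik logs: tail -f ~/deployment/stacks/traefik/logs/access.log | grep grafana"
          - "- Restore backup if needed: cp middlewares.yml.backup.* middlewares.yml"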