Major additions:
- Storage abstraction layer with filesystem and in-memory implementations
- Gitea API integration with MCP tools for repository management
- Console dialog mode with interactive command execution
- WireGuard VPN DNS fix implementation and documentation
- HTTP client streaming response support
- Router generic result type
- Parameter type validator for framework core

Framework enhancements:
- Console command registry improvements
- Console dialog components
- Method signature analyzer updates
- Route mapper refinements
- MCP server and tool mapper updates
- Queue job chain and dependency commands
- Discovery tokenizer improvements

Infrastructure:
- Deployment architecture documentation
- Ansible playbook updates for WireGuard client regeneration
- Production environment configuration updates
- Docker Compose local configuration updates
- Remove obsolete docker-compose.yml (replaced by environment-specific configs)

Documentation:
- PERMISSIONS.md for access control guidelines
- WireGuard DNS fix implementation details
- Console dialog mode usage guide
- Deployment architecture overview

Testing:
- Multi-purpose attribute tests
- Gitea Actions integration tests (typed and untyped)
# WireGuard DNS Fix - Implementation Status

Status: ✅ Phase 1 COMPLETED - DNS Configuration Added
Date: 2025-01-29
Implemented: DNS configuration in Ansible variables
## What was changed?

### 1. Ansible group variables update

File: `deployment/ansible/group_vars/production.yml`

Change:

```yaml
# WireGuard DNS Configuration
# DNS server for VPN clients (points to VPN server IP)
# This ensures internal services are resolved to VPN IPs
wireguard_dns_servers:
  - "{{ wireguard_server_ip_default }}"
```

Effect:

- The template `wireguard-client.conf.j2` now emits `DNS = 10.8.0.1` in client configs
- The `{% if wireguard_dns_servers | length > 0 %}` condition in the template now evaluates to TRUE
- All newly generated client configs contain the DNS configuration
## How does it work?

### Template logic (already present)

```jinja
{% if wireguard_dns_servers | length > 0 %}
# DNS servers provided via Ansible (optional)
DNS = {{ wireguard_dns_servers | join(', ') }}
{% endif %}
```

### Generated client config (after regeneration)

```ini
[Interface]
PrivateKey = <client_private_key>
Address = 10.8.0.7/24
DNS = 10.8.0.1   # ← NOW INCLUDED!

[Peer]
PublicKey = <server_public_key>
Endpoint = michaelschiemer.de:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
```
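The DNS line only helps if the resolver it names is itself reached through the tunnel. The following check, added here as an example and not part of the project's Ansible code, parses a generated client config and flags both failure modes: no `DNS` line at all (the state this page fixes) and a DNS server that lies outside `AllowedIPs`. The sample config is constructed from the one shown above.

```python
import ipaddress
# Constructed sample: the client config shown above, as generated once
# wireguard_dns_servers is set. Key placeholders are kept as on the page.
CLIENT_CONF_WITH_DNS = """\
[Interface]
PrivateKey = <client_private_key>
Address = 10.8.0.7/24
DNS = 10.8.0.1   # VPN DNS server

[Peer]
PublicKey = <server_public_key>
Endpoint = michaelschiemer.de:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Parse WireGuard's INI-style config into {section: {key: value}};
    trailing '#' comments are stripped and a single [Peer] is assumed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_split_tunnel_dns(text):
    """Return findings for a split-tunnel client config; an empty list means
    a DNS server is set and every one of them is reachable through the tunnel."""
    conf = parse_wg_conf(text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    allowed = [ipaddress.ip_network(n.strip())
               for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    dns_servers = [s.strip() for s in iface.get("DNS", "").split(",") if s.strip()]
    findings = []
    if not dns_servers:
        # The bug this page fixes: without a DNS line the LAN resolver answers with public IPs.
        findings.append("no DNS line: internal names resolve to public IPs")
    for server in dns_servers:
        ip = ipaddress.ip_address(server)
        if not any(ip in net for net in allowed):
            findings.append(f"DNS server {ip} is outside AllowedIPs; queries leave the tunnel")
    return findings
```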
## Expected behaviour

### DNS resolution (Windows client)

```powershell
# After importing the new config:
Get-DnsClientServerAddress | Where-Object {$_.InterfaceAlias -like "*WireGuard*"}

# Expected output:
InterfaceAlias  : WireGuard Tunnel wg0
ServerAddresses : {10.8.0.1}   # ← VPN DNS server
```

### Service resolution

```powershell
Resolve-DnsName grafana.michaelschiemer.de

# Expected output:
Name                        Type   TTL   Section   IPAddress
----                        ----   ---   -------   ---------
grafana.michaelschiemer.de  A      300   Answer    10.8.0.1   # ← VPN IP instead of public IP!
```

### HTTP traffic routing

```text
# Traefik access log (server side):

# BEFORE (without DNS):
89.246.96.244 - - [Date] "GET /grafana HTTP/2.0" 404
↑ Public IP (WRONG)

# AFTER (with DNS):
10.8.0.5 - - [Date] "GET /grafana HTTP/2.0" 200
↑ VPN IP (CORRECT)
```
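To confirm the routing change on the server side beyond reading one log line, this added example (not part of the project) parses Traefik access-log lines in Traefik's default common log format and separates requests for an internal service that arrived from the VPN subnet from those that still arrived from a public address. The four log lines are constructed to mirror the before/after states above; the router name and backend URL in them are placeholders.

```python
import ipaddress
import re

# VPN subnet from the page's WireGuard config; everything else counts as public.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample of Traefik's default (common) access-log format. The first
# line mirrors the "before" state above, the others the "after" state.
SAMPLE_LOG = """\
89.246.96.244 - - [29/Jan/2025:10:00:00 +0000] "GET /grafana HTTP/2.0" 404 19 "-" "-" 1 "-" "-" 3ms
10.8.0.5 - - [29/Jan/2025:10:05:00 +0000] "GET /grafana HTTP/2.0" 200 1024 "-" "-" 2 "grafana@docker" "http://grafana:3000" 12ms
10.8.0.5 - - [29/Jan/2025:10:05:01 +0000] "GET /grafana/api/health HTTP/2.0" 200 55 "-" "-" 3 "grafana@docker" "http://grafana:3000" 4ms
10.8.0.5 - - [29/Jan/2025:10:06:00 +0000] "GET /favicon.ico HTTP/2.0" 200 1150 "-" "-" 4 "grafana@docker" "http://grafana:3000" 2ms
"""

# Only the leading fields matter here: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_access_log(text):
    """Yield (ip, path, status) for each line that matches the log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])

def classify_requests(text, path_prefix="/grafana"):
    """Split requests under path_prefix into (via_vpn, bypassed_vpn).
    A request for an internal service from outside VPN_NET means the client
    still resolved the name to the public IP, i.e. the DNS fix is not effective."""
    via_vpn, bypassed = [], []
    for ip, path, status in parse_access_log(text):
        if not path.startswith(path_prefix):
            continue
        entry = (ip, path, status)
        if ipaddress.ip_address(ip) in VPN_NET:
            via_vpn.append(entry)
        else:
            bypassed.append(entry)
    return via_vpn, bypassed
```

Running this over `docker logs traefik` output after the client import should leave the bypassed list empty for the Grafana path.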
## Next steps (PENDING)

### Phase 2: Regenerate client config

For the Windows client "mikepc":

```bash
cd ~/dev/michaelschiemer/deployment/ansible
ansible-playbook -i inventory/production.yml \
  playbooks/regenerate-wireguard-client.yml \
  -e "client_name=mikepc" \
  -e "client_ip=10.8.0.5"
```

Output:

- Backup: `mikepc.conf.backup-<timestamp>`
- New config: `deployment/ansible/wireguard-clients/mikepc.conf`
- QR code: `deployment/ansible/wireguard-clients/mikepc.png`

### Phase 3: Docker container test (OPTIONAL)

Test the VPN functionality in an isolated environment:

```bash
ansible-playbook -i inventory/production.yml \
  playbooks/test-wireguard-docker-container.yml \
  -e "client_name=mikepc"
```

Verification:

```bash
# Ping test
docker exec wireguard-test-mikepc ping -c 4 10.8.0.1

# DNS test
docker exec wireguard-test-mikepc nslookup grafana.michaelschiemer.de 10.8.0.1

# HTTP test
docker exec wireguard-test-mikepc curl -v https://grafana.michaelschiemer.de
```
### Phase 4: Windows client import

- Open the WireGuard application
- Deactivate tunnel "wg0" (if active)
- Delete tunnel "wg0" (remove the old config)
- Import the new config:
  - "Add Tunnel" → "Import from file"
  - File: `deployment/ansible/wireguard-clients/mikepc.conf`
- Activate tunnel "wg0"

### Phase 5: Verification (Windows)

DNS check:

```powershell
Get-DnsClientServerAddress | Where-Object {$_.InterfaceAlias -like "*WireGuard*"}
# Expected: ServerAddresses = {10.8.0.1}

Resolve-DnsName grafana.michaelschiemer.de
# Expected: IPAddress = 10.8.0.1
```

Browser test:

```text
https://grafana.michaelschiemer.de
```

Expected: Grafana dashboard WITHOUT a 404 error

Server-side verification:

```bash
# Traefik access log
ssh deploy@michaelschiemer.de
docker logs traefik --tail 50 | grep grafana

# Expected:
# 10.8.0.5 - - [Date] "GET /grafana HTTP/2.0" 200
# ↑ VPN IP instead of public IP!
```
## Troubleshooting

### Problem: DNS still not working

Check 1: Verify the config contains the DNS line

```powershell
Get-Content "C:\Path\To\mikepc.conf" | Select-String -Pattern "DNS"
# Expected:
DNS = 10.8.0.1
```

Check 2: Verify Windows uses the VPN DNS

```powershell
Get-DnsClientServerAddress | Format-Table InterfaceAlias, ServerAddresses
# The WireGuard interface should show 10.8.0.1
```

Check 3: Flush the DNS cache

```powershell
ipconfig /flushdns
Clear-DnsClientCache
```

### Problem: VPN connects but still uses the public IP

Check 1: Verify routes

```powershell
Get-NetRoute | Where-Object {$_.DestinationPrefix -eq "10.8.0.0/24"}
# Should exist on the WireGuard interface
```

Check 2: Test DNS resolution

```powershell
Resolve-DnsName grafana.michaelschiemer.de -Server 10.8.0.1
# A direct query to the VPN DNS should work
```

### Problem: Cannot reach grafana.michaelschiemer.de

Check 1: CoreDNS on the server

```bash
ssh deploy@michaelschiemer.de
docker ps | grep coredns
docker logs coredns
```

Check 2: Traefik configuration

```bash
docker logs traefik | grep grafana
# Check for middleware configuration
```
## Rollback plan

If problems occur:

### Rollback client config

```bash
# Restore backup on server
ssh deploy@michaelschiemer.de
cd /etc/wireguard/clients
cp mikepc.conf.backup-<timestamp> mikepc.conf
# Re-import on Windows
```

### Rollback Ansible variables

```bash
git diff deployment/ansible/group_vars/production.yml
git checkout deployment/ansible/group_vars/production.yml
```

## Success criteria

- ✅ DNS configuration added: Ansible variables updated
- ⏳ Client config regenerated: PENDING
- ⏳ Windows client import: PENDING
- ⏳ DNS resolution working: PENDING
- ⏳ HTTP/HTTPS via VPN: PENDING
- ⏳ Traefik shows VPN IP: PENDING
## Alternative options (if the DNS fix fails)

### Option B: Full-tunnel VPN

```ini
# AllowedIPs = 0.0.0.0/0 instead of 10.8.0.0/24
# Routes ALL traffic through the VPN
```

### Option C: Alternative VPN software

- OpenVPN (proven, stable)
- Tailscale (managed, simple)
- ZeroTier (mesh network)

## References

- Implementation plan: `WIREGUARD-IMPLEMENTATION-PLAN.md`
- Original analysis: `WIREGUARD-WINDOWS-ROUTING-FINAL-ANALYSIS.md`
- DNS solution: `WIREGUARD-WINDOWS-DNS-FIX.md`
- Template: `deployment/ansible/templates/wireguard-client.conf.j2`
- Variables: `deployment/ansible/group_vars/production.yml`
## Notes

Why the DNS configuration was missing:

- The template already supported it via `{% if wireguard_dns_servers | length > 0 %}`
- The variable `wireguard_dns_servers` was missing from group_vars
- It is now set to `["{{ wireguard_server_ip_default }}"]` → `["10.8.0.1"]`

Expected effect:

- All new client configs contain `DNS = 10.8.0.1`
- Windows uses the VPN DNS for name resolution
- Internal services (grafana.michaelschiemer.de) resolve to the VPN IP (10.8.0.1)
- HTTP/HTTPS traffic goes over the VPN instead of the public interface

Next critical step: regenerate the client config for "mikepc" and import it on Windows