Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.
48 lines
1014 B
Markdown
# WireGuard Client Configurations

This directory stores generated client configuration files.

## Security Notice

⚠️ **NEVER commit client configs to Git!**

Client configs contain:
- Private keys
- Preshared keys
- Network topology information

`.gitignore` is configured to exclude all `.conf`, `.key`, `.qr.txt`, and `.qr.png` files.
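
The `.gitignore` rules match on file extension only, so a config saved under another name would still be committed. As an added example (not part of this repository), a pre-commit hook that scans the staged content for key material; the function names and the all-zero sample config are constructed for illustration.

```bash
#!/bin/sh
# Added example, not part of this repository: pre-commit guard that refuses
# to commit WireGuard key material. Install as .git/hooks/pre-commit.

# A WireGuard key is 32 bytes in base64: 43 characters followed by '='.
WG_KEY_RE='^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=[[:space:]]*[A-Za-z0-9+/]{43}='

# Succeeds if the text on stdin contains a private or preshared key line.
has_wg_secret() {
    grep -E -- "$WG_KEY_RE" >/dev/null
}

# Succeeds for file types that cannot be content-scanned reliably:
# raw key files and QR codes, which encode the whole client config.
is_blocked_name() {
    case "$1" in
        *.key|*.qr.txt|*.qr.png) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks every added, copied or modified path in the index. The staged blob
# (":path") is scanned, not the working-tree file, so a key that was staged
# and then edited out on disk is still caught.
check_staged() {
    git diff --cached --name-only --diff-filter=ACM | (
        status=0
        while IFS= read -r path; do
            if is_blocked_name "$path" || git show ":$path" | has_wg_secret; then
                echo "blocked, contains WireGuard secrets: $path" >&2
                status=1
            fi
        done
        exit "$status"
    )
}

# Constructed sample: a client config whose keys are all-zero placeholders.
sample_client_conf() {
    zero_key="$(printf '%043d' 0 | tr 0 A)="
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.8.0.2/32\n' "$zero_key"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\n' "$zero_key" "$zero_key"
}

# Run the check only when this file is executing as the hook itself.
case "$0" in
    */pre-commit) check_staged ;;
esac
```

A local hook can be skipped with `git commit --no-verify`, so it complements the `.gitignore` rules rather than replacing them.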

## Generate New Client

```bash
cd ../../scripts
sudo ./generate-client-config.sh <device-name>
```

Configs will be created here:
- `<device-name>.conf` - WireGuard configuration
- `<device-name>.qr.txt` - QR code (ASCII)
- `<device-name>.qr.png` - QR code (PNG)

## Backup Client Configs

```bash
# Securely backup configs (encrypted)
tar -czf - *.conf | gpg --symmetric --cipher-algo AES256 -o wireguard-clients-backup-$(date +%Y%m%d).tar.gz.gpg
```

## Revoke Client Access

```bash
# On server
sudo nano /etc/wireguard/wg0.conf
# Remove [Peer] section for client

# Reload WireGuard
sudo systemctl reload wg-quick@wg0

# Delete client config
rm <device-name>.*
```