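---
# Remove the temporary public-IP allowlist entry from the Grafana Traefik
# middleware so that Grafana is reachable only from the VPN range again.
#
# Flow: show recent access-log client hosts (informational), back up
# middlewares.yml, drop the line holding the temporary IP, confirm it is gone,
# validate the edited YAML, and only then restart Traefik. The play stops
# before the restart if the IP is still present or the file is invalid, so
# Traefik never reloads a still-open or broken allowlist.
- name: Remove Temporary IP Allowlist from Grafana - Make VPN-Only
  hosts: production
  gather_facts: false
  become: false

  vars:
    # Temporary allowlist entry to remove, written exactly as it appears in
    # middlewares.yml. Quoted so YAML never retypes it.
    temp_ip: "89.246.96.244/32"
    # Traefik stack directory on the target host; dynamic config is in dynamic/.
    # '~' is expanded by the shell (unquoted cd) and by Ansible 'path' args.
    traefik_dir: "~/deployment/stacks/traefik"

  tasks:
    - name: Check recent Grafana access attempts
      # Informational only. grep exits 1 when nothing matches, so a failure
      # here must not abort the play; it also changes nothing on the host.
      shell: |
        cd {{ traefik_dir }}
        echo "=== Recent Grafana Access (Last 5 attempts) ==="
        tail -30 logs/access.log | grep grafana | tail -5 | grep -oP '"ClientHost":"[^"]*"' | head -5
      args:
        executable: /bin/bash
      register: recent_ips
      changed_when: false
      failed_when: false

    - name: Display recent client IPs
      debug:
        msg: "{{ recent_ips.stdout_lines }}"

    - name: Check if any traffic comes from VPN
      # Classifies the last few client hosts as VPN (10.8.0.x) or public.
      shell: |
        cd {{ traefik_dir }}
        tail -20 logs/access.log | grep grafana | tail -5 | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//' | while read ip; do
          if [[ "$ip" =~ ^10\.8\.0\.[0-9]+$ ]]; then
            echo "? Found VPN IP: $ip"
          else
            echo "? Found public IP: $ip (not VPN)"
          fi
        done
      args:
        executable: /bin/bash
      register: vpn_check
      changed_when: false
      failed_when: false

    - name: Display VPN check
      debug:
        msg: "{{ vpn_check.stdout_lines }}"

    - name: Backup middlewares.yml
      # Timestamped copy so the previous allowlist can be restored by hand
      # (see the final instructions).
      shell: |
        cd {{ traefik_dir }}/dynamic
        cp middlewares.yml middlewares.yml.backup.before-remove-temp-ip.$(date +%Y%m%d_%H%M%S)
        echo "Backup created"
      args:
        executable: /bin/bash

    - name: Remove temporary IP from grafana-vpn-only middleware
      # regex_escape makes the dots literal; an unescaped sed address such as
      # /89.246.96.244\/32/ would also match other digit sequences.
      lineinfile:
        path: "{{ traefik_dir }}/dynamic/middlewares.yml"
        regexp: "{{ temp_ip | regex_escape }}"
        state: absent
      register: temp_ip_removal

    - name: Confirm temporary IP is no longer present
      # grep -F exits 1 when there is no match. rc 0 means the IP is still
      # there, rc 2 means the file could not be read; both must stop the play.
      command: grep -F "{{ temp_ip }}" middlewares.yml
      args:
        chdir: "{{ traefik_dir }}/dynamic"
      register: temp_ip_check
      changed_when: false
      failed_when: temp_ip_check.rc != 1

    - name: Verify middleware configuration
      shell: |
        cd {{ traefik_dir }}/dynamic
        echo "=== Updated grafana-vpn-only Middleware ==="
        grep -A 6 "grafana-vpn-only:" middlewares.yml
      args:
        executable: /bin/bash
      register: updated_middleware
      changed_when: false
      failed_when: false

    - name: Display updated middleware
      debug:
        msg: "{{ updated_middleware.stdout_lines }}"

    - name: Validate YAML syntax
      # Must succeed before Traefik is restarted; otherwise a broken dynamic
      # config file would be loaded. On failure, restore the backup created above.
      command: python3 -c "import yaml; yaml.safe_load(open('middlewares.yml')); print('YAML valid')"
      args:
        chdir: "{{ traefik_dir }}/dynamic"
      register: yaml_validation
      changed_when: false
      failed_when: yaml_validation.rc != 0

    - name: Display YAML validation
      debug:
        msg: "{{ yaml_validation.stdout_lines }}"

    - name: Restart Traefik to apply changes
      command: docker compose restart traefik
      args:
        chdir: "{{ traefik_dir }}"
      register: traefik_restart

    - name: Wait for Traefik to restart
      pause:
        seconds: 5

    - name: Verify Traefik status
      command: docker compose ps traefik
      args:
        chdir: "{{ traefik_dir }}"
      register: traefik_status
      changed_when: false

    - name: Display Traefik status
      debug:
        msg: "{{ traefik_status.stdout_lines }}"

    - name: Final instructions
      debug:
        msg:
          - "=== TEMPORARY IP REMOVED ==="
          - "Grafana should now be VPN-only"
          - ""
          - "Test:"
          - "1. With VPN: https://grafana.michaelschiemer.de should work ?"
          - "2. Without VPN: https://grafana.michaelschiemer.de should give 403 ?"
          - ""
          - "If it doesn't work:"
          - "- Check that VPN routing works (DNS = 10.8.0.1 or use hosts file)"
          - "- Check Traefik logs: tail -f ~/deployment/stacks/traefik/logs/access.log | grep grafana"
          - "- Restore backup if needed: cp middlewares.yml.backup.* middlewares.yml"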