michaelschiemer/deployment/ansible/playbooks/fix-grafana-vpn-routing.yml


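---
# Diagnostics for the Grafana "VPN only" restriction enforced by Traefik.
# Every enabled task only reads logs or configuration on the host; the
# actual removal of the temporary public-IP allowlist entry is left to the
# operator and is printed as instructions by the last task.
- name: Fix Grafana VPN Routing and Remove Temporary IP Allow
  hosts: production
  gather_facts: false
  become: false
  tasks:
    # Access-log lines contain client-controlled data (paths, headers), so
    # the loop uses `read -r` and `printf` to pass them through unmodified
    # instead of letting `read`/`echo` interpret backslashes or options.
    - name: Check recent Grafana access attempts
      shell: |
        cd ~/deployment/stacks/traefik || exit 1
        echo "=== Recent Grafana Access (Last 10 attempts) ==="
        tail -50 logs/access.log | grep grafana | tail -10 | while read -r line; do
          printf '%s\n' "$line" | grep -oP '"ClientHost":"[^"]*"' || echo "Could not parse"
        done
      args:
        executable: /bin/bash
      register: recent_access
      # Best-effort check: never fails the play and never reports a change.
      # `failed_when: false` already covers what `ignore_errors` did.
      failed_when: false
      changed_when: false

    - name: Display recent access attempts
      debug:
        msg: "{{ recent_access.stdout_lines | default([]) }}"

    # Classifies the last few logged client addresses as VPN (10.8.0.0/24)
    # or public. A VPN hit only shows that some requests arrived through the
    # tunnel; it does not show that public access is blocked (see step 5 of
    # the instructions below).
    # NOTE(review): ClientHost is the address Traefik wrote to the access
    # log. If the middleware derives the client IP differently (for example
    # through an ipStrategy), confirm both agree before relying on this.
    # NOTE(review): both messages start with "?", which looks like a status
    # glyph lost in encoding - TODO confirm the intended characters.
    - name: Check if traffic comes from VPN
      shell: |
        cd ~/deployment/stacks/traefik || exit 1
        echo "=== Checking if recent traffic comes from VPN (10.8.0.0/24) ==="
        tail -20 logs/access.log | grep grafana | tail -5 |
          grep -oP '"ClientHost":"[^"]*"' |
          sed 's/"ClientHost":"//;s/"//' |
          while read -r ip; do
            if [[ "$ip" =~ ^10\.8\.0\.[0-9]+$ ]]; then
              echo "? $ip -> VPN traffic (10.8.0.0/24)"
            else
              echo "? $ip -> Public IP (not VPN)"
            fi
          done
      args:
        executable: /bin/bash
      register: vpn_check
      failed_when: false
      changed_when: false

    - name: Display VPN check results
      debug:
        msg: "{{ vpn_check.stdout_lines | default([]) }}"

    # Disabled on purpose. The manual steps printed at the end edit
    # middlewares.yml in place with `sed -i`, so take this backup by hand
    # before following them.
    - name: Backup current middlewares.yml
      shell: |
        cd ~/deployment/stacks/traefik/dynamic || exit 1
        cp middlewares.yml middlewares.yml.backup.$(date +%Y%m%d_%H%M%S)
      args:
        executable: /bin/bash
      when: false  # Skip for now - we'll do this manually

    - name: Check current middleware configuration
      shell: |
        cd ~/deployment/stacks/traefik/dynamic || exit 1
        echo "=== Current grafana-vpn-only Middleware ==="
        grep -A 8 "grafana-vpn-only:" middlewares.yml
      args:
        executable: /bin/bash
      register: middleware_config
      failed_when: false
      changed_when: false

    - name: Display middleware configuration
      debug:
        msg: "{{ middleware_config.stdout_lines | default([]) }}"

    # The sed command is shown to the operator for copy and paste. Inside a
    # double-quoted YAML scalar `\/` is an escape sequence for `/`, so a
    # single backslash would be dropped and the printed command would no
    # longer be valid sed. The backslashes are doubled so the rendered text
    # keeps them, and the dots are escaped so the pattern matches only the
    # literal address.
    - name: Instructions for removing temporary IP
      debug:
        msg:
          - "=== TO REMOVE TEMPORARY IP ALLOWLIST ==="
          - "1. Make sure VPN routing works (DNS = 10.8.0.1 or use hosts file)"
          - "2. Test that traffic comes from VPN (ClientHost: 10.8.0.7)"
          - "3. Remove temporary IP from middlewares.yml:"
          - " cd ~/deployment/stacks/traefik/dynamic"
          - " sed -i '/89\\.246\\.96\\.244\\/32/d' middlewares.yml"
          - "4. Restart Traefik:"
          - " cd ~/deployment/stacks/traefik && docker compose restart traefik"
          - "5. Test: With VPN = OK, Without VPN = 403"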