feat(mazenet): publish gateway service ports via docker

Gateway deckies (forwards_l3=True) are the DMZ's ingress. Their service containers share the base namespace via network_mode:service, so any listener inside the gateway is reachable through the base container's published ports. Emit 'ports: [<p>:<p>, ...]' on the gateway base from svc.ports across the decky's service list. This is the principled replacement for the broken network_mode: host stub — with docker-proxy publishing, the DMZ works on any single-NIC VPS (no MACVLAN, no promiscuous mode required).
2026-04-20 23:07:07 -04:00
parent cc9765e54e
commit 3618c59d08
1 changed files with 13 additions and 0 deletions
--- a/decnet/topology/compose.py
+++ b/decnet/topology/compose.py
@@ -86,6 +86,19 @@ def generate_topology_compose(hydrated: dict[str, Any]) -> dict:
        }
        if forwards_l3:
            base["sysctls"] = {"net.ipv4.ip_forward": 1}
+            # Gateway decky — publish its service ports on the host so
+            # attackers can reach the DMZ via the host's public IP.
+            # Service containers share this base's namespace (see below),
+            # so ports declared here expose every service's listener.
+            published: list[str] = []
+            for svc_name in svc_names:
+                svc = get_service(svc_name)
+                if svc is None or svc.fleet_singleton:
+                    continue
+                for port in svc.ports:
+                    published.append(f"{port}:{port}")
+            if published:
+                base["ports"] = published

        services[base_key] = base