From 3618c59d089c79ec779674b6b111cc21ad510214 Mon Sep 17 00:00:00 2001 From: anti Date: Mon, 20 Apr 2026 23:07:07 -0400 Subject: [PATCH] feat(mazenet): publish gateway service ports via docker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Gateway deckies (forwards_l3=True) are the DMZ's ingress. Their service containers share the base namespace via network_mode:service, so any listener inside the gateway is reachable through the base container's published ports. Emit 'ports: [

:

, ...]' on the gateway base from svc.ports across the decky's service list. This is the principled replacement for the broken network_mode: host stub — with docker-proxy publishing, the DMZ works on any single-NIC VPS (no MACVLAN, no promiscuous mode required).
---
 decnet/topology/compose.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/decnet/topology/compose.py b/decnet/topology/compose.py
index 955e4233..b2fb59dd 100644
--- a/decnet/topology/compose.py
+++ b/decnet/topology/compose.py
@@ -86,6 +86,19 @@ def generate_topology_compose(hydrated: dict[str, Any]) -> dict:
         }
         if forwards_l3:
             base["sysctls"] = {"net.ipv4.ip_forward": 1}
+        # Gateway decky — publish its service ports on the host so
+        # attackers can reach the DMZ via the host's public IP.
+        # Service containers share this base's namespace (see below),
+        # so ports declared here expose every service's listener.
+        published: list[str] = []
+        for svc_name in svc_names:
+            svc = get_service(svc_name)
+            if svc is None or svc.fleet_singleton:
+                continue
+            for port in svc.ports:
+                published.append(f"{port}:{port}")
+        if published:
+            base["ports"] = published
         services[base_key] = base
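Review bot: Each gateway decky emits `f"{port}:{port}"` with no bind address and no collision check, so two services in one decky, or two gateway deckies, that listen on the same port produce a duplicate `ports:` entry or a second wildcard binding of the same host port, and the failure ("port is already allocated") only surfaces from `docker compose up` rather than from generation; dedupe the spec within a decky and track host ports across deckies, raising a ValueError that names both claimants, as sketched below with `host_ports: dict[Any, str] = {}` initialised before the decky loop (generate_topology_compose begins before and continues after this hunk). Because no host IP is given, Docker binds the published ports on every host interface (typically the IPv6 wildcard as well) and admits them through its own DOCKER iptables chain, so a host firewall such as ufw does not gate them — fine if "attackers reach the DMZ via the host's public IP" is the full intent, but worth recording in the comment as `# NOTE: no host IP → Docker binds all interfaces and bypasses host INPUT firewall rules`, or parameterising a bind address from `hydrated` and emitting `f"{bind}:{port}:{port}"` so a lab can be pinned to a VPN interface. The f-string also assumes every entry of `svc.ports` is a bare port number; if entries may carry a protocol suffix such as `53/udp`, the result `53/udp:53/udp` is not a valid Compose port spec and the suffix must be split off before formatting.
```python
        # … unchanged: sysctls …
        published: list[str] = []
        for svc_name in svc_names:
            svc = get_service(svc_name)
            if svc is None or svc.fleet_singleton:
                continue
            for port in svc.ports:
                # One wildcard binding per host port across all gateways.
                owner = host_ports.setdefault(port, base_key)
                if owner != base_key:
                    raise ValueError(
                        f"{base_key}: host port {port} already published by {owner}"
                    )
                spec = f"{port}:{port}"
                if spec not in published:
                    published.append(spec)
        # … unchanged: base["ports"] assignment …
```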