feat(mazenet): publish gateway service ports via docker

Gateway deckies (forwards_l3=True) are the DMZ's ingress. Their
service containers share the base namespace via network_mode:service,
so any listener inside the gateway is reachable through the base
container's published ports. Emit 'ports: [<p>:<p>, ...]' on the
gateway base from svc.ports across the decky's service list.

This is the principled replacement for the broken network_mode: host
stub — with docker-proxy publishing, the DMZ works on any single-NIC
VPS (no MACVLAN, no promiscuous mode required).

decnet/topology/compose.py

@@ -86,6 +86,19 @@ def generate_topology_compose(hydrated: dict[str, Any]) -> dict:
         }
         if forwards_l3:
             base["sysctls"] = {"net.ipv4.ip_forward": 1}
+            # Gateway decky — publish its service ports on the host so
+            # attackers can reach the DMZ via the host's public IP.
+            # Service containers share this base's namespace (see below),
+            # so ports declared here expose every service's listener.
+            published: list[str] = []
+            for svc_name in svc_names:
+                svc = get_service(svc_name)
+                if svc is None or svc.fleet_singleton:
+                    continue
+                for port in svc.ports:
+                    published.append(f"{port}:{port}")
+            if published:
+                base["ports"] = published
 
         services[base_key] = base