From a7b14759af9554bb6b72e96d6e3e769a714d8b2a Mon Sep 17 00:00:00 2001
From: jack <jack@csrx.ru>
Date: Sun, 22 Mar 2026 15:10:52 +0700
Subject: [PATCH] fix: add front network to tools stack for Docker port binding

Docker 29.x does not create DNAT rules for containers only on internal
networks. Add a non-internal 'front' network that outline and n8n join
alongside their internal networks, enabling host port binding to work.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 roles/tools/templates/docker-compose.yml.j2 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/tools/templates/docker-compose.yml.j2 b/roles/tools/templates/docker-compose.yml.j2
index 7b49f33..6191951 100644
--- a/roles/tools/templates/docker-compose.yml.j2
+++ b/roles/tools/templates/docker-compose.yml.j2
@@ -2,6 +2,10 @@
 # Do not edit manually; re-run ansible-playbook playbooks/tools.yml
 
 networks:
+  # front — non-internal: needed for Docker port binding to work (expose ports to host)
+  # Docker does not create DNAT rules for containers only on internal networks
+  front:
+    driver: bridge
   outline-internal:
     driver: bridge
     internal: true
@@ -24,6 +28,7 @@ services:
     env_file: .env
     networks:
       - outline-internal
+      - front    # needed for host port binding
     ports:
       # Exposed only to main Traefik (access controlled by UFW)
       - "{{ ip_tools }}:3000:3000"
@@ -92,6 +97,7 @@ services:
     restart: unless-stopped
     networks:
       - n8n-internal
+      - front    # needed for host port binding
     ports:
       # Exposed only to main Traefik (access controlled by UFW)
       - "{{ ip_tools }}:5678:5678"