fix: add front network to tools stack for Docker port binding

Docker 29.x does not create DNAT rules for containers only on internal
networks. Add a non-internal 'front' network that outline and n8n join
alongside their internal networks, enabling host port binding to work.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/tools/templates/docker-compose.yml.j2

@@ -2,6 +2,10 @@
 # Do not edit manually; re-run ansible-playbook playbooks/tools.yml
 
 networks:
+  # front — non-internal: needed for Docker port binding to work (expose ports to host)
+  # Docker does not create DNAT rules for containers only on internal networks
+  front:
+    driver: bridge
   outline-internal:
     driver: bridge
     internal: true
@@ -24,6 +28,7 @@ services:
     env_file: .env
     networks:
       - outline-internal
+      - front    # needed for host port binding
     ports:
       # Exposed only to main Traefik (access controlled by UFW)
       - "{{ ip_tools }}:3000:3000"
@@ -92,6 +97,7 @@ services:
     restart: unless-stopped
     networks:
       - n8n-internal
+      - front    # needed for host port binding
     ports:
       # Exposed only to main Traefik (access controlled by UFW)
       - "{{ ip_tools }}:5678:5678"