diff --git a/.env.sample b/.env.sample
index 5f97943..af8e523 100644
--- a/.env.sample
+++ b/.env.sample
@@ -19,8 +19,14 @@ COMPOSE_FILE="compose.yml"
 # General settings #
 #####################################################################
 
-## Host-mode networking
-#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
+## Ingress-mode port publishing for ports 80 and 443
+##
+## /!\ Using this prevents the use of any compose override adding
+## published ports to the traefik_app service (almost all of them)
+## and it prevents the use of IPv6 for ingress traffic.
+## Do not uncomment unless you know exactly what you are doing
+##
+#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml"
 
 ## "Headless mode" (no domain configured)
 #COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"
diff --git a/compose.compy.yml b/compose.compy.yml
index 65fd49c..3b45820 100644
--- a/compose.compy.yml
+++ b/compose.compy.yml
@@ -4,4 +4,7 @@ services:
     environment:
       - COMPY_ENABLED
     ports:
-      - "9999:9999"
+      - target: 9999
+        published: 9999
+        protocol: tcp
+        mode: host
diff --git a/compose.foodsoft.yml b/compose.foodsoft.yml
index 8ac770d..97e3e97 100644
--- a/compose.foodsoft.yml
+++ b/compose.foodsoft.yml
@@ -4,4 +4,7 @@ services:
     environment:
       - FOODSOFT_SMTP_ENABLED
     ports:
-      - "2525:2525"
+      - target: 2525
+        published: 2525
+        protocol: tcp
+        mode: host
diff --git a/compose.gitea.yml b/compose.gitea.yml
index bf58bb3..09350bc 100644
--- a/compose.gitea.yml
+++ b/compose.gitea.yml
@@ -4,4 +4,7 @@ services:
     environment:
       - GITEA_SSH_ENABLED
     ports:
-      - "2222:2222"
+      - target: 2222
+        published: 2222
+        protocol: tcp
+        mode: host
diff --git a/compose.host.yml b/compose.host.yml
index b4fef30..64d2ba2 100644
--- a/compose.host.yml
+++ b/compose.host.yml
@@ -1,15 +1,2 @@
 ---
 version: "3.8"
-
-services:
-  app:
-    deploy:
-      update_config:
-        order: stop-first
-    ports:
-      - target: 80
-        published: 80
-        mode: host
-      - target: 443
-        published: 443
-        mode: host
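Review bot: The new long-form `ports:` entry in compose.compy.yml sets `mode: host` with no comment explaining the choice, and the identical entry is added in compose.foodsoft.yml, compose.gitea.yml, compose.irc.yml, compose.matrix.yml, compose.minio.yml, compose.mumble.yml, compose.nextcloud-talk-hpb.yml, compose.peertube.yml, compose.smtp.yml, compose.ssb.yml and compose.web-alt.yml. The only place recording that these host-mode overrides cannot be combined with compose.no-host.yml is the `.env.sample` comment, so someone enabling one of them together with the ingress override gets no hint from the file itself. A one-line comment above `ports:` in each override, e.g. `# host-mode publishing: bound directly on the node running the task; incompatible with compose.no-host.yml`, keeps the constraint next to the value it applies to. The enclosing service definition starts before the hunk.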
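Review bot: compose.host.yml is emptied down to the `---` and `version: "3.8"` header rather than removed, and nothing left in it says the file is intentionally blank; the `.env.sample` hunk drops the line that referenced it, so its remaining purpose is presumably to keep an existing `COMPOSE_FILE` that still names it from failing. A comment after the version line, `# Intentionally empty: host-mode publishing is now the default in compose.yml`, would record that, and if there is no such compatibility need the file is better deleted outright. Either way the release notes should say that the former compose.host.yml override is now a no-op.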
diff --git a/compose.irc.yml b/compose.irc.yml
index 109d986..3ab1dec 100644
--- a/compose.irc.yml
+++ b/compose.irc.yml
@@ -4,4 +4,7 @@ services:
     environment:
       - IRC_ENABLED
     ports:
-      - "6697:6697"
+      - target: 6697
+        published: 6697
+        protocol: tcp
+        mode: host
diff --git a/compose.matrix.yml b/compose.matrix.yml
index 558898d..615b1ed 100644
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@@ -4,4 +4,7 @@ services:
     environment:
       - MATRIX_FEDERATION_ENABLED
     ports:
-      - "8448:8448"
+      - target: 8448
+        published: 8448
+        protocol: tcp
+        mode: host
diff --git a/compose.minio.yml b/compose.minio.yml
index 44dceb1..b182822 100644
--- a/compose.minio.yml
+++ b/compose.minio.yml
@@ -6,4 +6,7 @@ services:
     environment:
       - MINIO_CONSOLE_ENABLED
     ports:
-      - "9001:9001"
+      - target: 9001
+        published: 9001
+        protocol: tcp
+        mode: host
diff --git a/compose.mumble.yml b/compose.mumble.yml
index e2ea8bd..b03f853 100644
--- a/compose.mumble.yml
+++ b/compose.mumble.yml
@@ -4,6 +4,11 @@ services:
     environment:
       - MUMBLE_ENABLED
     ports:
-      - "64738:64738/udp"
-      # note (3wc): see https://github.com/docker/compose/issues/7627
-      - "64737-64739:64737-64739/tcp"
+      - target: 64738
+        published: 64738
+        protocol: udp
+        mode: host
+      - target: 64738
+        published: 64738
+        protocol: tcp
+        mode: host
diff --git a/compose.nextcloud-talk-hpb.yml b/compose.nextcloud-talk-hpb.yml
index 7ee4b3e..8c935b9 100644
--- a/compose.nextcloud-talk-hpb.yml
+++ b/compose.nextcloud-talk-hpb.yml
@@ -4,5 +4,11 @@ services:
     environment:
       - NEXTCLOUD_TALK_HPB_ENABLED
     ports:
-      - "3478:3478/udp"
-      - "3478:3478/tcp"
\ No newline at end of file
+      - target: 3478
+        published: 3478
+        protocol: udp
+        mode: host
+      - target: 3478
+        published: 3478
+        protocol: tcp
+        mode: host
\ No newline at end of file
diff --git a/compose.no-host.yml b/compose.no-host.yml
new file mode 100644
index 0000000..9a0c36d
--- /dev/null
+++ b/compose.no-host.yml
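Review bot: The mumble hunk replaces the published range `64737-64739/tcp` with a single `64738/tcp` entry, so TCP 64737 and 64739 are no longer published after this change. The removed comment says the range only existed to work around docker/compose issue 7627, which the long syntax with separate `protocol: udp` and `protocol: tcp` entries no longer needs, so the narrowing looks intentional and it shrinks the exposed surface; it still deserves a line in the release notes or a comment on the entry, e.g. `# long syntax publishes 64738 for udp and tcp; the 64737-64739 workaround range is gone`, because any client relying on the extra ports loses them on deploy. The enclosing service definition starts before the hunk.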
@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    ports:
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: ingress
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: ingress
+    deploy:
+      endpoint_mode: vip
diff --git a/compose.peertube.yml b/compose.peertube.yml
index fe515a7..9af306a 100644
--- a/compose.peertube.yml
+++ b/compose.peertube.yml
@@ -4,4 +4,7 @@ services:
     environment:
       - PEERTUBE_RTMP_ENABLED
     ports:
-      - "1935:1935"
+      - target: 1935
+        published: 1935
+        protocol: tcp
+        mode: host
diff --git a/compose.smtp.yml b/compose.smtp.yml
index 16d503c..927766b 100644
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@@ -6,4 +6,7 @@ services:
     environment:
       - SMTP_ENABLED
     ports:
-      - "587:587"
+      - target: 587
+        published: 587
+        protocol: tcp
+        mode: host
diff --git a/compose.ssb.yml b/compose.ssb.yml
index 76520f3..367b7cf 100644
--- a/compose.ssb.yml
+++ b/compose.ssb.yml
@@ -4,4 +4,7 @@ services:
     environment:
       - SSB_MUXRPC_ENABLED
     ports:
-      - "8008:8008"
+      - target: 8008
+        published: 8008
+        protocol: tcp
+        mode: host
diff --git a/compose.web-alt.yml b/compose.web-alt.yml
index 39e7c32..95cf0f6 100644
--- a/compose.web-alt.yml
+++ b/compose.web-alt.yml
@@ -4,4 +4,7 @@ services:
     environment:
       - WEB_ALT_ENABLED
     ports:
-      - "8000:8000"
+      - target: 8000
+        published: 8000
+        protocol: tcp
+        mode: host
diff --git a/compose.yml b/compose.yml
index c55df95..156fa26 100644
--- a/compose.yml
+++ b/compose.yml
@@ -8,8 +8,14 @@ services:
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
     ports:
-      - "80:80"
-      - "443:443"
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
     volumes:
       - "letsencrypt:/etc/letsencrypt"
       - "file-providers:/etc/traefik/file-providers"
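Review bot: compose.no-host.yml restores ingress-mode publishing and `endpoint_mode: vip` but does not restore `update_config.order`, so it inherits the `order: stop-first` that compose.yml switches to in this same commit and ingress-mode users lose the `start-first` rollout the base file had before. Ingress mode does not have the host-port clash that makes `stop-first` necessary, so the override should presumably add `update_config:` / `  order: start-first` under its existing `deploy:` key, with a comment saying why it differs from compose.yml. The file is new, so the whole definition is in view.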
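Review bot: Publishing 80 and 443 with `mode: host` and no `host_ip` binds each port directly on the node that runs the task and only there; the ingress mesh no longer forwards these ports from other nodes, so the stack's A/AAAA records must point at the node the task is actually placed on. This hunk does not pin placement (the `deploy:` stanza is further down the file), so unless a placement constraint exists elsewhere a reschedule to another node leaves the site unreachable while the service still looks healthy. A comment above `ports:`, `# host-mode: reachable only on the node running the task; keep placement pinned to the node DNS points at`, would record that dependency next to the existing warning about adding ports here. The enclosing service definition starts before the hunk.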
@@ -37,9 +43,10 @@ services:
     command: traefik
     entrypoint: /custom-entrypoint.sh
     deploy:
+      endpoint_mode: dnsrr
       update_config:
         failure_action: rollback
-        order: start-first
+        order: stop-first
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
diff --git a/release/next b/release/next
new file mode 100644
index 0000000..dfe17d1
--- /dev/null
+++ b/release/next
@@ -0,0 +1,11 @@
+Short summary of the latest changes:
+
+ * Exposed ports have been switched to host-mode port publishing by default
+   This adds support for IPv6 ingress, which means that after deploying this
+   change, DNS AAAA records can be made to point to the relevant IPv6
+   address and Traefik will handle public IPv6 ingress traffic (including ACME
+   HTTP-01 challenges)
+
+ /!\ This is a breaking change. It is still possible to revert ports 80 and
+     443 to ingress-mode (the previous default) but keep in mind that there
+     is no longer an easy way to publish additional ports in ingress mode.
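Review bot: `endpoint_mode: dnsrr` and the switch from `order: start-first` to `order: stop-first` are added without a comment, although both follow from the host-mode publishing earlier in the file (two tasks cannot hold the same host port during a start-first rollout) and the old compose.host.yml that used to carry the `stop-first` override is emptied in this commit. A comment above `update_config:`, `# host-mode published ports cannot overlap, so the old task must stop before the new one starts`, would stop a later edit from flipping this back and breaking updates; the reason for `dnsrr` (presumably that no ingress VIP is wanted once the ports are host-published) deserves one too. `stop-first` also means a short outage on every update, which the release notes do not mention. The `deploy:` stanza continues past the end of the hunk.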